← Home

@useoptic/openapi-utilities

npm Repository
7
Versions
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

niclimacunniffeopticbotnotnmeyer

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:yaml-ast-parser AI (dependencies): yaml-ast-parser is a known YAML parsing library used in OpenAPI tooling; stable dependency for this package. ai
phantom-deps phantom-dep:ajv AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for compiled TS packages. ai
phantom-deps phantom-dep:js-yaml AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for compiled TS packages. ai
phantom-deps phantom-dep:ajv-errors AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for compiled TS packages. ai
phantom-deps phantom-dep:ajv-formats AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for compiled TS packages. ai
semgrep semgrep:child-process-import AI (semgrep): child_process usage is confined to a test file; not present in runtime/published build output. ai
phantom-deps phantom-dep:lodash.groupby AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for compiled TS packages. ai
phantom-deps phantom-dep:lodash.isequal AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for compiled TS packages. ai
phantom-deps phantom-dep:node-machine-id AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for compiled TS packages. ai
phantom-deps phantom-dep:json-stable-stringify AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for compiled TS packages. ai
phantom-deps phantom-dep:lodash.omit AI (phantom-deps): Declared runtime dep; phantom-dep heuristic false positive for compiled TS packages. ai

Versions (showing 7 of 7)

Version Deps Published
1.0.9 17 / 19
1.0.8 17 / 19
1.0.6 17 / 19
1.0.5 17 / 19
1.0.3 17 / 19
1.0.2 17 / 19
1.0.0 17 / 19

v1.0.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.