open-collaboration-protocol
Open Collaboration Protocol implementation, part of the Open Collaboration Tools project
- Versions: 16
- License: MIT
- Install scripts: No
- Provenance: Missing
Supply chain provenance (status for the latest visible version):
- No SLSA provenance
- npm registry signatures: present
- gitHead: linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers: msujew, jonah.iden
Keywords: collaboration, live-share, protocol
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Package is a legitimate Eclipse OCT protocol library from TypeFox; dormancy periods are consistent with open-source project cadence, not account takeover indicators. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): jonah.iden is an established publisher (14 approved packages, 330 days history) associated with the same Eclipse OCT project. Transition appears legitimate. | ai | |
| provenance | publisher-changed | AI (provenance): msujew is an established publisher with prior approved versions of this package; transition appears to be a legitimate org-internal maintainer change within the Eclipse OCT/TypeFox project. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 59 new source files reflect legitimate protocol implementation expansion, not injected code. | ai | |
| source-diff | source-size-tripled | AI (source-diff): 4.5x source expansion is consistent with adding protocol functionality; no obfuscation or payload indicators. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies (base64-js, fflate, msgpackr, semver) are all legitimate, established packages appropriate for a protocol library. | ai | |
| dependencies | unvetted-dep:socket.io-client | AI (dependencies): socket.io-client is a well-known, widely-used transport library; its use is directly appropriate for a real-time collaboration protocol package. | ai | |
| dependencies | unvetted-dep:msgpackr | AI (dependencies): msgpackr is an established serialization library; unvetted-dep finding is expected for new deps but poses no risk here. | ai | |
| provenance | no-provenance | AI (provenance): Provenance absence is common (88% of npm); not a disqualifier for established publisher with clean history. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Early-stage protocol implementation with sparse documentation is expected; no malware indicators present. | ai | |
| dependencies | unvetted-dep:open-collaboration-rpc | AI (dependencies): open-collaboration-rpc is a sibling package in the same TypeFox monorepo; not a suspicious third-party dependency. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Standard Node Buffer.from() base64 decoding in a utility function; legitimate for protocol implementation, not a payload decoder. | ai | |