@azure/identity
Provides credential implementations for Azure SDK libraries that can authenticate with Microsoft Entra ID
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): Azure Identity SDK regularly ships large multi-dialect builds (ESM/CJS/browser). Large file count increases are expected during build tooling migrations and are not indicative of injected code for this well-established Microsoft package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding is used to parse JWT access token claims (appid, upn, tid, oid) — standard and expected behavior for an Azure authentication library. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in azureCliCredential.js to invoke the Azure CLI for credential retrieval — documented and expected behavior for this package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper; phantom-dep detection is a known false positive for TypeScript packages that bundle tslib. | ai | |
| dependencies | unvetted-dep:stoppable | AI (dependencies): stoppable is a well-known HTTP server graceful shutdown utility; its use in Azure Identity for managed identity HTTP server handling is legitimate and stable across versions. | ai | |
| phantom-deps | phantom-dep:jws | AI (phantom-deps): jws is a standard JWT signing library used conditionally in Azure Identity for token handling; phantom detection is a false positive for this large SDK. | ai | |
| phantom-deps | phantom-dep:events | AI (phantom-deps): events is a Node.js core polyfill used for browser compatibility in Azure SDK packages; phantom detection is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:stoppable | AI (phantom-deps): stoppable is used conditionally in Azure Identity; phantom detection is a false positive for this large SDK package. | ai | |
| dependencies | unvetted-dep:@azure/abort-controller | AI (dependencies): First-party Microsoft Azure SDK package; stable dependency of @azure/identity across all versions. | ai | |
| provenance | no-provenance | AI (provenance): @azure/identity is a Microsoft Azure SDK package published via microsoft1es; lack of Sigstore provenance is expected for this publisher and not a risk signal. | ai | |
| dependencies | unvetted-dep:open | AI (dependencies): The 'open' package is a well-known utility used by @azure/identity to open browser windows for interactive authentication flows; legitimate and expected use. | ai | |
| dependencies | unvetted-dep:@azure/core-rest-pipeline | AI (dependencies): First-party Microsoft Azure SDK package; stable dependency of @azure/identity across all versions. | ai | |
| dependencies | unvetted-dep:@azure/logger | AI (dependencies): First-party Microsoft Azure SDK package; stable dependency of @azure/identity across all versions. | ai | |
| dependencies | unvetted-dep:@azure/core-auth | AI (dependencies): First-party Microsoft Azure SDK package; stable dependency of @azure/identity across all versions. | ai | |
| dependencies | unvetted-dep:@azure/core-util | AI (dependencies): First-party Microsoft Azure SDK package; stable dependency of @azure/identity across all versions. | ai | |
| dependencies | unvetted-dep:@azure/msal-node | AI (dependencies): First-party Microsoft MSAL package for Node.js authentication; core dependency of @azure/identity. | ai | |
| dependencies | unvetted-dep:@azure/core-client | AI (dependencies): First-party Microsoft Azure SDK package; stable dependency of @azure/identity across all versions. | ai | |
| dependencies | unvetted-dep:@azure/core-tracing | AI (dependencies): First-party Microsoft Azure SDK package; stable dependency of @azure/identity across all versions. | ai | |
| dependencies | unvetted-dep:@azure/msal-browser | AI (dependencies): First-party Microsoft MSAL package for browser authentication; core dependency of @azure/identity. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 4.13.1 | 11 / 18 | |
| 4.13.0 | 11 / 18 | |
| 4.12.0 | 11 / 18 | |
| 4.11.2 | 11 / 18 | |
| 4.11.1 | 11 / 18 | |
| 4.11.0 | 11 / 18 | |
| 4.10.2 | 11 / 18 | |
| 4.10.1 | 11 / 18 | |
| 4.10.0 | 11 / 18 | |
| 4.9.1 | 11 / 18 | |
| 4.9.0 | 11 / 18 | |
| 4.8.0 | 14 / 21 | |
| 4.7.0 | 14 / 21 | |
| 4.6.0 | 14 / 38 | |
| 4.5.0 | 14 / 38 | |
| 4.4.1 | 14 / 38 | |
| 4.4.0 | 14 / 38 | |
| 4.3.0 | 14 / 38 | |
| 4.2.1 | 14 / 38 | |
v4.13.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.13.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.10.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.10.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.