@directus/api
Directus is a real-time API and App dashboard for managing SQL database content
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): New files correspond to AI/MCP feature additions in a major version bump; no obfuscation or suspicious content. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Directus uses GitHub Actions CI publishing; individual maintainer churn is expected and not indicative of takeover. | ai | |
| dependencies | unvetted-dep:@directus/ai | AI (dependencies): Same-org @directus scoped package; consistent with AI feature additions in this release. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Active monorepo; version gap reflects prior approved version in registry, not true account dormancy. | ai | |
| dependencies | unvetted-dep:@braintrust/otel | AI (dependencies): Braintrust is a known AI observability vendor; dep added alongside @directus/ai integration. | ai | |
| dependencies | unvetted-dep:json2csv | AI (dependencies): CSV export utility; consistent with Directus data export features. | ai | |
| dependencies | unvetted-dep:samlify | AI (dependencies): SAML SSO library; expected for Directus auth integrations. | ai | |
| dependencies | unvetted-dep:@tus/utils | AI (dependencies): TUS resumable upload protocol; expected for Directus file uploads. | ai | |
| dependencies | unvetted-dep:@tus/server | AI (dependencies): TUS resumable upload server; expected for Directus file uploads. | ai | |
| dependencies | unvetted-dep:exif-reader | AI (dependencies): EXIF metadata reader; consistent with Directus image processing. | ai | |
| dependencies | unvetted-dep:micromustache | AI (dependencies): Lightweight template engine; used for Directus email/notification templates. | ai | |
| dependencies | unvetted-dep:@directus/specs | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@directus/errors | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@directus/schema | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@directus/storage | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@godaddy/terminus | AI (dependencies): Well-known graceful shutdown library from GoDaddy; stable ecosystem package. | ai | |
| dependencies | unvetted-dep:@directus/constants | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@directus/system-data | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@directus/format-title | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:@authenio/samlify-node-xmllint | AI (dependencies): SAML XML linting companion; expected alongside samlify for auth. | ai | |
| dependencies | unvetted-dep:@directus/storage-driver-local | AI (dependencies): First-party Directus package; same org scope. | ai | |
| dependencies | unvetted-dep:icc | AI (dependencies): Legitimate ICC profile parsing library; consistent with Directus image handling. | ai | |
| dependencies | unvetted-dep:pm2 | AI (dependencies): Well-known process manager; used for Directus CLI process management. | ai | |
| dependencies | unvetted-dep:ldapjs | AI (dependencies): Standard LDAP auth library; expected for Directus SSO/auth features. | ai | |
| phantom-deps | phantom-dep:tsdown | AI (phantom-deps): tsdown is a build tool referenced in build scripts. | ai | |
| phantom-deps | phantom-dep:openapi3-ts | AI (phantom-deps): openapi3-ts is a type-level dependency used in specs/schema generation. | ai | |
| phantom-deps | phantom-dep:@directus/extensions-sdk | AI (phantom-deps): Same-org package used as peer/optional dep in extension loading context. | ai | |
| phantom-deps | phantom-dep:@directus/schema-builder | AI (phantom-deps): Same-org package, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@directus/storage-driver-s3 | AI (phantom-deps): Optional storage driver, dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:@directus/storage-driver-gcs | AI (phantom-deps): Optional storage driver, dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:@directus/storage-driver-azure | AI (phantom-deps): Optional storage driver, dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:@directus/storage-driver-supabase | AI (phantom-deps): Optional storage driver, dynamically loaded at runtime. | ai | |
| phantom-deps | phantom-dep:@directus/storage-driver-cloudinary | AI (phantom-deps): Optional storage driver, dynamically loaded at runtime. | ai | |
| typosquat | typosquat.levenshtein:ajv | AI (typosquat): @directus/api is the canonical Directus API package, not a typosquat of ajv. | ai | |
| typosquat | typosquat.levenshtein:joi | AI (typosquat): @directus/api is the canonical Directus API package, not a typosquat of joi. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): @directus/api is the canonical Directus API package, not a typosquat of pg. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): dotenv used in config/env context, not a direct runtime import. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): @directus/api is the canonical Directus API package, not a typosquat of hapi. | ai | |
| phantom-deps | phantom-dep:tsx | AI (phantom-deps): tsx is a dev/build tool referenced in scripts, not a runtime import. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 36.0.0 | 132 / 41 | |
| 35.2.0 | 131 / 41 | |
| 35.1.0 | 132 / 41 | |
| 35.0.2 | 132 / 41 | |
| 35.0.1 | 132 / 41 | |
| 35.0.0 | 132 / 41 | |
| 34.0.1 | 128 / 42 | |
| 34.0.0 | 128 / 42 | |
| 33.3.1 | 128 / 42 | |
| 33.3.0 | 128 / 42 | |
| 33.2.0 | 128 / 42 | |
| 33.1.1 | 127 / 42 | |
| 33.1.0 | 127 / 42 | |
| 33.0.0 | 124 / 43 | |
| 32.2.0 | 124 / 43 | |
v36.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v35.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v35.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v35.0.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v35.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v35.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v34.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v34.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v33.3.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v33.3.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v33.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v33.1.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v33.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v33.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v32.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.