@hey-api/openapi-ts
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/config-CU3acGju.d.mts | AI (source-diff): Bundled .d.mts type declarations with long union lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/config-BF7XAWuG.d.cts | AI (source-diff): Bundled .d.cts type declarations with long union lines; not obfuscation. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): Handlebars is a well-known templating library; pinned to 4.7.8 with no active advisories. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Resolves a fixed relative path to the package's own dist bundle; not user-controlled input. | ai | |
| source-diff | obfuscated-file:dist/types-DzR_aHdx.d.cts | AI (source-diff): This is a bundled TypeScript declaration file (.d.cts) with wide union/interface types. Long lines are a bundler artifact, not obfuscation. No executable code present. | ai | |
| source-diff | obfuscated-file:dist/types-ByDiVB9E.d.mts | AI (source-diff): This is a bundled TypeScript declaration file (.d.mts) with wide union/interface types. Long lines are a bundler artifact, not obfuscation. No executable code present. | ai | |
| source-diff | obfuscated-file:dist/config-BY6SQ9vq.d.mts | AI (source-diff): Bundled TypeScript declaration file (.d.mts) with long lines from rollup/tsdown concatenation. Samples show readable type definitions, not obfuscation. Stable false positive for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/config-BpoUoSpn.d.cts | AI (source-diff): Bundled TypeScript declaration file (.d.cts) with long lines from rollup/tsdown concatenation. Samples show readable type definitions, not obfuscation. Stable false positive for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/types-CQTciSfa.d.mts | AI (source-diff): TypeScript declaration file with long lines from bundled union types and type definitions. Content is clearly legitimate OpenAPI/TS types, not obfuscated code. False positive for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/types-WLqvV8HC.d.cts | AI (source-diff): TypeScript declaration file with long lines from bundled union types and type definitions. Content is clearly legitimate OpenAPI/TS types, not obfuscated code. False positive for this package's build output. | ai | |
| source-diff | obfuscated-file:dist/types-CLcjoomL.d.mts | AI (source-diff): TypeScript declaration file with long lines from large union types — not obfuscated. Bundled .d.mts files for this package legitimately produce long lines. Stable false positive. | ai | |
| source-diff | obfuscated-file:dist/types-BcLsQaJ_.d.cts | AI (source-diff): TypeScript declaration file with long lines from large union types — not obfuscated. Bundled .d.cts files for this package legitimately produce long lines. Stable false positive. | ai | |
| source-diff | obfuscated-file:dist/config-CtVXEKSL.d.cts | AI (source-diff): TypeScript declaration file bundled by tsdown; long lines are concatenated type definitions, not obfuscation. Stable false positive for this build toolchain. | ai | |
| source-diff | obfuscated-file:dist/config-BCMpBYUB.d.mts | AI (source-diff): TypeScript declaration file bundled by tsdown; long lines are concatenated type definitions, not obfuscation. Stable false positive for this build toolchain. | ai | |
| source-diff | obfuscated-file:dist/config-kLkHIaUr.d.mts | AI (source-diff): File is a bundled TypeScript declaration file (.d.mts) with readable type definitions and JSDoc comments — long lines are from concatenated type rollup, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/config-Cmhj4J0r.d.cts | AI (source-diff): File is a bundled TypeScript declaration file (.d.cts) with readable type definitions and JSDoc comments — long lines are from concatenated type rollup, not obfuscation. | ai | |
| phantom-deps | phantom-dep:ansi-colors | AI (phantom-deps): ansi-colors is a declared runtime dependency for CLI output coloring; phantom detection is a false positive due to bundling patterns. | ai | |
| phantom-deps | phantom-dep:handlebars | AI (phantom-deps): handlebars is a declared runtime dependency used for legacy template generation; phantom detection is a false positive due to bundling patterns. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): commander is a declared runtime dependency for this CLI tool; phantom detection is a false positive due to bundling/dynamic import patterns. | ai | |
| phantom-deps | phantom-dep:open | AI (phantom-deps): open is a declared runtime dependency for this CLI tool; phantom detection is a false positive due to bundling/dynamic import patterns. | ai | |
| phantom-deps | phantom-dep:color-support | AI (phantom-deps): color-support is a declared runtime dependency; phantom detection is a false positive due to bundling patterns. | ai | |
| phantom-deps | phantom-dep:c12 | AI (phantom-deps): c12 is a declared runtime dependency used for config loading in this CLI tool; phantom detection is a false positive due to bundling/dynamic import patterns. | ai | |
| dependencies | unvetted-dep:@hey-api/shared | AI (dependencies): First-party @hey-api scoped package from the same organization/monorepo as openapi-ts; unvetted status reflects review pipeline gap, not a security concern. | ai | |
| dependencies | unvetted-dep:get-tsconfig | AI (dependencies): get-tsconfig is a well-known, widely-used utility for resolving TypeScript configuration; appropriate dependency for a TypeScript codegen tool. | ai | |
| dependencies | unvetted-dep:@hey-api/json-schema-ref-parser | AI (dependencies): First-party @hey-api scoped package from the same organization/monorepo as openapi-ts; unvetted status reflects review pipeline gap, not a security concern. | ai | |
| dependencies | unvetted-dep:@hey-api/codegen-core | AI (dependencies): First-party @hey-api scoped package from the same organization/monorepo as openapi-ts; unvetted status reflects review pipeline gap, not a security concern. | ai | |
| dependencies | unvetted-dep:@hey-api/spec-types | AI (dependencies): First-party @hey-api scoped package from the same organization/monorepo as openapi-ts; unvetted status reflects review pipeline gap, not a security concern. | ai | |
| dependencies | unvetted-dep:@hey-api/types | AI (dependencies): First-party @hey-api scoped package from the same organization/monorepo as openapi-ts; unvetted status reflects review pipeline gap, not a security concern. | ai | |
Versions (showing 51 of 56)
| Version | Deps | Published |
|---|---|---|
| 0.97.3 | 10 / 17 | |
| 0.97.2 | 10 / 17 | |
| 0.97.1 | 10 / 17 | |
| 0.97.0 | 10 / 17 | |
| 0.96.1 | 9 / 17 | |
| 0.96.0 | 9 / 17 | |
| 0.95.0 | 9 / 17 | |
| 0.94.5 | 9 / 17 | |
| 0.94.4 | 8 / 17 | |
| 0.94.3 | 8 / 17 | |
| 0.94.2 | 8 / 17 | |
| 0.94.1 | 7 / 17 | |
| 0.94.0 | 7 / 17 | |
| 0.93.1 | 7 / 17 | |
| 0.93.0 | 7 / 17 | |
| 0.92.4 | 7 / 17 | |
| 0.92.3 | 7 / 18 | |
| 0.92.2 | 7 / 18 | |
| 0.92.1 | 7 / 18 | |
| 0.92.0 | 7 / 18 | |
| 0.91.1 | 7 / 18 | |
| 0.91.0 | 7 / 19 | |
| 0.90.10 | 8 / 23 | |
| 0.90.9 | 8 / 23 | |
| 0.90.8 | 9 / 23 | |
| 0.90.7 | 9 / 23 | |
| 0.90.6 | 8 / 24 | |
| 0.90.5 | 8 / 24 | |
| 0.90.4 | 8 / 23 | |
| 0.90.3 | 8 / 23 | |
| 0.90.2 | 8 / 23 | |
| 0.90.1 | 8 / 23 | |
| 0.90.0 | 8 / 23 | |
| 0.89.2 | 8 / 23 | |
| 0.89.1 | 8 / 23 | |
| 0.89.0 | 8 / 23 | |
| 0.88.2 | 8 / 23 | |
| 0.88.1 | 8 / 23 | |
| 0.88.0 | 8 / 23 | |
| 0.87.5 | 8 / 23 | |
| 0.87.4 | 8 / 23 | |
| 0.87.3 | 8 / 23 | |
| 0.87.2 | 8 / 23 | |
| 0.87.1 | 8 / 22 | |
| 0.87.0 | 8 / 22 | |
| 0.86.12 | 9 / 23 | |
| 0.86.11 | 9 / 23 | |
| 0.86.10 | 9 / 23 | |
| 0.86.9 | 9 / 23 | |
| 0.86.7 | 9 / 23 | |
| 0.86.6 | 9 / 23 | |
v0.97.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.97.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.97.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.97.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.96.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.96.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.95.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.94.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.94.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.94.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.94.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.94.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.94.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.93.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.93.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.92.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.92.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.92.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.92.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.92.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.91.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.91.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.10
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.9
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.8
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.7
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.6
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.5
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.4
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.3
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.90.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.89.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.89.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.89.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.88.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.88.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.88.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.87.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.87.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.87.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.87.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.87.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.87.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.86.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.86.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.86.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.86.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.86.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v0.86.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.