@microsoft/api-extractor
Analyze the exported API for a TypeScript library and generate reviews, documentation, and .d.ts rollups
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
microsoftodspnpm
Keywords
typescriptAPIJSDocAEDocgeneratedocumentationcompileralphabeta
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@types/es6-collections | AI (dependencies): @types/es6-collections is a TypeScript type definition package with no runtime code; it poses no security risk for this TypeScript tooling package. | ai | |
| phantom-deps | phantom-dep:@types/es6-collections | AI (phantom-deps): @types/es6-collections is a TypeScript type definition package loaded by convention; expected pattern for TypeScript tooling packages. | ai | |
| phantom-deps | phantom-dep:@types/fs-extra | AI (phantom-deps): @types/fs-extra is a TypeScript type definition package loaded by convention; expected pattern for TypeScript tooling packages. | ai | |
| phantom-deps | phantom-dep:jju | AI (phantom-deps): jju is a legitimate JSON utility referenced in config files; phantom-dep finding is a false positive for this package's usage pattern. | ai | |
| source-diff | large-new-source-files | AI (source-diff): api-extractor is a complex TypeScript toolchain; growth in source files across versions is expected and consistent with legitimate feature development. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All new deps are well-known RushStack/Microsoft ecosystem packages or widely-used utilities (semver, minimatch, source-map). No suspicious packages; consistent with legitimate version evolution. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require loads a statically-constructed path to the package's own package.json for version display. Not a real dynamic module loading risk for this package. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is a namespace reservation stub by the verified Microsoft publisher; not indicative of malicious intent for this well-established scoped package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): All bogus-package signals are consistent with a legitimate namespace reservation placeholder by Microsoft; the package has 545 real versions and a 3395-day history. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of 'microsoft' account paired with addition of 'microsoft1es' reflects Microsoft's internal npm account migration, not a package takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): microsoft1es is Microsoft's 1ES engineering systems npm account; this is an internal Microsoft account reorganization, not a hostile takeover. Repo still points to github.com/microsoft/rushstack. | ai | |
| phantom-deps | phantom-dep:z-schema | AI (phantom-deps): z-schema is referenced in config/schema validation context rather than direct imports; this is a legitimate usage pattern for JSON schema validators. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance attestation; absence is expected for this vintage of Microsoft tooling package. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a framework-scoped type package; it is conventionally declared as a dependency without direct imports. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/z-schema | AI (phantom-deps): Type-only package; not directly imported in source code by design. Benign pattern for @types/* packages. | ai |
Versions (showing 51 of 543)
| Version | Deps | Published |
|---|---|---|
| 8.0.0 | 10 / 6 | |
| 7.58.7 | 13 / 6 | |
| 7.58.6 | 13 / 6 | |
| 7.58.5 | 13 / 6 | |
| 7.58.4 | 13 / 6 | |
| 7.58.3 | 13 / 6 | |
| 7.58.2 | 14 / 7 | |
| 7.58.1 | 14 / 7 | |
| 7.58.0 | 14 / 7 | |
| 7.57.8 | 14 / 7 | |
| 7.57.7 | 14 / 7 | |
| 7.57.6 | 14 / 7 | |
| 7.57.5 | 14 / 7 | |
| 7.57.4 | 14 / 7 | |
| 7.57.3 | 14 / 7 | |
| 7.57.2 | 14 / 7 | |
| 7.57.1 | 14 / 7 | |
| 7.57.0 | 14 / 7 | |
| 7.56.3 | 14 / 7 | |
| 7.56.2 | 14 / 7 | |
| 7.56.1 | 14 / 7 | |
| 7.56.0 | 14 / 7 | |
| 7.55.5 | 14 / 7 | |
| 7.55.2 | 14 / 7 | |
| 7.55.1 | 14 / 7 | |
| 7.55.0 | 14 / 7 | |
| 7.54.0 | 14 / 7 | |
| 7.53.3 | 13 / 7 | |
| 7.53.2 | 13 / 7 | |
| 7.53.1 | 13 / 7 | |
| 7.53.0 | 13 / 7 | |
| 7.52.15 | 13 / 7 | |
| 7.52.14 | 13 / 7 | |
| 7.52.13 | 13 / 7 | |
| 7.52.12 | 13 / 7 | |
| 7.52.11 | 13 / 7 | |
| 7.52.10 | 13 / 7 | |
| 7.52.9 | 13 / 8 | |
| 7.52.8 | 13 / 7 | |
| 7.52.7 | 13 / 7 | |
| 7.52.6 | 13 / 7 | |
| 7.52.5 | 13 / 7 | |
| 7.52.4 | 13 / 7 | |
| 7.52.3 | 13 / 9 | |
| 7.52.2 | 13 / 9 | |
| 7.52.1 | 13 / 9 | |
| 7.52.0 | 13 / 9 | |
| 7.51.1 | 13 / 9 | |
| 7.51.0 | 13 / 9 | |
| 7.50.1 | 13 / 9 | |
| 7.50.0 | 13 / 9 |