@octokit/endpoint — Greenflagged

Turns REST API endpoints into generic request options

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

octokitbot

Keywords

octokitgithubapirest

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): Size increase is explained by adoption of Pika Pack multi-format build pipeline producing dist-node, dist-web, and bundled web variants. Legitimate architectural change.	ai	2026/04/24
provenance	missing-githead	AI (provenance): Octokit migrated to @pika/pack build system in this version; gitHead absence is a known side effect of the Pika publish flow, not a sign of tampering.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): New files are @pika/pack dist outputs (dist-node, dist-web, dist-types, dist-src) — intentional multi-format distribution, confirmed by pika:true in package.json.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): deepmerge is a well-known, widely-used utility package pinned to an exact version (2.2.1). Its use is appropriate for a package that merges REST API request options. No malicious signal.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): gr2m is the canonical Octokit maintainer and package author; octokitbot was an automation account. The transition back to the primary maintainer is legitimate and expected for this package.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance on npm (published 2019); absence of attestation is expected for this era and not a risk signal.	ai	2026/04/24
dependencies	unvetted-dep:universal-user-agent	AI (dependencies): universal-user-agent is a well-known Octokit ecosystem utility for user-agent string generation; stable dependency across all @octokit/* packages.	ai	2026/04/21

Versions (showing 51 of 85)

View all versions

Version	Deps	Published
11.0.3	2 / 9	2026-02-18
11.0.2	2 / 10	2025-10-30
11.0.1	2 / 10	2025-09-29
11.0.0	2 / 10	2025-05-20
10.1.4	2 / 10	2025-04-10
10.1.3	2 / 10	2025-02-13
9.0.6	2 / 10	2025-02-14
9.0.4	2 / 10	2023-11-27
9.0.3	2 / 10	2023-11-23
9.0.2	3 / 10	2023-10-27
9.0.1	3 / 10	2023-09-23
9.0.0	3 / 10	2023-07-07
8.0.1	3 / 10	2023-06-17
8.0.0	3 / 10	2023-06-14
7.0.6	3 / 10	2023-06-09
7.0.5	3 / 11	2023-01-23
7.0.4	3 / 11	2023-01-20
7.0.3	3 / 11	2022-10-13
7.0.2	3 / 11	2022-09-06
7.0.1	3 / 11	2022-08-15
7.0.0	3 / 11	2022-07-07
6.0.12	3 / 11	2021-06-11
6.0.11	3 / 11	2021-01-25
6.0.10	3 / 11	2020-12-01
6.0.9	3 / 11	2020-11-01
6.0.8	3 / 11	2020-10-05
6.0.7	3 / 11	2020-10-05
6.0.6	3 / 11	2020-09-10
6.0.5	3 / 11	2020-07-21
6.0.4	3 / 11	2020-07-17
6.0.3	3 / 11	2020-06-10
6.0.2	3 / 11	2020-05-26
6.0.1	3 / 11	2020-04-19
6.0.0	3 / 11	2020-03-24
5.5.3	3 / 11	2020-02-21
5.5.2	3 / 11	2020-01-30
5.5.1	3 / 11	2019-11-03
5.5.0	3 / 11	2019-10-24
5.4.1	2 / 18	2019-10-13
5.4.0	2 / 18	2019-10-04
5.3.6	2 / 16	2019-09-24
5.3.5	2 / 16	2019-09-03
5.3.4	2 / 16	2019-09-03
5.3.3	3 / 17	2019-09-02
5.3.2	4 / 19	2019-07-23
5.3.1	4 / 19	2019-07-18
5.3.0	4 / 19	2019-07-17
5.2.2	4 / 19	2019-07-12
5.2.1	4 / 19	2019-07-08
5.2.0	4 / 19	2019-06-24
5.1.8	4 / 19	2019-06-20

v11.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v11.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.1.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.1.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v9.0.6

1 finding

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.