@octokit/rest
GitHub REST API client for Node.js
Supply chain provenance
Status for the latest visible version (22.0.1): published via CI/CD with a Sigstore attestation (predicate https://slsa.dev/provenance/v1); see the per-version findings below.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): @octokit/rest auto-generates large volumes of API route definitions, TypeScript types, and Flow types from @octokit/routes. Size growth is expected and benign for this package. | ai | |
| dependencies | unvetted-dep:btoa-lite | AI (dependencies): btoa-lite is a well-known, minimal base64 utility legitimately used for browser compatibility in this GitHub API client. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads http/https built-in Node modules based on protocol option — a standard pattern for HTTP agent selection, not arbitrary module loading. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): bkeepers removal is a legitimate org-level change within the Octokit/GitHub organization. Publisher octokitbot is the established automation account for the org. | ai | |
| source-diff | source-size-dropped | AI (source-diff): v18 is a documented architectural rewrite; the package is now a thin wrapper over @octokit/core plugins. Size drop is expected and permanent for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): v15→v16 architectural refactor replaced monolithic deps with purpose-built @octokit/* scoped packages and small well-known utilities; all new deps are legitimate and from the octokit ecosystem or established npm packages. | ai | |
| phantom-deps | phantom-dep:url-template | AI (phantom-deps): url-template is a legitimate runtime dep used for GitHub API URL expansion; analyzer did not detect the indirect import pattern. | ai | |
| dependencies | unvetted-dep:lodash.set | AI (dependencies): lodash.set is a canonical, widely-used utility package; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; octokitbot is the official Octokit publisher with strong track record. No provenance is expected for this era. | ai | |
| dependencies | unvetted-dep:@octokit/plugin-request-log | AI (dependencies): @octokit/plugin-request-log is a first-party Octokit dependency; expected and stable for this package. | ai | |
| dependencies | unvetted-dep:@octokit/core | AI (dependencies): @octokit/core is a first-party Octokit dependency; expected and stable for this package. | ai | |
| typosquat | typosquat.levenshtein:react | AI (typosquat): @octokit/rest is the official GitHub REST API client; Levenshtein comparison to 'react' is a false positive due to scoped package naming. No impersonation. | ai | |
| typosquat | typosquat.levenshtein:next | AI (typosquat): @octokit/rest is the official GitHub REST API client; Levenshtein comparison to 'next' is a false positive due to scoped package naming. No impersonation. | ai | |
| typosquat | typosquat.levenshtein:jest | AI (typosquat): @octokit/rest is the official GitHub REST API client; Levenshtein comparison to 'jest' is a false positive due to scoped package naming. No impersonation. | ai | |
| dependencies | unvetted-dep:@octokit/plugin-rest-endpoint-methods | AI (dependencies): @octokit/plugin-rest-endpoint-methods is a first-party Octokit dependency; expected and stable for this package. | ai | |
| dependencies | unvetted-dep:@octokit/plugin-paginate-rest | AI (dependencies): @octokit/plugin-paginate-rest is a first-party Octokit dependency; expected and stable for this package. | ai | |
Versions (showing 51 of 103)
| Version | Deps (direct / total) | Published |
|---|---|---|
| 22.0.1 | 4 / 16 | |
| 22.0.0 | 4 / 16 | |
| 21.1.1 | 4 / 16 | |
| 21.1.0 | 4 / 16 | |
| 21.0.2 | 4 / 16 | |
| 21.0.1 | 4 / 16 | |
| 21.0.0 | 4 / 17 | |
| 20.1.2 | 4 / 18 | |
| 20.1.1 | 4 / 18 | |
| 20.1.0 | 4 / 18 | |
| 20.0.2 | 4 / 18 | |
| 20.0.1 | 4 / 18 | |
| 20.0.0 | 4 / 18 | |
| 19.0.13 | 4 / 16 | |
| 19.0.12 | 4 / 16 | |
| 19.0.11 | 4 / 16 | |
| 19.0.10 | 4 / 16 | |
| 19.0.9 | 4 / 16 | |
| 19.0.8 | 4 / 16 | |
| 19.0.7 | 4 / 16 | |
| 19.0.6 | 4 / 16 | |
| 19.0.5 | 4 / 16 | |
| 19.0.4 | 4 / 16 | |
| 19.0.3 | 4 / 16 | |
| 19.0.2 | 4 / 16 | |
| 19.0.1 | 4 / 16 | |
| 19.0.0 | 4 / 16 | |
| 18.12.0 | 4 / 16 | |
| 18.11.4 | 4 / 16 | |
| 18.11.3 | 4 / 16 | |
| 18.11.2 | 4 / 16 | |
| 18.11.1 | 4 / 16 | |
| 18.11.0 | 4 / 16 | |
| 18.10.0 | 4 / 16 | |
| 16.19.0 | 11 / 33 | |
| 15.18.3 | 9 / 34 | |
| 15.18.2 | 9 / 34 | |
| 15.18.1 | 9 / 34 | |
| 15.18.0 | 9 / 34 | |
| 15.17.0 | 9 / 33 | |
| 15.16.1 | 9 / 33 | |
| 15.16.0 | 9 / 33 | |
| 15.15.1 | 9 / 33 | |
| 15.15.0 | 9 / 33 | |
| 15.14.0 | 9 / 34 | |
| 15.13.1 | 9 / 34 | |
| 15.13.0 | 9 / 34 | |
| 15.12.1 | 9 / 34 | |
| 15.12.0 | 9 / 34 | |
| 15.11.4 | 8 / 34 | |
| 15.11.3 | 8 / 34 | |
v22.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v22.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.1.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.0.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.0.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.1.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.1.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.1.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v20.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.11.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.11.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.11.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.19.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.18.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.18.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.18.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.18.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.17.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.16.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.16.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.15.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.14.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.13.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.13.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.12.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.12.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.11.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.11.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.