@octokit/rest
GitHub REST API client for Node.js
- Versions: 3
- License: MIT
- Install Scripts: No
- Provenance: Verified
Supply chain provenance
Status for the latest visible version.
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
Maintainers: octokitbot
Keywords: octokit, github, rest, api-client
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): @octokit/rest auto-generates large volumes of API route definitions, TypeScript types, and Flow types from @octokit/routes. Size growth is expected and benign for this package. | ai | |
| dependencies | unvetted-dep:btoa-lite | AI (dependencies): btoa-lite is a well-known, minimal base64 utility legitimately used for browser compatibility in this GitHub API client. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads http/https built-in Node modules based on protocol option — a standard pattern for HTTP agent selection, not arbitrary module loading. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): bkeepers removal is a legitimate org-level change within the Octokit/GitHub organization. Publisher octokitbot is the established automation account for the org. | ai | |
| source-diff | source-size-dropped | AI (source-diff): v18 is a documented architectural rewrite; the package is now a thin wrapper over @octokit/core plugins. Size drop is expected and permanent for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): v15→v16 architectural refactor replaced monolithic deps with purpose-built @octokit/* scoped packages and small well-known utilities; all new deps are legitimate and from the octokit ecosystem or established npm packages. | ai | |
| phantom-deps | phantom-dep:url-template | AI (phantom-deps): url-template is a legitimate runtime dep used for GitHub API URL expansion; analyzer did not detect the indirect import pattern. | ai | |
| dependencies | unvetted-dep:lodash.set | AI (dependencies): lodash.set is a canonical, widely-used utility package; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; octokitbot is the official Octokit publisher with strong track record. No provenance is expected for this era. | ai | |
| dependencies | unvetted-dep:@octokit/plugin-request-log | AI (dependencies): @octokit/plugin-request-log is a first-party Octokit dependency; expected and stable for this package. | ai | |
| dependencies | unvetted-dep:@octokit/core | AI (dependencies): @octokit/core is a first-party Octokit dependency; expected and stable for this package. | ai | |
| typosquat | typosquat.levenshtein:react | AI (typosquat): @octokit/rest is the official GitHub REST API client; Levenshtein comparison to 'react' is a false positive due to scoped package naming. No impersonation. | ai | |
| typosquat | typosquat.levenshtein:next | AI (typosquat): @octokit/rest is the official GitHub REST API client; Levenshtein comparison to 'next' is a false positive due to scoped package naming. No impersonation. | ai | |
| typosquat | typosquat.levenshtein:jest | AI (typosquat): @octokit/rest is the official GitHub REST API client; Levenshtein comparison to 'jest' is a false positive due to scoped package naming. No impersonation. | ai | |
| dependencies | unvetted-dep:@octokit/plugin-rest-endpoint-methods | AI (dependencies): @octokit/plugin-rest-endpoint-methods is a first-party Octokit dependency; expected and stable for this package. | ai | |
| dependencies | unvetted-dep:@octokit/plugin-paginate-rest | AI (dependencies): @octokit/plugin-paginate-rest is a first-party Octokit dependency; expected and stable for this package. | ai |
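The three typosquat rows above are accepted because the Levenshtein rule compared the unscoped part of the name. The following added example, written for this page and not taken from the analyzer or from @octokit/rest, shows why: "rest" is within edit distance 2 of react, next and jest, while the name a user actually types, "@octokit/rest", is nowhere near any of them. It also shows a scope-aware variant that keeps the signal the rule is meant to catch, a scope that is a near-miss of a known one. The popular-name and known-scope lists are constructed for the example.

```javascript
// Added example (not from this page or from @octokit/rest): naive versus
// scope-aware Levenshtein typosquat checks. POPULAR and KNOWN_SCOPES are
// constructed lists, not the analyzer's data.

// Classic Levenshtein edit distance (insert, delete, substitute cost 1 each).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur.push(Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost));
    }
    prev = cur;
  }
  return prev[b.length];
}

// Split "@scope/name" into its parts; unscoped names get scope null.
function splitScope(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], bare: m[2] } : { scope: null, bare: name };
}

const POPULAR = ["react", "next", "jest", "express", "lodash"]; // constructed
const KNOWN_SCOPES = ["@octokit", "@types", "@babel"];          // constructed

// Naive rule, as the accepted-risk rows describe it: compare only the part
// after the scope. "rest" lands within distance 2 of react, next and jest.
function naiveCandidates(name, popular = POPULAR, maxDistance = 2) {
  const { bare } = splitScope(name);
  return popular
    .filter((p) => p !== bare && levenshtein(bare, p) <= maxDistance)
    .map((p) => ({ target: p, distance: levenshtein(bare, p), reason: "bare-name" }));
}

// Scope-aware rule: the scope is part of what a user types, so compare the
// full name against popular names, and separately flag a scope that is a
// near-miss of a known scope (e.g. "@ocotkit/rest" imitating "@octokit").
function scopeAwareCandidates(name, popular = POPULAR, knownScopes = KNOWN_SCOPES, maxDistance = 2) {
  const { scope } = splitScope(name);
  const hits = popular
    .filter((p) => p !== name && levenshtein(name, p) <= maxDistance)
    .map((p) => ({ target: p, distance: levenshtein(name, p), reason: "full-name" }));
  if (scope && !knownScopes.includes(scope)) {
    for (const known of knownScopes) {
      const d = levenshtein(scope, known);
      if (d <= maxDistance) hits.push({ target: known, distance: d, reason: "scope" });
    }
  }
  return hits;
}

console.log(naiveCandidates("@octokit/rest"));      // react, next, jest flagged
console.log(scopeAwareCandidates("@octokit/rest")); // nothing flagged
console.log(scopeAwareCandidates("@ocotkit/rest")); // scope near-miss of @octokit
```

The scope-aware variant still flags an unscoped near-miss such as "reakt" against "react", so the rule loses nothing for the unscoped case the heuristic was designed for.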
v14.0.2: 1 finding
- LOW | provenance | No provenance attestation: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v14.0.1: 1 finding
- LOW | provenance | No provenance attestation: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v14.0.0: 1 finding
- LOW | provenance | No provenance attestation: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.