← Home

@redocly/openapi-core

npm Repository Homepage

See https://github.com/Redocly/redocly-cli

20
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

romanhotsiyalawaradamaltmanmarshevskyyvolodymyr-rutskyislavikbezkorovainyi

Keywords

linterOpenAPISwaggerOpenAPI linterSwagger linterAsyncAPI linterArazzo linteroas

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
publish-pattern new-deps-added AI (publish-pattern): ajv, ajv-formats, picomatch are established packages added as part of a major version refactor; not suspicious. ai
semgrep semgrep:new-function-constructor AI (semgrep): Documented TS dynamic-import workaround in config-resolvers; stable pattern for this package. ai
semgrep semgrep:child-process-import AI (semgrep): Used only in benchmark tooling (src/benchmark/), not in the main library runtime. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require in benchmark fork helper; not reachable from library consumers. ai
publish-pattern dormant-publish AI (publish-pattern): Package has 550 versions and is actively maintained by Redocly via CI/CD with SLSA provenance. The dormancy signal does not reflect account takeover risk for this well-established package. ai
dependencies unvetted-dep:yaml-ast-parser AI (dependencies): [email protected] is a long-standing pinned dependency in Redocly's toolchain, not a new or suspicious addition. ai
phantom-deps phantom-dep:ajv AI (phantom-deps): ajv is declared as an npm alias (npm:@redocly/[email protected]) in package.json — this is an intentional aliasing pattern, not a true phantom dependency. Stable for this package. ai

Versions (showing 20 of 20)

Version Deps Published
2.30.5 10 / 6
2.30.4 10 / 6
2.30.2 10 / 6
2.30.1 10 / 6
2.30.0 10 / 6
2.29.1 10 / 6
2.29.0 10 / 6
2.26.0 10 / 6
2.25.4 10 / 6
2.9.0 9 / 6
2.8.0 9 / 6
2.5.1 9 / 6
2.2.3 9 / 6
2.1.3 9 / 6
2.1.0 9 / 6
2.0.6 9 / 6
2.0.5 9 / 6
2.0.1 9 / 6
1.34.14 9 / 6
1.34.13 9 / 6

v2.30.5

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.30.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.30.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.30.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.30.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.29.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.26.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.25.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.9.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.8.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.5.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.34.14

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.34.13

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.