@workos-inc/node
A Node wrapper for the WorkOS API
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/factory-awA8SmsZ.d.mts | AI (source-diff): Bundled .d.mts type declarations from tsdown; long lines are type unions, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/factory-Ct0t70G0.d.cts | AI (source-diff): Bundled .d.cts type declarations from tsdown; long lines are type unions, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-DPWj5UVH.d.cts | AI (source-diff): Bundled .d.cts type declarations with long lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-D5a84gFU.d.mts | AI (source-diff): Bundled .d.mts type declarations with long lines; not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-DS8Htvr7.d.cts | AI (source-diff): Bundled .d.cts type declarations with long lines; standard build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-Bm__aISC.d.mts | AI (source-diff): Bundled .d.mts type declarations with long lines; standard build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-DSjps83I.d.cts | AI (source-diff): Bundled .d.cts type declarations with long union lines; standard build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-DQzEZoxn.d.mts | AI (source-diff): Bundled .d.mts type declarations with long union lines; standard build output, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-DYZ38_bk.d.mts | AI (source-diff): TypeScript declaration file bundled by tsdown; contains standard type definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-CcjPGl_n.d.cts | AI (source-diff): TypeScript declaration file bundled by tsdown; long lines are re-exported types, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/index.worker.d.mts | AI (source-diff): Bundled TS declaration file for worker entry point; same tsdown output pattern. | ai | |
| source-diff | obfuscated-file:lib/index.d.mts | AI (source-diff): Bundled TS declaration barrel file with long import lines from tsdown output; not obfuscated. | ai | |
| dependencies | unvetted-dep:iron-session | AI (dependencies): iron-session is a well-known session library; its use in an auth SDK is expected and appropriate across all versions of this package. | ai | |
| source-diff | obfuscated-file:lib/workos-DhbLRXvR.d.mts | AI (source-diff): Bundled TypeScript declaration file from tsdown build; content is readable TS interfaces, not obfuscated code. File names will change per version. | ai | |
| source-diff | obfuscated-file:lib/workos-C0YAqze0.d.cts | AI (source-diff): Bundled TypeScript declaration file from tsdown build; content is readable TS interfaces, not obfuscated code. File names will change per version. | ai | |
| source-diff | obfuscated-file:lib/workos-BsGYox30.d.cts | AI (source-diff): Bundled TypeScript declaration file from tsdown build tool; long lines are type definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-DeJXESD6.d.mts | AI (source-diff): Bundled TypeScript declaration file from tsdown build tool; long lines are type definitions, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-BN_44ati.d.cts | AI (source-diff): Bundled TypeScript declaration file from tsdown build tool; long lines are normal for bundled .d.ts output, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-Dcg_3Qok.d.mts | AI (source-diff): Bundled TypeScript declaration file from tsdown build tool; long lines are normal for bundled .d.ts output, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-DUcDmctT.d.mts | AI (source-diff): Bundled TypeScript declaration file from tsdown; long lines are artifact of declaration bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-C6Dd1GJI.d.cts | AI (source-diff): Bundled TypeScript declaration file from tsdown; long lines are artifact of declaration bundling, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-CESKLr5j.d.mts | AI (source-diff): Bundled TypeScript declaration file (ESM variant) from tsdown; same as CJS counterpart — readable types, not obfuscation. | ai | |
| source-diff | obfuscated-file:lib/workos-9ENvbxSO.d.cts | AI (source-diff): Bundled TypeScript declaration file from tsdown build tool; content is readable type declarations, not obfuscation. Hash in filename is standard bundler output. | ai | |
| source-diff | obfuscated-file:lib/workos-DluXltJr.d.mts | AI (source-diff): Bundled TypeScript declaration file with long lines from tsdown output; not obfuscated code. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Package has 267 versions and 1.2M weekly downloads; 'dormancy' reflects publisher identity change to GitHub Actions, not actual inactivity. | ai | |
| source-diff | obfuscated-file:lib/workos-COj1yMhR.d.cts | AI (source-diff): Bundled TypeScript declaration file with long lines from tsdown output; not obfuscated code. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding in inlined jose/iron-webcrypto crypto utilities. Straightforward, readable utility code with no obfuscation or network execution. | ai | |
| typosquat | typosquat.levenshtein:zod | AI (typosquat): False positive — @workos-inc/node is the official WorkOS Node SDK, not a typosquat of 'zod'. Scoped package under workos-inc org with 2233 days of history. | ai | |
Versions (showing 39 of 39)
| Version | Deps | Published |
|---|---|---|
| 10.0.0 | 1 / 24 | |
| 9.3.1 | 1 / 24 | |
| 9.3.0 | 1 / 24 | |
| 9.2.0 | 1 / 24 | |
| 9.1.1 | 1 / 24 | |
| 9.1.0 | 1 / 24 | |
| 9.0.0 | 1 / 24 | |
| 8.13.0 | 1 / 24 | |
| 8.12.1 | 1 / 24 | |
| 8.12.0 | 1 / 24 | |
| 8.11.1 | 1 / 24 | |
| 8.11.0 | 0 / 23 | |
| 8.10.0 | 0 / 24 | |
| 8.9.0 | 0 / 24 | |
| 8.8.0 | 2 / 21 | |
| 8.7.0 | 2 / 21 | |
| 8.6.0 | 2 / 22 | |
| 8.5.0 | 2 / 22 | |
| 8.4.0 | 2 / 22 | |
| 8.3.1 | 2 / 22 | |
| 8.3.0 | 2 / 22 | |
| 8.2.0 | 2 / 22 | |
| 8.1.0 | 2 / 22 | |
| 8.0.0 | 2 / 22 | |
| 7.82.0 | 4 / 12 | |
| 7.81.0 | 4 / 12 | |
| 7.80.0 | 4 / 12 | |
| 7.79.3 | 4 / 12 | |
| 7.79.2 | 4 / 12 | |
| 7.77.0 | 4 / 12 | |
| 7.76.0 | 4 / 12 | |
| 7.75.1 | 4 / 12 | |
| 7.75.0 | 4 / 12 | |
| 7.74.2 | 4 / 12 | |
| 7.74.0 | 4 / 12 | |
| 7.73.0 | 4 / 12 | |
| 7.72.2 | 5 / 13 | |
| 7.72.1 | 5 / 13 | |
| 7.72.0 | 5 / 13 | |
v10.0.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.3.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.3.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.2.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.1.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.1.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.0.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.13.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.12.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.12.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.11.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.11.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.10.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.9.0
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.8.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.7.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.6.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.5.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.4.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.3.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.3.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.2.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.82.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.81.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.80.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.79.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.79.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.77.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.76.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.75.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.75.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.74.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.74.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.73.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.72.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.72.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.72.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.