adal-node — Greenflagged

Windows Azure Active Directory Client Library for node

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

msopentechazuread

Keywords

nodeazureAADadaladfsoauth

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): @types/node is a framework-scoped TypeScript type package; convention-loaded and stable for this package.	ai	2026/04/24
source-diff	encoded-string-file:test/username-password.js	AI (source-diff): Long strings are base64-encoded JWT test fixtures in test files, not obfuscated payloads. Stable for this package.	ai	2026/04/24
dependencies	unvetted-dep:request	AI (dependencies): request is a well-known, widely-used HTTP client package; its presence in adal-node is expected and not a security concern.	ai	2026/04/24
dependencies	unvetted-dep:xmldom	AI (dependencies): xmldom is a standard XML parser; its use in an OAuth/ADAL library is expected and not a security concern for this package.	ai	2026/04/24
license	uncommon-license:Apache 2.0	AI (license): Apache 2.0 is a standard permissive license; the finding is a false positive due to non-canonical string formatting.	ai	2026/04/24

Versions (showing 7 of 7)

Version	Deps	Published
0.2.4	8 / 10	2022-12-08
0.1.26	9 / 9	2017-12-06
0.1.23	8 / 4	2017-10-26
0.1.20	8 / 4	2016-06-18
0.1.17	8 / 4	2015-10-08
0.1.16	8 / 4	2015-09-04
0.1.5	6 / 5	2014-03-31