azure-devops-node-api

Versions: 5
License
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

wgasior, vsonline, martinmrazik, bsmide, dergachev, tkasparek_ms, tramsing

Accepted risks

Findings the reviewer chose to accept rather than block on.

Columns: Source, Rule, Reason, Accepted by, When

Source: semgrep
Rule: semgrep:base64-decode
Reason: AI (semgrep): Base64 decode in WebApi.js is used to decode a file path for certificate-based auth key lookup, a documented, legitimate pattern for this Azure DevOps API client.
Accepted by: ai

Source: publish-pattern
Rule: dormant-publish
Reason: AI (publish-pattern): Mature Microsoft SDK; long gaps between releases are expected. No material code changes vs prior version; no install script additions or suspicious payload.
Accepted by: ai

Source: bogus-package
Rule: bogus-package
Reason: AI (bogus-package): The vsonline maintainer's templated package names reflect Microsoft's Azure DevOps tooling ecosystem publishing pattern, not spam. This is a legitimate Microsoft package.
Accepted by: ai

Source: phantom-deps
Rule: phantom-dep:tunnel
Reason: AI (phantom-deps): tunnel is a legitimate runtime dependency for proxy support in this package; phantom detection is a false positive for this well-known Microsoft library.
Accepted by: ai

Versions (showing 5 of 5)

Version | Deps  | Published
15.1.3  | 2 / 9 |
15.1.2  | 2 / 9 |
15.1.1  | 2 / 9 |
15.1.0  | 2 / 9 |
15.0.0  | 2 / 9 |

v15.1.3

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v15.1.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v15.1.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v15.1.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v15.0.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.