octonode
nodejs wrapper for github v3 api
Versions: 3
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
pksunkara
Keywords
wrapper, api, v3, github
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): deep-extend is a well-established, legitimate utility package; its addition is consistent with the package's purpose and poses no material risk. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Established maintainer with 12,511 approved packages and 5188-day history; rapid publish is consistent with legitimate patch/correction workflow for this package. | ai | |
| provenance | no-provenance | AI (provenance): Mature package with 5188-day history and trusted publisher; provenance is a best-practice enhancement, not a security requirement for this context. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): request is a well-known, widely-used HTTP library that has been a stable dependency of octonode for many versions. No malicious behavior associated with it. | ai | |
v0.9.1
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.