openai

The official TypeScript library for the OpenAI API

Versions: 51
License: Apache-2.0
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version:
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
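The three signals above (and the per-version "Has SLSA provenance attestation" findings further down) can be re-checked independently of this page from the version manifest that `npm view openai@<version> --json` prints. The following is an added example, not code from the scan page or from the openai package: it evaluates the three signals from such a manifest. The sample manifests, commit ids, signatures and key ids are constructed placeholders, and the set of trusted registry key ids is assumed to be fetched out of band from https://registry.npmjs.org/-/npm/v1/keys and passed in by the caller.

```typescript
// Added example: evaluate npm supply chain provenance signals from a version
// manifest (the object `npm view <pkg>@<version> --json` prints). Not part of
// the scanned page or of the openai package; sample values are placeholders.

interface NpmVersionManifest {
  name: string;
  version: string;
  gitHead?: string;                       // commit id the npm client recorded at publish time
  repository?: { type?: string; url?: string };
  dist: {
    integrity?: string;
    signatures?: { keyid: string; sig: string }[];
    attestations?: { url: string; provenance?: { predicateType?: string } };
  };
}

interface ProvenanceReport {
  slsaProvenance: boolean;    // Sigstore attestation with the SLSA v1 predicate
  registrySignature: boolean; // dist.signatures carries a key id we trust
  gitHeadLinked: boolean;     // gitHead is a full commit id and a repository URL is present
  problems: string[];
}

const SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1";
const FULL_SHA1 = /^[0-9a-f]{40}$/;

// trustedKeyIds: key ids obtained out of band from https://registry.npmjs.org/-/npm/v1/keys
// (assumption: supplied by the caller; nothing is hardcoded here).
function checkProvenance(m: NpmVersionManifest, trustedKeyIds: Set<string>): ProvenanceReport {
  const problems: string[] = [];

  // 1. SLSA provenance: the attestation must exist and carry the SLSA v1 predicate.
  //    Of the three signals this is the only one that binds the tarball to a
  //    source commit and a CI workflow, which is why the page rates it highest.
  const predicate = m.dist.attestations?.provenance?.predicateType;
  const slsaProvenance = predicate === SLSA_V1_PREDICATE;
  if (!slsaProvenance) {
    problems.push(`no SLSA v1 provenance attestation (predicateType: ${predicate ?? "none"})`);
  }

  // 2. Registry signature: the registry signs the package with its own key. It
  //    proves the registry served what it stored, not who built the tarball.
  const sigs = m.dist.signatures ?? [];
  const registrySignature = sigs.some((s) => trustedKeyIds.has(s.keyid) && s.sig.length > 0);
  if (!registrySignature) {
    problems.push(sigs.length === 0 ? "no registry signature" : "registry signature by an untrusted keyid");
  }

  // 3. gitHead is self-reported by the publishing client, so it is a link to
  //    follow, not a proof. Require a full commit id and a repository to resolve it in.
  const gitHeadLinked = FULL_SHA1.test(m.gitHead ?? "") && typeof m.repository?.url === "string";
  if (!gitHeadLinked) {
    problems.push("gitHead missing, not a full commit id, or no repository URL to resolve it in");
  }

  return { slsaProvenance, registrySignature, gitHeadLinked, problems };
}

// Constructed sample: the shape of a current attested release (placeholder values).
const attestedRelease: NpmVersionManifest = {
  name: "openai",
  version: "6.39.1",
  gitHead: "0123456789abcdef0123456789abcdef01234567",
  repository: { type: "git", url: "git+https://github.com/openai/openai-node.git" },
  dist: {
    integrity: "sha512-PLACEHOLDER",
    signatures: [{ keyid: "SHA256:PLACEHOLDERKEYID", sig: "MEUCIQPLACEHOLDER" }],
    attestations: {
      url: "https://registry.npmjs.org/-/npm/v1/attestations/openai@6.39.1",
      provenance: { predicateType: SLSA_V1_PREDICATE },
    },
  },
};

// Constructed sample: a manual publish with no attestation and only a short gitHead.
const manualPublish: NpmVersionManifest = {
  name: "openai",
  version: "0.0.0",
  gitHead: "0123456",
  dist: {
    integrity: "sha512-PLACEHOLDER",
    signatures: [{ keyid: "SHA256:PLACEHOLDERKEYID", sig: "MEUCIQPLACEHOLDER" }],
  },
};

const trusted = new Set(["SHA256:PLACEHOLDERKEYID"]);

function summarize(m: NpmVersionManifest): string {
  const r = checkProvenance(m, trusted);
  const ok = r.slsaProvenance && r.registrySignature && r.gitHeadLinked;
  return `${m.name}@${m.version}: ${ok ? "all provenance signals present" : r.problems.join("; ")}`;
}

console.log(summarize(attestedRelease));
console.log(summarize(manualPublish));
```

The function reports the signals separately rather than collapsing them into one boolean because they mean different things: a valid registry signature with no attestation is exactly the state the accepted "no-provenance" finding below describes, and a plausible gitHead on its own proves nothing, since the publishing client writes it from its local checkout. For real data, feed the output of `npm view openai@6.39.1 --json` to `checkProvenance` and, for the signature itself, run `npm audit signatures` in a project that depends on the package.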

Maintainers

dylan-hurd-openai, moustafa-openai, tylersmith-openai, atty-openai, tibo-openai, dkundel-openai, mbolin-openai, fouad-openai, easong-openai, aibrahim-openai, apcha-oai, seratch-openai, dschnurr, jeevnayak, knight-oai, dschnurr-openai, kwhinnery-openai

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
bogus-package | bogus-package | AI (bogus-package): Signals reflect a deliberate namespace placeholder stub for the official OpenAI SDK, not a spam or malicious package. Age, version count, and publisher track record confirm legitimacy. | ai |
npm-metadata | suspicious-initial-version | AI (npm-metadata): openai@0.0.0 is a long-standing namespace reservation stub (2113 days old, 354 versions in registry); the 0.0.0 version is not indicative of malicious intent here. | ai |
phantom-deps | phantom-dep:@types/qs | AI (phantom-deps): TypeScript @types packages are conventionally declared as deps without direct imports; stable pattern for the openai SDK. | ai |
dependencies | unvetted-dep:@types/qs | AI (dependencies): @types/qs is a standard TypeScript type definition package used alongside the qs runtime dep; no security concern for this package. | ai |
provenance | no-provenance | AI (provenance): Official OpenAI SDK with long history and strong ecosystem trust; lack of Sigstore provenance is not a meaningful risk signal here. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): OpenAI is migrating maintainer accounts from personal to org-scoped npm accounts (e.g., fouad → fouad-openai). This pattern is consistent across their releases and is not indicative of a takeover. | ai |
dependencies | unvetted-dep:node-fetch | AI (dependencies): node-fetch is a standard HTTP client; legitimate dependency for API client library. | ai |
phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type definitions loaded by convention in TypeScript packages; stable for this package. | ai |
phantom-deps | phantom-dep:@types/node-fetch | AI (phantom-deps): Type definitions loaded by convention in TypeScript packages; stable for this package. | ai |
source-diff | obfuscated-file:resources/realtime/realtime.d.ts | AI (source-diff): TypeScript declaration file with verbose JSDoc comments for Realtime API types; long lines are type definitions, not obfuscation. False positive for this SDK. | ai |
source-diff | obfuscated-file:resources/realtime/realtime.d.mts | AI (source-diff): TypeScript declaration file with verbose JSDoc comments for Realtime API types; long lines are type definitions, not obfuscation. False positive for this SDK. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): All new maintainers (easong-openai, aibrahim-openai, apcha-oai, victor-openai, seratch-openai, gabor-openai) follow OpenAI's internal account naming convention. Consistent with team expansion. | ai |
provenance | publisher-changed | AI (provenance): All publisher/maintainer accounts follow the *-openai naming convention, consistent with OpenAI's internal team rotation. Legitimate organizational handoff pattern for this package. | ai |
semgrep | semgrep:shady-links-raw-ip | AI (semgrep): The IP 169.254.169.254 is the Azure IMDS endpoint for managed identity token acquisition — a documented, standard Azure cloud integration pattern in the OpenAI SDK's auth module. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Base64 decoding of embedding vectors is legitimate API client functionality; no malicious intent. | ai |

Versions (showing 51 of 342)

Version Deps Published
6.39.1 0 / 0
6.39.0 0 / 0
6.38.0 0 / 0
6.37.0 0 / 0
6.36.0 0 / 0
6.35.0 0 / 0
6.34.0 0 / 0
6.33.0 0 / 0
6.32.0 0 / 0
6.31.0 0 / 0
6.30.1 0 / 0
6.29.0 0 / 0
6.28.0 0 / 0
6.27.0 0 / 0
6.26.0 0 / 0
6.25.0 0 / 0
6.24.0 0 / 0
6.23.0 0 / 0
6.22.0 0 / 0
6.21.0 0 / 0
6.20.0 0 / 0
6.19.0 0 / 0
6.18.0 0 / 0
6.17.0 0 / 0
6.16.0 0 / 0
6.15.0 0 / 0
6.14.0 0 / 0
6.13.0 0 / 0
6.10.0 0 / 0
6.9.1 0 / 0
6.9.0 0 / 0
6.8.1 0 / 0
6.8.0 0 / 0
6.7.0 0 / 0
6.6.0 0 / 0
6.5.0 0 / 0
6.4.0 0 / 0
6.3.0 0 / 0
6.2.0 0 / 0
6.1.0 0 / 0
6.0.1 0 / 0
6.0.0 0 / 0
5.23.2 0 / 0
5.23.1 0 / 0
5.23.0 0 / 0
5.22.1 0 / 0
5.22.0 0 / 0
5.21.0 0 / 0
5.20.3 0 / 0
5.20.2 0 / 0
5.20.1 0 / 0

v6.39.1

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.39.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.38.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.37.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.36.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.35.0

1 finding
INFO (provenance): Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.