openai — Greenflagged

The official TypeScript library for the OpenAI API

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

dylan-hurd-openaimoustafa-openaitylersmith-openaiatty-openaitibo-openaidkundel-openaimbolin-openaifouad-openaieasong-openaiaibrahim-openaiapcha-oaiseratch-openaidschnurrjeevnayakknight-oaidschnurr-openaikwhinnery-openai

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
bogus-package	bogus-package	AI (bogus-package): Signals reflect a deliberate namespace placeholder stub for the official OpenAI SDK, not a spam or malicious package. Age, version count, and publisher track record confirm legitimacy.	ai	2026/04/22
npm-metadata	suspicious-initial-version	AI (npm-metadata): [email protected] is a long-standing namespace reservation stub (2113 days old, 354 versions in registry); the 0.0.0 version is not indicative of malicious intent here.	ai	2026/04/22
phantom-deps	phantom-dep:@types/qs	AI (phantom-deps): TypeScript @types packages are conventionally declared as deps without direct imports; stable pattern for the openai SDK.	ai	2026/04/22
dependencies	unvetted-dep:@types/qs	AI (dependencies): @types/qs is a standard TypeScript type definition package used alongside the qs runtime dep; no security concern for this package.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Official OpenAI SDK with long history and strong ecosystem trust; lack of Sigstore provenance is not a meaningful risk signal here.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): OpenAI is migrating maintainer accounts from personal to org-scoped npm accounts (e.g., fouad → fouad-openai). This pattern is consistent across their releases and is not indicative of a takeover.	ai	2026/04/22
dependencies	unvetted-dep:node-fetch	AI (dependencies): node-fetch is a standard HTTP client; legitimate dependency for API client library.	ai	2026/04/22
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): Type definitions loaded by convention in TypeScript packages; stable for this package.	ai	2026/04/22
phantom-deps	phantom-dep:@types/node-fetch	AI (phantom-deps): Type definitions loaded by convention in TypeScript packages; stable for this package.	ai	2026/04/22
source-diff	obfuscated-file:resources/realtime/realtime.d.ts	AI (source-diff): TypeScript declaration file with verbose JSDoc comments for Realtime API types; long lines are type definitions, not obfuscation. False positive for this SDK.	ai	2026/04/22
source-diff	obfuscated-file:resources/realtime/realtime.d.mts	AI (source-diff): TypeScript declaration file with verbose JSDoc comments for Realtime API types; long lines are type definitions, not obfuscation. False positive for this SDK.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): All new maintainers (easong-openai, aibrahim-openai, apcha-oai, victor-openai, seratch-openai, gabor-openai) follow OpenAI's internal account naming convention. Consistent with team expansion.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): All publisher/maintainer accounts follow the *-openai naming convention, consistent with OpenAI's internal team rotation. Legitimate organizational handoff pattern for this package.	ai	2026/04/22
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): The IP 169.254.169.254 is the Azure IMDS endpoint for managed identity token acquisition — a documented, standard Azure cloud integration pattern in the OpenAI SDK's auth module.	ai	2026/04/21
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding of embedding vectors is legitimate API client functionality; no malicious intent.	ai	2026/04/21