openapi-typescript — Greenflagged

Convert OpenAPI 3.0 & 3.1 schemas to TypeScript

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

drewpowersgzm0

Keywords

swaggertypescripttsdtsopenapicodegengenerationopenapi 3node

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-dropped	AI (source-diff): Size reduction reflects legitimate build optimization (esbuild bundling + tsc compilation); normal for TypeScript projects.	ai	2026/04/21
source-diff	obfuscated-file:dist/examples/stripe-api.d.ts	AI (source-diff): Generated TypeScript declaration file for Stripe API — long lines are from auto-generated type definitions, not obfuscation. Consistent with package purpose.	ai	2026/04/21
source-diff	source-size-tripled	AI (source-diff): Size increase is from shipping generated example .d.ts files for large APIs (Stripe, GitHub, etc.). Expected for this package.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Mature package (2011 days old, 156 versions, 3M weekly downloads). README links are legitimate OpenAPI/TypeScript documentation, not a phishing farm. Inflated semver signal is outdated.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Publisher changed to GitHub Actions with SLSA provenance attestation — CI/CD publishing is a security improvement for this established package.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): Maintainer addition on an established, actively maintained package is consistent with team growth; no compromise indicators present.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): Diff spans multiple major versions (4.x→6.x); 47 new files is expected for a large refactor of an established package.	ai	2026/04/21
provenance	missing-githead	AI (provenance): Missing gitHead is a metadata change, likely from CI/CD environment shift; does not indicate malicious intent for an established package.	ai	2026/04/21
dependencies	unvetted-dep:node-fetch	AI (dependencies): node-fetch is a well-known HTTP client used to fetch remote OpenAPI specs; its use is appropriate and expected for this package.	ai	2026/04/21
dependencies	unvetted-dep:slash	AI (dependencies): slash is a well-known, widely-used path utility package; its use here for cross-platform path normalization is appropriate and expected.	ai	2026/04/21
phantom-deps	phantom-dep:hosted-git-info	AI (phantom-deps): hosted-git-info is a declared runtime dependency used transitively; the phantom-dep finding is a false positive for this package.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): New dependencies are all established utility libraries (parse-json, change-case, ansi-colors, supports-color, yargs-parser) appropriate for CLI tooling; no suspicious patterns.	ai	2026/04/21
dependencies	unvetted-dep:fast-glob	AI (dependencies): fast-glob is a well-known, widely-trusted npm package used for file globbing; its use in a code generation tool is expected and benign.	ai	2026/04/21
dependencies	unvetted-dep:@redocly/openapi-core	AI (dependencies): @redocly/openapi-core is the canonical OpenAPI validation library; core to this package's functionality and widely used in the ecosystem.	ai	2026/04/21
dependencies	unvetted-dep:undici	AI (dependencies): undici is the official Node.js HTTP client used here for fetching remote OpenAPI specs; legitimate and expected use.	ai	2026/04/21
dependencies	unvetted-dep:mime	AI (dependencies): mime is a well-known, widely-used MIME type library; its use here for OpenAPI type generation is expected and legitimate.	ai	2026/04/21
dependencies	unvetted-dep:tiny-glob	AI (dependencies): tiny-glob is a lightweight glob utility used for file discovery; legitimate use in a CLI code generation tool.	ai	2026/04/21
dependencies	unvetted-dep:prettier	AI (dependencies): prettier is used to format generated TypeScript output; a well-known, widely-trusted formatting tool.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Provenance attestation is a best practice but not a blocker; this established package has a valid GitHub repo and trusted publisher.	ai	2026/04/21

Versions (showing 51 of 126)

View all versions

Version	Deps	Published
7.13.0	6 / 7	2026-02-11
7.12.0	6 / 7	2026-02-08
7.10.1	6 / 7	2025-10-15
7.10.0	6 / 7	2025-10-14
7.9.1	6 / 7	2025-08-11
7.9.0	6 / 7	2025-08-11
7.8.0	6 / 7	2025-05-10
7.7.3	6 / 9	2025-05-10
7.7.2	6 / 9	2025-05-10
7.7.1	6 / 9	2025-05-05
7.7.0	6 / 9	2025-05-03
7.6.1	6 / 9	2025-02-02
7.6.0	6 / 9	2025-01-25
7.5.2	6 / 9	2025-01-06
7.5.1	6 / 9	2025-01-03
7.5.0	6 / 9	2025-01-03
7.4.4	6 / 9	2024-12-01
7.4.3	6 / 9	2024-11-08
7.4.2	6 / 9	2024-10-25
7.4.1	6 / 9	2024-09-20
7.4.0	6 / 9	2024-09-03
7.3.3	5 / 9	2024-08-30
7.3.2	5 / 9	2024-08-29
7.3.1	5 / 9	2024-08-29
7.3.0	5 / 9	2024-08-02
7.2.0	5 / 9	2024-07-31
7.1.2	5 / 9	2024-07-30
7.1.1	5 / 9	2024-07-29
7.1.0	5 / 9	2024-07-19
7.0.4	5 / 9	2024-07-17
7.0.3	5 / 9	2024-07-16
7.0.2	5 / 9	2024-07-04
7.0.1	5 / 9	2024-07-02
7.0.0	5 / 11	2024-06-20
6.7.6	6 / 10	2024-05-19
6.7.5	6 / 10	2024-03-12
6.7.4	6 / 10	2024-01-19
6.7.3	6 / 10	2023-12-13
6.7.2	6 / 10	2023-12-01
6.7.1	6 / 10	2023-11-09
6.7.0	6 / 10	2023-09-25
6.6.2	6 / 10	2023-09-23
6.6.1	6 / 10	2023-09-13
6.6.0	6 / 10	2023-09-12
6.5.5	6 / 10	2023-09-08
6.5.4	6 / 10	2023-08-30
6.5.3	6 / 10	2023-08-22
6.5.2	6 / 10	2023-08-20
6.5.1	6 / 10	2023-08-19
6.5.0	6 / 10	2023-08-14
6.4.5	6 / 10	2023-08-10