openid-client — Greenflagged

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

panva

Keywords

access tokenauthauthenticationauthorizationbasicbrowserbuncertifiedcibaclientcloudflaredenoedgeelectronfapijavascriptjwtnetlifynextnextjsnodenodejsoauthoauth2oidcopenid-connectopenidpassportstrategyvercelworkerdworkers

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Publisher changed from panva personal account to GitHub Actions CI/CD with SLSA provenance attestation. This is a standard, positive migration for panva's packages.	ai	2026/04/26
publish-pattern	dormant-publish	AI (publish-pattern): Mature package (218 versions, 8M downloads) by well-known maintainer panva. Dormancy gap is not indicative of compromise given SLSA provenance and consistent repo ownership.	ai	2026/04/26
source-diff	large-new-source-files	AI (source-diff): 23 new files is normal for a mature package evolution; no evidence of bundled/injected code in this well-established project.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): jose is an established cryptographic library by the same author; adding it for OpenID Connect support is contextually appropriate and not a supply-chain attack vector.	ai	2026/04/23
semgrep	semgrep:base64-decode	AI (semgrep): Base64url decoding is a documented part of JWT/OIDC spec; standard utility function with no suspicious context.	ai	2026/04/23
provenance	no-provenance	AI (provenance): openid-client is a long-established, high-download package published well before Sigstore provenance was available on npm. No provenance is expected and not a risk signal here.	ai	2026/04/23
dependencies	unvetted-dep:oauth4webapi	AI (dependencies): oauth4webapi is a well-established OAuth library by the same author (panva); unvetted status is a registry artifact, not a real risk signal for this package.	ai	2026/04/21
dependencies	unvetted-dep:jose	AI (dependencies): jose is an established cryptographic library by panva; appropriate for OpenID Connect token handling.	ai	2026/04/21

Versions (showing 51 of 69)

View all versions

Version	Deps	Published
6.8.4	2 / 30	2026-04-27
6.8.3	2 / 30	2026-04-13
6.8.2	2 / 29	2026-02-07
6.8.1	2 / 29	2025-09-27
6.8.0	2 / 29	2025-09-11
6.7.1	2 / 29	2025-08-29
6.7.0	2 / 29	2025-08-27
6.6.4	2 / 29	2025-08-12
6.6.3	2 / 29	2025-08-05
6.6.2	2 / 29	2025-07-01
6.6.1	2 / 29	2025-06-21
6.6.0	2 / 29	2025-06-21
6.5.3	2 / 28	2025-06-19
6.5.2	2 / 28	2025-06-19
6.5.1	2 / 28	2025-06-08
6.5.0	2 / 28	2025-05-06
6.4.2	2 / 28	2025-04-10
6.4.1	2 / 29	2025-04-03
6.4.0	2 / 29	2025-04-03
6.3.4	2 / 29	2025-03-12
6.3.3	2 / 29	2025-02-24
6.3.2	2 / 29	2025-02-24
6.3.1	2 / 29	2025-02-20
6.3.0	2 / 29	2025-02-18
6.2.0	2 / 29	2025-02-17
6.1.7	2 / 29	2024-12-02
6.1.6	2 / 29	2024-11-28
6.1.5	2 / 29	2024-11-27
6.1.4	2 / 29	2024-11-22
6.1.3	2 / 29	2024-10-23
6.1.2	2 / 29	2024-10-23
6.1.1	2 / 29	2024-10-18
6.1.0	2 / 29	2024-10-17
6.0.0	2 / 29	2024-10-15
5.7.1	4 / 10	2024-11-22
5.7.0	4 / 10	2024-09-09
5.6.5	4 / 10	2024-03-07
5.6.4	4 / 10	2024-01-06
5.6.3	4 / 10	2024-01-05
5.6.2	4 / 10	2023-12-22
5.6.1	4 / 10	2023-10-11
5.6.0	4 / 10	2023-10-03
5.5.0	4 / 11	2023-09-08
5.4.3	4 / 11	2023-07-06
5.4.2	4 / 11	2023-04-25
5.4.1	4 / 11	2023-04-21
5.4.0	4 / 11	2023-02-05
5.3.4	4 / 11	2023-02-02
5.3.3	4 / 11	2023-02-02
5.3.2	4 / 11	2023-01-20
5.3.1	4 / 11	2022-11-28

v6.8.2

2 findings

HIGH Publisher changed: panva → GitHub Actions (on 2026-02-07) provenance

This version was published by a different npm account than previous versions on 2026-02-07. This could indicate a legitimate maintainer transition or an account compromise.