
OpenSearch JS Client

registry: npm
package name: @opensearch-project/opensearch
maintainer: OpenSearch Contributors

The official OpenSearch JavaScript client provides Node.js access to OpenSearch clusters for indexing, search, and cluster management. It is used in logging pipelines, enterprise search applications, and observability backends that store events in OpenSearch. The client handles authentication via basic credentials or AWS SigV4 signing.

api usage

Checking OpenSearch JS Client

@opensearch-project/opensearch 2.8.0 is a clean version with no known supply chain compromise. The check response for it returns supply_chain.compromised: false with an empty sources array and risk_state "none".

```bash
curl "https://api.attestd.io/v1/check?product=%40opensearch-project%2Fopensearch&version=2.8.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

```json
{
  "product": "@opensearch-project/opensearch",
  "version": "2.8.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
```
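
A CI step usually wants more than the raw JSON: it needs a decision. The following Node.js snippet is an added example, not code from the Attestd page or from the opensearch-js project. It builds the same URL the curl call uses, sends the bearer token, and maps the response to an allow / block / review verdict. Assumptions not stated on the page: the key is read from an ATTESTD_API_KEY environment variable, an unsupported product is treated as "review" rather than "allow" (no data is not the same as clean), and any risk_state other than "none" (the only value the page shows) is also routed to review. The fetch implementation is injectable so the logic can be exercised against the embedded, constructed samples without network access.

```javascript
// Added example (not from the Attestd page or the opensearch-js project):
// turn an Attestd check response into a decision a CI job can act on.
// Assumptions: API key in ATTESTD_API_KEY; any risk_state other than "none"
// (the only value shown on the page) is treated as needing human review.

const ATTESTD_CHECK_URL = "https://api.attestd.io/v1/check";

// Build the same URL as the curl example; encodeURIComponent turns
// "@opensearch-project/opensearch" into "%40opensearch-project%2Fopensearch".
function buildCheckUrl(product, version) {
  return `${ATTESTD_CHECK_URL}?product=${encodeURIComponent(product)}` +
    `&version=${encodeURIComponent(version)}`;
}

// Map one check response (the JSON shape shown above) to a verdict.
function evaluateCheck(resp) {
  if (!resp || resp.supported !== true) {
    // No coverage is not evidence of cleanliness, so do not auto-allow.
    return { verdict: "review", reason: "product or version not covered by Attestd" };
  }
  const sc = resp.supply_chain || {};
  if (sc.compromised === true) {
    const sources = Array.isArray(sc.sources) && sc.sources.length > 0
      ? sc.sources.join(", ")
      : "unspecified source";
    return {
      verdict: "block",
      reason: `flagged as compromised by ${sources}`,
      advisory: sc.advisory_url || null,
    };
  }
  if (resp.risk_state !== "none") {
    return { verdict: "review", reason: `risk_state is ${resp.risk_state}` };
  }
  return { verdict: "allow", reason: "no known supply chain compromise" };
}

// Query the API for one package version. fetchImpl is injectable so the
// function can be tested offline; the default is Node's global fetch.
async function checkVersion(product, version,
                            apiKey = process.env.ATTESTD_API_KEY,
                            fetchImpl = fetch) {
  if (!apiKey) throw new Error("ATTESTD_API_KEY is not set");
  const res = await fetchImpl(buildCheckUrl(product, version), {
    headers: { Authorization: `Bearer ${apiKey}` },
  });
  if (!res.ok) throw new Error(`Attestd check failed: HTTP ${res.status}`);
  return evaluateCheck(await res.json());
}

// Constructed sample mirroring the clean response shown above for 2.8.0.
const SAMPLE_CLEAN = {
  product: "@opensearch-project/opensearch",
  version: "2.8.0",
  supported: true,
  risk_state: "none",
  supply_chain: {
    compromised: false, sources: [], malware_type: null, description: null,
    advisory_url: null, compromised_at: null, removed_at: null,
  },
  last_updated: "2026-05-01T00:00:00Z",
};

// Constructed sample of a flagged response. The version, risk_state value and
// advisory URL are placeholders, not a real advisory for this package.
const SAMPLE_FLAGGED = {
  ...SAMPLE_CLEAN,
  version: "0.0.0-placeholder",
  risk_state: "compromised", // hypothetical; the page only shows "none"
  supply_chain: {
    ...SAMPLE_CLEAN.supply_chain,
    compromised: true,
    sources: ["osv"],
    advisory_url: "https://example.invalid/advisory-placeholder",
  },
};

// Stand-alone run against the embedded samples, no network needed.
if (typeof require !== "undefined" && require.main === module) {
  const fakeFetch = async () => ({ ok: true, status: 200, json: async () => SAMPLE_CLEAN });
  checkVersion("@opensearch-project/opensearch", "2.8.0", "placeholder-key", fakeFetch)
    .then((decision) => console.log("2.8.0:", decision));
  console.log("placeholder flagged version:", evaluateCheck(SAMPLE_FLAGGED));
}
```

In a pipeline the natural place for checkVersion is a pre-install hook that reads the resolved version from the lockfile; a "block" verdict should fail the job and surface advisory_url, while "review" should not silently pass, because an unsupported product or a non-"none" risk_state is exactly the case where a human should look.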

attack surface

Why this package is monitored

Search cluster clients authenticate with credentials that may grant access to the full document index. A compromised client can exfiltrate indexed documents, which in logging use cases may contain API responses, user activities, and internal system events.

Attestd monitors @opensearch-project/opensearch using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.
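
The npm_deprecation source is a keyword heuristic over registry metadata, which is why it carries the lowest confidence of the three. The snippet below is an added example, not Attestd's own detector or code from the opensearch-js project, showing that heuristic applied to an npm registry package document. Assumption: the document follows the public npm registry format, where each entry in the versions map carries a "deprecated" string when that version was deprecated; the package name and messages in the sample are constructed. Matching is whole-word and case-insensitive so that, for instance, "uncompromised" does not trigger.

```javascript
// Added example (not from the Attestd page or the opensearch-js project):
// flag npm versions whose deprecation message uses attack language.
// Assumption: input is an npm registry "packument" with versions[v].deprecated.

const ATTACK_TERMS = ["malicious", "backdoor", "compromised"];
// Whole-word, case-insensitive; no "g" flag so exec() is stateless.
const ATTACK_PATTERN = new RegExp(`\\b(${ATTACK_TERMS.join("|")})\\b`, "i");

// Return the versions whose deprecation message contains attack language,
// with the matched term so an analyst can see why each was flagged.
function findSuspiciousDeprecations(packument) {
  const hits = [];
  const versions = (packument && packument.versions) || {};
  for (const [version, meta] of Object.entries(versions)) {
    const msg = meta && meta.deprecated;
    if (typeof msg !== "string") continue; // not deprecated, or no message
    const m = ATTACK_PATTERN.exec(msg);
    if (m) hits.push({ version, term: m[1].toLowerCase(), message: msg });
  }
  return hits;
}

// Constructed sample packument; the name and every message are made up.
const SAMPLE_PACKUMENT = {
  name: "example-placeholder-pkg",
  versions: {
    "1.4.0": {},
    "1.4.1": { deprecated: "1.4.1 was published from a compromised maintainer account; upgrade to 1.4.2" },
    "1.4.2": {},
    "2.0.0": { deprecated: "Please use 3.x instead" },
    "2.0.1": { deprecated: "Contains a backdoor, do not install" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findSuspiciousDeprecations(SAMPLE_PACKUMENT)) {
    console.log(`${SAMPLE_PACKUMENT.name}@${hit.version}: "${hit.term}" in "${hit.message}"`);
  }
}
```

The heuristic cannot tell "compromised" from "not compromised", and a maintainer may deprecate a clean version with alarming wording, so a hit from this source alone is a lead for the higher-confidence registry and OSV sources to confirm rather than a verdict.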
