OverviewWhy AttestdQuickstartResponse FieldsAPI ReferenceSDK Reference↳ Python↳ JavaScriptAccount & PortalAI Agent IntegrationCI/CD IntegrationIntegrations↳ MCP Server↳ LangChain↳ LangChain (JS)↳ AutoGenProductsSupply chainFAQ
supply chain / cohere-ai

Cohere SDK (JS)

registrynpm
package namecohere-ai
maintainerCohere

The Cohere JavaScript SDK provides access to Cohere's Command, Embed, and Rerank APIs from Node.js. It is used in Node.js RAG pipelines for semantic search and document re-ranking. The SDK authenticates via a Cohere API key and handles both synchronous and streaming responses.

api usage

Checking Cohere SDK (JS)

cohere-ai 7.9.0 is a clean version with no known supply chain compromise. The response returns compromised: false with an empty sources array.

bash
curl "https://api.attestd.io/v1/check?product=cohere-ai&version=7.9.0" \
  -H "Authorization: Bearer YOUR_API_KEY"
json
{
  "product": "cohere-ai",
  "version": "7.9.0",
  "supported": true,
  "risk_state": "none",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "last_updated": "2026-05-01T00:00:00Z"
}
attack surface

Why this package is monitored

Embedding and re-ranking API packages process query text and retrieved document content in RAG pipelines, giving a compromised package access to both the user query and the private documents being surfaced in response.

Attestd monitors cohere-ai using the following detection sources:

registry

Manually curated advisories in the Attestd registry, verified by a human analyst. Confidence 1.0.

osv

OSV.dev malicious-package advisories with IDs prefixed MAL-. Confidence 0.95.

npm_deprecation

npm package versions with deprecation messages containing targeted attack language such as malicious, backdoor, or compromised. Confidence 0.80.

related
Supply chain overviewAll npm packagesOpenAI SDK (JS)LangChain (JS)Response fields