DETAILED ACTION
This office action is responsive to claims 1 - 20 filed in this application Telang et al., U.S. Patent Application No. 18/649,613 (Filed April 29, 2024) (“Telang”).
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.
Claims 1 – 20 are rejected under 35 U.S.C. 101 because the claimed inventions are directed to non-statutory subject matter. The claimed inventions do not fall within a statutory category of invention because the claimed invention is directed to a “Mental Processes” abstract idea without significantly more.
1. Claim 1 is rejected under 35 U.S.C. 101 because the claimed invention is directed to a “Mental Processes” abstract idea without significantly more. The claim recites selecting a project, and determining a count and relationship score which covers performance of the limitation that can be performed in the mind or by pen and paper, but for the recitation of generic computer components.
That is, other than reciting generic computer components and insignificant extra-solution data transmission, nothing in the claim elements precludes the selecting and determining steps from being performed in the mind of a developer potentially using a computer as a tool for editing program code. See MPEP § 2106.04(a)(2)(III)(C)(3). As drafted, the claimed process, under its broadest reasonable interpretation, covers of the limitation in the mind but for the recitation of generic computer components and insignificant extra-solution data storage, which falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.
This judicial exception is not integrated into a practical application because the claims only recite generic computing components and data transmission. See MPEP 2106.05(f). Accordingly, these additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea.
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the courts have identified mere data gathering, displaying/outputting, transmitting, and storing, are well-understood, routine and conventional activity. See MPEP 2106.05(d).
Claims 2 - 20 contain the same abstract idea as claim 1 and do not contain any additional limitations that would integrate the judicial exception into a practical application or additional elements that are sufficient to amount to significantly more than the judicial exception.
2. Claims 17 – 20 are rejected under 35 U.S.C. 101 because the claimed inventions are directed to non-statutory subject matter. The claimed inventions do not fall within a statutory category of invention because they are neither a process, machine, manufacture, nor composition of matter.
Claim 17 recites a “computer-readable media” which the claims or specification fail to limit to non-transitory embodiments. Under the broadest reasonable interpretation, computer-readable medium or storage medium (or media), may be interpreted to include transitory media, which includes a signal per se, particularly when the storage medium is explicitly defined in the specification as a signal. See MPEP 2106 (II) & 2106.03. Claims covering signals per se must be rejected as non-statutory subject matter. See Interim Examination Instructions for Evaluating Subject Matter Eligibility Under 35 U.S.C. § 101, U.S. Patent and Trademark Off. (Aug. 24, 2009), available at http://www.uspto.gov/web/offices/pac/dapp/opla/2009-08-25_interim_101_instructions.pdf; see also In re Nuijten, 500 F.3d 1346, 1356-57 (Fed. Cir. 2007) (transitory embodiments are not directed to statutory subject matter). Examiner suggests amending the claims to read “non-transitory machine readable media.”
Claims 18 – 20 are rejected for similar reasoning. Claims 18 – 20 are rejected as depending on claim 17.
Claim Rejections 35 U.S.C. §103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Jennings, United States Patent No. 11,586,436 (Patented February 21, 2023, filed August 2, 2022) (“Jennings”) in view of Konves, What if we could verify npm packages, Medium (1/7/2019) retrieved from https://medium.com/@stevekonves/what-if-we-could-verify-npm-packages-c2a319cff758 on 6/13/2026 (“Konves”) in view of Ito, NPM Version Match.
Claims 1, 12, and 17
With respect to claims 1, 12, and 17, Jennings teaches the invention as claimed including a method comprising:
obtaining, from the executable software exchange, package versions established for the package, each package version having a version name and a version date; selecting a project of a source code exchange, … obtaining project [tags] established for the project, each project [tag] having a [tag] name and a [tag] date; determining a count of each matching package version and project [tag], wherein a match of a package version and a project [tag] is determined by: establishing that a version name of the package version and a [tag] name of the project [tag] match; and establishing that a version date of the package version and a [tag] date of the project [tag] match; and determining a relationship score based on the count of each matching package version and project [tag]; and …causing an indication of the relationship score to be presented together with the content associated with the package. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which displays the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 15 ln. 27; id. at col. 16 ln. 65 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information). See also col. 21, ln 21 – col. 6, ln 2}
However, Jennings doesn’t explicitly teach the limitation:
selecting a package of an executable software exchange; …wherein the project is identified by the package as a source from which the package is derived; … in response to detecting that a user is viewing content associated with the package, {Konves does teach this limitation. Konves teaches that the method for verifying package version information with source code version information, as taught in Jennings, may include where the verification is between a package being viewed in npm and a source from github where github tag information is accessed to compare to the npm package metadata. Konves at pgs. 1 - 9.
Jennings and Konves are analogous art because they are from the “same field of endeavor” and are both from the same “problem-solving area.” Specifically, they are both from the field of malicious software detection, and both are trying to solve the problem of how to detect differences between packages and source code.
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine validating packages to source code using version information comparisons, as taught in Jennings, with comparing npm to github, as taught in Konves. Konves teaches that npm can have maliciously altered packages that are hard to detect. Konves at pgs. 1 - 4. Therefore, one having ordinary skill in the art would have been motivated to combine validating packages to source code using version information comparisons, as taught in Jennings, with comparing npm to github, as taught in Konves, for the purpose of using a known package and source code verification method with a detection technique that requires verification between npm packages and source code.}
tags {Ito does teach this limitation. Ito teaches that the method for verifying npm package version information with github source code version information, as taught in Jennings and Knoves, may include where the comparison is between version information in an npm package.json file and from github tags. Ito at pgs. 1 - 9.
Jennings, Konves, and Ito are analogous art because they are from the “same field of endeavor” and are both from the same “problem-solving area.” Specifically, they are both from the field of software error detection, and both are trying to solve the problem of how to detect differences between packages and source code.
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to combine validating packages to source code using version information comparisons, as taught in Jennings and Knoves, with comparing version info from an npm package.json file and from github tags, as taught in Ito. Konves teaches that npm can have maliciously altered packages that are hard to detect. Konves at pgs. 1 - 4. Therefore, one having ordinary skill in the art would have been motivated to combine validating packages to source code using version information comparisons, as taught in Jennings and Knoves, with comparing version info from an npm package.json file and from github tags, as taught in Ito, for the purpose of using a known npm package and github source code verification method with a comparison that requires analyzing npm package version info and github version tags.}
Claim 2
With respect to claim 2, Jennings, Konves, and Ito teach the invention as claimed including:
wherein determining the relationship score is further based on a total count of the obtained project tags. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which displays the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 15 ln. 27; id. at col. 16 ln. 65 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claim 3
With respect to claim 3, Jennings, Konves, and Ito teach the invention as claimed including:
wherein establishing that the version date of the package version and the tag date of the project tag match comprises: determining that the version date of the package version and the tag date of the project tag are within a configurable time threshold of each other. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference, such as zero, to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4;id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claims 4 and 13
With respect to claims 4 and 13, Jennings, Konves, and Ito teach the invention as claimed including:
wherein establishing that the version name of the package version and the tag name of the project tag match comprises: obtaining an operation to extract a version name substring from the version name and a tag name substring from the tag name; extracting, using the operation, the version name substring and the tag name substring; and comparing the version name substring to the tag name substring. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claim 5
With respect to claim 5, Jennings, Konves, and Ito teach the invention as claimed including:
wherein obtaining the operation to extract the version name substring from the version name and the tag name substring from the tag name comprises: obtaining a regular expression to extract the version name substring from the version name and the tag name substring from the tag name. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claims 6 and 15
With respect to claims 6 and 15, Jennings, Konves, and Ito teach the invention as claimed including:
wherein establishing that the version name of the package version and the tag name of the project tag match comprises: obtaining an approximate string-matching algorithm to compare the version name and the tag name; and comparing the version name and the tag name using the approximate string-matching algorithm. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claim 7
With respect to claim 7, Jennings, Konves, and Ito teach the invention as claimed including:
further comprising, before establishing that a version name of the package version and the tag name of the project tag match, normalizing the version name and the tag name. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); id. at col. 18 ln. 4 – col. 19 ln. 3 (normalizing); Ito at pgs. 1 – 9 (github tags).}
Claim 8
With respect to claim 8, Jennings, Konves, and Ito teach the invention as claimed including:
wherein determining the relationship score uses a step function. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claim 9
With respect to claim 9, Jennings, Konves, and Ito teach the invention as claimed including:
wherein causing the indication of the relationship score to be presented together with the content associated with the package comprises: causing a graphical indication of the relationship score to be displayed to the user. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claims 10 and 16
With respect to claims 10 and 16, Jennings, Konves, and Ito teach the invention as claimed including:
wherein establishing that the version date of the package version and the tag date of the project tag match comprises: establishing that the version date and the tag date are within one calendar day of each other. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claim 11
With respect to claim 11, Jennings, Konves, and Ito teach the invention as claimed including:
wherein determining the relationship score comprises: determining the relationship score based on whether the package version is cryptographically signed by an owner of the project repository. {The verification may include cryptographic verification of signatures to determine similarity. Konves at pgs. 6 - 11.}
Claim 14
With respect to claim 14, Jennings, Konves, and Ito teach the invention as claimed including:
wherein the one or more processors obtain the operation to extract the version name substring from the version name and the tag name substring from the tag name by: attempting to match the version name to a plurality of regular expressions; and selecting, as the operation, a regular expression in the plurality of regular expressions that matches the version name. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claim 18
With respect to claim 18, Jennings, Konves, and Ito teach the invention as claimed including:
wherein establishing that the version date of the package version and the tag date of the project tag match comprises: selecting an approximate string-matching algorithm to compare the version date and the tag date; and comparing the version date and the tag date using the approximate string-matching algorithm. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claim 19
With respect to claim 19, Jennings, Konves, and Ito teach the invention as claimed including:
further executable to cause the one or more processors to perform actions, the actions comprising: calculating a reliability of the package using the relationship score. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Claim 20
With respect to claim 20, Jennings, Konves, and Ito teach the invention as claimed including:
wherein determining the relationship score comprises: calculating a matching portion of package versions that match a project tag; computing an entropy based on the matching portion using a binary entropy function; and determining the relationship score based on the entropy. {A malicious software detector uses a version authenticator to perform a comparison between a plurality of version number and date information entries for both a package and a source code and generates a compatibility threshold calculation which determines an acceptable threshold parameter difference including string distance to identify the extent of matching between the version info of the package and of the source code to inform on whether the package version is a safe copy of the source code. Jennings at col. 3 ll. 5 – 23; id. at col. 13 ll. 31 – 38; id. at col. 14 ln. 50 – col. 17 ln. 4; id. at col. 29 ll. 18 – 27 (display matching information); Ito at pgs. 1 – 9 (github tags).}
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to THEODORE E HEBERT whose telephone number is (571)270-1409. The examiner can normally be reached on Monday to Friday 9:00 a.m. to 6:00 p.m..
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on 571-272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
//T.H./ June 13, 2026
Examiner, Art Unit 2199
/LEWIS A BULLOCK JR/Supervisory Patent Examiner, Art Unit 2199