@apollo/client
A fully-featured caching GraphQL client.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:apollo-link | AI (dependencies): apollo-link is a well-known Apollo ecosystem package; its presence as a dependency of @apollo/client is expected and legitimate across all versions. | ai | |
| phantom-deps | phantom-dep:zen-observable | AI (phantom-deps): zen-observable is a direct runtime dependency in package.json; the phantom-dep flag is a false positive caused by config-file references rather than direct imports in source. | ai | |
| dependencies | unvetted-peer-dep:rxjs | AI (dependencies): rxjs is a foundational peer dependency for Apollo Client; widely vetted in practice despite analyzer status. | ai | |
| provenance | slsa-provenance | AI (provenance): SLSA provenance attestation is the strongest supply chain integrity signal; stable for this package's CI/CD pipeline. | ai | |
| phantom-deps | phantom-dep:npm | AI (phantom-deps): npm referenced in config files but not directly imported; expected pattern for build tools. | ai | |
| dependencies | unvetted-dep:npm | AI (dependencies): npm is a standard build tool; unvetted status is expected and acceptable for this package. | ai | |
| provenance | missing-githead | AI (provenance): Missing gitHead is metadata drift, not a security issue; Apollo's publisher history is strong. | ai | |
| dependencies | unvetted-dep:optimism | AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large new source files are expected for library update; no evidence of injected code. | ai | |
| phantom-deps | phantom-dep:response-iterator | AI (phantom-deps): Declared dependency referenced in config files; normal for build tooling. | ai | |
| dependencies | unvetted-dep:@graphql-typed-document-node/core | AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. | ai | |
| dependencies | unvetted-dep:zen-observable-ts | AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. | ai | |
| dependencies | unvetted-dep:response-iterator | AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. | ai | |
| dependencies | unvetted-dep:@wry/trie | AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Pre-release version from CI/CD (PR-based versioning); pattern is legitimate for this package's release workflow. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are Apollo ecosystem packages; legitimate library update. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in test code is legitimate testing pattern, not obfuscation; stable for this package. | ai | |
| dependencies | unvetted-peer-dep:subscriptions-transport-ws | AI (dependencies): subscriptions-transport-ws is a legacy but standard GraphQL subscription transport; optional peer dependency. | ai | |
| dependencies | unvetted-peer-dep:react-dom | AI (dependencies): react-dom is a standard peer dependency for React libraries; no security concern. | ai | |
| dependencies | unvetted-peer-dep:graphql-ws | AI (dependencies): graphql-ws is a standard GraphQL subscription transport; optional peer dependency with no risk. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to GitHub Actions reflects Apollo's CI/CD automation; SLSA provenance attestation validates the transition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions to established Apollo project; legitimate team expansion, not account compromise. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): benjamn's removal is part of normal maintainer rotation; combined with new maintainer and SLSA provenance, no takeover risk. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation not yet enabled; not a security defect for this mature package. | ai | |
| dependencies | unvetted-dep:use-sync-external-store | AI (dependencies): Established React utility; single new dependency addition is benign. | ai | |
| phantom-deps | phantom-dep:@types/use-sync-external-store | AI (phantom-deps): Framework-scoped type package loaded by convention; stable for this package. | ai | |
| dependencies | unvetted-dep:@types/use-sync-external-store | AI (dependencies): Type definitions for React hook; framework-scoped package, stable for this package. | ai | |
| phantom-deps | phantom-dep:@types/zen-observable | AI (phantom-deps): Framework-scoped type package; expected and benign for TypeScript support. | ai | |
| dependencies | unvetted-dep:fast-json-stable-stringify | AI (dependencies): Standard Apollo Client dependency; vetted across 686 prior versions. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): Standard Apollo Client dependency; vetted across 686 prior versions. | ai | |
| phantom-deps | phantom-dep:terser | AI (phantom-deps): terser is referenced in build config files as a minifier tool, not a runtime import — expected pattern for this package. | ai | |
| dependencies | unvetted-dep:terser | AI (dependencies): terser is a well-known JS minifier used as a build tool by Apollo Client; no security concern. | ai |
Versions (showing 51 of 171)
| Version | Deps | Published |
|---|---|---|
| 4.2.0 | 7 / 0 | |
| 4.1.9 | 7 / 0 | |
| 4.1.8 | 7 / 0 | |
| 4.1.7 | 7 / 0 | |
| 4.1.6 | 7 / 0 | |
| 4.1.5 | 7 / 0 | |
| 4.1.4 | 7 / 0 | |
| 4.1.3 | 7 / 0 | |
| 4.1.2 | 7 / 0 | |
| 4.1.1 | 7 / 0 | |
| 4.1.0 | 7 / 0 | |
| 4.0.13 | 7 / 0 | |
| 4.0.12 | 7 / 0 | |
| 4.0.11 | 7 / 0 | |
| 4.0.10 | 7 / 0 | |
| 4.0.9 | 7 / 0 | |
| 4.0.8 | 7 / 0 | |
| 4.0.7 | 7 / 0 | |
| 4.0.6 | 7 / 0 | |
| 4.0.5 | 7 / 0 | |
| 4.0.4 | 7 / 0 | |
| 4.0.3 | 7 / 0 | |
| 4.0.2 | 7 / 0 | |
| 4.0.1 | 7 / 0 | |
| 4.0.0 | 7 / 0 | |
| 3.14.1 | 13 / 93 | |
| 3.14.0 | 13 / 93 | |
| 3.13.9 | 13 / 93 | |
| 3.13.8 | 13 / 93 | |
| 3.13.7 | 13 / 93 | |
| 3.13.6 | 13 / 93 | |
| 3.13.5 | 13 / 93 | |
| 3.13.4 | 13 / 93 | |
| 3.13.3 | 13 / 93 | |
| 3.13.2 | 13 / 93 | |
| 3.13.1 | 13 / 93 | |
| 3.13.0 | 13 / 93 | |
| 3.12.11 | 13 / 93 | |
| 3.12.10 | 13 / 93 | |
| 3.12.9 | 13 / 93 | |
| 3.12.8 | 13 / 93 | |
| 3.12.7 | 14 / 93 | |
| 3.12.6 | 14 / 88 | |
| 3.12.5 | 14 / 88 | |
| 3.12.4 | 14 / 88 | |
| 3.12.3 | 14 / 88 | |
| 3.12.2 | 14 / 87 | |
| 3.12.1 | 14 / 87 | |
| 3.12.0 | 14 / 87 | |
| 3.11.10 | 14 / 85 | |
| 3.11.9 | 14 / 85 |
v4.2.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.7
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.1.5
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-19. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.4
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-05. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.3
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-28. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.2
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.1
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-20. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.0
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.13
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-13. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.12
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.11
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-16. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.10
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-10. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.9
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-31. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.8
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-27. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v4.0.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.14.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.14.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.13.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.12.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.11.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.11.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.