@apollo/client — Greenflagged

A fully-featured caching GraphQL client.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

phryneasjerelmillerapollo-botabernix

Keywords

apollographqlreacthooksclientcachetanstack-intent

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:apollo-link	AI (dependencies): apollo-link is a well-known Apollo ecosystem package; its presence as a dependency of @apollo/client is expected and legitimate across all versions.	ai	2026/04/21
phantom-deps	phantom-dep:zen-observable	AI (phantom-deps): zen-observable is a direct runtime dependency in package.json; the phantom-dep flag is a false positive caused by config-file references rather than direct imports in source.	ai	2026/04/21
dependencies	unvetted-peer-dep:rxjs	AI (dependencies): rxjs is a foundational peer dependency for Apollo Client; widely vetted in practice despite analyzer status.	ai	2026/04/21
provenance	slsa-provenance	AI (provenance): SLSA provenance attestation is the strongest supply chain integrity signal; stable for this package's CI/CD pipeline.	ai	2026/04/21
phantom-deps	phantom-dep:npm	AI (phantom-deps): npm referenced in config files but not directly imported; expected pattern for build tools.	ai	2026/04/21
dependencies	unvetted-dep:npm	AI (dependencies): npm is a standard build tool; unvetted status is expected and acceptable for this package.	ai	2026/04/21
provenance	missing-githead	AI (provenance): Missing gitHead is metadata drift, not a security issue; Apollo's publisher history is strong.	ai	2026/04/21
dependencies	unvetted-dep:optimism	AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): Large new source files are expected for library update; no evidence of injected code.	ai	2026/04/21
phantom-deps	phantom-dep:response-iterator	AI (phantom-deps): Declared dependency referenced in config files; normal for build tooling.	ai	2026/04/21
dependencies	unvetted-dep:@graphql-typed-document-node/core	AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:zen-observable-ts	AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:response-iterator	AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:@wry/trie	AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package.	ai	2026/04/21
publish-pattern	suspicious-version-number	AI (publish-pattern): Pre-release version from CI/CD (PR-based versioning); pattern is legitimate for this package's release workflow.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): New dependencies are Apollo ecosystem packages; legitimate library update.	ai	2026/04/21
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() in test code is legitimate testing pattern, not obfuscation; stable for this package.	ai	2026/04/21
dependencies	unvetted-peer-dep:subscriptions-transport-ws	AI (dependencies): subscriptions-transport-ws is a legacy but standard GraphQL subscription transport; optional peer dependency.	ai	2026/04/21
dependencies	unvetted-peer-dep:react-dom	AI (dependencies): react-dom is a standard peer dependency for React libraries; no security concern.	ai	2026/04/21
dependencies	unvetted-peer-dep:graphql-ws	AI (dependencies): graphql-ws is a standard GraphQL subscription transport; optional peer dependency with no risk.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Publisher change to GitHub Actions reflects Apollo's CI/CD automation; SLSA provenance attestation validates the transition.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): Maintainer additions to established Apollo project; legitimate team expansion, not account compromise.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): benjamn's removal is part of normal maintainer rotation; combined with new maintainer and SLSA provenance, no takeover risk.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Provenance attestation not yet enabled; not a security defect for this mature package.	ai	2026/04/21
dependencies	unvetted-dep:use-sync-external-store	AI (dependencies): Established React utility; single new dependency addition is benign.	ai	2026/04/21
phantom-deps	phantom-dep:@types/use-sync-external-store	AI (phantom-deps): Framework-scoped type package loaded by convention; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:@types/use-sync-external-store	AI (dependencies): Type definitions for React hook; framework-scoped package, stable for this package.	ai	2026/04/21
phantom-deps	phantom-dep:@types/zen-observable	AI (phantom-deps): Framework-scoped type package; expected and benign for TypeScript support.	ai	2026/04/21
dependencies	unvetted-dep:fast-json-stable-stringify	AI (dependencies): Standard Apollo Client dependency; vetted across 686 prior versions.	ai	2026/04/21
dependencies	unvetted-dep:zen-observable	AI (dependencies): Standard Apollo Client dependency; vetted across 686 prior versions.	ai	2026/04/21
phantom-deps	phantom-dep:terser	AI (phantom-deps): terser is referenced in build config files as a minifier tool, not a runtime import — expected pattern for this package.	ai	2026/04/21
dependencies	unvetted-dep:terser	AI (dependencies): terser is a well-known JS minifier used as a build tool by Apollo Client; no security concern.	ai	2026/04/21

Versions (showing 47 of 347)

Hide prereleases

Version	Deps	Published
3.0.0-beta.39	9 / 27	2020-03-07
3.0.0-beta.37	9 / 27	2020-02-21
3.0.0-beta.36	9 / 27	2020-02-18
3.0.0-beta.32-james	9 / 27	2020-02-04
3.0.0-beta.30	9 / 27	2020-01-29
3.0.0-beta.3	9 / 27	2019-11-05
3.0.0-beta.29	9 / 28	2020-01-28
3.0.0-beta.27	9 / 28	2020-01-27
3.0.0-beta.26	9 / 29	2020-01-24
3.0.0-beta.2	9 / 27	2019-11-04
3.0.0-beta.18	9 / 29	2020-01-02
3.0.0-alpha.8	10 / 26	2019-10-23
3.0.0-alpha.6	9 / 29	2019-09-26
3.0.0-alpha.1	9 / 35	2019-09-09
0.0.0-pr-12042-20240828203939	14 / 83	2024-08-28
0.0.0-pr-11994-20240807171545	14 / 83	2024-08-07
0.0.0-pr-11900-20240620115719	14 / 82	2024-06-20
0.0.0-pr-11839-20240510211204	14 / 78	2024-05-10
0.0.0-pr-11771-20240409102352	14 / 77	2024-04-09
0.0.0-pr-11754-20240404204051	14 / 77	2024-04-04
0.0.0-pr-11638-20240304221457	14 / 76	2024-03-04
0.0.0-pr-11622-20240226120051	14 / 76	2024-02-26
0.0.0-pr-11617-20240226143959	14 / 76	2024-02-26
0.0.0-pr-11617-20240223125210	14 / 76	2024-02-23
0.0.0-pr-11594-20240213203418	14 / 76	2024-02-13
0.0.0-pr-11459-20240103162548	12 / 75	2024-01-03
0.0.0-pr-11412-20231212060506	14 / 76	2023-12-12
0.0.0-pr-11409-20231205142540	14 / 76	2023-12-05
0.0.0-pr-11403-20240201234412	14 / 76	2024-02-01
0.0.0-pr-11345-20231129141218	15 / 74	2023-11-29
0.0.0-pr-11296-20231017080612	13 / 73	2023-10-17
0.0.0-pr-11255-20230927113312	13 / 73	2023-09-27
0.0.0-pr-11228-20230919212733	13 / 73	2023-09-19
0.0.0-pr-11180-20230830082114	13 / 66	2023-08-30
0.0.0-pr-11134-20230808160421	13 / 66	2023-08-08
0.0.0-pr-11086-20230721035547	13 / 66	2023-07-21
0.0.0-pr-11083-20230725111454	13 / 66	2023-07-25
0.0.0-pr-11066-20230714202803	13 / 58	2023-07-14
0.0.0-pr-10958-20230607163359	13 / 62	2023-06-07
0.0.0-pr-10887-20230517142103	13 / 62	2023-05-17
0.0.0-pr-10805-20230425110644	13 / 55	2023-04-25
0.0.0-pr-10789-20230427152943	13 / 55	2023-04-27
0.0.0-pr-10755-20230511152615	13 / 59	2023-05-11
0.0.0-pr-10672-20230323230524	13 / 58	2023-03-23
0.0.0-pr-10651-20230313210704	13 / 59	2023-03-13
0.0.0-pr-10592-20230222165542	13 / 56	2023-02-22
0.0.0-pr-10509-20230525204036	13 / 62	2023-05-25