@apollo/client — Greenflagged

A fully-featured caching GraphQL client.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

phryneasjerelmillerapollo-botabernix

Keywords

apollographqlreacthooksclientcachetanstack-intent

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:apollo-link	AI (dependencies): apollo-link is a well-known Apollo ecosystem package; its presence as a dependency of @apollo/client is expected and legitimate across all versions.	ai	2026/04/21
phantom-deps	phantom-dep:zen-observable	AI (phantom-deps): zen-observable is a direct runtime dependency in package.json; the phantom-dep flag is a false positive caused by config-file references rather than direct imports in source.	ai	2026/04/21
dependencies	unvetted-peer-dep:rxjs	AI (dependencies): rxjs is a foundational peer dependency for Apollo Client; widely vetted in practice despite analyzer status.	ai	2026/04/21
provenance	slsa-provenance	AI (provenance): SLSA provenance attestation is the strongest supply chain integrity signal; stable for this package's CI/CD pipeline.	ai	2026/04/21
phantom-deps	phantom-dep:npm	AI (phantom-deps): npm referenced in config files but not directly imported; expected pattern for build tools.	ai	2026/04/21
dependencies	unvetted-dep:npm	AI (dependencies): npm is a standard build tool; unvetted status is expected and acceptable for this package.	ai	2026/04/21
provenance	missing-githead	AI (provenance): Missing gitHead is metadata drift, not a security issue; Apollo's publisher history is strong.	ai	2026/04/21
dependencies	unvetted-dep:optimism	AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): Large new source files are expected for library update; no evidence of injected code.	ai	2026/04/21
phantom-deps	phantom-dep:response-iterator	AI (phantom-deps): Declared dependency referenced in config files; normal for build tooling.	ai	2026/04/21
dependencies	unvetted-dep:@graphql-typed-document-node/core	AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:zen-observable-ts	AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:response-iterator	AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:@wry/trie	AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package.	ai	2026/04/21
publish-pattern	suspicious-version-number	AI (publish-pattern): Pre-release version from CI/CD (PR-based versioning); pattern is legitimate for this package's release workflow.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): New dependencies are Apollo ecosystem packages; legitimate library update.	ai	2026/04/21
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() in test code is legitimate testing pattern, not obfuscation; stable for this package.	ai	2026/04/21
dependencies	unvetted-peer-dep:subscriptions-transport-ws	AI (dependencies): subscriptions-transport-ws is a legacy but standard GraphQL subscription transport; optional peer dependency.	ai	2026/04/21
dependencies	unvetted-peer-dep:react-dom	AI (dependencies): react-dom is a standard peer dependency for React libraries; no security concern.	ai	2026/04/21
dependencies	unvetted-peer-dep:graphql-ws	AI (dependencies): graphql-ws is a standard GraphQL subscription transport; optional peer dependency with no risk.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): Publisher change to GitHub Actions reflects Apollo's CI/CD automation; SLSA provenance attestation validates the transition.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): Maintainer additions to established Apollo project; legitimate team expansion, not account compromise.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): benjamn's removal is part of normal maintainer rotation; combined with new maintainer and SLSA provenance, no takeover risk.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Provenance attestation not yet enabled; not a security defect for this mature package.	ai	2026/04/21
dependencies	unvetted-dep:use-sync-external-store	AI (dependencies): Established React utility; single new dependency addition is benign.	ai	2026/04/21
phantom-deps	phantom-dep:@types/use-sync-external-store	AI (phantom-deps): Framework-scoped type package loaded by convention; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:@types/use-sync-external-store	AI (dependencies): Type definitions for React hook; framework-scoped package, stable for this package.	ai	2026/04/21
phantom-deps	phantom-dep:@types/zen-observable	AI (phantom-deps): Framework-scoped type package; expected and benign for TypeScript support.	ai	2026/04/21
dependencies	unvetted-dep:fast-json-stable-stringify	AI (dependencies): Standard Apollo Client dependency; vetted across 686 prior versions.	ai	2026/04/21
dependencies	unvetted-dep:zen-observable	AI (dependencies): Standard Apollo Client dependency; vetted across 686 prior versions.	ai	2026/04/21
phantom-deps	phantom-dep:terser	AI (phantom-deps): terser is referenced in build config files as a minifier tool, not a runtime import — expected pattern for this package.	ai	2026/04/21
dependencies	unvetted-dep:terser	AI (dependencies): terser is a well-known JS minifier used as a build tool by Apollo Client; no security concern.	ai	2026/04/21

Versions (showing 71 of 171)

Show 176 prereleases

Version	Deps	Published
3.7.9	13 / 56	2023-02-17
3.7.8	13 / 56	2023-02-15
3.7.7	13 / 56	2023-02-03
3.7.6	13 / 56	2023-01-31
3.7.5	13 / 56	2023-01-24
3.7.4	13 / 56	2023-01-13
3.7.3	13 / 52	2022-12-15
3.7.2	13 / 50	2022-12-06
3.7.1	13 / 50	2022-10-20
3.7.0	13 / 49	2022-09-30
3.6.10	12 / 46	2022-09-29
3.6.9	12 / 43	2022-06-21
3.6.8	12 / 43	2022-06-10
3.6.7	12 / 43	2022-06-10
3.6.6	12 / 42	2022-05-26
3.6.5	12 / 42	2022-05-23
3.6.4	12 / 42	2022-05-16
3.6.3	13 / 42	2022-05-05
3.6.2	13 / 42	2022-05-03
3.6.1	13 / 42	2022-04-28
3.6.0	13 / 42	2022-04-26
3.5.10	12 / 40	2022-02-24
3.5.9	12 / 39	2022-02-15
3.5.8	12 / 39	2022-01-24
3.5.7	12 / 39	2022-01-10
3.5.6	12 / 39	2021-12-07
3.5.5	12 / 39	2021-11-23
3.5.4	12 / 39	2021-11-19
3.5.3	12 / 39	2021-11-17
3.5.2	12 / 39	2021-11-10
3.5.1	12 / 39	2021-11-09
3.5.0	13 / 39	2021-11-08
3.4.17	12 / 39	2021-11-08
3.4.16	12 / 40	2021-10-04
3.4.15	12 / 40	2021-09-27
3.4.14	12 / 40	2021-09-27
3.4.13	12 / 40	2021-09-20
3.4.12	12 / 40	2021-09-17
3.4.4	12 / 40	2021-08-03
3.4.3	12 / 40	2021-08-02
3.4.2	12 / 39	2021-08-02
3.4.1	12 / 39	2021-07-29
3.4.0	12 / 39	2021-07-28
3.3.21	13 / 39	2021-07-06
3.3.20	13 / 39	2021-06-08
3.3.19	13 / 39	2021-05-18
3.3.18	13 / 39	2021-05-13
3.3.17	13 / 39	2021-05-11
3.3.16	13 / 39	2021-04-30
3.3.15	13 / 39	2021-04-13
3.3.14	13 / 39	2021-04-05
3.3.13	13 / 39	2021-03-24
3.3.12	13 / 39	2021-03-15
3.3.11	13 / 39	2021-02-15
3.3.10	13 / 39	2021-02-14
3.3.9	13 / 40	2021-02-09
3.3.8	13 / 40	2021-02-05
3.3.7	13 / 40	2021-01-14
3.3.5	13 / 40	2020-12-10
3.3.4	13 / 40	2020-12-04
3.3.3	13 / 40	2020-12-02
3.3.1	13 / 40	2020-11-24
3.2.9	13 / 40	2020-11-24
3.2.8	13 / 40	2020-11-24
3.2.5	13 / 40	2020-10-19
3.2.4	14 / 39	2020-10-13
3.2.3	14 / 39	2020-10-10
3.1.3	12 / 37	2020-08-06
3.1.2	12 / 37	2020-08-03
3.0.2	12 / 33	2020-07-16
3.0.1	12 / 33	2020-07-15