← Home

@apollo/client

npm Repository Homepage

A fully-featured caching GraphQL client.

100
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

phryneasjerelmillerapollo-botabernix

Keywords

apollographqlreacthooksclientcachetanstack-intent

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:apollo-link AI (dependencies): apollo-link is a well-known Apollo ecosystem package; its presence as a dependency of @apollo/client is expected and legitimate across all versions. ai
phantom-deps phantom-dep:zen-observable AI (phantom-deps): zen-observable is a direct runtime dependency in package.json; the phantom-dep flag is a false positive caused by config-file references rather than direct imports in source. ai
dependencies unvetted-peer-dep:rxjs AI (dependencies): rxjs is a foundational peer dependency for Apollo Client; widely vetted in practice despite analyzer status. ai
provenance slsa-provenance AI (provenance): SLSA provenance attestation is the strongest supply chain integrity signal; stable for this package's CI/CD pipeline. ai
phantom-deps phantom-dep:npm AI (phantom-deps): npm referenced in config files but not directly imported; expected pattern for build tools. ai
dependencies unvetted-dep:npm AI (dependencies): npm is a standard build tool; unvetted status is expected and acceptable for this package. ai
provenance missing-githead AI (provenance): Missing gitHead is metadata drift, not a security issue; Apollo's publisher history is strong. ai
dependencies unvetted-dep:optimism AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. ai
source-diff large-new-source-files AI (source-diff): Large new source files are expected for library update; no evidence of injected code. ai
phantom-deps phantom-dep:response-iterator AI (phantom-deps): Declared dependency referenced in config files; normal for build tooling. ai
dependencies unvetted-dep:@graphql-typed-document-node/core AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. ai
dependencies unvetted-dep:zen-observable-ts AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. ai
dependencies unvetted-dep:response-iterator AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. ai
dependencies unvetted-dep:@wry/trie AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. ai
publish-pattern suspicious-version-number AI (publish-pattern): Pre-release version from CI/CD (PR-based versioning); pattern is legitimate for this package's release workflow. ai
publish-pattern new-deps-added AI (publish-pattern): New dependencies are Apollo ecosystem packages; legitimate library update. ai
semgrep semgrep:api-obfuscation-reflect AI (semgrep): Reflect.get() in test code is legitimate testing pattern, not obfuscation; stable for this package. ai
dependencies unvetted-peer-dep:subscriptions-transport-ws AI (dependencies): subscriptions-transport-ws is a legacy but standard GraphQL subscription transport; optional peer dependency. ai
dependencies unvetted-peer-dep:react-dom AI (dependencies): react-dom is a standard peer dependency for React libraries; no security concern. ai
dependencies unvetted-peer-dep:graphql-ws AI (dependencies): graphql-ws is a standard GraphQL subscription transport; optional peer dependency with no risk. ai
provenance publisher-changed AI (provenance): Publisher change to GitHub Actions reflects Apollo's CI/CD automation; SLSA provenance attestation validates the transition. ai
maintainer-change maintainer-added AI (maintainer-change): Maintainer additions to established Apollo project; legitimate team expansion, not account compromise. ai
maintainer-change maintainer-removed AI (maintainer-change): benjamn's removal is part of normal maintainer rotation; combined with new maintainer and SLSA provenance, no takeover risk. ai
provenance no-provenance AI (provenance): Provenance attestation not yet enabled; not a security defect for this mature package. ai
dependencies unvetted-dep:use-sync-external-store AI (dependencies): Established React utility; single new dependency addition is benign. ai
phantom-deps phantom-dep:@types/use-sync-external-store AI (phantom-deps): Framework-scoped type package loaded by convention; stable for this package. ai
dependencies unvetted-dep:@types/use-sync-external-store AI (dependencies): Type definitions for React hook; framework-scoped package, stable for this package. ai
phantom-deps phantom-dep:@types/zen-observable AI (phantom-deps): Framework-scoped type package; expected and benign for TypeScript support. ai
dependencies unvetted-dep:fast-json-stable-stringify AI (dependencies): Standard Apollo Client dependency; vetted across 686 prior versions. ai
dependencies unvetted-dep:zen-observable AI (dependencies): Standard Apollo Client dependency; vetted across 686 prior versions. ai
phantom-deps phantom-dep:terser AI (phantom-deps): terser is referenced in build config files as a minifier tool, not a runtime import — expected pattern for this package. ai
dependencies unvetted-dep:terser AI (dependencies): terser is a well-known JS minifier used as a build tool by Apollo Client; no security concern. ai

Versions (showing 100 of 347)

Hide prereleases
Version Deps Published
4.0.0-rc.0 7 / 0
4.0.0-alpha.4 7 / 0
4.0.0-alpha.23 7 / 0
4.0.0-alpha.22 7 / 0
4.0.0-alpha.21 7 / 0
4.0.0-alpha.20 7 / 0
4.0.0-alpha.19 7 / 0
4.0.0-alpha.18 7 / 0
4.0.0-alpha.17 7 / 0
4.0.0-alpha.16 7 / 0
4.0.0-alpha.15 7 / 0
4.0.0-alpha.14 7 / 0
4.0.0-alpha.13 7 / 0
4.0.0-alpha.12 7 / 0
4.0.0-alpha.11 7 / 0
4.0.0-alpha.10 7 / 0
3.12.0-rc.2 14 / 85
3.12.0-rc.0 14 / 85
3.12.0-alpha.0 14 / 84
3.11.0-rc.2 14 / 83
3.10.0-rc.0 14 / 77
3.9.0-beta.1 14 / 76
3.9.0-alpha.3 13 / 74
3.9.0-alpha.2 13 / 73
3.8.0-rc.1 13 / 66
3.8.0-beta.6 13 / 62
3.8.0-beta.3 13 / 62
3.8.0-beta.1 13 / 62
3.8.0-alpha.7 13 / 59
3.8.0-alpha.5 13 / 59
3.8.0-alpha.13 13 / 59
3.8.0-alpha.11 13 / 58
3.7.0-beta.8 13 / 49
3.7.0-beta.7 13 / 49
3.7.0-beta.6 12 / 43
3.7.0-beta.5 12 / 43
3.7.0-beta.4 12 / 43
3.7.0-beta.0 12 / 42
3.7.0-alpha.6 12 / 42
3.7.0-alpha.4 12 / 42
3.7.0-alpha.2 13 / 42
3.7.0-alpha.0 13 / 42
3.6.0-beta.5 12 / 41
3.6.0-beta.3 12 / 40
3.6.0-beta.2 12 / 40
3.6.0-beta.11 12 / 41
3.6.0-beta.10 12 / 41
3.5.0-rc.2 12 / 39
3.5.0-rc.1 12 / 40
3.5.0-rc.0 12 / 40
3.5.0-beta.16 12 / 40
3.5.0-beta.15 12 / 40
3.5.0-beta.12 12 / 40
3.4.0-rc.9 12 / 39
3.4.0-rc.3 12 / 39
3.4.0-rc.23 12 / 39
3.4.0-rc.18 12 / 39
3.4.0-rc.14 12 / 39
3.4.0-rc.13 12 / 39
3.4.0-beta.7 13 / 40
3.4.0-beta.5 13 / 40
3.4.0-beta.4 14 / 40
3.4.0-beta.27 12 / 39
3.4.0-beta.22 13 / 39
3.4.0-beta.20 13 / 39
3.4.0-beta.2 13 / 40
3.4.0-beta.17 13 / 39
3.4.0-beta.15 13 / 39
3.4.0-beta.14 13 / 39
3.4.0-beta.12 13 / 39
3.4.0-beta.1 13 / 40
3.4.0-beta.0 13 / 40
3.3.0-rc.1 13 / 40
3.3.0-beta.4 14 / 39
3.3.0-beta.3 14 / 39
3.3.0-beta.16 13 / 40
3.3.0-beta.11 14 / 39
3.1.2-pre.0 12 / 37
3.1.0-pre.4 12 / 37
3.1.0-pre.3 12 / 37
3.1.0-pre.1 12 / 36
3.1.0-pre.0 12 / 36
3.0.0-rc.9 9 / 28
3.0.0-rc.7 9 / 28
3.0.0-rc.6 9 / 28
3.0.0-rc.5 9 / 28
3.0.0-rc.3 9 / 28
3.0.0-rc.2 9 / 28
3.0.0-rc.13 12 / 33
3.0.0-james.32.1 9 / 27
3.0.0-beta.6 9 / 27
3.0.0-beta.54 9 / 28
3.0.0-beta.53 9 / 28
3.0.0-beta.52 9 / 28
3.0.0-beta.50 9 / 28
3.0.0-beta.49 9 / 28
3.0.0-beta.47 9 / 28
3.0.0-beta.44 9 / 27
3.0.0-beta.40 9 / 27
3.0.0-beta.4 9 / 27
Showing 100 of 347 Next page →

v4.0.0-alpha.23

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.22

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.21

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.20

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.19

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.18

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.17

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.16

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.15

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.14

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.13

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.12

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0-alpha.11

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.