@apollo/client
A fully-featured caching GraphQL client.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:apollo-link | AI (dependencies): apollo-link is a well-known Apollo ecosystem package; its presence as a dependency of @apollo/client is expected and legitimate across all versions. | ai | |
| phantom-deps | phantom-dep:zen-observable | AI (phantom-deps): zen-observable is a direct runtime dependency in package.json; the phantom-dep flag is a false positive caused by config-file references rather than direct imports in source. | ai | |
| dependencies | unvetted-peer-dep:rxjs | AI (dependencies): rxjs is a foundational peer dependency for Apollo Client; widely vetted in practice despite analyzer status. | ai | |
| provenance | slsa-provenance | AI (provenance): SLSA provenance attestation is the strongest supply chain integrity signal; stable for this package's CI/CD pipeline. | ai | |
| phantom-deps | phantom-dep:npm | AI (phantom-deps): npm referenced in config files but not directly imported; expected pattern for build tools. | ai | |
| dependencies | unvetted-dep:npm | AI (dependencies): npm is a standard build tool; unvetted status is expected and acceptable for this package. | ai | |
| provenance | missing-githead | AI (provenance): Missing gitHead is metadata drift, not a security issue; Apollo's publisher history is strong. | ai | |
| dependencies | unvetted-dep:optimism | AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large new source files are expected for library update; no evidence of injected code. | ai | |
| phantom-deps | phantom-dep:response-iterator | AI (phantom-deps): Declared dependency referenced in config files; normal for build tooling. | ai | |
| dependencies | unvetted-dep:@graphql-typed-document-node/core | AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. | ai | |
| dependencies | unvetted-dep:zen-observable-ts | AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. | ai | |
| dependencies | unvetted-dep:response-iterator | AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. | ai | |
| dependencies | unvetted-dep:@wry/trie | AI (dependencies): Apollo ecosystem dependency with reasonable version constraint; stable for this package. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Pre-release version from CI/CD (PR-based versioning); pattern is legitimate for this package's release workflow. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are Apollo ecosystem packages; legitimate library update. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() in test code is legitimate testing pattern, not obfuscation; stable for this package. | ai | |
| dependencies | unvetted-peer-dep:subscriptions-transport-ws | AI (dependencies): subscriptions-transport-ws is a legacy but standard GraphQL subscription transport; optional peer dependency. | ai | |
| dependencies | unvetted-peer-dep:react-dom | AI (dependencies): react-dom is a standard peer dependency for React libraries; no security concern. | ai | |
| dependencies | unvetted-peer-dep:graphql-ws | AI (dependencies): graphql-ws is a standard GraphQL subscription transport; optional peer dependency with no risk. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to GitHub Actions reflects Apollo's CI/CD automation; SLSA provenance attestation validates the transition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions to established Apollo project; legitimate team expansion, not account compromise. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): benjamn's removal is part of normal maintainer rotation; combined with new maintainer and SLSA provenance, no takeover risk. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation not yet enabled; not a security defect for this mature package. | ai | |
| dependencies | unvetted-dep:use-sync-external-store | AI (dependencies): Established React utility; single new dependency addition is benign. | ai | |
| phantom-deps | phantom-dep:@types/use-sync-external-store | AI (phantom-deps): Framework-scoped type package loaded by convention; stable for this package. | ai | |
| dependencies | unvetted-dep:@types/use-sync-external-store | AI (dependencies): Type definitions for React hook; framework-scoped package, stable for this package. | ai | |
| phantom-deps | phantom-dep:@types/zen-observable | AI (phantom-deps): Framework-scoped type package; expected and benign for TypeScript support. | ai | |
| dependencies | unvetted-dep:fast-json-stable-stringify | AI (dependencies): Standard Apollo Client dependency; vetted across 686 prior versions. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): Standard Apollo Client dependency; vetted across 686 prior versions. | ai | |
| phantom-deps | phantom-dep:terser | AI (phantom-deps): terser is referenced in build config files as a minifier tool, not a runtime import — expected pattern for this package. | ai | |
| dependencies | unvetted-dep:terser | AI (dependencies): terser is a well-known JS minifier used as a build tool by Apollo Client; no security concern. | ai |
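The phantom-dep and unvetted-dep rows above all turn on one comparison: does what package.json declares match what the shipped source actually imports? The block below is an added example of that comparison (not Apollo's code and not the scanner's), run over a small constructed project embedded in the block; package names, versions and file contents are invented for the demonstration. It separates the case that matters (a package imported by shipped source but declared nowhere, which resolves only through hoisting and is a dependency-confusion target) from the benign cases the table accepts: a build tool such as terser referenced only from config files, and an @types/* package that is used by convention when the typed package is imported from TypeScript.

```javascript
// Added example: declared-vs-imported dependency check. Not Apollo's code or
// the scanner's. The mini-project below is constructed for the demonstration.

const NODE_BUILTINS = new Set(["assert", "buffer", "child_process", "crypto", "events",
  "fs", "http", "https", "os", "path", "stream", "url", "util", "zlib"]);

// Constructed files, path -> content, standing in for a checkout on disk.
const FILES = {
  "package.json": JSON.stringify({
    name: "example-client",
    dependencies: { optimism: "^0.18.0", "@wry/trie": "^0.5.0", "zen-observable": "^0.10.0", tslib: "^2.3.0" },
    peerDependencies: { graphql: "^16.0.0", rxjs: "^7.0.0" },
    devDependencies: { terser: "^5.0.0", rollup: "^4.0.0", "@types/zen-observable": "^0.8.0" },
  }),
  "src/cache.ts": `
    import { Trie } from "@wry/trie";
    import { wrap } from "optimism";
    import Observable from "zen-observable";
    import { __assign } from "tslib";
    import { map } from "rxjs/operators";
    import { invariant } from "ts-invariant";  // declared nowhere: phantom
    import { readFileSync } from "node:fs";   // builtin: ignored
    import "./polyfills";                      // relative: ignored
  `,
  "src/polyfills.ts": `
    const stringify = require("fast-json-stable-stringify"); // declared nowhere: phantom
    const lazy = () => import("optimism");
  `,
  "config/build.js": `
    import { rollup } from "rollup";
    import { minify } from "terser";
  `,
};

// Bare specifier -> package name ("rxjs/operators" -> "rxjs", "@wry/trie" stays whole);
// relative paths and Node builtins yield null.
function packageName(spec) {
  if (spec.startsWith(".") || spec.startsWith("/") || spec.startsWith("node:")) return null;
  const parts = spec.split("/");
  const name = spec.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

// Regex heuristics, deliberately simple; an AST walk would be more robust.
const IMPORT_PATTERNS = [
  /\b(?:import|export)\b[^'";]*?\bfrom\s*['"]([^'"]+)['"]/g, // import x from "y", export * from "y"
  /\bimport\s*['"]([^'"]+)['"]/g,                           // import "y" (side-effect import)
  /\b(?:require|import)\s*\(\s*['"]([^'"]+)['"]\s*\)/g,     // require("y"), import("y")
];

function importedPackages(source) {
  const found = new Set();
  for (const re of IMPORT_PATTERNS) {
    for (const m of source.matchAll(re)) {
      const name = packageName(m[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

function checkDependencies(files) {
  const pkg = JSON.parse(files["package.json"]);
  const runtime = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.peerDependencies || {}),
    ...Object.keys(pkg.optionalDependencies || {}),
  ]);
  const dev = new Set(Object.keys(pkg.devDependencies || {}));

  const srcImports = new Set();    // shipped code under src/
  const configImports = new Set(); // build and config files
  for (const [path, content] of Object.entries(files)) {
    if (!/\.(m?[jt]sx?|cjs)$/.test(path)) continue;
    const target = path.startsWith("src/") ? srcImports : configImports;
    for (const name of importedPackages(content)) target.add(name);
  }

  const sorted = (it) => [...it].sort();
  return {
    // Imported by shipped source but declared nowhere: the real phantom dependency.
    undeclaredImports: sorted([...srcImports].filter((n) => !runtime.has(n) && !dev.has(n))),
    // Declared for runtime but never imported by shipped source.
    unusedRuntimeDeps: sorted([...runtime].filter((n) => !srcImports.has(n))),
    // Dev-only packages seen only in build/config files: the terser pattern.
    configOnlyDevDeps: sorted([...dev].filter(
      (n) => !n.startsWith("@types/") && !srcImports.has(n) && configImports.has(n))),
    // @types/x counts as used when x is imported from shipped source.
    unusedTypePackages: sorted([...dev].filter(
      (n) => n.startsWith("@types/") && !srcImports.has(n.slice("@types/".length)))),
  };
}

console.log(JSON.stringify(checkDependencies(FILES), null, 2));
```

On the constructed project this reports ts-invariant and fast-json-stable-stringify as undeclared imports (the finding worth blocking on), graphql as a declared-but-unimported peer, and rollup and terser as config-only dev dependencies, which is the benign pattern the table accepts for terser. The regexes are a heuristic; a production check should walk the AST and also resolve package.json "exports" maps.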
Versions (showing 100 of 347)
| Version | Deps | Published |
|---|---|---|
| 4.2.0 | 7 / 0 | |
| 4.1.9 | 7 / 0 | |
| 4.1.8 | 7 / 0 | |
| 4.1.7 | 7 / 0 | |
| 4.1.6 | 7 / 0 | |
| 4.1.5 | 7 / 0 | |
| 4.1.4 | 7 / 0 | |
| 4.1.3 | 7 / 0 | |
| 4.1.2 | 7 / 0 | |
| 4.1.1 | 7 / 0 | |
| 4.1.0 | 7 / 0 | |
| 4.0.13 | 7 / 0 | |
| 4.0.12 | 7 / 0 | |
| 4.0.11 | 7 / 0 | |
| 4.0.10 | 7 / 0 | |
| 4.0.9 | 7 / 0 | |
| 4.0.8 | 7 / 0 | |
| 4.0.7 | 7 / 0 | |
| 4.0.6 | 7 / 0 | |
| 4.0.5 | 7 / 0 | |
| 4.0.4 | 7 / 0 | |
| 4.0.3 | 7 / 0 | |
| 4.0.2 | 7 / 0 | |
| 4.0.1 | 7 / 0 | |
| 4.0.0 | 7 / 0 | |
| 3.14.1 | 13 / 93 | |
| 3.14.0 | 13 / 93 | |
| 3.13.9 | 13 / 93 | |
| 3.13.8 | 13 / 93 | |
| 3.13.7 | 13 / 93 | |
| 3.13.6 | 13 / 93 | |
| 3.13.5 | 13 / 93 | |
| 3.13.4 | 13 / 93 | |
| 3.13.3 | 13 / 93 | |
| 3.13.2 | 13 / 93 | |
| 3.13.1 | 13 / 93 | |
| 3.13.0 | 13 / 93 | |
| 3.12.11 | 13 / 93 | |
| 3.12.10 | 13 / 93 | |
| 3.12.9 | 13 / 93 | |
| 3.12.8 | 13 / 93 | |
| 3.12.7 | 14 / 93 | |
| 3.12.6 | 14 / 88 | |
| 3.12.5 | 14 / 88 | |
| 3.12.4 | 14 / 88 | |
| 3.12.3 | 14 / 88 | |
| 3.12.2 | 14 / 87 | |
| 3.12.1 | 14 / 87 | |
| 3.12.0 | 14 / 87 | |
| 3.11.10 | 14 / 85 | |
| 3.11.9 | 14 / 85 | |
| 3.11.8 | 14 / 83 | |
| 3.11.7 | 14 / 83 | |
| 3.11.6 | 14 / 83 | |
| 3.11.5 | 14 / 83 | |
| 3.11.4 | 14 / 83 | |
| 3.11.3 | 14 / 83 | |
| 3.11.2 | 14 / 83 | |
| 3.11.1 | 14 / 83 | |
| 3.11.0 | 14 / 83 | |
| 3.10.8 | 14 / 83 | |
| 3.10.7 | 14 / 83 | |
| 3.10.6 | 14 / 82 | |
| 3.10.5 | 14 / 82 | |
| 3.10.4 | 14 / 78 | |
| 3.10.3 | 14 / 78 | |
| 3.10.2 | 14 / 78 | |
| 3.10.1 | 14 / 78 | |
| 3.10.0 | 14 / 78 | |
| 3.9.11 | 14 / 76 | |
| 3.9.10 | 14 / 76 | |
| 3.9.9 | 14 / 76 | |
| 3.9.8 | 14 / 76 | |
| 3.9.7 | 14 / 76 | |
| 3.9.6 | 14 / 76 | |
| 3.9.5 | 14 / 76 | |
| 3.9.4 | 14 / 76 | |
| 3.9.3 | 14 / 76 | |
| 3.9.2 | 14 / 76 | |
| 3.9.1 | 14 / 76 | |
| 3.9.0 | 14 / 76 | |
| 3.8.10 | 12 / 75 | |
| 3.8.9 | 12 / 75 | |
| 3.8.8 | 12 / 75 | |
| 3.8.7 | 13 / 73 | |
| 3.8.6 | 13 / 73 | |
| 3.8.5 | 13 / 73 | |
| 3.8.4 | 13 / 73 | |
| 3.8.3 | 13 / 66 | |
| 3.8.2 | 13 / 66 | |
| 3.8.1 | 13 / 66 | |
| 3.8.0 | 13 / 66 | |
| 3.7.17 | 13 / 58 | |
| 3.7.16 | 13 / 58 | |
| 3.7.15 | 13 / 58 | |
| 3.7.14 | 13 / 55 | |
| 3.7.13 | 13 / 55 | |
| 3.7.12 | 13 / 55 | |
| 3.7.11 | 13 / 55 | |
| 3.7.10 | 13 / 56 |
Per-version findings
A version published via CI/CD with a Sigstore attestation carries the strongest supply chain integrity signal; the Provenance column records the SLSA predicate type of that attestation (v1 = https://slsa.dev/provenance/v1, v0.2 = https://slsa.dev/provenance/v0.2). A publisher change means the version was published by a different npm account than previous versions, which could indicate a legitimate maintainer transition or an account compromise. Versions published without Sigstore provenance are in the majority on the registry (only ~12% of npm packages have provenance), so this is common but not ideal.

| Version | Findings | Provenance | Accepted risk |
|---|---|---|---|
| 4.2.0 | 1 | Sigstore, SLSA v1 | |
| 4.1.9 | 1 | Sigstore, SLSA v1 | |
| 4.1.8 | 1 | Sigstore, SLSA v1 | |
| 4.1.7 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2026-04-08 |
| 4.1.6 | 1 | Sigstore, SLSA v1 | |
| 4.1.5 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2026-02-19 |
| 4.1.4 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2026-02-05 |
| 4.1.3 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2026-01-28 |
| 4.1.2 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2026-01-21 |
| 4.1.1 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2026-01-20 |
| 4.1.0 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2026-01-15 |
| 4.0.13 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2026-01-13 |
| 4.0.12 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2026-01-12 |
| 4.0.11 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2025-12-16 |
| 4.0.10 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2025-12-10 |
| 4.0.9 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2025-10-31 |
| 4.0.8 | 2 | Sigstore, SLSA v1 | [Accepted risk] publisher changed on 2025-10-27 |
| 4.0.7 | 1 | Sigstore, SLSA v1 | |
| 4.0.6 | 1 | Sigstore, SLSA v1 | |
| 4.0.5 | 1 | Sigstore, SLSA v1 | |
| 4.0.1 | 1 | Sigstore, SLSA v1 | |
| 3.14.1 | 1 | Sigstore, SLSA v1 | |
| 3.14.0 | 1 | Sigstore, SLSA v1 | |
| 3.13.9 | 1 | Sigstore, SLSA v1 | |
| 3.13.8 | 1 | Sigstore, SLSA v1 | |
| 3.13.6 | 1 | Sigstore, SLSA v1 | |
| 3.13.5 | 1 | Sigstore, SLSA v1 | |
| 3.13.4 | 1 | Sigstore, SLSA v1 | |
| 3.13.3 | 1 | Sigstore, SLSA v1 | |
| 3.13.1 | 1 | Sigstore, SLSA v1 | |
| 3.13.0 | 1 | Sigstore, SLSA v1 | |
| 3.12.11 | 1 | Sigstore, SLSA v1 | |
| 3.12.10 | 1 | Sigstore, SLSA v1 | |
| 3.12.9 | 1 | Sigstore, SLSA v1 | |
| 3.12.8 | 1 | Sigstore, SLSA v1 | |
| 3.12.7 | 1 | Sigstore, SLSA v1 | |
| 3.12.6 | 1 | Sigstore, SLSA v1 | |
| 3.12.3 | 1 | Sigstore, SLSA v1 | |
| 3.12.2 | 1 | Sigstore, SLSA v1 | |
| 3.12.1 | 1 | Sigstore, SLSA v1 | |
| 3.12.0 | 1 | Sigstore, SLSA v1 | |
| 3.11.10 | 1 | Sigstore, SLSA v1 | |
| 3.11.9 | 1 | Sigstore, SLSA v1 | |
| 3.11.8 | 1 | Sigstore, SLSA v1 | |
| 3.11.7 | 1 | Sigstore, SLSA v1 | |
| 3.11.5 | 1 | Sigstore, SLSA v1 | |
| 3.11.4 | 1 | Sigstore, SLSA v1 | |
| 3.11.3 | 1 | Sigstore, SLSA v1 | |
| 3.11.2 | 1 | Sigstore, SLSA v1 | |
| 3.11.1 | 1 | Sigstore, SLSA v1 | |
| 3.11.0 | 1 | Sigstore, SLSA v1 | |
| 3.10.7 | 1 | Sigstore, SLSA v1 | |
| 3.10.6 | 1 | Sigstore, SLSA v1 | |
| 3.10.5 | 1 | Sigstore, SLSA v1 | |
| 3.10.4 | 1 | Sigstore, SLSA v1 | |
| 3.10.3 | 1 | Sigstore, SLSA v1 | |
| 3.10.2 | 1 | Sigstore, SLSA v1 | |
| 3.10.0 | 1 | Sigstore, SLSA v1 | |
| 3.9.11 | 1 | Sigstore, SLSA v1 | |
| 3.9.10 | 1 | Sigstore, SLSA v1 | |
| 3.9.9 | 1 | Sigstore, SLSA v1 | |
| 3.9.8 | 1 | Sigstore, SLSA v1 | |
| 3.9.7 | 1 | Sigstore, SLSA v1 | |
| 3.9.5 | 1 | Sigstore, SLSA v1 | |
| 3.9.3 | 1 | Sigstore, SLSA v1 | |
| 3.9.2 | 1 | Sigstore, SLSA v1 | |
| 3.9.0 | 1 | Sigstore, SLSA v1 | |
| 3.8.10 | 1 | Sigstore, SLSA v1 | |
| 3.8.9 | 1 | Sigstore, SLSA v1 | |
| 3.8.8 | 1 | Sigstore, SLSA v1 | |
| 3.8.7 | 1 | Sigstore, SLSA v1 | |
| 3.8.6 | 1 | Sigstore, SLSA v1 | |
| 3.8.5 | 1 | Sigstore, SLSA v1 | |
| 3.8.2 | 1 | Sigstore, SLSA v0.2 | |
| 3.8.1 | 1 | Sigstore, SLSA v0.2 | |
| 3.8.0 | 1 | Sigstore, SLSA v0.2 | |
| 3.7.17 | 1 | Sigstore, SLSA v0.2 | |
| 3.7.16 | 1 | Sigstore, SLSA v0.2 | |
| 3.7.15 | 1 | Sigstore, SLSA v0.2 | |
| 3.7.14 | 1 | Sigstore, SLSA v0.2 | |
| 3.7.13 | 1 | Sigstore, SLSA v0.2 | |
| 3.7.12 | 1 | none | [Accepted risk] published without Sigstore provenance |
| 3.7.11 | 1 | none | [Accepted risk] published without Sigstore provenance |
| 3.7.10 | 1 | none | [Accepted risk] published without Sigstore provenance |