← Home

@apollo/federation-internals

npm Repository Homepage

Apollo Federation internal utilities

5
Versions
Elastic-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

dkucapollo-botphryneasabernix

Keywords

graphqlfederationapollo

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Apollo Federation migrated publishing to GitHub Actions CI/CD with SLSA provenance attestation. The transition from individual account to GitHub Actions is a legitimate and more secure publishing pattern for this org. ai
phantom-deps phantom-dep:@types/uuid AI (phantom-deps): @types/uuid is intentionally listed as a runtime dep in this package (pre-existing pattern); not a security concern. ai

Versions (showing 5 of 5)

Show 6 prereleases
Version Deps Published
2.14.0 4 / 0
2.13.3 4 / 0
2.12.3 4 / 0
2.11.6 4 / 0
2.10.5 4 / 0

v2.14.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.13.3

2 findings
HIGH Publisher changed: dkuc → GitHub Actions (on 2026-03-19) provenance

This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.12.3

1 finding
HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

v2.11.6

2 findings
HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

INFO Publisher changed: GitHub Actions → dkuc (on 2026-03-13) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-13. This could indicate a legitimate maintainer transition or an account compromise.

v2.10.5

2 findings
HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

INFO Publisher changed: GitHub Actions → dkuc (on 2026-03-13) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-13. This could indicate a legitimate maintainer transition or an account compromise.