@apollo/federation-internals

Apollo Federation internal utilities

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

dkucapollo-botphryneasabernix

Keywords

graphqlfederationapollo

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Apollo Federation migrated publishing to GitHub Actions CI/CD with SLSA provenance attestation. The transition from individual account to GitHub Actions is a legitimate and more secure publishing pattern for this org.	ai	2026/04/23
phantom-deps	phantom-dep:@types/uuid	AI (phantom-deps): @types/uuid is intentionally listed as a runtime dep in this package (pre-existing pattern); not a security concern.	ai	2026/04/23

Versions (showing 11 of 11)

Hide prereleases

Version	Deps	Published
2.14.0	4 / 0	2026-04-30
2.13.3	4 / 0	2026-03-19
2.12.3	4 / 0	2026-03-13
2.11.6	4 / 0	2026-03-13
2.10.5	4 / 0	2026-03-13
2.13.0-preview.2	4 / 0	2025-12-19
2.13.0-preview.1	4 / 0	2025-12-18
2.13.0-preview.0	4 / 0	2025-11-14
2.12.0-preview.4	4 / 0	2025-10-29
2.11.5-preview.1	4 / 0	2025-11-12
2.11.5-preview.0	4 / 0	2025-11-10

v2.14.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.13.3

2 findings

HIGH Publisher changed: dkuc → GitHub Actions (on 2026-03-19) provenance

This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.12.3

1 finding

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

v2.11.6

2 findings

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

INFO Publisher changed: GitHub Actions → dkuc (on 2026-03-13) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-13. This could indicate a legitimate maintainer transition or an account compromise.

v2.10.5

2 findings

HIGH Provenance attestation missing — previous versions had it provenance

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

INFO Publisher changed: GitHub Actions → dkuc (on 2026-03-13) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-13. This could indicate a legitimate maintainer transition or an account compromise.