@apollo/protobufjs
Protocol Buffers for JavaScript (& TypeScript).
Versions: 2
License: BSD-3-Clause
Install Scripts: Yes
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
The two signals that are present are weak on their own: the registry signature proves only that registry.npmjs.org served this exact tarball, and gitHead is a commit hash the publishing client copies into package.json that nothing verifies. Without SLSA provenance there is no cryptographic link between this tarball and the public source; the axios compromise (March 2026) relied on exactly this gap.
Maintainers
apollo-bot
Keywords
protobuf, protocol-buffers, serialization, typescript
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): High-trust Apollo publisher with 2337 approved packages; dormancy consistent with stable library maintenance cadence. | ai | |
| provenance | no-provenance | AI (provenance): Established Apollo package with trusted publisher; lack of Sigstore provenance is a minor process gap, not a security risk for this package. | ai | |
| dependencies | unvetted-dep:@protobufjs/inquire | AI (dependencies): @protobufjs/inquire is a core sub-package of the protobufjs ecosystem, maintained by the same org. Stable and expected dependency. | ai | |
| dependencies | unvetted-dep:@types/long | AI (dependencies): @types/long is a standard TypeScript type definition package for the long.js library, a well-known dependency in the protobufjs ecosystem. | ai | |
| dependencies | unvetted-dep:@protobufjs/fetch | AI (dependencies): @protobufjs/fetch is a core sub-package of the protobufjs ecosystem, maintained by the same org. Stable and expected dependency. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): glasser and trevor.scheer are known Apollo GraphQL team members. Legitimate maintainer addition. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed from apollo-bot to glasser, a known Apollo GraphQL engineer with long npm history. Legitimate team transition, not a compromise. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall runs a local script (scripts/postinstall.js) included in the package for CLI setup — stable, documented pattern for this Apollo protobuf.js fork. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): child_process.exec used in CLI tool (pbts.js) to invoke jsdoc for TypeScript definition generation — legitimate CLI use, not a backdoor. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process imported only in CLI tooling (pbts.js) for jsdoc invocation — expected for a protobuf CLI tool. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in CLI tooling (pbjs.js) to resolve protobuf.js path at runtime — standard pattern for CLI tools, no arbitrary user input. | ai | |
| phantom-deps | phantom-dep:@types/long | AI (phantom-deps): @types/long is a TypeScript type definition package; not directly imported at runtime by convention — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:long | AI (phantom-deps): long is a declared runtime dependency used transitively by protobuf.js for 64-bit integer support; phantom-dep false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a TypeScript type definition package; not directly imported at runtime — stable false positive for this package. | ai | |
v1.2.8
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainer to enable provenance by publishing from a supported CI/CD provider with `npm publish --provenance`, which attaches a SLSA attestation to the release that `npm audit signatures` can verify.
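The provenance box above and the install-script rows in the accepted-risks table are both derived from fields in the npm registry's version record. The following is an added example, not code from this review page or from the @apollo/protobufjs project, that classifies one such record the same way: it reads the real packument fields `dist.signatures`, `dist.attestations.provenance.predicateType`, `gitHead` and `scripts`. The two sample records are constructed; their hashes, key id and signature values are placeholders, and the function names are this example's own.

```javascript
// Added example: classify the supply-chain signals of one npm registry
// version record (an entry of a packument's `versions` map). Field names are
// the real registry fields; the sample records below are constructed.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall']; // run on `npm install` from the registry
const SLSA_PREFIX = 'https://slsa.dev/provenance/';

function provenanceStatus(versionMeta) {
  const dist = versionMeta.dist || {};
  const predicate = dist.attestations?.provenance?.predicateType || '';
  return {
    // SLSA provenance: an attestation bundle whose predicate is a slsa.dev type.
    slsaProvenance: predicate.startsWith(SLSA_PREFIX),
    // Registry signature: npm signed the tarball integrity. Proves the registry
    // served this tarball, not where or from what source it was built.
    registrySignatures: Array.isArray(dist.signatures) && dist.signatures.length > 0,
    // gitHead: a 40-hex commit hash the publishing client writes into package.json.
    gitHeadLinked: typeof versionMeta.gitHead === 'string' && /^[0-9a-f]{40}$/.test(versionMeta.gitHead),
    // Lifecycle scripts that execute automatically when this package is installed.
    installScripts: INSTALL_HOOKS.filter((h) => versionMeta.scripts && h in versionMeta.scripts),
  };
}

// Render the status in the wording used by the review page.
function renderStatus(status) {
  return [
    status.slsaProvenance ? 'SLSA provenance' : 'No SLSA provenance',
    status.registrySignatures ? 'npm registry signatures' : 'No npm registry signatures',
    status.gitHeadLinked ? 'gitHead linked' : 'No gitHead',
    status.installScripts.length ? `Install scripts: ${status.installScripts.join(', ')}` : 'No install scripts',
  ];
}

// Constructed sample matching the shape this page describes: signed, gitHead set,
// no attestation, postinstall script. Values are placeholders, not real data.
const SAMPLE_UNATTESTED = {
  name: '@apollo/protobufjs',
  version: '1.2.8',
  gitHead: 'a'.repeat(40),
  scripts: { postinstall: 'node scripts/postinstall.js', test: 'gulp test' },
  dist: {
    integrity: 'sha512-AAAA',
    signatures: [{ keyid: 'SHA256:placeholder', sig: 'MEUC...' }],
  },
};

// Constructed sample of a version published with `npm publish --provenance`.
const SAMPLE_ATTESTED = {
  name: 'example-pkg',
  version: '2.0.0',
  gitHead: 'b'.repeat(40),
  scripts: { test: 'node test.js' },
  dist: {
    integrity: 'sha512-BBBB',
    signatures: [{ keyid: 'SHA256:placeholder', sig: 'MEUC...' }],
    attestations: {
      url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@2.0.0',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
    },
  },
};

for (const v of [SAMPLE_UNATTESTED, SAMPLE_ATTESTED]) {
  console.log(`${v.name}@${v.version}`);
  for (const line of renderStatus(provenanceStatus(v))) console.log('  ' + line);
}
```

For a live check, fetch the packument with `curl https://registry.npmjs.org/@apollo%2Fprotobufjs` and pass `versions['1.2.8']` to `provenanceStatus`. Note that the function only reports whether an attestation exists; verifying the signature and attestation against npm's published keys is what `npm audit signatures` does in a project that depends on the package.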