@apollo/usage-reporting-protobuf

Protobuf format for Apollo usage reporting

Versions: 6
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation, npm registry signatures, gitHead linked

Maintainers

glasser, dkuc, phryneas, apollo-bot, abernix

Keywords

GraphQL, Apollo, Server, Javascript

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| provenance | publisher-changed | AI (provenance): CI migration from apollo-bot to GitHub Actions; SLSA provenance confirms legitimate Apollo org publish. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Apollo team roster change; package remains under apollographql org with SLSA provenance. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): glasser, trevor.scheer, and dkuc are known Apollo engineers; addition reflects legitimate team growth, not a suspicious takeover. | ai | |
| dependencies | unvetted-dep:@apollo/protobufjs | AI (dependencies): @apollo/protobufjs is Apollo's own protobufjs fork, a legitimate and expected dependency for this protobuf serialization package throughout the Apollo ecosystem. | ai | |
| provenance | no-provenance | AI (provenance): Established Apollo package published by trusted apollo-bot; lack of Sigstore provenance is common for packages of this age and not a meaningful risk signal. | ai | |

Versions (showing 6 of 6)

| Version | Deps | Published |
| --- | --- | --- |
| 4.1.2 | 1 / 0 | |
| 4.1.1 | 1 / 0 | |
| 4.1.0 | 1 / 0 | |
| 4.0.2 | 1 / 0 | |
| 4.0.1 | 1 / 0 | |
| 4.0.0 | 1 / 0 | |

v4.1.2

2 findings
[HIGH] Publisher changed: apollo-bot → GitHub Actions (on 2026-05-04) [provenance]

This version was published on 2026-05-04 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.

[INFO] Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.