@ardatan/relay-compiler
Fork of `relay-compiler`
Versions: 13
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
- SLSA provenance attestation
- npm registry signatures
- gitHead linked
Maintainers: ardatan
Keywords: graphql, relay
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped loading pattern; @babel/core is loaded by convention in Babel-based tooling, not via direct import. | ai | |
| dependencies | unvetted-dep:@babel/core | AI (dependencies): @babel/core is a foundational Babel package; expected dependency for a relay-compiler fork. | ai | |
| dependencies | unvetted-dep:@babel/types | AI (dependencies): @babel/types is a standard Babel utility; expected in a compiler tool. | ai | |
| dependencies | unvetted-dep:@babel/traverse | AI (dependencies): @babel/traverse is a standard Babel AST traversal package; expected in a compiler tool. | ai | |
| phantom-deps | phantom-dep:@babel/traverse | AI (phantom-deps): Framework-scoped loading pattern; consistent with Babel-based compiler tooling. | ai | |
| dependencies | unvetted-dep:yargs | AI (dependencies): yargs is a well-known, widely-used CLI argument parser; its presence in a compiler tool is expected and benign. | ai | |
| phantom-deps | phantom-dep:fbjs | AI (phantom-deps): fbjs is a Facebook utility library referenced in babel/build config for relay-compiler; phantom dep finding is expected and benign for this package. | ai | |
| phantom-deps | phantom-dep:babel-preset-fbjs | AI (phantom-deps): babel-preset-fbjs is a build-time babel preset referenced in config, not directly imported in JS. Expected pattern for this compiler package. | ai | |
| dependencies | unvetted-dep:fbjs | AI (dependencies): fbjs is Facebook's own utility library, a well-known dependency in the Relay/React ecosystem. No security concern. | ai | |
| dependencies | unvetted-dep:babel-preset-fbjs | AI (dependencies): babel-preset-fbjs is Facebook's official babel preset, expected dependency for relay-compiler. No security concern. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Rapid publishes are expected for this package's automated CI/CD pipeline, confirmed by SLSA provenance attestation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New immutable dependency is appropriate for compiler state management. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is expected for a compiler tool that executes system commands during codegen. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawning watchman for file monitoring is core compiler functionality, not malicious process execution. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() used for dynamic require of relay-config in try-catch; legitimate pattern for compiler configuration loading. | ai | |
| dependencies | unvetted-dep:nullthrows | AI (dependencies): nullthrows is a standard utility; stable dependency for this package. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Version format with timestamp and commit hash is standard for automated CI alpha releases; not indicative of malice. | ai | |
| dependencies | unvetted-dep:@babel/parser | AI (dependencies): @babel/parser is a core Babel dependency; expected for a Relay compiler. | ai | |
| dependencies | unvetted-dep:@babel/generator | AI (dependencies): @babel/generator is a core Babel dependency; expected for a Relay compiler. | ai | |
| dependencies | unvetted-dep:immutable | AI (dependencies): immutable is an established library; adding it to a relay compiler fork is a legitimate dependency choice. | ai | |
| dependencies | unvetted-dep:fb-watchman | AI (dependencies): fb-watchman is the canonical watchman client; appropriate for a compiler tool. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to GitHub Actions is consistent with CI/CD automation; supported by SLSA provenance attestation. | ai | |