@ardatan/relay-compiler
Fork of `relay-compiler`
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped loading pattern; @babel/core is loaded by convention in Babel-based tooling, not via direct import. | ai | |
| dependencies | unvetted-dep:@babel/core | AI (dependencies): @babel/core is a foundational Babel package; expected dependency for a relay-compiler fork. | ai | |
| dependencies | unvetted-dep:@babel/types | AI (dependencies): @babel/types is a standard Babel utility; expected in a compiler tool. | ai | |
| dependencies | unvetted-dep:@babel/traverse | AI (dependencies): @babel/traverse is a standard Babel AST traversal package; expected in a compiler tool. | ai | |
| phantom-deps | phantom-dep:@babel/traverse | AI (phantom-deps): Framework-scoped loading pattern; consistent with Babel-based compiler tooling. | ai | |
| dependencies | unvetted-dep:yargs | AI (dependencies): yargs is a well-known, widely-used CLI argument parser; its presence in a compiler tool is expected and benign. | ai | |
| phantom-deps | phantom-dep:fbjs | AI (phantom-deps): fbjs is a Facebook utility library referenced in babel/build config for relay-compiler; phantom dep finding is expected and benign for this package. | ai | |
| phantom-deps | phantom-dep:babel-preset-fbjs | AI (phantom-deps): babel-preset-fbjs is a build-time babel preset referenced in config, not directly imported in JS. Expected pattern for this compiler package. | ai | |
| dependencies | unvetted-dep:fbjs | AI (dependencies): fbjs is Facebook's own utility library, a well-known dependency in the Relay/React ecosystem. No security concern. | ai | |
| dependencies | unvetted-dep:babel-preset-fbjs | AI (dependencies): babel-preset-fbjs is Facebook's official babel preset, expected dependency for relay-compiler. No security concern. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Rapid publishes are expected for this package's automated CI/CD pipeline, confirmed by SLSA provenance attestation. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New immutable dependency is appropriate for compiler state management. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is expected for a compiler tool that executes system commands during codegen. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawning watchman for file monitoring is core compiler functionality, not malicious process execution. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() used for dynamic require of relay-config in try-catch; legitimate pattern for compiler configuration loading. | ai | |
| dependencies | unvetted-dep:nullthrows | AI (dependencies): nullthrows is a standard utility; stable dependency for this package. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Version format with timestamp and commit hash is standard for automated CI alpha releases; not indicative of malice. | ai | |
| dependencies | unvetted-dep:@babel/parser | AI (dependencies): @babel/parser is a core Babel dependency; expected for a Relay compiler. | ai | |
| dependencies | unvetted-dep:@babel/generator | AI (dependencies): @babel/generator is a core Babel dependency; expected for a Relay compiler. | ai | |
| dependencies | unvetted-dep:immutable | AI (dependencies): immutable is an established library; adding it to a relay compiler fork is a legitimate dependency choice. | ai | |
| dependencies | unvetted-dep:fb-watchman | AI (dependencies): fb-watchman is the canonical watchman client; appropriate for a compiler tool. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to GitHub Actions is consistent with CI/CD automation; supported by SLSA provenance attestation. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 13.0.1 | 3 / 0 | |
| 13.0.0 | 3 / 0 | |
| 12.3.0 | 10 / 0 | |
| 12.2.0 | 10 / 0 | |
| 12.1.2 | 9 / 0 | |
| 12.1.1 | 9 / 0 | |
| 12.1.0 | 10 / 0 | |
| 12.0.6 | 10 / 0 | |
| 12.0.4 | 10 / 0 | |
| 12.0.3 | 10 / 0 | |
| 12.0.2 | 10 / 0 | |
| 12.0.1 | 12 / 0 | |
| 12.0.0 | 17 / 0 | |
| 13.0.1-alpha-20260403111900-cd7dd2dd80675577901a5c76cf24de1a53626010 | 3 / 0 | |
| 13.0.1-alpha-20260403111302-50a96a0125ffbd59a8721d964bde8e6e6666d992 | 3 / 0 | |
| 13.0.1-alpha-20260402125447-88f7b5532d1c8a6693f7ddb456649bd6dcfa46e8 | 3 / 0 | |
| 13.0.1-alpha-20260402124024-0f177687f3b0ba50d9d96700e2197994bd749702 | 3 / 0 | |
| 13.0.1-alpha-20260402123214-89e09fc96a2ecb23a27efe3b915fda4ee1605473 | 3 / 0 | |
| 13.0.0-alpha-20260305154116-7cb97d91ac89f0799c5c12554f46e977ce528bfa | 3 / 0 | |
| 12.3.1-alpha-20260305152127-dc298cbadcb7031af4b56be5002559324e0aee06 | 10 / 0 | |
| 12.3.1-alpha-20260305152113-ff7c4843aaf7b1adc54a854f21a483a22c9d924e | 10 / 0 | |
| 12.3.0-alpha-20260305151214-bfb738a26c3b14fde10f798842c9a55ba0eaf931 | 10 / 0 | |
| 12.3.0-alpha-20260305150442-370db740bd2287fa992703d057fda634f08d46dc | 10 / 0 | |
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.