@graphql-codegen/cli
<p align="center"> <img src="https://github.com/dotansimha/graphql-code-generator/blob/master/logo.png?raw=true" /> </p>
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): theguild-bot is The Guild's official npm bot (9034 approved versions). Transition from dotansimha (Guild founder) is legitimate org automation. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): theguild-bot is The Guild's established automation account; legitimate org-level maintainer management. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer list cleanup is normal for org-managed packages at The Guild. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): CLI tool augments PATH with node_modules/.bin for lifecycle hook execution; standard pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): CLI tool executes lifecycle hooks via child_process; core functionality. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads user-specified codegen plugins; core functionality of a plugin-based code generator. | ai |
Versions (showing 37 of 37)
| Version | Deps | Published |
|---|---|---|
| 7.0.1 | 35 / 0 | |
| 7.0.0 | 35 / 0 | |
| 6.3.1 | 35 / 0 | |
| 6.3.0 | 35 / 0 | |
| 6.2.1 | 35 / 0 | |
| 6.2.0 | 35 / 0 | |
| 6.1.3 | 34 / 0 | |
| 6.1.2 | 34 / 0 | |
| 6.1.1 | 34 / 0 | |
| 6.1.0 | 34 / 0 | |
| 6.0.2 | 34 / 0 | |
| 6.0.1 | 34 / 0 | |
| 6.0.0 | 34 / 0 | |
| 1.8.3 | 43 / 13 | |
| 1.8.2 | 37 / 13 | |
| 1.8.1 | 37 / 12 | |
| 1.8.0 | 37 / 9 | |
| 1.7.0 | 37 / 9 | |
| 1.6.1 | 37 / 9 | |
| 1.6.0 | 37 / 9 | |
| 1.5.0 | 36 / 9 | |
| 1.4.0 | 37 / 9 | |
| 1.3.1 | 37 / 9 | |
| 1.3.0 | 38 / 8 | |
| 1.2.1 | 37 / 8 | |
| 1.2.0 | 37 / 8 | |
| 1.1.3 | 37 / 8 | |
| 1.1.1 | 37 / 8 | |
| 1.1.0 | 37 / 8 | |
| 1.0.7 | 37 / 8 | |
| 1.0.6 | 37 / 8 | |
| 1.0.5 | 37 / 8 | |
| 1.0.4 | 37 / 8 | |
| 1.0.3 | 37 / 8 | |
| 1.0.2 | 37 / 8 | |
| 1.0.1 | 37 / 8 | |
| 1.0.0 | 37 / 8 |
v7.0.1
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.
v7.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.1
4 findingsThis version was published by a different npm account than previous versions on 2026-04-18. This could indicate a legitimate maintainer transition or an account compromise.
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/dotansimha/graphql-code-generator/blob/4370999a0d98bd739326b494e4bce97c81bf411f/cjs/hooks.js#L21 19 | return new Promise((resolve, reject) => { 20 | (0, child_process_1.exec)(cmd, { > 21 | env: { 22 | ...process.env, 23 | PATH: `${process.env.PATH}${path_1.delimiter}${process.cwd()}${path_1.sep}node_modules${path_1.sep}.bin`
Spreading entire process.env into an object — may capture all secrets Source: https://github.com/dotansimha/graphql-code-generator/blob/4370999a0d98bd739326b494e4bce97c81bf411f/esm/hooks.js#L18 16 | return new Promise((resolve, reject) => { 17 | exec(cmd, { > 18 | env: { 19 | ...process.env, 20 | PATH: `${process.env.PATH}${delimiter}${process.cwd()}${sep}node_modules${sep}.bin`,
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-13. This could indicate a legitimate maintainer transition or an account compromise.
v6.2.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
v6.2.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-06. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-22. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-11. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-20. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-12. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-21. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-07. This could indicate a legitimate maintainer transition or an account compromise.