← Home

@graphql-codegen/core

npm Repository Homepage

<p align="center"> <img src="https://github.com/dotansimha/graphql-code-generator/blob/master/logo.png?raw=true" /> </p>

87
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

dotansimhaardatankamilkisielaurigotheguild-bot

Keywords

gqlgeneratorcodetypesinterfacesgraphqlcodegenapollonodetypescripttsflowtypesd.tstypings

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Transition from theguild-bot to GitHub Actions reflects CI migration; SLSA provenance present. ai
provenance missing-githead AI (provenance): gitHead often dropped in GitHub Actions publishes; SLSA provenance compensates. ai
npm-metadata no-description AI (npm-metadata): Scoped Guild package; missing description is cosmetic, not a spam signal. ai
bogus-package bogus-package AI (bogus-package): False positive on a 6.8M-download established package. ai
typosquat typosquat.levenshtein:cors AI (typosquat): Scoped package @graphql-codegen/core is a well-known GraphQL code generation library; Levenshtein match to 'cors' is purely coincidental and not a typosquat. ai
phantom-deps phantom-dep:tslib AI (phantom-deps): tslib is a standard TypeScript runtime helper declared as a dependency; used implicitly by compiled TypeScript output, not a direct import in source. ai

Versions (showing 87 of 87)

Show 121 prereleases
Version Deps Published
6.1.0 4 / 0
6.0.1 4 / 0
6.0.0 4 / 0
5.0.2 4 / 0
5.0.1 4 / 0
5.0.0 4 / 0
4.0.2 4 / 0
4.0.1 4 / 0
4.0.0 4 / 0
3.1.0 4 / 0
3.0.0 4 / 0
2.6.8 4 / 0
2.6.7 4 / 0
2.6.6 4 / 0
2.6.5 4 / 0
2.6.4 4 / 0
2.6.3 4 / 0
2.6.2 4 / 0
2.6.1 4 / 0
2.6.0 4 / 0
2.5.1 4 / 0
2.5.0 4 / 0
2.4.0 4 / 0
2.3.0 4 / 0
2.2.0 4 / 0
2.1.0 4 / 0
2.0.0 4 / 0
1.17.10 4 / 0
1.17.9 4 / 0
1.17.8 4 / 0
1.17.7 4 / 0
1.17.6 4 / 0
1.17.5 4 / 0
1.17.4 4 / 0
1.17.3 4 / 0
1.17.2 4 / 0
1.17.1 4 / 0
1.17.0 4 / 0
1.16.3 4 / 0
1.16.2 4 / 0
1.16.1 4 / 0
1.16.0 4 / 0
1.15.4 4 / 0
1.15.3 4 / 0
1.15.2 4 / 0
1.15.1 4 / 0
1.15.0 4 / 0
1.14.0 4 / 0
1.13.5 4 / 0
1.13.4 4 / 0
1.13.3 4 / 0
1.13.2 4 / 0
1.13.1 4 / 0
1.13.0 4 / 0
1.12.2 4 / 0
1.12.1 4 / 0
1.12.0 4 / 0
1.11.2 4 / 0
1.11.1 4 / 0
1.11.0 4 / 0
1.10.0 4 / 0
1.9.1 4 / 0
1.9.0 3 / 0
1.8.3 4 / 1
1.8.2 3 / 1
1.8.1 3 / 1
1.8.0 3 / 1
1.7.0 3 / 1
1.6.1 3 / 1
1.6.0 3 / 1
1.5.0 3 / 1
1.4.0 3 / 1
1.3.1 3 / 1
1.3.0 3 / 1
1.2.1 3 / 1
1.2.0 3 / 1
1.1.3 3 / 1
1.1.1 3 / 1
1.1.0 3 / 1
1.0.7 3 / 1
1.0.6 3 / 1
1.0.5 3 / 1
1.0.4 3 / 1
1.0.3 3 / 1
1.0.2 3 / 1
1.0.1 3 / 1
1.0.0 3 / 1

v6.1.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: theguild-bot → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.1

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: theguild-bot → GitHub Actions (on 2026-05-27) provenance

This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v6.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.1

2 findings
HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@graphql-codegen/core' is 1 edit(s) away from popular package 'cors'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v5.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.