← Home

@graphql-codegen/plugin-helpers

npm Repository Homepage

GraphQL Code Generator common utils and types

6
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

dotansimhaardatankamilkisielaurigotheguild-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
maintainer-change maintainer-added AI (maintainer-change): theguild-bot is The Guild's established bot publisher; addition is consistent with their standard publishing workflow across the graphql-codegen ecosystem. ai
provenance publisher-changed AI (provenance): theguild-bot is The Guild's official automation account with a strong track record (4686 approved/0 rejected). This transition from dotansimha is a known, legitimate org-level handoff for graphql-code-generator. ai
semgrep semgrep:eval-usage AI (semgrep): eval() is used for legitimate dynamic module loading in resolveExternalModuleAndFn; input is a module name parameter, not user-controlled data. ai
provenance missing-githead AI (provenance): Trusted publisher (dotansimha) with 5382 approved packages; missing gitHead reflects a CI environment change, not a malicious publish. Repo URL is clearly specified. ai
phantom-deps phantom-dep:tslib AI (phantom-deps): tslib is a standard TypeScript runtime helper dependency; implicit usage via compiled output is expected. ai
dependencies unvetted-dep:change-case-all AI (dependencies): change-case-all is a well-known string utility used throughout the graphql-codegen ecosystem; pinned at 1.0.15 with no malicious signals. ai
dependencies unvetted-dep:pascal-case AI (dependencies): pascal-case is a well-known utility package split from change-case v4; its inclusion here is a legitimate refactor replacing the monolithic change-case dependency. ai
publish-pattern new-deps-added AI (publish-pattern): The new deps (camel-case, lower-case, param-case, upper-case, pascal-case, constant-case) are the constituent packages of change-case v4 split — a known ecosystem pattern, not a suspicious addition. ai
phantom-deps phantom-dep:pascal-case AI (phantom-deps): Case-conversion utilities are referenced in config/build logic rather than direct imports; stable pattern for code generation tools. ai
phantom-deps phantom-dep:constant-case AI (phantom-deps): Case-conversion utilities are referenced in config/build logic rather than direct imports; stable pattern for code generation tools. ai
phantom-deps phantom-dep:camel-case AI (phantom-deps): Case-conversion utilities are referenced in config/build logic rather than direct imports; stable pattern for code generation tools. ai
phantom-deps phantom-dep:lower-case AI (phantom-deps): Case-conversion utilities are referenced in config/build logic rather than direct imports; stable pattern for code generation tools. ai
phantom-deps phantom-dep:upper-case AI (phantom-deps): Case-conversion utilities are referenced in config/build logic rather than direct imports; stable pattern for code generation tools. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require is used as a plugin loader (loading user-specified modules by name from cwd), a documented and intentional pattern for this package. ai
phantom-deps phantom-dep:common-tags AI (phantom-deps): Declared dependency referenced in config/re-export context; phantom-dep pattern is expected for this plugin-helpers package. ai
provenance no-provenance AI (provenance): Established package from a trusted publisher with 5169 approved packages; lack of Sigstore provenance is a known gap for this ecosystem, not a disqualifier. ai
phantom-deps phantom-dep:import-from AI (phantom-deps): import-from is a declared runtime dependency; phantom-dep flag is a false positive for this monorepo package. ai

Versions (showing 6 of 106)

Show 150 prereleases
Version Deps Published
1.0.5 4 / 1
1.0.4 4 / 1
1.0.3 4 / 1
1.0.2 4 / 1
1.0.1 4 / 1
1.0.0 4 / 1

v1.0.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.