@graphql-toolkit/core
A set of utils for faster development of GraphQL tools
36
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
ardatandotansimhaurigo
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Lack of Sigstore provenance is a governance signal, not a security blocker for an established package with strong publisher history. | ai | |
| provenance | missing-githead | AI (provenance): Established publisher ardatan with strong track record; missing gitHead reflects a CI environment change, not a security concern for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies (lodash, p-limit, import-from, resolve-from, unixify) are all established packages; typical expansion for toolkit functionality. | ai | |
| source-diff | source-size-tripled | AI (source-diff): 4x source size growth reflects legitimate feature expansion in a toolkit package, not bundled payloads or injection. | ai | |
| phantom-deps | phantom-dep:aggregate-error | AI (phantom-deps): aggregate-error is explicitly declared in dependencies and used indirectly; false positive for this package's architecture. | ai | |
| phantom-deps | phantom-dep:graphql-import | AI (phantom-deps): graphql-import is explicitly declared in dependencies and used indirectly; false positive for this package's architecture. | ai | |
| phantom-deps | phantom-dep:valid-url | AI (phantom-deps): valid-url is explicitly declared in dependencies and used indirectly; false positive for this package's architecture. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher transition (ardatan → dotansimha) on 2020-05-18 reflects legitimate maintainer handoff within GraphQL ecosystem; already marked accepted. | ai | |
| dependencies | unvetted-dep:unixify | AI (dependencies): [email protected] is a simple, stable path normalization utility with no known security issues. Pinned to exact version. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is intentional — used in getCustomLoaderByPath to load user-specified custom loader modules, a documented feature of graphql-toolkit. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper used implicitly by compiled TypeScript output; phantom-dep detection is a known false positive for this pattern. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @graphql-toolkit/core is a scoped GraphQL utility package with no relation to the 'cors' HTTP middleware. The Levenshtein match on 'core' vs 'cors' is a coincidental false positive; this package is a legitimate, long-established project. | ai |
Versions (showing 36 of 36)
| Version | Deps | Published |
|---|---|---|
| 0.10.7 | 12 / 0 | |
| 0.10.6 | 12 / 0 | |
| 0.10.5 | 12 / 0 | |
| 0.10.4 | 12 / 0 | |
| 0.10.3 | 12 / 0 | |
| 0.10.2 | 12 / 0 | |
| 0.10.1 | 12 / 0 | |
| 0.9.12 | 12 / 0 | |
| 0.9.11 | 12 / 0 | |
| 0.9.10 | 12 / 0 | |
| 0.9.9 | 11 / 0 | |
| 0.9.8 | 11 / 0 | |
| 0.9.7 | 11 / 0 | |
| 0.9.6 | 11 / 0 | |
| 0.9.5 | 11 / 0 | |
| 0.9.4 | 10 / 0 | |
| 0.9.3 | 10 / 0 | |
| 0.9.2 | 10 / 0 | |
| 0.9.1 | 11 / 0 | |
| 0.9.0 | 9 / 0 | |
| 0.8.1 | 9 / 0 | |
| 0.8.0 | 9 / 0 | |
| 0.7.5 | 8 / 0 | |
| 0.7.4 | 8 / 0 | |
| 0.7.3 | 8 / 0 | |
| 0.7.2 | 8 / 13 | |
| 0.7.1 | 8 / 13 | |
| 0.7.0 | 8 / 13 | |
| 0.6.8 | 8 / 13 | |
| 0.6.7 | 9 / 13 | |
| 0.6.6 | 9 / 13 | |
| 0.6.5 | 9 / 13 | |
| 0.6.4 | 9 / 13 | |
| 0.6.3 | 9 / 13 | |
| 0.6.2 | 9 / 13 | |
| 0.6.0 | 9 / 13 |