@graphql-toolkit/schema-merging
A set of utils for faster development of GraphQL tools
36
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
ardatandotansimhaurigo
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): ardatan is the legitimate successor maintainer of graphql-toolkit, with a strong track record (243 approved packages). This is a documented project transfer, not a suspicious takeover. | ai | |
| provenance | missing-githead | AI (provenance): Missing gitHead is consistent with the documented maintainer/environment transition from dotansimha to ardatan in Dec 2019. No malicious signal. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): tslib is a well-known Microsoft-published TypeScript runtime helper library. Its addition is a standard TypeScript build practice and poses no security risk. | ai | |
| provenance | publisher-changed | AI (provenance): dotansimha is the listed author in package.json and has a long, clean npm track record; the ardatan→dotansimha transition reflects the known project maintainership, not a compromise. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance adoption; publisher has strong track record. Absence of provenance is not a risk signal here. | ai | |
| dependencies | unvetted-dep:@kamilkisiela/graphql-tools | AI (dependencies): @kamilkisiela/graphql-tools is a known fork of graphql-tools by a core ecosystem contributor; its use in graphql-toolkit packages is expected and legitimate. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper; its use as an implicit dependency in compiled TS packages is a well-known pattern and not a security concern. | ai | |
| dependencies | unvetted-dep:@graphql-toolkit/common | AI (dependencies): Sibling package from the same publisher (ardatan) and ecosystem; not an independent risk. | ai |
Versions (showing 36 of 36)
| Version | Deps | Published |
|---|---|---|
| 0.10.7 | 4 / 0 | |
| 0.10.6 | 4 / 0 | |
| 0.10.5 | 4 / 0 | |
| 0.10.4 | 4 / 0 | |
| 0.10.3 | 4 / 0 | |
| 0.10.2 | 4 / 0 | |
| 0.10.1 | 4 / 0 | |
| 0.9.12 | 4 / 0 | |
| 0.9.11 | 4 / 0 | |
| 0.9.10 | 4 / 0 | |
| 0.9.9 | 4 / 0 | |
| 0.9.8 | 4 / 0 | |
| 0.9.7 | 4 / 0 | |
| 0.9.6 | 4 / 0 | |
| 0.9.5 | 4 / 0 | |
| 0.9.4 | 4 / 0 | |
| 0.9.3 | 4 / 0 | |
| 0.9.2 | 4 / 0 | |
| 0.9.1 | 4 / 0 | |
| 0.9.0 | 4 / 0 | |
| 0.8.1 | 4 / 0 | |
| 0.8.0 | 4 / 0 | |
| 0.7.5 | 4 / 0 | |
| 0.7.4 | 4 / 0 | |
| 0.7.3 | 4 / 0 | |
| 0.7.2 | 4 / 6 | |
| 0.7.1 | 4 / 6 | |
| 0.7.0 | 4 / 6 | |
| 0.6.8 | 4 / 6 | |
| 0.6.7 | 3 / 6 | |
| 0.6.6 | 3 / 6 | |
| 0.6.5 | 3 / 6 | |
| 0.6.4 | 3 / 6 | |
| 0.6.3 | 3 / 6 | |
| 0.6.2 | 3 / 6 | |
| 0.6.0 | 3 / 6 |