@graphql-tools/schema
A set of utils for faster development of GraphQL tools
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:value-or-promise | AI (phantom-deps): value-or-promise is a legitimate declared runtime dependency in the graphql-tools ecosystem; phantom detection is a false positive for this package. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): The long alpha version string (timestamp + commit SHA) is the established pattern for graphql-tools automated pre-releases across its 1477-version history. Not indicative of malicious intent. | ai | |
| provenance | publisher-changed | AI (provenance): graphql-tools publishes alpha versions via GitHub Actions CI automation; SLSA provenance attestation confirms legitimate CI/CD origin. Publisher change to 'GitHub Actions' is expected for this package's automated pre-release workflow. | ai | |
| bogus-package | bogus-package | AI (bogus-package): This is a monorepo sub-package of the well-known graphql-tools project. Minimal README and no keywords are expected for sub-packages; not indicative of spam or low-value content. | ai | |
| dependencies | unvetted-dep:@graphql-tools/merge | AI (dependencies): @graphql-tools/merge is a sibling package from the same ardatan/graphql-tools monorepo; the unvetted status is a pipeline gap, not a real risk. | ai | |
Versions (showing 100 of 196)
| Version | Deps | Published |
|---|---|---|
| 10.0.33 | 3 / 0 | |
| 10.0.32 | 3 / 0 | |
| 10.0.31 | 3 / 0 | |
| 10.0.30 | 3 / 0 | |
| 10.0.29 | 3 / 0 | |
| 10.0.28 | 3 / 0 | |
| 10.0.27 | 3 / 0 | |
| 10.0.26 | 3 / 0 | |
| 10.0.25 | 3 / 0 | |
| 10.0.24 | 3 / 0 | |
| 10.0.23 | 3 / 0 | |
| 10.0.22 | 3 / 0 | |
| 10.0.21 | 3 / 0 | |
| 10.0.20 | 3 / 0 | |
| 10.0.19 | 3 / 0 | |
| 10.0.18 | 3 / 0 | |
| 10.0.17 | 3 / 0 | |
| 10.0.16 | 4 / 0 | |
| 10.0.15 | 4 / 0 | |
| 10.0.14 | 4 / 0 | |
| 10.0.13 | 4 / 0 | |
| 10.0.12 | 4 / 0 | |
| 10.0.11 | 4 / 0 | |
| 10.0.10 | 4 / 0 | |
| 10.0.9 | 4 / 0 | |
| 10.0.8 | 4 / 0 | |
| 10.0.7 | 4 / 0 | |
| 10.0.6 | 4 / 0 | |
| 10.0.5 | 4 / 0 | |
| 10.0.4 | 4 / 0 | |
| 10.0.3 | 4 / 0 | |
| 10.0.2 | 4 / 0 | |
| 10.0.1 | 4 / 0 | |
| 10.0.0 | 4 / 0 | |
| 9.0.19 | 4 / 0 | |
| 9.0.18 | 4 / 0 | |
| 9.0.17 | 4 / 0 | |
| 9.0.16 | 4 / 0 | |
| 9.0.15 | 4 / 0 | |
| 9.0.14 | 4 / 0 | |
| 9.0.13 | 4 / 0 | |
| 9.0.12 | 4 / 0 | |
| 9.0.11 | 4 / 0 | |
| 9.0.10 | 4 / 0 | |
| 9.0.9 | 4 / 0 | |
| 9.0.8 | 4 / 0 | |
| 9.0.7 | 4 / 0 | |
| 9.0.6 | 4 / 0 | |
| 9.0.5 | 4 / 0 | |
| 9.0.4 | 4 / 0 | |
| 9.0.3 | 4 / 0 | |
| 9.0.2 | 4 / 0 | |
| 9.0.1 | 4 / 0 | |
| 9.0.0 | 4 / 0 | |
| 8.5.1 | 4 / 0 | |
| 8.5.0 | 4 / 0 | |
| 8.4.0 | 4 / 0 | |
| 8.3.14 | 4 / 0 | |
| 8.3.13 | 4 / 0 | |
| 8.3.12 | 4 / 0 | |
| 8.3.11 | 4 / 0 | |
| 8.3.10 | 4 / 0 | |
| 8.3.9 | 4 / 0 | |
| 8.3.8 | 4 / 0 | |
| 8.3.7 | 4 / 0 | |
| 8.3.6 | 4 / 0 | |
| 8.3.5 | 4 / 0 | |
| 8.3.4 | 4 / 0 | |
| 8.3.3 | 4 / 0 | |
| 8.3.2 | 4 / 0 | |
| 8.3.1 | 4 / 0 | |
| 8.3.0 | 4 / 0 | |
| 8.2.0 | 4 / 0 | |
| 8.1.2 | 4 / 0 | |
| 8.1.1 | 4 / 0 | |
| 8.1.0 | 4 / 0 | |
| 8.0.3 | 4 / 0 | |
| 8.0.2 | 4 / 0 | |
| 8.0.1 | 4 / 0 | |
| 8.0.0 | 4 / 0 | |
| 7.1.5 | 3 / 0 | |
| 7.1.4 | 3 / 0 | |
| 7.1.3 | 2 / 0 | |
| 7.1.2 | 2 / 0 | |
| 7.1.0 | 2 / 0 | |
| 7.0.0 | 2 / 0 | |
| 6.2.4 | 2 / 0 | |
| 6.2.3 | 2 / 1 | |
| 6.2.2 | 2 / 1 | |
| 6.2.1 | 2 / 1 | |
| 6.2.0 | 2 / 1 | |
| 6.1.0 | 2 / 1 | |
| 6.0.18 | 2 / 1 | |
| 6.0.17 | 2 / 1 | |
| 6.0.16 | 2 / 1 | |
| 6.0.15 | 2 / 1 | |
| 6.0.14 | 2 / 1 | |
| 6.0.13 | 2 / 1 | |
| 6.0.12 | 2 / 1 | |
| 6.0.11 | 2 / 1 | |
v10.0.33
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.31
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.30
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.29
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.28
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.27
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.26
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.25
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.24
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.23
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.22
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.21
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.20
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.19
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.18
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.17
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.16
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.15
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.14
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.13
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.12
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.11
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.10
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.8
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.7
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.6
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.5
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.19
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.18
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.17
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.5.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.5.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.1.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.17
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.