apollo-client
A simple yet functional GraphQL client.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:coverage/lcov-report/prettify.js | AI (source-diff): Minified prettify.js in coverage report is a standard build artifact for HTML rendering, not production code or injected malware. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Alpha pre-release version; suspicious pattern is expected for -alpha.N suffixes in coordinated ecosystem releases. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall runs 'typings && typings i' — a standard TypeScript type definition install step from 2016 era. No network exfiltration or arbitrary code execution; benign for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Alpha release with significant new functionality; 4.2x size increase is expected for coordinated ecosystem expansion. | ai | |
| dependencies | unvetted-dep:lodash.identity | AI (dependencies): Standard lodash utility sub-package; widely used, no security concerns. Expected dependency for this era of Apollo Client. | ai | |
| dependencies | unvetted-dep:lodash.clonedeep | AI (dependencies): Standard lodash utility sub-package; widely used, no security concerns. Expected dependency for this era of Apollo Client. | ai | |
| dependencies | unvetted-dep:lodash.isequal | AI (dependencies): Standard lodash utility sub-package; widely used, no security concerns. Expected dependency for this era of Apollo Client. | ai | |
| dependencies | unvetted-dep:lodash.countby | AI (dependencies): Standard lodash utility sub-package; widely used, no security concerns. Expected dependency for this era of Apollo Client. | ai | |
| phantom-deps | phantom-dep:graphql-tag | AI (phantom-deps): graphql-tag is referenced in config/build but not direct imports; stable pattern for GraphQL client libraries. | ai | |
| dependencies | unvetted-dep:isomorphic-fetch | AI (dependencies): isomorphic-fetch is a standard fetch polyfill; legitimate for this package. | ai | |
| phantom-deps | phantom-dep:graphql | AI (phantom-deps): graphql is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:redux | AI (phantom-deps): redux is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isundefined | AI (phantom-deps): lodash.isundefined is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isboolean | AI (phantom-deps): lodash.isboolean is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isstring | AI (phantom-deps): lodash.isstring is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isobject | AI (phantom-deps): lodash.isobject is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isnumber | AI (phantom-deps): lodash.isnumber is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.includes | AI (phantom-deps): lodash.includes is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isarray | AI (phantom-deps): lodash.isarray is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isnull | AI (phantom-deps): lodash.isnull is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.forown | AI (phantom-deps): lodash.forown is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.assign | AI (phantom-deps): lodash.assign is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.has | AI (phantom-deps): lodash.has is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:es6-promise | AI (phantom-deps): es6-promise is used in config/build context; phantom-dep finding is expected for polyfills. | ai | |
| phantom-deps | phantom-dep:@types/redux | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| dependencies | unvetted-dep:@types/chai | AI (dependencies): TypeScript type definition in optionalDependencies; phantom dep not imported at runtime. Normal pattern for TS packages of this era. | ai | |
| dependencies | unvetted-dep:@types/node | AI (dependencies): TypeScript type definition in optionalDependencies; phantom dep not imported at runtime. Normal pattern for TS packages of this era. | ai | |
| dependencies | unvetted-dep:@types/redux | AI (dependencies): TypeScript type definition in optionalDependencies; phantom dep not imported at runtime. Normal pattern for TS packages of this era. | ai | |
| dependencies | unvetted-dep:@types/sinon | AI (dependencies): TypeScript type definition in optionalDependencies; phantom dep not imported at runtime. Normal pattern for TS packages of this era. | ai | |
| dependencies | unvetted-dep:typed-graphql | AI (dependencies): Optional GraphQL type dependency declared but not directly imported; referenced in config files only. No runtime risk. | ai | |
| dependencies | unvetted-dep:@types/promises-a-plus | AI (dependencies): TypeScript type definition in optionalDependencies; phantom dep not imported at runtime. Normal pattern for TS packages of this era. | ai | |
| phantom-deps | phantom-dep:@types/chai | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:@types/sinon | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:typed-graphql | AI (phantom-deps): Optional GraphQL type dependency referenced in config files only; not a runtime import. | ai | |
| phantom-deps | phantom-dep:@types/promises-a-plus | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| dependencies | unvetted-dep:apollo-link-core | AI (dependencies): Part of Apollo's own ecosystem; architectural dependency for this major version. | ai | |
| dependencies | unvetted-dep:apollo-cache-core | AI (dependencies): Part of Apollo's own ecosystem; architectural dependency for this major version. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Alpha release with major refactoring; 33 new files are consistent with feature development, not injection. | ai | |
| provenance | missing-githead | AI (provenance): gitHead loss reflects tooling changes over 10+ years; not indicative of compromise for established package. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size reduction is consistent with moving from source to compiled distribution; normal for library evolution. | ai | |
| dependencies | unvetted-dep:@types/isomorphic-fetch | AI (dependencies): Optional TypeScript type definition package, phantom dep not directly imported. Benign for a TypeScript GraphQL client; stable across versions. | ai | |
| dependencies | unvetted-dep:@types/graphql | AI (dependencies): Optional TypeScript type definition package, phantom dep not directly imported. Benign for a TypeScript GraphQL client; stable across versions. | ai | |
| dependencies | unvetted-dep:lodash.has | AI (dependencies): lodash.has is a standard utility module; granular lodash dependency is normal refactoring. | ai | |
| dependencies | unvetted-dep:redux | AI (dependencies): redux is a core dependency of apollo-client; widely-used and legitimate for this package. | ai | |
| dependencies | unvetted-dep:lodash.isobject | AI (dependencies): lodash.isobject is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:lodash.isundefined | AI (dependencies): lodash.isundefined is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:lodash.isarray | AI (dependencies): lodash.isarray is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:lodash.isnull | AI (dependencies): lodash.isnull is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:lodash.forown | AI (dependencies): lodash.forown is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:lodash.assign | AI (dependencies): lodash.assign is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:es6-promise | AI (dependencies): es6-promise is a standard polyfill dependency; legitimate for this package. | ai | |
| dependencies | unvetted-dep:apollo-link-dedup | AI (dependencies): Core Apollo ecosystem package; intentional architectural dependency for this version. | ai | |
| dependencies | unvetted-dep:apollo-cache | AI (dependencies): Core Apollo ecosystem package; intentional architectural dependency for this version. | ai | |
| dependencies | unvetted-dep:@types/async | AI (dependencies): @types/async is a TypeScript type definition package used as an optional dependency; no security risk. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): Observable implementation; intentional architectural dependency for this version. | ai | |
| dependencies | unvetted-dep:apollo-link | AI (dependencies): Core Apollo ecosystem package; intentional architectural dependency for this version. | ai | |
| dependencies | unvetted-dep:graphql-anywhere | AI (dependencies): graphql-anywhere is a core GraphQL utility; appropriate for this package. | ai | |
| dependencies | unvetted-dep:apollo-utilities | AI (dependencies): Core Apollo ecosystem package; intentional architectural dependency for this version. | ai | |
| phantom-deps | phantom-dep:zen-observable | AI (phantom-deps): zen-observable is properly declared and referenced in config; phantom status is acceptable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance standard (2017); historical artifact not indicative of compromise. | ai | |
| phantom-deps | phantom-dep:@types/zen-observable | AI (phantom-deps): Framework-scoped type package loaded by convention; phantom status is acceptable for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Expected maintainer rotation in established project; no takeover indicators. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are all established utility libraries (lodash modules, whatwg-fetch, symbol-observable); appropriate for GraphQL client evolution. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Legitimate Apollo GraphQL project team expansion; consistent with organizational growth. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition within Apollo GraphQL project; no compromise indicators. | ai | |
| email-domain | unclaimed-email:stubailo.com | AI (email-domain): Established maintainer with long history; unclaimed domain is low-probability risk for this package. | ai | |
| phantom-deps | phantom-dep:@types/graphql | AI (phantom-deps): @types/* packages are TypeScript type definitions in optionalDependencies; not directly imported in JS code is expected behavior. | ai | |
| phantom-deps | phantom-dep:@types/async | AI (phantom-deps): @types/* packages are TypeScript type definitions in optionalDependencies; not directly imported in JS code is expected behavior. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): fetch() calls are legitimate HTTP requests for GraphQL queries; core client functionality, not exfiltration. | ai | |
| phantom-deps | phantom-dep:@types/isomorphic-fetch | AI (phantom-deps): @types/* packages are TypeScript type definitions in optionalDependencies; not directly imported in JS code is expected behavior. | ai | |
Versions (showing 40 of 140)
| Version | Deps | Published |
|---|---|---|
| 0.3.21 | 21 / 28 | |
| 0.3.20 | 20 / 27 | |
| 0.3.19 | 20 / 27 | |
| 0.3.18 | 20 / 27 | |
| 0.3.17 | 20 / 27 | |
| 0.3.16 | 20 / 27 | |
| 0.3.15 | 20 / 27 | |
| 0.3.14 | 20 / 27 | |
| 0.3.13 | 20 / 27 | |
| 0.3.12 | 16 / 27 | |
| 0.3.11 | 16 / 27 | |
| 0.3.10 | 16 / 27 | |
| 0.3.9 | 15 / 27 | |
| 0.3.8 | 15 / 27 | |
| 0.3.7 | 15 / 27 | |
| 0.3.6 | 15 / 27 | |
| 0.3.5 | 15 / 27 | |
| 0.3.4 | 14 / 26 | |
| 0.3.3 | 14 / 26 | |
| 0.3.2 | 14 / 26 | |
| 0.3.1 | 14 / 26 | |
| 0.3.0 | 14 / 26 | |
| 0.2.5 | 14 / 26 | |
| 0.2.4 | 14 / 26 | |
| 0.2.3 | 14 / 26 | |
| 0.2.2 | 14 / 26 | |
| 0.2.1 | 14 / 26 | |
| 0.2.0 | 14 / 26 | |
| 0.1.6 | 14 / 24 | |
| 0.1.5 | 14 / 25 | |
| 0.1.4 | 14 / 25 | |
| 0.1.3 | 14 / 25 | |
| 0.1.2 | 14 / 25 | |
| 0.1.1 | 14 / 25 | |
| 0.1.0 | 14 / 25 | |
| 0.0.5 | 5 / 14 | |
| 0.0.4 | 5 / 14 | |
| 0.0.3 | 5 / 14 | |
| 0.0.2 | 5 / 13 | |
| 2.0.0-alpha.26 | 7 / 25 | |
v0.3.21
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.