apollo-client
A simple yet functional GraphQL client.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:coverage/lcov-report/prettify.js | AI (source-diff): Minified prettify.js in coverage report is a standard build artifact for HTML rendering, not production code or injected malware. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Alpha pre-release version; suspicious pattern is expected for -alpha.N suffixes in coordinated ecosystem releases. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall runs 'typings && typings i' — a standard TypeScript type definition install step from 2016 era. No network exfiltration or arbitrary code execution; benign for this package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Alpha release with significant new functionality; 4.2x size increase is expected for coordinated ecosystem expansion. | ai | |
| dependencies | unvetted-dep:lodash.identity | AI (dependencies): Standard lodash utility sub-package; widely used, no security concerns. Expected dependency for this era of Apollo Client. | ai | |
| dependencies | unvetted-dep:lodash.clonedeep | AI (dependencies): Standard lodash utility sub-package; widely used, no security concerns. Expected dependency for this era of Apollo Client. | ai | |
| dependencies | unvetted-dep:lodash.isequal | AI (dependencies): Standard lodash utility sub-package; widely used, no security concerns. Expected dependency for this era of Apollo Client. | ai | |
| dependencies | unvetted-dep:lodash.countby | AI (dependencies): Standard lodash utility sub-package; widely used, no security concerns. Expected dependency for this era of Apollo Client. | ai | |
| phantom-deps | phantom-dep:graphql-tag | AI (phantom-deps): graphql-tag is referenced in config/build but not direct imports; stable pattern for GraphQL client libraries. | ai | |
| dependencies | unvetted-dep:isomorphic-fetch | AI (dependencies): isomorphic-fetch is a standard fetch polyfill; legitimate for this package. | ai | |
| phantom-deps | phantom-dep:graphql | AI (phantom-deps): graphql is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:redux | AI (phantom-deps): redux is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isundefined | AI (phantom-deps): lodash.isundefined is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isboolean | AI (phantom-deps): lodash.isboolean is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isstring | AI (phantom-deps): lodash.isstring is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isobject | AI (phantom-deps): lodash.isobject is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isnumber | AI (phantom-deps): lodash.isnumber is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.includes | AI (phantom-deps): lodash.includes is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isarray | AI (phantom-deps): lodash.isarray is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.isnull | AI (phantom-deps): lodash.isnull is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.forown | AI (phantom-deps): lodash.forown is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.assign | AI (phantom-deps): lodash.assign is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:lodash.has | AI (phantom-deps): lodash.has is legitimately declared and used; phantom-dep flag reflects config-file reference pattern, not a real dependency issue. | ai | |
| phantom-deps | phantom-dep:es6-promise | AI (phantom-deps): es6-promise is used in config/build context; phantom-dep finding is expected for polyfills. | ai | |
| phantom-deps | phantom-dep:@types/redux | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| dependencies | unvetted-dep:@types/chai | AI (dependencies): TypeScript type definition in optionalDependencies; phantom dep not imported at runtime. Normal pattern for TS packages of this era. | ai | |
| dependencies | unvetted-dep:@types/node | AI (dependencies): TypeScript type definition in optionalDependencies; phantom dep not imported at runtime. Normal pattern for TS packages of this era. | ai | |
| dependencies | unvetted-dep:@types/redux | AI (dependencies): TypeScript type definition in optionalDependencies; phantom dep not imported at runtime. Normal pattern for TS packages of this era. | ai | |
| dependencies | unvetted-dep:@types/sinon | AI (dependencies): TypeScript type definition in optionalDependencies; phantom dep not imported at runtime. Normal pattern for TS packages of this era. | ai | |
| dependencies | unvetted-dep:typed-graphql | AI (dependencies): Optional GraphQL type dependency declared but not directly imported; referenced in config files only. No runtime risk. | ai | |
| dependencies | unvetted-dep:@types/promises-a-plus | AI (dependencies): TypeScript type definition in optionalDependencies; phantom dep not imported at runtime. Normal pattern for TS packages of this era. | ai | |
| phantom-deps | phantom-dep:@types/chai | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:@types/sinon | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| phantom-deps | phantom-dep:typed-graphql | AI (phantom-deps): Optional GraphQL type dependency referenced in config files only; not a runtime import. | ai | |
| phantom-deps | phantom-dep:@types/promises-a-plus | AI (phantom-deps): Framework-scoped TypeScript type definition; not imported at runtime by design. | ai | |
| dependencies | unvetted-dep:apollo-link-core | AI (dependencies): Part of Apollo's own ecosystem; architectural dependency for this major version. | ai | |
| dependencies | unvetted-dep:apollo-cache-core | AI (dependencies): Part of Apollo's own ecosystem; architectural dependency for this major version. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Alpha release with major refactoring; 33 new files are consistent with feature development, not injection. | ai | |
| provenance | missing-githead | AI (provenance): gitHead loss reflects tooling changes over 10+ years; not indicative of compromise for established package. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size reduction is consistent with moving from source to compiled distribution; normal for library evolution. | ai | |
| dependencies | unvetted-dep:@types/isomorphic-fetch | AI (dependencies): Optional TypeScript type definition package, phantom dep not directly imported. Benign for a TypeScript GraphQL client; stable across versions. | ai | |
| dependencies | unvetted-dep:@types/graphql | AI (dependencies): Optional TypeScript type definition package, phantom dep not directly imported. Benign for a TypeScript GraphQL client; stable across versions. | ai | |
| dependencies | unvetted-dep:lodash.has | AI (dependencies): lodash.has is a standard utility module; granular lodash dependency is normal refactoring. | ai | |
| dependencies | unvetted-dep:redux | AI (dependencies): redux is a core dependency of apollo-client; widely-used and legitimate for this package. | ai | |
| dependencies | unvetted-dep:lodash.isobject | AI (dependencies): lodash.isobject is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:lodash.isundefined | AI (dependencies): lodash.isundefined is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:lodash.isarray | AI (dependencies): lodash.isarray is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:lodash.isnull | AI (dependencies): lodash.isnull is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:lodash.forown | AI (dependencies): lodash.forown is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:lodash.assign | AI (dependencies): lodash.assign is a standard utility; granular lodash dependencies are a common refactoring pattern. | ai | |
| dependencies | unvetted-dep:es6-promise | AI (dependencies): es6-promise is a standard polyfill dependency; legitimate for this package. | ai | |
| dependencies | unvetted-dep:apollo-link-dedup | AI (dependencies): Core Apollo ecosystem package; intentional architectural dependency for this version. | ai | |
| dependencies | unvetted-dep:apollo-cache | AI (dependencies): Core Apollo ecosystem package; intentional architectural dependency for this version. | ai | |
| dependencies | unvetted-dep:@types/async | AI (dependencies): @types/async is a TypeScript type definition package used as an optional dependency; no security risk. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): Observable implementation; intentional architectural dependency for this version. | ai | |
| dependencies | unvetted-dep:apollo-link | AI (dependencies): Core Apollo ecosystem package; intentional architectural dependency for this version. | ai | |
| dependencies | unvetted-dep:graphql-anywhere | AI (dependencies): graphql-anywhere is a core GraphQL utility; appropriate for this package. | ai | |
| dependencies | unvetted-dep:apollo-utilities | AI (dependencies): Core Apollo ecosystem package; intentional architectural dependency for this version. | ai | |
| phantom-deps | phantom-dep:zen-observable | AI (phantom-deps): zen-observable is properly declared and referenced in config; phantom status is acceptable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance standard (2017); historical artifact not indicative of compromise. | ai | |
| phantom-deps | phantom-dep:@types/zen-observable | AI (phantom-deps): Framework-scoped type package loaded by convention; phantom status is acceptable for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Expected maintainer rotation in established project; no takeover indicators. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are all established utility libraries (lodash modules, whatwg-fetch, symbol-observable); appropriate for GraphQL client evolution. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Legitimate Apollo GraphQL project team expansion; consistent with organizational growth. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition within Apollo GraphQL project; no compromise indicators. | ai | |
| email-domain | unclaimed-email:stubailo.com | AI (email-domain): Established maintainer with long history; unclaimed domain is low-probability risk for this package. | ai | |
| phantom-deps | phantom-dep:@types/graphql | AI (phantom-deps): @types/* packages are TypeScript type definitions in optionalDependencies; not directly imported in JS code is expected behavior. | ai | |
| phantom-deps | phantom-dep:@types/async | AI (phantom-deps): @types/* packages are TypeScript type definitions in optionalDependencies; not directly imported in JS code is expected behavior. | ai | |
| semgrep | semgrep:toplevel-fetch | AI (semgrep): fetch() calls are legitimate HTTP requests for GraphQL queries; core client functionality, not exfiltration. | ai | |
| phantom-deps | phantom-dep:@types/isomorphic-fetch | AI (phantom-deps): @types/* packages are TypeScript type definitions in optionalDependencies; not directly imported in JS code is expected behavior. | ai | |
Versions (showing 100 of 140)
| Version | Deps | Published |
|---|---|---|
| 2.0.1 | 6 / 27 | |
| 2.0.0 | 6 / 27 | |
| 1.9.3 | 8 / 46 | |
| 1.9.2 | 8 / 46 | |
| 1.9.1 | 8 / 45 | |
| 1.9.0 | 9 / 45 | |
| 1.8.1 | 9 / 38 | |
| 1.8.0 | 9 / 38 | |
| 1.7.0 | 9 / 38 | |
| 1.6.1 | 9 / 38 | |
| 1.6.0 | 9 / 38 | |
| 1.5.0 | 9 / 38 | |
| 1.4.2 | 9 / 38 | |
| 1.4.1 | 9 / 38 | |
| 1.4.0 | 9 / 38 | |
| 1.3.0 | 9 / 37 | |
| 1.2.2 | 9 / 37 | |
| 1.2.1 | 9 / 37 | |
| 1.2.0 | 9 / 37 | |
| 1.1.2 | 9 / 37 | |
| 1.1.1 | 9 / 37 | |
| 1.1.0 | 9 / 37 | |
| 1.0.4 | 9 / 37 | |
| 1.0.3 | 9 / 37 | |
| 1.0.2 | 9 / 37 | |
| 1.0.1 | 9 / 37 | |
| 1.0.0 | 9 / 37 | |
| 0.10.1 | 8 / 36 | |
| 0.10.0 | 8 / 36 | |
| 0.9.0 | 8 / 36 | |
| 0.8.7 | 8 / 36 | |
| 0.8.6 | 8 / 36 | |
| 0.8.5 | 8 / 36 | |
| 0.8.4 | 8 / 36 | |
| 0.8.3 | 8 / 36 | |
| 0.8.2 | 8 / 34 | |
| 0.8.1 | 8 / 34 | |
| 0.8.0 | 8 / 34 | |
| 0.7.3 | 8 / 34 | |
| 0.7.2 | 8 / 34 | |
| 0.6.0 | 15 / 27 | |
| 0.5.26 | 15 / 27 | |
| 0.5.25 | 15 / 27 | |
| 0.5.24 | 15 / 27 | |
| 0.5.23 | 15 / 27 | |
| 0.5.22 | 15 / 26 | |
| 0.5.21 | 15 / 25 | |
| 0.5.20 | 15 / 25 | |
| 0.5.19 | 15 / 25 | |
| 0.5.18 | 15 / 25 | |
| 0.5.17 | 15 / 25 | |
| 0.5.16 | 15 / 25 | |
| 0.5.15 | 15 / 25 | |
| 0.5.14 | 15 / 25 | |
| 0.5.13 | 15 / 25 | |
| 0.5.12 | 15 / 25 | |
| 0.5.11 | 33 / 25 | |
| 0.5.10 | 31 / 27 | |
| 0.5.9 | 31 / 27 | |
| 0.5.8 | 31 / 27 | |
| 0.5.7 | 31 / 27 | |
| 0.5.6 | 31 / 27 | |
| 0.5.5 | 31 / 27 | |
| 0.5.4 | 30 / 27 | |
| 0.5.3 | 30 / 27 | |
| 0.5.2 | 30 / 27 | |
| 0.5.1 | 30 / 27 | |
| 0.5.0 | 31 / 28 | |
| 0.4.22 | 24 / 39 | |
| 0.4.21 | 24 / 39 | |
| 0.4.20 | 24 / 39 | |
| 0.4.19 | 24 / 39 | |
| 0.4.18 | 24 / 39 | |
| 0.4.17 | 24 / 29 | |
| 0.4.16 | 25 / 39 | |
| 0.4.15 | 24 / 29 | |
| 0.4.14 | 24 / 29 | |
| 0.4.13 | 24 / 29 | |
| 0.4.12 | 24 / 29 | |
| 0.4.11 | 24 / 29 | |
| 0.4.10 | 24 / 29 | |
| 0.4.9 | 24 / 29 | |
| 0.4.8 | 24 / 29 | |
| 0.4.7 | 24 / 29 | |
| 0.4.6 | 23 / 29 | |
| 0.4.5 | 23 / 29 | |
| 0.4.4 | 23 / 29 | |
| 0.4.3 | 23 / 29 | |
| 0.4.2 | 23 / 29 | |
| 0.4.1 | 23 / 29 | |
| 0.4.0 | 21 / 29 | |
| 0.3.30 | 21 / 29 | |
| 0.3.29 | 21 / 29 | |
| 0.3.28 | 21 / 29 | |
| 0.3.27 | 21 / 29 | |
| 0.3.26 | 22 / 28 | |
| 0.3.25 | 22 / 28 | |
| 0.3.24 | 21 / 28 | |
| 0.3.23 | 21 / 28 | |
| 0.3.22 | 21 / 28 | |
v0.6.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.26
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.25
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-12-24. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.24
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-12-21. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.23
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-12-18. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.22
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-12-17. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.21
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.20
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.19
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-12-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.18
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.17
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.16
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.15
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-12-09. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.14
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-12-09. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.22
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-10-20. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.21
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-10-14. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.20
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.19
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: helfer.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-09-21. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.18
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: helfer.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-09-20. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.17
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.16
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.15
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.14
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.13
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.12
3 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: helfer.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-08-19. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.11
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.10
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.9
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.8
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.7
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.6
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: sashko.
v0.4.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.30
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.29
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.28
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.27
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.26
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.25
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.24
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.23
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.22
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.