apollo-engine-reporting-protobuf

Protobuf format for Apollo Engine

Versions: 16
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

apollo-bot

Keywords

GraphQL, Apollo, Engine, Server, Javascript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Publisher change from mdg to apollo-bot is a known legitimate organizational transition (Apollo rebranding from MDG), not an account compromise. | ai |
maintainer-change | maintainer-takeover | AI (maintainer-change): mdg→apollo-bot transition reflects Apollo's 2018 org rebranding from Meteor Development Group. apollo-bot is the official Apollo GraphQL publishing account with a strong track record (2460 approved packages). | ai |
maintainer-change | maintainer-added | AI (maintainer-change): apollo-bot is the official Apollo GraphQL automation account; addition is part of the documented org rebranding. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): mdg removal is consistent with Apollo's rebranding away from the Meteor Development Group namespace; not indicative of a hostile takeover. | ai |
npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is a legitimate bootstrapped version from the trusted mdg/Apollo publisher in a monorepo setup; not indicative of malicious intent. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): Dependency change is a swap from @apollo/protobufjs to upstream protobufjs, a benign maintenance change for this Apollo protobuf package. | ai |
dependencies | unvetted-dep:protobufjs | AI (dependencies): protobufjs is a well-known, widely used protobuf library; its use as a dependency in this Apollo protobuf package is expected and legitimate. | ai |

Versions (showing 16 of 16)

Version | Deps | Published
0.5.2 | 1 / 0 |
0.5.1 | 1 / 0 |
0.5.0 | 1 / 0 |
0.4.4 | 1 / 0 |
0.4.3 | 1 / 0 |
0.4.2 | 1 / 0 |
0.4.1 | 1 / 0 |
0.4.0 | 1 / 0 |
0.3.1 | 1 / 0 |
0.3.0 | 1 / 0 |
0.2.1 | 1 / 0 |
0.2.0 | 1 / 0 |
0.1.1 | 1 / 0 |
0.1.0 | 1 / 0 |
0.0.1 | 1 / 0 |
0.0.0 | 1 / 0 |

v0.5.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

3 findings
HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (mdg) were replaced by new maintainers (apollo-bot). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: mdg → apollo-bot (on 2018-11-07) provenance

This version was published by a different npm account than previous versions on 2018-11-07. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.