apollo-language-server — Greenflagged

A language server for Apollo GraphQL projects

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

apollo-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require() is used to read package.json files discovered in the workspace to check for apollo config keys — a standard monorepo tooling pattern, not arbitrary code loading.	ai	2026/04/24
phantom-deps	phantom-dep:core-js	AI (phantom-deps): core-js is a known implicit runtime polyfill dependency; properly declared for Node.js compatibility.	ai	2026/04/24
phantom-deps	phantom-dep:minimist	AI (phantom-deps): minimist is a CLI/build tool dependency referenced in configuration; properly declared in dependencies.	ai	2026/04/24
phantom-deps	phantom-dep:ws	AI (phantom-deps): ws is a legitimate WebSocket dependency used transitively by apollo-link-ws; properly declared in dependencies.	ai	2026/04/24
phantom-deps	phantom-dep:recursive-readdir	AI (phantom-deps): recursive-readdir is a build/config tool dependency; properly declared in dependencies.	ai	2026/04/24
phantom-deps	phantom-dep:subscriptions-transport-ws	AI (phantom-deps): subscriptions-transport-ws is a GraphQL subscription transport dependency; properly declared in dependencies.	ai	2026/04/24
phantom-deps	phantom-dep:apollo-link-ws	AI (phantom-deps): apollo-link-ws is a transitive WebSocket transport dependency for GraphQL subscriptions; properly declared.	ai	2026/04/24

Versions (showing 6 of 106)

Version	Deps	Published
1.0.6	27 / 0	2018-11-08
1.0.4	27 / 0	2018-11-08
1.0.3	27 / 0	2018-11-08
1.0.2	27 / 0	2018-11-07
1.0.1	26 / 0	2018-11-07
1.0.0	26 / 0	2018-11-07