apollo-link
Flexible, lightweight transport layer for GraphQL
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Sparse README and missing keywords reflect early-stage release quality, not spam/malicious intent. Package has 30 approved inbound deps and 3218-day history. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is the legitimate first published version of apollo-link by its documented author Evans Hauser; not a malicious throwaway package. | ai | |
| phantom-deps | phantom-dep:@types/zen-observable | AI (phantom-deps): TypeScript @types packages are framework-scoped and loaded by convention, not direct imports. Stable false positive for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (tslib, ts-invariant, zen-observable-ts) are well-known Apollo/TypeScript ecosystem packages replacing zen-observable in a standard refactor. No malicious signal. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): apollo-bot and peggyrayzis are known Apollo org accounts; addition reflects legitimate organizational transition from MDG to Apollo. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): mdg removal is consistent with Apollo's spin-out from Meteor Development Group; not a takeover signal. | ai | |
| dependencies | unvetted-dep:zen-observable-ts | AI (dependencies): zen-observable-ts is Apollo's own TypeScript wrapper for zen-observable, a legitimate dependency replacement in the Apollo ecosystem. | ai | |
| provenance | publisher-changed | AI (provenance): apollo-bot is Apollo's official automation account; the transition from jbaxleyiii to apollo-bot is a documented organizational change for the apollographql ecosystem. | ai | |
| dependencies | unvetted-dep:zen-observable | AI (dependencies): zen-observable is a well-known, widely-used observable library and a natural dependency for a GraphQL transport layer. Not a risk for this package. | ai | |
| provenance | no-provenance | AI (provenance): apollo-link is a mature 8+ year old package published before Sigstore provenance was available; absence is expected and not a risk signal. | ai |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 1.2.14 | 4 / 11 | |
| 1.2.13 | 4 / 11 | |
| 1.2.12 | 4 / 11 | |
| 1.2.11 | 4 / 11 | |
| 1.2.10 | 4 / 11 | |
| 1.2.9 | 4 / 11 | |
| 1.2.8 | 1 / 13 | |
| 1.2.7 | 1 / 13 | |
| 1.2.6 | 2 / 13 | |
| 1.2.5 | 2 / 13 | |
| 1.2.4 | 2 / 13 | |
| 1.2.3 | 2 / 13 | |
| 1.2.2 | 3 / 12 | |
| 1.2.1 | 3 / 12 | |
| 1.0.3 | 3 / 12 | |
| 0.7.0 | 3 / 11 | |
| 0.5.4 | 9 / 18 | |
| 0.5.2 | 9 / 19 | |
| 0.5.0 | 9 / 18 | |
| 0.4.1 | 7 / 18 | |
| 0.4.0 | 7 / 18 | |
| 0.3.1 | 7 / 17 | |
| 0.3.0 | 6 / 17 | |
| 0.2.0 | 5 / 16 | |
| 0.1.1 | 5 / 16 | |
| 0.1.0 | 5 / 16 | |
| 0.0.0 | 0 / 16 |
v1.2.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.9
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-03-05. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.8
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-02-01. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.7
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-02-01. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.6
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-12-15. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.5
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-12-13. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-11-21. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-09-15. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-02-23. This could indicate a legitimate maintainer transition or an account compromise.
v1.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-09-07. This could indicate a legitimate maintainer transition or an account compromise.
v0.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.