apollo-utilities
Utilities for working with GraphQL ASTs
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): apollo-bot is the Apollo organization's official publishing bot; this transition is expected and documented across the apollographql ecosystem. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): mdg (Meteor Development Group) removal is part of the known Apollo org transition to apollographql; stable organizational change, not a takeover. | ai | |
| provenance | publisher-changed | AI (provenance): The benjamn → apollo-bot transition is a well-documented, legitimate move by the Apollo team to a shared bot account for automated publishing; stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice signal but not a security blocker; apollo-bot's long track record and 448 approved packages provide sufficient trust. | ai | |
| dependencies | unvetted-dep:lodash.isequal | AI (dependencies): lodash.isequal is a well-known, widely-used utility from the lodash ecosystem; its use in apollo-utilities for deep equality checks is legitimate and expected. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): fclone is a legitimate, established deep-clone utility appropriate for GraphQL AST manipulation; not a supply-chain attack vector. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Long dormancy followed by release is expected for stable utility libraries undergoing dependency maintenance, not indicative of account takeover. | ai | |
| dependencies | unvetted-dep:fast-json-stable-stringify | AI (dependencies): Already accepted in prior versions; stable dependency for JSON serialization in GraphQL utilities. | ai |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 1.3.4 | 4 / 0 | |
| 1.3.3 | 4 / 0 | |
| 1.3.2 | 4 / 0 | |
| 1.3.1 | 4 / 1 | |
| 1.3.0 | 3 / 0 | |
| 1.2.1 | 3 / 0 | |
| 1.2.0 | 3 / 0 | |
| 1.1.3 | 2 / 0 | |
| 1.1.2 | 2 / 0 | |
| 1.1.1 | 1 / 0 | |
| 1.1.0 | 1 / 0 | |
| 1.0.27 | 1 / 0 | |
| 1.0.26 | 1 / 0 | |
| 1.0.25 | 1 / 0 | |
| 1.0.24 | 1 / 0 | |
| 1.0.22 | 1 / 0 | |
| 1.0.21 | 2 / 0 | |
| 1.0.20 | 1 / 0 |
v1.3.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-01-17. This could indicate a legitimate maintainer transition or an account compromise.
v1.0.27
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-12-19. This could indicate a legitimate maintainer transition or an account compromise.
v1.0.26
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-11-21. This could indicate a legitimate maintainer transition or an account compromise.
v1.0.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.24
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.20
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.