codemirror-graphql — Greenflagged

GraphQL mode and helpers for CodeMirror.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

benjiemjmahoneleebyroni1gacaofbwincentkassensortaasiandrummerags-

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Moved to GitHub Actions CI/CD publishing with SLSA provenance; legitimate for graphql/graphiql monorepo.	ai	2026/05/12
publish-pattern	dormant-publish	AI (publish-pattern): Mature stable package in graphiql monorepo; infrequent releases are normal.	ai	2026/05/12
phantom-deps	phantom-dep:@types/codemirror	AI (phantom-deps): Type-only dependency; not directly imported at runtime.	ai	2026/05/12

Versions (showing 100 of 155)

Hide prereleases

Version	Deps	Published
2.2.6	2 / 6	2026-05-15
2.2.5	2 / 6	2026-05-11
2.2.4	2 / 6	2025-07-17
2.2.3	2 / 6	2025-06-24
2.2.2	2 / 6	2025-06-04
2.2.1	2 / 6	2025-04-26
2.2.0	2 / 6	2024-12-14
2.1.1	2 / 6	2024-08-24
2.1.0	2 / 6	2024-08-13
2.0.13	2 / 6	2024-08-01
2.0.12	2 / 6	2024-05-31
2.0.11	2 / 6	2024-04-02
2.0.10	2 / 6	2023-09-17
2.0.9	1 / 6	2023-06-24
2.0.8	1 / 6	2023-05-11
2.0.7	1 / 6	2023-05-08
2.0.6	1 / 6	2023-05-03
2.0.5	1 / 6	2023-03-26
2.0.4	1 / 6	2023-03-02
2.0.3	1 / 6	2023-01-18
2.0.2	1 / 6	2022-10-30
2.0.1	1 / 6	2022-10-28
2.0.0	1 / 6	2022-08-24
1.3.2	1 / 7	2022-06-15
1.3.1	1 / 7	2022-06-09
1.3.0	1 / 7	2022-04-26
1.2.17	2 / 6	2022-04-14
1.2.16	2 / 6	2022-04-11
1.2.15	2 / 6	2022-03-30
1.2.14	2 / 6	2022-03-23
1.2.13	2 / 6	2022-03-11
1.2.12	2 / 6	2022-02-18
1.2.11	2 / 6	2021-12-09
1.2.10	2 / 6	2021-12-07
1.2.9	2 / 6	2021-12-07
1.2.8	2 / 6	2021-12-06
1.2.7	2 / 6	2021-12-06
1.2.6	2 / 6	2021-12-06
1.2.5	2 / 6	2021-12-01
1.2.4	2 / 6	2021-11-26
1.2.3	2 / 6	2021-11-25
1.2.2	2 / 6	2021-11-24
1.2.1	2 / 6	2021-11-24
1.2.0	2 / 6	2021-11-23
1.1.0	2 / 6	2021-11-07
1.0.3	2 / 6	2021-10-29
1.0.2	2 / 6	2021-05-26
1.0.1	2 / 6	2021-04-10
1.0.0	2 / 6	2021-02-12
0.15.2	2 / 10	2021-01-07
0.15.1	2 / 10	2021-01-07
0.15.0	2 / 10	2021-01-07
0.14.0	2 / 10	2021-01-03
0.13.1	2 / 10	2020-12-28
0.13.0	2 / 10	2020-12-08
0.12.4	2 / 10	2020-11-28
0.12.3	2 / 10	2020-10-20
0.12.2	2 / 10	2020-09-18
0.12.1	2 / 10	2020-08-06
0.12.0	2 / 10	2020-06-11
0.11.6	2 / 9	2019-12-09
0.11.5	2 / 9	2019-12-09
0.11.4	2 / 9	2019-12-03
0.11.3	2 / 8	2019-11-26
0.11.2	2 / 7	2019-10-19
0.11.1	2 / 7	2019-10-04
0.9.0	2 / 7	2019-08-18
0.8.3	2 / 35	2018-10-29
0.8.2	2 / 35	2018-10-23
0.7.1	2 / 35	2018-09-15
0.6.12	2 / 35	2017-11-29
0.6.11	2 / 35	2017-07-08
0.6.10	2 / 35	2017-07-05
0.6.9	2 / 35	2017-06-29
0.6.8	2 / 35	2017-06-27
0.6.7	2 / 35	2017-06-27
0.6.6	2 / 34	2017-06-07
0.6.5	2 / 34	2017-06-07
0.6.4	2 / 34	2017-05-04
0.6.3	0 / 34	2017-02-07
0.6.2	0 / 34	2017-01-24
0.6.1	0 / 34	2017-01-19
0.6.0	0 / 34	2017-01-19
0.5.9	0 / 34	2016-12-21
0.5.8	0 / 34	2016-11-11
0.5.7	0 / 12	2016-08-28
0.5.6	0 / 12	2016-08-28
0.5.5	0 / 12	2016-08-28
0.5.4	0 / 12	2016-08-25
0.5.3	0 / 12	2016-08-25
0.5.2	0 / 12	2016-06-24
0.5.1	0 / 12	2016-06-06
0.5.0	0 / 12	2016-04-08
0.3.1	0 / 12	2016-03-24
0.3.0	0 / 12	2016-03-08
0.2.2	0 / 12	2016-02-03
0.2.1	0 / 12	2015-11-11
0.2.0	0 / 12	2015-10-02
0.1.1	0 / 12	2015-09-01
0.1.0	0 / 12	2015-09-01

Showing 100 of 155 Next page →

v2.2.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.5

2 findings

HIGH Publisher changed: acao → GitHub Actions (on 2026-05-11) provenance

This version was published by a different npm account than previous versions on 2026-05-11. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.