graphql-config — Greenflagged

The easiest way to configure your development environment with your GraphQL schema (supported by most tools, editors & IDEs)

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

urigodotansimhakamilkisielaardatantheguild-bot

Keywords

graphqlconfigrelayapollo

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Legitimate transition from kamilkisiela to dotansimha; both are Guild members co-maintaining graphql-config and @graphql-tools.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): theguild-bot is The Guild's automation account; graphql-config is a The Guild-maintained package. Bot maintainer additions are routine for this org and not a risk signal.	ai	2026/04/24
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): All raw IP references are localhost (127.0.0.1) addresses used in test fixtures to simulate endpoints — not production network calls or exfiltration. Stable false positive for this package.	ai	2026/04/23
publish-pattern	rapid-publish	AI (publish-pattern): theguild-bot regularly promotes alpha/pre-release versions to stable in rapid succession; this is an established CI/CD release pattern for The Guild packages, not a malicious signal.	ai	2026/04/23
dependencies	unvetted-dep:jiti	AI (dependencies): jiti is a well-known ESM/TS loader from the UnJS ecosystem, appropriate for config file loading in graphql-config. Stable dependency choice.	ai	2026/04/23

Versions (showing 77 of 77)

Hide prereleases

Version	Deps	Published
5.1.6	11 / 0	2026-03-06
5.1.5	11 / 0	2025-04-28
5.1.4	11 / 0	2025-04-14
5.1.3	11 / 0	2024-10-09
5.1.2	11 / 0	2024-08-19
5.1.1	11 / 0	2024-08-19
5.0.3	11 / 0	2023-10-08
5.0.2	11 / 0	2023-06-01
5.0.1	11 / 0	2023-05-22
5.0.0	11 / 0	2023-05-22
4.5.0	11 / 0	2023-03-06
4.4.1	10 / 0	2023-02-01
4.4.0	10 / 0	2022-12-26
4.3.6	13 / 0	2022-10-06
4.3.5	13 / 0	2022-08-26
4.3.4	13 / 0	2022-08-26
4.3.3	12 / 0	2022-07-29
4.3.2	12 / 0	2022-07-27
4.3.1	11 / 0	2022-05-24
4.3.0	11 / 0	2022-04-05
4.2.0	11 / 0	2022-03-29
4.1.0	11 / 0	2021-10-31
4.0.2	11 / 0	2021-10-13
4.0.1	11 / 0	2021-08-03
4.0.0	11 / 0	2021-08-03
3.4.1	11 / 0	2021-08-03
3.4.0	11 / 0	2021-07-29
3.3.0	11 / 0	2021-05-19
3.2.0	12 / 0	2020-11-17
3.1.0	12 / 0	2020-11-04
3.0.3	10 / 0	2020-06-30
3.0.2	9 / 0	2020-05-12
3.0.1	9 / 0	2020-04-29
3.0.0	9 / 0	2020-04-14
2.2.2	5 / 0	2020-03-25
2.2.1	5 / 10	2018-09-17
2.2.0	5 / 10	2018-09-12
2.1.1	5 / 10	2018-09-12
2.1.0	5 / 10	2018-07-25
2.0.1	5 / 10	2018-02-24
2.0.0	5 / 10	2018-02-14
1.2.1	6 / 9	2018-01-30
1.2.0	5 / 12	2018-01-29
1.1.7	5 / 12	2018-01-13
1.1.6	5 / 12	2018-01-12
1.1.5	6 / 11	2018-01-05
1.1.4	6 / 12	2017-12-29
1.1.3	6 / 11	2017-12-28
1.1.2	6 / 11	2017-12-27
1.1.1	6 / 11	2017-12-19
1.1.0	6 / 11	2017-12-08
1.0.9	5 / 11	2017-12-04
1.0.8	5 / 11	2017-11-21
1.0.7	5 / 11	2017-10-02
1.0.6	5 / 11	2017-09-29
1.0.5	5 / 11	2017-08-19
1.0.4	5 / 11	2017-08-14
1.0.2	5 / 11	2017-08-10
1.0.1	5 / 11	2017-08-07
1.0.0	5 / 11	2017-07-28
5.1.6-alpha-20260306125431-22d9edbbadf01896b52c90775885bcb3dec3c30f	11 / 0	2026-03-06
5.1.6-alpha-20260305155635-d92537da6681957426215082094f9e960e790514	11 / 0	2026-03-05
5.1.6-alpha-20260304150721-68bb3ddd27f8611db81e8b8bce30a9cd8200e8df	11 / 0	2026-03-04
5.1.6-alpha-20260227005535-9217bc4fc09cff8489b08a5bbaebc0744a5c6c45	11 / 0	2026-02-27
5.1.6-alpha-20260227005523-ffa35e3d59cb2fbf5279d9a4342631e36c603c40	11 / 0	2026-02-27
5.1.6-alpha-20260227005504-b81cbc76fed88f34098aecdf4277b6a7d1380fd6	11 / 0	2026-02-27
5.1.6-alpha-20260227005454-a85ddcd5a58c2a266752581388a68ef75f318c24	11 / 0	2026-02-27
5.1.6-alpha-20260227005437-488281e77477a9b6681d3a01f711e966612c0e04	11 / 0	2026-02-27
5.1.6-alpha-20260226214139-dd3eeb5ee8fbc95fd49bb5c739da01a10923a140	11 / 0	2026-02-26
5.1.6-alpha-20260226214010-b6066215b604f62fc64ac8fa1463c0a287bb9e21	11 / 0	2026-02-26
5.1.6-alpha-20260226213857-659fe14373e3bd8a101adb316aef3d416598b8e4	11 / 0	2026-02-26
5.1.6-alpha-20260226213839-38541b6c96424abf0b979dda37999a963cd5d795	11 / 0	2026-02-26
5.1.6-alpha-20260226213822-5e67cab5aa573ff2b042814309e0a6c1463aaa30	11 / 0	2026-02-26
5.1.6-alpha-20260226213807-07748399c4c6ac0645a260e26d838ba4cf0a9c86	11 / 0	2026-02-26
5.1.6-alpha-20260226213540-ddf3f152afbded21aadf0f9df0f3fee75866a39f	11 / 0	2026-02-26
5.1.6-alpha-20260226213442-6a1daed924f859204346a4c143c36e25c51942d7	11 / 0	2026-02-26
5.1.5-alpha-20250428151500-ed70c64f344e9665a9ade566f67ebbb6691b605b	11 / 0	2025-04-28

v5.1.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.3

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamilkisiela.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.1.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamilkisiela.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.3

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamilkisiela.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.2

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamilkisiela.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamilkisiela.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.0.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamilkisiela.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.4.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: ardatan → kamilkisiela (on 2022-03-29) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-29. This could indicate a legitimate maintainer transition or an account compromise.

v4.1.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: dotansimha → ardatan (on 2021-10-31) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2021-10-31. This could indicate a legitimate maintainer transition or an account compromise.

v4.0.2

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: dotansimha → kamilkisiela (on 2021-10-13) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2021-10-13. This could indicate a legitimate maintainer transition or an account compromise.

v4.0.1

2 findings

HIGH Publisher changed: kamilkisiela → dotansimha (on 2021-08-03) provenance

This version was published by a different npm account than previous versions on 2021-08-03. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.