graphql-language-service-server
Server process backing the GraphQL Language Service
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI publishing with SLSA attestation is expected for the graphql/graphiql monorepo. | ai | |
| phantom-deps | phantom-dep:@astrojs/compiler | AI (phantom-deps): Package explicitly documents that deps may not be directly imported; @astrojs/compiler is a conditional/optional language support dep for .astro file handling in the LSP server. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Addition of @vue/compiler-sfc is consistent with the package's documented Vue SFC support; part of the official graphql/graphiql monorepo. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): The flagged code is URI string matching logic (checking for 'package.json' in a path), not dynamic module loading. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:node-abort-controller | AI (dependencies): node-abort-controller is a legitimate AbortController polyfill for Node.js, appropriate for a GraphQL language server. Not a security concern. | ai | |
| provenance | no-provenance | AI (provenance): Established graphql/graphiql monorepo package with strong publisher track record; lack of provenance attestation is not a disqualifier here. | ai | |
| phantom-deps | phantom-dep:node-fetch | AI (phantom-deps): node-fetch is a declared runtime dependency used indirectly via graphql-config; not a security concern for this package. | ai | |
| phantom-deps | phantom-dep:svelte | AI (phantom-deps): Svelte is an optional language support dependency for the LSP server; intentionally included per package.json comment. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): TypeScript is an optional language support dependency for the LSP server; intentionally included per package.json comment. | ai | |
| phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): Package explicitly documents that deps are not always directly imported; mkdirp is an intentional runtime dependency for directory creation. | ai | |
| phantom-deps | phantom-dep:node-abort-controller | AI (phantom-deps): node-abort-controller is an intentional runtime polyfill dependency per package.json comment about indirect dependencies. | ai | |
| phantom-deps | phantom-dep:cosmiconfig-toml-loader | AI (phantom-deps): cosmiconfig-toml-loader is an intentional config loader plugin dependency per package.json comment about indirect dependencies. | ai | |
| bogus-package | bogus-package | AI (bogus-package): The spam-flagged maintainers (fb, leebyron) are contributors listed in package.json, not publishers. Lee Byron is the GraphQL co-creator; this is a false positive for this legitimate package. | ai | |
Versions (showing 58 of 158)
| Version | Deps | Published |
|---|---|---|
| 2.1.0 | 10 / 0 | |
| 2.0.0 | 10 / 1 | |
| 1.3.2 | 10 / 1 | |
| 1.2.2 | 10 / 1 | |
| 1.2.0 | 10 / 1 | |
| 1.1.2 | 10 / 1 | |
| 1.1.1 | 10 / 1 | |
| 1.1.0 | 10 / 1 | |
| 1.0.18 | 9 / 1 | |
| 1.0.16 | 9 / 1 | |
| 1.0.15 | 9 / 1 | |
| 0.1.14 | 9 / 1 | |
| 0.1.13 | 10 / 1 | |
| 0.1.12 | 10 / 1 | |
| 0.1.11 | 10 / 1 | |
| 0.1.10 | 10 / 1 | |
| 0.1.9 | 10 / 1 | |
| 0.1.8 | 10 / 1 | |
| 0.1.7 | 10 / 0 | |
| 0.1.6 | 10 / 0 | |
| 0.1.5 | 10 / 0 | |
| 0.0.37 | 9 / 0 | |
| 0.0.36 | 9 / 0 | |
| 0.0.35 | 9 / 0 | |
| 0.0.34 | 9 / 0 | |
| 0.0.33 | 9 / 0 | |
| 0.0.32 | 9 / 0 | |
| 0.0.31 | 9 / 0 | |
| 0.0.30 | 9 / 0 | |
| 0.0.29 | 9 / 0 | |
| 0.0.28 | 9 / 0 | |
| 0.0.27 | 9 / 0 | |
| 0.0.26 | 9 / 0 | |
| 0.0.25 | 9 / 0 | |
| 0.0.24 | 9 / 0 | |
| 0.0.23 | 9 / 0 | |
| 0.0.22 | 9 / 0 | |
| 0.0.21 | 9 / 0 | |
| 0.0.20 | 9 / 0 | |
| 0.0.19 | 9 / 0 | |
| 0.0.18 | 9 / 0 | |
| 0.0.17 | 9 / 0 | |
| 0.0.16 | 9 / 0 | |
| 0.0.15 | 9 / 0 | |
| 0.0.14 | 9 / 0 | |
| 0.0.13 | 9 / 0 | |
| 0.0.12 | 9 / 0 | |
| 0.0.11 | 9 / 0 | |
| 0.0.10 | 8 / 0 | |
| 0.0.9 | 8 / 0 | |
| 0.0.8 | 8 / 0 | |
| 0.0.7 | 8 / 0 | |
| 0.0.6 | 8 / 0 | |
| 0.0.5 | 8 / 0 | |
| 0.0.4 | 8 / 0 | |
| 0.0.3 | 8 / 0 | |
| 0.0.2 | 7 / 33 | |
| 0.0.1 | 2 / 33 | |
v2.1.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.18
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.16
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.15
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.