graphql-tag
A JavaScript template literal tag that parses GraphQL queries
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:stubailo.com | AI (email-domain): stubailo.com is Sashko Stubailo's personal domain (known Apollo/Meteor dev); expired DNS is a hygiene issue, not an active threat to this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Reflects Apollo org's maintainer consolidation; package remains under apollographql org control. | ai | |
| source-diff | net-exec-file:lib/tests.cjs.js | AI (source-diff): Compiled test file using Function() to test webpack loader output evaluation; no actual network calls or malicious code. | ai | |
| source-diff | net-exec-file:src/tests.ts | AI (source-diff): TypeScript test source using Function() to validate webpack loader; standard test pattern, not malicious. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Apollo team reorganization; abernix is a known Apollo maintainer. Publisher apollo-bot is highly trusted. | ai | |
| provenance | publisher-changed | AI (provenance): abernix (Ben Newman) is a known Apollo team member; transition from jnwng is a legitimate team handoff. | ai | |
| provenance | no-provenance | AI (provenance): Sigstore provenance did not exist when this version was published (2019). | ai | |
| bogus-package | bogus-package | AI (bogus-package): False positive on a canonical Apollo ecosystem package with 11.9M weekly downloads. | ai | |
| provenance | missing-githead | AI (provenance): Local publish without gitHead was standard practice in 2019; no security implication for this established package. | ai |
Versions (showing 63 of 63)
| Version | Deps | Published |
|---|---|---|
| 2.12.6 | 1 / 12 | |
| 2.12.5 | 1 / 12 | |
| 2.12.4 | 1 / 12 | |
| 2.12.3 | 1 / 12 | |
| 2.12.2 | 1 / 12 | |
| 2.12.1 | 1 / 12 | |
| 2.12.0 | 1 / 12 | |
| 2.11.0 | 0 / 7 | |
| 2.10.4 | 0 / 7 | |
| 2.10.3 | 0 / 7 | |
| 2.10.2 | 0 / 7 | |
| 2.10.1 | 0 / 7 | |
| 2.10.0 | 0 / 7 | |
| 2.9.2 | 0 / 7 | |
| 2.9.1 | 0 / 7 | |
| 2.9.0 | 0 / 7 | |
| 2.8.0 | 0 / 7 | |
| 2.7.3 | 0 / 6 | |
| 2.7.1 | 0 / 6 | |
| 2.7.0 | 1 / 6 | |
| 2.6.1 | 0 / 6 | |
| 2.6.0 | 0 / 6 | |
| 2.5.0 | 0 / 6 | |
| 2.4.2 | 0 / 6 | |
| 2.4.1 | 0 / 6 | |
| 2.4.0 | 0 / 6 | |
| 2.3.0 | 0 / 6 | |
| 2.2.2 | 0 / 6 | |
| 2.2.1 | 0 / 6 | |
| 2.2.0 | 0 / 6 | |
| 2.1.0 | 0 / 6 | |
| 2.0.0 | 0 / 6 | |
| 1.3.2 | 0 / 6 | |
| 1.3.1 | 0 / 6 | |
| 1.3.0 | 0 / 6 | |
| 1.2.4 | 0 / 6 | |
| 1.2.3 | 0 / 6 | |
| 1.2.2 | 0 / 6 | |
| 1.2.1 | 0 / 6 | |
| 1.2.0 | 0 / 6 | |
| 1.1.3 | 0 / 6 | |
| 1.1.2 | 0 / 6 | |
| 1.1.1 | 0 / 6 | |
| 1.1.0 | 0 / 6 | |
| 1.0.0 | 0 / 6 | |
| 0.1.17 | 0 / 6 | |
| 0.1.16 | 0 / 6 | |
| 0.1.15 | 0 / 6 | |
| 0.1.14 | 0 / 6 | |
| 0.1.13 | 0 / 7 | |
| 0.1.12 | 0 / 7 | |
| 0.1.11 | 0 / 7 | |
| 0.1.10 | 0 / 7 | |
| 0.1.9 | 0 / 7 | |
| 0.1.8 | 0 / 7 | |
| 0.1.7 | 1 / 5 | |
| 0.1.6 | 1 / 5 | |
| 0.1.5 | 1 / 5 | |
| 0.1.4 | 1 / 5 | |
| 0.1.3 | 1 / 5 | |
| 0.1.2 | 1 / 4 | |
| 0.1.1 | 1 / 4 | |
| 0.1.0 | 1 / 2 |
v2.12.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.0
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-02-04. This could indicate a legitimate maintainer transition or an account compromise.
v2.10.1
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: abernix.
This version was published by a different npm account than previous versions on 2019-01-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.1
2 findingsMaintainer email '[email protected]' uses domain 'stubailo.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.9.0
2 findingsMaintainer email '[email protected]' uses domain 'stubailo.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-03-27. This could indicate a legitimate maintainer transition or an account compromise.
v1.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-02-01. This could indicate a legitimate maintainer transition or an account compromise.
v1.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-01-05. This could indicate a legitimate maintainer transition or an account compromise.
v1.1.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-01-06. This could indicate a legitimate maintainer transition or an account compromise.
v1.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.