graphql-toolkit
A set of utils for faster development of GraphQL tools
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher changed to dotansimha, who is the original author listed in package.json and repo owner. Strong track record (6355 approved packages). Legitimate maintainer transition, not a takeover. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is guarded by existsSync() check; legitimate for loading user-provided GraphQL schema exports. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is in bump.js (build script), not shipped code; used for git metadata in release automation. | ai | |
| source-diff | large-new-source-files | AI (source-diff): graphql-toolkit is an actively developed utility library; large file additions between minor versions are expected and consistent with legitimate feature growth, not injected code. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are coordinated @graphql-toolkit/* sub-packages from the same publisher/team as part of a monorepo split; all pinned to the same version. Not an attack-vector pattern. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Package was intentionally refactored into a meta-package re-exporting @graphql-toolkit/* sub-packages; small source size is expected and stable for this package going forward. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): ardatan, kamilkisiela, and urigo are known The Guild team members; legitimate team addition for the graphql-toolkit project. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): [email protected] is a stable, widely-used HTTP library with no known active exploits in this version. | ai | |
| provenance | no-provenance | AI (provenance): Package predates npm provenance attestation by years; absence is expected and not a security signal for this established package. | ai | |
| phantom-deps | phantom-dep:@types/glob | AI (phantom-deps): @types/glob is a TypeScript type definition loaded by convention; not directly imported but legitimately used. | ai | |
| phantom-deps | phantom-dep:asyncro | AI (phantom-deps): asyncro is declared as a runtime dep and referenced in config; phantom detection is a false positive for this package's build setup. | ai | |
Versions (showing 42 of 42)
| Version | Deps | Published |
|---|---|---|
| 0.7.2 | 8 / 5 | |
| 0.7.1 | 8 / 5 | |
| 0.7.0 | 8 / 5 | |
| 0.6.8 | 8 / 5 | |
| 0.6.7 | 8 / 5 | |
| 0.6.6 | 8 / 5 | |
| 0.6.5 | 8 / 5 | |
| 0.6.4 | 8 / 5 | |
| 0.6.3 | 8 / 5 | |
| 0.6.2 | 8 / 5 | |
| 0.6.0 | 8 / 5 | |
| 0.5.18 | 13 / 17 | |
| 0.5.17 | 13 / 17 | |
| 0.5.16 | 13 / 17 | |
| 0.5.15 | 13 / 18 | |
| 0.5.14 | 13 / 18 | |
| 0.5.13 | 13 / 18 | |
| 0.5.12 | 13 / 18 | |
| 0.5.11 | 13 / 18 | |
| 0.5.10 | 13 / 18 | |
| 0.5.9 | 13 / 18 | |
| 0.5.8 | 13 / 18 | |
| 0.5.7 | 13 / 18 | |
| 0.5.6 | 13 / 18 | |
| 0.5.5 | 13 / 18 | |
| 0.5.4 | 13 / 17 | |
| 0.5.3 | 13 / 17 | |
| 0.5.2 | 13 / 17 | |
| 0.5.1 | 13 / 17 | |
| 0.5.0 | 13 / 17 | |
| 0.4.2 | 13 / 17 | |
| 0.4.1 | 13 / 17 | |
| 0.4.0 | 13 / 16 | |
| 0.3.5 | 13 / 15 | |
| 0.2.10 | 13 / 16 | |
| 0.2.5 | 11 / 17 | |
| 0.2.2 | 11 / 17 | |
| 0.0.5 | 9 / 16 | |
| 0.0.4 | 8 / 15 | |
| 0.0.3 | 8 / 15 | |
| 0.0.2 | 8 / 15 | |
| 0.0.1 | 8 / 15 | |
v0.7.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
2 findings: This version was published by a different npm account than previous versions on 2019-10-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
2 findings: This version was published by a different npm account than previous versions on 2019-10-24. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.17
2 findings: This version was published by a different npm account than previous versions on 2019-10-15. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.15
2 findings: This version was published by a different npm account than previous versions on 2019-09-22. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.9
2 findings: This version was published by a different npm account than previous versions on 2019-08-16. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.8
2 findings: This version was published by a different npm account than previous versions on 2019-08-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.7
2 findings: This version was published by a different npm account than previous versions on 2019-08-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.6
2 findings: This version was published by a different npm account than previous versions on 2019-08-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.5
2 findings: This version was published by a different npm account than previous versions on 2019-08-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.4
2 findings: This version was published by a different npm account than previous versions on 2019-08-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
2 findings: This version was published by a different npm account than previous versions on 2019-08-06. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
2 findings: This version was published by a different npm account than previous versions on 2019-08-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
2 findings: This version was published by a different npm account than previous versions on 2019-07-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
2 findings: This version was published by a different npm account than previous versions on 2019-07-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.10
2 findings: This version was published by a different npm account than previous versions on 2019-05-16. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.