graphql-tools
Useful tools to create and manipulate GraphQL schemas.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:request | AI (dependencies): The `request` package is a historically standard HTTP client widely used in the Node.js ecosystem; its presence in a package of this era is expected and benign. | ai | |
| dependencies | unvetted-dep:@graphql-tools/batch-delegate | AI (dependencies): First-party sub-package from the same graphql-tools monorepo, same publisher (ardatan), pinned to the same version. Standard monorepo release pattern, not a supply-chain risk. | ai | |
| dependencies | unvetted-dep:@graphql-tools/module-loader | AI (dependencies): First-party sub-package from the graphql-tools monorepo, same publisher and version. Unvetted status reflects pipeline gap, not genuine risk. | ai | |
| dependencies | unvetted-dep:@graphql-tools/github-loader | AI (dependencies): First-party sub-package from the graphql-tools monorepo, same publisher and version. Unvetted status reflects pipeline gap, not genuine risk. | ai | |
| dependencies | unvetted-dep:@graphql-tools/load-files | AI (dependencies): First-party sub-package from the graphql-tools monorepo, same publisher and version. Unvetted status reflects pipeline gap, not genuine risk. | ai | |
| dependencies | unvetted-dep:@graphql-tools/git-loader | AI (dependencies): First-party sub-package from the graphql-tools monorepo, same publisher and version. Unvetted status reflects pipeline gap, not genuine risk. | ai | |
| dependencies | unvetted-dep:@graphql-tools/links | AI (dependencies): First-party sub-package from the graphql-tools monorepo, same publisher and version. Unvetted status reflects pipeline gap, not genuine risk. | ai | |
| dependencies | unvetted-dep:@graphql-tools/stitch | AI (dependencies): First-party sub-package from the graphql-tools monorepo, same publisher and version. Unvetted status reflects pipeline gap, not genuine risk. | ai | |
| dependencies | unvetted-dep:@graphql-tools/resolvers-composition | AI (dependencies): First-party sub-package from the graphql-tools monorepo, same publisher and version. Unvetted status reflects pipeline gap, not genuine risk. | ai | |
| dependencies | unvetted-dep:casual-browserify | AI (dependencies): casual-browserify is a legitimate fake-data generation library used for mocking in graphql-tools; consistent with the package's purpose and not a security concern. | ai | |
| phantom-deps | phantom-dep:@graphql-tools/json-file-loader | AI (phantom-deps): graphql-tools is an umbrella re-export package; listing sub-packages as deps without direct imports is expected for this monorepo architecture. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @graphql-tools/schema is from the same org; @apollo/client is optional and well-known. Both are expected additions from the graphql-tools monorepo refactor. | ai | |
| phantom-deps | phantom-dep:fs | AI (phantom-deps): fs is a Node.js built-in stub package (0.0.2); phantom-dep finding is a benign artifact of older npm packaging conventions. | ai | |
| dependencies | unvetted-dep:casual | AI (dependencies): casual is a fake data generation library appropriate for GraphQL mocking tools; its use is contextually justified and not a security risk for this package. | ai | |
| phantom-deps | phantom-dep:babel-polyfill | AI (phantom-deps): babel-polyfill is typically loaded globally rather than imported directly; phantom-dep finding is expected and benign for this package. | ai | |
| phantom-deps | phantom-dep:@apollo/client | AI (phantom-deps): @apollo/client is declared as an optional dependency and referenced in config files; not a true phantom dep for this package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard implicit runtime dep for TypeScript-compiled packages; stable false positive for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Apollo maintainers removed as part of the documented handoff to The Guild; not a hostile takeover. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy is an artifact of diffing against v5.0.0 (old Apollo era). The Guild has been actively publishing v9.x; the gap reflects registry sparsity, not true inactivity. | ai | |
| source-diff | source-size-dropped | AI (source-diff): graphql-tools v8+ is intentionally a thin re-export wrapper over @graphql-tools/schema monorepo packages; size drop is architectural, not a stub/malware replacement. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): The Guild (ardatan, dotansimha, kamilkisiela) publicly took over graphql-tools from Apollo; this is a well-known legitimate transfer. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from kamilkisiela to ardatan is within The Guild team; both are trusted maintainers of this package. | ai | |
| dependencies | unvetted-dep:node-fetch | AI (dependencies): node-fetch is a well-known, widely-used npm package; its use in graphql-tools for HTTP transport is expected and benign. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance adoption; absence is expected for packages of this age and does not indicate risk. | ai | |
| dependencies | unvetted-dep:form-data | AI (dependencies): form-data is a well-known, widely-used npm package; its use in graphql-tools for HTTP multipart/upload support is expected and benign. | ai | |
Versions (showing 100 of 176)
| Version | Deps | Published |
|---|---|---|
| 9.0.28 | 2 / 0 | |
| 9.0.27 | 2 / 0 | |
| 9.0.26 | 2 / 0 | |
| 9.0.25 | 2 / 0 | |
| 9.0.24 | 2 / 0 | |
| 9.0.23 | 2 / 0 | |
| 9.0.22 | 2 / 0 | |
| 9.0.21 | 2 / 0 | |
| 9.0.20 | 2 / 0 | |
| 9.0.19 | 2 / 0 | |
| 9.0.18 | 2 / 0 | |
| 9.0.17 | 2 / 0 | |
| 9.0.16 | 2 / 0 | |
| 9.0.15 | 2 / 0 | |
| 9.0.14 | 2 / 0 | |
| 9.0.13 | 2 / 0 | |
| 9.0.12 | 2 / 0 | |
| 9.0.11 | 2 / 0 | |
| 9.0.10 | 2 / 0 | |
| 9.0.9 | 2 / 0 | |
| 9.0.8 | 2 / 0 | |
| 9.0.7 | 2 / 0 | |
| 9.0.6 | 2 / 0 | |
| 9.0.5 | 2 / 0 | |
| 9.0.4 | 2 / 0 | |
| 9.0.3 | 2 / 0 | |
| 9.0.2 | 2 / 0 | |
| 9.0.1 | 2 / 0 | |
| 9.0.0 | 3 / 0 | |
| 8.3.20 | 3 / 0 | |
| 8.3.19 | 3 / 0 | |
| 8.3.18 | 3 / 0 | |
| 8.3.17 | 3 / 0 | |
| 8.3.16 | 3 / 0 | |
| 8.3.15 | 3 / 0 | |
| 8.3.14 | 3 / 0 | |
| 8.3.13 | 3 / 0 | |
| 8.3.12 | 3 / 0 | |
| 8.3.11 | 3 / 0 | |
| 8.3.10 | 3 / 0 | |
| 8.3.9 | 3 / 0 | |
| 8.3.8 | 3 / 0 | |
| 8.3.7 | 3 / 0 | |
| 8.3.6 | 3 / 0 | |
| 8.3.5 | 3 / 0 | |
| 8.3.4 | 3 / 0 | |
| 8.3.3 | 3 / 0 | |
| 8.3.2 | 3 / 0 | |
| 8.3.1 | 3 / 0 | |
| 8.3.0 | 3 / 0 | |
| 8.2.13 | 3 / 0 | |
| 8.2.12 | 3 / 0 | |
| 8.2.11 | 3 / 0 | |
| 8.2.10 | 3 / 0 | |
| 8.2.9 | 3 / 0 | |
| 8.2.8 | 3 / 0 | |
| 8.2.7 | 3 / 0 | |
| 8.2.6 | 3 / 0 | |
| 8.2.5 | 3 / 0 | |
| 8.2.4 | 3 / 0 | |
| 8.2.3 | 3 / 0 | |
| 8.2.2 | 3 / 0 | |
| 8.2.1 | 3 / 0 | |
| 7.0.5 | 26 / 0 | |
| 7.0.4 | 25 / 0 | |
| 7.0.3 | 25 / 0 | |
| 7.0.2 | 25 / 0 | |
| 7.0.1 | 24 / 0 | |
| 7.0.0 | 24 / 0 | |
| 6.2.6 | 23 / 0 | |
| 6.2.5 | 24 / 0 | |
| 6.2.4 | 23 / 0 | |
| 6.2.3 | 23 / 0 | |
| 6.2.2 | 23 / 0 | |
| 6.2.1 | 23 / 0 | |
| 6.2.0 | 22 / 0 | |
| 6.1.0 | 22 / 0 | |
| 6.0.18 | 22 / 0 | |
| 6.0.17 | 22 / 0 | |
| 6.0.16 | 22 / 0 | |
| 6.0.15 | 22 / 0 | |
| 6.0.14 | 22 / 0 | |
| 6.0.13 | 22 / 0 | |
| 6.0.12 | 21 / 0 | |
| 6.0.11 | 21 / 0 | |
| 6.0.10 | 21 / 0 | |
| 6.0.9 | 21 / 0 | |
| 6.0.8 | 21 / 0 | |
| 6.0.7 | 21 / 0 | |
| 6.0.6 | 21 / 0 | |
| 6.0.5 | 21 / 0 | |
| 6.0.4 | 21 / 0 | |
| 6.0.3 | 21 / 0 | |
| 6.0.2 | 21 / 0 | |
| 6.0.1 | 21 / 0 | |
| 6.0.0 | 13 / 0 | |
| 5.0.0 | 8 / 0 | |
| 4.0.8 | 5 / 21 | |
| 4.0.7 | 5 / 21 | |
| 4.0.6 | 5 / 21 | |
v9.0.28
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply-chain integrity signal.
v7.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.