graphql
A Query Language and Runtime which can target any service.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition within GraphQL Foundation; jdecroock is a known, trusted GraphQL ecosystem maintainer with extensive track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are all well-known GraphQL Working Group members; reflects public governance transition from Meta to GraphQL Foundation. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers were former Meta employees; removal reflects documented project governance transition. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Diff is against v15.x; v16 is a major rewrite (ESM, TS) that naturally adds many files. No suspicious content. | ai | |
| provenance | missing-githead | AI (provenance): graphql-js now publishes via GitHub Actions with SLSA provenance attestation, which supersedes gitHead as a supply-chain signal. | ai | |
| bogus-package | bogus-package | AI (bogus-package): leebyron is the creator of GraphQL; spam flag is false positive. No-deps is by design for this foundational library. | ai |
Versions (showing 100 of 145)
| Version | Deps | Published |
|---|---|---|
| 16.14.0 | 0 / 0 | |
| 16.13.2 | 0 / 0 | |
| 16.13.1 | 0 / 0 | |
| 16.13.0 | 0 / 0 | |
| 16.12.0 | 0 / 0 | |
| 16.11.0 | 0 / 0 | |
| 16.10.0 | 0 / 0 | |
| 16.9.0 | 0 / 0 | |
| 16.8.2 | 0 / 0 | |
| 16.8.1 | 0 / 0 | |
| 16.8.0 | 0 / 0 | |
| 16.7.1 | 0 / 0 | |
| 16.7.0 | 0 / 0 | |
| 16.6.0 | 0 / 0 | |
| 16.5.0 | 0 / 0 | |
| 16.4.0 | 0 / 0 | |
| 16.3.0 | 0 / 0 | |
| 16.2.0 | 0 / 0 | |
| 16.1.0 | 0 / 0 | |
| 16.0.1 | 0 / 0 | |
| 16.0.0 | 0 / 0 | |
| 15.10.1 | 0 / 0 | |
| 15.10.0 | 0 / 0 | |
| 15.9.0 | 0 / 0 | |
| 15.8.0 | 0 / 0 | |
| 15.7.2 | 0 / 0 | |
| 15.7.1 | 0 / 0 | |
| 15.7.0 | 0 / 0 | |
| 15.6.1 | 0 / 0 | |
| 15.6.0 | 0 / 0 | |
| 15.5.3 | 0 / 0 | |
| 15.5.2 | 0 / 0 | |
| 15.5.1 | 0 / 0 | |
| 15.5.0 | 0 / 0 | |
| 15.4.0 | 0 / 0 | |
| 15.3.0 | 0 / 0 | |
| 15.2.0 | 0 / 0 | |
| 15.1.0 | 0 / 0 | |
| 15.0.0 | 0 / 0 | |
| 14.7.0 | 1 / 0 | |
| 14.6.0 | 1 / 0 | |
| 14.5.8 | 1 / 0 | |
| 14.5.7 | 1 / 0 | |
| 14.5.6 | 1 / 0 | |
| 14.5.5 | 1 / 0 | |
| 14.5.4 | 1 / 0 | |
| 14.5.3 | 1 / 0 | |
| 14.5.2 | 1 / 0 | |
| 14.5.1 | 1 / 0 | |
| 14.5.0 | 1 / 0 | |
| 14.4.2 | 1 / 0 | |
| 14.4.1 | 1 / 0 | |
| 14.4.0 | 1 / 0 | |
| 14.3.1 | 1 / 0 | |
| 14.3.0 | 1 / 0 | |
| 14.2.1 | 1 / 0 | |
| 14.2.0 | 1 / 0 | |
| 14.1.1 | 1 / 0 | |
| 14.1.0 | 1 / 0 | |
| 14.0.2 | 1 / 0 | |
| 14.0.1 | 1 / 0 | |
| 14.0.0 | 1 / 0 | |
| 0.13.2 | 1 / 0 | |
| 0.13.1 | 1 / 0 | |
| 0.13.0 | 1 / 0 | |
| 0.12.3 | 1 / 0 | |
| 0.12.2 | 1 / 0 | |
| 0.12.1 | 1 / 0 | |
| 0.12.0 | 1 / 0 | |
| 0.11.7 | 1 / 0 | |
| 0.11.6 | 1 / 0 | |
| 0.11.5 | 1 / 0 | |
| 0.11.4 | 1 / 0 | |
| 0.11.3 | 1 / 0 | |
| 0.11.2 | 1 / 0 | |
| 0.11.1 | 1 / 0 | |
| 0.11.0 | 1 / 0 | |
| 0.10.5 | 1 / 0 | |
| 0.10.4 | 1 / 0 | |
| 0.10.3 | 1 / 37 | |
| 0.10.2 | 1 / 37 | |
| 0.10.1 | 1 / 37 | |
| 0.10.0 | 1 / 37 | |
| 0.9.6 | 1 / 36 | |
| 0.9.5 | 1 / 35 | |
| 0.9.4 | 1 / 35 | |
| 0.9.3 | 1 / 35 | |
| 0.9.2 | 1 / 35 | |
| 0.9.1 | 1 / 35 | |
| 0.9.0 | 1 / 34 | |
| 0.8.2 | 1 / 34 | |
| 0.8.1 | 1 / 34 | |
| 0.8.0 | 1 / 34 | |
| 0.7.2 | 1 / 35 | |
| 0.7.1 | 1 / 35 | |
| 0.7.0 | 1 / 35 | |
| 0.6.2 | 1 / 35 | |
| 0.6.1 | 0 / 34 | |
| 0.6.0 | 1 / 18 | |
| 0.5.0 | 1 / 18 |
v16.14.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v16.13.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v16.13.0
2 findingsThis version was published by a different npm account than previous versions on 2026-02-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.12.0
2 findingsThis version was published by a different npm account than previous versions on 2025-11-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.10.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-12-15. This could indicate a legitimate maintainer transition or an account compromise.
v16.9.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-06-21. This could indicate a legitimate maintainer transition or an account compromise.
v16.8.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-06-12. This could indicate a legitimate maintainer transition or an account compromise.
v16.8.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.8.0
2 findingsCVSS 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.7.1
2 findingsCVSS 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.7.0
2 findingsCVSS 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.6.0
2 findingsCVSS 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.5.0
2 findingsCVSS 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.4.0
2 findingsCVSS 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.3.0
2 findingsCVSS 5.3 (MEDIUM) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.10.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.10.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-13. This could indicate a legitimate maintainer transition or an account compromise.
v15.9.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.7.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.6.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.6.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.5.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.5.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.5.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.1.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.