← Home

relay-compiler

npm Repository Homepage

A compiler tool for building GraphQL-driven applications.

100
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

fbyuzhirelay-bot

Keywords

graphqlrelay

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:eval-usage AI (semgrep): eval('require') is a documented pattern in relay-compiler for optional dynamic require of relay-config, wrapped in try/catch. Not malicious — stable across versions. ai
semgrep semgrep:child-process-spawn AI (semgrep): Spawning 'watchman version' is core relay-compiler functionality for Watchman file-watching integration. Expected and stable for this package. ai
npm-metadata bundled-binaries AI (npm-metadata): relay-compiler ships platform-specific native binaries (Rust-compiled) as its core distribution mechanism; bundled binaries are expected and stable for this package. ai
semgrep semgrep:child-process-import AI (semgrep): cli.js uses child_process.spawn to invoke the bundled native binary — standard pattern for npm-wrapped native executables; stable false positive for this package. ai
bogus-package bogus-package AI (bogus-package): The 'fb' maintainer flag is a false positive — fb is the official Facebook/Meta npm account used for the Relay ecosystem, not a spam publisher. ai

Versions (showing 100 of 174)

Hide prereleases
Version Deps Published
21.0.1 0 / 0
21.0.0 0 / 0
20.1.1 0 / 0
20.1.0 0 / 0
20.0.0 0 / 0
19.0.0 0 / 0
18.2.0 0 / 0
18.1.0 0 / 0
18.0.0 0 / 0
17.0.0 0 / 0
16.2.0 0 / 0
16.1.0 0 / 0
16.0.0 0 / 0
15.0.0 0 / 0
14.1.0 0 / 0
14.0.0 0 / 0
13.2.0 0 / 0
13.1.1 0 / 0
13.1.0 0 / 0
13.0.3 0 / 0
13.0.2 0 / 0
13.0.1 0 / 0
13.0.0 0 / 0
12.0.0 17 / 0
11.0.2 17 / 0
11.0.1 16 / 0
11.0.0 16 / 0
10.1.3 16 / 0
10.1.2 16 / 0
10.1.1 16 / 0
10.1.0 16 / 0
10.0.1 16 / 0
10.0.0 16 / 0
9.1.0 16 / 0
9.0.0 16 / 0
8.0.0 16 / 0
7.1.0 16 / 0
7.0.0 16 / 0
6.0.0 16 / 0
5.0.0 17 / 0
4.0.0 17 / 0
3.0.0 16 / 0
2.0.0 16 / 0
1.7.0 16 / 0
1.6.2 16 / 0
1.6.1 16 / 0
1.6.0 16 / 0
1.5.0 16 / 0
1.4.1 16 / 0
1.4.0 16 / 0
1.3.0 16 / 0
1.2.0 17 / 0
1.1.0 13 / 0
1.0.0 12 / 0
0.0.1 0 / 0
0.0.0-main-fe7af884 0 / 0
0.0.0-main-fdb3a745 0 / 0
0.0.0-main-fc7d1500 0 / 0
0.0.0-main-fa8668a2 0 / 0
0.0.0-main-f7d1c0f5 0 / 0
0.0.0-main-f22ed806 0 / 0
0.0.0-main-ee43b7b9 0 / 0
0.0.0-main-edcb69da 0 / 0
0.0.0-main-eb270657 0 / 0
0.0.0-main-ea3984e5 0 / 0
0.0.0-main-e8df1ff9 0 / 0
0.0.0-main-e83fa8db 0 / 0
0.0.0-main-e7cacf79 0 / 0
0.0.0-main-e5bfe37a 0 / 0
0.0.0-main-e56664c0 0 / 0
0.0.0-main-e45fc4f4 0 / 0
0.0.0-main-e341ed1d 0 / 0
0.0.0-main-e1f63cf3 0 / 0
0.0.0-main-e1d3745f 0 / 0
0.0.0-main-e0e08698 0 / 0
0.0.0-main-df0070df 0 / 0
0.0.0-main-ddb7914c 0 / 0
0.0.0-main-dd18c036 0 / 0
0.0.0-main-dc0addb8 0 / 0
0.0.0-main-d9771b56 0 / 0
0.0.0-main-d9628ba3 0 / 0
0.0.0-main-d7a16ceb 0 / 0
0.0.0-main-d5a71aff 0 / 0
0.0.0-main-d26bdec1 0 / 0
0.0.0-main-d0dbdc0e 0 / 0
0.0.0-main-d0aa5ed7 0 / 0
0.0.0-main-d0541a30 0 / 0
0.0.0-main-cef5a570 0 / 0
0.0.0-main-ccbe6465 0 / 0
0.0.0-main-caf20add 0 / 0
0.0.0-main-cae3a0a3 0 / 0
0.0.0-main-c81d7dfe 0 / 0
0.0.0-main-c3a809e2 0 / 0
0.0.0-main-c0fe61a5 0 / 0
0.0.0-main-bd5c9e5b 0 / 0
0.0.0-main-bbf7ef98 0 / 0
0.0.0-main-b93ca7a7 0 / 0
0.0.0-main-b5403930 0 / 0
0.0.0-main-b4dc2ed8 0 / 0
0.0.0-main-b40572cd 0 / 0
Showing 100 of 174 Next page →

v21.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.0.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v20.1.1

2 findings
HIGH Bundled binary files (3) npm-metadata

Package contains compiled binaries that could be backdoors: • macos-arm64/relay • macos-x64/relay • win-x64/relay.exe

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v20.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v20.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v19.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v18.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v18.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v18.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v17.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.