relay-compiler MIT 51 versions

relay-compiler

npm Repository Homepage

A compiler tool for building GraphQL-driven applications.

51

Versions

MIT

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

fbyuzhirelay-bot

Keywords

graphqlrelay

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:eval-usage	AI (semgrep): eval('require') is a documented pattern in relay-compiler for optional dynamic require of relay-config, wrapped in try/catch. Not malicious — stable across versions.	ai	2026/04/23
semgrep	semgrep:child-process-spawn	AI (semgrep): Spawning 'watchman version' is core relay-compiler functionality for Watchman file-watching integration. Expected and stable for this package.	ai	2026/04/23
npm-metadata	bundled-binaries	AI (npm-metadata): relay-compiler ships platform-specific native binaries (Rust-compiled) as its core distribution mechanism; bundled binaries are expected and stable for this package.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): cli.js uses child_process.spawn to invoke the bundled native binary — standard pattern for npm-wrapped native executables; stable false positive for this package.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): The 'fb' maintainer flag is a false positive — fb is the official Facebook/Meta npm account used for the Relay ecosystem, not a spam publisher.	ai	2026/04/23

Versions (showing 51 of 174)

Hide prereleases View all versions

Version	Deps	Published
21.0.1	0 / 0	2026-05-27
21.0.0	0 / 0	2026-05-18
20.1.1	0 / 0	2025-08-06
20.1.0	0 / 0	2025-07-28
20.0.0	0 / 0	2025-06-14
19.0.0	0 / 0	2025-05-02
18.2.0	0 / 0	2024-11-21
18.1.0	0 / 0	2024-10-04
18.0.0	0 / 0	2024-09-07
17.0.0	0 / 0	2024-06-14
16.2.0	0 / 0	2024-01-23
16.1.0	0 / 0	2023-12-11
16.0.0	0 / 0	2023-10-19
15.0.0	0 / 0	2023-03-08
14.1.0	0 / 0	2022-07-27
14.0.0	0 / 0	2022-06-08
13.2.0	0 / 0	2022-03-10
13.1.1	0 / 0	2022-02-09
13.1.0	0 / 0	2022-02-08
13.0.3	0 / 0	2022-02-07
13.0.2	0 / 0	2022-01-28
13.0.1	0 / 0	2022-01-10
13.0.0	0 / 0	2022-01-06
12.0.0	17 / 0	2021-09-01
11.0.2	17 / 0	2021-04-15
11.0.1	16 / 0	2021-03-24
11.0.0	16 / 0	2021-03-09
10.1.3	16 / 0	2021-01-22
10.1.2	16 / 0	2020-12-15
10.1.1	16 / 0	2020-12-07
10.1.0	16 / 0	2020-11-16
10.0.1	16 / 0	2020-07-23
10.0.0	16 / 0	2020-07-13
9.1.0	16 / 0	2020-04-28
9.0.0	16 / 0	2020-02-13
8.0.0	16 / 0	2019-12-19
7.1.0	16 / 0	2019-11-07
7.0.0	16 / 0	2019-10-21
6.0.0	16 / 0	2019-09-16
5.0.0	17 / 0	2019-06-11
4.0.0	17 / 0	2019-04-29
3.0.0	16 / 0	2019-02-23
2.0.0	16 / 0	2019-01-26
1.7.0	16 / 0	2018-10-31
1.6.2	16 / 0	2018-08-01
1.6.1	16 / 0	2018-07-30
1.6.0	16 / 0	2018-04-27
1.5.0	16 / 0	2018-02-20
1.4.1	16 / 0	2017-09-26
1.4.0	16 / 0	2017-09-22
1.3.0	16 / 0	2017-08-28

v21.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v21.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v20.1.1

2 findings

HIGH Bundled binary files (3) npm-metadata

Package contains compiled binaries that could be backdoors: • macos-arm64/relay • macos-x64/relay • win-x64/relay.exe

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v20.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v20.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v19.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v18.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v18.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v18.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v17.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v9.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.