relay-runtime
A core runtime for building GraphQL-driven applications.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:relay-runtime-experimental.js | AI (source-diff): relay-runtime ships standard webpack/UMD minified bundles as part of its normal build output. The sample confirms a legitimate Relay bundle pattern, not obfuscation or malware. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): invariant is a well-known Meta/Facebook utility already used throughout the Relay ecosystem; its addition is expected and benign. | ai | |
| source-diff | obfuscated-file:relay-runtime.js | AI (source-diff): relay-runtime ships a standard webpack UMD bundle as its distribution artifact. Minified build output is expected and stable for this package across all versions. | ai | |
| source-diff | net-exec-file:relay-runtime.js | AI (source-diff): Network calls in relay-runtime.js are GraphQL fetch operations — core library functionality, not dropper/loader behavior. False positive for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): relay-runtime is a large, actively developed Facebook OSS project; major version bumps routinely add many source files. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Initial placeholder release by trusted publisher; no description is expected for a namespace-reservation stub. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Version 0.0.1 is a legitimate namespace-reservation stub by trusted Meta/Facebook publisher kassens. Signals reflect intentional placeholder, not spam or malware. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removal reflects Meta consolidating Relay publishing under relay-bot automation; consistent with organizational publishing automation, not a takeover. | ai | |
| provenance | publisher-changed | AI (provenance): relay-bot is Meta's established automation account (1693 days old, 8 approved packages) used for publishing Relay packages; this publisher transition is a legitimate organizational change. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() appears in relay-runtime's standard UMD bundle output; this is a known pattern in the Relay framework's minified build, not a malicious code execution vector. | ai | |
| provenance | no-provenance | AI (provenance): relay-runtime is a long-established Facebook/Meta package predating Sigstore provenance; absence of attestation is expected and not a risk signal for this package. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): relay-runtime is part of Meta's Relay monorepo; rapid successive publishes are expected from their automated release pipeline publishing multiple packages simultaneously. | ai | |
| dependencies | unvetted-dep:fbjs | AI (dependencies): fbjs is a well-known Facebook/Meta utility library and a standard, expected dependency for Relay packages. Not a security concern. | ai |
Versions (showing 55 of 55)
| Version | Deps | Published |
|---|---|---|
| 21.0.1 | 3 / 0 | |
| 21.0.0 | 3 / 0 | |
| 20.1.1 | 3 / 0 | |
| 20.1.0 | 3 / 0 | |
| 20.0.0 | 3 / 0 | |
| 19.0.0 | 3 / 0 | |
| 18.2.0 | 3 / 0 | |
| 18.1.0 | 3 / 0 | |
| 18.0.0 | 3 / 0 | |
| 17.0.0 | 3 / 0 | |
| 16.2.0 | 3 / 0 | |
| 16.1.0 | 3 / 0 | |
| 16.0.0 | 3 / 0 | |
| 15.0.0 | 3 / 0 | |
| 14.1.0 | 3 / 0 | |
| 14.0.0 | 3 / 0 | |
| 13.2.0 | 3 / 0 | |
| 13.1.1 | 3 / 0 | |
| 13.1.0 | 3 / 0 | |
| 13.0.3 | 3 / 0 | |
| 13.0.2 | 3 / 0 | |
| 13.0.1 | 3 / 0 | |
| 13.0.0 | 3 / 0 | |
| 12.0.0 | 3 / 0 | |
| 11.0.2 | 3 / 0 | |
| 11.0.1 | 2 / 0 | |
| 11.0.0 | 2 / 0 | |
| 10.1.3 | 2 / 0 | |
| 10.1.2 | 2 / 0 | |
| 10.1.1 | 2 / 0 | |
| 10.1.0 | 2 / 0 | |
| 10.0.1 | 2 / 0 | |
| 10.0.0 | 2 / 0 | |
| 9.1.0 | 2 / 0 | |
| 9.0.0 | 2 / 0 | |
| 8.0.0 | 2 / 0 | |
| 7.1.0 | 2 / 0 | |
| 7.0.0 | 2 / 0 | |
| 6.0.0 | 2 / 0 | |
| 5.0.0 | 2 / 0 | |
| 4.0.0 | 2 / 0 | |
| 3.0.0 | 2 / 0 | |
| 2.0.0 | 2 / 0 | |
| 1.7.0 | 2 / 0 | |
| 1.6.2 | 2 / 0 | |
| 1.6.1 | 2 / 0 | |
| 1.6.0 | 2 / 0 | |
| 1.5.0 | 2 / 0 | |
| 1.4.1 | 3 / 0 | |
| 1.4.0 | 3 / 0 | |
| 1.3.0 | 3 / 0 | |
| 1.2.0 | 2 / 0 | |
| 1.1.0 | 2 / 0 | |
| 1.0.0 | 2 / 0 | |
| 0.0.1 | 0 / 0 |
v21.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.0.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-18. This could indicate a legitimate maintainer transition or an account compromise.
v16.2.0
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.0.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-10-19. This could indicate a legitimate maintainer transition or an account compromise.
v15.0.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-03-08. This could indicate a legitimate maintainer transition or an account compromise.
v14.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-27. This could indicate a legitimate maintainer transition or an account compromise.
v14.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-08. This could indicate a legitimate maintainer transition or an account compromise.
v13.2.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-10. This could indicate a legitimate maintainer transition or an account compromise.
v13.1.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-09. This could indicate a legitimate maintainer transition or an account compromise.
v13.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-08. This could indicate a legitimate maintainer transition or an account compromise.
v13.0.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v13.0.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-28. This could indicate a legitimate maintainer transition or an account compromise.
v13.0.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-10. This could indicate a legitimate maintainer transition or an account compromise.
v13.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-06. This could indicate a legitimate maintainer transition or an account compromise.
v12.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-04-15. This could indicate a legitimate maintainer transition or an account compromise.
v11.0.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-03-24. This could indicate a legitimate maintainer transition or an account compromise.
v11.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.1.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-01-22. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-12-15. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-12-07. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-11-16. This could indicate a legitimate maintainer transition or an account compromise.
v10.0.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-07-23. This could indicate a legitimate maintainer transition or an account compromise.
v10.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-07-13. This could indicate a legitimate maintainer transition or an account compromise.
v9.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-04-28. This could indicate a legitimate maintainer transition or an account compromise.
v9.0.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-11-07. This could indicate a legitimate maintainer transition or an account compromise.
v7.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-09-22. This could indicate a legitimate maintainer transition or an account compromise.
v1.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.