@accounts/boost
Ready to use GraphQL accounts server
39
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
aetherallleopradeljs-accountsdavidyahatmikeladzedotansimha
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Established package with consistent publisher (leopradel); missing gitHead likely reflects a publish environment change, not a supply chain compromise. No other risk indicators present. | ai | |
| phantom-deps | phantom-dep:@graphql-modules/core | AI (phantom-deps): Declared and referenced in config; phantom status is expected for framework integration packages. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit dependency of TypeScript output; stable for this package. | ai | |
| provenance | no-provenance | AI (provenance): Lack of Sigstore provenance is a CI/CD improvement opportunity, not a security defect for this established package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher transition occurred in 2019; stable historical change with no ongoing compromise indicators. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): tslib is the official Microsoft TypeScript runtime helper library; its addition is a standard, benign TypeScript build optimization with no security risk. | ai | |
| dependencies | unvetted-dep:jsonwebtoken | AI (dependencies): jsonwebtoken is a canonical JWT library; expected dependency for accounts server. | ai | |
| dependencies | unvetted-dep:apollo-server | AI (dependencies): apollo-server is a canonical GraphQL server library; unvetted status is expected for established packages predating vetting infrastructure. | ai | |
| phantom-deps | phantom-dep:graphql-tools | AI (phantom-deps): graphql-tools is a peer dependency for GraphQL servers; phantom status is expected and documented. | ai | |
| phantom-deps | phantom-dep:graphql | AI (phantom-deps): graphql is a core peer dependency for GraphQL servers; phantom status reflects config-level usage, not a supply-chain risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require with require.resolve guard is a legitimate pattern for optional module loading in GraphQL servers; not a security risk. | ai |
Versions (showing 39 of 39)
| Version | Deps | Published |
|---|---|---|
| 0.32.2 | 10 / 1 | |
| 0.32.1 | 10 / 1 | |
| 0.32.0 | 10 / 1 | |
| 0.31.1 | 10 / 1 | |
| 0.30.0 | 10 / 1 | |
| 0.29.0 | 11 / 1 | |
| 0.28.0 | 11 / 1 | |
| 0.27.0 | 11 / 1 | |
| 0.26.0 | 11 / 1 | |
| 0.25.4 | 11 / 1 | |
| 0.25.3 | 11 / 1 | |
| 0.25.1 | 11 / 1 | |
| 0.25.0 | 11 / 1 | |
| 0.24.0 | 11 / 1 | |
| 0.23.0 | 11 / 1 | |
| 0.22.0 | 11 / 1 | |
| 0.21.1 | 11 / 1 | |
| 0.21.0 | 11 / 1 | |
| 0.20.1 | 11 / 1 | |
| 0.20.0 | 11 / 1 | |
| 0.19.0 | 11 / 1 | |
| 0.18.0 | 11 / 1 | |
| 0.17.0 | 11 / 1 | |
| 0.16.0 | 11 / 1 | |
| 0.15.0 | 11 / 1 | |
| 0.14.0 | 11 / 1 | |
| 0.13.0 | 11 / 1 | |
| 0.12.0 | 11 / 1 | |
| 0.11.2 | 11 / 1 | |
| 0.11.1 | 11 / 1 | |
| 0.10.0 | 11 / 1 | |
| 0.9.3 | 10 / 1 | |
| 0.9.2 | 10 / 1 | |
| 0.9.1 | 10 / 1 | |
| 0.9.0 | 10 / 1 | |
| 0.8.0 | 10 / 1 | |
| 0.7.0 | 10 / 1 | |
| 0.6.1 | 10 / 1 | |
| 0.6.0 | 10 / 1 |