@accounts/graphql-api
Server side GraphQL transport for accounts
Versions: 52
License: MIT
Install scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version:
- No SLSA provenance
- npm registry signatures
- No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
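The three status lines above (SLSA provenance, registry signature, source commit) and the "Install scripts" field are all readable from a single version record of the package's npm packument, the JSON served at `https://registry.npmjs.org/<name>`. The following is an added example, not the report's own checker and not code from the @accounts/graphql-api project; it assumes only the registry's public field names (`dist.signatures`, `dist.attestations.provenance.predicateType`, `gitHead`, `scripts`). The two records at the bottom are constructed, with placeholder signature and attestation values; the first mirrors the state this report shows.

```javascript
// Added example (not the report's scanner, not project code): derive the
// provenance / install-script status of one npm packument version record.

// Lifecycle scripts npm runs when the package is installed as a dependency.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// npm provenance attestations carry a SLSA provenance predicate type.
const SLSA_PREDICATE_PREFIX = 'https://slsa.dev/provenance/';

function assessVersion(version) {
  const dist = version.dist || {};
  const scripts = version.scripts || {};

  // Install-time hooks are the usual vehicle for a malicious publish.
  const installScripts = INSTALL_HOOKS.filter((k) => typeof scripts[k] === 'string');

  // Registry signatures prove the registry saw this tarball, nothing about
  // which source it was built from.
  const registrySignatures = Array.isArray(dist.signatures) ? dist.signatures.length : 0;

  // An attestation with a SLSA predicate links the tarball to a build of a
  // specific public commit; without it the tarball is an opaque blob.
  const predicate =
    dist.attestations && dist.attestations.provenance
      ? dist.attestations.provenance.predicateType
      : undefined;
  const hasSlsaProvenance =
    typeof predicate === 'string' && predicate.startsWith(SLSA_PREDICATE_PREFIX);

  // gitHead is the commit npm recorded at publish time (a weaker, unsigned
  // hint of the source; the report's "missing-githead" rule keys on it).
  const hasSourceCommit =
    typeof version.gitHead === 'string' && /^[0-9a-f]{40}$/i.test(version.gitHead);

  // Rule identifiers reuse the report's names where it has them.
  const findings = [];
  if (installScripts.length > 0) findings.push('install-scripts');
  if (registrySignatures === 0) findings.push('no-registry-signature');
  if (!hasSlsaProvenance) findings.push('no-provenance');
  if (!hasSourceCommit) findings.push('missing-githead');

  return {
    version: version.version,
    installScripts,
    registrySignatures,
    hasSlsaProvenance,
    hasSourceCommit,
    findings,
  };
}

// Constructed sample records, not real registry data (placeholder key id,
// signature and attestation URL). UNATTESTED mirrors this report's status:
// registry-signed, no attestation, no gitHead, no install scripts.
const UNATTESTED = {
  version: '0.33.2',
  scripts: { compile: 'tsc', test: 'jest' },
  dist: {
    signatures: [{ keyid: 'SHA256:constructed-key-id', sig: 'MEUCIQconstructedsig' }],
  },
};

// Hypothetical record with full provenance but a postinstall hook, to show
// that provenance and install scripts are independent findings.
const ATTESTED = {
  version: '9.9.9',
  gitHead: '0123456789abcdef0123456789abcdef01234567',
  scripts: { postinstall: 'node scripts/setup.js' },
  dist: {
    signatures: [{ keyid: 'SHA256:constructed-key-id', sig: 'MEUCIQconstructedsig' }],
    attestations: {
      url: 'https://example.invalid/attestations',
      provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
    },
  },
};

console.log(assessVersion(UNATTESTED).findings);
console.log(assessVersion(ATTESTED).findings);
```

Against a live packument the same function runs over `doc.versions[doc['dist-tags'].latest]`; a registry signature alone should not be read as a source link, which is the distinction the status lines above draw.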
Maintainers
leopradel, tmikeladze, dotansimha
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-takeover | AI (maintainer-change): Legitimate project transfer to js-accounts org; new maintainers include well-known GraphQL ecosystem contributors (dotansimha, davidyaha). Publisher leopradel has strong track record (256 approved packages). | ai | |
| provenance | missing-githead | AI (provenance): Publisher leopradel is the long-standing maintainer; missing githead likely reflects a build environment change (pnpm migration), not a security concern. | ai | |
| source-diff | obfuscated-file:lib/index.js | AI (source-diff): lib/index.js is a standard webpack UMD bundle (confirmed by compile script using webpack -p). Minified output is expected for this package's build process; not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:deepmerge | AI (phantom-deps): deepmerge is used in config/build files for legitimate configuration merging; common pattern in TypeScript projects. | ai | |
| phantom-deps | phantom-dep:@types/request-ip | AI (phantom-deps): TypeScript type definitions for request-ip; loaded by convention and appropriate for typed development. | ai | |
| dependencies | unvetted-dep:graphql-toolkit | AI (dependencies): graphql-toolkit is an established GraphQL utility library; appropriate dependency for a GraphQL API package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): 8.8x source size increase is explained by 52 new files and feature expansion; no bundled/injected payload indicators. | ai | |
| dependencies | unvetted-dep:@graphql-tools/utils | AI (dependencies): Established @graphql-tools ecosystem package; pinned to 7.0.2; standard GraphQL tooling dependency. | ai | |
| dependencies | unvetted-dep:@graphql-tools/merge | AI (dependencies): Established @graphql-tools ecosystem package; pinned to 6.2.5; legitimate replacement for deprecated @graphql-toolkit/schema-merging. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 52 new source files reflect legitimate feature expansion; consistent with major version update pattern. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are all established packages within @accounts ecosystem or well-known libraries; no suspicious additions. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of 'accounts' maintainer in 2018 consistent with legitimate reorganization to js-accounts organization. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer addition (js-accounts) in 2018 appears to be legitimate project organization transfer; no subsequent malicious activity. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from davidyaha to tmikeladze in 2018 appears to be legitimate maintainer transition within js-accounts org; no subsequent malicious activity. | ai | |
| dependencies | unvetted-dep:@graphql-toolkit/schema-merging | AI (dependencies): Standard GraphQL toolkit dependency; pinned version, aligned with package's GraphQL focus. | ai | |
| dependencies | unvetted-dep:request-ip | AI (dependencies): request-ip is a legitimate, established utility for extracting client IP addresses; pinned to 2.1.3 and appropriate for a GraphQL API server. | ai | |
| phantom-deps | phantom-dep:@accounts/server | AI (phantom-deps): Same-org scoped dependency; phantom status is expected for internal ecosystem packages. | ai | |
| dependencies | unvetted-dep:babel-runtime | AI (dependencies): babel-runtime is a canonical, widely-used transpiler runtime; appropriate for Babel-based projects. | ai | |
| provenance | no-provenance | AI (provenance): Package is 3343 days old with 102 versions and a trusted publisher track record. Lack of provenance is expected for packages predating Sigstore adoption. | ai |
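Three of the accepted findings above are `phantom-dep` rows (deepmerge, @types/request-ip, @accounts/server). The usual meaning of a phantom dependency, assumed here, is a bare module specifier the package's files import without declaring it in any `dependencies` block of package.json; it resolves only because some other package hoisted it into node_modules, and a flat or pnpm-style install (the report itself cites a pnpm migration) can make it resolve to nothing or to a different package. The detector below is an added example, not the report's own rule implementation and not project code; it is import-based, so it does not model type packages picked up by convention, which is why the `@types/request-ip` case is not in its sample. The files and package.json are constructed, with the declared versions taken from the table above.

```javascript
// Added example (not the report's scanner, not project code): find bare
// module specifiers imported by a package's files but declared in none of
// its package.json dependency blocks.

// Core modules never need declaring. Partial list, kept short on purpose.
const NODE_BUILTINS = new Set([
  'assert', 'buffer', 'child_process', 'crypto', 'events', 'fs', 'http',
  'https', 'os', 'path', 'stream', 'url', 'util',
]);

// Matches require('x'), import('x'), import 'x', import ... from 'x',
// export ... from 'x'. Group 1 covers the call forms, group 2 the keyword forms.
const IMPORT_RE =
  /\b(?:require|import)\s*\(\s*['"]([^'"]+)['"]|\b(?:from|import)\s+['"]([^'"]+)['"]/g;

// Reduce a specifier to the package that owns it, or null if it is not a
// package at all (relative/absolute path, node: URL, core module).
function packageNameFromSpecifier(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) return null;
  const parts = spec.split('/');
  // Scoped packages keep two path segments: @scope/name/deep -> @scope/name
  const name = spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

function collectImports(source) {
  const names = new Set();
  for (const m of source.matchAll(IMPORT_RE)) {
    const name = packageNameFromSpecifier(m[1] || m[2]);
    if (name) names.add(name);
  }
  return names;
}

// files: { path: sourceText }, pkg: parsed package.json.
// Returns { packageName: [paths that import it] } for undeclared packages.
function findPhantomDeps(files, pkg) {
  const declared = new Set();
  for (const block of ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies']) {
    for (const name of Object.keys(pkg[block] || {})) declared.add(name);
  }
  const phantom = {};
  for (const [path, source] of Object.entries(files)) {
    for (const name of collectImports(source)) {
      if (declared.has(name)) continue;
      if (!phantom[name]) phantom[name] = [];
      phantom[name].push(path);
    }
  }
  return phantom;
}

// Constructed sample, shaped after the report's findings: the declared
// versions are the ones the table lists; deepmerge and @accounts/server are
// imported but never declared.
const FILES = {
  'src/index.ts': [
    "import { mergeTypeDefs } from '@graphql-tools/merge';",
    "import requestIp from 'request-ip';",
    "import { AccountsServer } from '@accounts/server';",
    "import path from 'path';",
    "import './schema';",
  ].join('\n'),
  'config/webpack.config.js': [
    "const deepmerge = require('deepmerge');",
    "const base = require('./base.config');",
    'module.exports = deepmerge(base, {});',
  ].join('\n'),
};

const PKG = {
  dependencies: { '@graphql-tools/merge': '6.2.5', 'request-ip': '2.1.3' },
};

console.log(findPhantomDeps(FILES, PKG));
```

Whether a phantom dep is acceptable is a judgement call, as the rows above record; the check itself is cheap enough to run on every version diff, and a same-scope phantom such as `@accounts/server` is still worth pinning because scope membership is not a resolution guarantee.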
Versions (showing 52 of 52)
| Version | Deps | Published |
|---|---|---|
| 0.33.2 | 4 / 20 | |
| 0.33.1 | 4 / 20 | |
| 0.33.0 | 4 / 18 | |
| 0.32.0 | 4 / 18 | |
| 0.31.1 | 4 / 18 | |
| 0.31.0 | 4 / 18 | |
| 0.30.0 | 4 / 18 | |
| 0.29.0 | 3 / 19 | |
| 0.28.0 | 3 / 18 | |
| 0.27.0 | 3 / 18 | |
| 0.26.0 | 3 / 18 | |
| 0.25.4 | 3 / 18 | |
| 0.25.3 | 3 / 18 | |
| 0.25.1 | 3 / 20 | |
| 0.25.0 | 3 / 20 | |
| 0.24.0 | 3 / 20 | |
| 0.23.0 | 3 / 20 | |
| 0.22.0 | 3 / 20 | |
| 0.21.1 | 3 / 20 | |
| 0.21.0 | 3 / 20 | |
| 0.20.1 | 3 / 20 | |
| 0.20.0 | 3 / 20 | |
| 0.19.0 | 3 / 20 | |
| 0.18.0 | 3 / 21 | |
| 0.17.0 | 3 / 21 | |
| 0.16.0 | 3 / 21 | |
| 0.15.0 | 3 / 19 | |
| 0.14.0 | 3 / 19 | |
| 0.13.0 | 3 / 19 | |
| 0.12.0 | 3 / 19 | |
| 0.11.2 | 3 / 19 | |
| 0.11.1 | 3 / 19 | |
| 0.10.0 | 3 / 19 | |
| 0.9.3 | 6 / 15 | |
| 0.9.2 | 6 / 15 | |
| 0.9.1 | 6 / 15 | |
| 0.9.0 | 6 / 15 | |
| 0.8.0 | 7 / 13 | |
| 0.7.0 | 7 / 13 | |
| 0.6.1 | 7 / 13 | |
| 0.6.0 | 7 / 13 | |
| 0.2.3 | 2 / 6 | |
| 0.2.2 | 2 / 6 | |
| 0.2.1 | 2 / 6 | |
| 0.1.1 | 2 / 29 | |
| 0.1.0 | 1 / 27 | |
| 0.0.9 | 1 / 27 | |
| 0.0.7 | 1 / 27 | |
| 0.0.5 | 1 / 27 | |
| 0.0.4 | 1 / 27 | |
| 0.0.3 | 1 / 27 | |
| 0.0.2 | 1 / 27 |