@apollo/gateway
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA provenance; expected for this org. | ai | |
| license | uncommon-license:Elastic-2.0 | AI (license): Elastic-2.0 is Apollo's chosen license for federation packages; stable. | ai | |
| dependencies | unvetted-dep:@apollo/query-planner | AI (dependencies): First-party Apollo federation sibling package, pinned to the same version in the same monorepo release. Expected dependency. | ai | |
| dependencies | unvetted-dep:@apollo/utils.fetcher | AI (dependencies): First-party Apollo utilities package from the same org. Standard dependency for Apollo gateway HTTP fetching. | ai | |
| dependencies | unvetted-dep:node-abort-controller | AI (dependencies): Well-known AbortController polyfill for older Node.js versions. Legitimate utility dependency. | ai | |
| dependencies | unvetted-dep:@apollo/utils.createhash | AI (dependencies): First-party Apollo utilities package from the same org. Standard dependency. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Buffer.from(traceBase64, 'base64') decodes protobuf trace data from subgraphs for Apollo usage reporting — a documented, legitimate use case, not payload obfuscation. | ai | |
| dependencies | unvetted-dep:@apollo/server-gateway-interface | AI (dependencies): First-party Apollo package defining the gateway interface contract. Core dependency for this package's purpose. | ai | |
| phantom-deps | phantom-dep:@types/node-fetch | AI (phantom-deps): @types/node-fetch is a TypeScript type declaration package used at compile time; phantom detection is a false positive for type-only packages. | ai | |
| phantom-deps | phantom-dep:@apollo/utils.isnodelike | AI (phantom-deps): First-party Apollo utility used indirectly via other Apollo dependencies in the same monorepo; phantom detection is a false positive here. | ai | |
| dependencies | unvetted-dep:@apollo/utils.isnodelike | AI (dependencies): First-party Apollo utilities package from the same org. Standard dependency. | ai | |
| dependencies | unvetted-dep:@apollo/composition | AI (dependencies): First-party Apollo federation sibling package, pinned to the same version in the same monorepo release. Expected dependency. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 2.14.1 | 28 / 0 | |
| 2.14.0 | 28 / 0 | |
| 2.13.3 | 18 / 0 | |
| 2.13.2 | 18 / 0 | |
| 2.12.3 | 18 / 0 | |
| 2.11.6 | 18 / 0 | |
| 2.10.5 | 18 / 0 | |
v2.14.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.14.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.13.3
2 findings:
- This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
- Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.12.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.