@axinom/mosaic-graphql-common
Common GraphQL and PostGraphile related functionality.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Large monorepo package; inactivity gap explained by jest-to-vitest migration; no malicious indicators in diff. | ai | |
| dependencies | unvetted-dep:@axinom/mosaic-messages | AI (dependencies): Internal Axinom Mosaic ecosystem dep; consistent across all versions. | ai | |
| dependencies | unvetted-dep:pg-transactional-outbox | AI (dependencies): Known transactional outbox library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@axinom/mosaic-db-common | AI (dependencies): Internal Axinom Mosaic ecosystem dep; consistent across all versions. | ai | |
| dependencies | unvetted-dep:@axinom/mosaic-message-bus | AI (dependencies): Internal Axinom Mosaic ecosystem dep; consistent across all versions. | ai | |
| dependencies | unvetted-dep:@axinom/mosaic-service-common | AI (dependencies): Internal Axinom Mosaic ecosystem dep; consistent across all versions. | ai | |
| dependencies | unvetted-dep:@graphile/pg-pubsub | AI (dependencies): Known PostGraphile ecosystem dependency; stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:jest | AI (phantom-deps): jest is a test runner referenced in config/scripts; not imported in runtime code — stable false positive. | ai | |
| phantom-deps | phantom-dep:jest-expect-message | AI (phantom-deps): Test utility referenced in jest config; not a runtime import — stable false positive. | ai | |
| phantom-deps | phantom-dep:@axinom/mosaic-message-bus-abstractions | AI (phantom-deps): Same-org package likely re-exported via another dep; stable false positive for this ecosystem. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Proprietary package with no public repo/homepage is expected for this org; 413 versions and 982 days old confirms legitimacy. | ai | |
| dependencies | unvetted-dep:@axinom/mosaic-transactional-inbox-outbox | AI (dependencies): Internal Axinom Mosaic ecosystem dep; consistent across all versions. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 0.31.0 | 17 / 11 | |
| 0.30.0 | 19 / 10 | |
| 0.29.0 | 19 / 10 | |
| 0.28.0 | 19 / 10 | |
| 0.27.0 | 19 / 10 | |
| 0.26.0 | 19 / 10 | |
| 0.24.0 | 19 / 10 | |
| 0.23.4 | 19 / 10 | |
v0.31.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.29.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.28.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.27.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.26.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.24.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.23.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.