@cedarjs/realtime — Greenflagged

The real-time solution for CedarJS is initially for GraphQL.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

tobbe

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	no-description	AI (npm-metadata): High-volume package with established ecosystem presence; missing description is benign.	ai	2026/05/27
dependencies	unvetted-dep:@envelop/live-query	AI (dependencies): Established envelop ecosystem package; stable dependency for this realtime package.	ai	2026/04/28
dependencies	unvetted-dep:@n1ru4l/graphql-live-query	AI (dependencies): Well-known n1ru4l GraphQL live query library; no malicious indicators.	ai	2026/04/28
dependencies	unvetted-dep:@graphql-yoga/plugin-graphql-sse	AI (dependencies): Official graphql-yoga plugin from The Guild; reputable maintainer.	ai	2026/04/28
dependencies	unvetted-dep:@graphql-yoga/plugin-defer-stream	AI (dependencies): Official graphql-yoga plugin from The Guild; reputable maintainer.	ai	2026/04/28
dependencies	unvetted-dep:@n1ru4l/in-memory-live-query-store	AI (dependencies): Well-known n1ru4l live query store; no malicious indicators.	ai	2026/04/28
dependencies	unvetted-dep:@graphql-yoga/redis-event-target	AI (dependencies): Official graphql-yoga package from The Guild; reputable maintainer.	ai	2026/04/28
provenance	no-provenance	AI (provenance): Established monorepo package; lack of provenance is consistent across all 1414 versions.	ai	2026/04/28

Versions (showing 27 of 27)

Version	Deps	Published
4.2.0	10 / 10	2026-05-13
4.1.0	10 / 10	2026-04-30
4.0.0	10 / 10	2026-04-12
3.1.1	10 / 10	2026-04-08
3.1.0	10 / 10	2026-03-25
3.0.0	10 / 10	2026-03-23
2.8.1	10 / 10	2026-03-25
2.8.0	10 / 10	2026-03-07
2.7.0	10 / 9	2026-03-03
2.6.0	10 / 9	2026-02-10
2.5.1	10 / 9	2026-02-05
2.5.0	10 / 9	2026-02-02
2.4.1	10 / 9	2026-01-13
2.4.0	10 / 9	2026-01-12
2.3.0	10 / 9	2026-01-02
2.2.1	10 / 9	2025-12-29
2.2.0	10 / 9	2025-12-26
2.1.1	10 / 9	2025-12-19
2.1.0	10 / 9	2025-12-15
2.0.3	10 / 9	2025-12-15
2.0.2	10 / 9	2025-11-30
2.0.1	10 / 9	2025-11-30
2.0.0	10 / 9	2025-11-28
1.1.2	10 / 9	2026-02-08
1.1.1	10 / 9	2025-11-30
1.1.0	10 / 9	2025-11-25
1.0.0	10 / 9	2025-11-17

v4.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.8.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.8.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.7.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.5.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.5.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.4.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.