@favware/graphql-pokemon
Extensive Pokemon GraphQL API
Versions: 51
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
favna
Keywords
favware, typescript, ts, yarn, graphql
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:express | AI (dependencies): express is a well-known, widely-used Node.js web framework; not a risk for this package. | ai | |
| dependencies | unvetted-dep:@discordjs/collection | AI (dependencies): @discordjs/collection is a well-known utility collection from the discord.js ecosystem; no risk signal. | ai | |
| dependencies | unvetted-dep:graphql-type-json | AI (dependencies): graphql-type-json is a well-known GraphQL scalar type package; appropriate for this GraphQL API. | ai | |
| dependencies | unvetted-dep:reflect-metadata | AI (dependencies): reflect-metadata is a standard TypeScript decorator metadata polyfill; expected implicit dependency for type-graphql. | ai | |
| dependencies | unvetted-dep:type-graphql | AI (dependencies): type-graphql is a well-known TypeScript GraphQL framework; appropriate for this GraphQL API package. | ai | |
| dependencies | unvetted-dep:fuse.js | AI (dependencies): fuse.js is a well-known fuzzy-search library; appropriate dependency for a search-capable API. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from favna. to favna reflects an npm account rename/migration by the same author, not a compromise. Package history and metadata are consistent. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): The 'takeover' is an npm account rename from 'favna.' to 'favna' — same individual maintainer, not a third-party hijack. Consistent repo, homepage, and package history confirm continuity. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainer 'favna' is the same person as 'favna.' — account rename, not a new party. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of 'favna.' is the other side of the account rename to 'favna'; no actual maintainer loss. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by architectural shift from server app to distributable library with bundled CJS/ESM outputs and source maps — legitimate refactor. | ai | |
| phantom-deps | phantom-dep:graphql-type-json | AI (phantom-deps): Server-side GraphQL scalar type; only type definitions are published. Phantom detection is expected for this package structure. | ai | |
| phantom-deps | phantom-dep:reflect-metadata | AI (phantom-deps): Known implicit runtime dependency for TypeScript decorators used by type-graphql. Stable pattern for this package. | ai | |
| phantom-deps | phantom-dep:express | AI (phantom-deps): Server-side dependency used in the GraphQL API server; only type definitions are published to consumers. Phantom detection is expected for this package structure. | ai | |
| provenance | no-provenance | AI (provenance): Version 0.0.1 was published ~2351 days ago, well before Sigstore provenance was available on npm. Not a meaningful risk signal for this package. | ai | |
| phantom-deps | phantom-dep:fuse.js | AI (phantom-deps): Server-side dependency for fuzzy search; only type definitions are published. Phantom detection is expected for this package structure. | ai | |
| phantom-deps | phantom-dep:apollo-server-express | AI (phantom-deps): Server-side Apollo GraphQL server dependency; only type definitions are published. Phantom detection is expected for this package structure. | ai | |
| phantom-deps | phantom-dep:type-graphql | AI (phantom-deps): Server-side GraphQL decorator framework; only type definitions are published. Phantom detection is expected for this package structure. | ai | |
| phantom-deps | phantom-dep:@discordjs/collection | AI (phantom-deps): Server-side data structure dependency; only type definitions are published. Phantom detection is expected for this package structure. | ai | |
Versions (showing 51 of 129)
| Version | Deps | Published |
|---|---|---|
| 8.7.3 | 1 / 49 | |
| 8.7.2 | 1 / 49 | |
| 8.7.1 | 1 / 49 | |
| 8.7.0 | 1 / 49 | |
| 8.6.2 | 1 / 49 | |
| 8.6.1 | 1 / 49 | |
| 8.6.0 | 1 / 49 | |
| 8.5.3 | 1 / 49 | |
| 8.5.2 | 1 / 49 | |
| 8.5.1 | 1 / 49 | |
| 8.5.0 | 1 / 52 | |
| 8.4.2 | 1 / 49 | |
| 8.4.1 | 1 / 51 | |
| 8.4.0 | 1 / 51 | |
| 8.3.3 | 1 / 47 | |
| 8.3.2 | 1 / 47 | |
| 8.3.1 | 1 / 47 | |
| 8.3.0 | 1 / 47 | |
| 8.2.1 | 1 / 47 | |
| 8.2.0 | 1 / 47 | |
| 8.1.1 | 1 / 47 | |
| 8.1.0 | 1 / 47 | |
| 8.0.0 | 1 / 47 | |
| 7.3.4 | 1 / 44 | |
| 7.3.3 | 1 / 41 | |
| 7.3.2 | 1 / 41 | |
| 7.3.1 | 1 / 41 | |
| 7.3.0 | 1 / 41 | |
| 7.2.2 | 1 / 41 | |
| 7.2.1 | 1 / 41 | |
| 7.2.0 | 1 / 41 | |
| 7.1.2 | 1 / 41 | |
| 7.1.1 | 1 / 41 | |
| 7.1.0 | 1 / 41 | |
| 7.0.9 | 1 / 40 | |
| 7.0.8 | 1 / 40 | |
| 7.0.7 | 1 / 40 | |
| 7.0.6 | 1 / 40 | |
| 7.0.5 | 1 / 40 | |
| 7.0.4 | 1 / 40 | |
| 7.0.3 | 1 / 40 | |
| 7.0.2 | 1 / 40 | |
| 7.0.1 | 1 / 40 | |
| 7.0.0 | 1 / 40 | |
| 6.5.13 | 1 / 48 | |
| 6.5.12 | 1 / 48 | |
| 6.5.11 | 1 / 47 | |
| 6.5.10 | 1 / 48 | |
| 6.5.9 | 1 / 48 | |
| 6.5.0 | 1 / 48 | |
| 6.4.0 | 1 / 48 | |