← Home

@graphql-codegen/cli

npm Repository Homepage

<p align="center"> <img src="https://github.com/dotansimha/graphql-code-generator/blob/master/logo.png?raw=true" /> </p>

40
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

dotansimhaardatankamilkisielaurigotheguild-bot

Keywords

gqlgeneratorcodetypesinterfacesgraphqlcodegenapollonodetypescripttsflowtypesd.tstypings

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
npm-metadata no-description AI (npm-metadata): Monorepo sub-package; missing description is stable and benign for this package. ai
phantom-deps phantom-dep:@graphql-codegen/client-preset AI (phantom-deps): Same-org optional/peer-like dep used at runtime; stable false positive. ai
bogus-package bogus-package AI (bogus-package): Monorepo sub-package with sparse README; not a spam indicator for a 6.8M download package. ai
semgrep semgrep:env-spread AI (semgrep): CLI tool augments PATH with node_modules/.bin for lifecycle hook execution; standard pattern. ai
provenance publisher-changed AI (provenance): theguild-bot is The Guild's official npm bot (9034 approved versions). Transition from dotansimha (Guild founder) is legitimate org automation. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require loads user-specified codegen plugins; core functionality of a plugin-based code generator. ai
semgrep semgrep:child-process-import AI (semgrep): CLI tool executes lifecycle hooks via child_process; core functionality. ai
maintainer-change maintainer-added AI (maintainer-change): theguild-bot is The Guild's established automation account; legitimate org-level maintainer management. ai
maintainer-change maintainer-removed AI (maintainer-change): Maintainer list cleanup is normal for org-managed packages at The Guild. ai

Versions (showing 40 of 40)

Version Deps Published
7.1.3 35 / 0
7.1.1 35 / 0
7.1.0 35 / 0
7.0.1 35 / 0
7.0.0 35 / 0
6.3.1 35 / 0
6.3.0 35 / 0
6.2.1 35 / 0
6.2.0 35 / 0
6.1.3 34 / 0
6.1.2 34 / 0
6.1.1 34 / 0
6.1.0 34 / 0
6.0.2 34 / 0
6.0.1 34 / 0
6.0.0 34 / 0
1.8.3 43 / 13
1.8.2 37 / 13
1.8.1 37 / 12
1.8.0 37 / 9
1.7.0 37 / 9
1.6.1 37 / 9
1.6.0 37 / 9
1.5.0 36 / 9
1.4.0 37 / 9
1.3.1 37 / 9
1.3.0 38 / 8
1.2.1 37 / 8
1.2.0 37 / 8
1.1.3 37 / 8
1.1.1 37 / 8
1.1.0 37 / 8
1.0.7 37 / 8
1.0.6 37 / 8
1.0.5 37 / 8
1.0.4 37 / 8
1.0.3 37 / 8
1.0.2 37 / 8
1.0.1 37 / 8
1.0.0 37 / 8

v7.1.3

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.1.1

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.1.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: theguild-bot → GitHub Actions (on 2026-05-27) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

v7.0.1

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: theguild-bot → GitHub Actions (on 2026-05-27) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-27. This could indicate a legitimate maintainer transition or an account compromise.

v7.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.0.1

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: dotansimha → theguild-bot (on 2025-10-21) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-21. This could indicate a legitimate maintainer transition or an account compromise.

v6.0.0

2 findings
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: dotansimha → theguild-bot (on 2025-09-07) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-07. This could indicate a legitimate maintainer transition or an account compromise.