@graphql-hive/gateway-runtime
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/index.cjs | AI (source-diff): Encoded string is a base64 PNG icon (iVBORw0KGgo... magic bytes); benign and stable for this package. | ai | |
| source-diff | encoded-string-file:dist/index.js | AI (source-diff): Same base64 PNG icon in ESM build; benign and stable for this package. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a type-only dep used by convention; stable false positive. | ai | |
| phantom-deps | phantom-dep:@graphql-tools/stitch | AI (phantom-deps): Referenced in config files per analyzer note; stable false positive for this package. | ai |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 2.9.6 | 37 / 16 | |
| 2.9.5 | 37 / 16 | |
| 2.9.4 | 37 / 16 | |
| 2.9.2 | 37 / 16 | |
| 2.9.0 | 37 / 16 | |
| 2.8.11 | 37 / 16 | |
| 2.8.10 | 37 / 16 | |
| 2.8.8 | 37 / 16 | |
| 2.8.5 | 36 / 16 | |
| 2.8.3 | 36 / 16 | |
| 2.7.11 | 36 / 16 | |
| 2.7.4 | 36 / 16 | |
| 2.7.2 | 36 / 16 | |
| 2.6.1 | 36 / 16 | |
| 2.5.5 | 36 / 16 | |
| 2.5.2 | 36 / 16 | |
| 2.5.1 | 36 / 16 | |
| 2.4.1 | 36 / 16 | |
| 2.4.0 | 36 / 16 | |
| 2.3.5 | 36 / 16 | |
| 2.3.3 | 36 / 16 | |
| 2.3.1 | 36 / 16 | |
| 2.1.9 | 36 / 16 | |
| 2.1.7 | 36 / 16 | |
| 2.1.6 | 36 / 16 | |
| 2.0.3 | 36 / 16 | |
| 2.0.2 | 36 / 16 |
v2.9.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.5
3 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.9.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.8.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.11
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v2.7.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.