@graphql-modules/logger
26
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
ardatandotansimhakamilkisielaurigo
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Established publisher (dotansimha) with strong track record; missing gitHead reflects a publish environment change, not a security concern for this package. | ai | |
| dependencies | unvetted-dep:@types/winston | AI (dependencies): @types/winston is a standard TypeScript type definition package for winston; its use here alongside the winston runtime dep is expected and benign for this logging utility package. | ai | |
| phantom-deps | phantom-dep:@types/winston | AI (phantom-deps): @types/winston is a TypeScript type definition package; being declared but not directly imported is expected behavior for type-only packages in older TS projects. | ai | |
| provenance | no-provenance | AI (provenance): Package is nearly 8 years old, predating npm provenance attestation. No provenance is expected for this package's era. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from dotansimha to ardatan occurred in 2018 as a known maintainer transition within the graphql-modules project. ardatan has a strong track record (94 approved packages). This is stable and not a security concern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Scoped monorepo sub-package from a well-established publisher; missing metadata is a monorepo convention, not a spam/malware indicator. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Scoped monorepo sub-package; missing description is a common convention, not a malicious signal for this publisher. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper; phantom detection is a known false positive for TypeScript-compiled packages. | ai |
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 0.2.3 | 2 / 2 | |
| 0.2.2 | 2 / 2 | |
| 0.2.1 | 2 / 2 | |
| 0.2.0 | 3 / 2 | |
| 0.1.9 | 3 / 2 | |
| 0.1.8 | 3 / 2 | |
| 0.1.6 | 2 / 2 | |
| 0.1.5 | 2 / 2 | |
| 0.1.2 | 2 / 2 | |
| 0.1.1 | 2 / 2 | |
| 0.1.0 | 2 / 2 | |
| 0.0.15 | 2 / 2 | |
| 0.0.14 | 2 / 2 | |
| 0.0.13 | 2 / 2 | |
| 0.0.12 | 2 / 2 | |
| 0.0.11 | 2 / 2 | |
| 0.0.10 | 2 / 2 | |
| 0.0.9 | 2 / 2 | |
| 0.0.8 | 2 / 2 | |
| 0.0.7 | 2 / 2 | |
| 0.0.6 | 3 / 2 | |
| 0.0.5 | 3 / 2 | |
| 0.0.4 | 3 / 2 | |
| 0.0.3 | 3 / 2 | |
| 0.0.2 | 3 / 2 | |
| 0.0.1 | 3 / 2 |