@langchain/langgraph-checkpoint-sqlite

LangGraph

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

hwchase17jacoblee93basprouleric_langchainandrewnguonlydavidduongmaddyadamssam_noyesandy-langchainrcasuphntrlchristian-bromann

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	suspicious-initial-version	AI (npm-metadata): 0.0.0 is the intentional initial version scheme used across the LangGraph JS monorepo; not indicative of malicious throwaway package given established publisher and official repo.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Publisher jacoblee93 has a long track record; lack of provenance is common and not a risk signal for this package.	ai	2026/04/24
provenance	missing-githead	AI (provenance): Package has SLSA provenance attestation which supersedes gitHead as a source link. The transition to GitHub Actions CI/CD publishing explains the missing gitHead field.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): LangChain migrated to GitHub Actions for automated publishing, corroborated by SLSA provenance attestation. This is a legitimate CI/CD transition for the official langchain-ai org.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): andy-langchain and rcasup are LangChain organization accounts; addition is consistent with normal team evolution at an established org.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): nfcampos removal is consistent with team role changes at LangChain; no evidence of hostile takeover given SLSA attestation and official repo match.	ai	2026/04/23

Versions (showing 11 of 11)

Version	Deps	Published
1.0.1	1 / 21	2026-02-03
1.0.0	1 / 21	2025-10-18
0.2.1	1 / 22	2025-08-28
0.2.0	1 / 22	2025-07-28
0.1.5	1 / 28	2025-05-13
0.1.4	1 / 28	2025-01-30
0.1.3	1 / 28	2024-10-29
0.1.2	1 / 28	2024-09-14
0.1.1	1 / 28	2024-09-04
0.0.1	1 / 27	2024-08-23
0.0.0	1 / 27	2024-08-22

v1.0.1

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: davidduong → GitHub Actions (on 2026-02-03) provenance

This version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: benjamincburns → davidduong (on 2025-08-28) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-28. This could indicate a legitimate maintainer transition or an account compromise.

v0.2.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: benjamincburns → davidduong (on 2025-07-28) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-28. This could indicate a legitimate maintainer transition or an account compromise.

v0.1.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.