@reltio/graph — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

egorshkovvitaly.gerasevalexander.leshukovreltio-ui-coemanpreet_hayerandrew.borovin.reltioamith.ravuru

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	encoded-string-file:bundle.js	AI (source-diff): bundle.js is a standard webpack bundle; long strings are MUI icon require lists, not obfuscated payloads.	ai	2026/05/29
npm-metadata	no-description	AI (npm-metadata): Consistent pattern across 1353 versions of this org-internal package.	ai	2026/05/27
provenance	no-provenance	AI (provenance): Org-internal package; no provenance is consistent across all versions.	ai	2026/05/27
bogus-package	bogus-package	AI (bogus-package): Internal enterprise module; sparse metadata is consistent across all 1353 versions of this org's packages.	ai	2026/05/26
phantom-deps	phantom-dep:graphology-layout	AI (phantom-deps): Graph layout lib; referenced in config, stable FP.	ai	2026/04/30
phantom-deps	phantom-dep:graphology-operators	AI (phantom-deps): Graph operators lib; referenced in config, stable FP.	ai	2026/04/30
phantom-deps	phantom-dep:graphology-shortest-path	AI (phantom-deps): Graph algorithm lib; referenced in config, stable FP.	ai	2026/04/30
phantom-deps	phantom-dep:sigma	AI (phantom-deps): Graph visualization lib; likely re-exported or used via config/peer, not directly imported.	ai	2026/04/30
phantom-deps	phantom-dep:@reltio/profile	AI (phantom-deps): Same org scope; stable FP for internal monorepo-style package.	ai	2026/04/30
phantom-deps	phantom-dep:@reltio/components	AI (phantom-deps): Same org scope; stable FP for internal monorepo-style package.	ai	2026/04/30
phantom-deps	phantom-dep:@reltio/mdm-module	AI (phantom-deps): Same org scope; stable FP for internal monorepo-style package.	ai	2026/04/30
phantom-deps	phantom-dep:@reltio/mdm-sdk	AI (phantom-deps): Same org scope; stable FP for internal monorepo-style package.	ai	2026/04/30
phantom-deps	phantom-dep:graphology	AI (phantom-deps): Core graph lib; referenced in config, stable false positive for this package.	ai	2026/04/30
phantom-deps	phantom-dep:graphology-types	AI (phantom-deps): Type-only dep; not directly imported but used in config/types.	ai	2026/04/30
phantom-deps	phantom-dep:@react-sigma/core	AI (phantom-deps): Sigma React wrapper; referenced in config, stable FP for this package.	ai	2026/04/30

Versions (showing 51 of 94)

View all versions

Version	Deps	Published
1.4.2335	11 / 0	2026-06-03
1.4.2334	11 / 0	2026-06-03
1.4.2333	11 / 0	2026-05-28
1.4.2332	11 / 0	2026-05-28
1.4.2331	11 / 0	2026-05-25
1.4.2330	11 / 0	2026-05-21
1.4.2329	11 / 0	2026-05-19
1.4.2328	11 / 0	2026-05-19
1.4.2323	11 / 0	2026-04-30
1.4.2322	11 / 0	2026-04-28
1.4.2319	11 / 0	2026-04-23
1.4.2317	11 / 0	2026-04-21
1.4.2316	11 / 0	2026-04-15
1.4.2315	11 / 0	2026-04-10
1.4.2314	11 / 0	2026-04-08
1.4.2313	11 / 0	2026-04-08
1.4.2312	11 / 0	2026-04-02
1.4.2311	11 / 0	2026-04-02
1.4.2310	11 / 0	2026-03-27
1.4.2309	11 / 0	2026-03-27
1.4.2308	11 / 0	2026-03-24
1.4.2307	11 / 0	2026-03-20
1.4.2306	11 / 0	2026-03-19
1.4.2304	11 / 0	2026-03-13
1.4.2303	11 / 0	2026-03-11
1.4.2302	11 / 0	2026-03-10
1.4.2301	11 / 0	2026-03-04
1.4.2298	11 / 0	2026-02-25
1.4.2295	11 / 0	2026-02-13
1.4.2294	11 / 0	2026-02-06
1.4.2293	11 / 0	2026-01-27
1.4.2288	11 / 0	2026-01-23
1.4.2283	11 / 0	2025-12-04
1.4.2281	11 / 0	2025-12-04
1.4.2280	11 / 0	2025-12-04
1.4.2278	11 / 0	2025-11-28
1.4.2275	11 / 0	2025-11-24
1.4.2274	11 / 0	2025-11-14
1.4.2273	11 / 0	2025-11-14
1.4.2270	11 / 0	2025-11-06
1.4.2269	11 / 0	2025-11-06
1.4.2268	11 / 0	2025-11-05
1.4.2266	11 / 0	2025-10-30
1.4.2265	11 / 0	2025-10-24
1.4.2264	11 / 0	2025-10-23
1.4.2263	11 / 0	2025-10-23
1.4.2261	11 / 0	2025-10-15
1.4.2260	11 / 0	2025-10-15
1.4.2259	11 / 0	2025-10-14
1.4.2258	11 / 0	2025-10-09
1.4.2257	11 / 0	2025-10-09

v1.4.2335

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2334

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2333

2 findings

HIGH Long encoded string in modified file: bundle.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2332

2 findings

HIGH Long encoded string in modified file: bundle.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.4.2331

2 findings

HIGH Long encoded string in modified file: bundle.js source-diff

Modified file contains 3 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.