@strapi/plugin-graphql
Adds GraphQL endpoint with default API methods.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Large monorepo; release cadence gaps are normal; no suspicious code changes in this version. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Strapi org regularly adds maintainers; no code changes accompany this version, low risk of compromise. | ai | |
| license | uncommon-license:SEE LICENSE IN LICENSE | AI (license): Standard pattern for monorepo packages referencing root LICENSE file. | ai | |
| dependencies | unvetted-dep:apollo-server-koa | AI (dependencies): apollo-server-koa is a well-known Apollo Server integration package; its use in the Strapi GraphQL plugin is expected and legitimate. | ai | |
| dependencies | unvetted-dep:@strapi/helper-plugin | AI (dependencies): @strapi/helper-plugin is a first-party Strapi package used across the Strapi ecosystem; no security concern. | ai | |
| dependencies | unvetted-dep:@koa/cors | AI (dependencies): @koa/cors is the official CORS middleware for Koa; standard and legitimate dependency. | ai | |
| dependencies | unvetted-dep:graphql-depth-limit | AI (dependencies): graphql-depth-limit is a well-known security utility for GraphQL; appropriate dependency. | ai | |
| dependencies | unvetted-dep:@as-integrations/koa | AI (dependencies): Official Apollo Server integration for Koa; standard dependency for this plugin. | ai | |
| dependencies | unvetted-dep:@strapi/design-system | AI (dependencies): Same-org Strapi package; legitimate UI dependency for the admin panel. | ai | |
| dependencies | unvetted-dep:graphql-playground-middleware-koa | AI (dependencies): Well-known GraphQL Playground middleware for Koa; standard dev tooling dependency. | ai | |
| provenance | no-provenance | AI (provenance): Strapi monorepo packages have historically not used Sigstore provenance; not a risk indicator for this established package. | ai | |
| dependencies | unvetted-dep:nexus | AI (dependencies): nexus is a well-known GraphQL schema-building library; standard dependency for this Strapi GraphQL plugin. | ai | |
| dependencies | unvetted-dep:@strapi/icons | AI (dependencies): Same-org Strapi package; legitimate UI dependency for the admin panel. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Monorepo sub-package; short README and no keywords are expected as documentation lives in the main Strapi docs. | ai | |
| phantom-deps | phantom-dep:graphql-playground-middleware-koa | AI (phantom-deps): Referenced in config files but not directly imported; consistent with optional/conditional usage in Strapi GraphQL plugin. | ai | |
| phantom-deps | phantom-dep:@strapi/design-system | AI (phantom-deps): Same-org sibling package used indirectly in monorepo context; phantom dep is expected for this Strapi plugin. | ai | |
| phantom-deps | phantom-dep:@strapi/icons | AI (phantom-deps): Same-org sibling package used indirectly in monorepo context; phantom dep is expected for this Strapi plugin. | ai | |
| phantom-deps | phantom-dep:koa-compose | AI (phantom-deps): Referenced in config files but not directly imported; common in Koa-based monorepo plugins. | ai | |
Versions (showing 51 of 56)
| Version | Deps | Published |
|---|---|---|
| 5.47.1 | 17 / 14 | |
| 5.47.0 | 17 / 14 | |
| 5.46.1 | 17 / 14 | |
| 5.46.0 | 17 / 14 | |
| 5.45.0 | 17 / 14 | |
| 5.44.0 | 17 / 14 | |
| 5.43.0 | 17 / 14 | |
| 5.42.1 | 17 / 14 | |
| 5.42.0 | 17 / 14 | |
| 5.41.1 | 17 / 14 | |
| 5.41.0 | 17 / 14 | |
| 5.39.0 | 17 / 14 | |
| 5.38.0 | 17 / 14 | |
| 5.37.1 | 17 / 14 | |
| 5.36.1 | 17 / 14 | |
| 5.36.0 | 17 / 14 | |
| 5.35.0 | 17 / 14 | |
| 5.34.0 | 17 / 14 | |
| 5.33.4 | 17 / 14 | |
| 5.33.3 | 17 / 14 | |
| 5.33.2 | 17 / 14 | |
| 5.33.1 | 17 / 14 | |
| 5.33.0 | 17 / 14 | |
| 5.32.0 | 17 / 14 | |
| 5.31.3 | 17 / 14 | |
| 5.31.2 | 17 / 14 | |
| 5.31.1 | 17 / 14 | |
| 5.31.0 | 17 / 14 | |
| 5.30.1 | 17 / 14 | |
| 5.30.0 | 17 / 14 | |
| 5.28.0 | 17 / 14 | |
| 5.26.0 | 17 / 14 | |
| 5.25.0 | 17 / 14 | |
| 5.24.2 | 17 / 14 | |
| 5.24.1 | 17 / 14 | |
| 5.23.6 | 17 / 14 | |
| 5.23.5 | 17 / 14 | |
| 5.23.4 | 17 / 14 | |
| 5.23.3 | 17 / 14 | |
| 5.23.1 | 17 / 14 | |
| 5.23.0 | 17 / 14 | |
| 5.22.0 | 17 / 14 | |
| 5.21.0 | 17 / 14 | |
| 5.20.0 | 17 / 14 | |
| 5.18.1 | 17 / 14 | |
| 5.18.0 | 17 / 14 | |
| 5.17.0 | 17 / 14 | |
| 5.16.0 | 17 / 14 | |
| 5.15.1 | 17 / 14 | |
| 5.15.0 | 17 / 14 | |
| 5.14.0 | 17 / 14 | |
v5.47.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.47.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.46.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.46.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.45.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.43.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.42.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.42.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.41.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.39.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.38.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.37.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.36.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.36.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.35.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.34.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.33.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.32.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.31.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.31.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.31.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.31.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.30.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.30.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.24.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.23.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.