@strapi/strapi — Greenflagged

An open source headless CMS solution to create and manage your own API. It provides a powerful dashboard and features to make your life easier. Databases supported: MySQL, MariaDB, PostgreSQL, SQLite

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pierreburgyaurelsicokoalexandrebodinconvlynico-strapistrapi.adzouzbaronvoninternetmarc-roig-strapijhoward1994bassel17cache-your-dreams

Keywords

strapicmscmfcontent management systemcontent management frameworkadmin paneldashboardapiauthframeworkhttpjsonkoakoajsmvcoauthoauth2ormrestrestfulsecurityjamjamstackjavascriptheadlessMySQLMariaDBPostgreSQLSQLitegraphqLinfrastructurebackendopen sourceself hostedreactreactjs

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): Strapi is an active org; maintainer additions are routine team changes, not takeover indicators.	ai	2026/04/28
publish-pattern	dormant-publish	AI (publish-pattern): Strapi is an actively maintained package with 2257 versions and 183k weekly downloads; dormancy signal is a false positive for this package.	ai	2026/04/27
dependencies	unvetted-dep:yalc	AI (dependencies): yalc is a legitimate local package development tool; its presence in Strapi's dependency list is a dev/tooling artifact, not a security risk. It is also a phantom dep (not directly imported).	ai	2026/04/26
phantom-deps	phantom-dep:yalc	AI (phantom-deps): yalc is declared but not directly imported; used as a dev tooling reference in Strapi's monorepo config. No security concern.	ai	2026/04/26
phantom-deps	phantom-dep:copyfiles	AI (phantom-deps): copyfiles is a standard build utility referenced in config files; phantom dep pattern is expected for Strapi's monorepo tooling setup.	ai	2026/04/26
install-scripts	install-script:postinstall	AI (install-scripts): Strapi's standard postinstall script (telemetry/welcome); present across all versions of this package.	ai	2026/04/26
dependencies	unvetted-dep:browserslist-to-esbuild	AI (dependencies): browserslist-to-esbuild is a legitimate build tooling dependency for Strapi's bundling pipeline.	ai	2026/04/26
dependencies	unvetted-dep:@vitejs/plugin-react-swc	AI (dependencies): @vitejs/plugin-react-swc is an official Vite plugin from the Vite org; legitimate build dependency for Strapi.	ai	2026/04/26
phantom-deps	phantom-dep:pkg-up	AI (phantom-deps): Large framework packages commonly load dependencies dynamically or via CLI tooling; phantom-dep findings are expected for @strapi/strapi.	ai	2026/04/26
phantom-deps	phantom-dep:ci-info	AI (phantom-deps): ci-info is a legitimate utility; phantom-dep pattern is expected for this large framework package.	ai	2026/04/26
phantom-deps	phantom-dep:nodemon	AI (phantom-deps): nodemon is used by Strapi's development server; dynamic loading pattern is expected for this framework.	ai	2026/04/26
phantom-deps	phantom-dep:concurrently	AI (phantom-deps): concurrently is a legitimate CLI utility; phantom-dep pattern is expected for this large framework.	ai	2026/04/26
phantom-deps	phantom-dep:git-url-parse	AI (phantom-deps): git-url-parse is used in Strapi's generator/CLI tooling; dynamic loading is expected for this framework.	ai	2026/04/26
phantom-deps	phantom-dep:react-refresh	AI (phantom-deps): react-refresh is a legitimate HMR dependency for Strapi's dev server; phantom-dep pattern expected.	ai	2026/04/26
phantom-deps	phantom-dep:@types/nodemon	AI (phantom-deps): Type definitions loaded by convention; phantom-dep finding is a false positive for this framework package.	ai	2026/04/26
phantom-deps	phantom-dep:get-latest-version	AI (phantom-deps): Legitimate CLI utility; dynamic loading pattern expected for Strapi's CLI tooling.	ai	2026/04/26
phantom-deps	phantom-dep:@strapi/permissions	AI (phantom-deps): Same-org @strapi scoped package; phantom-dep finding is expected for this monorepo-style framework.	ai	2026/04/26
dependencies	unvetted-dep:get-latest-version	AI (dependencies): get-latest-version is a legitimate utility used by Strapi CLI for version checking; appropriate for this package.	ai	2026/04/26
dependencies	unvetted-dep:esbuild-loader	AI (dependencies): esbuild-loader is a legitimate build tooling dependency appropriate for a major CMS framework like Strapi.	ai	2026/04/26
typosquat	typosquat.levenshtein:stripe	AI (typosquat): @strapi/strapi is the official Strapi headless CMS package, a completely different product from stripe. The @strapi org scope makes this a stable false positive.	ai	2026/04/25
phantom-deps	phantom-dep:@strapi/database	AI (phantom-deps): Same-org monorepo package; phantom dep pattern is expected in Strapi's monorepo structure.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/core	AI (dependencies): First-party monorepo package published at the same version; not an independent third-party dependency.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/i18n	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/admin	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/email	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/types	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/utils	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/upload	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/openapi	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/database	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/cloud-cli	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/generators	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/permissions	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/data-transfer	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/content-manager	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/content-releases	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/review-workflows	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/typescript-utils	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25
dependencies	unvetted-dep:@strapi/content-type-builder	AI (dependencies): First-party monorepo package published at the same version.	ai	2026/04/25