
@subql/common

Versions: 51
License: GPL-3.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source. The other two signals do not close that gap: a registry signature only attests that the registry served this tarball with this integrity hash, and the gitHead field is self-reported by whoever ran the publish, so neither proves the tarball was built from the commit it names. The axios compromise (March 2026) relied on exactly this gap.

Maintainers

onfinality-admin
scott_subql

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | large-new-source-files | AI (source-diff): Active SDK package with frequent feature releases; 21 new files is consistent with a significant version increment from a trusted publisher with no obfuscation signals. | ai |
phantom-deps | phantom-dep:@subql/x-vm2 | AI (phantom-deps): Same-org scoped package declared as dependency; phantom classification is a stable false positive for this package's dependency structure. | ai |
dependencies | unvetted-dep:@subql/x-vm2 | AI (dependencies): @subql/x-vm2 is SubQuery's own scoped fork of vm2, same org as this package. Its use is consistent with SubQuery's sandboxed execution pattern across their ecosystem. | ai |
phantom-deps | phantom-dep:class-transformer | AI (phantom-deps): class-transformer is legitimately declared and used; phantom-dep finding reflects indirect usage pattern, not a real risk. | ai |
phantom-deps | phantom-dep:tar | AI (phantom-deps): tar is legitimately declared and used; phantom-dep finding reflects indirect usage pattern, not a real risk. | ai |
phantom-deps | phantom-dep:vm2 | AI (phantom-deps): vm2 is legitimately declared and used; phantom-dep finding reflects indirect usage pattern, not a real risk. | ai |
phantom-deps | phantom-dep:ansi-styles | AI (phantom-deps): ansi-styles is legitimately declared and used; phantom-dep finding reflects indirect usage pattern, not a real risk. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): jay_ji removal paired with scott_subql addition is consistent with internal team rotation at SubQuery/Onfinality, not a hostile takeover. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): scott_subql is a SubQuery organization member; maintainer rotation within the same org is expected for an active project with 189 versions and strong publisher track record. | ai |
dependencies | unvetted-dep:sequelize | AI (dependencies): sequelize is a widely-used ORM; appropriate dependency for a data indexing framework like SubQuery. | ai |
dependencies | unvetted-dep:detect-port | AI (dependencies): detect-port is a benign utility for port detection; no security concern for this package. | ai |
dependencies | unvetted-dep:vm2 | AI (dependencies): vm2 is a legitimate sandboxed execution environment used in SubQuery's blockchain indexing framework; appropriate for this package's use case. | ai |
dependencies | unvetted-dep:pino | AI (dependencies): pino is a well-known, widely-used Node.js logger; no security concern for this package. | ai |
semgrep | semgrep:hex-decode | AI (semgrep): The hex decode is a hardcoded MMR leaf constant (all-zeros with trailing 1) used in blockchain Merkle tree logic. No dynamic or network-sourced payload; stable false positive for this package. | ai |
dependencies | unvetted-dep:ipfs-http-client | AI (dependencies): ipfs-http-client is a well-known IPFS library from Protocol Labs; its use in @subql/common is intentional and consistent across SubQuery ecosystem versions. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): form-data is a well-established package with hundreds of millions of weekly downloads; its addition is a routine, low-risk dependency for multipart form support alongside axios. | ai |
provenance | no-provenance | AI (provenance): Established publisher with long history; lack of provenance is consistent across all prior versions and is not a risk signal here. | ai |
npm-metadata | no-description | AI (npm-metadata): Empty description is a known characteristic of this monorepo package; not indicative of malicious intent. | ai |
phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): fs-extra is a legitimate utility dependency in this package; phantom-dep flag is a false positive for this package. | ai |
dependencies | unvetted-dep:update-notifier | AI (dependencies): update-notifier is a standard CLI update notification utility; no security concern. | ai |
dependencies | unvetted-dep:@subql/types-core | AI (dependencies): This is a sibling package within the same SubQuery monorepo; no security concern. | ai |
dependencies | unvetted-dep:class-transformer | AI (dependencies): class-transformer is a widely-used object transformation library in the TypeScript ecosystem; no security concern. | ai |
dependencies | unvetted-dep:axios | AI (dependencies): axios is a widely-used, legitimate HTTP client library; no security concern for this package. | ai |
dependencies | unvetted-dep:form-data | AI (dependencies): form-data is a well-known, legitimate multipart form data library; no security concern. | ai |
dependencies | unvetted-dep:class-validator | AI (dependencies): class-validator is a widely-used validation library in the TypeScript/NestJS ecosystem; no security concern. | ai |
dependencies | unvetted-dep:reflect-metadata | AI (dependencies): reflect-metadata is a standard TypeScript decorator metadata polyfill; no security concern. | ai |

Versions (showing 51 of 85)

Version Deps Published
5.7.1 9 / 3
5.7.0 9 / 3
5.6.1 9 / 3
5.6.0 9 / 3
5.5.0 9 / 3
5.4.0 9 / 3
5.3.1 9 / 3
5.3.0 9 / 3
5.2.2 9 / 3
5.2.1 8 / 3
5.2.0 8 / 3
5.1.3 8 / 3
5.1.2 8 / 3
5.1.1 8 / 3
5.1.0 8 / 3
4.1.1 9 / 8
4.1.0 9 / 8
4.0.1 10 / 8
4.0.0 10 / 8
3.9.0 10 / 8
3.8.0 10 / 8
3.7.0 10 / 8
3.6.0 10 / 8
3.5.1 10 / 8
3.5.0 10 / 8
3.4.1 10 / 8
3.3.1 10 / 8
3.3.0 10 / 8
3.2.0 10 / 8
3.1.3 10 / 8
3.1.2 10 / 8
3.1.1 10 / 8
2.7.0 9 / 8
2.6.0 9 / 8
2.5.0 9 / 8
2.4.0 8 / 7
2.3.0 8 / 7
2.2.2 8 / 7
2.2.0 8 / 7
2.1.2 8 / 7
2.1.1 8 / 7
2.1.0 8 / 7
2.0.0 8 / 7
1.8.1 8 / 7
1.7.0 8 / 7
1.6.0 8 / 7
1.5.0 8 / 7
1.4.4 8 / 7
1.4.3 8 / 7
1.4.2 8 / 7
1.4.1 8 / 7