@subql/validator

to validate subquery project

Supply chain provenance

Status for the latest visible version.

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): New deps are all first-party @subql/* sibling packages from the same SubQuery org, representing legitimate multi-chain expansion. Pattern is stable for this package.	ai	2026/04/21
phantom-deps	phantom-dep:ipfs-http-client	AI (phantom-deps): ipfs-http-client is declared as a runtime dep in package.json; phantom detection likely reflects indirect usage. No security concern for this package.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Established SubQuery ecosystem package with clear purpose, repo, and publisher history. Short README and missing keywords are cosmetic, not indicative of spam or malice.	ai	2026/04/21
phantom-deps	phantom-dep:axios	AI (phantom-deps): Axios is a legitimate declared dependency in package.json; phantom-dep finding is a false positive for this package's usage pattern.	ai	2026/04/21

Version	Deps	Published
2.2.0	11 / 1	2023-08-10
2.1.1	10 / 1	2023-07-30
2.1.0	10 / 1	2023-06-26
2.0.0	11 / 1	2023-04-21
1.8.1	11 / 1	2023-03-07
1.8.0	11 / 1	2023-01-31
1.7.0	10 / 1	2022-11-24
1.6.0	9 / 1	2022-11-07
1.5.1	8 / 1	2022-10-06
1.5.0	8 / 1	2022-08-26
1.4.1	9 / 1	2022-08-11
1.4.0	9 / 1	2022-08-04
1.3.0	8 / 1	2022-07-28
1.2.2	8 / 1	2022-07-13
1.2.1	8 / 1	2022-07-05
1.2.0	9 / 1	2022-06-22
1.1.0	6 / 1	2022-05-31
1.0.0	6 / 1	2022-05-11
0.6.0	6 / 1	2022-04-06
0.4.5	5 / 1	2022-02-24
0.4.4	5 / 1	2022-02-15
0.4.3	5 / 1	2022-02-10
0.4.2	5 / 1	2022-01-13
0.4.1	5 / 1	2021-12-23
0.4.0	5 / 1	2021-11-22
0.3.0	4 / 1	2021-10-12
0.2.0	3 / 1	2021-06-28
0.1.1	3 / 1	2021-05-05
0.1.0	3 / 1	2021-03-11