@the-neon/gql — Greenflagged

GraphQL support (GQL Generator) for Neon

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

stojcekrste.bozinoski

Keywords

neongraphqlgeneratortypescript

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
typosquat	typosquat.levenshtein:got	AI (typosquat): Scoped package @the-neon/gql; edit-distance match to 'got' is a false positive for this namespace.	ai	2026/05/16
typosquat	typosquat.levenshtein:qs	AI (typosquat): Scoped package @the-neon/gql; edit-distance match to 'qs' is a false positive for this namespace.	ai	2026/05/16
semgrep	semgrep:base64-decode	AI (semgrep): Decodes a role/permission config string for auth logic; no eval or network fetch involved.	ai	2026/05/16
phantom-deps	phantom-dep:graphql-tools	AI (phantom-deps): Listed as a runtime dep in package.json; phantom-dep heuristic is a false positive here.	ai	2026/05/16
phantom-deps	phantom-dep:@graphql-tools/schema	AI (phantom-deps): Listed as a runtime dep in package.json; phantom-dep heuristic is a false positive here.	ai	2026/05/16