graphile-settings — Greenflagged

graphile settings

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pyramationluca608phatg

Keywords

graphilesettingsconfigurationconstructivegraphql

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): Package is a graphile plugin aggregator; adding graphile-ecosystem deps is expected behavior for this package.	ai	2026/05/25
dependencies	unvetted-dep:@pyramation/postgraphile-plugin-fulltext-filter	AI (dependencies): Same pyramation org as publisher; stable ecosystem dep.	ai	2026/05/19
dependencies	unvetted-dep:postgraphile-plugin-connection-filter-postgis	AI (dependencies): PostGraphile ecosystem plugin; stable for this package.	ai	2026/05/19
dependencies	unvetted-dep:postgraphile-plugin-connection-filter	AI (dependencies): Well-known PostGraphile plugin; stable for this package.	ai	2026/05/19
dependencies	unvetted-dep:postgraphile-derived-upload-field	AI (dependencies): PostGraphile ecosystem plugin; stable for this package.	ai	2026/05/19
dependencies	unvetted-dep:graphile-simple-inflector	AI (dependencies): Graphile ecosystem plugin; stable for this package.	ai	2026/05/19
dependencies	unvetted-dep:graphile-search-plugin	AI (dependencies): Graphile ecosystem plugin; stable for this package.	ai	2026/05/19
dependencies	unvetted-dep:@launchql/upload-names	AI (dependencies): Same launchql org; stable ecosystem dep.	ai	2026/05/19
dependencies	unvetted-dep:@launchql/s3-streamer	AI (dependencies): Same launchql org; stable ecosystem dep.	ai	2026/05/19
dependencies	unvetted-dep:graphile-meta-schema	AI (dependencies): Graphile ecosystem plugin; stable for this package.	ai	2026/05/19
dependencies	unvetted-dep:@pyramation/postgis	AI (dependencies): Same pyramation org as publisher; stable ecosystem dep.	ai	2026/05/19
dependencies	unvetted-dep:@launchql/types	AI (dependencies): Same launchql org; stable ecosystem dep.	ai	2026/05/19
dependencies	unvetted-dep:graphile-i18n	AI (dependencies): Graphile ecosystem plugin; stable pattern for this settings aggregator package.	ai	2026/05/19
dependencies	unvetted-dep:@launchql/env	AI (dependencies): Same launchql org as publisher; consistent ecosystem pattern across versions.	ai	2026/05/19
phantom-deps	phantom-dep:graphile-query	AI (phantom-deps): Config aggregator pattern; deps declared for consumers, not directly imported.	ai	2026/05/19
phantom-deps	phantom-dep:graphql-tag	AI (phantom-deps): Config aggregator pattern; deps declared for consumers, not directly imported.	ai	2026/05/19
phantom-deps	phantom-dep:graphql-upload	AI (phantom-deps): Config aggregator pattern; deps declared for consumers, not directly imported.	ai	2026/05/19
phantom-deps	phantom-dep:graphile-settings	AI (phantom-deps): Self-referential dep in config aggregator; stable false positive.	ai	2026/05/19
phantom-deps	phantom-dep:postgraphile-derived-upload-field	AI (phantom-deps): Config aggregator pattern; deps declared for consumers, not directly imported.	ai	2026/05/19
publish-pattern	dormant-publish	AI (publish-pattern): Publisher has extensive trusted history; dormancy followed by minor version bump is low risk for this package.	ai	2026/04/30
dependencies	unvetted-dep:@graphile-contrib/pg-many-to-many	AI (dependencies): Known Graphile ecosystem plugin; RC version pinned explicitly, consistent with this package's graphile-stack usage.	ai	2026/04/30
provenance	no-provenance	AI (provenance): Established publisher with strong track record; lack of provenance is common and not a disqualifier here.	ai	2026/04/29
phantom-deps	phantom-dep:@constructive-io/graphql-types	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:@aws-sdk/client-s3	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:@dataplan/json	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:@pgpmjs/types	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:@dataplan/pg	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:request-ip	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:tamedevil	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:lru-cache	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:pg	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:express	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:grafserv	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29
phantom-deps	phantom-dep:cors	AI (phantom-deps): Config/settings package; deps declared for consumer use, not direct import.	ai	2026/04/29

Versions (showing 33 of 33)

Version	Deps	Published
5.6.1	41 / 8	2026-06-05
5.6.0	41 / 8	2026/05/31
5.3.1	41 / 8	2026/05/24
5.2.3	41 / 8	2026-05-20
4.23.0	37 / 8	2026-04-30
4.22.3	37 / 8	2026-04-29
4.22.2	37 / 8	2026-04-28
4.22.1	37 / 8	2026-04-27
4.22.0	37 / 9	2026-04-27
4.21.7	36 / 9	2026-04-20
4.21.6	36 / 9	2026-04-20
4.21.4	36 / 9	2026-04-19
4.21.3	36 / 9	2026-04-19
4.21.2	36 / 9	2026-04-18
4.21.0	36 / 9	2026-04-18
4.20.1	36 / 9	2026-04-11
4.19.0	35 / 9	2026-04-04
4.18.9	32 / 9	2026-04-02
4.18.7	32 / 9	2026-04-02
4.18.6	32 / 9	2026-04-01
4.18.4	32 / 9	2026-03-31
4.18.3	32 / 9	2026-03-30
4.18.2	32 / 9	2026-03-30
4.10.2	32 / 9	2026-03-19
2.6.11	25 / 7	2025-11-25
2.6.3	25 / 7	2025-11-21
2.6.2	25 / 7	2025-11-20
2.6.1	25 / 7	2025-11-16
2.6.0	24 / 7	2025-11-16
2.5.5	24 / 7	2025-11-12
2.5.4	25 / 7	2025-11-12
2.5.3	25 / 7	2025-11-07
2.5.2	25 / 7	2025-11-07

v5.6.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.3.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.2.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.23.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.22.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.22.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v4.10.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.6.11

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.6.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.6.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.6.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.6.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.5.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.5.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.5.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.5.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.