graphql-playground-react
GraphQL IDE for better development workflows (GraphQL Subscriptions, interactive docs & collaboration).
Versions: 1
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
schickling, timsuchanek, jasonkuhrt, acao, divyenduz, huvik
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:react-addons-shallow-compare | AI (phantom-deps): Bundled into compiled React output. | ai | |
| phantom-deps | phantom-dep:json-stable-stringify | AI (phantom-deps): Bundled into compiled output. | ai | |
| phantom-deps | phantom-dep:react-transition-group | AI (phantom-deps): Bundled into compiled output. | ai | |
| phantom-deps | phantom-dep:webpack-bundle-analyzer | AI (phantom-deps): Build tool dep, bundled or used at build time. | ai | |
| phantom-deps | phantom-dep:redux-localstorage-filter | AI (phantom-deps): Bundled into compiled Redux app output. | ai | |
| phantom-deps | phantom-dep:redux-localstorage-debounce | AI (phantom-deps): Bundled into compiled Redux app output. | ai | |
| phantom-deps | phantom-dep:cryptiles | AI (phantom-deps): Bundled React app ships compiled output; build-time deps appear phantom in shipped files. | ai | |
| phantom-deps | phantom-dep:utility-types | AI (phantom-deps): TypeScript utility used at build time, bundled into output. | ai | |
| phantom-deps | phantom-dep:calculate-size | AI (phantom-deps): Used in bundled build output, not directly imported in shipped files. | ai | |
| phantom-deps | phantom-dep:zen-observable | AI (phantom-deps): Apollo ecosystem dep bundled into output. | ai | |
| phantom-deps | phantom-dep:lodash.debounce | AI (phantom-deps): Bundled into compiled output. | ai | |
| phantom-deps | phantom-dep:@types/lru-cache | AI (phantom-deps): TypeScript type declaration, used at build time only. | ai | |
| phantom-deps | phantom-dep:react-codemirror | AI (phantom-deps): Bundled into compiled React app output. | ai | |
| phantom-deps | phantom-dep:react-virtualized | AI (phantom-deps): Bundled into compiled output. | ai | |
| phantom-deps | phantom-dep:react-display-name | AI (phantom-deps): Bundled into compiled output. | ai | |
| phantom-deps | phantom-dep:redux-localstorage | AI (phantom-deps): Bundled into compiled Redux app output. | ai | |
| phantom-deps | phantom-dep:seamless-immutable | AI (phantom-deps): Bundled into compiled output. | ai | |
| source-diff | net-exec-file:build/static/js/index.js | AI (source-diff): Browser UI bundle for a GraphQL IDE legitimately makes network calls (GraphQL queries) and uses dynamic module loading; not a dropper pattern. | ai | |
| source-diff | obfuscated-file:build/static/js/middleware.js | AI (source-diff): Same as index.js — standard webpack bundle output for a browser-side React application. | ai | |
| source-diff | net-exec-file:build/static/js/middleware.js | AI (source-diff): Browser middleware bundle for GraphQL playground; network calls are core functionality, not malware indicators. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by newly included webpack build artifacts (index.js 2.4MB, middleware.js 2.3MB) and their source maps (~17MB total) added to the published package. | ai | |
| source-diff | obfuscated-file:build/static/js/index.js | AI (source-diff): graphql-playground-react ships webpack-bundled browser assets; minified JS in build/static/js/ is expected and consistent with standard React/Redux bundle output. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 1.7.28 | 53 / 66 | |