postgraphile — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

benjie

graphilegraphqlenginepostgraphilepgpostgrespostgresqlgraphqljspluginengineextensiongraphite

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:pg	AI (phantom-deps): pg is a declared dep/peer-dep re-exported via fwd/ pattern, not a phantom.	ai	2026/04/29
phantom-deps	phantom-dep:ws	AI (phantom-deps): ws is a declared dep re-exported via fwd/ pattern.	ai	2026/04/29
phantom-deps	phantom-dep:debug	AI (phantom-deps): debug is a declared dep used transitively/re-exported.	ai	2026/04/29
phantom-deps	phantom-dep:graphql	AI (phantom-deps): graphql is a declared dep/peer-dep re-exported via fwd/grafast/graphql.	ai	2026/04/29
phantom-deps	phantom-dep:iterall	AI (phantom-deps): iterall is a declared dep; forwarding pattern explains no direct import.	ai	2026/04/29
phantom-deps	phantom-dep:@types/pg	AI (phantom-deps): Type-only package; no runtime import expected.	ai	2026/04/29
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): Type-only package; no runtime import expected.	ai	2026/04/29
phantom-deps	phantom-dep:@graphile/lru	AI (phantom-deps): @graphile/lru is a declared dep re-exported via fwd/ pattern.	ai	2026/04/29

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.