relay-runtime
A core runtime for building GraphQL-driven applications.
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:relay-runtime-experimental.js | AI (source-diff): relay-runtime ships standard webpack/UMD minified bundles as part of its normal build output. The sample confirms a legitimate Relay bundle pattern, not obfuscation or malware. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): invariant is a well-known Meta/Facebook utility already used throughout the Relay ecosystem; its addition is expected and benign. | ai | |
| source-diff | obfuscated-file:relay-runtime.js | AI (source-diff): relay-runtime ships a standard webpack UMD bundle as its distribution artifact. Minified build output is expected and stable for this package across all versions. | ai | |
| source-diff | net-exec-file:relay-runtime.js | AI (source-diff): Network calls in relay-runtime.js are GraphQL fetch operations — core library functionality, not dropper/loader behavior. False positive for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): relay-runtime is a large, actively developed Facebook OSS project; major version bumps routinely add many source files. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Initial placeholder release by trusted publisher; no description is expected for a namespace-reservation stub. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Version 0.0.1 is a legitimate namespace-reservation stub by trusted Meta/Facebook publisher kassens. Signals reflect intentional placeholder, not spam or malware. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removal reflects Meta consolidating Relay publishing under relay-bot automation; consistent with organizational publishing automation, not a takeover. | ai | |
| provenance | publisher-changed | AI (provenance): relay-bot is Meta's established automation account (1693 days old, 8 approved packages) used for publishing Relay packages; this publisher transition is a legitimate organizational change. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() appears in relay-runtime's standard UMD bundle output; this is a known pattern in the Relay framework's minified build, not a malicious code execution vector. | ai | |
| provenance | no-provenance | AI (provenance): relay-runtime is a long-established Facebook/Meta package predating Sigstore provenance; absence of attestation is expected and not a risk signal for this package. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): relay-runtime is part of Meta's Relay monorepo; rapid successive publishes are expected from their automated release pipeline publishing multiple packages simultaneously. | ai | |
| dependencies | unvetted-dep:fbjs | AI (dependencies): fbjs is a well-known Facebook/Meta utility library and a standard, expected dependency for Relay packages. Not a security concern. | ai |
Versions (showing 51 of 55)
| Version | Deps | Published |
|---|---|---|
| 21.0.1 | 3 / 0 | |
| 21.0.0 | 3 / 0 | |
| 20.1.1 | 3 / 0 | |
| 20.1.0 | 3 / 0 | |
| 20.0.0 | 3 / 0 | |
| 19.0.0 | 3 / 0 | |
| 18.2.0 | 3 / 0 | |
| 18.1.0 | 3 / 0 | |
| 18.0.0 | 3 / 0 | |
| 17.0.0 | 3 / 0 | |
| 16.2.0 | 3 / 0 | |
| 16.1.0 | 3 / 0 | |
| 16.0.0 | 3 / 0 | |
| 15.0.0 | 3 / 0 | |
| 14.1.0 | 3 / 0 | |
| 14.0.0 | 3 / 0 | |
| 13.2.0 | 3 / 0 | |
| 13.1.1 | 3 / 0 | |
| 13.1.0 | 3 / 0 | |
| 13.0.3 | 3 / 0 | |
| 13.0.2 | 3 / 0 | |
| 13.0.1 | 3 / 0 | |
| 13.0.0 | 3 / 0 | |
| 12.0.0 | 3 / 0 | |
| 11.0.2 | 3 / 0 | |
| 11.0.1 | 2 / 0 | |
| 11.0.0 | 2 / 0 | |
| 10.1.3 | 2 / 0 | |
| 10.1.2 | 2 / 0 | |
| 10.1.1 | 2 / 0 | |
| 10.1.0 | 2 / 0 | |
| 10.0.1 | 2 / 0 | |
| 10.0.0 | 2 / 0 | |
| 9.1.0 | 2 / 0 | |
| 9.0.0 | 2 / 0 | |
| 8.0.0 | 2 / 0 | |
| 7.1.0 | 2 / 0 | |
| 7.0.0 | 2 / 0 | |
| 6.0.0 | 2 / 0 | |
| 5.0.0 | 2 / 0 | |
| 4.0.0 | 2 / 0 | |
| 3.0.0 | 2 / 0 | |
| 2.0.0 | 2 / 0 | |
| 1.7.0 | 2 / 0 | |
| 1.6.2 | 2 / 0 | |
| 1.6.1 | 2 / 0 | |
| 1.6.0 | 2 / 0 | |
| 1.5.0 | 2 / 0 | |
| 1.4.1 | 3 / 0 | |
| 1.4.0 | 3 / 0 | |
| 1.3.0 | 3 / 0 |
v21.0.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v21.0.0
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-18. This could indicate a legitimate maintainer transition or an account compromise.
v1.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-09-22. This could indicate a legitimate maintainer transition or an account compromise.