Is @apollo/sandbox safe to use?

@apollo/sandbox has 1 known vulnerabilities on the latest version (2.7.4). DepScope rates its health at 51/100 (high risk).

What is the latest version of @apollo/sandbox?

The latest version of @apollo/sandbox is 2.7.4, released 2026-01-08.

Does @apollo/sandbox have known vulnerabilities?

Yes. @apollo/sandbox has 1 known vulnerabilities. See depscope.dev/pkg/npm/@apollo/sandbox for details.

Is @apollo/sandbox deprecated?

No, @apollo/sandbox is actively maintained. Latest release: 2.7.4 (2026-01-08).

What are alternatives to @apollo/sandbox?

Popular alternatives to @apollo/sandbox in npm include: semver, ansi-styles, minimatch, debug, brace-expansion.

What license does @apollo/sandbox use?

@apollo/sandbox is licensed under MIT.

@apollo/sandbox

npmv2.7.4

This repo hosts the source for Apollo Studio's Embeddable Sandbox

License MITpermissive24 versions3 maintainers6 deps

apollographql/embeddable-explorer/sandbox

/ 100

Health

update required

@apollo/[email protected] has vulnerabilities — update to latest

Update to >= 3.7.3 to fix known vulnerabilities

1 high severity vulnerabilities

Health breakdown0 – 100

15/25

maintenance

0/20

popularity

20/25

security

12/15

maturity

4/15

community

Vulnerabilities

1 high

Advisories (1)

Severity	ID	Summary	Fixed in
high	CVE-2025-59845	Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass	3.7.3

Bundle & TypeScript

📦

Bundle Size

69.1 KBminified

20.1 KB gzipped

6 direct dependencies

ESMside effectsscoped

🌟

TypeScript

10/10typed

bundled

Health History

Dependency Tree

License Audit

Dependencies (6)

graphql-ws eventemitter3 whatwg-mimetype zen-observable-ts @types/whatwg-mimetype subscriptions-transport-ws

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/npm/@apollo/sandbox