babel-plugin-remove-graphql-queries
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Part of the official Gatsby monorepo; mass-production signals reflect legitimate monorepo publishing patterns, not spam. No description/keywords is consistent across all Gatsby sub-packages. | ai | |
| provenance | no-provenance | AI (provenance): Established Gatsby ecosystem package with 3160-day history; lack of Sigstore provenance is expected for packages of this age and publishing pipeline. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate Gatsby→Netlify maintainer transition; serhalp-netlify is the new steward with strong track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are Netlify-affiliated, consistent with the known Gatsby organizational transition. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers are former Gatsby Inc. employees; expected during Netlify transition. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Monorepo sub-package; missing description is a metadata gap, not a malice indicator. | ai |
Versions (showing 100 of 146)
| Version | Deps | Published |
|---|---|---|
| 5.16.0 | 3 / 4 | |
| 5.15.0 | 3 / 4 | |
| 5.14.0 | 3 / 4 | |
| 5.13.1 | 3 / 4 | |
| 5.13.0 | 3 / 4 | |
| 5.12.1 | 3 / 4 | |
| 5.12.0 | 3 / 4 | |
| 5.11.0 | 3 / 4 | |
| 5.10.0 | 3 / 4 | |
| 5.9.0 | 3 / 4 | |
| 5.8.0 | 3 / 4 | |
| 5.7.0 | 3 / 4 | |
| 5.6.0 | 3 / 4 | |
| 5.5.0 | 3 / 4 | |
| 5.4.0 | 3 / 4 | |
| 5.3.1 | 3 / 4 | |
| 5.3.0 | 3 / 4 | |
| 5.2.0 | 3 / 4 | |
| 5.1.0 | 3 / 4 | |
| 5.0.0 | 3 / 4 | |
| 4.25.0 | 3 / 4 | |
| 4.24.0 | 3 / 4 | |
| 4.23.0 | 3 / 4 | |
| 4.22.0 | 3 / 4 | |
| 4.21.0 | 3 / 4 | |
| 4.20.0 | 3 / 4 | |
| 4.19.0 | 2 / 4 | |
| 4.18.1 | 2 / 4 | |
| 4.18.0 | 2 / 4 | |
| 4.17.0 | 2 / 4 | |
| 4.16.0 | 2 / 4 | |
| 4.15.0 | 2 / 4 | |
| 4.14.0 | 2 / 4 | |
| 4.13.0 | 2 / 4 | |
| 4.12.1 | 2 / 4 | |
| 4.12.0 | 2 / 4 | |
| 4.11.1 | 2 / 4 | |
| 4.11.0 | 2 / 4 | |
| 4.10.1 | 2 / 4 | |
| 4.10.0 | 2 / 4 | |
| 4.9.1 | 2 / 4 | |
| 4.9.0 | 2 / 4 | |
| 4.8.2 | 2 / 4 | |
| 4.8.1 | 2 / 4 | |
| 4.8.0 | 2 / 4 | |
| 4.7.0 | 2 / 4 | |
| 4.6.0 | 2 / 4 | |
| 4.5.2 | 2 / 4 | |
| 4.5.1 | 2 / 4 | |
| 4.5.0 | 2 / 4 | |
| 4.4.0 | 2 / 4 | |
| 4.3.0 | 2 / 4 | |
| 4.2.0 | 2 / 4 | |
| 4.1.3 | 2 / 4 | |
| 4.1.2 | 2 / 4 | |
| 4.1.1 | 2 / 4 | |
| 4.1.0 | 2 / 4 | |
| 4.0.0 | 2 / 4 | |
| 3.15.0 | 2 / 4 | |
| 3.14.0 | 2 / 4 | |
| 3.13.0 | 0 / 5 | |
| 3.12.0 | 0 / 5 | |
| 3.11.0 | 0 / 5 | |
| 3.10.0 | 0 / 5 | |
| 3.9.0 | 0 / 5 | |
| 3.8.0 | 0 / 5 | |
| 3.7.1 | 0 / 5 | |
| 3.7.0 | 0 / 5 | |
| 3.6.0 | 0 / 5 | |
| 3.5.0 | 0 / 5 | |
| 3.4.0 | 0 / 5 | |
| 3.3.0 | 0 / 5 | |
| 3.2.0 | 0 / 5 | |
| 3.1.0 | 0 / 5 | |
| 3.0.0 | 0 / 5 | |
| 2.16.1 | 0 / 5 | |
| 2.16.0 | 0 / 5 | |
| 2.15.0 | 0 / 4 | |
| 2.14.0 | 0 / 4 | |
| 2.13.0 | 0 / 4 | |
| 2.12.0 | 0 / 4 | |
| 2.11.0 | 0 / 4 | |
| 2.10.0 | 0 / 4 | |
| 2.9.20 | 0 / 4 | |
| 2.9.19 | 0 / 4 | |
| 2.9.18 | 0 / 4 | |
| 2.9.17 | 0 / 4 | |
| 2.9.16 | 0 / 4 | |
| 2.9.15 | 0 / 4 | |
| 2.9.14 | 0 / 4 | |
| 2.9.13 | 0 / 4 | |
| 2.9.12 | 0 / 4 | |
| 2.9.11 | 0 / 4 | |
| 2.9.10 | 0 / 4 | |
| 2.9.9 | 0 / 4 | |
| 2.9.7 | 0 / 4 | |
| 2.9.6 | 0 / 4 | |
| 2.9.5 | 0 / 4 | |
| 2.9.4 | 0 / 4 | |
| 2.9.3 | 0 / 4 |
v5.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
2 findingsThis version was published by a different npm account than previous versions on 2024-11-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-24. This could indicate a legitimate maintainer transition or an account compromise.
v5.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-04-18. This could indicate a legitimate maintainer transition or an account compromise.
v5.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-21. This could indicate a legitimate maintainer transition or an account compromise.
v5.6.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v5.5.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-24. This could indicate a legitimate maintainer transition or an account compromise.
v5.4.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-10. This could indicate a legitimate maintainer transition or an account compromise.
v5.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-12-13. This could indicate a legitimate maintainer transition or an account compromise.
v5.2.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-25. This could indicate a legitimate maintainer transition or an account compromise.
v5.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-22. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-08. This could indicate a legitimate maintainer transition or an account compromise.
v4.25.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.24.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v4.23.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-13. This could indicate a legitimate maintainer transition or an account compromise.
v4.22.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-30. This could indicate a legitimate maintainer transition or an account compromise.
v4.21.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-16. This could indicate a legitimate maintainer transition or an account compromise.
v4.20.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-02. This could indicate a legitimate maintainer transition or an account compromise.
v4.19.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-19. This could indicate a legitimate maintainer transition or an account compromise.
v4.18.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.18.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-05. This could indicate a legitimate maintainer transition or an account compromise.
v4.17.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-21. This could indicate a legitimate maintainer transition or an account compromise.
v4.16.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-07. This could indicate a legitimate maintainer transition or an account compromise.
v4.15.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-24. This could indicate a legitimate maintainer transition or an account compromise.
v4.14.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-10. This could indicate a legitimate maintainer transition or an account compromise.
v4.13.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-26. This could indicate a legitimate maintainer transition or an account compromise.
v4.12.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v4.12.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v4.11.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-29. This could indicate a legitimate maintainer transition or an account compromise.
v4.10.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.10.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-16. This could indicate a legitimate maintainer transition or an account compromise.
v4.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.8.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-01. This could indicate a legitimate maintainer transition or an account compromise.
v4.8.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-25. This could indicate a legitimate maintainer transition or an account compromise.
v4.8.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-22. This could indicate a legitimate maintainer transition or an account compromise.
v4.7.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-08. This could indicate a legitimate maintainer transition or an account compromise.
v4.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.