babel-preset-gatsby
Gatsby uses the phenomenal project [Babel](https://babeljs.io/) to enable support for writing modern JavaScript — while still supporting older browsers. This package contains the default Babel setup for all Gatsby projects.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change from pieh to serhalp-netlify reflects Netlify's acquisition of Gatsby. serhalp-netlify has 5587 approved packages and 0 rejected — legitimate corporate transition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers mlgualtieri-gatsby and serhalp-netlify are Netlify/Gatsby org accounts, consistent with the corporate acquisition of Gatsby. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of legacy individual maintainers is expected as part of Netlify's consolidation of Gatsby package ownership under org accounts. | ai | |
| phantom-deps | phantom-dep:babel-plugin-macros | AI (phantom-deps): Babel plugin declared as dependency and referenced by name in preset config; standard Babel preset pattern. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-spread | AI (phantom-deps): Babel plugin declared as dependency and referenced by name in preset config; standard Babel preset pattern. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-classes | AI (phantom-deps): Babel plugin declared as dependency and referenced by name in preset config; standard Babel preset pattern. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-runtime | AI (phantom-deps): Babel plugin declared as dependency and referenced by name in preset config; standard Babel preset pattern. | ai | |
| phantom-deps | phantom-dep:babel-plugin-dynamic-import-node | AI (phantom-deps): Babel plugin declared as dependency and referenced by name in preset config; standard Babel preset pattern. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require loads a fixed-path Gatsby cache file (.cache/babelState.json). This is a documented Gatsby internal pattern, not arbitrary or malicious module loading. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-class-properties | AI (phantom-deps): Babel plugin declared as dependency and referenced by name in preset config; standard Babel preset pattern. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-optional-chaining | AI (phantom-deps): Babel plugin declared as dependency and referenced by name in preset config; standard Babel preset pattern. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-react-remove-prop-types | AI (phantom-deps): Babel plugin declared as dependency and referenced by name in preset config; standard Babel preset pattern. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-nullish-coalescing-operator | AI (phantom-deps): Babel plugin declared as dependency and referenced by name in preset config; standard Babel preset pattern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Mass-production signal reflects Gatsby monorepo generating many similarly-named packages; this is expected for a large framework, not spam. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-dynamic-import | AI (phantom-deps): Babel plugin declared as dependency and referenced by name in preset config; standard Babel preset pattern. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Babel presets reference plugins by name string in config objects rather than via require(); declaring them as deps without direct import is the standard Babel preset pattern. | ai | |
| phantom-deps | phantom-dep:gatsby-core-utils | AI (phantom-deps): Referenced in config files as a Babel preset dependency; standard Gatsby monorepo pattern. | ai | |
Versions (showing 100 of 174)
| Version | Deps | Published |
|---|---|---|
| 3.16.0 | 15 / 4 | |
| 3.15.0 | 15 / 4 | |
| 3.14.0 | 15 / 4 | |
| 3.13.2 | 15 / 4 | |
| 3.13.1 | 15 / 4 | |
| 3.13.0 | 15 / 4 | |
| 3.12.1 | 15 / 4 | |
| 3.12.0 | 15 / 4 | |
| 3.11.0 | 15 / 4 | |
| 3.10.0 | 15 / 4 | |
| 3.9.0 | 15 / 4 | |
| 3.8.0 | 15 / 4 | |
| 3.7.0 | 15 / 4 | |
| 3.6.0 | 15 / 4 | |
| 3.5.0 | 15 / 4 | |
| 3.4.0 | 15 / 4 | |
| 3.3.1 | 15 / 4 | |
| 3.3.0 | 15 / 4 | |
| 3.2.0 | 15 / 4 | |
| 3.1.0 | 15 / 4 | |
| 3.0.0 | 15 / 4 | |
| 2.25.0 | 15 / 4 | |
| 2.24.0 | 15 / 4 | |
| 2.23.0 | 15 / 4 | |
| 2.22.1 | 15 / 4 | |
| 2.22.0 | 15 / 4 | |
| 2.21.0 | 15 / 4 | |
| 2.20.0 | 15 / 4 | |
| 2.19.0 | 15 / 4 | |
| 2.18.1 | 15 / 4 | |
| 2.18.0 | 15 / 4 | |
| 2.17.0 | 15 / 4 | |
| 2.16.0 | 15 / 4 | |
| 2.15.0 | 15 / 4 | |
| 2.14.0 | 15 / 4 | |
| 2.13.0 | 15 / 4 | |
| 2.12.1 | 15 / 4 | |
| 2.12.0 | 15 / 4 | |
| 2.11.1 | 15 / 4 | |
| 2.11.0 | 15 / 4 | |
| 2.10.1 | 15 / 4 | |
| 2.10.0 | 15 / 4 | |
| 2.9.1 | 15 / 4 | |
| 2.9.0 | 15 / 4 | |
| 2.8.2 | 15 / 4 | |
| 2.8.1 | 15 / 4 | |
| 2.8.0 | 15 / 4 | |
| 2.7.0 | 15 / 4 | |
| 2.6.0 | 15 / 4 | |
| 2.5.2 | 15 / 4 | |
| 2.5.1 | 15 / 4 | |
| 2.5.0 | 15 / 4 | |
| 2.4.0 | 15 / 4 | |
| 2.3.0 | 15 / 4 | |
| 2.2.0 | 15 / 4 | |
| 2.1.3 | 15 / 4 | |
| 2.1.2 | 15 / 4 | |
| 2.1.1 | 15 / 4 | |
| 2.1.0 | 15 / 4 | |
| 2.0.0 | 15 / 4 | |
| 1.15.0 | 15 / 4 | |
| 1.14.0 | 15 / 4 | |
| 1.13.0 | 15 / 4 | |
| 1.12.0 | 15 / 4 | |
| 1.11.0 | 15 / 4 | |
| 1.10.0 | 15 / 4 | |
| 1.9.0 | 15 / 4 | |
| 1.8.0 | 15 / 4 | |
| 1.7.1 | 15 / 4 | |
| 1.7.0 | 15 / 4 | |
| 1.6.0 | 15 / 4 | |
| 1.5.0 | 15 / 4 | |
| 1.4.0 | 15 / 4 | |
| 1.3.0 | 15 / 4 | |
| 1.2.0 | 15 / 4 | |
| 1.1.1 | 15 / 4 | |
| 1.1.0 | 15 / 4 | |
| 1.0.0 | 15 / 4 | |
| 0.12.3 | 15 / 4 | |
| 0.12.2 | 15 / 4 | |
| 0.12.1 | 15 / 4 | |
| 0.12.0 | 14 / 4 | |
| 0.11.0 | 14 / 4 | |
| 0.10.0 | 14 / 4 | |
| 0.9.1 | 14 / 4 | |
| 0.9.0 | 14 / 4 | |
| 0.8.0 | 14 / 4 | |
| 0.7.0 | 14 / 4 | |
| 0.6.0 | 14 / 4 | |
| 0.5.16 | 14 / 4 | |
| 0.5.15 | 14 / 4 | |
| 0.5.14 | 14 / 4 | |
| 0.5.13 | 14 / 4 | |
| 0.5.12 | 14 / 4 | |
| 0.5.11 | 14 / 4 | |
| 0.5.10 | 14 / 4 | |
| 0.5.9 | 14 / 4 | |
| 0.5.8 | 14 / 4 | |
| 0.5.7 | 14 / 4 | |
| 0.5.6 | 14 / 4 | |
v3.16.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.15.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.14.0
2 findings
This version was published by a different npm account than previous versions on 2024-11-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-24. This could indicate a legitimate maintainer transition or an account compromise.
v3.11.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-05-16. This could indicate a legitimate maintainer transition or an account compromise.
v3.9.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-04-18. This could indicate a legitimate maintainer transition or an account compromise.
v3.8.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-03-21. This could indicate a legitimate maintainer transition or an account compromise.
v3.7.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-21. This could indicate a legitimate maintainer transition or an account compromise.
v3.6.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v3.5.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-24. This could indicate a legitimate maintainer transition or an account compromise.
v3.4.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-10. This could indicate a legitimate maintainer transition or an account compromise.
v3.3.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-12-13. This could indicate a legitimate maintainer transition or an account compromise.
v3.2.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-25. This could indicate a legitimate maintainer transition or an account compromise.
v3.1.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-22. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-08. This could indicate a legitimate maintainer transition or an account compromise.
v2.25.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.24.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v2.23.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-13. This could indicate a legitimate maintainer transition or an account compromise.
v2.22.1
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-08. This could indicate a legitimate maintainer transition or an account compromise.
v2.22.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-30. This could indicate a legitimate maintainer transition or an account compromise.
v2.21.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-16. This could indicate a legitimate maintainer transition or an account compromise.
v2.20.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-02. This could indicate a legitimate maintainer transition or an account compromise.
v2.19.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-19. This could indicate a legitimate maintainer transition or an account compromise.
v2.18.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.18.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-05. This could indicate a legitimate maintainer transition or an account compromise.
v2.17.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-21. This could indicate a legitimate maintainer transition or an account compromise.
v2.16.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-07. This could indicate a legitimate maintainer transition or an account compromise.
v2.15.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-24. This could indicate a legitimate maintainer transition or an account compromise.
v2.14.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-10. This could indicate a legitimate maintainer transition or an account compromise.
v2.13.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-26. This could indicate a legitimate maintainer transition or an account compromise.
v2.12.1
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v2.12.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v2.11.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.11.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-29. This could indicate a legitimate maintainer transition or an account compromise.
v2.10.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.10.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-16. This could indicate a legitimate maintainer transition or an account compromise.
v2.9.1
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-09. This could indicate a legitimate maintainer transition or an account compromise.
v2.9.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-01. This could indicate a legitimate maintainer transition or an account compromise.
v2.8.2
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-01. This could indicate a legitimate maintainer transition or an account compromise.
v2.8.1
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-25. This could indicate a legitimate maintainer transition or an account compromise.
v2.8.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-22. This could indicate a legitimate maintainer transition or an account compromise.
v2.7.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.