
gatsby-cli

Gatsby command-line interface for creating new sites and running Gatsby commands

Versions: 100
License: MIT
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pieh, kathmbeck, serhalp-netlify, mlgualtieri-gatsby, kylemathews, freiksenet, dschau, monastic.panic, m-allanson, moocar

Keywords

gatsby

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
publish-pattern | new-deps-added | AI (publish-pattern): @babel/preset-typescript is a well-known official Babel preset consistent with gatsby-cli's existing Babel/TypeScript toolchain; not a suspicious dependency addition. | ai |
phantom-deps | phantom-dep:uuid | AI (phantom-deps): uuid is declared as a direct dependency in package.json; phantom-dep flag is a false positive for this CLI package where it may be used indirectly or via config. | ai |
dependencies | unvetted-dep:gatsby-recipes | AI (dependencies): gatsby-recipes is a first-party Gatsby monorepo package (gatsbyjs/gatsby); not an unvetted third-party dependency. | ai |
phantom-deps | phantom-dep:configstore | AI (phantom-deps): configstore is a legitimate dependency used by gatsby-cli for persistent config storage; phantom-dep finding is a stable false positive for this package. | ai |
phantom-deps | phantom-dep:meant | AI (phantom-deps): meant is a legitimate dependency used by gatsby-cli for command suggestion; phantom-dep finding is a stable false positive for this package. | ai |
provenance | no-provenance | AI (provenance): gatsby-cli is a well-established Gatsby project package; lack of Sigstore provenance is a process gap, not a security risk for this trusted publisher. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): Netlify acquired Gatsby; serhalp-netlify and mlgualtieri-gatsby are legitimate Netlify/Gatsby team members. Transition is expected and publisher has strong track record. | ai |
phantom-deps | phantom-dep:clipboardy | AI (phantom-deps): clipboardy is a legitimate runtime dependency for gatsby-cli's clipboard functionality; phantom-dep detection is a false positive here. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): Gatsby org team restructuring; publisher pieh is a long-standing core Gatsby contributor with strong track record. No hostile takeover indicators. | ai |
phantom-deps | phantom-dep:@babel/preset-typescript | AI (phantom-deps): Build/transpile dependency loaded by convention; not a security concern for this CLI package. | ai |
phantom-deps | phantom-dep:@types/common-tags | AI (phantom-deps): Type-only dependency loaded by convention in a TypeScript monorepo; not a security concern. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require of the local site's package.json is core gatsby-cli functionality for reading site configuration; not a security risk. | ai |
provenance | publisher-changed | AI (provenance): Netlify acquired Gatsby; serhalp-netlify is the new organizational publisher with strong track record (5546 approved packages). This is a documented org transition. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): gatsby-cli is a CLI tool that inherently spawns child processes to run build/dev commands; child_process usage is expected and legitimate. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): gatsby-cli's postinstall (node scripts/postinstall.js) is a long-standing, documented setup step for this CLI tool; stable across versions. | ai |

Versions (showing 100 of 407)

Version Deps Published
2.12.62 39 / 8
2.12.61 39 / 8
2.12.60 39 / 8
2.12.59 40 / 8
2.12.58 40 / 8
2.12.57 43 / 8
2.12.56 43 / 8
2.12.55 42 / 8
2.12.54 42 / 8
2.12.52 43 / 8
2.12.51 43 / 8
2.12.50 43 / 8
2.12.49 42 / 8
2.12.48 42 / 8
2.12.47 42 / 8
2.12.46 42 / 7
2.12.45 42 / 7
2.12.44 42 / 7
2.12.43 42 / 7
2.12.42 42 / 7
2.12.41 42 / 7
2.12.40 42 / 7
2.12.39 42 / 7
2.12.38 42 / 7
2.12.37 42 / 7
2.12.36 42 / 6
2.12.35 42 / 6
2.12.34 42 / 6
2.12.33 42 / 6
2.12.32 42 / 6
2.12.31 42 / 6
2.12.30 42 / 6
2.12.29 42 / 6
2.12.28 42 / 6
2.12.27 42 / 6
2.12.26 42 / 6
2.12.25 42 / 6
2.12.24 42 / 6
2.12.23 42 / 6
2.12.22 42 / 6
2.12.21 42 / 5
2.12.20 42 / 5
2.12.19 42 / 5
2.12.18 42 / 5
2.12.17 42 / 5
2.12.16 42 / 5
2.12.15 42 / 5
2.12.14 42 / 5
2.12.13 42 / 5
2.12.12 42 / 5
2.12.11 42 / 5
2.12.10 42 / 5
2.12.9 42 / 5
2.12.8 42 / 5
2.12.7 42 / 5
2.12.6 42 / 5
2.12.5 42 / 5
2.12.4 42 / 5
2.12.3 42 / 5
2.12.1 42 / 4
2.12.0 42 / 4
2.11.22 42 / 4
2.11.21 42 / 4
2.11.20 42 / 4
2.11.19 42 / 4
2.11.18 42 / 4
2.11.17 42 / 4
2.11.16 42 / 4
2.11.15 42 / 4
2.11.14 42 / 4
2.11.13 42 / 4
2.11.12 42 / 4
2.11.11 42 / 4
2.11.10 42 / 4
2.11.9 41 / 4
2.11.8 41 / 4
2.11.7 41 / 4
2.11.6 41 / 4
2.11.5 41 / 4
2.11.4 41 / 4
2.11.3 41 / 4
2.11.2 41 / 4
2.11.1 41 / 4
2.11.0 41 / 4
2.10.13 41 / 4
2.10.12 41 / 4
2.10.11 41 / 4
2.10.10 41 / 4
2.10.9 41 / 4
2.10.8 41 / 4
2.10.7 41 / 4
2.10.6 41 / 4
2.10.5 41 / 4
2.10.4 41 / 4
2.10.3 41 / 4
2.10.2 41 / 4
2.10.1 41 / 4
2.10.0 41 / 4
2.9.0 41 / 4
2.8.30 41 / 4