gatsby-cli
Gatsby command-line interface for creating new sites and running Gatsby commands
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): @babel/preset-typescript is a well-known official Babel preset consistent with gatsby-cli's existing Babel/TypeScript toolchain; not a suspicious dependency addition. | ai | |
| phantom-deps | phantom-dep:uuid | AI (phantom-deps): uuid is declared as a direct dependency in package.json; phantom-dep flag is a false positive for this CLI package where it may be used indirectly or via config. | ai | |
| dependencies | unvetted-dep:gatsby-recipes | AI (dependencies): gatsby-recipes is a first-party Gatsby monorepo package (gatsbyjs/gatsby); not an unvetted third-party dependency. | ai | |
| phantom-deps | phantom-dep:configstore | AI (phantom-deps): configstore is a legitimate dependency used by gatsby-cli for persistent config storage; phantom-dep finding is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:meant | AI (phantom-deps): meant is a legitimate dependency used by gatsby-cli for command suggestion; phantom-dep finding is a stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): gatsby-cli is a well-established Gatsby project package; lack of Sigstore provenance is a process gap, not a security risk for this trusted publisher. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Netlify acquired Gatsby; serhalp-netlify and mlgualtieri-gatsby are legitimate Netlify/Gatsby team members. Transition is expected and publisher has strong track record. | ai | |
| phantom-deps | phantom-dep:clipboardy | AI (phantom-deps): clipboardy is a legitimate runtime dependency for gatsby-cli's clipboard functionality; phantom-dep detection is a false positive here. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Gatsby org team restructuring; publisher pieh is a long-standing core Gatsby contributor with strong track record. No hostile takeover indicators. | ai | |
| phantom-deps | phantom-dep:@babel/preset-typescript | AI (phantom-deps): Build/transpile dependency loaded by convention; not a security concern for this CLI package. | ai | |
| phantom-deps | phantom-dep:@types/common-tags | AI (phantom-deps): Type-only dependency loaded by convention in a TypeScript monorepo; not a security concern. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require of the local site's package.json is core gatsby-cli functionality for reading site configuration; not a security risk. | ai | |
| provenance | publisher-changed | AI (provenance): Netlify acquired Gatsby; serhalp-netlify is the new organizational publisher with strong track record (5546 approved packages). This is a documented org transition. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): gatsby-cli is a CLI tool that inherently spawns child processes to run build/dev commands; child_process usage is expected and legitimate. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): gatsby-cli's postinstall (node scripts/postinstall.js) is a long-standing, documented setup step for this CLI tool; stable across versions. | ai |
Versions (showing 100 of 412)
| Version | Deps | Published |
|---|---|---|
| 5.8.0 | 41 / 20 | |
| 5.3.1 | 41 / 20 | |
| 4.24.0 | 42 / 20 | |
| 4.23.1 | 42 / 20 | |
| 4.23.0 | 42 / 20 | |
| 4.18.1 | 44 / 20 | |
| 4.10.1 | 45 / 19 | |
| 4.5.1 | 39 / 20 | |
| 4.2.0 | 40 / 20 | |
| 3.15.0 | 39 / 20 | |
| 3.14.2 | 39 / 20 | |
| 3.14.1 | 39 / 20 | |
| 3.14.0 | 39 / 20 | |
| 3.13.0 | 38 / 20 | |
| 3.12.0 | 38 / 20 | |
| 3.11.0 | 38 / 20 | |
| 3.10.0 | 38 / 20 | |
| 3.9.0 | 38 / 20 | |
| 3.8.0 | 38 / 20 | |
| 3.7.1 | 38 / 20 | |
| 3.7.0 | 38 / 20 | |
| 3.6.0 | 38 / 20 | |
| 3.5.0 | 38 / 20 | |
| 3.4.1 | 38 / 20 | |
| 3.4.0 | 38 / 20 | |
| 3.3.0 | 38 / 20 | |
| 3.2.0 | 38 / 20 | |
| 3.1.0 | 38 / 20 | |
| 3.0.0 | 38 / 20 | |
| 2.19.3 | 38 / 20 | |
| 2.19.2 | 38 / 20 | |
| 2.19.1 | 38 / 20 | |
| 2.19.0 | 38 / 20 | |
| 2.18.0 | 38 / 20 | |
| 2.17.1 | 38 / 20 | |
| 2.17.0 | 38 / 20 | |
| 2.16.2 | 38 / 20 | |
| 2.16.1 | 38 / 20 | |
| 2.16.0 | 38 / 20 | |
| 2.15.1 | 38 / 20 | |
| 2.15.0 | 38 / 20 | |
| 2.14.1 | 38 / 20 | |
| 2.14.0 | 38 / 20 | |
| 2.13.1 | 37 / 20 | |
| 2.13.0 | 37 / 20 | |
| 2.12.117 | 37 / 20 | |
| 2.12.116 | 37 / 20 | |
| 2.12.115 | 37 / 20 | |
| 2.12.114 | 37 / 20 | |
| 2.12.113 | 37 / 20 | |
| 2.12.112 | 39 / 8 | |
| 2.12.111 | 39 / 8 | |
| 2.12.110 | 39 / 8 | |
| 2.12.109 | 39 / 8 | |
| 2.12.108 | 39 / 8 | |
| 2.12.107 | 39 / 8 | |
| 2.12.106 | 39 / 8 | |
| 2.12.105 | 39 / 8 | |
| 2.12.104 | 39 / 8 | |
| 2.12.103 | 39 / 8 | |
| 2.12.102 | 39 / 8 | |
| 2.12.101 | 39 / 8 | |
| 2.12.100 | 39 / 8 | |
| 2.12.99 | 39 / 8 | |
| 2.12.98 | 37 / 20 | |
| 2.12.97 | 39 / 8 | |
| 2.12.96 | 39 / 8 | |
| 2.12.95 | 39 / 8 | |
| 2.12.94 | 39 / 8 | |
| 2.12.93 | 39 / 8 | |
| 2.12.92 | 39 / 8 | |
| 2.12.91 | 39 / 8 | |
| 2.12.90 | 39 / 8 | |
| 2.12.89 | 39 / 8 | |
| 2.12.88 | 39 / 8 | |
| 2.12.87 | 39 / 8 | |
| 2.12.86 | 39 / 8 | |
| 2.12.85 | 39 / 8 | |
| 2.12.84 | 39 / 8 | |
| 2.12.83 | 39 / 8 | |
| 2.12.82 | 39 / 8 | |
| 2.12.81 | 39 / 8 | |
| 2.12.80 | 39 / 8 | |
| 2.12.79 | 39 / 8 | |
| 2.12.78 | 39 / 8 | |
| 2.12.77 | 39 / 8 | |
| 2.12.76 | 39 / 8 | |
| 2.12.75 | 39 / 8 | |
| 2.12.74 | 39 / 8 | |
| 2.12.73 | 39 / 8 | |
| 2.12.72 | 39 / 8 | |
| 2.12.71 | 39 / 8 | |
| 2.12.70 | 39 / 8 | |
| 2.12.69 | 39 / 8 | |
| 2.12.68 | 39 / 8 | |
| 2.12.67 | 39 / 8 | |
| 2.12.66 | 39 / 8 | |
| 2.12.65 | 39 / 8 | |
| 2.12.64 | 39 / 8 | |
| 2.12.63 | 39 / 8 |
v5.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.24.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v4.23.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.23.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-13. This could indicate a legitimate maintainer transition or an account compromise.
v4.18.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-12. This could indicate a legitimate maintainer transition or an account compromise.
v4.10.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-18. This could indicate a legitimate maintainer transition or an account compromise.
v4.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-16. This could indicate a legitimate maintainer transition or an account compromise.