gatsby-design-tokens
Gatsby Design Tokens
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/theme.js | AI (source-diff): dist/theme.js is a standard microbundle CJS output. Contains only theme token data. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/index.js | AI (source-diff): dist/index.js is a standard microbundle CJS output of Gatsby design tokens (colors, breakpoints, etc.). Minified build artifact, not obfuscated malware. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/theme-gatsbyjs-org.js | AI (source-diff): dist/theme-gatsbyjs-org.js is a standard microbundle CJS output. Contains only theme token data. Stable false positive for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers mlgualtieri-gatsby and serhalp-netlify are Netlify/Gatsby employees consistent with the organizational acquisition of Gatsby by Netlify. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from pieh to serhalp-netlify reflects Netlify's acquisition of Gatsby. serhalp-netlify is a well-established publisher with 5596 approved packages and 0 rejected. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of fk is consistent with the Gatsby/Netlify organizational transition; not indicative of a malicious takeover given the context. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): @babel/runtime is a standard Babel transpilation helper injected at build time; phantom-dep finding is a stable false positive for this package. | ai | |
| dependencies | unvetted-dep:hex2rgba | AI (dependencies): hex2rgba is a well-known tiny color utility used throughout the Gatsby ecosystem; unvetted signal is a stable false positive for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Package is part of the official Gatsby monorepo; mass-production signal reflects the monorepo structure, not spam. Stable false positive. | ai |
Versions (showing 93 of 93)
| Version | Deps | Published |
|---|---|---|
| 5.16.0 | 2 / 3 | |
| 5.15.0 | 2 / 3 | |
| 5.14.0 | 2 / 3 | |
| 5.13.0 | 2 / 3 | |
| 5.12.0 | 2 / 3 | |
| 5.11.0 | 2 / 3 | |
| 5.10.0 | 2 / 3 | |
| 5.9.0 | 2 / 3 | |
| 5.8.0 | 2 / 4 | |
| 5.7.0 | 2 / 4 | |
| 5.6.0 | 2 / 4 | |
| 5.5.0 | 2 / 4 | |
| 5.4.0 | 2 / 4 | |
| 5.3.0 | 2 / 4 | |
| 5.2.0 | 2 / 4 | |
| 5.1.0 | 2 / 4 | |
| 5.0.0 | 2 / 4 | |
| 4.25.0 | 2 / 4 | |
| 4.24.0 | 2 / 4 | |
| 4.23.0 | 2 / 4 | |
| 4.22.0 | 2 / 4 | |
| 4.21.0 | 2 / 4 | |
| 4.20.0 | 2 / 4 | |
| 4.19.0 | 2 / 4 | |
| 4.18.0 | 2 / 4 | |
| 4.17.0 | 2 / 4 | |
| 4.16.0 | 2 / 4 | |
| 4.15.0 | 2 / 4 | |
| 4.14.0 | 2 / 4 | |
| 4.13.0 | 2 / 4 | |
| 4.12.1 | 2 / 4 | |
| 4.12.0 | 2 / 4 | |
| 4.11.0 | 2 / 4 | |
| 4.10.0 | 2 / 4 | |
| 4.9.0 | 2 / 4 | |
| 4.8.0 | 2 / 4 | |
| 4.7.0 | 2 / 4 | |
| 4.6.0 | 2 / 4 | |
| 4.5.0 | 2 / 4 | |
| 4.4.0 | 2 / 4 | |
| 4.3.0 | 2 / 4 | |
| 4.2.0 | 2 / 4 | |
| 4.1.0 | 2 / 4 | |
| 4.0.0 | 2 / 4 | |
| 3.15.0 | 2 / 4 | |
| 3.14.0 | 2 / 4 | |
| 3.13.0 | 1 / 4 | |
| 3.12.0 | 1 / 4 | |
| 3.11.0 | 1 / 4 | |
| 3.10.0 | 1 / 4 | |
| 3.9.0 | 1 / 4 | |
| 3.8.0 | 1 / 4 | |
| 3.7.0 | 1 / 4 | |
| 3.6.0 | 1 / 4 | |
| 3.5.0 | 1 / 4 | |
| 3.4.0 | 1 / 4 | |
| 3.3.0 | 1 / 4 | |
| 3.2.0 | 1 / 4 | |
| 3.1.0 | 1 / 4 | |
| 3.0.0 | 1 / 4 | |
| 2.7.0 | 1 / 4 | |
| 2.6.0 | 1 / 4 | |
| 2.5.0 | 1 / 4 | |
| 2.4.0 | 1 / 4 | |
| 2.3.0 | 1 / 4 | |
| 2.2.0 | 1 / 4 | |
| 2.1.0 | 1 / 4 | |
| 2.0.13 | 1 / 4 | |
| 2.0.12 | 1 / 4 | |
| 2.0.11 | 1 / 4 | |
| 2.0.10 | 1 / 4 | |
| 2.0.9 | 1 / 4 | |
| 2.0.8 | 1 / 4 | |
| 2.0.7 | 1 / 4 | |
| 2.0.6 | 1 / 4 | |
| 2.0.5 | 1 / 4 | |
| 2.0.4 | 1 / 4 | |
| 2.0.3 | 1 / 4 | |
| 2.0.2 | 1 / 4 | |
| 2.0.1 | 1 / 4 | |
| 2.0.0 | 1 / 4 | |
| 1.0.10 | 0 / 4 | |
| 1.0.9 | 0 / 4 | |
| 1.0.8 | 0 / 4 | |
| 1.0.6 | 0 / 4 | |
| 1.0.5 | 0 / 4 | |
| 1.0.4 | 0 / 4 | |
| 1.0.3 | 0 / 4 | |
| 1.0.2 | 0 / 4 | |
| 1.0.1 | 0 / 4 | |
| 1.0.0 | 0 / 4 | |
| 0.0.2 | 0 / 4 | |
| 0.0.1 | 0 / 4 |
v5.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
2 findingsThis version was published by a different npm account than previous versions on 2024-11-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-24. This could indicate a legitimate maintainer transition or an account compromise.
v5.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-04-18. This could indicate a legitimate maintainer transition or an account compromise.
v5.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-21. This could indicate a legitimate maintainer transition or an account compromise.
v5.6.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v5.5.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-24. This could indicate a legitimate maintainer transition or an account compromise.
v5.4.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-10. This could indicate a legitimate maintainer transition or an account compromise.
v5.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-12-13. This could indicate a legitimate maintainer transition or an account compromise.
v5.2.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-25. This could indicate a legitimate maintainer transition or an account compromise.
v5.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-22. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-08. This could indicate a legitimate maintainer transition or an account compromise.
v4.25.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.24.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v4.23.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-13. This could indicate a legitimate maintainer transition or an account compromise.
v4.22.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-30. This could indicate a legitimate maintainer transition or an account compromise.
v4.21.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-16. This could indicate a legitimate maintainer transition or an account compromise.
v4.20.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-02. This could indicate a legitimate maintainer transition or an account compromise.
v4.19.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-19. This could indicate a legitimate maintainer transition or an account compromise.
v4.18.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-05. This could indicate a legitimate maintainer transition or an account compromise.
v4.17.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-21. This could indicate a legitimate maintainer transition or an account compromise.
v4.16.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-07. This could indicate a legitimate maintainer transition or an account compromise.
v4.15.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-24. This could indicate a legitimate maintainer transition or an account compromise.
v4.14.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-10. This could indicate a legitimate maintainer transition or an account compromise.
v4.13.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-26. This could indicate a legitimate maintainer transition or an account compromise.
v4.12.1
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v4.12.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v4.11.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-29. This could indicate a legitimate maintainer transition or an account compromise.
v4.10.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-16. This could indicate a legitimate maintainer transition or an account compromise.
v4.9.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-01. This could indicate a legitimate maintainer transition or an account compromise.
v4.8.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-22. This could indicate a legitimate maintainer transition or an account compromise.
v4.7.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-08. This could indicate a legitimate maintainer transition or an account compromise.
v4.6.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-25. This could indicate a legitimate maintainer transition or an account compromise.
v4.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.4.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-14. This could indicate a legitimate maintainer transition or an account compromise.
v4.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-01. This could indicate a legitimate maintainer transition or an account compromise.
v4.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-02. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-10-21. This could indicate a legitimate maintainer transition or an account compromise.