gatsby-graphiql-explorer
GraphiQL IDE with custom features for Gatsby users
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:app.js | AI (source-diff): app.js is a legitimate webpack production bundle of the GraphiQL IDE. Minification is expected and documented in the build scripts. Content is GraphQL/Gatsby IDE code. | ai | |
| source-diff | net-exec-file:app.js | AI (source-diff): GraphiQL IDE bundle inherently contains network calls (GraphQL HTTP requests) and dynamic code patterns (code generation). Not indicative of malware for this package. | ai | |
| source-diff | obfuscated-file:dist/app.js | AI (source-diff): dist/app.js is a webpack-bundled GraphiQL IDE browser app; minified single-line output is expected and stable for this package across all versions. | ai | |
| source-diff | net-exec-file:dist/app.js | AI (source-diff): GraphiQL IDE legitimately makes network calls (GraphQL queries) and renders dynamic UI; this pattern is inherent to the package's purpose and not malicious. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change reflects the known Netlify acquisition/stewardship of Gatsby packages. serhalp-netlify is a Netlify-affiliated account with a strong track record and no rejected packages. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (mlgualtieri-gatsby, serhalp-netlify) are Netlify/Gatsby org accounts, consistent with the known organizational transition of Gatsby ownership to Netlify. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of dschau is consistent with the Netlify/Gatsby org transition; not indicative of a hostile takeover given the context. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Legitimate Gatsby monorepo package. Mass-production signal reflects gatsby-* monorepo naming convention; README signals are typical for Gatsby sub-packages linking to central docs. | ai |
Versions (showing 51 of 131)
| Version | Deps | Published |
|---|---|---|
| 3.16.0 | 0 / 24 | |
| 3.15.0 | 0 / 24 | |
| 3.14.1 | 0 / 24 | |
| 3.14.0 | 0 / 24 | |
| 3.13.1 | 0 / 24 | |
| 3.13.0 | 0 / 24 | |
| 3.12.1 | 0 / 24 | |
| 3.12.0 | 0 / 24 | |
| 3.11.0 | 0 / 24 | |
| 3.10.0 | 0 / 24 | |
| 3.9.0 | 0 / 24 | |
| 3.8.0 | 0 / 24 | |
| 3.7.0 | 0 / 24 | |
| 3.6.0 | 0 / 24 | |
| 3.5.0 | 0 / 24 | |
| 3.4.0 | 0 / 24 | |
| 3.3.0 | 0 / 24 | |
| 3.2.0 | 0 / 24 | |
| 3.1.0 | 0 / 24 | |
| 3.0.0 | 0 / 24 | |
| 2.25.0 | 1 / 23 | |
| 2.24.0 | 1 / 23 | |
| 2.23.0 | 1 / 23 | |
| 2.22.0 | 1 / 23 | |
| 2.21.0 | 1 / 23 | |
| 2.20.0 | 1 / 23 | |
| 2.19.0 | 1 / 23 | |
| 2.18.0 | 1 / 23 | |
| 2.17.0 | 1 / 23 | |
| 2.16.0 | 1 / 23 | |
| 2.15.0 | 1 / 23 | |
| 2.14.0 | 1 / 23 | |
| 2.13.0 | 1 / 23 | |
| 2.12.1 | 1 / 23 | |
| 2.12.0 | 1 / 23 | |
| 2.11.0 | 1 / 23 | |
| 2.10.0 | 1 / 23 | |
| 2.9.0 | 1 / 23 | |
| 2.8.0 | 1 / 23 | |
| 2.7.0 | 1 / 23 | |
| 2.6.0 | 1 / 23 | |
| 2.5.0 | 1 / 23 | |
| 2.4.0 | 1 / 23 | |
| 2.3.0 | 1 / 23 | |
| 2.2.0 | 1 / 23 | |
| 2.1.0 | 1 / 23 | |
| 2.0.0 | 1 / 23 | |
| 1.15.0 | 1 / 23 | |
| 1.14.0 | 1 / 23 | |
| 1.13.0 | 1 / 23 | |
| 1.12.0 | 1 / 23 |
v3.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.15.0
2 findingsMatched 3 signal(s), weighted score 7: • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'pieh' owns 164 packages, ≥70% share a templated name shape. • [S_README_LINKDUMP] README is a link dump (5 URLs) that barely mentions the package — typical of phishing link farms. • [S_README_NO_CODE] Short README with no code block, no install instructions, and no usage/API section.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.14.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-07. This could indicate a legitimate maintainer transition or an account compromise.
v3.14.0
2 findingsThis version was published by a different npm account than previous versions on 2024-11-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-24. This could indicate a legitimate maintainer transition or an account compromise.
v3.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-04-18. This could indicate a legitimate maintainer transition or an account compromise.
v3.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-21. This could indicate a legitimate maintainer transition or an account compromise.
v3.6.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v3.5.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-24. This could indicate a legitimate maintainer transition or an account compromise.
v3.4.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-10. This could indicate a legitimate maintainer transition or an account compromise.
v3.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-12-13. This could indicate a legitimate maintainer transition or an account compromise.
v3.2.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-25. This could indicate a legitimate maintainer transition or an account compromise.
v3.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-22. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.0
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-08. This could indicate a legitimate maintainer transition or an account compromise.
v2.25.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.24.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v2.23.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-13. This could indicate a legitimate maintainer transition or an account compromise.
v2.22.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-30. This could indicate a legitimate maintainer transition or an account compromise.
v2.21.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-16. This could indicate a legitimate maintainer transition or an account compromise.
v2.20.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-02. This could indicate a legitimate maintainer transition or an account compromise.
v2.19.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-19. This could indicate a legitimate maintainer transition or an account compromise.
v2.18.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-05. This could indicate a legitimate maintainer transition or an account compromise.
v2.17.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-21. This could indicate a legitimate maintainer transition or an account compromise.
v2.16.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-07. This could indicate a legitimate maintainer transition or an account compromise.
v2.15.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-24. This could indicate a legitimate maintainer transition or an account compromise.
v2.14.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-10. This could indicate a legitimate maintainer transition or an account compromise.
v2.13.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-26. This could indicate a legitimate maintainer transition or an account compromise.
v2.12.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v2.12.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v2.11.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-29. This could indicate a legitimate maintainer transition or an account compromise.
v2.10.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-16. This could indicate a legitimate maintainer transition or an account compromise.
v2.9.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-01. This could indicate a legitimate maintainer transition or an account compromise.
v2.8.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-22. This could indicate a legitimate maintainer transition or an account compromise.
v2.7.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-08. This could indicate a legitimate maintainer transition or an account compromise.
v2.6.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-25. This could indicate a legitimate maintainer transition or an account compromise.
v2.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-14. This could indicate a legitimate maintainer transition or an account compromise.
v2.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-01. This could indicate a legitimate maintainer transition or an account compromise.
v2.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-02. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-10-21. This could indicate a legitimate maintainer transition or an account compromise.