gatsby-graphiql-explorer
GraphiQL IDE with custom features for Gatsby users
33
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
piehkathmbeckserhalp-netlifymlgualtieri-gatsbyfktylerbarnesdaniellewgatsby
Keywords
gatsbygraphiqlgatsby-graphiql
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:app.js | AI (source-diff): app.js is a legitimate webpack production bundle of the GraphiQL IDE. Minification is expected and documented in the build scripts. Content is GraphQL/Gatsby IDE code. | ai | |
| source-diff | net-exec-file:app.js | AI (source-diff): GraphiQL IDE bundle inherently contains network calls (GraphQL HTTP requests) and dynamic code patterns (code generation). Not indicative of malware for this package. | ai | |
| source-diff | obfuscated-file:dist/app.js | AI (source-diff): dist/app.js is a webpack-bundled GraphiQL IDE browser app; minified single-line output is expected and stable for this package across all versions. | ai | |
| source-diff | net-exec-file:dist/app.js | AI (source-diff): GraphiQL IDE legitimately makes network calls (GraphQL queries) and renders dynamic UI; this pattern is inherent to the package's purpose and not malicious. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change reflects the known Netlify acquisition/stewardship of Gatsby packages. serhalp-netlify is a Netlify-affiliated account with a strong track record and no rejected packages. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (mlgualtieri-gatsby, serhalp-netlify) are Netlify/Gatsby org accounts, consistent with the known organizational transition of Gatsby ownership to Netlify. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of dschau is consistent with the Netlify/Gatsby org transition; not indicative of a hostile takeover given the context. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Legitimate Gatsby monorepo package. Mass-production signal reflects gatsby-* monorepo naming convention; README signals are typical for Gatsby sub-packages linking to central docs. | ai |
Versions (showing 33 of 133)
| Version | Deps | Published |
|---|---|---|
| 0.2.28 | 1 / 21 | |
| 0.2.27 | 1 / 21 | |
| 0.2.26 | 1 / 21 | |
| 0.2.25 | 1 / 21 | |
| 0.2.24 | 1 / 21 | |
| 0.2.23 | 1 / 21 | |
| 0.2.22 | 1 / 21 | |
| 0.2.21 | 1 / 21 | |
| 0.2.19 | 1 / 21 | |
| 0.2.18 | 1 / 21 | |
| 0.2.17 | 1 / 21 | |
| 0.2.16 | 1 / 21 | |
| 0.2.15 | 1 / 21 | |
| 0.2.14 | 1 / 21 | |
| 0.2.13 | 1 / 21 | |
| 0.2.12 | 1 / 21 | |
| 0.2.11 | 1 / 21 | |
| 0.2.10 | 1 / 20 | |
| 0.2.9 | 1 / 19 | |
| 0.2.8 | 1 / 19 | |
| 0.2.7 | 1 / 19 | |
| 0.2.6 | 1 / 19 | |
| 0.2.5 | 1 / 19 | |
| 0.2.4 | 1 / 19 | |
| 0.2.3 | 1 / 19 | |
| 0.2.2 | 1 / 19 | |
| 0.2.1 | 1 / 19 | |
| 0.2.0 | 1 / 19 | |
| 0.1.2 | 1 / 19 | |
| 0.1.1 | 6 / 14 | |
| 0.1.0 | 6 / 14 | |
| 3.17.0-next.0 | 0 / 24 | |
| 3.16.0-next.0 | 0 / 24 |