gatsby-legacy-polyfills
Polyfills for legacy browsers
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/polyfills.js | AI (source-diff): dist/polyfills.js is a microbundle IIFE build of core-js polyfills + whatwg-fetch. Function('return this')() is standard globalThis polyfill; fetch is whatwg-fetch polyfill. Stable FP for this package. | ai | |
| provenance | publisher-changed | AI (provenance): pieh is a long-standing Gatsby core maintainer; publisher rotation within the Gatsby team is expected. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Adding Gatsby team members as maintainers is normal organizational practice for this monorepo package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Gatsby monorepo sub-package; templated names, sparse README, and no keywords are normal for this ecosystem pattern. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): @babel/runtime is used via Babel transform helpers, not direct imports; standard for this package. | ai | |
| phantom-deps | phantom-dep:core-js-compat | AI (phantom-deps): core-js-compat is used in build-time codegen for polyfill selection; not directly imported at runtime. | ai |
Versions (showing 76 of 76)
| Version | Deps | Published |
|---|---|---|
| 3.16.0 | 2 / 15 | |
| 3.15.0 | 2 / 15 | |
| 3.14.0 | 2 / 15 | |
| 3.13.1 | 2 / 15 | |
| 3.13.0 | 2 / 15 | |
| 3.12.0 | 2 / 15 | |
| 3.11.0 | 2 / 15 | |
| 3.10.0 | 2 / 15 | |
| 3.9.0 | 2 / 15 | |
| 3.8.0 | 2 / 15 | |
| 3.7.0 | 2 / 15 | |
| 3.6.0 | 2 / 15 | |
| 3.5.0 | 2 / 15 | |
| 3.4.0 | 2 / 15 | |
| 3.3.0 | 2 / 15 | |
| 3.2.0 | 2 / 15 | |
| 3.1.0 | 2 / 15 | |
| 3.0.0 | 2 / 15 | |
| 2.25.0 | 2 / 15 | |
| 2.24.0 | 2 / 15 | |
| 2.23.0 | 2 / 15 | |
| 2.22.0 | 2 / 15 | |
| 2.21.0 | 2 / 15 | |
| 2.20.0 | 2 / 15 | |
| 2.19.0 | 2 / 15 | |
| 2.18.0 | 2 / 15 | |
| 2.17.0 | 2 / 15 | |
| 2.16.0 | 2 / 15 | |
| 2.15.0 | 2 / 15 | |
| 2.14.0 | 2 / 15 | |
| 2.13.0 | 2 / 15 | |
| 2.12.1 | 2 / 15 | |
| 2.12.0 | 2 / 15 | |
| 2.11.0 | 2 / 15 | |
| 2.10.0 | 2 / 15 | |
| 2.9.0 | 2 / 15 | |
| 2.8.0 | 2 / 15 | |
| 2.7.0 | 2 / 15 | |
| 2.6.0 | 2 / 15 | |
| 2.5.0 | 2 / 15 | |
| 2.4.0 | 2 / 15 | |
| 2.3.0 | 2 / 15 | |
| 2.2.0 | 2 / 15 | |
| 2.1.0 | 2 / 15 | |
| 2.0.0 | 2 / 14 | |
| 1.15.0 | 2 / 13 | |
| 1.14.0 | 2 / 13 | |
| 1.13.0 | 1 / 13 | |
| 1.12.0 | 1 / 13 | |
| 1.11.0 | 1 / 13 | |
| 1.10.0 | 1 / 13 | |
| 1.9.0 | 1 / 13 | |
| 1.8.0 | 1 / 13 | |
| 1.7.0 | 1 / 13 | |
| 1.6.0 | 1 / 13 | |
| 1.5.0 | 1 / 13 | |
| 1.4.0 | 1 / 13 | |
| 1.3.0 | 1 / 13 | |
| 1.2.0 | 1 / 13 | |
| 1.1.1 | 1 / 13 | |
| 1.1.0 | 1 / 13 | |
| 1.0.0 | 1 / 13 | |
| 0.7.1 | 1 / 13 | |
| 0.7.0 | 1 / 13 | |
| 0.6.0 | 1 / 13 | |
| 0.5.0 | 1 / 13 | |
| 0.4.0 | 1 / 13 | |
| 0.3.0 | 1 / 13 | |
| 0.2.0 | 1 / 13 | |
| 0.1.0 | 1 / 13 | |
| 0.0.6 | 1 / 13 | |
| 0.0.5 | 1 / 13 | |
| 0.0.4 | 1 / 13 | |
| 0.0.3 | 1 / 13 | |
| 0.0.2 | 1 / 13 | |
| 0.0.1 | 1 / 14 |
v3.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.15.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.14.0
2 findingsThis version was published by a different npm account than previous versions on 2024-11-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-24. This could indicate a legitimate maintainer transition or an account compromise.
v3.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.0
2 findingsThis version was published by a different npm account than previous versions on 2023-04-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.0
2 findingsThis version was published by a different npm account than previous versions on 2023-02-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v3.5.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-24. This could indicate a legitimate maintainer transition or an account compromise.
v3.4.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-10. This could indicate a legitimate maintainer transition or an account compromise.
v3.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-12-13. This could indicate a legitimate maintainer transition or an account compromise.
v3.2.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-25. This could indicate a legitimate maintainer transition or an account compromise.
v3.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-22. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.0
2 findingsThis version was published by a different npm account than previous versions on 2022-11-08. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.25.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.24.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v2.23.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-13. This could indicate a legitimate maintainer transition or an account compromise.
v2.22.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-30. This could indicate a legitimate maintainer transition or an account compromise.
v2.21.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-16. This could indicate a legitimate maintainer transition or an account compromise.
v2.20.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-02. This could indicate a legitimate maintainer transition or an account compromise.
v2.19.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-19. This could indicate a legitimate maintainer transition or an account compromise.
v2.18.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-05. This could indicate a legitimate maintainer transition or an account compromise.
v2.17.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-21. This could indicate a legitimate maintainer transition or an account compromise.
v2.16.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-07. This could indicate a legitimate maintainer transition or an account compromise.
v2.15.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-24. This could indicate a legitimate maintainer transition or an account compromise.
v2.14.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-10. This could indicate a legitimate maintainer transition or an account compromise.
v2.13.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-26. This could indicate a legitimate maintainer transition or an account compromise.
v2.12.1
3 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v2.12.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v2.11.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-29. This could indicate a legitimate maintainer transition or an account compromise.
v2.10.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-16. This could indicate a legitimate maintainer transition or an account compromise.
v2.9.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-01. This could indicate a legitimate maintainer transition or an account compromise.
v2.8.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-22. This could indicate a legitimate maintainer transition or an account compromise.
v2.7.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-08. This could indicate a legitimate maintainer transition or an account compromise.
v2.6.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-25. This could indicate a legitimate maintainer transition or an account compromise.
v2.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-14. This could indicate a legitimate maintainer transition or an account compromise.
v2.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-16. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-02. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-10-21. This could indicate a legitimate maintainer transition or an account compromise.