gatsby-plugin-typescript
Adds TypeScript support to Gatsby
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): pieh (Lennart Jörgens) is a known Gatsby core maintainer publishing from the same gatsbyjs org; this transition is a legitimate team rotation, not a takeover. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of prior Gatsby maintainers is consistent with Netlify's organizational transition of the Gatsby monorepo. Not a takeover signal. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Mass-production signal reflects monorepo publishing pattern; empty main is standard for Gatsby plugins using the plugin API hook convention. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Babel packages are framework-scoped dependencies loaded by convention in Gatsby's plugin system, not directly imported. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped Babel dependency; standard Gatsby plugin pattern. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Netlify-affiliated accounts (serhalp-netlify, mlgualtieri-gatsby) are the new stewards of the Gatsby ecosystem after Netlify's acquisition. Legitimate organizational transition. | ai | |
| phantom-deps | phantom-dep:babel-plugin-remove-graphql-queries | AI (phantom-deps): Referenced in Gatsby config files by convention, not directly imported. Standard Gatsby plugin pattern. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-numeric-separator | AI (phantom-deps): Framework-scoped Babel plugin; standard Gatsby plugin pattern. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-optional-chaining | AI (phantom-deps): Framework-scoped Babel plugin; standard Gatsby plugin pattern. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-nullish-coalescing-operator | AI (phantom-deps): Framework-scoped Babel plugin; standard Gatsby plugin pattern. | ai | |
| phantom-deps | phantom-dep:@babel/preset-typescript | AI (phantom-deps): Framework-scoped Babel preset; standard Gatsby TypeScript plugin pattern. | ai |
Versions (showing 51 of 188)
| Version | Deps | Published |
|---|---|---|
| 5.16.0 | 7 / 4 | |
| 5.15.0 | 7 / 4 | |
| 5.14.0 | 7 / 4 | |
| 5.13.1 | 7 / 4 | |
| 5.13.0 | 7 / 4 | |
| 5.12.1 | 7 / 4 | |
| 5.12.0 | 7 / 4 | |
| 5.11.0 | 7 / 4 | |
| 5.10.0 | 7 / 4 | |
| 5.9.0 | 7 / 4 | |
| 5.8.0 | 7 / 4 | |
| 5.7.0 | 7 / 4 | |
| 5.6.0 | 7 / 4 | |
| 5.5.0 | 7 / 4 | |
| 5.4.0 | 7 / 4 | |
| 5.3.1 | 7 / 4 | |
| 5.3.0 | 7 / 4 | |
| 5.2.0 | 7 / 4 | |
| 5.1.0 | 7 / 4 | |
| 5.0.0 | 7 / 4 | |
| 4.25.0 | 7 / 4 | |
| 4.24.0 | 7 / 4 | |
| 4.23.0 | 7 / 4 | |
| 4.22.0 | 7 / 4 | |
| 4.21.0 | 7 / 4 | |
| 4.20.0 | 7 / 4 | |
| 4.19.0 | 7 / 4 | |
| 4.18.1 | 7 / 4 | |
| 4.18.0 | 7 / 4 | |
| 4.17.0 | 7 / 4 | |
| 4.16.0 | 7 / 4 | |
| 4.15.0 | 7 / 4 | |
| 4.14.0 | 7 / 4 | |
| 4.13.0 | 7 / 4 | |
| 4.12.1 | 7 / 4 | |
| 4.12.0 | 7 / 4 | |
| 4.11.1 | 7 / 4 | |
| 4.11.0 | 7 / 4 | |
| 4.10.1 | 7 / 4 | |
| 4.10.0 | 7 / 4 | |
| 4.9.1 | 7 / 4 | |
| 4.9.0 | 7 / 4 | |
| 4.8.2 | 7 / 4 | |
| 4.8.1 | 7 / 4 | |
| 4.8.0 | 7 / 4 | |
| 4.7.0 | 7 / 4 | |
| 4.6.0 | 7 / 4 | |
| 4.5.2 | 7 / 4 | |
| 4.5.1 | 7 / 4 | |
| 4.5.0 | 7 / 4 | |
| 4.4.0 | 7 / 4 |
v5.16.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.15.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.14.0
2 findingsThis version was published by a different npm account than previous versions on 2024-11-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.13.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.12.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-08-24. This could indicate a legitimate maintainer transition or an account compromise.
v5.11.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-04-18. This could indicate a legitimate maintainer transition or an account compromise.
v5.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.0
2 findingsThis version was published by a different npm account than previous versions on 2023-02-21. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v5.5.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-24. This could indicate a legitimate maintainer transition or an account compromise.
v5.4.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-01-10. This could indicate a legitimate maintainer transition or an account compromise.
v5.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-12-13. This could indicate a legitimate maintainer transition or an account compromise.
v5.2.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-25. This could indicate a legitimate maintainer transition or an account compromise.
v5.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-22. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-08. This could indicate a legitimate maintainer transition or an account compromise.
v4.25.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.24.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v4.23.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-09-13. This could indicate a legitimate maintainer transition or an account compromise.
v4.22.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-30. This could indicate a legitimate maintainer transition or an account compromise.
v4.21.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-16. This could indicate a legitimate maintainer transition or an account compromise.
v4.20.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-02. This could indicate a legitimate maintainer transition or an account compromise.
v4.19.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-19. This could indicate a legitimate maintainer transition or an account compromise.
v4.18.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.18.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-07-05. This could indicate a legitimate maintainer transition or an account compromise.
v4.17.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-21. This could indicate a legitimate maintainer transition or an account compromise.
v4.16.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-06-07. This could indicate a legitimate maintainer transition or an account compromise.
v4.15.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-24. This could indicate a legitimate maintainer transition or an account compromise.
v4.14.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-10. This could indicate a legitimate maintainer transition or an account compromise.
v4.13.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-26. This could indicate a legitimate maintainer transition or an account compromise.
v4.12.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v4.12.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v4.11.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-29. This could indicate a legitimate maintainer transition or an account compromise.
v4.10.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.10.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-16. This could indicate a legitimate maintainer transition or an account compromise.
v4.9.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-01. This could indicate a legitimate maintainer transition or an account compromise.
v4.8.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-01. This could indicate a legitimate maintainer transition or an account compromise.
v4.8.1
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-25. This could indicate a legitimate maintainer transition or an account compromise.
v4.8.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-22. This could indicate a legitimate maintainer transition or an account compromise.
v4.7.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.6.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.