gatsby-telemetry
Gatsby Telemetry
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:async-retry-ng | AI (phantom-deps): async-retry-ng is a declared runtime dep in the official Gatsby telemetry package; phantom-dep flag is a false positive for this package's usage pattern. | ai | |
| dependencies | unvetted-dep:async-retry-ng | AI (dependencies): async-retry-ng is a declared dependency of gatsby-telemetry in the official Gatsby monorepo; its use is consistent with the package's retry logic for telemetry HTTP calls. | ai | |
| provenance | no-provenance | AI (provenance): gatsby-telemetry is a well-established Gatsby monorepo package; lack of Sigstore provenance is a process gap, not a security risk for this package. | ai | |
| phantom-deps | phantom-dep:node-fetch | AI (phantom-deps): node-fetch is a declared runtime dependency in package.json; phantom-dep false positive for compiled TypeScript packages where imports appear in lib/ output. | ai | |
| phantom-deps | phantom-dep:@babel/code-frame | AI (phantom-deps): @babel/code-frame is a declared runtime dependency; framework-scoped usage is expected in Gatsby packages. Stable false positive. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): gatsby-telemetry's postinstall (node src/postinstall.js || true) is a long-standing telemetry opt-out notification script, stable across hundreds of versions. Not a risk. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from pieh to serhalp-netlify reflects Netlify's acquisition of Gatsby; serhalp-netlify is a verified Netlify-affiliated account with strong track record (5550 approved, 0 rejected). | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers mlgualtieri-gatsby and serhalp-netlify are Netlify/Gatsby org accounts consistent with the documented Netlify acquisition of Gatsby. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in repository-id.js to run git commands for telemetry repo identification — expected and stable behavior for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of legacy Gatsby maintainers is consistent with the Netlify acquisition transition; not indicative of a malicious takeover. | ai | |
Versions (showing 51 of 157)
| Version | Deps | Published |
|---|---|---|
| 4.14.0 | 5 / 6 | |
| 4.13.0 | 12 / 6 | |
| 4.12.1 | 12 / 6 | |
| 4.11.0 | 12 / 6 | |
| 4.9.0 | 12 / 6 | |
| 4.0.0 | 12 / 6 | |
| 3.22.0 | 12 / 6 | |
| 3.18.1 | 13 / 6 | |
| 3.5.2 | 13 / 6 | |
| 3.5.1 | 13 / 6 | |
| 3.3.0 | 13 / 10 | |
| 3.1.2 | 13 / 10 | |
| 2.15.0 | 14 / 10 | |
| 2.14.0 | 14 / 10 | |
| 2.13.0 | 14 / 10 | |
| 2.12.0 | 14 / 10 | |
| 2.11.0 | 14 / 10 | |
| 2.10.0 | 14 / 10 | |
| 2.9.0 | 14 / 10 | |
| 2.8.0 | 14 / 10 | |
| 2.7.1 | 14 / 10 | |
| 2.7.0 | 14 / 10 | |
| 2.6.0 | 14 / 10 | |
| 2.5.0 | 14 / 10 | |
| 2.4.1 | 14 / 10 | |
| 2.4.0 | 14 / 10 | |
| 2.3.0 | 14 / 10 | |
| 2.2.0 | 14 / 10 | |
| 2.1.0 | 14 / 10 | |
| 2.0.0 | 14 / 10 | |
| 1.10.2 | 14 / 10 | |
| 1.10.1 | 14 / 10 | |
| 1.10.0 | 14 / 10 | |
| 1.9.0 | 14 / 10 | |
| 1.8.1 | 14 / 10 | |
| 1.8.0 | 14 / 10 | |
| 1.7.1 | 14 / 10 | |
| 1.7.0 | 14 / 10 | |
| 1.6.0 | 14 / 10 | |
| 1.5.1 | 15 / 10 | |
| 1.5.0 | 15 / 10 | |
| 1.4.1 | 15 / 10 | |
| 1.4.0 | 15 / 10 | |
| 1.3.40 | 15 / 10 | |
| 1.3.39 | 15 / 10 | |
| 1.3.38 | 15 / 10 | |
| 1.3.37 | 15 / 10 | |
| 1.3.36 | 15 / 10 | |
| 1.3.35 | 15 / 10 | |
| 1.3.34 | 15 / 10 | |
| 1.3.33 | 15 / 10 |
v4.14.0
2 findings
This version was published by a different npm account than previous versions on 2024-11-06. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.13.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-12-18. This could indicate a legitimate maintainer transition or an account compromise.
v4.12.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.11.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.9.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-04-18. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.0
3 findings
Script: node src/postinstall.js || true
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-08. This could indicate a legitimate maintainer transition or an account compromise.
v3.22.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-30. This could indicate a legitimate maintainer transition or an account compromise.
v3.18.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-17. This could indicate a legitimate maintainer transition or an account compromise.
v3.5.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-12. This could indicate a legitimate maintainer transition or an account compromise.
v3.3.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-01. This could indicate a legitimate maintainer transition or an account compromise.
v3.1.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.