gatsby-telemetry — Greenflagged

Gatsby Telemetry

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mlgualtieri-gatsbyserhalp-netlifykathmbeckpiehtylerbarnesdaniellewgatsbyfk

Keywords

telemetry

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:async-retry-ng	AI (phantom-deps): async-retry-ng is a declared runtime dep in the official Gatsby telemetry package; phantom-dep flag is a false positive for this package's usage pattern.	ai	2026/04/24
dependencies	unvetted-dep:async-retry-ng	AI (dependencies): async-retry-ng is a declared dependency of gatsby-telemetry in the official Gatsby monorepo; its use is consistent with the package's retry logic for telemetry HTTP calls.	ai	2026/04/24
provenance	no-provenance	AI (provenance): gatsby-telemetry is a well-established Gatsby monorepo package; lack of Sigstore provenance is a process gap, not a security risk for this package.	ai	2026/04/24
phantom-deps	phantom-dep:node-fetch	AI (phantom-deps): node-fetch is a declared runtime dependency in package.json; phantom-dep false positive for compiled TypeScript packages where imports appear in lib/ output.	ai	2026/04/24
phantom-deps	phantom-dep:@babel/code-frame	AI (phantom-deps): @babel/code-frame is a declared runtime dependency; framework-scoped usage is expected in Gatsby packages. Stable false positive.	ai	2026/04/24
install-scripts	install-script:postinstall	AI (install-scripts): gatsby-telemetry's postinstall (node src/postinstall.js \|\| true) is a long-standing telemetry opt-out notification script, stable across hundreds of versions. Not a risk.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Publisher change from pieh to serhalp-netlify reflects Netlify's acquisition of Gatsby; serhalp-netlify is a verified Netlify-affiliated account with strong track record (5550 approved, 0 rejected).	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers mlgualtieri-gatsby and serhalp-netlify are Netlify/Gatsby org accounts consistent with the documented Netlify acquisition of Gatsby.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): child_process is used in repository-id.js to run git commands for telemetry repo identification — expected and stable behavior for this package.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of legacy Gatsby maintainers is consistent with the Netlify acquisition transition; not indicative of a malicious takeover.	ai	2026/04/23

Versions (showing 100 of 157)

Version	Deps	Published
4.14.0	5 / 6	2024-11-06
4.13.0	12 / 6	2023-12-18
4.12.1	12 / 6	2023-10-26
4.11.0	12 / 6	2023-06-15
4.9.0	12 / 6	2023-04-18
4.0.0	12 / 6	2022-11-08
3.22.0	12 / 6	2022-08-30
3.18.1	13 / 6	2022-07-12
3.5.2	13 / 6	2022-01-17
3.5.1	13 / 6	2022-01-12
3.3.0	13 / 10	2021-12-01
3.1.2	13 / 10	2021-11-11
2.15.0	14 / 10	2022-12-07
2.14.0	14 / 10	2021-09-17
2.13.0	14 / 10	2021-08-31
2.12.0	14 / 10	2021-08-18
2.11.0	14 / 10	2021-08-04
2.10.0	14 / 10	2021-07-20
2.9.0	14 / 10	2021-07-06
2.8.0	14 / 10	2021-06-22
2.7.1	14 / 10	2021-06-10
2.7.0	14 / 10	2021-06-08
2.6.0	14 / 10	2021-05-25
2.5.0	14 / 10	2021-05-11
2.4.1	14 / 10	2021-05-04
2.4.0	14 / 10	2021-04-27
2.3.0	14 / 10	2021-04-13
2.2.0	14 / 10	2021-03-30
2.1.0	14 / 10	2021-03-16
2.0.0	14 / 10	2021-03-02
1.10.2	14 / 10	2021-05-04
1.10.1	14 / 10	2021-02-24
1.10.0	14 / 10	2021-02-02
1.9.0	14 / 10	2021-01-19
1.8.1	14 / 10	2021-01-13
1.8.0	14 / 10	2021-01-05
1.7.1	14 / 10	2020-12-23
1.7.0	14 / 10	2020-12-15
1.6.0	14 / 10	2020-12-02
1.5.1	15 / 10	2020-11-25
1.5.0	15 / 10	2020-11-19
1.4.1	15 / 10	2020-11-13
1.4.0	15 / 10	2020-11-12
1.3.40	15 / 10	2020-11-04
1.3.39	15 / 10	2020-11-02
1.3.38	15 / 10	2020-10-06
1.3.37	15 / 10	2020-10-01
1.3.36	15 / 10	2020-09-28
1.3.35	15 / 10	2020-09-16
1.3.34	15 / 10	2020-09-15
1.3.33	15 / 10	2020-09-14
1.3.32	15 / 10	2020-09-08
1.3.31	15 / 10	2020-09-07
1.3.30	15 / 8	2020-08-28
1.3.29	15 / 8	2020-08-26
1.3.28	15 / 8	2020-08-24
1.3.27	15 / 8	2020-08-11
1.3.26	15 / 8	2020-08-05
1.3.25	15 / 8	2020-08-03
1.3.24	15 / 8	2020-07-30
1.3.23	12 / 8	2020-07-24
1.3.22	12 / 8	2020-07-22
1.3.21	12 / 8	2020-07-21
1.3.20	12 / 8	2020-07-20
1.3.19	12 / 8	2020-07-09
1.3.18	12 / 8	2020-07-03
1.3.17	17 / 8	2020-07-02
1.3.16	17 / 8	2020-07-01
1.3.14	17 / 8	2020-06-24
1.3.13	17 / 8	2020-06-22
1.3.12	17 / 8	2020-06-19
1.3.11	17 / 8	2020-06-09
1.3.10	17 / 8	2020-06-02
1.3.9	17 / 8	2020-05-22
1.3.8	17 / 8	2020-05-20
1.3.7	17 / 8	2020-05-20
1.3.6	17 / 8	2020-05-19
1.3.5	17 / 8	2020-05-18
1.3.4	17 / 8	2020-05-13
1.3.3	17 / 8	2020-05-08
1.3.2	17 / 8	2020-05-05
1.3.1	17 / 8	2020-05-01
1.3.0	17 / 8	2020-04-27
1.2.6	17 / 8	2020-04-24
1.2.5	17 / 8	2020-04-17
1.2.4	17 / 8	2020-04-16
1.2.3	17 / 8	2020-04-01
1.2.2	17 / 8	2020-03-25
1.2.1	17 / 8	2020-03-23
1.2.0	17 / 8	2020-03-20
1.1.56	17 / 8	2020-03-16
1.1.55	17 / 8	2020-03-12
1.1.54	17 / 8	2020-03-11
1.1.53	17 / 8	2020-03-10
1.1.52	17 / 8	2020-03-09
1.1.51	17 / 8	2020-03-06
1.1.50	17 / 8	2020-03-06
1.1.49	17 / 8	2020-02-01
1.1.48	17 / 8	2020-01-29
1.1.47	17 / 8	2020-01-09

Showing 100 of 157 Next page →

v4.14.0

2 findings

HIGH Publisher changed: pieh → serhalp-netlify (on 2024-11-06) provenance

This version was published by a different npm account than previous versions on 2024-11-06. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.13.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: lekoarts → pieh (on 2023-12-18) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2023-12-18. This could indicate a legitimate maintainer transition or an account compromise.

v4.12.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.11.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.9.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: pieh → lekoarts (on 2023-04-18) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2023-04-18. This could indicate a legitimate maintainer transition or an account compromise.

v4.0.0

3 findings

HIGH Package has 'postinstall' script install-scripts

Script: node src/postinstall.js || true

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: marvinjudehk → pieh (on 2022-11-08) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-08. This could indicate a legitimate maintainer transition or an account compromise.

v3.22.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: marvinjudehk → pieh (on 2022-08-30) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2022-08-30. This could indicate a legitimate maintainer transition or an account compromise.

v3.18.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.2

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: lekoarts → marvinjudehk (on 2022-01-17) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-17. This could indicate a legitimate maintainer transition or an account compromise.

v3.5.1

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: wardpeet → lekoarts (on 2022-01-12) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2022-01-12. This could indicate a legitimate maintainer transition or an account compromise.

v3.3.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: lekoarts → wardpeet (on 2021-12-01) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2021-12-01. This could indicate a legitimate maintainer transition or an account compromise.

v3.1.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.