gatsby-theme-docz — Greenflagged

Gatsby theme created to use Docz

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

pedronauckrenatobenks

Keywords

gatsbygatsby-themedocz

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:gatsby-plugin-catch-links	AI (phantom-deps): Gatsby theme plugins are declared as deps but resolved via gatsby-config.js, not direct imports. Standard Gatsby pattern.	ai	2026/04/24
phantom-deps	phantom-dep:to-style	AI (phantom-deps): Referenced in config files; standard for Gatsby theme architecture.	ai	2026/04/24
phantom-deps	phantom-dep:@mdx-js/react	AI (phantom-deps): MDX pipeline dependency referenced in Gatsby config, not directly imported. Standard pattern.	ai	2026/04/24
phantom-deps	phantom-dep:change-case	AI (phantom-deps): Utility dep used in config/build context; phantom detection is a false positive for this Gatsby theme pattern.	ai	2026/04/24
phantom-deps	phantom-dep:styled-components	AI (phantom-deps): styled-components is injected via gatsby-plugin-styled-components config; not directly imported but legitimately used.	ai	2026/04/24
phantom-deps	phantom-dep:chokidar	AI (phantom-deps): Gatsby theme packages reference deps in config files rather than direct imports; this is standard Gatsby theme architecture.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-plugin-styled-components	AI (phantom-deps): Gatsby plugin referenced in gatsby-config.js; phantom detection is a known false positive for Gatsby theme packages.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-plugin-react-helmet	AI (phantom-deps): Gatsby plugin referenced in gatsby-config.js; phantom detection is a known false positive for Gatsby theme packages.	ai	2026/04/24
phantom-deps	phantom-dep:react-dom	AI (phantom-deps): react-dom is a peer/config dependency for Gatsby themes, not directly imported in source files.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-mdx	AI (phantom-deps): Gatsby plugin deps are referenced in gatsby-config.js programmatically; phantom detection is a false positive for this pattern.	ai	2026/04/24
phantom-deps	phantom-dep:@emotion/styled	AI (phantom-deps): Emotion packages used via Gatsby plugin pipeline; stable false positive for this theme.	ai	2026/04/24
phantom-deps	phantom-dep:emotion-theming	AI (phantom-deps): Emotion theming used via plugin pipeline; stable false positive for this theme.	ai	2026/04/24
phantom-deps	phantom-dep:mdx-utils	AI (phantom-deps): MDX utility used in build/config context; stable false positive for this Gatsby theme.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): rakannimer (Rakan Nimer) is a known Docz project maintainer/contributor; the transition from pedronauck is a legitimate org-level handoff documented in the Docz project history.	ai	2026/04/24
phantom-deps	phantom-dep:@mdx-js/mdx	AI (phantom-deps): MDX core used via gatsby-plugin-mdx pipeline, not directly imported. Stable false positive for this Gatsby theme.	ai	2026/04/24
phantom-deps	phantom-dep:babel-plugin-export-metadata	AI (phantom-deps): Babel plugin referenced in Gatsby/Babel config, not directly imported. Standard pattern.	ai	2026/04/24
phantom-deps	phantom-dep:typescript	AI (phantom-deps): TypeScript declared as dep for type support in consuming projects; not directly imported. Stable false positive.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-plugin-mdx	AI (phantom-deps): Gatsby plugins are referenced in gatsby-config.js arrays, not directly imported. This is standard Gatsby theme pattern and a stable false positive for this package.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-plugin-emotion	AI (phantom-deps): Gatsby plugin referenced in config, not directly imported. Standard Gatsby theme pattern.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-plugin-manifest	AI (phantom-deps): Gatsby plugin referenced in config, not directly imported. Standard Gatsby theme pattern.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-source-filesystem	AI (phantom-deps): Gatsby plugin referenced in config, not directly imported. Standard Gatsby theme pattern.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-plugin-alias-imports	AI (phantom-deps): Gatsby plugin referenced in config, not directly imported. Standard Gatsby theme pattern.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-plugin-react-helmet-async	AI (phantom-deps): Gatsby plugin referenced in config, not directly imported. Standard Gatsby theme pattern.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-plugin-root-import	AI (phantom-deps): Gatsby plugin referenced in config, not directly imported. Standard Gatsby theme pattern.	ai	2026/04/24
phantom-deps	phantom-dep:gatsby-plugin-compile-es6-packages	AI (phantom-deps): Gatsby plugin referenced in config, not directly imported. Standard Gatsby theme pattern.	ai	2026/04/24
phantom-deps	phantom-dep:@loadable/component	AI (phantom-deps): Referenced in Gatsby config/build setup rather than direct import; stable false positive for this Gatsby theme.	ai	2026/04/24

Versions (showing 15 of 15)

Version	Deps	Published
2.4.0	36 / 0	2022-02-11
2.3.1	36 / 3	2020-04-05
2.3.0	36 / 3	2020-04-02
2.2.0	37 / 3	2019-12-11
2.1.0	34 / 3	2019-11-27
2.0.0	34 / 3	2019-11-25
1.2.0	28 / 8	2019-05-08
1.1.0	28 / 8	2019-05-01
1.0.4	28 / 7	2019-04-18
1.0.3	28 / 7	2019-04-15
1.0.2	28 / 7	2019-04-15
1.0.1	28 / 7	2019-04-14
1.0.0	28 / 7	2019-04-11
0.13.5	24 / 7	2019-02-08
0.0.1	0 / 0	2018-11-16

v2.4.0

2 findings

HIGH Publisher changed: rakannimer → renatobenks (on 2022-02-11) provenance

This version was published by a different npm account than previous versions on 2022-02-11. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance