gatsby — Greenflagged

Blazing fast modern site generator for React

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

piehkathmbeckserhalp-netlifymlgualtieri-gatsbyfktylerbarnesdaniellewgatsby

Keywords

bloggeneratorjekyllmarkdownreactssgwebsite

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@sigmacomputing/babel-plugin-lodash	AI (phantom-deps): Babel plugin loaded by convention in Gatsby's build pipeline; not a direct import by design.	ai	2026/04/24
phantom-deps	phantom-dep:style-to-object	AI (phantom-deps): Framework-level convention loading; stable false positive for Gatsby.	ai	2026/04/24
phantom-deps	phantom-dep:body-parser	AI (phantom-deps): Gatsby is a framework that loads many deps by convention; phantom dep findings are structural false positives for this package.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): Netlify acquired Gatsby; new maintainers with -netlify and -gatsby suffixes reflect legitimate organizational team changes, not a takeover.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of legacy maintainers is consistent with Netlify's acquisition and team restructuring of the Gatsby project.	ai	2026/04/24
dependencies	unvetted-dep:webpack-merge	AI (dependencies): webpack-merge is a mainstream, well-known webpack utility; standard dependency for a framework like Gatsby.	ai	2026/04/23
phantom-deps	phantom-dep:core-js	AI (phantom-deps): Gatsby uses core-js as a runtime polyfill loaded by convention via babel-preset-gatsby; not directly imported but legitimately used.	ai	2026/04/23
phantom-deps	phantom-dep:css-loader	AI (phantom-deps): Gatsby loads webpack loaders like css-loader dynamically via webpack config; phantom detection is a stable false positive for this framework.	ai	2026/04/23
phantom-deps	phantom-dep:babel-preset-gatsby	AI (phantom-deps): Loaded by convention as part of Gatsby's babel configuration; not directly imported but legitimately used.	ai	2026/04/23
phantom-deps	phantom-dep:react-refresh	AI (phantom-deps): Used by Gatsby's HMR infrastructure via webpack plugin; loaded by convention, not direct import.	ai	2026/04/23
dependencies	unvetted-dep:babel-loader	AI (dependencies): babel-loader is a mainstream, well-known webpack ecosystem package; standard dependency for a framework like Gatsby.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in SSR module tracking wrapper is intentional framework infrastructure for Gatsby's build system.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): pieh and serhalp-netlify are both Gatsby/Netlify team members; legitimate maintainer transition within the same org.	ai	2026/04/23
install-scripts	install-script:postinstall	AI (install-scripts): Gatsby's postinstall (node scripts/postinstall.js) is a long-standing part of the framework's install flow; stable across versions.	ai	2026/04/23

Versions (showing 100 of 1227)

Hide prereleases

Version	Deps	Published
5.16.1	167 / 30	2026-02-10
5.16.0	167 / 30	2026-01-26
5.14.1	167 / 31	2024-12-20
5.13.3	168 / 29	2024-01-25
5.12.7	167 / 29	2023-10-17
5.9.1	164 / 30	2023-05-09
4.25.9	166 / 30	2024-05-17
3.15.0	147 / 27	2022-12-07
3.14.6	147 / 27	2021-11-18
3.14.5	147 / 27	2021-10-28
3.14.4	147 / 27	2021-10-22
3.14.3	147 / 27	2021-10-15
3.14.2	148 / 27	2021-10-05
3.14.1	148 / 27	2021-09-30
3.14.0	148 / 27	2021-09-17
3.13.1	145 / 26	2021-09-16
3.13.0	145 / 26	2021-08-31
3.12.1	152 / 25	2021-08-26
3.12.0	152 / 25	2021-08-18
3.11.1	152 / 25	2021-08-09
3.11.0	152 / 25	2021-08-04
3.10.2	152 / 25	2021-07-26
3.10.1	152 / 25	2021-07-21
3.10.0	152 / 25	2021-07-20
3.9.1	152 / 25	2021-07-09
3.9.0	152 / 25	2021-07-06
3.8.1	152 / 25	2021-06-29
3.8.0	152 / 25	2021-06-22
3.7.2	153 / 24	2021-06-15
3.7.1	153 / 24	2021-06-10
3.7.0	153 / 24	2021-06-08
3.6.2	153 / 23	2021-06-02
3.6.1	153 / 23	2021-05-27
3.6.0	153 / 23	2021-05-25
3.5.1	153 / 23	2021-05-19
3.5.0	153 / 23	2021-05-11
3.4.2	154 / 23	2021-05-07
3.4.1	154 / 23	2021-05-04
3.4.0	154 / 23	2021-04-27
3.3.1	151 / 23	2021-04-19
3.3.0	151 / 23	2021-04-13
3.2.1	151 / 23	2021-04-01
3.2.0	151 / 23	2021-03-30
3.1.3	151 / 23	2021-03-30
3.1.2	151 / 23	2021-03-23
3.1.1	151 / 23	2021-03-18
3.1.0	151 / 23	2021-03-16
3.0.4	152 / 24	2021-03-09
3.0.3	152 / 24	2021-03-05
3.0.2	152 / 24	2021-03-04
3.0.1	152 / 24	2021-03-03
3.0.0	152 / 24	2021-03-02
2.32.13	154 / 25	2021-05-04
2.32.12	154 / 25	2021-04-07
2.32.11	154 / 25	2021-03-09
2.32.10	154 / 25	2021-03-08
2.32.9	154 / 25	2021-03-01
2.32.8	154 / 25	2021-02-25
2.32.7	154 / 26	2021-02-25
2.32.6	154 / 26	2021-02-24
2.32.5	154 / 26	2021-02-24
2.32.4	154 / 26	2021-02-18
2.32.3	155 / 26	2021-02-05
2.32.2	155 / 26	2021-02-04
2.32.1	155 / 26	2021-02-04
2.32.0	155 / 26	2021-02-02
2.31.1	153 / 26	2021-01-21
2.31.0	153 / 26	2021-01-19
2.30.3	153 / 26	2021-01-16
2.30.2	153 / 26	2021-01-13
2.30.1	153 / 26	2021-01-06
2.30.0	153 / 26	2021-01-05
2.29.3	153 / 26	2020-12-29
2.29.2	153 / 26	2020-12-23
2.29.1	153 / 26	2020-12-16
2.29.0	153 / 26	2020-12-15
2.28.2	153 / 26	2020-12-10
2.28.1	152 / 26	2020-12-07
2.28.0	152 / 26	2020-12-02
2.27.5	149 / 26	2020-11-30
2.27.4	149 / 26	2020-11-26
2.27.3	149 / 26	2020-11-25
2.27.2	149 / 26	2020-11-24
2.27.1	149 / 26	2020-11-23
2.27.0	149 / 26	2020-11-19
2.26.1	148 / 26	2020-11-13
2.26.0	148 / 26	2020-11-12
2.25.4	148 / 26	2020-11-11
2.25.3	148 / 26	2020-11-05
2.25.2	148 / 26	2020-11-04
2.25.1	148 / 26	2020-11-02
2.25.0	148 / 26	2020-11-02
2.24.92	148 / 26	2020-11-02
2.24.91	148 / 26	2020-10-28
2.24.90	148 / 26	2020-10-28
2.24.89	148 / 26	2020-10-27
2.24.88	148 / 26	2020-10-27
2.24.87	148 / 26	2020-10-26
2.24.86	148 / 26	2020-10-26
2.24.85	148 / 26	2020-10-22

Showing 100 of 1227 Next page →

v5.16.1

2 findings

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.16.0

3 findings

HIGH Package has 'postinstall' script install-scripts

Script: node scripts/postinstall.js

HIGH Publisher changed: pieh → serhalp-netlify (on 2026-01-26) provenance

This version was published by a different npm account than previous versions on 2026-01-26. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.14.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.13.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.12.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.9.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.25.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.