gatsby-transformer-sharp
Versions: 2
License: —
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
pieh, kathmbeck, serhalp-netlify, mlgualtieri-gatsby, fk, tylerbarnes, daniellewgatsby
Keywords
gatsby, gatsby-plugin, image, sharp
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:child-process-import | AI (semgrep): safe-sharp.js child_process usage is documented Gatsby pattern for Sharp subprocess isolation; stable across versions. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): Babel-compiled monorepo package; imports appear in compiled output not directly traceable by static analysis. | ai | |
| phantom-deps | phantom-dep:bluebird | AI (phantom-deps): Same Babel-compiled monorepo false positive pattern. | ai | |
| phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): Same Babel-compiled monorepo false positive pattern. | ai | |
| phantom-deps | phantom-dep:common-tags | AI (phantom-deps): Same Babel-compiled monorepo false positive pattern. | ai | |
| phantom-deps | phantom-dep:probe-image-size | AI (phantom-deps): Same Babel-compiled monorepo false positive pattern. | ai | |
| phantom-deps | phantom-dep:gatsby-plugin-utils | AI (phantom-deps): Same Babel-compiled monorepo false positive pattern. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped runtime dep loaded by convention in Babel-compiled packages. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Official Gatsby monorepo plugin; mass-production signal is expected, empty index.js is intentional (compiled output pattern). | ai | |
v5.15.0: 1 finding
LOW: No provenance attestation (rule: provenance)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.