Gathering detailed insights and metrics for @netlify/plugin-gatsby
Gathering detailed insights and metrics for @netlify/plugin-gatsby
A build plugin to integrate Gatsby seamlessly with Netlify
Installations
npm install @netlify/plugin-gatsbyDeveloper Guide
BETA
Typescript
No
Module System
CommonJS
Min. Node Version
>=14.17.0
Node Version
24.1.0
NPM Version
11.3.0
Releases
43
plugin-gatsby: v3.8.4
plugin-gatsby-v3.8.4
Updated on Jun 06, 2025
plugin-gatsby: v3.8.3
plugin-gatsby-v3.8.3
Updated on Mar 13, 2025
plugin-gatsby: v3.8.2
plugin-gatsby-v3.8.2
Updated on Jan 21, 2025
plugin-gatsby: v3.8.1
plugin-gatsby-v3.8.1
Updated on Apr 17, 2024
plugin-gatsby: v3.8.0
plugin-gatsby-v3.8.0
Updated on Dec 04, 2023
plugin-gatsby: v3.7.2
plugin-gatsby-v3.7.2
Updated on Oct 09, 2023
Languages
4
TypeScript
JavaScript
CSS
Shell
TypeScript (81.83%)
JavaScript (17.25%)
CSS (0.51%)
Shell (0.41%)
Developer
Download Statistics
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
GitHub Statistics
MIT License
97 Stars
706 Commits
19 Forks
5 Watchers
57 Branches
29 Contributors
Updated on Jul 14, 2025
Maintainers
16
Package Meta Information
Latest Version
3.8.4
Package Id
@netlify/plugin-gatsby@3.8.4
Unpacked Size
121.98 kB
Size
31.85 kB
File Count
22
NPM Version
11.3.0
Node Version
24.1.0
Published on
Jun 06, 2025
Total Downloads
Cumulative downloads
Total Downloads
NaN
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
17
Peer Dependencies
2
Essential Gatsby Plugin
The Essential Gatsby build plugin enables caching of builds, SSR and DSG render modes, image CDN and Gatsby Functions. It is installed automatically for all new Gatsby sites.
Note:
- Essential Gatsby includes functionality from the Gatsby Cache build plugin. If you already have the Gatsby Cache plugin installed on your Netlify site, you should remove it before installing this plugin.
- Essential Gatsby is not compatible with the Gatsby community plugin gatsby-plugin-netlify-cache.
Installation
Gatsby sites need two plugins to support all features.
- The Netlify build plugin, called "Essential Gatsby" or
@netlify/plugin-gatsby. This is installed automatically for all Gatsby sites deployed to Netlify. - The Gatsby plugin
gatsby-plugin-netlify. This needs to be manually installed.
Installing the Netlify build plugin
New Gatsby sites on Netlify automatically install the Essential Gatsby build plugin. You can confirm this in the build logs. If you need to install it manually, you have two options:
-
The Netlify UI. Here, you can search for "Essential Gatsby" and install the plugin.
-
File-based plugin installation. You can install the plugin as
@netlify/plugin-gatsbyin yournetlify.tomlfile.
Install the Gatsby Plugin
You should also install the Gatsby plugin gatsby-plugin-netlify. This is required for SSR and DSG pages, and adds support for Gatsby redirects and asset caching rules:
- Add the package as a dependency:
1npm install -D gatsby-plugin-netlify
- Then add the following to your
gatsby-config.jsfile:
1module.exports = { 2 plugins: ['gatsby-plugin-netlify'], 3}
See the gatsby-plugin-netlify docs for more information, including optional plugin configuration.
Disabling Netlify functions
In order to support Gatsby Functions and DSG and SSR render modes, this plugin
generates four Netlify Functions called __api, __ssr, __dsg and _ipx. If
you are not using any of these modes, then you can disable the creation of these
functions. If you are using the latest version of gatsby-plugin-netlify then
this will be handled automatically, disabling functions if the site has no
Gatsby Functions, or DSG/SSR pages. Otherwise, you can do this manually by
setting the environment variable NETLIFY_SKIP_GATSBY_FUNCTIONS to true. Be
aware that if you do this, any DSG or SSR pages will not work, and nor will any
Gatsby Functions or the remote image CDN.
Gatsby Image CDN
Gatsby includes beta support for deferred image resizing using a CDN. Netlify includes full support for Image CDN on all plans. For details on how to enable it, see the image CDN docs.
Caveats
Currently you cannot use StaticImage or gatsby-transformer-sharp in SSR or
DSG pages. Support for Gatsby Image CDN is coming soon. The best workaround is
to use an image CDN such as
Cloudinary
or imgix to host your images. This will give
you faster builds and rendering too.
Local development
When developing Gatsby Functions it is usually easier to use the built-in
gatsby develop functions server. However if you want to try the Netlify
functions wrapper it will run via netlify dev. You should be sure to run
netlify build first, so that the wrappers are generated and the functions
copied across.
Netlify Background and Scheduled Functions
In order to use Netlify Background or Netlify Scheduled Functions in your Gatsby project, you will need to create a netlify/functions directory at the root of the project, and put the Functions in there.
Once that's completed, the Background or Scheduled Function can be invoked like an ordinary Gatsby function.
No vulnerabilities found.
Reason
30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.md:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release-please.yml:7
Reason
security policy file detected
Details
- Info: security policy file detected: github.com/netlify/.github/SECURITY.md:1
- Info: Found linked content: github.com/netlify/.github/SECURITY.md:1
- Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy
- Info: Found text in security policy: github.com/netlify/.github/SECURITY.md:1
Reason
dependency not pinned by hash detected -- score normalized to 3
Details
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/add-to-project.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/add-to-project.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/add-to-project.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/add-to-project.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/add-zenhub-label.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/add-zenhub-label.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/fossa.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/fossa.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/labeler.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/labeler.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pre-release.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/pre-release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pre-release.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/pre-release.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-please.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/release-please.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-please.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/release-please.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release-please.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/release-please.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/release-please.yml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/release-please.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:42: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:53: update your workflow using https://app.stepsecurity.io/secureworkflow/netlify/netlify-plugin-gatsby/test.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: plugin/test/v3-e2e-test.sh:7
- Warn: npmCommand not pinned by hash: plugin/test/v4-e2e-test.sh:7
- Warn: npmCommand not pinned by hash: plugin/test/v5-e2e-test.sh:7
- Warn: downloadThenRun not pinned by hash: .github/workflows/fossa.yml:22
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:33
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:60
- Info: 0 out of 15 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 5 third-party GitHubAction dependencies pinned
- Info: 6 out of 11 npmCommand dependencies pinned
- Info: 0 out of 1 downloadThenRun dependencies pinned
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: no topLevel permission defined: .github/workflows/add-to-project.yml:1
- Warn: no topLevel permission defined: .github/workflows/add-zenhub-label.yml:1
- Warn: no topLevel permission defined: .github/workflows/fossa.yml:1
- Warn: no topLevel permission defined: .github/workflows/labeler.yml:1
- Warn: no topLevel permission defined: .github/workflows/pre-release.yml:1
- Warn: no topLevel permission defined: .github/workflows/release-please.yml:1
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
- Info: no jobLevel write permissions found
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 30 are checked with a SAST tool
Reason
58 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8
- Warn: Project is vulnerable to: GHSA-xq7p-g2vc-g82p
- Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7
- Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw
- Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg
- Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-w573-4hg7-7wgq
- Warn: Project is vulnerable to: GHSA-4gmj-3p3h-gm8h
- Warn: Project is vulnerable to: GHSA-rv95-896h-c2vc
- Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx
- Warn: Project is vulnerable to: GHSA-h2pm-378c-pcxx
- Warn: Project is vulnerable to: GHSA-7ch4-rr99-cqcw
- Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv
- Warn: Project is vulnerable to: GHSA-7hpj-7hhx-2fgx
- Warn: Project is vulnerable to: GHSA-44fp-w29j-9vj5
- Warn: Project is vulnerable to: GHSA-4pg4-qvpc-4q3h
- Warn: Project is vulnerable to: GHSA-g5hg-p3ph-g8qg
- Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w
- Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j
- Warn: Project is vulnerable to: GHSA-rm97-x556-q36h
- Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw
- Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg
- Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p
- Warn: Project is vulnerable to: GHSA-54xq-cgqr-rpm3
- Warn: Project is vulnerable to: GHSA-pq67-2wwv-3xjx
- Warn: Project is vulnerable to: GHSA-8cj5-5rvv-wf4v
- Warn: Project is vulnerable to: GHSA-5r9g-qh6m-jxff
- Warn: Project is vulnerable to: GHSA-r6ch-mqf9-qc9w
- Warn: Project is vulnerable to: GHSA-wqq4-5wpv-mx2g
- Warn: Project is vulnerable to: GHSA-3787-6prv-h9w3
- Warn: Project is vulnerable to: GHSA-9qxr-qj54-h672
- Warn: Project is vulnerable to: GHSA-m4v8-wqvr-p9f7
- Warn: Project is vulnerable to: GHSA-c76h-2ccp-4975
- Warn: Project is vulnerable to: GHSA-cxrh-j4jr-qwg3
- Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7
- Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92
- Warn: Project is vulnerable to: GHSA-wf5p-g6vw-rhxx
- Warn: Project is vulnerable to: GHSA-jr5f-v2jv-69x6
- Warn: Project is vulnerable to: GHSA-q9mw-68c2-j6m5
- Warn: Project is vulnerable to: GHSA-pfrx-2q88-qq97
- Warn: Project is vulnerable to: GHSA-rc47-6667-2j5j
- Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h
- Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55
- Warn: Project is vulnerable to: GHSA-7fh5-64p2-3v2j
- Warn: Project is vulnerable to: GHSA-rjqq-98f6-6j3r
- Warn: Project is vulnerable to: GHSA-mjxr-4v3x-q3m4
- Warn: Project is vulnerable to: GHSA-cgfm-xwp7-2cvr
- Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5
- Warn: Project is vulnerable to: GHSA-25hc-qcg6-38wj
- Warn: Project is vulnerable to: GHSA-fhg7-m89q-25r3
- Warn: Project is vulnerable to: GHSA-hc6q-2mpp-qw7j
- Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986
- Warn: Project is vulnerable to: GHSA-wr3j-pwj9-hqq6
- Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q
- Warn: Project is vulnerable to: GHSA-3rfm-jhwj-7488
- Warn: Project is vulnerable to: GHSA-hhq3-ff78-jv3g
- Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3
Score
5.5
/10
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More