6to5-core — Greenflagged

Turn ES6 code into readable vanilla ES5 with source maps

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sebmck

Keywords

harmonyclassesmodulesletconstvares6transpiletranspiler6to5

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:lib/6to5/api/browser.js	AI (source-diff): This file is the browser-side transpiler API for 6to5. XHR + new Function() is the documented mechanism for fetching and executing transpiled scripts in-browser — core functionality, not malware.	ai	2026/04/24
source-diff	net-exec-file:lib/6to5/helpers/to-fast-properties.js	AI (source-diff): The eval() is dead code (after a return statement) — a documented V8 fast-properties optimization trick from Bluebird. No network calls exist in this file; the HIGH finding is a false positive for this package.	ai	2026/04/24
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in file.js resolves module formatters by name via util.resolve — standard plugin architecture for a transpiler, not arbitrary code loading.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): sebmck is Sebastian McKenzie, original author of 6to5/Babel. SPAM-FLAGGED is a false positive for this well-known developer. Package is legitimate with 4123 days of history.	ai	2026/04/23
semgrep	semgrep:eval-usage	AI (semgrep): eval() in to-fast-properties.js is an unreachable V8 fast-properties optimization hint after a return statement — a well-known legitimate pattern, not malicious.	ai	2026/04/23
phantom-deps	phantom-dep:roadrunner	AI (phantom-deps): roadrunner is a declared dependency used conditionally; not directly imported in main source but legitimately referenced in config. Expected for this transpiler.	ai	2026/04/23
phantom-deps	phantom-dep:useragent	AI (phantom-deps): useragent is a declared dependency used conditionally; not directly imported in main source but legitimately referenced in config. Expected for this transpiler.	ai	2026/04/23
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function() in browser.js is the transpiler's browser runtime executing compiled ES6 code — core functionality of a transpiler, not a supply-chain risk.	ai	2026/04/23

Versions (showing 51 of 70)

View all versions

Version	Deps	Published
3.6.5	22 / 0	2015-02-14
3.6.4	22 / 0	2015-02-14
3.6.3	22 / 0	2015-02-14
3.6.2	22 / 0	2015-02-13
3.6.1	22 / 0	2015-02-13
3.6.0	22 / 0	2015-02-12
3.5.3	22 / 0	2015-02-08
3.5.2	22 / 0	2015-02-08
3.5.1	22 / 0	2015-02-08
3.5.0	22 / 0	2015-02-08
3.4.1	22 / 0	2015-02-07
3.4.0	22 / 0	2015-02-06
3.3.12	22 / 0	2015-02-04
3.3.11	22 / 0	2015-02-04
3.3.10	22 / 0	2015-02-04
3.3.9	22 / 0	2015-02-03
3.3.7	22 / 0	2015-02-03
3.3.5	22 / 0	2015-02-03
3.3.4	22 / 0	2015-02-02
3.3.3	22 / 0	2015-02-01
3.3.2	22 / 0	2015-02-01
3.3.1	22 / 0	2015-02-01
3.3.0	22 / 0	2015-02-01
3.2.1	22 / 0	2015-01-31
3.2.0	22 / 0	2015-01-30
3.1.1	22 / 0	2015-01-30
3.1.0	22 / 0	2015-01-29
3.0.16	22 / 0	2015-01-29
3.0.15	21 / 0	2015-01-29
3.0.14	21 / 0	2015-01-29
3.0.13	21 / 0	2015-01-28
3.0.12	21 / 0	2015-01-28
3.0.11	20 / 0	2015-01-28
3.0.10	20 / 0	2015-01-28
3.0.9	20 / 0	2015-01-28
3.0.8	20 / 0	2015-01-28
3.0.7	20 / 0	2015-01-28
3.0.6	20 / 0	2015-01-28
3.0.5	20 / 0	2015-01-28
3.0.4	20 / 0	2015-01-28
3.0.3	20 / 0	2015-01-28
3.0.2	20 / 0	2015-01-28
3.0.1	20 / 0	2015-01-28
3.0.0	20 / 0	2015-01-28
2.13.7	17 / 0	2015-01-24
2.13.3	17 / 0	2015-01-18
2.13.2	17 / 0	2015-01-18
2.13.1	17 / 0	2015-01-18
2.13.0	17 / 0	2015-01-18
2.12.6	17 / 0	2015-01-16
2.12.5	17 / 0	2015-01-15