6to5
Turn ES6 code into readable vanilla ES5 with source maps
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:packages/6to5-runtime/regenerator/runtime.js | AI (source-diff): Facebook regenerator runtime bundle; legitimate runtime dependency. | ai | |
| source-diff | net-exec-file:packages/6to5-runtime/core-js.js | AI (source-diff): Bundled core-js 0.4.5 polyfill matching declared dependency; not malware. | ai | |
| source-diff | net-exec-file:lib/6to5/to-fast-properties.js | AI (source-diff): Dead-code eval after return statement; V8 fast-properties trick from Bluebird. No network calls in this file. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Core transpiler behavior: executes user-supplied transformed code in browser API; expected pattern for this package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): to-fast-properties V8 optimization trick; eval(obj) after unreachable return is a known perf pattern, not malicious. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Module formatter plugin loader; resolves user-configured module format types, stable pattern for this transpiler. | ai | |
| phantom-deps | phantom-dep:kexec | AI (phantom-deps): kexec is declared as an optionalDependency and used conditionally in CLI code; phantom-dep detection is a false positive here. | ai | |
| source-diff | net-exec-file:lib/6to5/api/browser.js | AI (source-diff): browser.js is the legitimate browser API for the 6to5 transpiler; XHR+new Function() is the documented mechanism for fetching and running transpiled scripts in-browser. Not malware. | ai | |
| phantom-deps | phantom-dep:useragent | AI (phantom-deps): useragent is a declared dependency used in server-side register/node code; false positive for this package. | ai | |
| phantom-deps | phantom-dep:roadrunner | AI (phantom-deps): roadrunner is a declared dependency used for caching in the CLI; false positive for this package. | ai | |
| source-diff | net-exec-file:lib/6to5/helpers/to-fast-properties.js | AI (source-diff): The eval() in to-fast-properties.js is dead code after a return statement — a documented V8 fast-properties optimization trick from Bluebird. No network call exists in this file. False positive for this package. | ai | |
Versions (showing 100 of 257)
| Version | Deps | Published |
|---|---|---|
| 3.6.5 | 23 / 12 | |
| 3.6.4 | 23 / 12 | |
| 3.6.3 | 23 / 12 | |
| 3.6.2 | 23 / 12 | |
| 3.6.1 | 23 / 12 | |
| 3.6.0 | 23 / 12 | |
| 3.5.3 | 24 / 11 | |
| 3.5.2 | 24 / 11 | |
| 3.5.1 | 24 / 11 | |
| 3.5.0 | 24 / 11 | |
| 3.4.1 | 24 / 11 | |
| 3.4.0 | 24 / 11 | |
| 3.3.12 | 24 / 11 | |
| 3.3.11 | 24 / 11 | |
| 3.3.10 | 24 / 11 | |
| 3.3.9 | 24 / 11 | |
| 3.3.7 | 24 / 11 | |
| 3.3.5 | 24 / 11 | |
| 3.3.4 | 24 / 11 | |
| 3.3.3 | 24 / 11 | |
| 3.3.2 | 24 / 11 | |
| 3.3.1 | 24 / 11 | |
| 3.3.0 | 24 / 11 | |
| 3.2.1 | 24 / 11 | |
| 3.2.0 | 24 / 11 | |
| 3.1.1 | 24 / 10 | |
| 3.1.0 | 24 / 10 | |
| 3.0.16 | 24 / 10 | |
| 3.0.15 | 23 / 10 | |
| 3.0.14 | 23 / 10 | |
| 3.0.13 | 23 / 10 | |
| 3.0.12 | 23 / 10 | |
| 3.0.11 | 22 / 10 | |
| 3.0.10 | 22 / 10 | |
| 3.0.9 | 22 / 10 | |
| 3.0.8 | 22 / 10 | |
| 3.0.7 | 22 / 10 | |
| 3.0.6 | 22 / 10 | |
| 3.0.5 | 22 / 10 | |
| 3.0.4 | 22 / 10 | |
| 3.0.3 | 22 / 10 | |
| 3.0.2 | 22 / 10 | |
| 3.0.1 | 22 / 10 | |
| 3.0.0 | 22 / 10 | |
| 2.13.7 | 19 / 8 | |
| 2.13.6 | 19 / 8 | |
| 2.13.5 | 19 / 8 | |
| 2.13.4 | 19 / 8 | |
| 2.13.3 | 19 / 8 | |
| 2.13.2 | 19 / 8 | |
| 2.13.1 | 19 / 8 | |
| 2.13.0 | 19 / 8 | |
| 2.12.6 | 19 / 8 | |
| 2.12.5 | 19 / 8 | |
| 2.12.4 | 19 / 8 | |
| 2.12.3 | 19 / 8 | |
| 2.12.2 | 19 / 8 | |
| 2.12.1 | 19 / 8 | |
| 2.12.0 | 19 / 8 | |
| 2.11.4 | 19 / 8 | |
| 2.11.3 | 19 / 8 | |
| 2.11.2 | 19 / 8 | |
| 2.11.1 | 19 / 8 | |
| 2.11.0 | 19 / 8 | |
| 2.10.1 | 19 / 8 | |
| 2.10.0 | 19 / 8 | |
| 2.9.4 | 19 / 8 | |
| 2.9.3 | 19 / 8 | |
| 2.9.2 | 19 / 8 | |
| 2.9.1 | 19 / 8 | |
| 2.9.0 | 19 / 8 | |
| 2.8.2 | 19 / 8 | |
| 2.8.1 | 19 / 8 | |
| 2.8.0 | 19 / 8 | |
| 2.7.4 | 19 / 8 | |
| 2.7.3 | 19 / 8 | |
| 2.7.2 | 19 / 8 | |
| 2.7.1 | 19 / 8 | |
| 2.7.0 | 19 / 8 | |
| 2.6.3 | 19 / 8 | |
| 2.6.2 | 19 / 8 | |
| 2.6.1 | 19 / 8 | |
| 2.6.0 | 19 / 8 | |
| 2.5.0 | 18 / 8 | |
| 2.4.10 | 18 / 8 | |
| 2.4.9 | 18 / 8 | |
| 2.4.8 | 18 / 8 | |
| 2.4.7 | 18 / 8 | |
| 2.4.6 | 18 / 8 | |
| 2.4.5 | 18 / 8 | |
| 2.4.4 | 18 / 8 | |
| 2.4.3 | 18 / 8 | |
| 2.4.2 | 18 / 8 | |
| 2.4.1 | 18 / 8 | |
| 2.4.0 | 18 / 8 | |
| 2.3.2 | 18 / 8 | |
| 2.3.1 | 18 / 8 | |
| 2.3.0 | 18 / 8 | |
| 2.2.0 | 18 / 8 | |
| 2.1.0 | 18 / 8 | |
v3.6.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.0
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.4
3 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.3
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.2
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.1
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.13.0
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.12.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.12.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.12.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.12.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.12.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.12.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.11.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.11.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.11.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.11.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.11.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.10.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.10.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.9.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.8.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.7.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.5.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.4.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.3.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.2.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.