6to5
Turn ES6 code into readable vanilla ES5 with source maps
Versions: 57
License: —
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
sebmck
Keywords
harmony, classes, modules, let, const, var, es6, transpile, transpiler, 6to5
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:packages/6to5-runtime/regenerator/runtime.js | AI (source-diff): Facebook regenerator runtime bundle; legitimate runtime dependency. | ai | |
| source-diff | net-exec-file:packages/6to5-runtime/core-js.js | AI (source-diff): Bundled core-js 0.4.5 polyfill matching declared dependency; not malware. | ai | |
| source-diff | net-exec-file:lib/6to5/to-fast-properties.js | AI (source-diff): Dead-code eval after return statement; V8 fast-properties trick from Bluebird. No network calls in this file. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Core transpiler behavior: executes user-supplied transformed code in browser API; expected pattern for this package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): to-fast-properties V8 optimization trick; eval(obj) after unreachable return is a known perf pattern, not malicious. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Module formatter plugin loader; resolves user-configured module format types, stable pattern for this transpiler. | ai | |
| phantom-deps | phantom-dep:kexec | AI (phantom-deps): kexec is declared as an optionalDependency and used conditionally in CLI code; phantom-dep detection is a false positive here. | ai | |
| source-diff | net-exec-file:lib/6to5/api/browser.js | AI (source-diff): browser.js is the legitimate browser API for the 6to5 transpiler; XHR+new Function() is the documented mechanism for fetching and running transpiled scripts in-browser. Not malware. | ai | |
| phantom-deps | phantom-dep:useragent | AI (phantom-deps): useragent is a declared dependency used in server-side register/node code; false positive for this package. | ai | |
| phantom-deps | phantom-dep:roadrunner | AI (phantom-deps): roadrunner is a declared dependency used for caching in the CLI; false positive for this package. | ai | |
| source-diff | net-exec-file:lib/6to5/helpers/to-fast-properties.js | AI (source-diff): The eval() in to-fast-properties.js is dead code after a return statement — a documented V8 fast-properties optimization trick from Bluebird. No network call exists in this file. False positive for this package. | ai | |
Versions (showing 57 of 257)
| Version | Deps | Published |
|---|---|---|
| 1.9.3 | 11 / 13 | |
| 1.9.2 | 11 / 13 | |
| 1.9.1 | 11 / 13 | |
| 1.9.0 | 11 / 13 | |
| 1.8.4 | 9 / 13 | |
| 1.8.3 | 9 / 13 | |
| 1.8.2 | 9 / 13 | |
| 1.8.1 | 9 / 13 | |
| 1.8.0 | 9 / 13 | |
| 1.7.17 | 10 / 12 | |
| 1.7.16 | 10 / 12 | |
| 1.7.15 | 10 / 12 | |
| 1.7.14 | 10 / 12 | |
| 1.7.13 | 10 / 11 | |
| 1.7.12 | 10 / 11 | |
| 1.7.11 | 10 / 11 | |
| 1.7.10 | 10 / 11 | |
| 1.7.9 | 10 / 11 | |
| 1.7.8 | 10 / 11 | |
| 1.7.7 | 10 / 11 | |
| 1.7.6 | 9 / 12 | |
| 1.7.5 | 9 / 12 | |
| 1.7.4 | 9 / 12 | |
| 1.7.3 | 9 / 12 | |
| 1.7.2 | 9 / 12 | |
| 1.7.1 | 9 / 12 | |
| 1.7.0 | 9 / 11 | |
| 1.6.0 | 11 / 11 | |
| 1.5.5 | 11 / 11 | |
| 1.5.4 | 11 / 11 | |
| 1.5.3 | 11 / 11 | |
| 1.5.2 | 11 / 11 | |
| 1.5.1 | 12 / 9 | |
| 1.5.0 | 11 / 8 | |
| 1.4.0 | 10 / 8 | |
| 1.3.1 | 10 / 7 | |
| 1.3.0 | 9 / 7 | |
| 1.2.0 | 9 / 7 | |
| 1.0.1 | 9 / 7 | |
| 1.0.0 | 9 / 7 | |
| 0.2.0 | 9 / 7 | |
| 0.1.7 | 9 / 7 | |
| 0.1.6 | 9 / 2 | |
| 0.1.5 | 9 / 2 | |
| 0.1.4 | 9 / 2 | |
| 0.1.3 | 8 / 2 | |
| 0.1.2 | 8 / 2 | |
| 0.1.1 | 8 / 2 | |
| 0.1.0 | 8 / 2 | |
| 0.0.10 | 9 / 2 | |
| 0.0.9 | 9 / 2 | |
| 0.0.8 | 9 / 2 | |
| 0.0.7 | 9 / 2 | |
| 0.0.5 | 9 / 2 | |
| 0.0.4 | 9 / 2 | |
| 0.0.3 | 9 / 2 | |
| 0.0.2 | 9 / 2 | |