@babel/core
Babel compiler core.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Babel's publish pipeline change explains missing gitHead; nicolo-ribaudo is a trusted core maintainer. This metadata absence is not a security signal for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): @babel/core regularly adds source files across versions as the compiler evolves; 24 new files is consistent with normal Babel development cadence and not indicative of injected code. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removals reflect normal Babel team evolution over time; no indication of takeover for this established package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Babel is a large, well-governed project; maintainer rotation is normal and expected. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @jridgewell/remapping is a well-known, trusted source-map library replacing @ampproject/remapping — a straightforward, benign dependency swap. | ai | |
| provenance | publisher-changed | AI (provenance): nicolo-ribaudo is a known Babel core maintainer; the transition from jlhwung is a legitimate team change, not a takeover. | ai | |
| phantom-deps | phantom-dep:@types/gensync | AI (phantom-deps): @types/* packages are type-only and are never imported at runtime; phantom-dep firing on them is a stable false positive for any package that lists @types/* packages among its runtime dependencies. | ai | |
| bogus-package | bogus-package | AI (bogus-package): hzoo and loganfsmyth are well-known Babel project founders, not spam publishers. This is a stable false positive for @babel/core. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is fundamental to Babel's plugin/preset loading architecture; this is expected and stable behavior for @babel/core. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is not yet standard practice on npm; absence is not a security signal for established packages with strong ecosystem trust. | ai | |
| dependencies | unvetted-dep:convert-source-map | AI (dependencies): convert-source-map is a standard source-map utility; pinned constraint is safe. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @babel/core is a scoped package in the @babel namespace; no plausible confusion with 'cors'. | ai | |
| dependencies | unvetted-dep:@babel/types | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/parser | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/helpers | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/template | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/traverse | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/generator | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/helper-module-transforms | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/helper-compilation-targets | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:debug | AI (dependencies): 'debug' is a well-known, widely-used npm package; its use as a dependency in @babel/core is expected and benign. | ai | |
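The typosquat row above shows why the package scope has to enter the comparison: the scanner measured the bare name `core` against `cors` (edit distance 1) and flagged a pairing nobody would install by mistake, since `npm install cors` and `npm install @babel/core` are entirely different specifiers. The following is an added example, not the scanner's or Babel's code, of a scope-aware distance check. The function names `levenshtein`, `splitName`, `naiveDistance`, `scopedDistance` and `typosquatCandidates` are chosen here, and the candidate list (including the look-alike names `@babel/code` and `@babe1/core`) is constructed for the demo.

```javascript
// Added example (not the scanner's code): scope-aware typosquat check.

// Standard Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(
        row[j] + 1,                               // deletion
        row[j - 1] + 1,                           // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),   // substitution
      );
      diag = tmp;
    }
  }
  return row[b.length];
}

// Split "@scope/name" into its parts; unscoped names get scope null.
function splitName(name) {
  const m = /^(?:(@[^/]+)\/)?([^/]+)$/.exec(name);
  if (!m) throw new Error(`not a valid npm package name: ${name}`);
  return { scope: m[1] || null, bare: m[2] };
}

// What a naive scanner does: compare bare names only and ignore the scope.
// This is the comparison that produced the "core" vs "cors" finding above.
function naiveDistance(a, b) {
  return levenshtein(splitName(a).bare, splitName(b).bare);
}

// Scope-aware distance. A scoped name can be confused with a sibling in the
// same scope (bare-name typo) or with a look-alike scope (scope typo), but a
// scoped and an unscoped name are different install specifiers altogether.
function scopedDistance(a, b) {
  const x = splitName(a);
  const y = splitName(b);
  if (x.scope === y.scope) return levenshtein(x.bare, y.bare);
  if (x.scope && y.scope) {
    return levenshtein(x.scope, y.scope) + levenshtein(x.bare, y.bare);
  }
  return Infinity;
}

// Names within maxDistance of `name` under the scope-aware metric.
function typosquatCandidates(name, others, maxDistance = 1) {
  return others
    .filter((other) => other !== name)
    .map((other) => ({ name: other, distance: scopedDistance(name, other) }))
    .filter((c) => c.distance <= maxDistance);
}

// Constructed candidate list; the look-alike names are made up for the demo.
const CANDIDATES = ["cors", "core", "@babel/code", "@babe1/core", "@babel/types"];

console.log("naive @babel/core vs cors:", naiveDistance("@babel/core", "cors"));
console.log("scope-aware candidates:", typosquatCandidates("@babel/core", CANDIDATES));
```

The naive metric reports distance 1 for `cors`, reproducing the false positive; the scope-aware metric drops it and instead surfaces the two cases that actually matter for a scoped package, a sibling typo inside `@babel/` and a look-alike scope.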
Versions (showing 59 of 159)
| Version | Deps | Published |
|---|---|---|
| 7.13.10 | 16 / 1 | |
| 7.13.8 | 16 / 1 | |
| 7.13.1 | 16 / 1 | |
| 7.13.0 | 16 / 1 | |
| 7.12.17 | 15 / 1 | |
| 7.12.16 | 15 / 1 | |
| 7.12.13 | 15 / 1 | |
| 7.12.10 | 15 / 1 | |
| 7.12.9 | 16 / 1 | |
| 7.12.8 | 16 / 1 | |
| 7.12.7 | 16 / 1 | |
| 7.12.3 | 16 / 1 | |
| 7.12.1 | 16 / 1 | |
| 7.12.0 | 16 / 1 | |
| 7.11.6 | 16 / 1 | |
| 7.11.5 | 16 / 1 | |
| 7.11.4 | 16 / 1 | |
| 7.11.1 | 16 / 1 | |
| 7.11.0 | 16 / 1 | |
| 7.10.5 | 16 / 1 | |
| 7.10.4 | 16 / 1 | |
| 7.10.3 | 16 / 1 | |
| 7.10.2 | 16 / 1 | |
| 7.10.1 | 16 / 1 | |
| 7.10.0 | 16 / 1 | |
| 7.9.6 | 16 / 1 | |
| 7.9.0 | 16 / 1 | |
| 7.8.7 | 15 / 1 | |
| 7.8.6 | 15 / 1 | |
| 7.8.4 | 15 / 1 | |
| 7.8.3 | 15 / 1 | |
| 7.8.0 | 15 / 1 | |
| 7.7.7 | 14 / 1 | |
| 7.7.5 | 14 / 1 | |
| 7.7.4 | 14 / 1 | |
| 7.7.2 | 14 / 1 | |
| 7.7.0 | 14 / 1 | |
| 7.6.4 | 14 / 1 | |
| 7.6.3 | 14 / 1 | |
| 7.6.2 | 14 / 1 | |
| 7.6.0 | 14 / 2 | |
| 7.5.5 | 14 / 2 | |
| 7.5.4 | 14 / 2 | |
| 7.5.0 | 14 / 2 | |
| 7.4.5 | 14 / 2 | |
| 7.4.4 | 14 / 2 | |
| 7.4.3 | 14 / 2 | |
| 7.4.0 | 14 / 2 | |
| 7.3.4 | 14 / 2 | |
| 7.3.3 | 14 / 2 | |
| 7.2.2 | 14 / 2 | |
| 7.2.0 | 14 / 2 | |
| 7.1.6 | 14 / 2 | |
| 7.1.5 | 14 / 2 | |
| 7.1.2 | 14 / 2 | |
| 7.1.1 | 14 / 2 | |
| 7.1.0 | 14 / 2 | |
| 7.0.1 | 14 / 2 | |
| 7.0.0 | 14 / 2 | |
v7.13.10
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2021-03-08 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.13.8
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2021-02-26 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.13.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2021-02-23 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.13.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2021-02-22 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.12.17
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2021-02-18 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.12.16
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2021-02-11 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.12.13
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2021-02-03 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.12.10
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-12-09 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.12.9
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-11-24 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.12.8
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.12.7
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.12.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.12.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.12.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.11.6
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-09-03 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.11.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-08-31 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.11.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-08-20 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.11.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-08-04 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.11.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: jlhwung.
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-07-30 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.10.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-07-14 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.10.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-06-30 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.10.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-06-19 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.10.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.10.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.10.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.9.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.9.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.8.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.8.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.8.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.8.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.8.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.7.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.7.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.7.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.7.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.7.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.6.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.6.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.6.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.6.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.5.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2019-07-17 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.5.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2019-07-09 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.5.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
v7.4.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2019-05-21 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.4.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2019-04-26 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.4.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider asking the maintainers to enable provenance via CI/CD.
[Accepted risk] This version was published on 2019-04-02 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v7.4.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.3.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.3.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.2.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
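The three per-version checks above (gitHead present, Sigstore provenance attestation present, publishing account unchanged) can be re-derived from the public registry packument, which is what a reviewer would do before accepting or rejecting them. The following is an added example, not code from Babel or from the scanner that produced this page. The package name, account names, commit hashes and timestamps in `SAMPLE_PACKUMENT` are constructed; the registry field names (`time`, `_npmUser`, `gitHead`, `dist.attestations`) are real; `fetchPackument()` is included only to show where the live data comes from and is not called. The example also carries the caveat the accepted-risk row for `no-provenance` leaves implicit: npm's Sigstore-backed provenance only became available in April 2023, so every version listed above predates it and could not have carried an attestation.

```javascript
// Added example (not Babel's or the scanner's code): re-derive the per-version
// findings on this page from an npm registry packument.
//
// Packument fields used (real registry fields):
//   time[version]                 -> ISO publish timestamp
//   versions[v]._npmUser.name     -> npm account that ran `npm publish` for v
//   versions[v].gitHead           -> source commit, filled in by the npm CLI when
//                                    publishing from a git checkout
//   versions[v].dist.attestations -> present only when the version was published
//                                    with Sigstore provenance (npm, April 2023 on)

// npm package provenance became generally available on the public registry in
// April 2023; versions published before that cannot carry an attestation, so
// "no provenance" on them is expected rather than actionable.
const NPM_PROVENANCE_SINCE = Date.parse("2023-04-19T00:00:00Z");

// Constructed sample packument; names, hashes and dates are made up.
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  time: {
    created: "2020-06-01T00:00:00.000Z",
    modified: "2023-06-01T00:00:00.000Z",
    "1.0.0": "2020-06-01T00:00:00.000Z",
    "1.0.1": "2020-07-01T00:00:00.000Z",
    "1.1.0": "2020-08-01T00:00:00.000Z",
    "1.1.1": "2023-06-01T00:00:00.000Z",
  },
  versions: {
    "1.0.0": { _npmUser: { name: "alice" }, gitHead: "0a0a0a0a", dist: {} },
    "1.0.1": { _npmUser: { name: "alice" }, gitHead: "1b1b1b1b", dist: {} },
    // New publishing account and no gitHead: the publish environment changed.
    "1.1.0": { _npmUser: { name: "bob" }, dist: {} },
    // Published from CI with provenance: attestation bundle linked from dist.
    "1.1.1": {
      _npmUser: { name: "bob" },
      gitHead: "2c2c2c2c",
      dist: {
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.1.1",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

// Versions in the order they were published (by registry timestamp, not by
// semver), so "previous version" means the previous publish event.
function publishOrder(packument) {
  return Object.keys(packument.versions).sort(
    (a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]),
  );
}

function auditPackument(packument) {
  const findings = [];
  let prevPublisher = null;
  let anyEarlierGitHead = false;
  for (const version of publishOrder(packument)) {
    const meta = packument.versions[version];
    const publisher = meta._npmUser?.name ?? null;
    const publishedAt = packument.time[version];
    const date = publishedAt.slice(0, 10);

    // publisher-changed: a different account than the previous publish.
    if (prevPublisher !== null && publisher !== prevPublisher) {
      findings.push({ version, rule: "publisher-changed",
        detail: `${prevPublisher} -> ${publisher} on ${date}; confirm the new account is a known maintainer` });
    }
    // missing-githead: no source commit although earlier versions recorded one.
    if (!meta.gitHead && anyEarlierGitHead) {
      findings.push({ version, rule: "missing-githead",
        detail: `no gitHead but earlier versions had one; published by ${publisher}` });
    }
    // no-provenance: no attestation bundle; only actionable after npm shipped provenance.
    if (!meta.dist?.attestations) {
      const predates = Date.parse(publishedAt) < NPM_PROVENANCE_SINCE;
      findings.push({ version, rule: "no-provenance",
        detail: predates ? "predates npm provenance support; not actionable"
                         : "publish from CI with `npm publish --provenance`" });
    }
    prevPublisher = publisher;
    anyEarlierGitHead = anyEarlierGitHead || Boolean(meta.gitHead);
  }
  return findings;
}

// Fetch the real packument for a (possibly scoped) package; not called here.
async function fetchPackument(name) {
  const url = `https://registry.npmjs.org/${name.replace("/", "%2F")}`;
  const res = await fetch(url, { headers: { accept: "application/json" } });
  if (!res.ok) throw new Error(`registry returned ${res.status} for ${name}`);
  return res.json();
}

for (const f of auditPackument(SAMPLE_PACKUMENT)) {
  console.log(`${f.version.padEnd(8)} ${f.rule.padEnd(18)} ${f.detail}`);
}
```

Two caveats on reading the output. `_npmUser` and `gitHead` are self-reported by the publishing client, so they detect a changed publish environment but prove nothing about who controlled it; the publisher-changed finding is a prompt to check the account against the project's maintainer list, exactly as the accepted-risk rows above do. Likewise the presence of `dist.attestations` is only a pointer; the attestation has to be verified against the Sigstore log, which `npm audit signatures` does for an installed tree.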