@babel/helper-compilation-targets
Helper functions on Babel compilation targets
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Babel migrated to GitHub Actions publishing; missing gitHead is a known side effect of this CI/CD workflow change, not a supply-chain risk indicator. | ai | |
| provenance | no-provenance | AI (provenance): Babel publishes via GitHub Actions without Sigstore attestation; consistent across the entire @babel/* namespace. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): jlhwung is a known Babel core team member; this reflects a legitimate team roster change within the official Babel project, not a takeover. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): developit's removal is consistent with normal Babel team transitions; paired with addition of another known Babel contributor, not a takeover signal. | ai | |
| provenance | publisher-changed | AI (provenance): Babel monorepo migrated to GitHub Actions for automated publishing; this is a legitimate CI/CD transition, not an account compromise. Consistent across all @babel/* packages. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): lru-cache is a well-established, trusted npm package; its addition for caching in a compilation-targets helper is benign and intentional. | ai | |
| dependencies | unvetted-dep:@nicolo-ribaudo/semver-v6 | AI (dependencies): This is a first-party scoped semver fork maintained by the same Babel core team member (nicolo-ribaudo) who publishes this package. The swap from semver to this fork is a deliberate, documented Babel ecosystem pattern. | ai | |
| dependencies | unvetted-dep:browserslist | AI (dependencies): browserslist is a well-established, widely-trusted package and a standard dependency in the Babel ecosystem; its presence here is expected and benign across all versions. | ai |
Versions (showing 64 of 64)
| Version | Deps | Published |
|---|---|---|
| 7.29.7 | 5 / 3 | |
| 7.28.6 | 5 / 3 | |
| 7.27.2 | 5 / 3 | |
| 7.27.1 | 5 / 3 | |
| 7.27.0 | 5 / 3 | |
| 7.26.5 | 5 / 3 | |
| 7.25.9 | 5 / 3 | |
| 7.25.7 | 5 / 3 | |
| 7.25.2 | 5 / 3 | |
| 7.24.8 | 5 / 3 | |
| 7.24.7 | 5 / 3 | |
| 7.24.6 | 5 / 3 | |
| 7.23.6 | 5 / 3 | |
| 7.22.15 | 5 / 3 | |
| 7.22.10 | 5 / 3 | |
| 7.22.9 | 5 / 4 | |
| 7.22.6 | 5 / 4 | |
| 7.22.5 | 5 / 4 | |
| 7.22.1 | 5 / 4 | |
| 7.21.5 | 5 / 4 | |
| 7.21.4 | 5 / 4 | |
| 7.20.7 | 5 / 4 | |
| 7.20.0 | 4 / 3 | |
| 7.19.3 | 4 / 3 | |
| 7.19.1 | 4 / 3 | |
| 7.19.0 | 4 / 3 | |
| 7.18.9 | 4 / 3 | |
| 7.18.6 | 4 / 3 | |
| 7.18.2 | 4 / 3 | |
| 7.17.10 | 4 / 3 | |
| 7.17.7 | 4 / 3 | |
| 7.16.7 | 4 / 3 | |
| 7.16.3 | 4 / 3 | |
| 7.16.0 | 4 / 3 | |
| 7.15.4 | 4 / 3 | |
| 7.15.0 | 4 / 3 | |
| 7.14.5 | 4 / 3 | |
| 7.14.4 | 4 / 3 | |
| 7.13.16 | 4 / 1 | |
| 7.13.13 | 4 / 1 | |
| 7.13.10 | 4 / 1 | |
| 7.13.8 | 4 / 1 | |
| 7.13.0 | 4 / 1 | |
| 7.12.17 | 4 / 1 | |
| 7.12.16 | 4 / 1 | |
| 7.12.13 | 4 / 1 | |
| 7.12.5 | 4 / 1 | |
| 7.12.1 | 4 / 1 | |
| 7.12.0 | 4 / 2 | |
| 7.10.4 | 5 / 2 | |
| 7.10.2 | 5 / 2 | |
| 7.10.1 | 5 / 2 | |
| 7.10.0 | 5 / 2 | |
| 7.9.6 | 5 / 2 | |
| 7.8.7 | 5 / 2 | |
| 7.8.6 | 5 / 2 | |
| 7.8.4 | 5 / 2 | |
| 7.8.3 | 5 / 2 | |
| 7.8.1 | 5 / 2 | |
| 7.8.0 | 5 / 2 | |
| 8.0.0-rc.3 | 5 / 3 | |
| 8.0.0-rc.2 | 5 / 3 | |
| 8.0.0-rc.1 | 5 / 3 | |
| 8.0.0-beta.4 | 5 / 3 |
v7.29.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.0-rc.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-beta.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.