@babel/helper-validator-identifier

Validate identifier/keywords name

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

hzooexistentialismnicolo-ribaudojlhwung

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Babel monorepo publish tooling change; gitHead presence varies across versions. Not a security concern for this well-established package.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Published before Sigstore provenance was standard practice; expected for older Babel versions.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Both nicolo-ribaudo and jlhwung are long-standing Babel core team members; publisher rotation is normal for @babel/* monorepo releases.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): jlhwung is a known Babel core maintainer (3368 days, 5550 approved packages); addition is legitimate.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Mass-production signal is expected for @babel/* monorepo; no-keywords is trivial for an internal helper.	ai	2026/04/24

Versions (showing 27 of 27)

Version	Deps	Published
7.29.7	0 / 2	2026-05-25
7.28.5	0 / 2	2025-10-23
7.27.1	0 / 2	2025-04-30
7.25.9	0 / 2	2024-10-22
7.25.7	0 / 2	2024-10-02
7.24.7	0 / 2	2024-06-05
7.24.6	0 / 2	2024-05-24
7.24.5	0 / 2	2024-04-29
7.22.20	0 / 2	2023-09-16
7.22.19	0 / 2	2023-09-14
7.22.18	0 / 2	2023-09-14
7.22.15	0 / 2	2023-09-04
7.22.5	0 / 2	2023-06-08
7.19.1	0 / 2	2022-09-14
7.18.6	0 / 2	2022-06-27
7.16.7	0 / 2	2021-12-31
7.15.7	0 / 2	2021-09-17
7.14.9	0 / 2	2021-08-01
7.14.8	0 / 4	2021-07-20
7.14.5	0 / 4	2021-06-09
7.14.0	0 / 4	2021-04-29
7.12.11	0 / 2	2020-12-15
7.10.4	0 / 2	2020-06-30
7.10.3	0 / 2	2020-06-19
7.10.1	0 / 2	2020-05-27
7.9.5	0 / 2	2020-04-07
7.9.0	0 / 2	2020-03-20

v7.29.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v7.27.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.25.9

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.25.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.24.7

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.24.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.24.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.22.20

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.22.19

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.22.18

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.22.15

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.22.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.19.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.18.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.16.7

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.15.7

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.14.9

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.14.8

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.14.5

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.14.0

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: jlhwung → nicolo-ribaudo (on 2021-04-29) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2021-04-29. This could indicate a legitimate maintainer transition or an account compromise.

v7.12.11

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: jlhwung → nicolo-ribaudo (on 2020-12-15) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2020-12-15. This could indicate a legitimate maintainer transition or an account compromise.

v7.10.4

2 findings

HIGH Publisher changed: nicolo-ribaudo → jlhwung (on 2020-06-30) provenance

This version was published by a different npm account than previous versions on 2020-06-30. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.10.3

2 findings

HIGH Publisher changed: nicolo-ribaudo → jlhwung (on 2020-06-19) provenance

This version was published by a different npm account than previous versions on 2020-06-19. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.10.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.9.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v7.9.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.