@babel/parser
A JavaScript parser
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:lib/index.d.ts | AI (source-diff): lib/index.d.ts is a legitimate TypeScript declaration file for @babel/parser's public API. Long lines are caused by large union types, not obfuscation. Stable false positive for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): developit (Jason Miller) is a reputable, well-known JS ecosystem contributor; addition to Babel org is a legitimate collaboration, not a takeover signal. | ai | |
| provenance | missing-githead | AI (provenance): Missing gitHead is a known artifact of monorepo publish tooling changes in the Babel project; not indicative of tampering for this well-established package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Babel team membership has evolved over time; removal of loganfsmyth and danez reflects known team changes, not a takeover. nicolo-ribaudo is a core Babel maintainer. | ai | |
| source-diff | obfuscated-file:lib/util/identifier.js | AI (source-diff): Long lines in identifier.js are Unicode character range tables, a standard pattern in JavaScript parsers. The file is readable, clean code — not obfuscated. | ai | |
| bogus-package | bogus-package | AI (bogus-package): hzoo and loganfsmyth are long-standing Babel core contributors; spam flag is a false positive for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): New files are source maps and parser/plugin JS files consistent with a major version bump (7.18.11→7.22.5). Expected growth for a JavaScript parser adding new language features. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @babel/types is a core Babel package added only for type definitions (explicitly documented in package.json). Not a functional runtime dependency and not an attack vector. | ai | |
| provenance | publisher-changed | AI (provenance): Babel project transitioned to GitHub Actions CI/CD publishing — a security improvement over individual account publishing. Consistent with official babel/babel monorepo governance. | ai | |
| provenance | no-provenance | AI (provenance): Babel publishes via GitHub Actions CI without Sigstore attestation; this is consistent across all @babel/* packages and is not a risk indicator. | ai | |
| typosquat | typosquat.levenshtein:parcel | AI (typosquat): @babel/parser is the official Babel JS parser under the @babel scope — a completely distinct, well-established package from 'parcel'. Levenshtein match is a stable false positive for this package. | ai | |
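Every metadata rule in the table above (no-provenance, missing-githead, publisher-changed, maintainer-added, maintainer-removed, new-deps-added) can be recomputed from the registry's packument by diffing each version against the one published before it. The script below is an added example, not the scanner that produced this page and not anything from the Babel project. It runs over a constructed packument with placeholder names (@example/parser, alice, bob, carol, release-bot); the field names it reads (time, versions[v].dist.attestations, gitHead, _npmUser, maintainers, dependencies) are the public registry's own, and the accepted-rule list is an assumption chosen to mirror this page.

```javascript
// Version-to-version audit of an npm packument (the registry's JSON document
// for a package). Added example; not the scanner behind this page and not
// Babel tooling. The packument below is constructed with placeholder names;
// the field names it uses (time, versions[v].dist.attestations, gitHead,
// _npmUser, maintainers, dependencies) are the registry's own.

// Rules this page shows under "Accepted risks". Which ones to accept is a
// per-package decision, so this list is an assumption for the example.
const ACCEPTED_RULES = new Set(["no-provenance", "missing-githead"]);

// Order versions by publish time from the packument's "time" map (its
// "created"/"modified" entries are not version keys and are ignored). This needs
// no semver library and orders prereleases such as 8.0.0-rc.1 < 8.0.0-rc.2 the
// way they were actually published.
function sortedVersions(packument) {
  return Object.keys(packument.versions)
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

function diffNames(before, after) {
  const b = new Set(before), a = new Set(after);
  return { added: [...a].filter(x => !b.has(x)), removed: [...b].filter(x => !a.has(x)) };
}

// Emit one finding per rule per version, comparing each version with the one
// published immediately before it.
function auditPackument(packument) {
  const findings = [];
  const order = sortedVersions(packument);
  order.forEach((ver, i) => {
    const v = packument.versions[ver];
    const prev = i > 0 ? packument.versions[order[i - 1]] : null;
    const emit = (rule, detail) => findings.push({ version: ver, rule, detail });

    // Sigstore provenance shows up as dist.attestations on the version entry.
    if (!v.dist || !v.dist.attestations) emit("no-provenance", "no dist.attestations");
    // gitHead is recorded when the publish ran from a git checkout.
    if (!v.gitHead) emit("missing-githead", "no gitHead recorded");
    if (prev) {
      if (prev._npmUser?.name !== v._npmUser?.name)
        emit("publisher-changed", `${prev._npmUser?.name} -> ${v._npmUser?.name}`);
      const m = diffNames((prev.maintainers || []).map(x => x.name), (v.maintainers || []).map(x => x.name));
      for (const n of m.added) emit("maintainer-added", n);
      for (const n of m.removed) emit("maintainer-removed", n);
      const d = diffNames(Object.keys(prev.dependencies || {}), Object.keys(v.dependencies || {}));
      for (const n of d.added) emit("new-deps-added", `${n}@${v.dependencies[n]}`);
    }
  });
  return findings;
}

// Split findings into ones covered by the accepted-risk list and ones that block.
function triageFindings(findings, accepted = ACCEPTED_RULES) {
  return {
    accepted: findings.filter(f => accepted.has(f.rule)),
    blocking: findings.filter(f => !accepted.has(f.rule)),
  };
}

// Constructed packument: three releases, the last one published by CI without
// provenance or gitHead, with a maintainer swap and a new dependency.
const SAMPLE_PACKUMENT = {
  name: "@example/parser",
  time: { "1.0.0": "2024-01-10T00:00:00Z", "1.1.0": "2024-03-02T00:00:00Z", "2.0.0-rc.1": "2024-06-15T00:00:00Z" },
  versions: {
    "1.0.0": {
      gitHead: "a1b2c3", _npmUser: { name: "alice" },
      maintainers: [{ name: "alice" }, { name: "bob" }], dependencies: {},
      dist: { tarball: "https://registry.example/parser-1.0.0.tgz",
              attestations: { url: "https://registry.example/attestations/1.0.0",
                              provenance: { predicateType: "https://slsa.dev/provenance/v1" } } },
    },
    "1.1.0": {
      gitHead: "d4e5f6", _npmUser: { name: "alice" },
      maintainers: [{ name: "alice" }, { name: "bob" }, { name: "carol" }], dependencies: {},
      dist: { tarball: "https://registry.example/parser-1.1.0.tgz",
              attestations: { url: "https://registry.example/attestations/1.1.0",
                              provenance: { predicateType: "https://slsa.dev/provenance/v1" } } },
    },
    "2.0.0-rc.1": {
      _npmUser: { name: "release-bot" },
      maintainers: [{ name: "alice" }, { name: "carol" }],
      dependencies: { "@example/types": "^2.0.0-rc.1" },
      dist: { tarball: "https://registry.example/parser-2.0.0-rc.1.tgz" },
    },
  },
};

function demo() {
  return triageFindings(auditPackument(SAMPLE_PACKUMENT));
}

if (typeof require !== "undefined" && require.main === module) {
  const { accepted, blocking } = demo();
  for (const f of blocking) console.log(`BLOCK   ${f.version} ${f.rule}: ${f.detail}`);
  for (const f of accepted) console.log(`accept  ${f.version} ${f.rule}: ${f.detail}`);
}
```

For a real package, fetch the packument from the registry (for example https://registry.npmjs.org/@babel%2fparser) and pass the parsed JSON to auditPackument. The accepted list only silences rules; a maintainer-removed or publisher-changed finding should still be read against the project's known governance, as the reasons in the table above do, and `npm audit signatures` is the tool-side check for whether the attestations a version does carry actually verify.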
Versions (showing 4 of 204)
| Version | Deps | Published |
|---|---|---|
| 8.0.0-rc.3 | 1 / 6 | |
| 8.0.0-rc.2 | 1 / 6 | |
| 8.0.0-rc.1 | 1 / 6 | |
| 8.0.0-beta.4 | 1 / 6 | |
v8.0.0-rc.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.2
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.1
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-beta.4
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
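The "lines over 3000 chars" finding above fires on line length alone, which is why a parser's Unicode range tables and a large .d.ts union type trip it alongside genuinely minified or obfuscated code. The triage below is an added example, not the scanner's or Babel's code: it keeps the 3000-character threshold, then classifies each long line as a numeric table, an escape-sequence table, a declaration file, an outright obfuscation marker (eval/atob/Function, or a long base64 run), or unclassified (plain minified code, which still needs a human). The file names mirror the ones in the accepted-risks table, but their contents are constructed here so the script runs offline; the 0.9 character-class fraction and the 200-character base64 run length are assumed thresholds, not values from the page.

```javascript
// Long-line triage for npm package sources. Added example; not code from the
// scanner that produced this page or from the Babel project. File names mirror
// the accepted-risks table; their contents are constructed below so this runs
// offline. The 0.9 and 200-character thresholds are assumptions.

const LONG_LINE = 3000; // the threshold behind the "lines over 3000 chars" finding

// Things that should not appear in shipped parser sources on a line this long:
// dynamic code execution and long base64 payloads.
const OBFUSCATION_MARKERS = /\beval\s*\(|\bFunction\s*\(|\batob\s*\(|fromCharCode|\bunescape\s*\(/;
const BASE64_RUN = /[A-Za-z0-9+/=]{200,}/;

// Fraction of a line's non-whitespace characters that match `set` (a single-character regex).
function fraction(line, set) {
  const chars = line.replace(/\s+/g, "");
  if (chars.length === 0) return 0;
  let hits = 0;
  for (const c of chars) if (set.test(c)) hits++;
  return hits / chars.length;
}

// Classify one line that exceeded the length threshold.
function classifyLongLine(fileName, line) {
  if (OBFUSCATION_MARKERS.test(line) || BASE64_RUN.test(line)) return "suspicious";
  if (fileName.endsWith(".d.ts")) return "declaration";                     // large union types, per the page
  if (fraction(line, /[0-9,\[\];]/) >= 0.9) return "numeric-table";         // e.g. [0, 11, 2, 25, 2, 18, ...]
  if (fraction(line, /[\\ux0-9a-fA-F"'-]/) >= 0.9) return "escape-table";   // e.g. "\xaa\xb5\u0100-\u0200..."
  return "unclassified"; // plain minified code lands here and still needs a reader
}

function scanFile(fileName, text, threshold = LONG_LINE) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    if (line.length > threshold) {
      findings.push({ file: fileName, line: idx + 1, length: line.length, kind: classifyLongLine(fileName, line) });
    }
  });
  return findings;
}

// Kinds a reviewer can accept without opening the file; anything else needs eyes.
const BENIGN_KINDS = new Set(["declaration", "numeric-table", "escape-table"]);

function triageLongLines(files) {
  const accepted = [], needsReview = [];
  for (const [name, text] of Object.entries(files)) {
    for (const f of scanFile(name, text)) (BENIGN_KINDS.has(f.kind) ? accepted : needsReview).push(f);
  }
  return { accepted, needsReview };
}

// Constructed sample contents (not the real @babel/parser files): a numeric
// code-point table, an escape-sequence string, a .d.ts union, a minified line,
// and a base64 dropper.
const SAMPLE_FILES = {
  "lib/util/identifier.js":
    "const astralIdentifierCodes = [" +
    Array.from({ length: 1200 }, (_, i) => (i * 7) % 1000).join(",") + "];\n" +
    'const nonASCIIidentifierChars = "' +
    Array.from({ length: 800 }, (_, i) => "\\u" + (0x1000 + i).toString(16)).join("") + '";\n',
  "lib/index.d.ts":
    "export type TokenType = " +
    Array.from({ length: 400 }, (_, i) => `"token_${i}"`).join(" | ") + ";\n",
  "lib/minified.js": "var a=function(b){return b+1};".repeat(120) + "\n",
  "lib/dropper.js": 'eval(atob("' + "QUJD".repeat(900) + '"));\n',
};

function demo() {
  return triageLongLines(SAMPLE_FILES);
}

if (typeof require !== "undefined" && require.main === module) {
  const { accepted, needsReview } = demo();
  for (const f of accepted) console.log(`accept  ${f.file}:${f.line} (${f.length} chars, ${f.kind})`);
  for (const f of needsReview) console.log(`REVIEW  ${f.file}:${f.line} (${f.length} chars, ${f.kind})`);
}
```

Obfuscation markers are checked before the benign patterns so that a range table with an eval bolted onto the end is not waved through, and a .d.ts file only short-circuits after that check. To run it on a real tarball, read each file under package/ into the files map and compare the needsReview list between the previous and the new version; a long line that is new and unclassified is the case the finding above is meant to surface.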