@babel/plugin-proposal-decorators
Compile class and object decorators to ES5
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): jlhwung is a trusted Babel core team publisher with 148 packages and strong approval history; publisher rotation within the Babel team is expected and not a risk signal for this package. | ai | |
| phantom-deps | phantom-dep:charcodes | AI (phantom-deps): charcodes is properly declared in dependencies; it's a legitimate utility used by the decorators plugin. False positive. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (charcodes, @babel/helper-replace-supers) are established Babel ecosystem packages; no malicious indicators. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase correlates with new decorator feature implementation, not payload injection. No obfuscation or suspicious patterns. | ai | |
| dependencies | unvetted-dep:charcodes | AI (dependencies): charcodes is a legitimate, widely-used Babel ecosystem utility for character code constants. Not a security concern for this package. | ai | |
| provenance | missing-githead | AI (provenance): Missing gitHead is an infrastructure signal, not a code risk. Babel's publish process may have changed; not disqualifying for an established package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer changes in Babel are normal team reorganization. Publisher nicolo-ribaudo has strong track record; no takeover indicators. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of prior maintainers is consistent with normal team transitions in large projects; not a disqualifier when combined with established publisher. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Spam signal references historical maintainer hzoo, not current publisher nicolo-ribaudo. Not a current risk. | ai | |
| provenance | no-provenance | AI (provenance): Official Babel monorepo package published via GitHub Actions CI/CD. Lack of Sigstore provenance is common and not a meaningful risk signal for this well-established package family. | ai | |
Versions (showing 84 of 84)
| Version | Deps | Published |
|---|---|---|
| 7.29.7 | 3 / 6 | |
| 7.29.0 | 3 / 6 | |
| 7.28.6 | 3 / 6 | |
| 7.28.0 | 3 / 6 | |
| 7.27.1 | 3 / 6 | |
| 7.25.9 | 3 / 6 | |
| 7.25.7 | 3 / 6 | |
| 7.24.7 | 3 / 6 | |
| 7.24.6 | 3 / 6 | |
| 7.24.1 | 3 / 6 | |
| 7.24.0 | 3 / 6 | |
| 7.23.9 | 3 / 6 | |
| 7.23.7 | 3 / 6 | |
| 7.23.6 | 6 / 8 | |
| 7.23.5 | 5 / 8 | |
| 7.23.3 | 5 / 8 | |
| 7.23.2 | 5 / 8 | |
| 7.23.0 | 5 / 8 | |
| 7.22.15 | 5 / 8 | |
| 7.22.10 | 5 / 8 | |
| 7.22.7 | 5 / 8 | |
| 7.22.6 | 5 / 8 | |
| 7.22.5 | 5 / 8 | |
| 7.22.3 | 5 / 8 | |
| 7.22.0 | 5 / 8 | |
| 7.21.0 | 5 / 8 | |
| 7.20.13 | 5 / 8 | |
| 7.20.7 | 5 / 8 | |
| 7.20.5 | 5 / 8 | |
| 7.20.2 | 5 / 8 | |
| 7.20.0 | 5 / 8 | |
| 7.19.6 | 5 / 8 | |
| 7.19.3 | 5 / 8 | |
| 7.19.1 | 5 / 8 | |
| 7.19.0 | 5 / 8 | |
| 7.18.10 | 5 / 8 | |
| 7.18.9 | 5 / 7 | |
| 7.18.6 | 5 / 7 | |
| 7.18.2 | 6 / 5 | |
| 7.17.12 | 6 / 5 | |
| 7.17.9 | 6 / 5 | |
| 7.17.8 | 5 / 5 | |
| 7.17.2 | 5 / 5 | |
| 7.17.0 | 5 / 5 | |
| 7.16.7 | 3 / 5 | |
| 7.16.5 | 3 / 5 | |
| 7.16.4 | 3 / 4 | |
| 7.16.0 | 3 / 4 | |
| 7.15.8 | 3 / 4 | |
| 7.15.4 | 3 / 4 | |
| 7.14.5 | 3 / 4 | |
| 7.14.2 | 3 / 4 | |
| 7.13.15 | 3 / 4 | |
| 7.13.5 | 3 / 4 | |
| 7.13.0 | 3 / 4 | |
| 7.12.13 | 3 / 4 | |
| 7.12.12 | 3 / 4 | |
| 7.12.1 | 3 / 2 | |
| 7.10.5 | 3 / 2 | |
| 7.10.4 | 3 / 2 | |
| 7.10.3 | 3 / 2 | |
| 7.10.1 | 3 / 2 | |
| 7.10.0 | 3 / 2 | |
| 7.8.3 | 3 / 2 | |
| 7.8.0 | 3 / 2 | |
| 7.7.4 | 3 / 2 | |
| 7.7.0 | 3 / 2 | |
| 7.6.0 | 3 / 2 | |
| 7.4.4 | 3 / 2 | |
| 7.4.0 | 3 / 2 | |
| 7.3.0 | 3 / 2 | |
| 7.2.3 | 3 / 2 | |
| 7.2.2 | 3 / 2 | |
| 7.2.0 | 4 / 2 | |
| 7.1.6 | 4 / 2 | |
| 7.1.2 | 4 / 2 | |
| 7.1.1 | 4 / 2 | |
| 7.1.0 | 4 / 2 | |
| 7.0.0 | 2 / 2 | |
| 8.0.0-rc.3 | 3 / 6 | |
| 8.0.0-rc.2 | 3 / 6 | |
| 8.0.0-rc.1 | 3 / 6 | |
| 8.0.0-beta.4 | 3 / 6 | |
| 8.0.0-beta.3 | 3 / 6 | |
v7.29.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.29.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-beta.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.
v8.0.0-beta.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-23. This could indicate a legitimate maintainer transition or an account compromise.