@babel/plugin-proposal-export-namespace-from
Compile export namespace to ES2015
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Babel monorepo publish pipeline change; no security implication. nicolo-ribaudo is a trusted core Babel maintainer and this pattern is consistent across Babel packages. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of loganfsmyth and danez reflects legitimate Babel team org changes, not a takeover. nicolo-ribaudo is a known core maintainer. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from nicolo-ribaudo to jlhwung reflects normal Babel team rotation; both are documented core contributors to the babel/babel monorepo. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): jlhwung is a known Babel team member; maintainer additions within the @babel org are routine and not a risk signal for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): hzoo is Henry Zhu, Babel project lead — spam flag is a false positive for this well-known open source maintainer. | ai | |
| dependencies | unvetted-dep:@babel/plugin-syntax-export-namespace-from | AI (dependencies): @babel/plugin-syntax-export-namespace-from is an official Babel monorepo package; this intra-Babel dependency is stable and expected for this plugin. | ai | |
| provenance | no-provenance | AI (provenance): Babel packages predate Sigstore provenance adoption; absence is expected and not a risk signal for this well-established publisher. | ai |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 7.18.9 | 2 / 2 | |
| 7.18.6 | 2 / 2 | |
| 7.17.12 | 2 / 2 | |
| 7.16.7 | 2 / 2 | |
| 7.16.5 | 2 / 2 | |
| 7.16.0 | 2 / 2 | |
| 7.14.5 | 2 / 2 | |
| 7.14.2 | 2 / 2 | |
| 7.12.13 | 2 / 2 | |
| 7.12.1 | 2 / 2 | |
| 7.12.0 | 2 / 2 | |
| 7.10.4 | 2 / 2 | |
| 7.10.1 | 2 / 2 | |
| 7.8.3 | 2 / 2 | |
| 7.8.0 | 2 / 2 | |
| 7.7.4 | 2 / 2 | |
| 7.5.2 | 2 / 2 | |
| 7.2.0 | 2 / 2 | |
| 7.0.0 | 2 / 2 |
v7.18.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.17.12
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.14.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.14.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.13
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.10.4
2 findingsThis version was published by a different npm account than previous versions on 2020-06-30. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.10.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.8.3
2 findingsMatched 3 signal(s), weighted score 7: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: loganfsmyth, hzoo. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 4077 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.7.4
2 findingsMatched 3 signal(s), weighted score 7: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: loganfsmyth, hzoo. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 4077 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.5.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.