@babel/plugin-syntax-unicode-sets-regex
Parse regular expressions' unicodeSets (v) flag.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@babel/helper-create-regexp-features-plugin | AI (dependencies): This is a first-party Babel helper package from the same official Babel team/org, published by the same trusted maintainer. Not a real risk for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): All signals are false positives: Babel monorepo uses many small plugins, unified semver, and the flagged maintainers (hzoo, loganfsmyth, danez) are core Babel team members. | ai | |
| provenance | no-provenance | AI (provenance): Package predates widespread Sigstore provenance adoption; published by the official Babel team with a strong track record. Not a meaningful risk signal for this package. | ai | |
v7.17.0
2 findings
Matched 4 signal(s), weighted score 8:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3374 bytes total.
• [S_INFLATED_FIRST_SEMVER] First publish at version 7.17.0 — inflated semver on a brand-new package.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.