@babel/plugin-transform-named-capturing-groups-regex
Compile regular expressions using named groups to ES5.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): Babel team membership changes are well-documented org-level transitions, not suspicious takeovers. nicolo-ribaudo remains the publisher. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of danez/developit/loganfsmyth reflects known Babel core team evolution over years, not a hostile takeover. | ai | |
| dependencies | unvetted-dep:@babel/helper-create-regexp-features-plugin | AI (dependencies): This is a first-party Babel helper package, a standard and expected dependency for this plugin across all versions. Not a risk. | ai | |
| bogus-package | bogus-package | AI (bogus-package): hzoo is Henry Zhu, former Babel lead — not a spam actor. Tiny payload is expected for a single-purpose Babel transform plugin. | ai | |
| provenance | no-provenance | AI (provenance): Babel packages are published via GitHub Actions from the official babel/babel monorepo; lack of Sigstore provenance is a known gap for this publisher, not a risk indicator. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 7.29.7 | 2 / 3 | |
| 7.29.0 | 2 / 3 | |
| 7.27.1 | 2 / 3 | |
| 7.25.9 | 2 / 3 | |
| 7.25.7 | 2 / 3 | |
| 7.24.7 | 2 / 3 | |
| 7.24.6 | 2 / 3 | |
| 7.18.6 | 2 / 3 | |
| 7.8.3 | 1 / 4 | |
| 7.8.0 | 1 / 4 | |
| 7.7.4 | 1 / 4 | |
| 7.7.0 | 1 / 4 | |
| 7.6.3 | 1 / 4 | |
| 7.6.2 | 1 / 4 | |
| 7.6.0 | 1 / 3 | |
| 7.4.5 | 1 / 2 | |
| 7.4.4 | 1 / 2 | |
| 7.4.2 | 1 / 2 | |
| 7.3.0 | 1 / 2 | |
v7.29.7
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.27.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.25.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.25.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.24.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.24.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.18.6
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.8.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.8.0
2 findings
Matched 3 signal(s), weighted score 7:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3200 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.7.4
2 findings
Matched 3 signal(s), weighted score 7:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3178 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.7.0
2 findings
Matched 3 signal(s), weighted score 7:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3178 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.6.3
2 findings
Matched 3 signal(s), weighted score 7:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 4035 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.6.2
2 findings
Matched 3 signal(s), weighted score 7:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 4082 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.6.0
2 findings
Matched 3 signal(s), weighted score 7:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3937 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.4.5
2 findings
Matched 3 signal(s), weighted score 7:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3905 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.4.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.4.2
2 findings
Matched 3 signal(s), weighted score 7:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3905 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.3.0
2 findings
Matched 3 signal(s), weighted score 7:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_INFLATED_FIRST_SEMVER] First publish at version 7.3.0 — inflated semver on a brand-new package.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.