@babel/plugin-transform-react-pure-annotations
Mark top-level React method calls as pure for tree shaking
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Babel monorepo moved to GitHub Actions publishing with SLSA provenance; stable transition. | ai | |
| dependencies | unvetted-dep:@babel/helper-annotate-as-pure | AI (dependencies): This is a standard internal Babel helper from the same monorepo and publisher (nicolo-ribaudo/Babel team). It is a routine dependency stable across all versions of this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Official Babel monorepo plugin; tiny payload is expected for a focused transform plugin; inflated semver matches Babel's versioning convention; flagged maintainers are known Babel core contributors. | ai | |
| provenance | no-provenance | AI (provenance): Official @babel monorepo package published by a long-standing Babel core team member; lack of Sigstore provenance is not a meaningful risk signal here. | ai |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 7.29.7 | 2 / 2 | |
| 7.27.1 | 2 / 2 | |
| 7.25.9 | 2 / 2 | |
| 7.25.7 | 2 / 2 | |
| 7.24.7 | 2 / 2 | |
| 7.24.6 | 2 / 2 | |
| 7.24.1 | 2 / 2 | |
| 7.23.3 | 2 / 2 | |
| 7.22.5 | 2 / 2 | |
| 7.18.6 | 2 / 2 | |
| 7.18.0 | 2 / 2 | |
| 7.16.7 | 2 / 2 | |
| 7.16.5 | 2 / 2 | |
| 7.16.0 | 2 / 2 | |
| 7.14.5 | 2 / 2 | |
| 7.12.1 | 2 / 2 | |
| 7.10.4 | 2 / 2 | |
| 7.10.3 | 2 / 2 | |
| 7.10.1 | 2 / 2 | |
| 7.10.0 | 2 / 2 |
v7.29.7
2 findingsThis version was published by a different npm account than previous versions on 2026-05-25. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.25.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.25.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.24.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.24.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.24.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.18.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.18.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.7
2 findingsMatched 3 signal(s), weighted score 7: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3999 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.16.5
2 findingsMatched 3 signal(s), weighted score 7: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3999 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.16.0
2 findingsMatched 3 signal(s), weighted score 7: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3532 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.14.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.12.1
2 findingsMatched 3 signal(s), weighted score 7: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3553 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.10.4
2 findingsMatched 3 signal(s), weighted score 7: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3612 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.10.3
2 findingsMatched 3 signal(s), weighted score 7: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3612 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.10.1
2 findingsMatched 3 signal(s), weighted score 7: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: hzoo, loganfsmyth, danez. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 3595 bytes total.
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.