
@babel/plugin-transform-runtime

Externalise references to helpers and builtins, automatically polyfilling your code without polluting globals

Versions: 5
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
No source commit

Maintainers

hzoo
existentialism
nicolo-ribaudo
jlhwung

Keywords

babel-plugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
dependencies | unvetted-dep:@nicolo-ribaudo/semver-v6 | AI (dependencies): This is a scoped package under the publisher's own npm namespace, used as a vendored semver v6 replacement. Transparent provenance; stable pattern for this package. | ai |
provenance | missing-githead | AI (provenance): Babel monorepo publish environment change; missing gitHead is a process artifact, not a security signal. Stable for this well-established package. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): The three new deps are established Babel ecosystem packages replacing inline polyfill logic. Legitimate architectural refactoring, not a supply chain injection. | ai |
source-diff | source-size-dropped | AI (source-diff): Size drop is explained by extraction of polyfill logic into dedicated packages (babel-plugin-polyfill-corejs2/3, babel-plugin-polyfill-regenerator). This is a documented Babel architectural change, not a stub replacement. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): jlhwung is a known Babel contributor; maintainer changes within the Babel org are routine team rotations, not takeover signals. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): developit's removal is consistent with normal Babel team rotation; package was still published by a trusted core maintainer (nicolo-ribaudo). | ai |
bogus-package | bogus-package | AI (bogus-package): Flagged maintainers loganfsmyth and hzoo are well-known, legitimate Babel core contributors. This is a stable false positive for this package. | ai |
provenance | publisher-changed | AI (provenance): Babel project migrated publishing to GitHub Actions CI/CD automation, a legitimate and documented security improvement for this org. Not an account compromise signal. | ai |
dependencies | unvetted-dep:babel-plugin-polyfill-corejs2 | AI (dependencies): babel-plugin-polyfill-corejs2 is a standard, well-known Babel ecosystem dependency that has been part of this plugin for many versions. Not a risk. | ai |
dependencies | unvetted-dep:babel-plugin-polyfill-regenerator | AI (dependencies): babel-plugin-polyfill-regenerator is a standard, well-known Babel ecosystem dependency that has been part of this plugin for many versions. Not a risk. | ai |
dependencies | unvetted-dep:babel-plugin-polyfill-corejs3 | AI (dependencies): babel-plugin-polyfill-corejs3 is a standard, well-known Babel ecosystem dependency that has been part of this plugin for many versions. Not a risk. | ai |
provenance | no-provenance | AI (provenance): Babel publishes via GitHub Actions CI; lack of Sigstore provenance is common and not a risk signal for this established package. | ai |

Versions (showing 5 of 105)

Version | Deps | Published
8.0.0-rc.3 | 2 / 7 |
8.0.0-rc.2 | 2 / 7 |
8.0.0-rc.1 | 2 / 7 |
8.0.0-beta.4 | 2 / 7 |
8.0.0-beta.3 | 2 / 7 |

v8.0.0-rc.3

1 finding
INFO  No provenance attestation  (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.0.0-rc.2

1 finding
INFO  No provenance attestation  (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.0.0-rc.1

1 finding
INFO  No provenance attestation  (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.0.0-beta.4

1 finding
INFO  No provenance attestation  (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v8.0.0-beta.3

2 findings
INFO  No provenance attestation  (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO  Publisher changed: nicolo-ribaudo → GitHub Actions (on 2025-10-23)  (provenance)

[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-23. This could indicate a legitimate maintainer transition or an account compromise.
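The signals behind the accepted risks and the per-version findings above (no provenance attestation, missing gitHead, publisher change, new dependencies, install scripts) all come from the package's registry metadata. The following Node.js script is an added example, not Babel's code and not part of this review tooling, showing how to derive those findings from a packument: it walks the versions in publish order and raises one finding per signal. The packument it audits is constructed for illustration; the package name, versions, accounts, dates and URLs in it are hypothetical, and the attestation shape it checks (dist.attestations.provenance.predicateType) is assumed from the public registry format.

```javascript
// Added example (not Babel's code): derive the review findings shown on this
// page from an npm packument. Everything below runs offline; SAMPLE_PACKUMENT
// is CONSTRUCTED for illustration and every name, version, account, date and
// URL in it is hypothetical.

const SLSA_PREDICATE_PREFIX = 'https://slsa.dev/provenance/';
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Walk versions in publish order using the packument's `time` map, so that
// "previous version" means the previous publish rather than the lower semver.
// Versions without a `time` entry are skipped.
function versionsByPublishTime(packument) {
  const time = packument.time || {};
  return Object.keys(packument.versions || {})
    .filter((v) => typeof time[v] === 'string')
    .sort((a, b) => Date.parse(time[a]) - Date.parse(time[b]));
}

// Assumed attestation shape: dist.attestations.provenance.predicateType holds
// the SLSA predicate URI when the publish carried a provenance attestation.
function hasSlsaProvenance(manifest) {
  const att = manifest.dist && manifest.dist.attestations;
  const predicate = att && att.provenance && att.provenance.predicateType;
  return typeof predicate === 'string' && predicate.startsWith(SLSA_PREDICATE_PREFIX);
}

function depNames(manifest) {
  return new Set(Object.keys(manifest.dependencies || {}));
}

// Returns one finding object per signal: { version, rule, level, message }.
function auditPackument(packument) {
  const findings = [];
  let prev = null;

  for (const version of versionsByPublishTime(packument)) {
    const m = packument.versions[version];
    const add = (rule, level, message) => findings.push({ version, rule, level, message });

    if (!hasSlsaProvenance(m)) {
      add('no-provenance', 'INFO', 'Published without a SLSA provenance attestation');
    }
    if (!m.gitHead) {
      add('missing-githead', 'INFO', 'No gitHead recorded; tarball cannot be tied to a source commit');
    }
    const hooks = INSTALL_HOOKS.filter((h) => m.scripts && m.scripts[h]);
    if (hooks.length > 0) {
      add('install-scripts', 'WARN', `Runs code at install time via: ${hooks.join(', ')}`);
    }
    if (prev !== null) {
      const before = prev._npmUser && prev._npmUser.name;
      const after = m._npmUser && m._npmUser.name;
      if (before && after && before !== after) {
        add('publisher-changed', 'INFO', `Publisher changed: ${before} -> ${after}`);
      }
      const previousDeps = depNames(prev);
      const added = [...depNames(m)].filter((d) => !previousDeps.has(d));
      if (added.length > 0) {
        add('new-deps-added', 'INFO', `New dependencies: ${added.join(', ')}`);
      }
    }
    prev = m;
  }
  return findings;
}

// Rule names raised for one version, sorted, for quick comparison.
function rulesFor(findings, version) {
  return findings.filter((f) => f.version === version).map((f) => f.rule).sort();
}

// Constructed packument: three publishes, the last one from a CI account
// that recorded no gitHead and carried no attestation.
const SAMPLE_PACKUMENT = {
  name: 'example-transform-plugin',
  time: {
    '1.0.0': '2025-01-10T12:00:00.000Z',
    '1.1.0': '2025-06-01T12:00:00.000Z',
    '2.0.0-beta.1': '2025-10-23T12:00:00.000Z',
  },
  versions: {
    '1.0.0': {
      gitHead: '1111111111111111111111111111111111111111',
      _npmUser: { name: 'maintainer-a' },
      dependencies: { 'helper-a': '^1.0.0' },
      dist: { tarball: 'https://registry.example.test/example-transform-plugin/-/1.0.0.tgz' },
    },
    '1.1.0': {
      gitHead: '2222222222222222222222222222222222222222',
      _npmUser: { name: 'maintainer-a' },
      dependencies: { 'helper-a': '^1.0.0', 'polyfill-helper': '^0.1.0' },
      scripts: { postinstall: 'node scripts/setup.js' },
      dist: {
        tarball: 'https://registry.example.test/example-transform-plugin/-/1.1.0.tgz',
        attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } },
      },
    },
    '2.0.0-beta.1': {
      _npmUser: { name: 'ci-publisher' },
      dependencies: { 'helper-a': '^2.0.0', 'polyfill-helper': '^0.1.0' },
      dist: { tarball: 'https://registry.example.test/example-transform-plugin/-/2.0.0-beta.1.tgz' },
    },
  },
};

for (const f of auditPackument(SAMPLE_PACKUMENT)) {
  console.log(`${f.level}  ${f.version}  ${f.rule}  ${f.message}`);
}
```

To run it against a real package, replace SAMPLE_PACKUMENT with the JSON served at https://registry.npmjs.org/<package-name> (fetched separately; the script itself makes no network calls). Note that the script only checks whether an attestation is present; `npm audit signatures` performs the actual registry-signature and provenance verification, and a maintainer produces the attestation by publishing from a CI job with `npm publish --provenance` (on GitHub Actions this needs the `id-token: write` permission).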