@babel/plugin-transform-runtime
Externalise references to helpers and builtins, automatically polyfilling your code without polluting globals
Versions: 51
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
hzoo, existentialism, nicolo-ribaudo, jlhwung
Keywords
babel-plugin
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@nicolo-ribaudo/semver-v6 | AI (dependencies): This is a scoped package under the publisher's own npm namespace, used as a vendored semver v6 replacement. Transparent provenance; stable pattern for this package. | ai | |
| provenance | missing-githead | AI (provenance): Babel monorepo publish environment change; missing gitHead is a process artifact, not a security signal. Stable for this well-established package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): The three new deps are established Babel ecosystem packages replacing inline polyfill logic. Legitimate architectural refactoring, not a supply chain injection. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop is explained by extraction of polyfill logic into dedicated packages (babel-plugin-polyfill-corejs2/3, babel-plugin-polyfill-regenerator). This is a documented Babel architectural change, not a stub replacement. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): jlhwung is a known Babel contributor; maintainer changes within the Babel org are routine team rotations, not takeover signals. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): developit's removal is consistent with normal Babel team rotation; package was still published by a trusted core maintainer (nicolo-ribaudo). | ai | |
| bogus-package | bogus-package | AI (bogus-package): Flagged maintainers loganfsmyth and hzoo are well-known, legitimate Babel core contributors. This is a stable false positive for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Babel project migrated publishing to GitHub Actions CI/CD automation — a legitimate and documented security improvement for this org. Not an account compromise signal. | ai | |
| dependencies | unvetted-dep:babel-plugin-polyfill-corejs2 | AI (dependencies): babel-plugin-polyfill-corejs2 is a standard, well-known Babel ecosystem dependency that has been part of this plugin for many versions. Not a risk. | ai | |
| dependencies | unvetted-dep:babel-plugin-polyfill-regenerator | AI (dependencies): babel-plugin-polyfill-regenerator is a standard, well-known Babel ecosystem dependency that has been part of this plugin for many versions. Not a risk. | ai | |
| dependencies | unvetted-dep:babel-plugin-polyfill-corejs3 | AI (dependencies): babel-plugin-polyfill-corejs3 is a standard, well-known Babel ecosystem dependency that has been part of this plugin for many versions. Not a risk. | ai | |
| provenance | no-provenance | AI (provenance): Babel publishes via GitHub Actions CI; lack of Sigstore provenance is common and not a risk signal for this established package. | ai | |
Versions (showing 51 of 105)
| Version | Deps | Published |
|---|---|---|
| 7.29.7 | 6 / 8 | |
| 7.29.0 | 6 / 8 | |
| 7.28.5 | 6 / 8 | |
| 7.28.3 | 6 / 8 | |
| 7.28.0 | 6 / 8 | |
| 7.27.4 | 6 / 8 | |
| 7.27.3 | 6 / 8 | |
| 7.27.1 | 6 / 8 | |
| 7.26.10 | 6 / 8 | |
| 7.26.9 | 6 / 8 | |
| 7.26.8 | 6 / 8 | |
| 7.25.9 | 6 / 8 | |
| 7.25.7 | 6 / 8 | |
| 7.25.4 | 6 / 8 | |
| 7.24.7 | 6 / 8 | |
| 7.24.6 | 6 / 8 | |
| 7.24.3 | 6 / 8 | |
| 7.24.1 | 6 / 8 | |
| 7.24.0 | 6 / 7 | |
| 7.23.9 | 6 / 7 | |
| 7.23.7 | 6 / 7 | |
| 7.23.6 | 6 / 7 | |
| 7.23.4 | 6 / 7 | |
| 7.23.3 | 6 / 7 | |
| 7.23.2 | 6 / 7 | |
| 7.22.15 | 6 / 7 | |
| 7.22.10 | 6 / 7 | |
| 7.22.9 | 6 / 7 | |
| 7.22.7 | 6 / 9 | |
| 7.22.6 | 6 / 9 | |
| 7.22.5 | 6 / 9 | |
| 7.22.4 | 6 / 9 | |
| 7.22.2 | 6 / 9 | |
| 7.22.0 | 6 / 9 | |
| 7.21.4 | 6 / 9 | |
| 7.21.0 | 6 / 9 | |
| 7.19.6 | 6 / 9 | |
| 7.19.1 | 6 / 9 | |
| 7.18.10 | 6 / 9 | |
| 7.18.9 | 6 / 9 | |
| 7.18.6 | 6 / 9 | |
| 7.18.5 | 6 / 9 | |
| 7.18.2 | 6 / 9 | |
| 7.18.0 | 6 / 9 | |
| 7.17.12 | 6 / 9 | |
| 7.17.10 | 6 / 9 | |
| 7.17.0 | 6 / 9 | |
| 7.16.10 | 6 / 9 | |
| 7.16.8 | 6 / 10 | |
| 7.16.7 | 6 / 10 | |
| 7.16.5 | 6 / 10 | |
v7.29.7
1 finding
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v7.22.7
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.