@babel/preset-env
A Babel preset for each environment.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@babel/plugin-bugfix-safari-rest-destructuring-rhs-array | AI (dependencies): First-party @babel/ scoped bugfix plugin added in lockstep with preset-env; consistent with Babel's established release pattern. | ai | |
| phantom-deps | phantom-dep:core-js-compat | AI (phantom-deps): core-js-compat is a declared direct dependency used via data/config references in preset-env, not via ES import statements. This is the expected usage pattern for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-nullish-coalescing-operator | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-private-property-in-object | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-optional-catch-binding | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-export-namespace-from | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-unicode-sets-regex | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-object-rest-spread | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-class-static-block | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-optional-chaining | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-numeric-separator | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-class-properties | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-async-generators | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-top-level-await | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-dynamic-import | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-json-strings | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in available-plugins.js is intentional: it lazily loads @babel/plugin-syntax-* packages from a hardcoded list of names. Not arbitrary module loading. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-import-meta | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-syntax-logical-assignment-operators | AI (phantom-deps): Loaded dynamically via the available-plugins pattern; declared in package.json deps. False positive for this package. | ai | |
| phantom-deps | phantom-dep:browserslist | AI (phantom-deps): browserslist is a core runtime dependency of preset-env used for browser target resolution; phantom-dep detection is a false positive here. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): developit (Jason Miller) is a well-known, reputable JS developer; his addition to Babel maintainers is a legitimate ecosystem event, not a suspicious takeover. | ai | |
| dependencies | unvetted-dep:@nicolo-ribaudo/semver-v6 | AI (dependencies): Scoped dependency by the same maintainer as a semver replacement; stable pattern for this package. | ai | |
| provenance | missing-githead | AI (provenance): Missing gitHead reflects a CI/CD publish environment change in the Babel monorepo, not a security concern. Publisher nicolo-ribaudo is a trusted Babel core maintainer. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Babel team maintainer rotation (danez, loganfsmyth → nicolo-ribaudo) is a documented, legitimate transition for this major open-source project, not a takeover. | ai | |
| bogus-package | bogus-package | AI (bogus-package): hzoo is Henry Zhu, founder of Babel — not a spam publisher. This is a false positive for the @babel/ namespace. No keywords is also normal for this monorepo package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy is an artifact of registry approval history gap, not actual npm inactivity. @babel/preset-env has been continuously maintained and published on npm. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps are all @babel/plugin-transform-* replacements for deprecated @babel/plugin-proposal-* packages — a well-documented, intentional Babel project rename, not suspicious additions. | ai | |
| provenance | publisher-changed | AI (provenance): Babel monorepo uses GitHub Actions for automated publishing; transition from individual maintainer account to CI publisher is documented and expected for this package. | ai | |
| dependencies | unvetted-dep:@babel/plugin-proposal-dynamic-import | AI (dependencies): First-party Babel monorepo package published by the same trusted maintainer; unvetted status reflects pipeline lag, not a security concern. | ai | |
| dependencies | unvetted-dep:@babel/plugin-proposal-json-strings | AI (dependencies): First-party Babel monorepo package published by the same trusted maintainer; unvetted status reflects pipeline lag, not a security concern. | ai | |
| dependencies | unvetted-dep:@babel/plugin-proposal-export-namespace-from | AI (dependencies): First-party Babel monorepo package published by the same trusted maintainer; unvetted status reflects pipeline lag, not a security concern. | ai | |
| dependencies | unvetted-dep:@babel/plugin-proposal-logical-assignment-operators | AI (dependencies): First-party Babel monorepo package published by the same trusted maintainer; unvetted status reflects pipeline lag, not a security concern. | ai | |
| dependencies | unvetted-dep:@babel/plugin-proposal-async-generator-functions | AI (dependencies): First-party Babel monorepo package published by the same trusted maintainer; unvetted status reflects pipeline lag, not a security concern. | ai | |
| dependencies | unvetted-dep:@babel/plugin-proposal-unicode-property-regex | AI (dependencies): First-party Babel monorepo package published by the same trusted maintainer; unvetted status reflects pipeline lag, not a security concern. | ai | |
| dependencies | unvetted-dep:@babel/plugin-proposal-optional-catch-binding | AI (dependencies): First-party Babel monorepo package published by the same trusted maintainer; unvetted status reflects pipeline lag, not a security concern. | ai | |
| dependencies | unvetted-dep:@babel/plugin-syntax-export-namespace-from | AI (dependencies): First-party Babel monorepo package published by the same trusted maintainer; unvetted status reflects pipeline lag, not a security concern. | ai | |
| dependencies | unvetted-dep:@babel/plugin-proposal-class-static-block | AI (dependencies): First-party Babel monorepo package published by the same trusted maintainer; unvetted status reflects pipeline lag, not a security concern. | ai | |
| provenance | no-provenance | AI (provenance): Published via GitHub Actions from the official babel/babel monorepo. Lack of Sigstore provenance is common and not a risk signal for this well-established package. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-private-property-in-object | AI (phantom-deps): Known intentional placeholder pattern used by Babel team (version 7.21.0-placeholder-for-preset-env.2) to avoid peer dependency warnings. Documented Babel behavior. | ai | |
| dependencies | unvetted-dep:babel-plugin-polyfill-regenerator | AI (dependencies): Official Babel ecosystem polyfill plugin; legitimate dependency. | ai | |
| dependencies | unvetted-dep:babel-plugin-polyfill-corejs3 | AI (dependencies): Official Babel ecosystem polyfill plugin; legitimate dependency. | ai | |
| dependencies | unvetted-dep:@babel/preset-modules | AI (dependencies): Official Babel monorepo package; legitimate first-party dependency of @babel/preset-env. | ai | |
| dependencies | unvetted-dep:babel-plugin-polyfill-corejs2 | AI (dependencies): Official Babel ecosystem polyfill plugin; legitimate dependency. | ai | |
| dependencies | unvetted-dep:core-js-compat | AI (dependencies): core-js-compat is a well-known, legitimate dependency of @babel/preset-env for polyfill compatibility data. Not a security risk. | ai | |
Versions (showing 47 of 147)
| Version | Deps | Published |
|---|---|---|
| 7.10.3 | 64 / 5 | |
| 7.10.2 | 64 / 5 | |
| 7.10.1 | 64 / 5 | |
| 7.10.0 | 64 / 5 | |
| 7.9.6 | 60 / 5 | |
| 7.9.5 | 60 / 5 | |
| 7.9.0 | 60 / 5 | |
| 7.8.7 | 57 / 5 | |
| 7.8.6 | 57 / 5 | |
| 7.8.4 | 57 / 5 | |
| 7.8.3 | 57 / 5 | |
| 7.8.2 | 57 / 5 | |
| 7.8.0 | 57 / 5 | |
| 7.7.7 | 51 / 7 | |
| 7.7.6 | 51 / 8 | |
| 7.7.5 | 51 / 8 | |
| 7.7.4 | 51 / 8 | |
| 7.7.1 | 51 / 8 | |
| 7.7.0 | 51 / 8 | |
| 7.6.3 | 50 / 8 | |
| 7.6.2 | 50 / 8 | |
| 7.6.0 | 50 / 8 | |
| 7.5.5 | 50 / 8 | |
| 7.5.4 | 50 / 8 | |
| 7.5.3 | 50 / 8 | |
| 7.5.2 | 50 / 8 | |
| 7.5.0 | 50 / 8 | |
| 7.4.5 | 48 / 8 | |
| 7.4.4 | 48 / 8 | |
| 7.4.3 | 48 / 8 | |
| 7.4.2 | 45 / 8 | |
| 7.4.1 | 45 / 8 | |
| 7.4.0 | 45 / 8 | |
| 7.3.4 | 43 / 7 | |
| 7.3.1 | 43 / 7 | |
| 7.3.0 | 43 / 7 | |
| 7.2.3 | 41 / 7 | |
| 7.2.0 | 41 / 7 | |
| 7.1.6 | 41 / 7 | |
| 7.1.5 | 41 / 7 | |
| 7.1.0 | 41 / 7 | |
| 7.0.0 | 41 / 7 | |
| 8.0.0-rc.3 | 65 / 4 | |
| 8.0.0-rc.2 | 64 / 4 | |
| 8.0.0-rc.1 | 64 / 4 | |
| 8.0.0-beta.4 | 64 / 4 | |
| 8.0.0-beta.3 | 64 / 4 | |
v8.0.0-rc.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-beta.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-beta.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-23. This could indicate a legitimate maintainer transition or an account compromise.