@babel/template
Generate an AST from a string template.
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Babel migrated to GitHub Actions CI publishing; missing gitHead is a known artifact of this workflow change, not a security signal for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Babel team membership changes are routine for this long-lived monorepo package; removals reflect normal team evolution, not a takeover. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Mass-production signal is a false positive for @babel/* packages; loganfsmyth is a known Babel contributor. Missing keywords is typical for scoped Babel packages. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): nicolo-ribaudo is a well-known Babel core contributor; this is a legitimate team transition within the official Babel project, stable across versions. | ai | |
| provenance | publisher-changed | AI (provenance): Babel monorepo migrated to GitHub Actions for automated publishing; publisher change from nicolo-ribaudo to GitHub Actions is consistent with this known org-wide transition and not indicative of compromise. | ai | |
| dependencies | unvetted-dep:@babel/parser | AI (dependencies): @babel/parser is a sibling package in the Babel monorepo, always co-released at the same version; not an independent unvetted dependency. | ai | |
| provenance | no-provenance | AI (provenance): @babel/template is a core Babel monorepo package published by a known Babel team member; lack of Sigstore provenance is not a meaningful risk signal for this package. | ai |
Versions (showing 47 of 47)
| Version | Deps | Published |
|---|---|---|
| 7.29.7 | 3 / 0 | |
| 7.28.6 | 3 / 0 | |
| 7.27.2 | 3 / 0 | |
| 7.27.1 | 3 / 0 | |
| 7.27.0 | 3 / 0 | |
| 7.26.9 | 3 / 0 | |
| 7.26.8 | 3 / 0 | |
| 7.25.9 | 3 / 0 | |
| 7.25.7 | 3 / 0 | |
| 7.25.0 | 3 / 0 | |
| 7.24.7 | 3 / 0 | |
| 7.24.6 | 3 / 0 | |
| 7.24.0 | 3 / 0 | |
| 7.23.9 | 3 / 0 | |
| 7.22.15 | 3 / 0 | |
| 7.22.5 | 3 / 0 | |
| 7.21.9 | 3 / 0 | |
| 7.20.7 | 3 / 0 | |
| 7.18.10 | 3 / 0 | |
| 7.18.6 | 3 / 0 | |
| 7.16.7 | 3 / 0 | |
| 7.16.0 | 3 / 0 | |
| 7.15.4 | 3 / 0 | |
| 7.14.5 | 3 / 0 | |
| 7.12.13 | 3 / 0 | |
| 7.12.7 | 3 / 0 | |
| 7.10.4 | 3 / 0 | |
| 7.10.3 | 3 / 0 | |
| 7.10.1 | 3 / 0 | |
| 7.10.0 | 3 / 0 | |
| 7.8.6 | 3 / 0 | |
| 7.8.3 | 3 / 0 | |
| 7.8.0 | 3 / 0 | |
| 7.7.4 | 3 / 0 | |
| 7.7.0 | 3 / 0 | |
| 7.6.0 | 3 / 0 | |
| 7.4.4 | 3 / 0 | |
| 7.4.0 | 3 / 0 | |
| 7.2.2 | 3 / 0 | |
| 7.1.2 | 3 / 0 | |
| 7.1.1 | 3 / 0 | |
| 7.1.0 | 3 / 0 | |
| 7.0.0 | 3 / 0 | |
| 8.0.0-rc.3 | 3 / 0 | |
| 8.0.0-rc.2 | 3 / 0 | |
| 8.0.0-rc.1 | 3 / 0 | |
| 8.0.0-beta.4 | 3 / 0 |
v7.29.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v8.0.0-rc.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-rc.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0-beta.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.