@swc/core
Super-fast alternative for babel
Supply chain provenance
Status for the latest visible version.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:request | AI (dependencies): The `request` package is used during install to fetch prebuilt binaries; it is a well-known HTTP client and its use here is consistent with the package's install flow. | ai | |
| install-scripts | install-script:install | AI (install-scripts): @swc/core is a native Rust binding; install script fetches prebuilt binaries or builds via neon. Standard for this package. | ai | |
| phantom-deps | phantom-dep:neon-cli | AI (phantom-deps): neon-cli is used as a CLI tool in install/build scripts, not imported in JS. Expected for neon-based native bindings. | ai | |
| bogus-package | bogus-package | AI (bogus-package): @swc/core is a major ecosystem package (43M downloads); sparse metadata in early versions is not a spam signal. | ai | |
| phantom-deps | phantom-dep:@swc/core-linux-x64-gnu | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-linux-x64-musl | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-win32-x64-msvc | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-linux-arm64-gnu | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-win32-ia32-msvc | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-linux-arm64-musl | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-win32-arm64-msvc | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-linux-arm-gnueabihf | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-darwin-x64 | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-freebsd-x64 | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-darwin-arm64 | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| phantom-deps | phantom-dep:@swc/core-android-arm64 | AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime. | ai | |
| provenance | no-provenance | AI (provenance): @swc/core is a long-established, high-trust package; absence of Sigstore provenance is not a risk signal here. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @swc/core is a major scoped package under the @swc org, not a typosquat of 'cors'. The Levenshtein match is purely coincidental and will never be a real signal for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used only to run 'ldd --version' to detect musl libc for binary selection; hardcoded, benign, and stable for this package. | ai | |
| phantom-deps | phantom-dep:@swc/counter | AI (phantom-deps): @swc/counter is a same-org runtime dependency declared in package.json dependencies; phantom-dep detection is a false positive here. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): @swc/core uses postinstall to select the correct platform-specific prebuilt native binary via NAPI-RS; this is the documented and stable install flow for this package. | ai | |
| semgrep | semgrep:child-process-execsync | AI (semgrep): execSync('ldd --version') is a hardcoded, benign musl detection check in binding.js; stable false positive for this native binding package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in index.js loads either a user-specified binding override or ./binding.js; standard NAPI-RS pattern, stable for this package. | ai |
Versions (showing 51 of 217)
| Version | Deps | Published |
|---|---|---|
| 1.15.40 | 2 / 4 | |
| 1.15.33 | 2 / 4 | |
| 1.15.32 | 2 / 4 | |
| 1.11.31 | 2 / 4 | |
| 1.7.24 | 2 / 4 | |
| 1.7.11 | 2 / 4 | |
| 1.3.100 | 2 / 51 | |
| 1.3.99 | 2 / 51 | |
| 1.3.92 | 2 / 51 | |
| 1.3.91 | 2 / 51 | |
| 1.3.76 | 10 / 51 | |
| 1.3.75 | 10 / 51 | |
| 1.3.57 | 10 / 51 | |
| 1.3.44 | 10 / 51 | |
| 1.3.39 | 10 / 51 | |
| 1.3.32 | 10 / 51 | |
| 1.3.29 | 10 / 51 | |
| 1.3.26 | 10 / 51 | |
| 1.3.25 | 10 / 51 | |
| 1.3.11 | 13 / 51 | |
| 1.3.8 | 13 / 51 | |
| 1.3.7 | 13 / 51 | |
| 1.3.6 | 13 / 51 | |
| 1.3.4 | 13 / 51 | |
| 1.3.3 | 13 / 50 | |
| 1.2.247 | 13 / 46 | |
| 1.2.246 | 13 / 46 | |
| 1.2.232 | 13 / 46 | |
| 1.2.229 | 13 / 46 | |
| 1.2.222 | 13 / 46 | |
| 1.2.215 | 13 / 45 | |
| 1.2.213 | 13 / 44 | |
| 1.2.212 | 13 / 44 | |
| 1.2.211 | 13 / 44 | |
| 1.2.210 | 13 / 44 | |
| 1.2.209 | 13 / 44 | |
| 1.2.208 | 13 / 44 | |
| 1.2.207 | 13 / 44 | |
| 1.2.206 | 13 / 44 | |
| 1.2.205 | 13 / 44 | |
| 1.2.204 | 13 / 44 | |
| 1.2.203 | 13 / 44 | |
| 1.2.198 | 13 / 44 | |
| 1.2.197 | 13 / 44 | |
| 1.2.196 | 13 / 44 | |
| 1.2.194 | 13 / 44 | |
| 1.2.192 | 13 / 44 | |
| 1.2.189 | 13 / 44 | |
| 1.2.188 | 13 / 44 | |
| 1.2.187 | 13 / 44 | |
| 1.2.186 | 13 / 44 |
v1.15.40
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.15.33
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.11.31
2 findingsPackage name '@swc/core' is 1 edit(s) away from popular package 'cors'.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.24
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.7.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.100
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.99
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.92
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.91
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.3.76
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.3.75
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.
v1.3.57
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.44
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.39
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.32
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.29
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.26
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.25
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.3.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.247
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.246
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.232
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.229
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.222
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.215
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.213
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.212
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.211
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.210
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.209
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.208
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.207
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.206
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.205
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.204
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.203
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.198
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.197
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.196
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.194
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.192
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.189
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.188
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.187
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.2.186
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.