@swc/core — Greenflagged

Super-fast alternative for babel

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

kdy1

Keywords

swcswcpackbabeltypescriptrustwebpacktsc

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:request	AI (dependencies): The `request` package is used during install to fetch prebuilt binaries; it is a well-known HTTP client and its use here is consistent with the package's install flow.	ai	2026/04/24
install-scripts	install-script:install	AI (install-scripts): @swc/core is a native Rust binding; install script fetches prebuilt binaries or builds via neon. Standard for this package.	ai	2026/04/24
phantom-deps	phantom-dep:neon-cli	AI (phantom-deps): neon-cli is used as a CLI tool in install/build scripts, not imported in JS. Expected for neon-based native bindings.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): @swc/core is a major ecosystem package (43M downloads); sparse metadata in early versions is not a spam signal.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-linux-x64-gnu	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-linux-x64-musl	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-win32-x64-msvc	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-linux-arm64-gnu	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-win32-ia32-msvc	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-linux-arm64-musl	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-win32-arm64-msvc	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-linux-arm-gnueabihf	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-darwin-x64	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-freebsd-x64	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-darwin-arm64	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
phantom-deps	phantom-dep:@swc/core-android-arm64	AI (phantom-deps): Platform-specific optional dependency for NAPI native binding; declared in napi config and loaded conditionally at runtime.	ai	2026/04/24
provenance	no-provenance	AI (provenance): @swc/core is a long-established, high-trust package; absence of Sigstore provenance is not a risk signal here.	ai	2026/04/24
typosquat	typosquat.levenshtein:cors	AI (typosquat): @swc/core is a major scoped package under the @swc org, not a typosquat of 'cors'. The Levenshtein match is purely coincidental and will never be a real signal for this package.	ai	2026/04/24
semgrep	semgrep:child-process-import	AI (semgrep): child_process is used only to run 'ldd --version' to detect musl libc for binary selection; hardcoded, benign, and stable for this package.	ai	2026/04/23
phantom-deps	phantom-dep:@swc/counter	AI (phantom-deps): @swc/counter is a same-org runtime dependency declared in package.json dependencies; phantom-dep detection is a false positive here.	ai	2026/04/23
install-scripts	install-script:postinstall	AI (install-scripts): @swc/core uses postinstall to select the correct platform-specific prebuilt native binary via NAPI-RS; this is the documented and stable install flow for this package.	ai	2026/04/23
semgrep	semgrep:child-process-execsync	AI (semgrep): execSync('ldd --version') is a hardcoded, benign musl detection check in binding.js; stable false positive for this native binding package.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in index.js loads either a user-specified binding override or ./binding.js; standard NAPI-RS pattern, stable for this package.	ai	2026/04/23

Versions (showing 100 of 217)

Show 66 prereleases

Version	Deps	Published
1.15.40	2 / 4	2026-05-23
1.15.33	2 / 4	2026-05-02
1.15.32	2 / 4	2026-04-27
1.11.31	2 / 4	2025-06-05
1.7.24	2 / 4	2024-09-08
1.7.11	2 / 4	2024-08-14
1.3.100	2 / 51	2023-11-30
1.3.99	2 / 51	2023-11-21
1.3.92	2 / 51	2023-10-05
1.3.91	2 / 51	2023-10-01
1.3.76	10 / 51	2023-08-10
1.3.75	10 / 51	2023-08-08
1.3.57	10 / 51	2023-05-09
1.3.44	10 / 51	2023-03-30
1.3.39	10 / 51	2023-03-10
1.3.32	10 / 51	2023-02-01
1.3.29	10 / 51	2023-01-26
1.3.26	10 / 51	2023-01-11
1.3.25	10 / 51	2023-01-06
1.3.11	13 / 51	2022-10-26
1.3.8	13 / 51	2022-10-14
1.3.7	13 / 51	2022-10-12
1.3.6	13 / 51	2022-10-08
1.3.4	13 / 51	2022-09-30
1.3.3	13 / 50	2022-09-23
1.2.247	13 / 46	2022-09-04
1.2.246	13 / 46	2022-09-01
1.2.232	13 / 46	2022-08-15
1.2.229	13 / 46	2022-08-13
1.2.222	13 / 46	2022-08-01
1.2.215	13 / 45	2022-07-14
1.2.213	13 / 44	2022-07-13
1.2.212	13 / 44	2022-07-11
1.2.211	13 / 44	2022-07-09
1.2.210	13 / 44	2022-07-05
1.2.209	13 / 44	2022-07-05
1.2.208	13 / 44	2022-07-01
1.2.207	13 / 44	2022-06-28
1.2.206	13 / 44	2022-06-27
1.2.205	13 / 44	2022-06-24
1.2.204	13 / 44	2022-06-18
1.2.203	13 / 44	2022-06-14
1.2.198	13 / 44	2022-06-11
1.2.197	13 / 44	2022-06-05
1.2.196	13 / 44	2022-05-31
1.2.194	13 / 44	2022-05-25
1.2.192	13 / 44	2022-05-24
1.2.189	13 / 44	2022-05-21
1.2.188	13 / 44	2022-05-21
1.2.187	13 / 44	2022-05-20
1.2.186	13 / 44	2022-05-17
1.2.185	13 / 43	2022-05-16
1.2.183	13 / 43	2022-05-13
1.2.182	13 / 43	2022-05-11
1.2.181	13 / 43	2022-05-09
1.2.179	13 / 43	2022-05-08
1.2.178	13 / 43	2022-05-07
1.2.177	13 / 42	2022-05-04
1.2.176	13 / 42	2022-05-04
1.2.175	13 / 42	2022-05-03
1.2.174	13 / 42	2022-04-30
1.2.173	13 / 42	2022-04-28
1.2.172	13 / 42	2022-04-26
1.2.171	13 / 42	2022-04-22
1.2.170	13 / 42	2022-04-20
1.2.169	13 / 42	2022-04-20
1.2.168	13 / 42	2022-04-17
1.2.167	13 / 42	2022-04-17
1.2.165	13 / 42	2022-04-09
1.2.164	13 / 42	2022-04-07
1.2.163	13 / 42	2022-04-03
1.2.162	13 / 42	2022-03-31
1.2.161	13 / 42	2022-03-28
1.2.160	13 / 42	2022-03-22
1.2.159	13 / 42	2022-03-19
1.2.158	13 / 42	2022-03-18
1.2.157	13 / 42	2022-03-17
1.2.156	13 / 40	2022-03-16
1.2.155	13 / 39	2022-03-14
1.2.154	13 / 39	2022-03-12
1.2.153	13 / 38	2022-03-11
1.2.152	13 / 38	2022-03-10
1.2.151	13 / 38	2022-03-07
1.2.150	13 / 38	2022-03-06
1.2.149	13 / 38	2022-03-06
1.2.148	13 / 38	2022-03-04
1.2.147	13 / 38	2022-03-02
1.2.146	13 / 38	2022-02-27
1.2.145	13 / 38	2022-02-24
1.2.144	13 / 38	2022-02-22
1.2.143	13 / 38	2022-02-19
1.2.142	13 / 38	2022-02-18
1.2.141	13 / 38	2022-02-16
1.2.140	13 / 38	2022-02-15
1.2.139	13 / 38	2022-02-12
1.2.138	13 / 38	2022-02-08
1.2.137	14 / 37	2022-02-07
1.2.136	13 / 37	2022-02-03
1.2.135	13 / 37	2022-01-27
1.2.133	13 / 37	2022-01-20

Showing 100 of 217 Next page →

v1.15.40

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.15.33

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.11.31

2 findings

HIGH typosquat.levenshtein: Possible typosquat of 'cors' typosquat

Package name '@swc/core' is 1 edit(s) away from popular package 'cors'.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.24

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.7.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.100

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.3.99

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.3.92

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.3.91

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.3.76

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

v1.3.75

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.