babel-eslint
Custom parser for ESLint
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): hzoo → kaicataldo is a known Babel team handoff; both are long-standing core contributors. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): nicolo-ribaudo is a well-known Babel core team member; legitimate addition. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Standard ESLint custom parser pattern: resolve.sync + require to load ESLint internals from user's install. | ai | |
| bogus-package | bogus-package | AI (bogus-package): False positive: sebmck, hzoo, loganfsmyth, danez are all Babel core team members, not spam publishers. | ai |
Versions (showing 100 of 109)
| Version | Deps | Published |
|---|---|---|
| 10.1.0 | 6 / 12 | |
| 10.0.3 | 6 / 12 | |
| 10.0.2 | 6 / 12 | |
| 10.0.1 | 6 / 12 | |
| 10.0.0 | 6 / 12 | |
| 9.0.0 | 6 / 13 | |
| 8.2.6 | 6 / 13 | |
| 8.2.5 | 6 / 13 | |
| 8.2.4 | 6 / 13 | |
| 8.2.3 | 6 / 13 | |
| 8.2.2 | 6 / 13 | |
| 8.2.1 | 6 / 13 | |
| 8.2.0 | 6 / 13 | |
| 8.1.2 | 6 / 13 | |
| 8.1.1 | 6 / 13 | |
| 8.1.0 | 6 / 11 | |
| 8.0.3 | 4 / 11 | |
| 8.0.2 | 4 / 11 | |
| 8.0.1 | 4 / 11 | |
| 8.0.0 | 4 / 11 | |
| 7.2.3 | 4 / 7 | |
| 7.2.2 | 4 / 7 | |
| 7.2.1 | 4 / 6 | |
| 7.2.0 | 5 / 6 | |
| 7.1.1 | 5 / 7 | |
| 7.1.0 | 4 / 7 | |
| 7.0.0 | 4 / 6 | |
| 6.1.2 | 5 / 3 | |
| 6.1.1 | 5 / 3 | |
| 6.1.0 | 5 / 3 | |
| 6.0.5 | 5 / 3 | |
| 6.0.4 | 5 / 3 | |
| 6.0.3 | 5 / 3 | |
| 6.0.2 | 5 / 3 | |
| 6.0.1 | 5 / 3 | |
| 6.0.0 | 5 / 3 | |
| 5.0.4 | 6 / 3 | |
| 5.0.3 | 6 / 3 | |
| 5.0.2 | 6 / 3 | |
| 5.0.1 | 6 / 3 | |
| 5.0.0 | 6 / 3 | |
| 4.1.8 | 4 / 3 | |
| 4.1.7 | 6 / 3 | |
| 4.1.6 | 4 / 3 | |
| 4.1.5 | 4 / 3 | |
| 4.1.4 | 4 / 3 | |
| 4.1.3 | 4 / 3 | |
| 4.1.2 | 4 / 3 | |
| 4.1.1 | 4 / 3 | |
| 4.1.0 | 4 / 3 | |
| 4.0.10 | 3 / 3 | |
| 4.0.9 | 3 / 3 | |
| 4.0.8 | 3 / 3 | |
| 4.0.7 | 3 / 3 | |
| 4.0.6 | 3 / 3 | |
| 4.0.5 | 3 / 3 | |
| 4.0.4 | 3 / 3 | |
| 4.0.3 | 3 / 3 | |
| 4.0.2 | 3 / 3 | |
| 4.0.1 | 3 / 3 | |
| 4.0.0 | 3 / 3 | |
| 3.1.30 | 3 / 3 | |
| 3.1.29 | 3 / 3 | |
| 3.1.28 | 3 / 3 | |
| 3.1.27 | 3 / 3 | |
| 3.1.26 | 3 / 3 | |
| 3.1.25 | 3 / 3 | |
| 3.1.24 | 3 / 3 | |
| 3.1.23 | 3 / 3 | |
| 3.1.22 | 3 / 3 | |
| 3.1.21 | 3 / 3 | |
| 3.1.20 | 3 / 3 | |
| 3.1.19 | 3 / 3 | |
| 3.1.18 | 3 / 3 | |
| 3.1.17 | 3 / 4 | |
| 3.1.16 | 3 / 4 | |
| 3.1.15 | 3 / 4 | |
| 3.1.14 | 3 / 3 | |
| 3.1.13 | 3 / 3 | |
| 3.1.12 | 3 / 3 | |
| 3.1.11 | 3 / 3 | |
| 3.1.10 | 3 / 3 | |
| 3.1.9 | 2 / 3 | |
| 3.1.8 | 2 / 3 | |
| 3.1.7 | 2 / 3 | |
| 3.1.6 | 3 / 3 | |
| 3.1.5 | 2 / 3 | |
| 3.1.4 | 2 / 3 | |
| 3.1.3 | 2 / 3 | |
| 3.1.1 | 2 / 3 | |
| 3.1.0 | 2 / 3 | |
| 3.0.1 | 2 / 3 | |
| 3.0.0 | 2 / 3 | |
| 2.0.2 | 2 / 3 | |
| 2.0.0 | 2 / 3 | |
| 1.0.14 | 2 / 3 | |
| 1.0.13 | 2 / 0 | |
| 1.0.12 | 2 / 0 | |
| 1.0.11 | 2 / 0 | |
| 1.0.10 | 2 / 0 |
v10.1.0
2 findingsThis version was published by a different npm account than previous versions on 2020-02-26. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.