babel-loader
babel module loader for webpack
Versions: 1
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version:
- No SLSA provenance
- npm registry signatures
- gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers: loganfsmyth, hzoo, existentialism, nicolo-ribaudo
Keywords: webpack, loader, babel, es6, transpiler, module
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): babel-loader is a canonical, high-download Babel ecosystem package. The mass-production and off-topic README signals are false positives for this well-established project. | ai | |
| source-diff | obfuscated-file:coverage/lcov-report/prettify.js | AI (source-diff): This is Google's code-prettify library bundled in Istanbul/lcov HTML coverage reports — standard minified JS, not malicious obfuscation. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from 3KB to 18KB reflects legitimate feature additions (caching, options, object-assign integration) across multiple minor versions of a well-established webpack loader. | ai | |
| dependencies | unvetted-dep:babel-core | AI (dependencies): babel-core is the canonical Babel core package and an entirely expected dependency for a Babel webpack loader; not suspicious in this context. | ai | |
| provenance | publisher-changed | AI (provenance): nicolo-ribaudo is a known Babel core team member; transition from danez is a legitimate org handoff within the babel GitHub org. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): schema-utils is a standard webpack ecosystem validation package; its addition replaces loader-utils for option validation in webpack 5 compatibility. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (nicolo-ribaudo, existentialism) are Babel ecosystem contributors; this is a legitimate team transition, not a compromise. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): babel-loader is maintained by the Babel core team; maintainer rotation within the org is expected and not indicative of a takeover. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): The long gap reflects a major version release (v8 to v10) aligned with Babel 8 beta; dormancy is explained by the major rewrite cycle. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is babel-loader's documented 'customize' option feature; user-controlled, not attacker-controlled. Stable pattern for this package. | ai | |
Versions (showing 1 of 1)
| Version | Deps | Published |
|---|---|---|
| 9.2.1 | 2 / 15 | |
v9.2.1: 1 finding

LOW: No provenance attestation (source: provenance)
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.