babel-minify
✂️ An ES6+ aware minifier based on the Babel toolchain (beta)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:babel-plugin-transform-function-to-arrow | AI (dependencies): First-party plugin from the same babel-minify monorepo by the same trusted publisher (boopathi). Consistent naming, versioning, and repository pattern with all other plugins in this package. | ai | |
| dependencies | unvetted-dep:babel-plugin-transform-global-defs | AI (dependencies): First-party plugin from the same babel-minify monorepo by the same trusted publisher (boopathi). Consistent naming, versioning, and repository pattern with all other plugins in this package. | ai | |
| provenance | publisher-changed | AI (provenance): hzoo (Henry Zhu) is a core Babel maintainer; the transition from boopathi to hzoo is a legitimate org-level handoff within the babel/minify project. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): babel-minify 0.0.0 is a legitimate placeholder initial release from 2015 by the known maintainer boopathi; the 0.0.0 version is not indicative of malice given the package's age and download history. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): babel-plugin-transform-remove-console and babel-plugin-transform-remove-debugger are core, expected dependencies for a Babel minifier; their addition is entirely legitimate for this package. | ai | |
| dependencies | unvetted-dep:babel-plugin-conditional-compile | AI (dependencies): babel-plugin-conditional-compile is a known Babel plugin dependency used by babel-minify; part of the established ecosystem around this package. | ai | |
| dependencies | unvetted-dep:babel-preset-min | AI (dependencies): babel-preset-min is a first-party package from the same author (boopathi) and monorepo as babel-minify; not a third-party unknown. | ai | |
| dependencies | unvetted-dep:babel-plugin-transform-dead-code-elimination | AI (dependencies): Part of the babel-minify monorepo by the same publisher (boopathi); expected dependency for this minification tool. | ai | |
| dependencies | unvetted-dep:babel-plugin-transform-mangle | AI (dependencies): Part of the babel-minify monorepo by the same publisher (boopathi); expected dependency for this minification tool. | ai | |
| dependencies | unvetted-dep:babel-plugin-transform-evaluate | AI (dependencies): Part of the babel-minify monorepo by the same publisher (boopathi); expected dependency for this minification tool. | ai | |
| dependencies | unvetted-dep:babel-plugin-transform-conditionals | AI (dependencies): Part of the babel-minify monorepo by the same publisher (boopathi); expected dependency for this minification tool. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by years; absence of attestation is expected for this era of publishing. | ai | |
| bogus-package | bogus-package | AI (bogus-package): hzoo and loganfsmyth are well-known legitimate Babel maintainers; spam flag is a false positive for this official Babel ecosystem package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of babeljs org account is consistent with the documented Babel project maintainer transition; no takeover indicators. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): nicolo-ribaudo is a known Babel core team member; transition from hzoo is a legitimate maintainer handoff within the Babel org. | ai | |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 0.5.2 | 7 / 0 | |
| 0.5.1 | 7 / 0 | |
| 0.5.0 | 7 / 0 | |
| 0.4.3 | 6 / 0 | |
| 0.4.2 | 6 / 0 | |
| 0.4.1 | 6 / 0 | |
| 0.4.0 | 6 / 0 | |
| 0.3.0 | 6 / 0 | |
| 0.2.0 | 6 / 0 | |
| 0.1.12 | 16 / 0 | |
| 0.1.11 | 14 / 0 | |
| 0.1.10 | 14 / 0 | |
| 0.1.9 | 14 / 0 | |
| 0.1.8 | 14 / 0 | |
| 0.1.7 | 14 / 0 | |
| 0.1.6 | 14 / 0 | |
| 0.1.5 | 14 / 0 | |
| 0.1.4 | 14 / 0 | |
| 0.1.3 | 14 / 0 | |
| 0.1.2 | 14 / 0 | |
| 0.1.1 | 14 / 0 | |
| 0.1.0 | 8 / 0 | |
| 0.0.10 | 8 / 0 | |
| 0.0.7 | 4 / 0 | |
| 0.0.6 | 4 / 0 | |
| 0.0.1 | 4 / 0 | |
| 0.0.0 | 2 / 0 | |
v0.5.2
2 findings
- This version was published by a different npm account than previous versions on 2022-05-06. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
2 findings
- This version was published by a different npm account than previous versions on 2019-08-15. This could indicate a legitimate maintainer transition or an account compromise.
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.12
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.11
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.10
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.9
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.8
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.10
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.7
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.6
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.