← Home

babel-plugin-syntax-do-expressions

npm Repository

Allow parsing of do expressions

17
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amasadhzoojmmloganfsmythsebmckthejameskyle

Keywords

babel-plugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): The sebmck→hzoo transition is the well-documented Babel project maintainership handoff in early 2016; both are trusted Babel core team members. ai
phantom-deps phantom-dep:babel-runtime AI (phantom-deps): babel-runtime is a standard indirect dependency in Babel 6 plugin packages; not directly imported but used via transpiled output. Expected pattern for this package. ai
bogus-package bogus-package AI (bogus-package): Babel plugins are intentionally tiny, templated, and dependency-free. The spam-publisher flags are false positives for the known Babel core team (hzoo, sebmck, loganfsmyth, etc.). ai
provenance no-provenance AI (provenance): This is a Babel 6 era package (published ~2016-2017); provenance attestation was not available at that time. No-provenance is expected for this package. ai

Versions (showing 17 of 17)

Version Deps Published
6.13.0 0 / 0
6.8.0 1 / 1
6.5.0 1 / 1
6.3.13 1 / 1
6.2.4 1 / 1
6.1.18 1 / 1
6.1.17 1 / 1
6.1.16 1 / 1
6.1.13 1 / 1
6.1.10 1 / 1
6.1.8 1 / 1
6.1.7 1 / 1
6.1.6 1 / 1
6.1.5 1 / 1
6.1.4 1 / 1
6.0.14 1 / 0
6.0.2 1 / 0

v6.13.0

2 findings
HIGH Low-value / spam package indicators (4 signals, score 8) bogus-package

Matched 4 signal(s), weighted score 8: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: sebmck, jmm, amasad, thejameskyle, hzoo, loganfsmyth. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_NO_DEPS] No runtime, dev, peer, or optional dependencies declared. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 1099 bytes total.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.8.0

2 findings
HIGH Publisher changed: sebmck → hzoo (on 2016-05-02) provenance

This version was published by a different npm account than previous versions on 2016-05-02. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.5.0

2 findings
HIGH Publisher changed: sebmck → hzoo (on 2016-02-07) provenance

This version was published by a different npm account than previous versions on 2016-02-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.3.13

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.2.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.18

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.17

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.16

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.13

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.10

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.1.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.0.14

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v6.0.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.