babel-plugin-transform-define
Babel plugin that replaces member expressions and typeof statements with strings
Versions: 14
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
scottianstewartkeithluchtelcecepparobwalkercogksandersarahformidablescott-rippeymichaelmerrillsarmeyermariano-formidablecarlospaelinckryan.roemerformidable-ownereastridgeexogenformidablelabscarbonrobotmasiddeemjackson
Keywords
babel-plugin, babel-transform, babel, define, DefinePlugin, webpack
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:babel-preset-es2015 | AI (dependencies): babel-preset-es2015 is a well-known Babel v6 preset used only during build; phantom-dep analysis confirms it is not imported at runtime. | ai | |
| dependencies | unvetted-dep:babel-cli | AI (dependencies): babel-cli is a well-known Babel v6 build tool used only during this package's own build process; phantom-dep analysis confirms it is not imported at runtime. | ai | |
| phantom-deps | phantom-dep:babel-cli | AI (phantom-deps): babel-cli is a build tool used only during prepublish; phantom-dep finding reflects misclassification as dependency, not a security concern. | ai | |
| phantom-deps | phantom-dep:rimraf | AI (phantom-deps): rimraf is a build tool used in the build script; phantom-dep finding is a packaging quirk (should be devDep), not a security issue. | ai | |
| phantom-deps | phantom-dep:babel-preset-es2015 | AI (phantom-deps): babel-preset-es2015 is a build tool used only during prepublish; phantom-dep finding reflects misclassification as dependency, not a security concern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is confined to scripts/release.js, a developer release automation script not included in the published runtime. No risk to package consumers. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in lib/index.js is the plugin's intentional feature for loading user-specified config files. This is documented, expected behavior. | ai | |
| email-domain | unclaimed-email:michaelmerrill.io | AI (email-domain): This email belongs to a contributor field in package.json, not the active npm publisher. The publishing account (ryan.roemer) is unaffected; domain hijack risk is low and does not grant npm publish access. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers reflect FormidableLabs team turnover; part of the same legitimate org-level refresh. No malicious indicators present. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are FormidableLabs team members added as part of a legitimate org-level maintainer list refresh, confirmed by SLSA provenance. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher changed from individual (ryan.roemer) to org account (formidablelabs) — a legitimate consolidation for FormidableLabs. SLSA provenance attestation confirms CI/CD publication. | ai | |
| provenance | no-provenance | AI (provenance): Established FormidableLabs package; lack of provenance attestation is common and not a risk signal for this package. | ai | |