babel-plugin-transform-object-assign

Replace Object.assign with an inline helper

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

amasadhzoojmmloganfsmythsebmckthejameskyle

Keywords

babel-plugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): The sebmck→hzoo transition is the well-documented handoff of Babel project stewardship in early 2016; hzoo is the canonical Babel maintainer and this is not a suspicious change.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Flagged maintainers are legitimate Babel core team members; mass-production reflects Babel monorepo structure; tiny payload is expected for a single-purpose transform plugin.	ai	2026/04/23
phantom-deps	phantom-dep:babel-runtime	AI (phantom-deps): babel-runtime is a standard peer/runtime dep in Babel 6.x plugins; injected by the transform pipeline, not directly imported in source.	ai	2026/04/23

Versions (showing 10 of 10)

Version	Deps	Published
6.22.0	1 / 1	2017-01-20
6.8.0	1 / 1	2016-05-02
6.5.0	1 / 1	2016-02-07
6.3.13	1 / 1	2015-12-04
6.2.4	1 / 1	2015-11-25
6.1.18	1 / 1	2015-11-12
6.1.17	1 / 1	2015-11-12
6.1.4	1 / 1	2015-11-11
6.0.14	1 / 0	2015-10-30
6.0.2	1 / 0	2015-10-29

v6.22.0

2 findings

HIGH Low-value / spam package indicators (3 signals, score 7) bogus-package

Matched 3 signal(s), weighted score 7: • [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: sebmck, jmm, amasad, thejameskyle, hzoo, loganfsmyth. • [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape. • [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 2907 bytes total.