babel-plugin-transform-property-literals
Turn valid property key literals to plain identifiers
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): loganfsmyth is a well-known Babel core contributor; addition is a legitimate team expansion for the babel/babili project. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): esutils is a foundational, widely-trusted AST utility library used throughout the Babel/ESLint ecosystem; its addition is benign and expected for identifier-checking logic. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from 807B to 3KB is explained by integration of esutils for identifier validation; total size remains tiny with no payload indicators. | ai | |
| provenance | publisher-changed | AI (provenance): sebmck→hzoo is the well-documented Babel maintainer transition; both are core team members. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Babel monorepo plugins are inherently tiny and share templated names; not spam indicators. | ai | |
| phantom-deps | phantom-dep:babel-runtime | AI (phantom-deps): babel-runtime is a standard declared dep for Babel plugins, referenced via transform helpers. | ai | |
Versions (showing 21 of 21)
| Version | Deps | Published |
|---|---|---|
| 6.9.4 | 1 / 0 | |
| 6.9.3 | 1 / 0 | |
| 6.9.2 | 1 / 0 | |
| 6.9.1 | 1 / 0 | |
| 6.9.0 | 1 / 0 | |
| 6.8.5 | 1 / 0 | |
| 6.8.4 | 1 / 0 | |
| 6.8.3 | 0 / 0 | |
| 6.8.2 | 0 / 0 | |
| 6.8.1 | 0 / 0 | |
| 6.8.0 | 1 / 1 | |
| 6.5.0 | 1 / 1 | |
| 6.3.13 | 1 / 1 | |
| 6.2.4 | 1 / 1 | |
| 6.1.18 | 1 / 1 | |
| 6.1.17 | 1 / 1 | |
| 6.1.4 | 1 / 1 | |
| 6.0.14 | 1 / 0 | |
| 6.0.2 | 1 / 0 | |
| 0.0.3 | 0 / 0 | |
| 0.0.1 | 0 / 0 | |
v6.9.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.3
2 findings
This version was published by a different npm account than previous versions on 2017-05-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.2
2 findings
This version was published by a different npm account than previous versions on 2017-05-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.0
2 findings
This version was published by a different npm account than previous versions on 2016-05-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.0
2 findings
This version was published by a different npm account than previous versions on 2016-02-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.13
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.18
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.17
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.