babel-plugin-transform-react-jsx-self
Add a __self prop to all JSX Elements
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| bogus-package | bogus-package | AI (bogus-package): Babel core team members are flagged due to mass monorepo publishing patterns. This is a legitimate official Babel plugin, not spam. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Added maintainers (jmm, loganfsmyth, sebmck, thejameskyle) are all recognized Babel core contributors, not a hostile takeover. | ai | |
| phantom-deps | phantom-dep:babel-runtime | AI (phantom-deps): babel-runtime is used via Babel's plugin resolution, not direct require(). Normal pattern for Babel plugins. | ai | |
| phantom-deps | phantom-dep:babel-plugin-syntax-jsx | AI (phantom-deps): babel-plugin-syntax-jsx is loaded via Babel's plugin system, not direct require(). Normal pattern for Babel transform plugins. | ai | |
v6.22.0
2 findings
Matched 3 signal(s), weighted score 7:
• [S_KNOWN_SPAM_PUBLISHER] Maintainer(s) previously flagged as spam: jmm, sebmck, thejameskyle, hzoo, loganfsmyth.
• [S_PUBLISHER_MASS_PRODUCTION] Maintainer 'loganfsmyth' owns 167 packages, ≥70% share a templated name shape.
• [S_TINY_PAYLOAD] Tiny payload: 1 code file(s), 1701 bytes total.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.