babel-plugin-transform-regenerator
Explode async and generator functions into a state machine.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:.test/tests.es6.js | AI (source-diff): Test file with generator/iterator tests using standard assert patterns; not malicious. | ai | |
| source-diff | net-exec-file:.test/async.es5.js | AI (source-diff): Test file using Function('return this')() for global object access in assertions; not malicious. | ai | |
| source-diff | net-exec-file:runtime.js | AI (source-diff): Facebook's regenerator runtime uses Function('return this')() for global detection; standard pattern, not network/exec malware. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from Babel 6 restructuring adding runtime + test files; expected for this version transition. | ai | |
| source-diff | net-exec-file:.test/tests.es5.js | AI (source-diff): Test file using regeneratorRuntime patterns and assertions; not malicious. | ai | |
| source-diff | net-exec-file:.test/async.es6.js | AI (source-diff): Test file using Function('return this')() for global object access in assertions; not malicious. | ai | |
| provenance | publisher-changed | AI (provenance): sebmck→hzoo is the well-documented Babel maintainer transition; hzoo is a core Babel team member with extensive track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): amasad and thejameskyle are well-known Babel core team members; their addition is a legitimate and expected team expansion, not a suspicious takeover. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by years; absence of attestation is expected for this era of Babel packages. | ai | |
| dependencies | unvetted-dep:babel-traverse | AI (dependencies): babel-traverse is a core Babel ecosystem package; flagging it as unvetted is a false positive for any babel-plugin package. | ai | |
| phantom-deps | phantom-dep:commoner | AI (phantom-deps): commoner is declared in package.json dependencies; phantom-dep finding is a false positive for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage is confined to test/run.js for spawning mocha test runner — not in production code, stable false positive for this package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is in test/tests.transform.js to verify transpiler output correctness — standard testing pattern for a Babel transform plugin, not a supply-chain risk. | ai | |
| phantom-deps | phantom-dep:through | AI (phantom-deps): through is declared in package.json dependencies; phantom-dep finding is a false positive for this package. | ai | |
| phantom-deps | phantom-dep:babylon | AI (phantom-deps): babylon is a declared runtime dependency in package.json; phantom-dep fires because it's used indirectly via config/test files, not direct imports. Normal for Babel plugin architecture. | ai | |
| license | uncommon-license:BSD | AI (license): BSD is a well-known permissive license; analyzer's list simply doesn't include it. No legal concern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Babel monorepo packages from 2015 era commonly lack keywords and have minimal READMEs. Package has 1.5M weekly downloads and 9 approved dependents — clearly not spam. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-es2015-block-scoping | AI (phantom-deps): Declared runtime dependency used indirectly; standard Babel plugin composition pattern. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-es2015-for-of | AI (phantom-deps): Declared runtime dependency used indirectly; standard Babel plugin composition pattern. | ai | |
| phantom-deps | phantom-dep:babel-plugin-syntax-async-functions | AI (phantom-deps): Declared runtime dependency used indirectly; standard Babel plugin composition pattern. | ai | |
| phantom-deps | phantom-dep:babel-traverse | AI (phantom-deps): babel-traverse is a declared runtime dependency; indirect usage pattern is normal for Babel plugins. | ai | |
| phantom-deps | phantom-dep:babel-core | AI (phantom-deps): babel-core is a declared runtime dependency; indirect usage pattern is normal for Babel plugins in this monorepo ecosystem. | ai | |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 6.26.0 | 1 / 1 | |
| 6.24.1 | 1 / 1 | |
| 6.22.0 | 1 / 1 | |
| 6.21.0 | 1 / 1 | |
| 6.20.0 | 1 / 1 | |
| 6.16.1 | 3 / 1 | |
| 6.16.0 | 2 / 1 | |
| 6.14.0 | 9 / 1 | |
| 6.11.4 | 9 / 1 | |
| 6.9.0 | 9 / 1 | |
| 6.8.0 | 9 / 1 | |
| 6.6.5 | 9 / 1 | |
| 6.6.0 | 9 / 1 | |
| 6.4.4 | 9 / 1 | |
| 6.4.3 | 9 / 1 | |
| 6.3.26 | 9 / 1 | |
| 6.3.13 | 9 / 1 | |
| 6.3.2 | 9 / 1 | |
| 6.2.4 | 9 / 1 | |
| 6.2.0 | 9 / 1 | |
| 6.1.18 | 11 / 0 | |
| 6.1.17 | 11 / 0 | |
| 6.1.4 | 11 / 0 | |
| 6.0.14 | 10 / 3 | |
| 6.0.12 | 10 / 3 | |
| 6.0.10 | 10 / 3 | |
| 6.0.2 | 0 / 0 | |
v6.26.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.24.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.22.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.21.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.20.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.16.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.16.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.11.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.4
2 findings:
This version was published by a different npm account than previous versions on 2016-01-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.26
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.3.13
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-12-04. This could indicate a legitimate maintainer transition or an account compromise.
v6.3.2
2 findings:
This version was published by a different npm account than previous versions on 2015-12-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.18
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.10
6 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware. (This finding is reported five times, once per newly added file.)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.