babel-plugin-undeclared-variables-check
Throw a compile-time error on references to undeclared variables
Versions: 13
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
No source commit
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
amasad, hzoo, jmm, loganfsmyth, sebmck, thejameskyle
Keywords
babel-plugin
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Provenance absence is common (88% of npm packages); not a material risk for this established Babel plugin. | ai | |
| provenance | publisher-changed | AI (provenance): The sebmck→hzoo transition is the well-documented Babel project stewardship handoff in 2016; hzoo is a recognized Babel core maintainer. This generalizes to all versions of this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): All added maintainers (amasad, hzoo, jmm, loganfsmyth, thejameskyle) are known Babel core team members from the 2016 project transition. Stable for this package. | ai | |
| dependencies | unvetted-dep:babel-runtime | AI (dependencies): babel-runtime is a standard Babel dependency; unvetted status is expected for core Babel ecosystem packages. | ai | |
| phantom-deps | phantom-dep:babel-runtime | AI (phantom-deps): Phantom dependency pattern is normal for Babel plugins; babel-runtime is referenced in config, not direct imports. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Mass production signal reflects hzoo's legitimate Babel plugin maintenance; tiny payload is appropriate for a focused linting plugin. | ai | |