babel-preset-es2017
Babel preset for all es2017 plugins.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Absolute sizes are trivially small (157B → 738B); relative increase is misleading at this scale for a simple preset package. | ai | |
| provenance | no-provenance | AI (provenance): Legacy Babel package published before Sigstore provenance was standard; not a security concern for this well-known package. | ai | |
| provenance | missing-githead | AI (provenance): Established Babel monorepo package; missing gitHead is a minor publish environment difference, not a security signal for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): bettiolo's removal is part of the Babel 6 monorepo consolidation; package moved under official Babel team ownership. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Publisher change from bettiolo to hzoo (Henry Zhu) reflects the documented Babel 6 monorepo consolidation in 2016. hzoo is a core Babel maintainer; this is not a malicious takeover. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to hzoo is the legitimate Babel 6 monorepo migration. hzoo is a core Babel maintainer with a strong track record. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Spam-flagged maintainers are Babel core team members (hzoo, sebmck, thejameskyle, etc.). Tiny payload is expected for a preset re-export package. False positive for this well-known Babel package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (amasad, jmm, loganfsmyth, sebmck, thejameskyle) are all recognized Babel core team members. Legitimate team expansion, not a takeover. | ai | |
Versions (showing 15 of 15)
| Version | Deps | Published |
|---|---|---|
| 6.24.1 | 2 / 0 | |
| 6.22.0 | 2 / 0 | |
| 6.16.0 | 2 / 0 | |
| 6.14.0 | 2 / 0 | |
| 1.6.1 | 15 / 10 | |
| 1.6.0 | 15 / 10 | |
| 1.5.0 | 15 / 10 | |
| 1.4.0 | 14 / 10 | |
| 1.3.2 | 14 / 10 | |
| 1.3.1 | 14 / 11 | |
| 1.3.0 | 14 / 11 | |
| 1.2.0 | 14 / 11 | |
| 1.1.0 | 13 / 10 | |
| 1.0.1 | 13 / 10 | |
| 1.0.0 | 13 / 10 | |
v6.24.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hzoo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.22.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hzoo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.16.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hzoo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.14.0
4 findings
All previous maintainers (bettiolo) were replaced by new maintainers (hzoo). This is a strong signal of a potential package hijack and requires careful review.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: hzoo.
This version was published by a different npm account than previous versions on 2016-08-24. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.