
buble

The blazing fast, batteries-included ES2015 compiler

Versions: 9
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

SLSA provenance: none
npm registry signatures: present
gitHead linked: yes

Without SLSA provenance there is no cryptographic link between this tarball and the public source. The registry signature only proves that npm served this exact tarball, and gitHead is a commit id the publishing client wrote into the metadata without anyone verifying that the tarball was built from it. The axios compromise (March 2026) relied on exactly this gap.
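The three status lines above map to fields in the registry's version document (`dist.attestations`, `dist.signatures`, and the top-level `gitHead`). The script below is an added example, not part of this page or of the buble project: it evaluates those fields the way the badges do and also checks a downloaded tarball against `dist.integrity`. The version document and tarball bytes are constructed stand-ins; the field layout (in particular `attestations.provenance`) is an assumption about the packument shape, so treat the field names as illustrative.

```python
import base64
import hashlib
import hmac

# Constructed tarball bytes standing in for buble-0.3.4.tgz (not the real file).
SAMPLE_TARBALL = b"\x1f\x8b constructed-bytes-standing-in-for-buble-0.3.4.tgz"


def sri_sha512(data: bytes) -> str:
    """Subresource Integrity string in the form npm stores under dist.integrity."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed stand-in for a packument `versions[...]` entry; NOT buble's real metadata.
# Field names follow the npm registry shape as assumed here; no "attestations" key
# means the registry holds no Sigstore/SLSA provenance for this version.
SAMPLE_VERSION_DOC = {
    "name": "buble",
    "version": "0.3.4",
    "gitHead": "0000000000000000000000000000000000000000",  # placeholder commit id
    "dist": {
        "tarball": "https://registry.npmjs.org/buble/-/buble-0.3.4.tgz",
        "integrity": sri_sha512(SAMPLE_TARBALL),
        "signatures": [{"keyid": "SHA256:constructed-key-id", "sig": "constructed"}],
    },
}

# Same document with a provenance attestation attached (assumed shape), for contrast.
SAMPLE_VERSION_DOC_WITH_PROVENANCE = {
    **SAMPLE_VERSION_DOC,
    "dist": {
        **SAMPLE_VERSION_DOC["dist"],
        "attestations": {
            "url": "https://registry.npmjs.org/-/npm/v1/attestations/buble@0.3.4",
            "provenance": {"predicateType": "https://slsa.dev/provenance/v1"},
        },
    },
}


def sri_matches(data: bytes, integrity: str) -> bool:
    """Check downloaded tarball bytes against an SRI string (sha256/384/512-<base64>)."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    actual = base64.b64encode(hashlib.new(algo, data).digest()).decode()
    # constant-time compare; digests are short but the habit costs nothing
    return hmac.compare_digest(actual, expected)


def provenance_status(version_doc: dict) -> dict:
    """Reproduce the three badges: SLSA provenance, registry signature, gitHead link.

    Note what each one proves. A registry signature only says the registry served
    this tarball; gitHead is an unverified string set by the publishing client.
    Only the attestation ties the tarball to a source revision and a builder.
    """
    dist = version_doc.get("dist", {})
    attestations = dist.get("attestations") or {}
    return {
        "slsa_provenance": bool(attestations.get("provenance")),
        "registry_signature": bool(dist.get("signatures")),
        "git_head_linked": bool(version_doc.get("gitHead")),
    }


if __name__ == "__main__":
    print(provenance_status(SAMPLE_VERSION_DOC))
    print(provenance_status(SAMPLE_VERSION_DOC_WITH_PROVENANCE))
    print(sri_matches(SAMPLE_TARBALL, SAMPLE_VERSION_DOC["dist"]["integrity"]))
```

The presence of an `attestations` entry is itself just a claim in metadata; actual verification means fetching the Sigstore bundle and checking it against the transparency log, which is what `npm audit signatures` does for an installed tree. The integrity check is the part that matters when you mirror or vendor a tarball: compare what you downloaded against the `dist.integrity` value recorded in your lockfile, not against whatever the registry says today.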

Maintainers

adrianheine, marijn, mourner, rich_harris

Keywords

javascript, transpilation, compilation, esnext, es2015, es2017, es6, es7

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:minimist | AI (phantom-deps): minimist is used by the CLI binary (bin/buble); declared correctly in dependencies. | ai |
phantom-deps | phantom-dep:vlq | AI (phantom-deps): vlq is used by the bundled dist output; declared correctly in dependencies. | ai |
source-diff | obfuscated-file:dist/buble-browser.es.js | AI (source-diff): Rollup-bundled output of buble's source; long lines are from bundling, not obfuscation. Source maps included. | ai |
source-diff | large-new-source-files | AI (source-diff): Package ships src/ and dist/ with source maps; large file count is normal for a compiler/transpiler. | ai |
source-diff | obfuscated-file:dist/buble.deps.js | AI (source-diff): Standard Rollup UMD bundle with inlined deps (acorn, etc.); long lines from bundled code, not obfuscation. | ai |
source-diff | obfuscated-file:dist/buble.es.js | AI (source-diff): Standard Rollup ES module build output; long lines from bundled code, not obfuscation. | ai |
bogus-package | bogus-package | AI (bogus-package): The S_KNOWN_SPAM_PUBLISHER signal for 'marijn' is a false positive; Marijn Haverbeke is a highly reputable developer (acorn, CodeMirror). Buble is a legitimate, well-known ES2015 compiler. | ai |
provenance | publisher-changed | AI (provenance): mourner is Rich Harris, the original author of buble. The transfer from adrianheine back to mourner is a legitimate maintainer transition consistent with the project's history. | ai |
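The two phantom-deps findings were accepted because the modules pulled in by bin/buble and the dist bundle are declared in package.json. Below is an added example of the check behind that rule, written for this page and not taken from buble or from the scanner: it extracts bare module specifiers from require(), static import/export and dynamic import() calls, drops relative paths and Node builtins, and reports anything not covered by dependencies (flagging separately the case where the module only appears under devDependencies, which still breaks consumers at install time). The package.json and file contents are constructed to mirror the accepted findings, not buble's real files.

```python
import re

# Constructed sample package shaped after the findings above; not buble's real files.
SAMPLE_PACKAGE_JSON = {
    "name": "example-compiler",
    "bin": {"example": "bin/example"},
    "dependencies": {"acorn": "^8.0.0", "minimist": "^1.2.0", "vlq": "^1.0.0"},
    "devDependencies": {"rollup": "^4.0.0"},
}
SAMPLE_FILES = {
    "bin/example": (
        "#!/usr/bin/env node\n"
        "const minimist = require('minimist');\n"
        "const fs = require('fs');\n"
        "const { compile } = require('../dist/example.js');\n"
    ),
    "dist/example.js": (
        "import { encode } from 'vlq';\n"
        "import * as acorn from 'acorn';\n"
        "const chalk = require('chalk');\n"   # not declared anywhere: phantom
        "import path from 'node:path';\n"
    ),
    "lib/helper.js": "const { rollup } = require('rollup');\n",  # dev-only dependency
}

# Partial list of Node builtins; enough for the example, extend from `module.builtinModules` in practice.
NODE_BUILTINS = {
    "assert", "buffer", "child_process", "crypto", "events", "fs", "http", "https",
    "module", "os", "path", "stream", "url", "util", "zlib",
}

REQUIRE_RE = re.compile(r"""require\(\s*['"]([^'"]+)['"]\s*\)""")
DYNAMIC_IMPORT_RE = re.compile(r"""import\(\s*['"]([^'"]+)['"]\s*\)""")
STATIC_IMPORT_RE = re.compile(r"""(?:import|export)\s+(?:[^'";]*?\s+from\s+)?['"]([^'"]+)['"]""")


def package_name(specifier: str) -> str:
    """'@scope/pkg/sub/path' -> '@scope/pkg', 'pkg/sub' -> 'pkg'."""
    if specifier.startswith("@"):
        return "/".join(specifier.split("/")[:2])
    return specifier.split("/")[0]


def find_imports(source: str) -> set:
    """Bare package names imported by a JS source string (builtins and relative paths excluded)."""
    names = set()
    for rx in (REQUIRE_RE, DYNAMIC_IMPORT_RE, STATIC_IMPORT_RE):
        for spec in rx.findall(source):
            if spec.startswith((".", "/")):
                continue                      # relative or absolute path, not a package
            if spec.startswith("node:") or package_name(spec) in NODE_BUILTINS:
                continue                      # Node builtin
            names.add(package_name(spec))
    return names


def phantom_deps(package_json: dict, files: dict) -> dict:
    """Map each undeclared package to the files that import it.

    dependencies, peerDependencies and optionalDependencies all count as declared;
    a module only present in devDependencies is reported with dev_only=True because
    it will be missing from a consumer's install.
    """
    declared = set()
    for key in ("dependencies", "peerDependencies", "optionalDependencies"):
        declared |= set(package_json.get(key, {}))
    dev = set(package_json.get("devDependencies", {}))
    report = {}
    for path, source in files.items():
        for name in sorted(find_imports(source)):
            if name in declared:
                continue
            entry = report.setdefault(name, {"files": [], "dev_only": name in dev})
            entry["files"].append(path)
    return report


if __name__ == "__main__":
    for name, info in phantom_deps(SAMPLE_PACKAGE_JSON, SAMPLE_FILES).items():
        print(f"phantom-dep:{name} dev_only={info['dev_only']} files={info['files']}")
```

The regexes are a deliberate approximation: they will also match specifiers inside comments or strings, and they miss computed `require(name)` calls, so a real implementation parses the files (acorn, which buble itself bundles, is a natural choice) and reads the module graph from the AST. The useful property of even this crude version is that it runs over the published tarball, so a dependency that is imported by shipped code but absent from package.json shows up regardless of what the repository's lockfile says.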

Versions (showing 9 of 109)

Version | Deps | Published
0.3.4 | 3 / 5 |
0.3.3 | 3 / 5 |
0.3.2 | 3 / 5 |
0.3.1 | 3 / 5 |
0.3.0 | 3 / 5 |
0.2.2 | 3 / 4 |
0.2.1 | 3 / 4 |
0.2.0 | 3 / 4 |
0.1.0 | 3 / 4 |

v0.3.4

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.3

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.2

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.1

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.1.0

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.