
core-js-pure

Standard library

Versions: 7
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

- No SLSA provenance
- npm registry signatures
- gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

zloirock

Keywords

ES3, ES5, ES6, ES7, ES2015, ES2016, ES2017, ES2018, ES2019, ES2020, ES2021, ES2022, ES2023, ES2024, ES2025, ES2026, ECMAScript 3, ECMAScript 5, ECMAScript 6, ECMAScript 7, ECMAScript 2015, ECMAScript 2016, ECMAScript 2017, ECMAScript 2018, ECMAScript 2019, ECMAScript 2020, ECMAScript 2021, ECMAScript 2022, ECMAScript 2023, ECMAScript 2024, ECMAScript 2025, ECMAScript 2026, Map, Set, WeakMap, WeakSet, TypedArray, Promise, Observable, Symbol, Iterator, AsyncIterator, URL, URLSearchParams, queueMicrotask, setImmediate, structuredClone, polyfill, ponyfill, shim

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): slowcheetah is a known co-maintainer of core-js with extensive approved history; publisher change from 2020 is legitimate. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): slowcheetah removal with zloirock remaining as primary maintainer is a legitimate housekeeping change, not a takeover signal. | ai |
maintainer-change | maintainer-added | AI (maintainer-change): zloirock is the canonical core-js maintainer; collaborator additions are routine for this large OSS project and do not indicate compromise. | ai |
source-diff | large-new-source-files | AI (source-diff): core-js-pure ships hundreds of individual polyfill modules by design; large file counts are expected and not indicative of injected code. | ai |
provenance | no-provenance | AI (provenance): Established package predating Sigstore provenance; no provenance is expected and not a risk signal here. | ai |
install-scripts | install-script:postinstall | AI (install-scripts): core-js-pure's postinstall is a well-documented, long-standing funding prompt that silently no-ops on error. Stable and benign for this package. | ai |
bogus-package | bogus-package | AI (bogus-package): core-js-pure is a canonical polyfill library; short README and no runtime deps are structural characteristics, not spam indicators. | ai |

Versions (showing 7 of 7)

Version | Deps | Published
3.28.0 | 0 / 0 |
3.25.4 | 0 / 0 |
3.8.2 | 0 / 0 |
3.4.1 | 0 / 0 |
3.0.1 | 0 / 0 |
3.0.0 | 0 / 0 |
0.0.1 | 0 / 0 |

v3.28.0

1 finding

INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.25.4

1 finding

INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.8.2

1 finding

INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.1

1 finding

INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

1 finding

INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.0.0

1 finding

INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1

1 finding

INFO: No provenance attestation (provenance)

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.