defs — Greenflagged

Static scope analysis and transpilation of ES6 block scoped const and let variables, to ES3.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

olov

Keywords

defsscopeblockscopeblock-scopeletconstvares6transpiletranspilerlintlinter

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:ast-traverse	AI (dependencies): AST traversal utility; stable dependency of this transpiler package, consistent across versions, no security signals.	ai	2026/04/22
dependencies	unvetted-dep:simple-is	AI (dependencies): Stable dependency of this established transpiler package; consistent across versions, no security signals.	ai	2026/04/22
dependencies	unvetted-dep:stringmap	AI (dependencies): Stable dependency of this established transpiler package; consistent across versions, no security signals.	ai	2026/04/22
dependencies	unvetted-dep:stringset	AI (dependencies): Stable dependency of this established transpiler package; consistent across versions, no security signals.	ai	2026/04/22
dependencies	unvetted-dep:simple-fmt	AI (dependencies): Stable dependency of this established transpiler package; consistent across versions, no security signals.	ai	2026/04/22
dependencies	unvetted-dep:alter	AI (dependencies): Stable dependency of this established transpiler package; consistent across versions, no security signals.	ai	2026/04/22
dependencies	unvetted-dep:tryor	AI (dependencies): Stable dependency of this established transpiler package; consistent across versions, no security signals.	ai	2026/04/22
dependencies	unvetted-dep:yargs	AI (dependencies): Well-known CLI argument parser; stable dependency of this package across many versions.	ai	2026/04/22
dependencies	unvetted-dep:breakable	AI (dependencies): Stable dependency of this established transpiler package; consistent across versions, no security signals.	ai	2026/04/22
npm-metadata	url-dep:esprima	AI (npm-metadata): Historical git URL dependency on ariya/esprima#harmony is a well-known early ES6 tooling pattern from ~2013; the canonical repo is legitimate and this is stable across all versions of this package.	ai	2026/04/22
dependencies	unvetted-dep:esprima-fb	AI (dependencies): esprima-fb is Facebook's harmony-enabled fork of esprima, appropriate for an ES6 transpiler. The unusual version string is a known quirk of this fork's versioning, not a risk indicator.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package is 4746 days old; provenance attestation was not available at the time of initial publishing. Low signal for a package of this age and track record.	ai	2026/04/22
semgrep	semgrep:child-process-import	AI (semgrep): child_process is used in test harness (run-tests.js) to execute test commands; legitimate for a transpiler's test suite.	ai	2026/04/21

Versions (showing 18 of 18)

Version	Deps	Published
1.1.1	10 / 1	2015-10-09
1.1.0	10 / 1	2014-11-28
1.0.1	10 / 1	2014-10-09
1.0.0	10 / 1	2014-07-18
0.6.2	9 / 1	2013-12-09
0.6.1	9 / 1	2013-12-09
0.6.0	9 / 1	2013-11-30
0.5.0	9 / 1	2013-09-30
0.4.3	8 / 0	2013-09-05
0.4.2	8 / 0	2013-09-01
0.4.1	7 / 0	2013-07-28
0.4.0	7 / 0	2013-07-09
0.3.0	7 / 0	2013-07-05
0.2.1	7 / 0	2013-05-04
0.2.0	7 / 0	2013-04-26
0.1.2	7 / 0	2013-04-24
0.1.1	7 / 0	2013-04-24
0.1.0	7 / 0	2013-04-24