es6-module-loader
An ES6 Module Loader shim
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/es6-module-loader.src.js | AI (source-diff): This is a module loader polyfill — fetching and executing modules is its core purpose. The dist file is a legitimate build artifact, not malware. | ai | |
| source-diff | net-exec-file:dist/es6-module-loader-sans-promises.src.js | AI (source-diff): This is a module loader polyfill — fetching and executing modules is its core purpose. The dist file is a legitimate build artifact, not malware. | ai | |
| source-diff | net-exec-file:dist/es6-module-loader-sans-promises.js | AI (source-diff): Network fetch + eval is the core design of a module loader shim. The fetch loads modules; eval executes them. This is documented, expected behavior, not malware. | ai | |
| source-diff | obfuscated-file:dist/es6-module-loader-sans-promises.js | AI (source-diff): This is a standard minified build artifact of the es6-module-loader library. Minified dist files are expected for this package. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Triggered in a bundled jQuery 1.7.1 demo file — well-known legitimate JSON parsing pattern in older jQuery; not part of the package's own library code. | ai | |
| source-diff | obfuscated-file:dist/traceur.js | AI (source-diff): dist/traceur.js is the minified Google Traceur compiler bundle (v0.0.25), matching the declared dependency. Minification is expected for compiler dist files. | ai | |
| source-diff | obfuscated-file:dist/es6-module-loader.js | AI (source-diff): dist/es6-module-loader.js is the standard minified build artifact of this ES6 module loader package; minification is expected for dist files. | ai | |
| source-diff | net-exec-file:dist/es6-module-loader.js | AI (source-diff): An ES6 module loader inherently performs network fetches and code evaluation — this is the package's core purpose, not malware behavior. | ai | |
| source-diff | obfuscated-file:dist/traceur-runtime.js | AI (source-diff): dist/traceur-runtime.js is the minified Google Traceur runtime, matching the declared traceur@0.0.25 dependency. Minification is expected. | ai | |
| source-diff | net-exec-file:lib/loader.js | AI (source-diff): lib/loader.js is the core loader polyfill; network + eval is the fundamental design of an ES6 module loader per spec. | ai | |
| source-diff | obfuscated-file:lib/traceur.js | AI (source-diff): lib/traceur.js is the bundled Traceur compiler source, expected to contain long lines as a compiler/transpiler tool. | ai | |
| source-diff | net-exec-file:test/test.js | AI (source-diff): test/test.js is a standard test harness for a module loader; dynamic execution in tests is expected for this package type. | ai | |
| phantom-deps | phantom-dep:grunt-contrib-uglify | AI (phantom-deps): grunt-contrib-uglify is a build tool accidentally placed in runtime deps instead of devDependencies. It is never imported at runtime; this is a packaging mistake, not a security issue. | ai | |
| source-diff | net-exec-file:dist/es6-module-loader.min.js | AI (source-diff): This is the expected minified build artifact of an ES6 module loader. Network calls are module fetching; eval is module execution — both are core functionality, not malware indicators. | ai | |
| source-diff | net-exec-file:dist/es6-module-loader-sans-promises.min.js | AI (source-diff): This is the expected minified build artifact of an ES6 module loader. Network calls are module fetching; eval is module execution — both are core functionality, not malware indicators. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance on npm by many years; absence of attestation is expected for this era of publishing. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is the core mechanism of an ES6 module loader shim — it executes loaded module source code in a scoped wrapper. This is expected and documented behavior for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Same historical 2015 maintainer transition as publisher-changed finding. crisptrutski is a well-established publisher with strong track record. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from guybedford to crisptrutski occurred in 2015 (~10 years ago). crisptrutski has 690 approved packages and is a trusted publisher. Historical transition, not a recent compromise signal. | ai | |
| source-diff | obfuscated-file:dist/es6-module-loader-dev.js | AI (source-diff): This is a standard minified dist build artifact for the es6-module-loader shim. Minification of dist files is expected and stable for this package. | ai | |
| source-diff | net-exec-file:dist/es6-module-loader-dev.js | AI (source-diff): An ES6 module loader shim inherently fetches modules over the network and evaluates them via new Function(). This is core functionality, not malware behavior. | ai | |
| source-diff | net-exec-file:dist/es6-module-loader-dev.src.js | AI (source-diff): Same rationale: the unminified source of the module loader shim legitimately combines network loading with dynamic code execution as its core feature. | ai | |
Versions (showing 51 of 56)
| Version | Deps | Published |
|---|---|---|
| 0.17.11 | 1 / 22 | |
| 0.17.10 | 1 / 22 | |
| 0.17.9 | 1 / 22 | |
| 0.17.8 | 1 / 22 | |
| 0.17.7 | 1 / 22 | |
| 0.17.6 | 1 / 22 | |
| 0.17.5 | 1 / 22 | |
| 0.17.4 | 1 / 22 | |
| 0.17.3 | 1 / 22 | |
| 0.17.2 | 1 / 22 | |
| 0.17.1 | 1 / 22 | |
| 0.16.6 | 1 / 23 | |
| 0.16.5 | 1 / 23 | |
| 0.16.4 | 1 / 23 | |
| 0.16.3 | 1 / 23 | |
| 0.16.2 | 1 / 23 | |
| 0.16.1 | 1 / 23 | |
| 0.16.0 | 1 / 23 | |
| 0.15.0 | 3 / 21 | |
| 0.14.0 | 3 / 21 | |
| 0.13.1 | 4 / 21 | |
| 0.13.0 | 4 / 21 | |
| 0.12.0 | 4 / 21 | |
| 0.11.2 | 2 / 6 | |
| 0.11.1 | 2 / 6 | |
| 0.11.0 | 3 / 6 | |
| 0.10.0 | 3 / 6 | |
| 0.9.4 | 3 / 6 | |
| 0.9.3 | 3 / 6 | |
| 0.9.2 | 3 / 6 | |
| 0.9.1 | 2 / 6 | |
| 0.9.0 | 2 / 6 | |
| 0.8.2 | 2 / 4 | |
| 0.8.1 | 2 / 4 | |
| 0.8.0 | 2 / 4 | |
| 0.7.2 | 2 / 4 | |
| 0.7.1 | 2 / 4 | |
| 0.7.0 | 2 / 4 | |
| 0.6.1 | 2 / 4 | |
| 0.6.0 | 2 / 4 | |
| 0.5.4 | 1 / 4 | |
| 0.5.3 | 1 / 4 | |
| 0.5.2 | 1 / 4 | |
| 0.5.1 | 1 / 4 | |
| 0.5.0 | 1 / 4 | |
| 0.4.3 | 1 / 3 | |
| 0.4.2 | 1 / 3 | |
| 0.4.1 | 1 / 3 | |
| 0.4.0 | 1 / 3 | |
| 0.3.3 | 1 / 3 | |
| 0.3.2 | 1 / 3 | |
v0.17.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.2
4 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.17.1
4 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.6
2 findings:
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2015-04-28. This could indicate a legitimate maintainer transition or an account compromise.
v0.16.5
2 findings:
This version was published by a different npm account than previous versions on 2015-04-09. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.4
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: guybedford.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.3
2 findings:
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: guybedford.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
3 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
3 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.4
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
8 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
8 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.