es6-module-transpiler
es6-module-transpiler is an experimental compiler that allows you to write your JavaScript using a subset of the current ES6 module syntax, and compile it into various formats.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| license | uncommon-license:Apache 2 | AI (license): Apache 2 is a minor formatting variant of the standard Apache-2.0 SPDX identifier; not a real licensing concern for this package. | ai | |
| npm-metadata | url-dep:jasmine-node | AI (npm-metadata): URL dep points to the publisher's own fork of a test-only dependency; no runtime risk to consumers. Consistent across all versions of this package. | ai | |
| phantom-deps | phantom-dep:jasmine-node | AI (phantom-deps): jasmine-node is a CLI test runner invoked via npm scripts, not require()'d directly. Phantom dep finding is a stable false positive for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): esprima-fb is a legitimate ES6-capable esprima fork, appropriate for an ES6 transpiler. The swap from esprima to esprima-fb is a coherent, purposeful upgrade. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): tboyt added as maintainer in 2013 as part of Square org transition. No evidence of compromise; package repo remains under square GitHub org. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from eventualbuddha to tboyt occurred in 2013 within the Square org (repo is square/es6-module-transpiler). Legitimate internal transition, not a hostile takeover. | ai | |
| provenance | no-provenance | AI (provenance): Package was first published in 2013, well before Sigstore provenance was available. No provenance is expected for this era of package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in CLI is an intentional plugin-loading pattern for custom formatters; stable and documented behavior for this transpiler tool. | ai | |
| dependencies | unvetted-dep:esprima-fb | AI (dependencies): esprima-fb is Facebook's ES6-capable esprima fork; the unusual version string (7001.x) is Facebook's versioning convention, not a malware signal. Standard dep for ES6 tooling of this era. | ai |
Versions (showing 27 of 27)
| Version | Deps | Published |
|---|---|---|
| 0.10.0 | 5 / 6 | |
| 0.9.6 | 4 / 6 | |
| 0.9.3 | 4 / 6 | |
| 0.9.2 | 4 / 6 | |
| 0.9.1 | 4 / 5 | |
| 0.9.0 | 4 / 5 | |
| 0.8.2 | 4 / 5 | |
| 0.8.1 | 4 / 5 | |
| 0.8.0 | 5 / 2 | |
| 0.7.0 | 5 / 2 | |
| 0.6.2 | 5 / 2 | |
| 0.6.1 | 5 / 2 | |
| 0.6.0 | 5 / 2 | |
| 0.5.1 | 5 / 1 | |
| 0.4.0 | 2 / 14 | |
| 0.3.6 | 2 / 14 | |
| 0.3.5 | 2 / 14 | |
| 0.3.4 | 2 / 14 | |
| 0.3.3 | 2 / 14 | |
| 0.3.2 | 2 / 14 | |
| 0.3.1 | 2 / 14 | |
| 0.3.0 | 2 / 14 | |
| 0.2.0 | 2 / 8 | |
| 0.1.3 | 2 / 6 | |
| 0.1.2 | 3 / 4 | |
| 0.1.1 | 3 / 2 | |
| 0.1.0 | 3 / 2 |
v0.10.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: eventualbuddha.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
2 findingsThis version was published by a different npm account than previous versions on 2014-06-25. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.6
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-12-16. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.5
2 findingsThis version was published by a different npm account than previous versions on 2013-12-01. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-10-25. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
2 findingsThis version was published by a different npm account than previous versions on 2013-10-16. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.