metro-babel-transformer

🚇 Base Babel transformer for Metro.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

fbmetro-bot

Keywords

transformermetro

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Meta/facebook migrated metro packages to GitHub Actions CI publishing; SLSA attestation confirms legitimate CI origin.	ai	2026/04/28
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy reflects upstream release cadence for facebook/metro, not account takeover; SLSA attestation confirms integrity.	ai	2026/04/28
phantom-deps	phantom-dep:flow-enums-runtime	AI (phantom-deps): flow-enums-runtime is a runtime dep used by Flow-typed code at runtime, not directly imported in JS; stable false positive for this package.	ai	2026/04/28

Versions (showing 18 of 18)

Version	Deps	Published
0.84.4	5 / 0	2026-04-30
0.84.3	5 / 0	2026-04-13
0.84.2	4 / 0	2026-02-27
0.84.1	4 / 0	2026-02-25
0.84.0	4 / 0	2026-02-20
0.83.7	5 / 0	2026-04-29
0.83.6	5 / 0	2026-04-13
0.83.5	4 / 0	2026-03-01
0.83.4	4 / 0	2026-02-20
0.83.3	4 / 0	2025-10-01
0.83.2	4 / 0	2025-09-18
0.83.1	4 / 0	2025-07-24
0.83.0	4 / 0	2025-07-13
0.82.5	4 / 0	2025-07-06
0.82.4	4 / 0	2025-05-21
0.82.3	4 / 0	2025-05-06
0.82.2	4 / 0	2025-04-29
0.81.5	4 / 0	2025-05-06

v0.84.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.84.2

2 findings

HIGH Publisher changed: metro-bot → GitHub Actions (on 2026-02-27) provenance

This version was published by a different npm account than previous versions on 2026-02-27. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.84.1

2 findings

HIGH Publisher changed: metro-bot → GitHub Actions (on 2026-02-25) provenance

This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.84.0

2 findings

HIGH Publisher changed: metro-bot → GitHub Actions (on 2026-02-20) provenance

This version was published by a different npm account than previous versions on 2026-02-20. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.83.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.83.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.83.5

2 findings

HIGH Publisher changed: metro-bot → GitHub Actions (on 2026-03-01) provenance

This version was published by a different npm account than previous versions on 2026-03-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.