regenerator
Source transformer enabling ECMAScript 6 generator functions (yield) in JavaScript-of-today (ES5)
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
benjamn
Keywords
generatoryieldcoroutinerewritingtransformationsyntaxcodegenrewritingrefactoringtranspilerdesugaringES6
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Legitimate use in GeneratorFunction prototype setup; not dynamic code execution from untrusted input. | ai | |
| source-diff | net-exec-file:runtime.js | AI (source-diff): runtime.js is the legitimate regenerator runtime polyfill from Facebook; the 'network + code execution' pattern is a false positive on standard module detection and Symbol usage. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely due to large documentation/demo files (docs/bundle.js, docs/codemirror) added for GitHub Pages demo. Not a runtime risk. | ai | |
| source-diff | net-exec-file:docs/bundle.js | AI (source-diff): docs/bundle.js is a browserify documentation/demo bundle for the regenerator project. The detected patterns are standard module loader boilerplate, not malware. Stable false positive for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): The dynamic require(runtime.dev) is a documented pattern in regenerator for lazily loading the dev runtime module path — not an arbitrary code execution risk. Stable for this package. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): commander is declared and used as CLI argument parser for bin/regenerator; false positive for a tool dependency. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies (babel-core, regenerator-preset, regenerator-runtime) are established packages appropriate for ES6 transpilation; stable pattern for this package. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Source reduction reflects refactoring to use Babel infrastructure; legitimate architectural change. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-es2015-for-of | AI (phantom-deps): Monorepo/lerna setup; deps used in sub-packages or Babel config, not directly imported in main. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:babel-types | AI (phantom-deps): Monorepo/lerna setup; deps used in sub-packages or Babel config, not directly imported in main. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:babel-runtime | AI (phantom-deps): Monorepo/lerna setup; deps used in sub-packages or Babel config, not directly imported in main. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:regenerator-transform | AI (phantom-deps): Monorepo/lerna setup; deps used in sub-packages or Babel config, not directly imported in main. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:babel-plugin-syntax-async-functions | AI (phantom-deps): Monorepo/lerna setup; deps used in sub-packages or Babel config, not directly imported in main. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:babel-plugin-syntax-async-generators | AI (phantom-deps): Monorepo/lerna setup; deps used in sub-packages or Babel config, not directly imported in main. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-es2015-classes | AI (phantom-deps): Monorepo/lerna setup; deps used in sub-packages or Babel config, not directly imported in main. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:private | AI (phantom-deps): Phantom dependency referenced in config files only; expected pattern in build tools. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-es2015-block-scoping | AI (phantom-deps): Monorepo/lerna setup; deps used in sub-packages or Babel config, not directly imported in main. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-es2015-arrow-functions | AI (phantom-deps): Monorepo/lerna setup; deps used in sub-packages or Babel config, not directly imported in main. Stable false positive for this package. | ai | |
| dependencies | unvetted-dep:mocha | AI (dependencies): mocha is an optional dev dependency used only for testing; it poses no runtime risk to consumers of this package. | ai | |
| dependencies | unvetted-dep:browserify | AI (dependencies): browserify is an optional dev dependency used only for building; it poses no runtime risk to consumers of this package. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is an optionalDependency referenced only in config/scripts; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:browserify | AI (phantom-deps): browserify is an optionalDependency used only for bundling; not imported at runtime. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:mocha | AI (phantom-deps): mocha is an optionalDependency used only for testing; not imported at runtime. Stable false positive for this package. | ai | |
| npm-metadata | url-dep:esprima | AI (npm-metadata): Historical git dependency on esprima harmony branch was standard practice for early ES6 tooling; points to canonical upstream repo by original author. | ai | |
| dependencies | unvetted-dep:esprima-fb | AI (dependencies): esprima-fb is Facebook's ES6-capable fork of esprima; appropriate for ES6 generator transpilation. | ai | |
| phantom-deps | phantom-dep:commoner | AI (phantom-deps): Phantom dependency referenced in config files only; expected pattern in build tools. | ai | |
| dependencies | unvetted-dep:regenerator-transform | AI (dependencies): regenerator-transform is a first-party companion package in the regenerator ecosystem, maintained by the same author (benjamn/facebook). Expected dependency for this package. | ai | |
| dependencies | unvetted-dep:regenerator-preset | AI (dependencies): regenerator-preset is a first-party companion package in the regenerator ecosystem, maintained by the same author (benjamn/facebook). Expected dependency for this package. | ai | |
| provenance | no-provenance | AI (provenance): Package is 4578 days old; Sigstore provenance predates its publication era. Not a meaningful risk signal for this package. | ai | |
| license | uncommon-license:BSD | AI (license): BSD is a well-known permissive license; the uncommon-license flag is a stable false positive for this package. | ai |
Versions (showing 51 of 77)
| Version | Deps | Published |
|---|---|---|
| 0.14.12 | 9 / 10 | |
| 0.14.11 | 9 / 10 | |
| 0.14.10 | 10 / 10 | |
| 0.14.9 | 10 / 10 | |
| 0.14.7 | 10 / 10 | |
| 0.14.6 | 10 / 10 | |
| 0.14.5 | 10 / 10 | |
| 0.14.4 | 10 / 10 | |
| 0.14.3 | 10 / 11 | |
| 0.14.2 | 10 / 11 | |
| 0.14.1 | 10 / 9 | |
| 0.14.0 | 10 / 9 | |
| 0.13.4 | 10 / 9 | |
| 0.13.3 | 10 / 9 | |
| 0.13.2 | 10 / 9 | |
| 0.13.1 | 10 / 8 | |
| 0.13.0 | 10 / 8 | |
| 0.12.4 | 16 / 11 | |
| 0.12.3 | 16 / 11 | |
| 0.12.2 | 16 / 11 | |
| 0.12.1 | 16 / 11 | |
| 0.12.0 | 16 / 11 | |
| 0.11.1 | 16 / 11 | |
| 0.11.0 | 16 / 11 | |
| 0.10.1 | 16 / 11 | |
| 0.10.0 | 16 / 11 | |
| 0.9.7 | 6 / 4 | |
| 0.9.6 | 6 / 4 | |
| 0.9.5 | 6 / 4 | |
| 0.9.4 | 6 / 4 | |
| 0.9.3 | 6 / 4 | |
| 0.9.2 | 6 / 4 | |
| 0.9.1 | 8 / 4 | |
| 0.8.12 | 6 / 3 | |
| 0.4.12 | 5 / 2 | |
| 0.4.11 | 5 / 2 | |
| 0.4.10 | 5 / 2 | |
| 0.4.9 | 5 / 2 | |
| 0.4.8 | 5 / 2 | |
| 0.4.7 | 5 / 2 | |
| 0.4.6 | 5 / 2 | |
| 0.4.5 | 5 / 2 | |
| 0.4.4 | 6 / 2 | |
| 0.4.3 | 6 / 2 | |
| 0.4.2 | 6 / 2 | |
| 0.4.1 | 6 / 2 | |
| 0.4.0 | 6 / 2 | |
| 0.3.9 | 6 / 2 | |
| 0.3.8 | 6 / 2 | |
| 0.3.7 | 6 / 2 | |
| 0.3.6 | 6 / 2 |