regexpu — Greenflagged

A source code transpiler that enables the use of ES2015 Unicode regular expressions in ES5.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mathiasjridgewellgoogle-wombot

Keywords

codegendesugaringecmascriptes5es6es2015harmonyjavascriptrefactoringregexregexpregular expressionsrewritingsyntaxtransformationtranspiletranspilerunicode

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Publisher change from mathias to google-wombot is a known legitimate transfer (Mathias Bynens → Google). Stable for this package.	ai	2026/04/22
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy explained by maintainer transition to Google publishing infrastructure; stable for this package.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): jridgewell and google-wombot are known Google-affiliated maintainers; legitimate organizational transfer.	ai	2026/04/22
npm-metadata	url-dep:esprima	AI (npm-metadata): The URL dep points to the author's own esprima fork on the same GitHub org, created to add ES6 regexp support before upstream support existed. Stable and expected for this package.	ai	2026/04/22
dependencies	unvetted-dep:jsesc	AI (dependencies): jsesc is a well-known, legitimate package by the same author (Mathias Bynens); its use here is expected and benign.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): jsesc was already a devDependency; promotion to runtime dep is a natural, low-risk change by the same trusted author.	ai	2026/04/22
provenance	no-provenance	AI (provenance): regexpu is a long-established package (4257 days old); lack of Sigstore provenance is expected for packages of this vintage and is not a security risk here.	ai	2026/04/21
phantom-deps	phantom-dep:jsesc	AI (phantom-deps): jsesc is a legitimate runtime dependency by the same author; its indirect usage via config/build scripts is a known pattern for this package, not a security concern.	ai	2026/04/21

Versions (showing 48 of 48)

Version	Deps	Published
4.8.0	3 / 7	2021-09-14
4.6.0	3 / 7	2020-03-11
4.5.4	3 / 7	2019-08-10
4.5.3	3 / 7	2019-03-06
4.5.2	3 / 7	2019-03-05
4.5.1	3 / 7	2019-03-05
4.5.0	3 / 7	2019-03-05
4.4.0	3 / 7	2018-12-05
4.3.0	3 / 7	2018-12-05
4.2.0	3 / 7	2018-06-07
4.1.3	3 / 7	2017-09-18
4.1.2	3 / 7	2017-08-17
4.1.1	3 / 8	2017-06-24
4.1.0	3 / 8	2017-06-20
4.0.10	3 / 8	2017-04-15
4.0.9	3 / 8	2017-04-15
4.0.8	3 / 8	2017-04-15
4.0.7	3 / 8	2017-04-15
4.0.6	3 / 8	2017-04-14
4.0.5	3 / 8	2017-04-13
4.0.4	3 / 8	2017-04-11
4.0.3	3 / 7	2016-11-30
4.0.2	2 / 7	2016-11-29
4.0.1	2 / 7	2016-11-18
3.3.0	2 / 7	2016-08-17
3.2.0	2 / 8	2016-06-23
3.1.0	2 / 8	2016-06-21
3.0.1	2 / 8	2016-06-14
3.0.0	2 / 8	2016-06-02
2.1.0	2 / 6	2016-02-08
2.0.4	2 / 8	2016-02-01
2.0.3	5 / 8	2016-01-14
2.0.2	6 / 8	2016-01-12
2.0.1	6 / 8	2016-01-12
2.0.0	6 / 8	2016-01-11
1.3.0	5 / 7	2015-09-24
1.2.0	4 / 7	2015-06-18
1.1.2	4 / 7	2015-03-01
1.1.1	4 / 7	2015-02-10
1.1.0	4 / 7	2015-01-24
1.0.0	4 / 7	2015-01-13
0.3.1	4 / 7	2015-01-03
0.3.0	4 / 7	2014-10-10
0.2.3	4 / 7	2014-10-09
0.2.2	5 / 7	2014-10-08
0.2.1	5 / 6	2014-09-02
0.1.1	5 / 6	2014-08-25
0.1.0	5 / 4	2014-08-24

v4.8.0

2 findings

HIGH Publisher changed: mathias → google-wombot (on 2021-09-14) provenance

This version was published by a different npm account than previous versions on 2021-09-14. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance