regexpu-core — Greenflagged

regexpu’s core functionality (i.e. `rewritePattern(pattern, flag)`), capable of translating ES6 Unicode regular expressions to ES5.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

mathiasjridgewellnicolo-ribaudogoogle-wombot

Keywords

codegendesugaringecmascriptes5es6harmonyjavascriptrefactoringregexregexpregular expressionsrewritingsyntaxtransformationtranspiletranspilerunicode

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:unicode-match-property-value	AI (dependencies): New dependency serves core Unicode regex functionality; maintainer's track record and semantic versioning constraint mitigate risk.	ai	2026/04/22
dependencies	unvetted-dep:unicode-match-property	AI (dependencies): New dependency serves core Unicode regex functionality; maintainer's track record and semantic versioning constraint mitigate risk.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance; published by a highly trusted, long-standing maintainer (mathias). Absence of provenance is not a meaningful risk signal here.	ai	2026/04/22
dependencies	unvetted-dep:@babel/regjsgen	AI (dependencies): @babel/regjsgen is a legitimate Babel-maintained fork of regjsgen; its use here is a straightforward dependency swap consistent with Babel ecosystem integration.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): The new dep @babel/regjsgen directly replaces regjsgen; this is a known, legitimate Babel package, not a suspicious addition.	ai	2026/04/22
source-diff	obfuscated-file:data/all-characters.js	AI (source-diff): data/all-characters.js is a build-generated file containing Unicode code point arrays for regenerate(). Long lines are dense hex data, not obfuscation. Stable pattern for this package.	ai	2026/04/22
source-diff	source-size-tripled	AI (source-diff): Size increase is explained by addition of data/all-characters.js encoding full Unicode character sets — legitimate data expansion for a Unicode regex transpiler.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Legitimate transition from Mathias Bynens to nicolo-ribaudo (Babel core team); well-documented ecosystem handoff, not a compromise.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (nicolo-ribaudo, jridgewell, google-wombot) reflect legitimate adoption by Babel/Google ecosystem; stable for this package.	ai	2026/04/22
phantom-deps	phantom-dep:regenerate-unicode-properties	AI (phantom-deps): regenerate-unicode-properties is a declared runtime dependency and is used via dynamic require in rewrite-pattern.js; the phantom-dep finding is a false positive for this package.	ai	2026/04/21
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is scoped to loading Unicode property data files from regenerate-unicode-properties; legitimate data-driven code generation pattern, not arbitrary module loading.	ai	2026/04/21

Versions (showing 53 of 53)

Version	Deps	Published
6.4.0	6 / 2	2025-09-22
6.3.1	6 / 2	2025-09-10
6.3.0	6 / 2	2025-09-10
6.2.0	6 / 2	2024-11-21
6.1.1	6 / 2	2024-09-20
6.1.0	6 / 2	2024-09-18
6.0.0	6 / 2	2023-09-25
5.3.2	6 / 7	2023-03-10
5.3.1	6 / 7	2023-02-16
5.3.0	6 / 7	2023-02-08
5.2.2	6 / 7	2022-11-14
5.2.1	6 / 7	2022-09-14
5.1.0	6 / 7	2022-06-27
5.0.1	6 / 7	2022-01-10
5.0.0	6 / 7	2022-01-08
4.8.0	6 / 7	2021-09-14
4.7.1	6 / 7	2020-09-18
4.7.0	6 / 7	2020-03-11
4.6.0	6 / 7	2019-09-13
4.5.5	6 / 7	2019-08-10
4.5.4	6 / 7	2019-03-11
4.5.3	6 / 7	2019-03-06
4.5.2	6 / 7	2019-03-05
4.5.1	6 / 7	2019-03-05
4.5.0	6 / 7	2019-03-05
4.4.0	6 / 7	2018-12-05
4.3.0	6 / 7	2018-12-05
4.2.0	6 / 7	2018-06-07
4.1.5	6 / 7	2018-05-14
4.1.4	6 / 7	2018-05-12
4.1.3	6 / 8	2017-09-18
4.1.2	6 / 8	2017-08-17
4.1.1	6 / 8	2017-06-20
4.1.0	6 / 8	2017-06-20
4.0.11	6 / 8	2017-04-15
4.0.10	6 / 8	2017-04-15
4.0.9	6 / 8	2017-04-15
4.0.8	6 / 8	2017-04-15
4.0.7	6 / 8	2017-04-14
4.0.6	6 / 8	2017-04-13
4.0.5	6 / 8	2017-04-11
4.0.4	6 / 8	2017-03-08
4.0.3	6 / 8	2017-03-08
4.0.2	6 / 8	2016-11-29
4.0.1	6 / 8	2016-11-18
4.0.0	6 / 7	2016-11-02
3.3.0	6 / 7	2016-08-17
3.2.0	6 / 7	2016-06-23
3.1.0	6 / 7	2016-06-21
3.0.2	5 / 7	2016-06-14
3.0.1	5 / 7	2016-06-02
2.0.0	3 / 7	2016-02-08
1.0.0	3 / 8	2016-01-11

v6.4.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.3.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v5.3.1

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: nicolo-ribaudo → google-wombot (on 2023-02-16) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-16. This could indicate a legitimate maintainer transition or an account compromise.

v5.3.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: google-wombot → nicolo-ribaudo (on 2023-02-08) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2023-02-08. This could indicate a legitimate maintainer transition or an account compromise.

v4.8.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: mathias → google-wombot (on 2021-09-14) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2021-09-14. This could indicate a legitimate maintainer transition or an account compromise.

v4.7.1

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: mathias → jridgewell (on 2020-09-18) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2020-09-18. This could indicate a legitimate maintainer transition or an account compromise.

v4.7.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.4.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.11

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.10

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.9

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.8

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.