← Home

rollup-plugin-babel

npm Repository Homepage

Seamless integration between Rollup and Babel.

40
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

andaristdanezdevelopiteventualbuddhaexistentialismhzoologanfsmythnicolo-ribaudorich_harrisshellscapetrysoundvictorystick

Keywords

rollup-pluginbabeles2015es6

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:babel-core AI (dependencies): babel-core is the canonical Babel compiler; expected dependency for a Babel plugin. Stable for this package. ai
maintainer-change maintainer-added AI (maintainer-change): andarist and xtuc are known Rollup/Babel ecosystem contributors; addition reflects a legitimate team transition, not a compromise. ai
provenance publisher-changed AI (provenance): Transition from danez to andarist is a documented legitimate maintainer handoff within the Rollup ecosystem. Andarist has a strong track record (454 approved packages). ai
dependencies unvetted-peer-dep:rollup AI (dependencies): rollup is the canonical bundler this plugin integrates with; peer dependency is expected and stable. ai
dependencies unvetted-peer-dep:@babel/core AI (dependencies): @babel/core is the official Babel compiler; peer dependency is expected and stable for this plugin. ai
dependencies unvetted-dep:rollup-pluginutils AI (dependencies): rollup-pluginutils is the canonical utility library for rollup plugins; stable dependency for this package across all versions. ai
dependencies unvetted-dep:@babel/helper-module-imports AI (dependencies): @babel/helper-module-imports is an official Babel scoped package; stable and expected dependency for a rollup-babel integration plugin. ai
bogus-package bogus-package AI (bogus-package): Flagged maintainers (hzoo, loganfsmyth) are well-known legitimate Babel ecosystem contributors (Henry Zhu, Logan Smyth); spam flag is a false positive for this package. ai
provenance no-provenance AI (provenance): Provenance attestation is not yet standard practice on npm; absence is not a security signal for established packages. ai

Versions (showing 40 of 40)

Version Deps Published
4.4.0 2 / 18
4.3.3 2 / 18
4.3.2 2 / 18
4.3.1 2 / 18
4.3.0 2 / 18
4.2.0 2 / 16
4.1.0 2 / 16
4.0.3 2 / 13
4.0.2 2 / 13
4.0.1 2 / 13
4.0.0 2 / 13
3.0.7 1 / 13
3.0.6 1 / 13
3.0.5 1 / 13
3.0.4 1 / 13
3.0.3 1 / 12
3.0.2 1 / 12
3.0.1 1 / 12
3.0.0 1 / 12
2.7.1 4 / 11
2.7.0 4 / 11
2.6.1 4 / 10
2.6.0 4 / 10
2.5.1 4 / 10
2.5.0 4 / 9
2.4.0 4 / 10
2.3.9 4 / 10
2.3.8 4 / 10
2.3.6 4 / 10
2.3.5 4 / 10
2.3.4 4 / 10
2.3.3 3 / 10
2.3.2 3 / 10
2.3.1 3 / 10
2.3.0 3 / 10
2.2.0 3 / 5
2.1.0 3 / 5
2.0.1 3 / 4
2.0.0 2 / 3
1.0.0 2 / 3

v4.4.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.7.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.7.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.6.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.6.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.5.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.5.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.4.0

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: rich_harris → victorystick (on 2016-02-23) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2016-02-23. This could indicate a legitimate maintainer transition or an account compromise.

v2.3.9

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: rich_harris → eventualbuddha (on 2016-01-16) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2016-01-16. This could indicate a legitimate maintainer transition or an account compromise.

v2.3.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.6

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.3.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.2.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.1.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.