systemjs-builder
SystemJS Build Tool
Supply chain provenance
Status for the latest visible version.
Without a SLSA provenance attestation there is no cryptographic link between the published tarball and the public source repository and build that supposedly produced it: a tarball uploaded from a stolen maintainer token looks identical to a genuine release. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is the legitimate initial release of systemjs-builder by guybedford, a well-established maintainer. Package is 12 years old with 139 versions; not a throwaway. | ai | |
| npm-metadata | url-dep:traceur | AI (npm-metadata): Early 2014-era release; git URL for traceur was common practice before consistent npm publishing. No security risk for this historical v0.0.1 artifact from a trusted publisher. | ai | |
| provenance | no-provenance | AI (provenance): Package predates npm provenance attestation by many years; absence is expected and not a risk signal for this package. | ai | |
| source-diff | obfuscated-file:test/fixtures/test-tree/register.js | AI (source-diff): Test fixture containing Babel-transpiled ES6 code (System.register format). Long lines are from transpiler output, not malicious obfuscation. Stable false positive for this build tool's test suite. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in lib/builder.js is part of SystemJS's documented module evaluation pipeline — evaluating module source code during builds, not arbitrary external input. Stable pattern across all versions of this build tool. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in compile.js is a standard plugin-dispatch pattern for a multi-format build tool; compilerMap is an internal lookup table, not user-controlled input. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() in output.js is a documented workaround to access Terser's unexported SourceMap internals; not arbitrary user-input execution. | ai | |
Versions (showing 51 of 138)
| Version | Deps | Published |
|---|---|---|
| 0.16.15 | 17 / 9 | |
| 0.16.14 | 17 / 9 | |
| 0.16.13 | 17 / 9 | |
| 0.16.12 | 17 / 9 | |
| 0.16.11 | 17 / 9 | |
| 0.16.10 | 17 / 9 | |
| 0.16.9 | 17 / 9 | |
| 0.16.8 | 17 / 9 | |
| 0.16.7 | 16 / 9 | |
| 0.16.6 | 16 / 9 | |
| 0.16.5 | 16 / 9 | |
| 0.16.4 | 16 / 9 | |
| 0.16.3 | 16 / 9 | |
| 0.16.2 | 16 / 9 | |
| 0.16.1 | 16 / 9 | |
| 0.16.0 | 16 / 9 | |
| 0.15.36 | 15 / 8 | |
| 0.15.35 | 15 / 8 | |
| 0.15.34 | 15 / 7 | |
| 0.15.33 | 15 / 7 | |
| 0.15.32 | 15 / 7 | |
| 0.15.31 | 15 / 7 | |
| 0.15.30 | 15 / 7 | |
| 0.15.29 | 15 / 7 | |
| 0.15.28 | 15 / 7 | |
| 0.15.27 | 15 / 7 | |
| 0.15.26 | 14 / 7 | |
| 0.15.25 | 14 / 7 | |
| 0.15.24 | 14 / 7 | |
| 0.15.23 | 12 / 7 | |
| 0.15.22 | 12 / 7 | |
| 0.15.21 | 12 / 7 | |
| 0.15.20 | 12 / 7 | |
| 0.15.19 | 12 / 8 | |
| 0.15.18 | 12 / 8 | |
| 0.15.17 | 13 / 8 | |
| 0.15.16 | 11 / 8 | |
| 0.15.15 | 9 / 8 | |
| 0.15.14 | 9 / 8 | |
| 0.15.13 | 9 / 8 | |
| 0.15.12 | 9 / 8 | |
| 0.15.11 | 9 / 8 | |
| 0.15.10 | 9 / 8 | |
| 0.15.9 | 9 / 8 | |
| 0.15.8 | 9 / 8 | |
| 0.15.7 | 9 / 8 | |
| 0.15.6 | 9 / 8 | |
| 0.15.5 | 9 / 8 | |
| 0.15.4 | 9 / 8 | |
| 0.15.3 | 9 / 8 | |
| 0.15.2 | 9 / 8 | |
v0.16.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.12
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.16.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.36
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.35
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.34
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.33
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.32
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.31
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.30
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.29
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.28
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.27
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.26
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.25
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.24
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.23
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.22
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.21
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.20
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.19
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.17
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.16
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.15
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.14
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.13
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.11
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.