
traceur

ES6 to ES5 compiler

Versions: 4
License: Apache-2.0
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance · npm registry signatures · gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

arv
johnjbarton

Keywords

javascript, ecmascript, language, es5, es6, ES.next, harmony, compiler, transpiler

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | source-size-tripled | AI (source-diff): Size increase reflects bundling the compiled compiler and runtime into bin/ files, replacing the regexpu dep. Expected for a transpiler shipping self-contained binaries. | ai |
source-diff | obfuscated-file:bin/traceur.js | AI (source-diff): bin/traceur.js is Traceur's bundled/minified compiler output, standard practice for this transpiler tool. Long lines are from minification, not obfuscation. Stable for this package. | ai |
source-diff | obfuscated-file:dist/commonjs/outputgeneration/regexpuRewritePattern.js | AI (source-diff): This is a bundled/compiled version of the regexpu library in Traceur's dist/ output. Long lines are expected minified build artifacts for this transpiler project, not obfuscation. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): source-map-support is a well-known, benign package; its addition is natural for a compiler/transpiler like Traceur. | ai |
semgrep | semgrep:new-function-constructor | AI (semgrep): Usage is in vendored Google Closure Library; the pattern is a trivial identity function (return a), benign and stable across versions. | ai |
source-diff | source-size-dropped | AI (source-diff): Size drop is explained by the explicit 'files' whitelist in package.json scoping the publish to only src/node/*.js and bin/ files, a deliberate packaging optimization, not code replacement. | ai |
source-diff | obfuscated-file:bin/BrowserSystem.js | AI (source-diff): BrowserSystem.js is a legitimate minified browser bundle for the Traceur compiler runtime. Long lines are expected in bundled build artifacts for this transpiler package. | ai |
source-diff | net-exec-file:src/util/parseProlog.js | AI (source-diff): parseProlog.js is a legitimate compiler utility parsing comment directives in source files. The eval() evaluates skip-directive expressions from test files; the 'network' signal is a false positive from ES6 import statements, not actual network calls. | ai |
provenance | publisher-changed | AI (provenance): Publisher change johnjbarton→arv occurred in 2014; arv has 575 approved packages and is a known Google Traceur maintainer. Historical transition, not a compromise. | ai |
phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is declared in both dependencies and devDependencies; the phantom-dep finding is a false positive for this package's build/config usage pattern. | ai |
phantom-deps | phantom-dep:regexpu | AI (phantom-deps): regexpu is a legitimate runtime dependency for Unicode regex support in the transpiler; indirect usage via config is expected. | ai |
license | uncommon-license:Apache License 2.0 | AI (license): Apache License 2.0 is a standard permissive license used by Google projects; the 'uncommon' flag is a false positive for this well-known license string. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is core functionality in traceur-runtime.js; it implements module resolution for transpiled ES6 code. Expected and stable for this compiler package. | ai |
provenance | no-provenance | AI (provenance): Established Google-authored package (4791 days old) with consistent publisher history; lack of Sigstore provenance is expected for this era of package. | ai |
semgrep | semgrep:eval-usage | AI (semgrep): eval() in parseProlog.js is used to evaluate prolog directives in source files being compiled, inherent to a JS compiler/transpiler's design. | ai |

Versions (showing 4 of 104)

Version | Deps | Published
0.0.4 | 1 / 3 |
0.0.3 | 1 / 2 |
0.0.2 | 1 / 1 |
0.0.1 | 1 / 0 |

v0.0.4

1 finding
INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.3

1 finding
INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.2

1 finding
INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.1

1 finding
INFO (provenance): No provenance attestation

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.