@babel/core
Babel compiler core.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Babel's publish pipeline change explains missing gitHead; nicolo-ribaudo is a trusted core maintainer. This metadata absence is not a security signal for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): @babel/core regularly adds source files across versions as the compiler evolves; 24 new files is consistent with normal Babel development cadence and not indicative of injected code. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removals reflect normal Babel team evolution over time; no indication of takeover for this established package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Babel is a large, well-governed project; maintainer rotation is normal and expected. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @jridgewell/remapping is a well-known, trusted source-map library replacing @ampproject/remapping — a straightforward, benign dependency swap. | ai | |
| provenance | publisher-changed | AI (provenance): nicolo-ribaudo is a known Babel core maintainer; the transition from jlhwung is a legitimate team change, not a takeover. | ai | |
| phantom-deps | phantom-dep:@types/gensync | AI (phantom-deps): @types/* packages are type-only and never directly imported at runtime; phantom-dep firing on them is a stable false positive for any package that ships @types deps at runtime. | ai | |
| bogus-package | bogus-package | AI (bogus-package): hzoo and loganfsmyth are well-known Babel project founders, not spam publishers. This is a stable false positive for @babel/core. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is fundamental to Babel's plugin/preset loading architecture; this is expected and stable behavior for @babel/core. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is not yet standard practice on npm; absence is not a security signal for established packages with strong ecosystem trust. | ai | |
| dependencies | unvetted-dep:convert-source-map | AI (dependencies): convert-source-map is a standard source-map utility; pinned constraint is safe. | ai | |
| typosquat | typosquat.levenshtein:cors | AI (typosquat): @babel/core is a scoped package in the @babel namespace; no plausible confusion with 'cors'. | ai | |
| dependencies | unvetted-dep:@babel/types | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/parser | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/helpers | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/template | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/traverse | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/generator | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/helper-module-transforms | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:@babel/helper-compilation-targets | AI (dependencies): First-party @babel scoped package; expected dependency for @babel/core. | ai | |
| dependencies | unvetted-dep:debug | AI (dependencies): 'debug' is a well-known, widely-used npm package; its use as a dependency in @babel/core is expected and benign. | ai | |
Versions (showing 51 of 156)
| Version | Deps | Published |
|---|---|---|
| 7.29.0 | 15 / 14 | |
| 7.28.6 | 15 / 14 | |
| 7.28.5 | 15 / 14 | |
| 7.28.4 | 15 / 14 | |
| 7.28.3 | 15 / 14 | |
| 7.28.0 | 15 / 14 | |
| 7.27.7 | 15 / 14 | |
| 7.27.4 | 15 / 13 | |
| 7.27.3 | 15 / 13 | |
| 7.27.1 | 15 / 13 | |
| 7.26.10 | 15 / 13 | |
| 7.26.9 | 15 / 13 | |
| 7.26.8 | 16 / 13 | |
| 7.26.7 | 15 / 14 | |
| 7.26.0 | 15 / 14 | |
| 7.25.9 | 15 / 14 | |
| 7.25.8 | 15 / 14 | |
| 7.25.7 | 15 / 14 | |
| 7.25.2 | 15 / 14 | |
| 7.24.9 | 15 / 14 | |
| 7.24.8 | 15 / 14 | |
| 7.24.7 | 15 / 14 | |
| 7.24.6 | 15 / 14 | |
| 7.24.5 | 15 / 14 | |
| 7.24.4 | 15 / 14 | |
| 7.24.3 | 15 / 14 | |
| 7.24.1 | 15 / 14 | |
| 7.24.0 | 15 / 14 | |
| 7.23.9 | 15 / 14 | |
| 7.23.7 | 15 / 14 | |
| 7.23.6 | 15 / 14 | |
| 7.23.5 | 15 / 14 | |
| 7.23.3 | 15 / 14 | |
| 7.23.2 | 15 / 14 | |
| 7.23.0 | 15 / 14 | |
| 7.22.20 | 15 / 14 | |
| 7.22.19 | 15 / 14 | |
| 7.22.18 | 15 / 14 | |
| 7.22.17 | 15 / 14 | |
| 7.22.15 | 15 / 14 | |
| 7.22.11 | 15 / 14 | |
| 7.22.10 | 15 / 14 | |
| 7.22.9 | 15 / 14 | |
| 7.22.8 | 15 / 14 | |
| 7.22.7 | 15 / 14 | |
| 7.22.6 | 15 / 14 | |
| 7.22.5 | 15 / 14 | |
| 7.22.1 | 15 / 14 | |
| 7.22.0 | 15 / 14 | |
| 7.21.8 | 15 / 14 | |
| 7.21.5 | 15 / 14 | |
v7.29.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-31. This could indicate a legitimate maintainer transition or an account compromise.
v7.28.6
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.
v7.28.5
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-23. This could indicate a legitimate maintainer transition or an account compromise.
v7.28.4
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-05. This could indicate a legitimate maintainer transition or an account compromise.
v7.28.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-14. This could indicate a legitimate maintainer transition or an account compromise.
v7.28.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-02. This could indicate a legitimate maintainer transition or an account compromise.
v7.27.7
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-26. This could indicate a legitimate maintainer transition or an account compromise.
v7.27.4
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-05-30. This could indicate a legitimate maintainer transition or an account compromise.
v7.27.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-05-27. This could indicate a legitimate maintainer transition or an account compromise.
v7.27.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-30. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.10
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-11. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.9
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-02-14. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.8
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-02-08. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.7
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-24. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-25. This could indicate a legitimate maintainer transition or an account compromise.
v7.25.9
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-22. This could indicate a legitimate maintainer transition or an account compromise.
v7.25.8
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-10. This could indicate a legitimate maintainer transition or an account compromise.
v7.25.7
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-02. This could indicate a legitimate maintainer transition or an account compromise.
v7.25.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-07-30. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.9
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-07-15. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.8
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-07-11. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.7
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-06-05. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.6
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.24.5
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-04-29. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.4
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-04-03. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-03-20. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-03-19. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-02-28. This could indicate a legitimate maintainer transition or an account compromise.
v7.23.9
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-01-25. This could indicate a legitimate maintainer transition or an account compromise.
v7.23.7
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-12-29. This could indicate a legitimate maintainer transition or an account compromise.
v7.23.6
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-12-11. This could indicate a legitimate maintainer transition or an account compromise.
v7.23.5
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-11-29. This could indicate a legitimate maintainer transition or an account compromise.
v7.23.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-11-09. This could indicate a legitimate maintainer transition or an account compromise.
v7.23.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-10-12. This could indicate a legitimate maintainer transition or an account compromise.
v7.23.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-09-25. This could indicate a legitimate maintainer transition or an account compromise.
v7.22.20
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-09-16. This could indicate a legitimate maintainer transition or an account compromise.
v7.22.19
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-09-14. This could indicate a legitimate maintainer transition or an account compromise.
v7.22.18
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-09-14. This could indicate a legitimate maintainer transition or an account compromise.
v7.22.17
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-09-08. This could indicate a legitimate maintainer transition or an account compromise.
v7.22.15
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-09-04. This could indicate a legitimate maintainer transition or an account compromise.
v7.22.11
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.10
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.9
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.8
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.7
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.6
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.5
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.8
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.5
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.