@babel/generator
Turns an AST into code.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@types/jsesc | AI (phantom-deps): Type-only packages are not directly imported; they are consumed by TypeScript tooling by convention. This is expected behavior for @types/* packages. | ai | |
| dependencies | unvetted-dep:@types/jsesc | AI (dependencies): @types/jsesc provides TypeScript types for jsesc, which is already a direct dependency. Including it as a runtime dep is unconventional but benign for a TypeScript-shipping package. | ai | |
| provenance | missing-githead | AI (provenance): Babel team changed their publish pipeline; missing gitHead is a process gap, not a security signal, for this well-established core package. | ai | |
| provenance | no-provenance | AI (provenance): Sigstore provenance was not yet standard practice for Babel at this version; no security risk given publisher track record and package history. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer rotation in the Babel project is routine; removal of developit does not indicate a takeover given the established team context. | ai | |
| provenance | publisher-changed | AI (provenance): jlhwung is a known Babel core team member; publisher rotation among Babel team members is normal for this monorepo package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): jlhwung is a legitimate Babel core team member with a strong track record; addition is consistent with normal Babel team operations. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @babel/parser and @jridgewell/* are well-known, legitimate Babel/source-map ecosystem packages; this dependency modernization is a routine refactor for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): hzoo (Henry Zhu) is the founder of Babel; spam flag is a false positive. No-keywords signal is irrelevant for a core Babel package. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): @babel/parser is a legitimate declared dependency in the Babel monorepo ecosystem; phantom-dep flag is a false positive for this package. | ai | |
| dependencies | unvetted-dep:jsesc | AI (dependencies): jsesc is a standard, well-known utility for escaping strings; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@babel/parser | AI (dependencies): @babel/parser is the official Babel parser from the same monorepo; a core and expected dependency for @babel/generator. | ai | |
Versions (showing 51 of 146)
| Version | Deps | Published |
|---|---|---|
| 7.29.1 | 5 / 5 | |
| 7.29.0 | 5 / 5 | |
| 7.28.6 | 5 / 5 | |
| 7.28.5 | 5 / 5 | |
| 7.28.3 | 5 / 5 | |
| 7.28.0 | 5 / 6 | |
| 7.27.5 | 5 / 6 | |
| 7.27.3 | 5 / 6 | |
| 7.27.1 | 5 / 6 | |
| 7.27.0 | 5 / 6 | |
| 7.26.10 | 5 / 6 | |
| 7.26.9 | 5 / 6 | |
| 7.26.8 | 5 / 6 | |
| 7.26.5 | 5 / 6 | |
| 7.26.3 | 5 / 6 | |
| 7.26.2 | 5 / 6 | |
| 7.26.0 | 5 / 6 | |
| 7.25.9 | 4 / 5 | |
| 7.25.7 | 4 / 5 | |
| 7.25.6 | 4 / 5 | |
| 7.25.5 | 4 / 5 | |
| 7.25.4 | 4 / 5 | |
| 7.25.0 | 4 / 5 | |
| 7.24.10 | 4 / 5 | |
| 7.24.9 | 4 / 5 | |
| 7.24.8 | 4 / 5 | |
| 7.24.7 | 4 / 5 | |
| 7.24.6 | 4 / 5 | |
| 7.24.5 | 4 / 5 | |
| 7.24.4 | 4 / 5 | |
| 7.24.1 | 4 / 5 | |
| 7.23.6 | 4 / 5 | |
| 7.23.5 | 4 / 5 | |
| 7.23.4 | 4 / 5 | |
| 7.23.3 | 4 / 5 | |
| 7.23.0 | 4 / 5 | |
| 7.22.15 | 4 / 5 | |
| 7.22.10 | 4 / 5 | |
| 7.22.9 | 4 / 5 | |
| 7.22.7 | 4 / 5 | |
| 7.22.5 | 4 / 4 | |
| 7.22.3 | 4 / 4 | |
| 7.22.0 | 4 / 4 | |
| 7.21.9 | 4 / 4 | |
| 7.21.5 | 4 / 4 | |
| 7.21.4 | 4 / 4 | |
| 7.21.3 | 4 / 4 | |
| 7.21.1 | 4 / 4 | |
| 7.21.0 | 4 / 4 | |
| 7.20.14 | 3 / 5 | |
| 7.20.7 | 3 / 5 | |
v7.29.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
v7.29.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-31. This could indicate a legitimate maintainer transition or an account compromise.
v7.28.6
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.
v7.28.5
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-23. This could indicate a legitimate maintainer transition or an account compromise.
v7.28.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-14. This could indicate a legitimate maintainer transition or an account compromise.
v7.28.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-02. This could indicate a legitimate maintainer transition or an account compromise.
v7.27.5
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-03. This could indicate a legitimate maintainer transition or an account compromise.
v7.27.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-05-27. This could indicate a legitimate maintainer transition or an account compromise.
v7.27.1
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-30. This could indicate a legitimate maintainer transition or an account compromise.
v7.27.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-24. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.10
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-11. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.9
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-02-14. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.8
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-02-08. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.26.3
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-12-04. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-30. This could indicate a legitimate maintainer transition or an account compromise.
v7.26.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.25.9
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-22. This could indicate a legitimate maintainer transition or an account compromise.
v7.25.7
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-10-02. This could indicate a legitimate maintainer transition or an account compromise.
v7.25.6
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-08-29. This could indicate a legitimate maintainer transition or an account compromise.
v7.25.5
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-08-23. This could indicate a legitimate maintainer transition or an account compromise.
v7.25.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.25.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-07-26. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.10
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-07-16. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.9
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-07-15. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.8
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.24.7
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.24.6
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.24.5
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.24.4
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-04-03. This could indicate a legitimate maintainer transition or an account compromise.
v7.24.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.6
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.5
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.4
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.23.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.15
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.10
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.9
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.7
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.5
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.22.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.9
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.5
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.4
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.21.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.14
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.20.7
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: nicolo-ribaudo.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.