← Home

@parcel/transformer-js

npm Repository Homepage
68
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

devongovett

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance no-provenance AI (provenance): Provenance attestation is optional; absence is not a security risk for established packages. ai
npm-metadata no-description AI (npm-metadata): Monorepo package; missing description is common and not a malware indicator here. ai
dependencies unvetted-dep:detect-libc AI (dependencies): detect-libc is a standard utility for detecting Linux libc variant; used here to select the correct platform-specific .node binary. Expected and benign for native Node.js packages. ai
npm-metadata bundled-binaries AI (npm-metadata): @parcel/transformer-js ships platform-specific NAPI/SWC native bindings as its core functionality; bundled .node files are expected and documented. ai
phantom-deps phantom-dep:regenerator-runtime AI (phantom-deps): regenerator-runtime is used by SWC-transformed output at runtime, not directly imported in source. Standard pattern for SWC-based transformers. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require in native.js is the standard NAPI multi-platform binary loader pattern, constructing a filename from platform/arch to load the correct .node file. ai
phantom-deps phantom-dep:@swc/helpers AI (phantom-deps): @swc/helpers is a runtime dependency injected by the SWC compiler into transformed output, not directly imported in JS source. This is expected behavior. ai

Versions (showing 68 of 68)

Hide prereleases
Version Deps Published
2.16.4 11 / 0
2.16.3 11 / 0
2.16.2 11 / 0
2.16.1 11 / 0
2.16.0 11 / 0
2.15.4 11 / 0
2.15.3 11 / 0
2.15.2 11 / 0
2.15.1 11 / 0
2.15.0 11 / 0
2.14.4 11 / 0
2.14.3 11 / 0
2.14.2 11 / 0
2.14.1 11 / 0
2.14.0 11 / 0
2.13.3 11 / 0
2.13.2 11 / 0
2.13.1 11 / 0
2.13.0 11 / 0
2.12.0 11 / 0
2.11.0 11 / 0
2.10.3 11 / 1
2.10.2 11 / 1
2.10.1 11 / 1
2.10.0 11 / 1
2.9.3 10 / 1
2.9.2 10 / 1
2.9.1 10 / 1
2.9.0 10 / 1
2.8.3 11 / 1
2.8.2 11 / 1
2.8.1 11 / 1
2.8.0 11 / 1
2.7.0 11 / 1
2.6.2 11 / 1
2.6.1 11 / 1
2.6.0 11 / 1
2.5.0 11 / 1
2.4.1 11 / 1
2.4.0 11 / 1
2.3.2 11 / 1
2.3.1 11 / 1
2.3.0 11 / 1
2.2.1 12 / 1
2.2.0 12 / 1
2.1.1 12 / 1
2.1.0 12 / 1
2.0.1 11 / 1
2.0.0 11 / 1
2.0.0-canary.1875 11 / 0
2.0.0-canary.1873 11 / 0
2.0.0-canary.1866 11 / 0
2.0.0-canary.1864 11 / 0
2.0.0-canary.1863 11 / 0
2.0.0-canary.1861 11 / 0
2.0.0-canary.1860 11 / 0
2.0.0-canary.1853 11 / 0
2.0.0-canary.1850 11 / 0
2.0.0-canary.1849 11 / 0
2.0.0-canary.1842 11 / 0
2.0.0-canary.1837 11 / 0
2.0.0-canary.1835 11 / 0
2.0.0-canary.1833 11 / 0
2.0.0-canary.1832 11 / 0
2.0.0-canary.1826 11 / 0
2.0.0-canary.1820 11 / 0
2.0.0-canary.1819 11 / 0
2.0.0-canary.1818 11 / 0

v2.16.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.16.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.15.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.14.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.13.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.13.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.13.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.13.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.8.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.5.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.2.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.1.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.