core-js-pure
Standard library
Versions: 7
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
zloirock
Keywords
ES3, ES5, ES6, ES7, ES2015, ES2016, ES2017, ES2018, ES2019, ES2020, ES2021, ES2022, ES2023, ES2024, ES2025, ES2026, ECMAScript 3, ECMAScript 5, ECMAScript 6, ECMAScript 7, ECMAScript 2015, ECMAScript 2016, ECMAScript 2017, ECMAScript 2018, ECMAScript 2019, ECMAScript 2020, ECMAScript 2021, ECMAScript 2022, ECMAScript 2023, ECMAScript 2024, ECMAScript 2025, ECMAScript 2026, Map, Set, WeakMap, WeakSet, TypedArray, Promise, Observable, Symbol, Iterator, AsyncIterator, URL, URLSearchParams, queueMicrotask, setImmediate, structuredClone, polyfill, ponyfill, shim
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): slowcheetah is a known co-maintainer of core-js with extensive approved history; publisher change from 2020 is legitimate. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): slowcheetah removal with zloirock remaining as primary maintainer is a legitimate housekeeping change, not a takeover signal. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): zloirock is the canonical core-js maintainer; collaborator additions are routine for this large OSS project and do not indicate compromise. | ai | |
| source-diff | large-new-source-files | AI (source-diff): core-js-pure ships hundreds of individual polyfill modules by design; large file counts are expected and not indicative of injected code. | ai | |
| provenance | no-provenance | AI (provenance): Established package predating Sigstore provenance; no provenance is expected and not a risk signal here. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): core-js-pure's postinstall is a well-documented, long-standing funding prompt that silently no-ops on error. Stable and benign for this package. | ai | |
| bogus-package | bogus-package | AI (bogus-package): core-js-pure is a canonical polyfill library; short README and no runtime deps are structural characteristics, not spam indicators. | ai | |
Versions (showing 7 of 7)
| Version | Deps | Published |
|---|---|---|
| 3.28.0 | 0 / 0 | |
| 3.25.4 | 0 / 0 | |
| 3.8.2 | 0 / 0 | |
| 3.4.1 | 0 / 0 | |
| 3.0.1 | 0 / 0 | |
| 3.0.0 | 0 / 0 | |
| 0.0.1 | 0 / 0 | |
v0.0.1: 1 finding
INFO: No provenance attestation (rule: provenance)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.