meteor-babel — Greenflagged

Babel wrapper package for use with Meteor

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

benjamnmdgfilipenevola

Keywords

meteorbabeles6es7transpilertranspilationcompilationtransformsyntaxast

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition from benjamn to mdg is the Meteor org account; legitimate org-level handoff.	ai	2026/05/17
maintainer-change	maintainer-added	AI (maintainer-change): filipenevola is a known Meteor contributor; addition consistent with org transition.	ai	2026/05/17
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy explained by org-level maintainer transition; not indicative of takeover.	ai	2026/05/17
publish-pattern	new-deps-added	AI (publish-pattern): typescript added as direct dep replacing @babel/plugin-transform-typescript; functionally equivalent swap.	ai	2026/05/17
semgrep	semgrep:dynamic-require	AI (semgrep): Cache file loading pattern in a Babel wrapper; not user-controlled arbitrary module loading.	ai	2026/05/17
phantom-deps	phantom-dep:@babel/traverse	AI (phantom-deps): Framework-scoped Babel package loaded by convention; stable false positive for this package.	ai	2026/05/17
phantom-deps	phantom-dep:lodash	AI (phantom-deps): lodash is a declared runtime dependency; phantom-dep heuristic false positive for this package.	ai	2026/05/17
phantom-deps	phantom-dep:@babel/types	AI (phantom-deps): Framework-scoped Babel package loaded by convention; stable false positive for this package.	ai	2026/05/17
phantom-deps	phantom-dep:@babel/parser	AI (phantom-deps): Framework-scoped Babel package loaded by convention; stable false positive for this package.	ai	2026/05/17

Versions (showing 2 of 2)

Version	Deps	Published
7.10.7	18 / 8	2021-03-18
7.2.0	19 / 7	2018-12-06

v7.10.7

2 findings

HIGH Publisher changed: benjamn → mdg (on 2021-03-18) provenance

This version was published by a different npm account than previous versions on 2021-03-18. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.2.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.