@datadog/datadog-ci-plugin-coverage Apache-2.0 20 versions

@datadog/datadog-ci-plugin-coverage

npm Repository Homepage

Datadog CI plugin for `coverage` commands

20

Versions

Apache-2.0

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

datadog

Keywords

datadogdatadog-ciplugin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:dist/bundle.js	AI (source-diff): Official Datadog CI package; bundle.js is a rolldown-bundled artifact, not a dropper. SLSA provenance confirms CI/CD origin.	ai	2026/05/11
source-diff	source-size-tripled	AI (source-diff): Size increase explained by bundling previously-external deps (chalk, fast-xml-parser, form-data, upath) into dist/bundle.js.	ai	2026/05/11
source-diff	encoded-string-file:dist/bundle.js	AI (source-diff): Encoded string is the llhttp WASM binary in undici — a standard bundled dependency, not obfuscated malware.	ai	2026/05/08
provenance	publisher-changed	AI (provenance): DataDog migrated publishing to GitHub Actions CI with SLSA attestation; stable pattern for this org's packages.	ai	2026/05/04
provenance	slsa-provenance	AI (provenance): SLSA provenance attestation present; strong supply chain integrity signal for this package.	ai	2026/05/04
phantom-deps	phantom-dep:simple-git	AI (phantom-deps): simple-git is a declared runtime dep; phantom-dep heuristic false positive for this package.	ai	2026/05/04

Versions (showing 20 of 20)

Version	Deps	Published
5.17.0	0 / 6	2026-05-19
5.16.1	0 / 6	2026-05-06
5.16.0	0 / 6	2026-05-01
5.15.0	0 / 6	2026-04-27
5.14.0	0 / 6	2026-04-24
5.13.1	0 / 6	2026-04-15
5.13.0	0 / 6	2026-04-13
5.12.1	4 / 2	2026-04-07
5.12.0	4 / 2	2026-04-06
5.11.0	4 / 2	2026-03-31
5.10.0	4 / 2	2026-03-25
5.9.1	6 / 0	2026-03-12
5.9.0	6 / 0	2026-03-03
5.8.0	6 / 0	2026-02-17
5.7.0	6 / 0	2026-02-10
5.6.0	6 / 0	2026-02-03
5.5.0	6 / 0	2026-01-30
5.4.0	6 / 0	2026-01-21
5.3.0	6 / 0	2026-01-19
0.0.1	0 / 0	2026-01-19

v5.17.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.16.1

2 findings

HIGH Long encoded string in modified file: dist/bundle.js source-diff

Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.16.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.15.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.14.0

2 findings

HIGH New file with network + code execution: dist/bundle.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.13.1

2 findings

HIGH New file with network + code execution: dist/bundle.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.13.0

2 findings

HIGH New file with network + code execution: dist/bundle.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.12.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.12.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.11.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.10.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-03-25) provenance

This version was published by a different npm account than previous versions on 2026-03-25. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.9.1

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-03-12) provenance

This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.9.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-03-03) provenance

This version was published by a different npm account than previous versions on 2026-03-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.8.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-02-17) provenance

This version was published by a different npm account than previous versions on 2026-02-17. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.7.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-02-10) provenance

This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.6.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-02-03) provenance

This version was published by a different npm account than previous versions on 2026-02-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.5.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-01-30) provenance

This version was published by a different npm account than previous versions on 2026-01-30. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.4.0

2 findings

HIGH Publisher changed: datadog → GitHub Actions (on 2026-01-21) provenance

This version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.