
@jest/environment-jsdom-abstract

Versions: 12
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramov, simenb, rickhanlonii, openjs-operations, cpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): simenb is a known Jest core maintainer; cpojer→simenb is a legitimate team handoff. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Jest publishes in batches with gaps between major releases; dormancy is normal. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Inflated semver is a false positive for Jest monorepo packages; version matches the Jest release cycle. No description/keywords are cosmetic issues in monorepo packages. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types/node is a standard TypeScript type dependency in Jest packages; loaded by convention, not a phantom dep concern. | ai | |
| phantom-deps | phantom-dep:@types/jsdom | AI (phantom-deps): @types/jsdom is a standard TypeScript type dependency for jsdom environments; loaded by convention. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Missing description is a cosmetic issue common in Jest monorepo packages; not a malware indicator for this publisher. | ai | |

Versions (showing 12 of 12)

Version Deps Published
30.4.1 7 / 2
30.4.0 7 / 2
30.3.0 7 / 2
30.2.0 7 / 2
30.1.2 7 / 1
30.1.1 7 / 1
30.1.0 7 / 1
30.0.5 7 / 1
30.0.4 7 / 1
30.0.2 7 / 1
30.0.1 7 / 1
30.0.0 7 / 1

v30.4.1

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.4.0

2 findings
HIGH: Publisher changed: cpojer → simenb (on 2026-05-07) (provenance)

This version was published on 2026-05-07 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.

LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.2.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.1.2

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.1.1

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.1.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.0.5

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.0.4

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.0.2

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.0.1

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.0.0

1 finding
LOW: No provenance attestation (provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.