@jest/reporters
Jest's reporters
1
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
aaronabramovsimenbrickhanloniiopenjs-operationscpojer
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Major version release gap for a large monorepo project; consistent with Jest's release cadence. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is not yet standard for Jest monorepo packages; absence is not a security concern for this established project. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are established packages (istanbul, v8-coverage) needed for coverage reporting; consistent with Jest's evolution. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition within Jest monorepo; simenb is established maintainer with strong track record. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Expected for Jest monorepo release; new source files are part of normal package development, not injected code. | ai | |
| phantom-deps | phantom-dep:source-map | AI (phantom-deps): source-map is used in config and indirectly through dependencies; phantom-dep finding is expected for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removals are normal for active projects; combined with additions, reflects team evolution not takeover. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions are documented Jest project contributors; legitimate team expansion. | ai | |
| dependencies | unvetted-dep:v8-to-istanbul | AI (dependencies): v8-to-istanbul is a standard V8 coverage tooling package; expected dependency for Jest reporters across all versions. | ai | |
| phantom-deps | phantom-dep:@jridgewell/trace-mapping | AI (phantom-deps): Referenced in config files; expected phantom dep for source map handling. | ai | |
| dependencies | unvetted-dep:istanbul-reports | AI (dependencies): istanbul-reports is a standard Istanbul coverage package; expected dependency for Jest reporters across all versions. | ai | |
| dependencies | unvetted-dep:@bcoe/v8-coverage | AI (dependencies): @bcoe/v8-coverage is a standard V8 coverage utility; expected dependency for Jest reporters across all versions. | ai | |
| dependencies | unvetted-dep:istanbul-lib-report | AI (dependencies): istanbul-lib-report is a standard Istanbul coverage package; expected dependency for Jest reporters across all versions. | ai | |
| dependencies | unvetted-dep:istanbul-lib-coverage | AI (dependencies): istanbul-lib-coverage is a standard Istanbul coverage package; expected dependency for Jest reporters across all versions. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Framework-scoped type definitions loaded by convention; expected in Jest packages. | ai | |
| phantom-deps | phantom-dep:collect-v8-coverage | AI (phantom-deps): Referenced in config files; expected phantom dep for coverage instrumentation. | ai | |
| dependencies | unvetted-dep:istanbul-lib-source-maps | AI (dependencies): istanbul-lib-source-maps is a standard coverage library; stable dependency for Jest's reporters package. | ai |
Versions (showing 1 of 101)
| Version | Deps | Published |
|---|---|---|
| 24.3.0 | 20 / 7 |
v24.3.0
1 finding
INFO
No provenance attestation
provenance
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.