babel-jest — Greenflagged

Jest plugin to use babel for transformation.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramovsimenbrickhanloniiopenjs-operationscpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:babel-core	AI (dependencies): babel-core is the canonical Babel 6 core package; its use is expected and appropriate for a Babel-Jest integration package.	ai	2026/04/23
provenance	no-provenance	AI (provenance): babel-jest is a long-established, high-download package from the official Jest monorepo; lack of Sigstore provenance is not a meaningful risk signal here.	ai	2026/04/23
dependencies	unvetted-dep:@jest/transform	AI (dependencies): @jest/transform is a core Jest monorepo package, always a legitimate dependency of babel-jest.	ai	2026/04/23
dependencies	unvetted-dep:slash	AI (dependencies): slash is a well-known, widely used utility package; a stable legitimate dependency of babel-jest across versions.	ai	2026/04/23
dependencies	unvetted-dep:babel-preset-jest	AI (dependencies): babel-preset-jest is a core Jest monorepo package, always a legitimate dependency of babel-jest.	ai	2026/04/23
dependencies	unvetted-dep:@types/babel__core	AI (dependencies): @types/babel__core is a standard DefinitelyTyped package; legitimate type dependency for babel-jest.	ai	2026/04/23
dependencies	unvetted-dep:babel-plugin-istanbul	AI (dependencies): babel-plugin-istanbul is a well-established coverage instrumentation plugin; a stable legitimate dependency of babel-jest.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Removed maintainers reflect normal team evolution during Jest's OpenJS Foundation transition.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): rickhanlonii and openjs-operations reflect Jest's OpenJS Foundation governance; legitimate additions.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): cpojer is the original Jest creator and long-standing maintainer; publisher change from simenb is a legitimate team rotation.	ai	2026/04/23
phantom-deps	phantom-dep:@types/babel__core	AI (phantom-deps): @types/babel__core is intentionally listed as a runtime dep in the Jest monorepo to provide TypeScript types; this is a stable, known pattern for this package.	ai	2026/04/21

Versions (showing 51 of 159)

View all versions

Version	Deps	Published
30.4.1	7 / 4	2026-05-08
30.4.0	7 / 4	2026-05-07
30.2.0	7 / 4	2025-09-28
30.1.2	7 / 3	2025-09-01
30.1.1	7 / 3	2025-08-27
30.1.0	7 / 3	2025-08-27
30.0.5	7 / 3	2025-07-22
30.0.4	7 / 3	2025-07-02
30.0.2	7 / 3	2025-06-19
30.0.1	7 / 3	2025-06-18
30.0.0	7 / 3	2025-06-10
29.7.0	7 / 3	2023-09-12
29.6.4	7 / 3	2023-08-24
29.6.3	7 / 3	2023-08-21
29.6.2	7 / 3	2023-07-27
29.6.1	7 / 3	2023-07-06
29.6.0	7 / 3	2023-07-04
29.5.0	7 / 3	2023-03-06
29.4.3	7 / 3	2023-02-15
29.4.2	7 / 3	2023-02-07
29.4.1	7 / 3	2023-01-26
29.4.0	7 / 3	2023-01-24
29.3.1	7 / 3	2022-11-08
29.3.0	7 / 3	2022-11-07
29.2.2	7 / 3	2022-10-24
29.2.1	7 / 3	2022-10-18
29.2.0	7 / 3	2022-10-14
29.1.2	7 / 3	2022-09-30
29.1.0	7 / 3	2022-09-28
29.0.3	7 / 3	2022-09-10
29.0.2	7 / 3	2022-09-03
29.0.1	7 / 3	2022-08-26
29.0.0	7 / 3	2022-08-25
28.1.3	7 / 3	2022-07-13
28.1.2	7 / 3	2022-06-29
28.1.1	7 / 3	2022-06-07
28.1.0	7 / 3	2022-05-06
28.0.3	7 / 3	2022-04-29
28.0.2	7 / 3	2022-04-27
28.0.1	7 / 3	2022-04-26
28.0.0	7 / 3	2022-04-25
27.5.1	8 / 3	2022-02-08
27.5.0	8 / 3	2022-02-05
27.4.6	8 / 3	2022-01-04
27.4.5	8 / 3	2021-12-13
27.4.4	8 / 3	2021-12-10
27.4.2	8 / 3	2021-11-30
27.4.1	8 / 3	2021-11-30
27.4.0	8 / 3	2021-11-29
27.3.1	8 / 3	2021-10-19
27.3.0	8 / 3	2021-10-17

v30.4.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.4.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: cpojer → simenb (on 2026-05-07) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.