blanket
seamless js code coverage
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:src/blanket_browser.js | AI (source-diff): blanket_browser.js is the browser adapter for the blanket coverage library; _loadFile loads user-configured adapters/loaders, not external malicious payloads. This is documented library behavior. | ai | |
| phantom-deps | phantom-dep:requirejs | AI (phantom-deps): requirejs is a legitimate runtime dependency used as a module loader, referenced in config rather than directly imported in source. | ai | |
| source-diff | obfuscated-file:test/vendor/coffee-script.js | AI (source-diff): File is the well-known CoffeeScript compiler v1.5.0 minified bundle, included as a test vendor dependency. Not malicious obfuscation. | ai | |
| source-diff | net-exec-file:test/vendor/coffee-script.js | AI (source-diff): CoffeeScript compiler uses eval() to run compiled code and has URL references in comments. Not a dropper/loader — this is standard compiler behavior in a test vendor file. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in blanket_browser.js executes a user-supplied callback string — expected behavior for a code coverage/instrumentation tool. Not a supply-chain risk. | ai | |
| source-diff | net-exec-file:test/usage/underscore.js | AI (source-diff): File is the canonical Underscore.js 1.4.3 library added as a test fixture. The detected patterns are standard Underscore internals, not malware. Stable false positive for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to load a user-configured loader (e.g. CoffeeScript). This is a documented extensibility feature of blanket, not a security risk. | ai | |
| source-diff | obfuscated-file:dist/mocha/blanket_mocha.js | AI (source-diff): blanket ships browser-targeted bundled dist files as part of its normal release artifacts; long lines are minification, not obfuscation. The bundle header confirms legitimate open-source content. | ai |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 1.2.3 | 6 / 16 | |
| 1.2.2 | 6 / 16 | |
| 1.2.1 | 6 / 16 | |
| 1.2.0 | 6 / 16 | |
| 1.1.10 | 6 / 16 | |
| 1.1.9 | 3 / 16 | |
| 1.1.8 | 3 / 16 | |
| 1.1.7 | 3 / 13 | |
| 1.1.6 | 3 / 6 | |
| 1.1.5 | 3 / 6 | |
| 1.1.4 | 4 / 5 | |
| 1.1.3 | 4 / 5 | |
| 1.1.2 | 4 / 5 | |
| 1.1.1 | 4 / 5 | |
| 1.1.0 | 4 / 4 | |
| 1.0.9 | 4 / 4 | |
| 1.0.8 | 3 / 4 | |
| 1.0.7 | 3 / 4 |
v1.2.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.6
2 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.5
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.4
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
2 findingsNewly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.8
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.7
3 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.