chai
BDD/TDD assertion library for node.js and the browser. Test framework agnostic.
Versions: 4
License: MIT
Install Scripts: No
Provenance: Verified
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
gitHead linked
Maintainers
chaijs
Keywords
test, assertion, assert, testing, chai
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Legitimate transition to GitHub Actions CI/CD publishing, confirmed by SLSA provenance attestation from the canonical chaijs/chai repo. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get() is used inside a Proxy getter trap for chai's chainable assertion syntax — a documented, legitimate pattern for this package across all versions. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): The added deps (assertion-error, check-error, deep-eql, loupe, pathval) are established chai ecosystem packages representing an intentional architectural split of chai's internals. | ai | |
| typosquat | typosquat.levenshtein:chalk | AI (typosquat): Chai is a massively popular, long-established assertion library predating this comparison. It is not a typosquat of chalk. | ai | |
| typosquat | typosquat.levenshtein:hapi | AI (typosquat): Chai is a massively popular, long-established assertion library. It is not a typosquat of hapi. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in chai is used to evaluate constrained operator strings in assertion logic, a documented internal pattern — not arbitrary external code execution. | ai | |