enzyme
JavaScript Testing utilities for React
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are all established packages (lodash, uuid, object polyfills) appropriate for a React testing utility. | ai | |
| dependencies | unvetted-dep:mocha-jsdom | AI (dependencies): mocha-jsdom is listed as an optionalDependency used only in testing contexts; it is not a required runtime dep and poses minimal risk for this well-established Airbnb package. | ai | |
| dependencies | unvetted-dep:in-publish | AI (dependencies): in-publish is a standard build-time dependency used in config; appropriate for this package's context. | ai | |
| phantom-deps | phantom-dep:in-publish | AI (phantom-deps): in-publish is a phantom dep used in build config, not a direct import; normal pattern for build tooling. | ai | |
| dependencies | unvetted-dep:function.prototype.name | AI (dependencies): function.prototype.name is a well-known polyfill maintained by ljharb, the same publisher as enzyme. No security risk; stable false positive for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition to ljharb, a trusted long-standing publisher with strong track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): gdborton is a known Enzyme contributor; addition is consistent with the legitimate community maintainer transition of this package. | ai | |
| dependencies | unvetted-dep:object-is | AI (dependencies): object-is is a well-known ES6 polyfill maintained by ljharb with no malicious history. | ai | |
| dependencies | unvetted-dep:lodash.escape | AI (dependencies): lodash.escape is a well-known lodash utility with no malicious history. | ai | |
| dependencies | unvetted-dep:object.assign | AI (dependencies): object.assign is a well-known ES6 polyfill maintained by ljharb with no malicious history. | ai | |
| dependencies | unvetted-dep:object.values | AI (dependencies): object.values is a well-known ES6 polyfill maintained by ljharb with no malicious history. | ai | |
| dependencies | unvetted-dep:lodash.isequal | AI (dependencies): lodash.isequal is a well-known lodash utility with no malicious history. | ai | |
| dependencies | unvetted-dep:object.entries | AI (dependencies): object.entries is a well-known ES6 polyfill maintained by ljharb with no malicious history. | ai | |
| provenance | no-provenance | AI (provenance): Enzyme is a long-established package from a reputable publisher; lack of Sigstore provenance is not a meaningful risk signal here. | ai | |
| dependencies | unvetted-dep:is-number-object | AI (dependencies): is-number-object is a well-known utility maintained by ljharb with no malicious history. | ai | |
| dependencies | unvetted-dep:is-boolean-object | AI (dependencies): is-boolean-object is a well-known utility maintained by ljharb with no malicious history. | ai | |
| dependencies | unvetted-dep:rst-selector-parser | AI (dependencies): rst-selector-parser is a legitimate CSS selector parser used by enzyme with no malicious history. | ai | |
| dependencies | unvetted-dep:array.prototype.flat | AI (dependencies): array.prototype.flat is a well-known ES2019 polyfill maintained by ljharb with no malicious history. | ai | |
| dependencies | unvetted-dep:enzyme-shallow-equal | AI (dependencies): enzyme-shallow-equal is a legitimate companion package to enzyme with no malicious history. | ai | |
| dependencies | unvetted-dep:string.prototype.trim | AI (dependencies): string.prototype.trim is a well-known ES6 polyfill maintained by ljharb with no malicious history. | ai | |
| dependencies | unvetted-dep:html-element-map | AI (dependencies): html-element-map is a legitimate utility used by enzyme with no malicious history. | ai | |
| dependencies | unvetted-dep:has | AI (dependencies): has is a well-known, widely-used utility package with no malicious history. | ai | |
| dependencies | unvetted-dep:raf | AI (dependencies): raf is a well-known requestAnimationFrame polyfill with no malicious history. | ai | |
| dependencies | unvetted-dep:cheerio | AI (dependencies): cheerio is a widely-used HTML parsing library with no malicious history. | ai | |
| dependencies | unvetted-dep:is-regex | AI (dependencies): is-regex is a well-known utility maintained by ljharb with no malicious history. | ai | |
| dependencies | unvetted-dep:is-string | AI (dependencies): is-string is a well-known utility maintained by ljharb with no malicious history. | ai | |
| dependencies | unvetted-dep:is-subset | AI (dependencies): is-subset is a well-known utility with no malicious history. | ai | |
Versions (showing 42 of 42)
| Version | Deps | Published |
|---|---|---|
| 3.11.0 | 22 / 12 | |
| 3.10.0 | 21 / 12 | |
| 3.9.0 | 21 / 12 | |
| 3.8.0 | 19 / 12 | |
| 3.7.0 | 19 / 12 | |
| 3.6.0 | 19 / 12 | |
| 3.5.1 | 19 / 12 | |
| 3.5.0 | 18 / 12 | |
| 3.4.4 | 17 / 12 | |
| 3.4.3 | 17 / 12 | |
| 3.4.2 | 17 / 12 | |
| 3.4.1 | 17 / 12 | |
| 3.4.0 | 17 / 12 | |
| 3.3.0 | 16 / 10 | |
| 3.2.0 | 11 / 9 | |
| 3.1.1 | 10 / 9 | |
| 3.1.0 | 10 / 4 | |
| 3.0.0 | 10 / 4 | |
| 2.9.1 | 10 / 38 | |
| 2.9.0 | 10 / 37 | |
| 2.8.2 | 10 / 36 | |
| 2.8.1 | 10 / 36 | |
| 2.8.0 | 9 / 34 | |
| 2.7.1 | 9 / 34 | |
| 2.7.0 | 9 / 34 | |
| 2.6.0 | 10 / 33 | |
| 2.5.2 | 10 / 33 | |
| 2.5.1 | 6 / 32 | |
| 2.5.0 | 6 / 32 | |
| 2.4.2 | 10 / 24 | |
| 2.4.1 | 6 / 23 | |
| 2.4.0 | 6 / 23 | |
| 2.3.0 | 6 / 21 | |
| 2.2.0 | 5 / 21 | |
| 2.1.0 | 5 / 21 | |
| 2.0.0 | 5 / 21 | |
| 1.6.0 | 8 / 15 | |
| 1.4.1 | 7 / 15 | |
| 1.4.0 | 7 / 11 | |
| 1.3.1 | 6 / 11 | |
| 1.3.0 | 6 / 11 | |
| 1.1.0 | 5 / 11 | |
Per-version findings

v3.11.0: 1 finding [Accepted risk]. Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v2.6.0: 1 finding [Accepted risk]. Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v2.5.2: 1 finding [Accepted risk]. Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.

v1.6.0: 1 finding [Accepted risk]. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.1: 1 finding [Accepted risk]. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.4.0: 1 finding [Accepted risk]. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.1: 1 finding [Accepted risk]. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.3.0: 1 finding [Accepted risk]. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.1.0: 1 finding [Accepted risk]. Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.