expect — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramovsimenbrickhanloniiopenjs-operationscpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall script is minimal and auditable; stable pattern for this assertion library package.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): child_process import in postinstall is used for build automation, not malicious code execution or data exfiltration.	ai	2026/04/23
source-diff	obfuscated-file:build-es5/index.js	AI (source-diff): build-es5/index.js is a legitimate UMD browser bundle (rollup/webpack output with core-js polyfills) explicitly referenced in package.json's 'browser' field. Not obfuscation.	ai	2026/04/23
phantom-deps	phantom-dep:jest-regex-util	AI (phantom-deps): jest-regex-util is explicitly declared in package.json dependencies and is a legitimate Jest monorepo sub-package; false positive for this package.	ai	2026/04/23
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function() in Jest's ES5 browser build is a standard callback coercion pattern in a testing library; input is controlled by the test author, not external parties.	ai	2026/04/23
source-diff	net-exec-file:umd/expect.min.js	AI (source-diff): Standard webpack UMD minified bundle produced by documented build scripts. The 'network calls' and 'dynamic code execution' are webpack's module system boilerplate, not malware. Identical pattern to already-accepted umd/expect.js.	ai	2026/04/23
source-diff	large-new-source-files	AI (source-diff): Package growth over time; 24 new files reflect normal refactoring, not injection.	ai	2026/04/23
source-diff	net-exec-file:umd/expect.js	AI (source-diff): File is webpack-bundled UMD output with standard module-loading boilerplate, not malware. Minified bundles inherently contain dynamic code patterns.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): New deps (is-regexp, deep-equal, object-inspect) are established utility packages.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): Historical transition in 2015; mjackson has maintained the package cleanly for nearly a decade.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are Facebook/Jest core team members (cpojer, dmitriiabramov, fb, etc.) — legitimate transfer.	ai	2026/04/23
source-diff	source-size-tripled	AI (source-diff): Size increase reflects legitimate package maturation and feature additions.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Original placeholder maintainer removed as part of legitimate Facebook/Jest namespace acquisition.	ai	2026/04/23
source-diff	net-exec-file:build-es5/index.js	AI (source-diff): Same UMD browser bundle; network/exec patterns are from bundled browser polyfills (core-js), not malicious dropper behavior.	ai	2026/04/23
maintainer-change	maintainer-takeover	AI (maintainer-change): Transition occurred in 2015 (9 years ago); mjackson is established publisher with strong track record.	ai	2026/04/23
npm-metadata	suspicious-initial-version	AI (npm-metadata): 0.0.0 is the legitimate initial release of a 14-year-old test library with 257 subsequent versions; not a malicious throwaway package.	ai	2026/04/23
dependencies	unvetted-dep:jest-util	AI (dependencies): jest-util is a sibling Jest monorepo package released in lockstep; its presence as a dependency of expect is expected and legitimate.	ai	2026/04/21
dependencies	unvetted-dep:jest-mock	AI (dependencies): jest-mock is a sibling Jest monorepo package released in lockstep; its presence as a dependency of expect is expected and legitimate.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): expect is a core Jest monorepo package with 257 versions and 5258 days of history; bogus-package signals are false positives for this well-known sub-package.	ai	2026/04/21
dependencies	unvetted-dep:jest-message-util	AI (dependencies): jest-message-util is a sibling Jest monorepo package released in lockstep; its presence as a dependency of expect is expected and legitimate.	ai	2026/04/21
npm-metadata	no-description	AI (npm-metadata): Missing description is typical of Jest monorepo sub-packages; not a malicious indicator for this established package.	ai	2026/04/21

Versions (showing 51 of 157)

View all versions

Version	Deps	Published
30.4.1	6 / 4	2026-05-08
30.4.0	6 / 4	2026-05-07
30.3.0	6 / 4	2026-03-10
30.2.0	6 / 4	2025-09-28
30.1.2	6 / 4	2025-09-01
30.1.1	6 / 4	2025-08-27
30.1.0	6 / 4	2025-08-27
30.0.5	6 / 4	2025-07-22
30.0.4	6 / 4	2025-07-02
30.0.3	6 / 4	2025-06-25
30.0.2	6 / 4	2025-06-19
30.0.1	6 / 4	2025-06-18
30.0.0	6 / 4	2025-06-10
29.7.0	5 / 6	2023-09-12
29.6.4	5 / 6	2023-08-24
29.6.3	5 / 6	2023-08-21
29.6.2	6 / 6	2023-07-27
29.6.1	6 / 6	2023-07-06
29.6.0	6 / 6	2023-07-04
29.5.0	5 / 6	2023-03-06
29.4.3	5 / 6	2023-02-15
29.4.2	5 / 6	2023-02-07
29.4.1	5 / 6	2023-01-26
29.4.0	5 / 6	2023-01-24
29.3.1	5 / 6	2022-11-08
29.3.0	5 / 6	2022-11-07
29.2.2	5 / 6	2022-10-24
29.2.1	5 / 6	2022-10-18
29.2.0	5 / 6	2022-10-14
29.1.2	5 / 6	2022-09-30
29.1.0	5 / 6	2022-09-28
29.0.3	5 / 6	2022-09-10
29.0.2	5 / 6	2022-09-03
29.0.1	5 / 6	2022-08-26
29.0.0	5 / 6	2022-08-25
28.1.3	5 / 6	2022-07-13
28.1.1	5 / 6	2022-06-07
28.1.0	5 / 6	2022-05-06
28.0.2	5 / 6	2022-04-27
28.0.1	5 / 6	2022-04-26
28.0.0	4 / 6	2022-04-25
27.5.1	4 / 6	2022-02-08
27.5.0	4 / 6	2022-02-05
27.4.6	4 / 4	2022-01-04
27.4.2	6 / 5	2021-11-30
27.4.1	6 / 5	2021-11-30
27.4.0	6 / 4	2021-11-29
27.3.1	6 / 4	2021-10-19
27.3.0	6 / 4	2021-10-17
27.2.5	6 / 4	2021-10-08
27.2.4	6 / 4	2021-09-29