istanbul
Yet another JS code coverage tool that computes statement, line, function and branch coverage with module loader hooks to transparently add coverage when running tests. Supports all JS coverage use cases including unit tests, server side functional tests
Versions: 8
License: BSD-3-Clause
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers: gotwarlost, davglass
Keywords: coverage, code coverage, JS code coverage, JS coverage
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): davglass (Dav Glass) is explicitly listed as a contributor in package.json; this is a legitimate maintainer transition, not a compromise. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): js-yaml and resolve are well-established, widely-trusted packages entirely consistent with istanbul's use case (config file parsing and module resolution). No malicious signal. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): davglass (Dav Glass) is a listed contributor in package.json and a known Yahoo/Salesforce engineer; legitimate addition. | ai | |
| source-diff | obfuscated-file:lib/assets/vendor/prettify.js | AI (source-diff): prettify.js is the well-known Google Code Prettify syntax highlighter, a standard minified vendor file used in istanbul's HTML coverage reports. | ai | |
| dependencies | unvetted-dep:fileset | AI (dependencies): fileset is a utility for glob-based file selection; pinned to 0.1.x and appropriate for istanbul's file instrumentation. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): [email protected] is a well-known templating engine; acceptable for a mature coverage tool from this era. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require of postLoadHookFile is an intentional, documented feature of istanbul's instrumentation hook system, not arbitrary code execution. | ai | |
| provenance | no-provenance | AI (provenance): Istanbul 0.4.5 is a mature package predating Sigstore provenance. No provenance is expected and not a risk signal here. | ai | |
Versions (showing 8 of 8)
| Version | Deps | Published |
|---|---|---|
| 0.4.2 | 14 / 6 | |
| 0.3.22 | 14 / 6 | |
| 0.3.8 | 14 / 6 | |
| 0.2.1 | 11 / 5 | |
| 0.1.46 | 11 / 5 | |
| 0.1.41 | 11 / 5 | |
| 0.1.15 | 10 / 4 | |
| 0.1.2 | 10 / 2 | |
v0.1.15: 1 finding
INFO: No provenance attestation (provenance)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.