istanbul-instrumenter-loader

Istanbul instrumenter loader for webpack

Versions: 11
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bebraw, d3viant0ne, deepsweet

Keywords

webpack, loader, istanbul, coverage

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| email-domain | unclaimed-email:soulshine.in | AI (email-domain): Maintainer's email domain has been this way since package inception; publisher deepsweet is long-established with consistent history. Low practical risk of domain takeover exploitation. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate transfer to webpack-contrib org; d3viant0ne is established webpack-contrib maintainer with strong track record. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): d3viant0ne and bebraw are known webpack-contrib maintainers; transfer to webpack-contrib org is well-documented. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): schema-utils is the standard webpack-contrib options validation package; expected dependency for webpack loaders. | ai | |
| provenance | no-provenance | AI (provenance): Published in 2017, before Sigstore provenance existed; not applicable. | ai | |

Versions (showing 11 of 11)

Version Deps Published
3.0.1 4 / 19
3.0.0 4 / 19
2.0.0 4 / 0
1.2.0 4 / 0
1.1.0 3 / 0
1.0.0 3 / 0
0.2.0 3 / 0
0.1.3 1 / 2
0.1.2 0 / 2
0.1.1 0 / 2
0.1.0 0 / 2

v3.0.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

2 findings
HIGH: Publisher changed: deepsweet → d3viant0ne (on 2017-07-26) [provenance]

This version was published by a different npm account than previous versions on 2017-07-26. This could indicate a legitimate maintainer transition or an account compromise.

LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

2 findings
HIGH: Unclaimed maintainer email domain: soulshine.in [email-domain]

Maintainer email '[email protected]' uses domain 'soulshine.in' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

INFO: No provenance attestation [provenance]

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.