it — Greenflagged

A testing framework for node

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aheuermanndamartindustinsmith1024

Keywords

testingtestasyncfunction testingbddunitunit testing

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	net-exec-file:examples/requirejs/scripts/require.js	AI (source-diff): This is RequireJS 2.0.6 (header comment confirms it), a well-known AMD loader included as part of a browser example. Not malicious.	ai	2026/04/24
source-diff	net-exec-file:it.js	AI (source-diff): it.js is a browserify bundle of the testing framework itself. The require() shim pattern is standard browserify output, not malware. Explained by grunt-browserify devDependency.	ai	2026/04/24
source-diff	net-exec-file:examples/requirejs/scripts/it.js	AI (source-diff): Same browserify bundle as it.js, placed in the requirejs example directory. Legitimate browser build artifact.	ai	2026/04/24
email-domain	unclaimed-email:pollenware.com	AI (email-domain): Package is 14+ years old with a well-established publisher. Domain lapse is a theoretical risk but no active exploitation indicators exist for this dormant testing framework.	ai	2026/04/24
typosquat	typosquat.levenshtein:got	AI (typosquat): Package 'it' is a 2-char testing framework; Levenshtein match against 'got' is a false positive for such short names.	ai	2026/04/24
typosquat	typosquat.levenshtein:pg	AI (typosquat): Package 'it' is a 2-char testing framework; Levenshtein match against 'pg' is a false positive for such short names.	ai	2026/04/24
typosquat	typosquat.levenshtein:qs	AI (typosquat): Package 'it' is a 2-char testing framework; Levenshtein match against 'qs' is a false positive for such short names.	ai	2026/04/24
typosquat	typosquat.levenshtein:vite	AI (typosquat): Package 'it' is a 2-char testing framework predating vite by many years; Levenshtein match is a false positive for such short names.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Publisher change occurred in 2016 (9+ years ago); aheuermann has a strong track record (65 approved packages). Historical transition, not an active takeover signal.	ai	2026/04/23
semgrep	semgrep:eval-usage	AI (semgrep): eval() is inside a bundled copy of RequireJS in the examples/ directory, not in the package's runtime code. Standard RequireJS behavior.	ai	2026/04/23
phantom-deps	phantom-dep:glob	AI (phantom-deps): glob is a legitimate declared dependency used by the CLI tooling; phantom-dep fires because it's not directly require()'d in source files.	ai	2026/04/23
phantom-deps	phantom-dep:grunt	AI (phantom-deps): grunt is a legitimate declared dependency used for build tasks; phantom-dep fires because it's not directly require()'d in source files.	ai	2026/04/23
phantom-deps	phantom-dep:commander	AI (phantom-deps): commander is a declared dependency used via CLI bin script; phantom-dep false positive for this package structure.	ai	2026/04/23
semgrep	semgrep:new-function-constructor	AI (semgrep): new Function() usage is in jQuery v1.7.2 documentation asset, a well-known library. Not a security concern in this context.	ai	2026/04/23
source-diff	source-size-tripled	AI (source-diff): Size increase is entirely due to documentation assets (Bootstrap CSS/JS, jQuery) added to docs/assets/. No runtime payload.	ai	2026/04/23
source-diff	net-exec-file:docs/assets/js/jquery.js	AI (source-diff): jQuery v1.7.2 documentation asset. Network/exec patterns are standard jQuery AJAX and eval-equivalent features, not malicious.	ai	2026/04/23
source-diff	obfuscated-file:docs/assets/js/jquery.js	AI (source-diff): File is jQuery v1.7.2, a well-known minified library added as a documentation asset. Not runtime code; minification is expected and benign.	ai	2026/04/23

Versions (showing 18 of 18)

Version	Deps	Published
1.1.1	12 / 5	2016-01-27
1.1.0	12 / 5	2015-12-31
1.0.1	12 / 5	2015-12-21
1.0.0	12 / 5	2015-12-15
0.2.7	12 / 3	2013-06-20
0.2.6	12 / 3	2013-04-17
0.2.4	12 / 3	2013-04-13
0.2.3	12 / 3	2013-04-04
0.2.2	11 / 1	2013-02-28
0.2.1	11 / 1	2013-01-22
0.2.0	11 / 1	2013-01-21
0.1.1	2 / 0	2013-01-16
0.1.0	2 / 0	2013-01-12
0.0.5	2 / 0	2012-09-10
0.0.4	2 / 0	2012-09-03
0.0.3	2 / 0	2012-07-13
0.0.2	2 / 0	2012-06-05
0.0.1	2 / 0	2012-03-13

v1.1.1

2 findings

HIGH Publisher changed: dustinsmith1024 → aheuermann (on 2016-01-27) provenance

This version was published by a different npm account than previous versions on 2016-01-27. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: aheuermann → dustinsmith1024 (on 2015-12-31) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-12-31. This could indicate a legitimate maintainer transition or an account compromise.

v1.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: damartin → aheuermann (on 2015-12-15) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2015-12-15. This could indicate a legitimate maintainer transition or an account compromise.

v0.2.7

2 findings

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.6

2 findings

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.4

2 findings

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.3

2 findings

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.2

2 findings

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

4 findings

HIGH New file with network + code execution: it.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: examples/requirejs/scripts/it.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH New file with network + code execution: examples/requirejs/scripts/require.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

2 findings

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.5

4 findings

HIGH New obfuscated file: docs/assets/js/jquery.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: docs/assets/js/jquery.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.4

2 findings

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.3

2 findings

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.2

2 findings

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1

2 findings

HIGH Unclaimed maintainer email domain: pollenware.com email-domain

Maintainer email '[email protected]' uses domain 'pollenware.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.