jasmine-node
DOM-less simple JavaScript BDD testing framework for Node
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:lib/jasmine-node/jasmine/jasmine-2.0.0.js | AI (source-diff): File is the canonical Jasmine 2.0.0 framework source (MIT license, Pivotal Labs). The eval() is in Jasmine's Clock/spy infrastructure, not malicious dropper code. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): minimist is a well-known, widely-used CLI argument parser; its addition is consistent with v2.0.0 CLI refactoring. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): jasmine-node's autotest feature legitimately spawns child processes to re-run tests on file changes; stable expected behavior for this package. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): child_process.spawn in autotest.js is the documented mechanism for re-running tests; not malicious for this test runner package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Primary instance loads own package.json for version printing; other instances are CLI utility patterns. All paths are controlled/static within the package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval in spec-requirejs-coffee/requirejs-setup.js reads a hardcoded local template file path — not user-controlled input. Benign requirejs wrapper pattern for this test framework. | ai | |
Versions (showing 65 of 65)
| Version | Deps | Published |
|---|---|---|
| 3.0.0 | 8 / 0 | |
| 2.0.1 | 10 / 3 | |
| 2.0.0 | 7 / 3 | |
| 1.16.2 | 8 / 0 | |
| 1.16.1 | 8 / 0 | |
| 1.16.0 | 8 / 0 | |
| 1.15.0 | 8 / 0 | |
| 1.14.6 | 8 / 0 | |
| 1.14.5 | 8 / 0 | |
| 1.14.4 | 8 / 0 | |
| 1.14.3 | 8 / 0 | |
| 1.14.2 | 8 / 0 | |
| 1.14.1 | 8 / 0 | |
| 1.14.0 | 8 / 0 | |
| 1.13.1 | 8 / 0 | |
| 1.13.0 | 8 / 0 | |
| 1.12.1 | 8 / 0 | |
| 1.12.0 | 8 / 0 | |
| 1.11.0 | 8 / 0 | |
| 1.10.2 | 7 / 0 | |
| 1.10.1 | 7 / 0 | |
| 1.10.0 | 7 / 0 | |
| 1.9.1 | 7 / 0 | |
| 1.9.0 | 7 / 0 | |
| 1.8.1 | 7 / 0 | |
| 1.8.0 | 7 / 0 | |
| 1.7.1 | 7 / 0 | |
| 1.7.0 | 7 / 0 | |
| 1.6.0 | 6 / 0 | |
| 1.5.0 | 6 / 0 | |
| 1.4.0 | 6 / 0 | |
| 1.3.1 | 6 / 0 | |
| 1.3.0 | 6 / 0 | |
| 1.2.3 | 6 / 0 | |
| 1.2.2 | 6 / 0 | |
| 1.2.1 | 6 / 0 | |
| 1.2.0 | 6 / 0 | |
| 1.1.0 | 5 / 0 | |
| 1.0.28 | 5 / 0 | |
| 1.0.27 | 5 / 0 | |
| 1.0.26 | 5 / 0 | |
| 1.0.25 | 5 / 0 | |
| 1.0.24 | 5 / 0 | |
| 1.0.23 | 5 / 0 | |
| 1.0.22 | 5 / 0 | |
| 1.0.21 | 4 / 0 | |
| 1.0.20 | 4 / 0 | |
| 1.0.19 | 4 / 0 | |
| 1.0.18 | 3 / 0 | |
| 1.0.17 | 3 / 0 | |
| 1.0.16 | 3 / 0 | |
| 1.0.15 | 3 / 0 | |
| 1.0.13 | 3 / 0 | |
| 1.0.12 | 2 / 0 | |
| 1.0.11 | 2 / 0 | |
| 1.0.10 | 2 / 0 | |
| 1.0.9 | 2 / 0 | |
| 1.0.8 | 1 / 0 | |
| 1.0.7 | 1 / 0 | |
| 1.0.6 | 1 / 0 | |
| 1.0.5 | 1 / 0 | |
| 1.0.4 | 1 / 0 | |
| 1.0.3 | 1 / 0 | |
| 1.0.2 | 1 / 0 | |
| 1.0.1 | 1 / 0 | |
v3.0.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.