jasmine-reporters
Reporters for the Jasmine BDD Framework
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:ext/env.rhino.1.2.js | AI (source-diff): ext/env.rhino.1.2.js is the well-known Envjs browser environment emulator (by John Resig, MIT licensed), bundled for Rhino-based test execution. Long lines are inherent to its minified distribution format, not obfuscation. | ai | |
| source-diff | net-exec-file:ext/env.rhino.1.2.js | AI (source-diff): Envjs is a browser environment emulator that must simulate network (XHR) and dynamic code execution by design. This is expected behavior for this legitimate library, not dropper/loader malware. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is fully explained by bundling of Rhino JAR, Envjs, and Jasmine — standard test-runner dependencies for headless Jasmine/Rhino execution. No injected payload. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): xmldom addition is justified by XML report generation functionality in this major version bump; not a suspicious injection. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Diff is against v1.1.0 (major version gap); size reduction reflects legitimate v2.x restructuring, not a stub/redirect. | ai | |
| dependencies | unvetted-dep:xmldom | AI (dependencies): xmldom is a legitimate XML DOM library; jasmine-reporters uses it to generate JUnit XML output, making it a natural and expected runtime dependency. | ai | |
| source-diff | net-exec-file:lib/jasmine-2.0.0/jasmine.js | AI (source-diff): This is the bundled Jasmine 2.0.0 core library (MIT, Pivotal Labs). Network/exec pattern is Jasmine's module loading + timer eval — not malware. Stable false positive for this package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in jasmine.js is Jasmine core's intentional string-function execution for timer/clock mocking, acknowledged with jshint comments. Not a supply-chain risk. | ai | |
| provenance | no-provenance | AI (provenance): Established package predating Sigstore provenance workflows; no CI/CD provenance is expected for this project's release process. | ai | |
Versions (showing 28 of 28)
| Version | Deps | Published |
|---|---|---|
| 2.5.2 | 2 / 2 | |
| 2.5.1 | 2 / 2 | |
| 2.5.0 | 2 / 2 | |
| 2.3.2 | 2 / 2 | |
| 2.3.0 | 2 / 2 | |
| 2.2.1 | 2 / 1 | |
| 2.2.0 | 3 / 0 | |
| 2.1.1 | 1 / 0 | |
| 2.1.0 | 1 / 0 | |
| 2.0.8 | 1 / 0 | |
| 2.0.7 | 1 / 0 | |
| 2.0.6 | 1 / 0 | |
| 2.0.5 | 1 / 0 | |
| 2.0.4 | 1 / 0 | |
| 2.0.3 | 1 / 0 | |
| 2.0.2 | 1 / 0 | |
| 2.0.1 | 1 / 0 | |
| 2.0.0 | 1 / 0 | |
| 1.0.2 | 1 / 0 | |
| 1.0.1 | 1 / 0 | |
| 1.0.0 | 0 / 0 | |
| 0.4.1 | 0 / 0 | |
| 0.4.0 | 0 / 0 | |
| 0.3.2 | 0 / 0 | |
| 0.3.0 | 0 / 0 | |
| 0.2.1 | 0 / 0 | |
| 0.2.0 | 0 / 0 | |
| 0.1.0 | 0 / 0 | |
v2.5.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.7
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.6
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.4
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
2 findings: Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
3 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.