
jest-canvas-mock @2.5.3

Status: rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 60
License: MIT
Install Scripts: Yes
Dependencies: 2
Dev Dependencies: 13
Package Size: 22.1 KB
Published

Mock a canvas in your jest tests.

Maintainers

jtenner, atool

Keywords

mock, jest, jest-mock, echarts, canvas, test, unit

Dependencies (2)

Package | Constraint | Registry Status
moo-color | ^1.0.2 | auto_approved
cssfontparser | ^1.2.1 | auto_approved

Dev Dependencies (13)

Package | Constraint | Registry Status
jest | ^25.3.0 | auto_approved
husky | ^4.2.5 | auto_approved
prettier | ^2.0.4 | auto_approved
coveralls | ^3.0.11 | auto_approved
@babel/cli | ^7.8.4 | auto_approved
babel-jest | ^25.3.0 | auto_approved
@babel/core | ^7.9.0 | auto_approved
@antv/g2plot | ^2.3.11 | auto_approved
@commitlint/cli | ^8.3.5 | No greenflagged match
@babel/preset-env | ^7.9.5 | auto_approved
babel-plugin-version | ^0.2.3 | Not imported
@commitlint/config-angular | ^8.3.4 | No greenflagged match
@babel/plugin-proposal-class-properties | ^7.8.3 | auto_approved

Transitive Dependency Tree

3 transitive deps, max depth 2
├─ cssfontparser ^1.2.1 → 1.2.1
└─ moo-color ^1.0.2 → 1.0.3
   └─ color-name ^1.1.4 → 1.1.4

Changes from v2.5.2

No metadata changes detected.

File Changes

0 added, 0 removed, 1 modified; size delta: +0.1 KB

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule | Source | Disposition | Author | Reason
url-dep:@antv/setup | npm-metadata | reject | AI | AI (npm-metadata): Unrelated GitHub URL dep in optionalDependencies; classic supply-chain attack pattern.

SAST Findings (3)

HIGH: SHA-pinned GitHub dependency (optionalDependencies): @antv/setup (source: npm-metadata)

Dependency '@antv/setup' in `optionalDependencies` points to 'github:antvis/G2#1916faa365f2788b6e193514872d51a242876569' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.

HIGH: Missing gitHead — previous versions had it (source: provenance)

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atool.

INFO: No provenance attestation (source: provenance)

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 60. Findings: 2 high (+50), 1 medium (+10), 1 info (+0).

Published to npm: