jest-changed-files — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramovsimenbrickhanloniiopenjs-operationscpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-added	AI (maintainer-change): Facebook/Jest team roster changes; all named maintainers are known Jest contributors.	ai	2026/05/30
publish-pattern	new-deps-added	AI (publish-pattern): `throat` is a well-established concurrency utility; legitimate addition for Jest's parallel execution needs.	ai	2026/05/30
maintainer-change	maintainer-removed	AI (maintainer-change): Routine team change within the Facebook/Jest org, not a hostile takeover signal.	ai	2026/05/30
source-diff	source-size-tripled	AI (source-diff): Size increase reflects new functionality/refactoring in this major version bump, not injected payload.	ai	2026/05/30
provenance	publisher-changed	AI (provenance): simenb is a known long-standing Jest maintainer; legitimate transition from cpojer.	ai	2026/05/26
semgrep	semgrep:child-process-spawn	AI (semgrep): Spawning 'git' and 'hg' processes is the explicit purpose of this package. No arbitrary or user-controlled command execution.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): jest-changed-files shells out to git/hg by design; child_process usage is core functionality, not malicious. Stable across all versions.	ai	2026/04/23
npm-metadata	no-description	AI (npm-metadata): Monorepo package; missing description is expected and not indicative of malice.	ai	2026/04/23
npm-metadata	suspicious-initial-version	AI (npm-metadata): jest-changed-files 0.0.0 is a name-reservation stub in the Jest monorepo published by the core Jest maintainer; 0.0.0 is an intentional placeholder pattern, not a malicious throwaway.	ai	2026/04/23
dependencies	unvetted-dep:execa	AI (dependencies): execa is a well-known, widely-used process execution library; its use is appropriate for a package that shells out to git/hg to detect changed files.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Signals reflect monorepo structure (no keywords, version matches Jest release), not spam indicators.	ai	2026/04/21

Versions (showing 26 of 26)

Version	Deps	Published
30.4.1	3 / 0	2026-05-08
30.4.0	3 / 0	2026-05-07
30.3.0	3 / 0	2026-03-10
30.2.0	3 / 0	2025-09-28
30.0.5	3 / 0	2025-07-22
30.0.2	3 / 0	2025-06-19
30.0.1	3 / 0	2025-06-18
30.0.0	3 / 0	2025-06-10
29.6.3	3 / 0	2023-08-21
29.5.0	2 / 0	2023-03-06
29.4.3	2 / 0	2023-02-15
29.4.2	2 / 0	2023-02-07
29.4.0	2 / 0	2023-01-24
29.2.0	2 / 0	2022-10-14
29.0.0	2 / 0	2022-08-25
21.2.0	1 / 0	2017-09-26
20.0.3	0 / 0	2017-05-17
20.0.2	0 / 0	2017-05-17
19.0.2	0 / 0	2017-02-23
15.0.0	0 / 1	2016-08-31
13.2.2	0 / 1	2016-07-07
13.2.1	0 / 1	2016-07-07
13.0.0	0 / 1	2016-06-22
12.1.0	0 / 1	2016-05-20
12.0.2	0 / 1	2016-05-17
0.0.0	0 / 0	2016-05-11

v30.4.1

2 findings

HIGH Publisher changed: cpojer → simenb (on 2026-05-08) provenance

This version was published by a different npm account than previous versions on 2026-05-08. This could indicate a legitimate maintainer transition or an account compromise.