jest-cli
Delightful JavaScript Testing.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): jest-cli v23 was a major refactor release; missing gitHead is consistent with a changed CI/CD publish environment for this well-established Facebook/Jest package, not a malicious indicator. | ai | |
| phantom-deps | phantom-dep:jest-jasmine1 | AI (phantom-deps): jest-jasmine1 is a legitimate test runner plugin referenced in Jest config; phantom-dep pattern is expected for pluggable test environments. | ai | |
| dependencies | unvetted-dep:node-haste | AI (dependencies): node-haste is a module resolution library; appropriate dependency for jest's module loading. | ai | |
| dependencies | unvetted-dep:jasmine-only | AI (dependencies): jasmine-only is a jasmine extension; appropriate for jest test framework. | ai | |
| dependencies | unvetted-dep:jasmine-pit | AI (dependencies): jasmine-pit extends jasmine test framework; legitimate jest dependency. | ai | |
| dependencies | unvetted-dep:node-worker-pool | AI (dependencies): node-worker-pool enables parallel test execution; appropriate for jest. | ai | |
| dependencies | unvetted-dep:node-find-files | AI (dependencies): node-find-files is a utility for test discovery; legitimate jest dependency. | ai | |
| dependencies | unvetted-dep:harmonize | AI (dependencies): harmonize is a standard utility for jest; stable dependency. | ai | |
| dependencies | unvetted-dep:cover | AI (dependencies): Cover is a legitimate coverage tool dependency for jest-cli; stable for this package. | ai | |
| phantom-deps | phantom-dep:strip-ansi | AI (phantom-deps): strip-ansi is a declared dependency used indirectly by CLI tools; phantom-dep is expected for CLI packages. | ai | |
| phantom-deps | phantom-dep:diff | AI (phantom-deps): diff is a declared dependency used indirectly via Jest's diff output utilities. Not a security concern. | ai | |
| phantom-deps | phantom-dep:jest-environment-node | AI (phantom-deps): jest-environment-node is a pluggable Jest environment referenced via config, not direct import. This is the intended Jest architecture. | ai | |
| dependencies | unvetted-dep:jest-jasmine1 | AI (dependencies): jest-jasmine1 is a first-party Jest sub-package published by the same Facebook team; unvetted status is an artifact of review order, not a risk signal. | ai | |
| install-scripts | install-script:postinstall | AI (install-scripts): jest-cli's postinstall runs 'node postinstall.js' — a transparent Node script from a trusted Facebook/Meta publisher. This is a stable pattern for this package. | ai | |
| dependencies | unvetted-dep:jest-jasmine2 | AI (dependencies): jest-jasmine2 is a core Jest monorepo sub-package, always co-released with jest-cli at matching versions. Not a third-party risk. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Legitimate handoff to Facebook-backed Jest team; cpojer is highly trusted (6026 approved packages). | ai | |
| source-diff | source-size-tripled | AI (source-diff): 3.4x source size increase is consistent with Jest's feature additions and dependency expansion in this release. | ai | |
| dependencies | unvetted-dep:ansi-escapes | AI (dependencies): ansi-escapes is a well-known sindresorhus utility for terminal escape codes; no security concern for this package. | ai | |
| dependencies | unvetted-dep:istanbul-lib-source-maps | AI (dependencies): istanbul-lib-source-maps is part of the established Istanbul coverage toolchain; no security concern for this package. | ai | |
| phantom-deps | phantom-dep:which | AI (phantom-deps): which is a declared dependency used indirectly; phantom-dep is expected for CLI packages. | ai | |
| phantom-deps | phantom-dep:jest-get-type | AI (phantom-deps): jest-get-type is a declared internal Jest dependency; phantom-dep is expected for monorepo-style packages. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 49 new files reflect Jest v21's modularization; consistent with major version rewrite, not code injection. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Legitimate maintainer transition in established Jest project; old maintainers naturally removed as new team took over. | ai | |
| phantom-deps | phantom-dep:jest-environment-jsdom | AI (phantom-deps): jest-environment-jsdom is a pluggable test environment referenced in Jest config; phantom-dep pattern is expected. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): 29 new deps are internal Jest modules (jest-config, jest-runner, etc.) reflecting v21 architecture; no suspicious external additions. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are part of Jest's official team transition; cpojer's track record confirms legitimacy. | ai | |
| source-diff | source-size-dropped | AI (source-diff): jest-cli is a thin CLI wrapper in Jest monorepo; size drop reflects expected structure where logic moved to @jest/core. | ai | |
| phantom-deps | phantom-dep:json-stable-stringify | AI (phantom-deps): json-stable-stringify is used internally by Jest's snapshot system; phantom-dep pattern is expected for transitive utilities. | ai | |
| phantom-deps | phantom-dep:jest-mock | AI (phantom-deps): jest-mock is a core Jest utility referenced in config; phantom-dep pattern is expected for Jest's modular architecture. | ai | |
| phantom-deps | phantom-dep:jest-jasmine2 | AI (phantom-deps): jest-jasmine2 is a legitimate test runner plugin referenced in Jest config; phantom-dep pattern is expected for pluggable test environments. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change (cpojer → simenb) aligns with legitimate Jest maintainer transition in May 2020. | ai | |
| phantom-deps | phantom-dep:jest-resolve | AI (phantom-deps): jest-resolve is loaded dynamically via Jest's plugin/config system; phantom detection is a false positive for this architecture. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): child_process.spawn() is used for git operations and test isolation; expected for test runner. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to load package.json version; benign utility pattern. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is in test mocks (__tests__ directory), not production code; expected for test utilities. | ai | |
| license | uncommon-license:BSD | AI (license): BSD is a well-known permissive license used by Facebook/Meta open source projects. Not a risk for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Child process import is necessary for jest to spawn test runners; legitimate use. | ai | |
| phantom-deps | phantom-dep:@jest/types | AI (phantom-deps): Framework-scoped package loaded by convention in Jest monorepo; expected pattern. | ai | |
| dependencies | unvetted-dep:prompts | AI (dependencies): prompts is an established interactive CLI library; appropriate for jest-cli's interactive mode. | ai | |
| provenance | no-provenance | AI (provenance): [email protected] predates widespread npm provenance adoption; absence is expected for this era of releases from this publisher. | ai | |
| phantom-deps | phantom-dep:@jest/test-result | AI (phantom-deps): Framework-scoped package loaded by convention in Jest monorepo; expected pattern. | ai | |
Versions (showing 51 of 248)
| Version | Deps | Published |
|---|---|---|
| 30.4.2 | 10 / 1 | |
| 30.4.1 | 10 / 1 | |
| 30.4.0 | 10 / 1 | |
| 30.3.0 | 10 / 1 | |
| 30.2.0 | 10 / 1 | |
| 30.1.3 | 10 / 1 | |
| 30.1.2 | 10 / 1 | |
| 30.1.1 | 10 / 1 | |
| 30.1.0 | 10 / 1 | |
| 30.0.5 | 10 / 1 | |
| 30.0.4 | 10 / 1 | |
| 30.0.3 | 10 / 1 | |
| 30.0.2 | 10 / 1 | |
| 30.0.1 | 10 / 1 | |
| 30.0.0 | 10 / 1 | |
| 29.7.0 | 11 / 4 | |
| 29.6.4 | 12 / 6 | |
| 29.6.3 | 12 / 6 | |
| 29.6.2 | 12 / 6 | |
| 29.6.1 | 12 / 6 | |
| 29.6.0 | 12 / 6 | |
| 29.5.0 | 12 / 5 | |
| 29.4.3 | 12 / 4 | |
| 29.4.2 | 12 / 4 | |
| 29.4.1 | 12 / 4 | |
| 29.4.0 | 12 / 4 | |
| 29.3.1 | 12 / 4 | |
| 29.3.0 | 12 / 4 | |
| 29.2.2 | 12 / 4 | |
| 29.2.1 | 12 / 4 | |
| 29.2.0 | 12 / 4 | |
| 29.1.2 | 12 / 4 | |
| 29.1.1 | 12 / 4 | |
| 29.1.0 | 12 / 4 | |
| 29.0.3 | 12 / 4 | |
| 29.0.2 | 12 / 4 | |
| 29.0.1 | 12 / 4 | |
| 29.0.0 | 12 / 4 | |
| 28.1.3 | 12 / 4 | |
| 28.1.2 | 12 / 4 | |
| 28.1.1 | 12 / 4 | |
| 28.1.0 | 12 / 4 | |
| 28.0.3 | 12 / 4 | |
| 28.0.2 | 12 / 4 | |
| 28.0.1 | 12 / 4 | |
| 28.0.0 | 12 / 4 | |
| 27.5.1 | 12 / 4 | |
| 27.5.0 | 12 / 4 | |
| 27.4.7 | 12 / 4 | |
| 27.4.6 | 12 / 4 | |
| 27.4.5 | 12 / 5 | |
v30.4.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.4.0
2 findings: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.
v30.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.1.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.1.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v30.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v29.7.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.6.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.6.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.6.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.6.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.6.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.4.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.4.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.4.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.4.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.3.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.3.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.1.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.0
3 findings: All previous maintainers (jeffmo) were replaced by new maintainers (scotthovestadt, rubennorte, simenb, fb, aaronabramov, davidzilburg). This is a strong signal of a potential package hijack and requires careful review.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-25. This could indicate a legitimate maintainer transition or an account compromise.
v27.5.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v27.5.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v27.4.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v27.4.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v27.4.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.