jest-date-mock @1.0.11
Maintainers
Keywords
Dev Dependencies (6)
| Package | Constraint | Registry Status |
|---|---|---|
| jest | ^24.9.0 | auto_approved |
| @babel/cli | ^7.7.7 | auto_approved |
| babel-jest | ^24.9.0 | auto_approved |
| @babel/core | ^7.7.7 | auto_approved |
| @babel/preset-env | ^7.7.7 | auto_approved |
| babel-plugin-version | ^0.2.2 | Not imported |
Changes from v1.0.10
No metadata changes detected.
File Changes
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
url-dep:@antv/setup |
npm-metadata | reject | AI | AI (npm-metadata): Illegitimate GitHub dep in a Date-mock library; matches known supply-chain attack pattern. |
SAST Findings (3)
Dependency '@antv/setup' in `optionalDependencies` points to 'github:antvis/G2#dc3d62a2181beb9f326952a2d212900c94f2e13d' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: atool.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 63. Findings: 2 high (+50), 1 medium (+10), 1 low (+3).
Published to npm: