jest-environment-jsdom — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramovsimenbrickhanloniiopenjs-operationscpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	no-description	AI (npm-metadata): jest-environment-jsdom is a well-known Jest monorepo sub-package; missing description is a cosmetic issue, not a malware indicator.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): jest-mock is a core Jest monorepo package from the same publisher (cpojer/facebook); adding internal Jest dependencies is expected and benign for this package.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Publisher change from cpojer to mjesun reflects a documented Jest team transition in 2017; mjesun is a known Jest core contributor with strong track record.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (mjesun, aaronabramov, jeanlauliac) are recognized Jest ecosystem contributors; addition is consistent with legitimate team expansion.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of dmitriiabramov is consistent with the same 2017 Jest team transition; no evidence of malicious takeover.	ai	2026/04/22
phantom-deps	phantom-dep:@types/jsdom	AI (phantom-deps): @types/jsdom is framework-scoped and loaded by convention in Jest packages; not a real dependency issue.	ai	2026/04/22
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): @types/node is framework-scoped and loaded by convention in Jest packages; not a real dependency issue.	ai	2026/04/22
bogus-package	bogus-package	AI (bogus-package): jest-environment-jsdom is an official Jest monorepo package; inflated semver matches Jest's release train, and missing description/keywords are cosmetic gaps common in monorepo packages.	ai	2026/04/21

Versions (showing 57 of 157)

Version	Deps	Published
23.0.0	3 / 0	2018-05-24
22.4.3	3 / 0	2018-03-21
22.4.1	3 / 0	2018-02-22
22.4.0	3 / 0	2018-02-20
22.3.0	3 / 0	2018-02-13
22.2.2	3 / 0	2018-02-09
22.2.0	3 / 0	2018-02-07
22.1.4	3 / 0	2018-01-19
22.1.2	3 / 0	2018-01-17
22.1.0	3 / 0	2018-01-15
22.0.6	3 / 0	2018-01-11
22.0.5	3 / 0	2018-01-09
22.0.4	3 / 0	2017-12-22
22.0.3	3 / 0	2017-12-19
22.0.2	3 / 0	2017-12-19
22.0.1	3 / 0	2017-12-18
22.0.0	3 / 0	2017-12-18
21.2.1	3 / 0	2017-09-27
21.2.0	3 / 0	2017-09-26
21.1.0	3 / 0	2017-09-14
21.0.2	3 / 0	2017-09-08
21.0.0	3 / 0	2017-09-04
20.0.3	3 / 0	2017-05-17
20.0.2	3 / 0	2017-05-17
20.0.1	3 / 0	2017-05-11
20.0.0	3 / 0	2017-05-06
19.0.2	3 / 0	2017-02-23
19.0.1	3 / 0	2017-02-22
19.0.0	3 / 0	2017-02-21
18.1.0	3 / 0	2016-12-29
18.0.0	3 / 0	2016-12-15
17.0.2	3 / 0	2016-11-15
17.0.0	3 / 0	2016-11-08
16.0.2	3 / 0	2016-10-20
16.0.0	3 / 0	2016-10-03
15.1.1	2 / 0	2016-09-02
15.1.0	2 / 0	2016-09-01
15.0.1	2 / 0	2016-09-01
15.0.0	2 / 0	2016-08-31
14.0.0	2 / 0	2016-07-27
13.2.2	2 / 0	2016-07-07
13.2.1	2 / 0	2016-07-07
13.2.0	2 / 0	2016-07-07
13.1.3	2 / 0	2016-07-07
13.1.2	2 / 0	2016-07-07
13.1.1	2 / 0	2016-07-06
13.1.0	2 / 0	2016-07-05
13.0.0	2 / 0	2016-06-22
12.1.0	2 / 0	2016-05-20
12.0.2	2 / 0	2016-04-28
12.0.1	2 / 0	2016-04-27
12.0.0	2 / 0	2016-04-27
11.0.2	2 / 0	2016-04-18
11.0.1	2 / 0	2016-04-15
11.0.0	2 / 0	2016-04-12
10.0.2	2 / 0	2016-04-11
1.0.0	0 / 0	2016-03-28

v23.0.0

2 findings

HIGH Publisher changed: cpojer → mjesun (on 2018-05-24) provenance

This version was published by a different npm account than previous versions on 2018-05-24. This could indicate a legitimate maintainer transition or an account compromise.