jest-haste-map — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramovsimenbrickhanloniiopenjs-operationscpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	large-new-source-files	AI (source-diff): jest-haste-map is a core Jest package; large file additions are expected across major version bumps (e.g., 24.x series refactors and TypeScript type additions). No malicious content indicated.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is in a test file mocking worker farm behavior — standard Jest test pattern, not a runtime risk for consumers.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): child_process import is in test files for the node crawler; expected behavior for testing filesystem crawling utilities.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): simenb is a well-known Jest core maintainer at Facebook; the cpojer→simenb transition is a documented Jest team handoff, not a compromise.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Provenance attestation is absent on ~88% of npm packages; not a material risk for established packages with strong publisher history.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): jest-docblock is a first-party Jest package versioned in lockstep (^20.0.0); not a suspicious third-party dependency.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): davidaurelio is a known Facebook/Jest contributor; maintainer rotation in the Jest monorepo is expected and not a takeover signal.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): gaearon and kentaromiura stepping back from jest-haste-map is consistent with normal team evolution at Facebook; no hostile takeover indicators.	ai	2026/04/23
npm-metadata	suspicious-initial-version	AI (npm-metadata): Package is a 10-year-old namespace reservation by trusted Jest maintainer cpojer; 0.0.0 is a historical placeholder, not a malicious pattern.	ai	2026/04/23
npm-metadata	no-description	AI (npm-metadata): Monorepo packages often omit descriptions; not indicative of malice in this context.	ai	2026/04/23
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): @types/node is a framework-scoped type package; expected for Node.js utilities.	ai	2026/04/23
phantom-deps	phantom-dep:@types/graceful-fs	AI (phantom-deps): @types/graceful-fs is intentionally listed as a runtime dep in Jest packages to provide types to consumers; standard Jest monorepo pattern.	ai	2026/04/23
dependencies	unvetted-dep:@types/graceful-fs	AI (dependencies): @types/graceful-fs is a DefinitelyTyped type-only package with no runtime code; negligible risk for this well-known Jest package.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): Signals are false positives for monorepo packages versioned to match Jest's release cycle (30.3.0), not inflated semver on a new package.	ai	2026/04/21
dependencies	unvetted-dep:fb-watchman	AI (dependencies): fb-watchman is Facebook's file-system watcher; core dependency for jest-haste-map's caching strategy.	ai	2026/04/21
dependencies	unvetted-dep:jest-regex-util	AI (dependencies): jest-regex-util is an internal Jest package; appropriate internal dependency.	ai	2026/04/21
dependencies	unvetted-dep:walker	AI (dependencies): walker is a legitimate file-system traversal library; appropriate for jest-haste-map's file-hashing use case.	ai	2026/04/21

Versions (showing 49 of 149)

Version	Deps	Published
23.0.0	7 / 0	2018-05-24
22.4.3	7 / 0	2018-03-21
22.4.2	7 / 0	2018-02-22
22.4.1	7 / 0	2018-02-22
22.4.0	7 / 0	2018-02-20
22.3.0	6 / 0	2018-02-13
22.2.2	6 / 0	2018-02-09
22.2.0	6 / 0	2018-02-07
22.1.0	6 / 0	2018-01-15
22.0.6	6 / 0	2018-01-11
22.0.3	6 / 0	2017-12-19
22.0.2	6 / 0	2017-12-19
22.0.1	6 / 0	2017-12-18
22.0.0	6 / 0	2017-12-18
21.2.0	6 / 0	2017-09-26
21.1.0	6 / 0	2017-09-14
21.0.2	6 / 0	2017-09-08
21.0.0	6 / 0	2017-09-04
20.0.5	6 / 0	2017-07-17
20.0.4	6 / 0	2017-05-24
20.0.3	6 / 0	2017-05-17
20.0.2	6 / 0	2017-05-17
20.0.1	6 / 0	2017-05-11
20.0.0	6 / 0	2017-05-06
19.0.2	5 / 0	2017-04-26
19.0.1	5 / 0	2017-04-17
19.0.0	5 / 0	2017-02-21
18.1.0	5 / 0	2016-12-29
18.0.0	5 / 0	2016-12-15
17.0.3	5 / 0	2016-11-17
17.0.2	5 / 0	2016-11-15
17.0.0	5 / 0	2016-11-08
16.0.2	4 / 0	2016-10-20
16.0.0	4 / 0	2016-10-03
15.0.1	4 / 0	2016-09-01
15.0.0	3 / 1	2016-08-31
14.1.0	3 / 1	2016-08-01
14.0.0	3 / 0	2016-07-27
13.2.2	3 / 0	2016-07-07
13.2.1	3 / 0	2016-07-07
13.1.1	3 / 0	2016-07-06
13.0.0	3 / 0	2016-06-22
12.1.0	3 / 0	2016-05-20
12.0.2	3 / 0	2016-04-28
12.0.1	3 / 0	2016-04-27
12.0.0	3 / 0	2016-04-27
11.0.2	3 / 0	2016-04-21
11.0.0	3 / 0	2016-04-21
0.0.0	0 / 0	2016-04-14

v23.0.0

2 findings

HIGH Publisher changed: cpojer → mjesun (on 2018-05-24) provenance

This version was published by a different npm account than previous versions on 2018-05-24. This could indicate a legitimate maintainer transition or an account compromise.