jest-message-util — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramovsimenbrickhanloniiopenjs-operationscpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): New deps (@jest/types, graceful-fs, @types/stack-utils) are all legitimate, well-known packages consistent with Jest v26 refactoring.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Publisher change from cpojer to simenb reflects a legitimate Jest team transition at Facebook; simenb is a well-known Jest core contributor with a strong track record.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are known Jest/Facebook contributors; this reflects the documented Jest team evolution, not a takeover.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Removed maintainers are consistent with team changes within the Jest project at Facebook; no compromise indicators.	ai	2026/04/22
dependencies	unvetted-dep:@jest/types	AI (dependencies): @jest/types is a core Jest monorepo package; always co-released with jest-message-util at the same version. Stable false positive for this package.	ai	2026/04/22
dependencies	unvetted-dep:stack-utils	AI (dependencies): stack-utils is a well-known, stable utility used by Jest for stack trace parsing. No security concerns.	ai	2026/04/22
dependencies	unvetted-dep:@types/stack-utils	AI (dependencies): Type definitions package for stack-utils; no runtime risk. Stable false positive for this package.	ai	2026/04/22
npm-metadata	suspicious-initial-version	AI (npm-metadata): [email protected] is a well-known Jest monorepo placeholder version published by the core Jest maintainer; 0.0.0 is a standard stub pattern in this ecosystem.	ai	2026/04/22
npm-metadata	no-description	AI (npm-metadata): Jest monorepo internal utility; missing description is standard for such packages and not a risk signal.	ai	2026/04/21
phantom-deps	phantom-dep:@types/stack-utils	AI (phantom-deps): @types/stack-utils is a TypeScript type declaration used at compile time, not imported at runtime. Phantom-dep detection is a stable false positive for @types/* packages.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Monorepo-published package; empty description and inflated semver are expected patterns in Jest's versioning scheme, not malware indicators.	ai	2026/04/21

Versions (showing 51 of 108)

View all versions

Version	Deps	Published
30.4.1	10 / 4	2026-05-08
30.4.0	10 / 4	2026-05-07
30.3.0	9 / 4	2026-03-10
30.2.0	9 / 4	2025-09-28
30.1.0	9 / 4	2025-08-27
30.0.5	9 / 4	2025-07-22
30.0.2	9 / 4	2025-06-19
30.0.1	9 / 4	2025-06-18
30.0.0	9 / 4	2025-06-10
29.7.0	9 / 4	2023-09-12
29.6.3	9 / 4	2023-08-21
29.6.2	9 / 4	2023-07-27
29.6.1	9 / 4	2023-07-06
29.6.0	9 / 4	2023-07-04
29.5.0	9 / 4	2023-03-06
29.4.3	9 / 4	2023-02-15
29.4.2	9 / 4	2023-02-07
29.4.1	9 / 3	2023-01-26
29.4.0	9 / 3	2023-01-24
29.3.1	9 / 3	2022-11-08
29.2.1	9 / 3	2022-10-18
29.2.0	9 / 3	2022-10-14
29.1.2	9 / 3	2022-09-30
29.1.0	9 / 3	2022-09-28
29.0.3	9 / 3	2022-09-10
29.0.2	9 / 3	2022-09-03
29.0.1	9 / 3	2022-08-26
29.0.0	9 / 3	2022-08-25
28.1.3	9 / 3	2022-07-13
28.1.1	9 / 3	2022-06-07
28.1.0	9 / 3	2022-05-06
28.0.2	9 / 3	2022-04-27
28.0.1	9 / 3	2022-04-26
28.0.0	9 / 3	2022-04-25
27.5.1	9 / 3	2022-02-08
27.5.0	9 / 3	2022-02-05
27.4.6	9 / 3	2022-01-04
27.4.2	9 / 3	2021-11-30
27.4.1	9 / 3	2021-11-30
27.4.0	9 / 3	2021-11-29
27.3.1	9 / 3	2021-10-19
27.3.0	9 / 3	2021-10-17
27.2.5	9 / 3	2021-10-08
27.2.4	9 / 3	2021-09-29
27.2.3	9 / 3	2021-09-28
27.2.2	9 / 3	2021-09-25
27.2.0	9 / 3	2021-09-13
27.1.1	9 / 3	2021-09-08
27.1.0	9 / 3	2021-08-27
27.0.6	9 / 3	2021-06-28
27.0.2	9 / 3	2021-05-29