jest-mock — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramovsimenbrickhanloniiopenjs-operationscpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-tripled	AI (source-diff): Size increase is explained by the addition of the new browser-targeted ES5 bundle with polyfills, an intentional build artifact for jest-mock.	ai	2026/04/22
source-diff	net-exec-file:build-es5/index.js	AI (source-diff): build-es5/index.js is an intentional UMD/ES5 browser bundle (referenced in package.json 'browser' field). The 'network+exec' signals are UMD boilerplate (typeof window, define(factory)) — not actual network I/O or malicious code execution.	ai	2026/04/22
dependencies	unvetted-dep:@jest/types	AI (dependencies): @jest/types is a first-party sibling package in the jestjs/jest monorepo, always released in lockstep with jest-mock. Not a third-party unknown dependency.	ai	2026/04/22
dependencies	unvetted-dep:jest-util	AI (dependencies): jest-util is a first-party sibling package in the jestjs/jest monorepo, always released in lockstep with jest-mock. Not a third-party unknown dependency.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): @jest/types and @types/node are legitimate Jest ecosystem packages introduced in the v26 monorepo refactor; not suspicious.	ai	2026/04/22
source-diff	source-size-dropped	AI (source-diff): Size drop from v22 to v26 reflects intentional refactoring (type extraction to @jest/types, TypeScript adoption); not a stub replacement.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): simenb is a known Jest core contributor at Meta/Facebook; the publisher change from cpojer reflects a legitimate team transition, not a compromise.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are known Jest team members at Meta/Facebook; consistent with legitimate team evolution across major versions.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Removed maintainers reflect normal team turnover at Meta/Facebook; no signs of hostile takeover.	ai	2026/04/22
npm-metadata	suspicious-initial-version	AI (npm-metadata): jest-mock 0.0.0 is a well-known namespace reservation stub by the Jest core team (cpojer). The 0.0.0 version is intentional and not indicative of malicious activity.	ai	2026/04/22
provenance	no-provenance	AI (provenance): jest-mock is a long-established Facebook/Jest package; absence of Sigstore provenance is expected for packages of this age and is not a risk signal here.	ai	2026/04/22
semgrep	semgrep:new-function-constructor	AI (semgrep): jest-mock intentionally uses new Function() to create named mock constructors — a documented, stable internal pattern with no external input. Not a security risk for this package.	ai	2026/04/22
phantom-deps	phantom-dep:@jest/types	AI (phantom-deps): Type-only dependency; not directly imported at runtime is expected for TypeScript type packages in Jest's ecosystem.	ai	2026/04/21
npm-metadata	no-description	AI (npm-metadata): Jest monorepo packages routinely omit descriptions in published package.json; not a malware signal for this package.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): jest-mock is a core Jest monorepo package; inflated semver, missing description, and no keywords are expected artifacts of monorepo publishing, not spam indicators.	ai	2026/04/21
phantom-deps	phantom-dep:@types/node	AI (phantom-deps): @types/node is a type-only dependency; not being directly imported at runtime is standard and expected.	ai	2026/04/21

Versions (showing 51 of 125)

View all versions

Version	Deps	Published
30.4.1	3 / 0	2026-05-08
30.4.0	3 / 0	2026-05-07
30.2.0	3 / 0	2025-09-28
30.0.5	3 / 0	2025-07-22
30.0.2	3 / 0	2025-06-19
30.0.1	3 / 0	2025-06-18
30.0.0	3 / 0	2025-06-10
29.7.0	3 / 2	2023-09-12
29.6.3	3 / 2	2023-08-21
29.6.2	3 / 2	2023-07-27
29.6.1	3 / 2	2023-07-06
29.6.0	3 / 2	2023-07-04
29.5.0	3 / 2	2023-03-06
29.4.3	3 / 2	2023-02-15
29.4.2	3 / 2	2023-02-07
29.4.1	3 / 2	2023-01-26
29.4.0	3 / 2	2023-01-24
29.3.1	3 / 2	2022-11-08
29.3.0	3 / 2	2022-11-07
29.2.2	3 / 2	2022-10-24
29.2.1	3 / 2	2022-10-18
29.2.0	3 / 2	2022-10-14
29.1.2	3 / 2	2022-09-30
29.1.1	3 / 2	2022-09-28
29.1.0	3 / 2	2022-09-28
29.0.3	2 / 2	2022-09-10
29.0.2	2 / 2	2022-09-03
29.0.1	2 / 2	2022-08-26
29.0.0	2 / 2	2022-08-25
28.1.3	2 / 2	2022-07-13
28.1.1	2 / 2	2022-06-07
28.1.0	2 / 2	2022-05-06
28.0.2	2 / 2	2022-04-27
28.0.1	2 / 2	2022-04-26
28.0.0	2 / 2	2022-04-25
27.5.1	2 / 0	2022-02-08
27.5.0	2 / 0	2022-02-05
27.4.6	2 / 0	2022-01-04
27.4.2	2 / 0	2021-11-30
27.4.1	2 / 0	2021-11-30
27.4.0	2 / 0	2021-11-29
27.3.0	2 / 0	2021-10-17
27.2.5	2 / 0	2021-10-08
27.2.4	2 / 0	2021-09-29
27.2.3	2 / 0	2021-09-28
27.1.1	2 / 0	2021-09-08
27.1.0	2 / 0	2021-08-27
27.0.6	2 / 0	2021-06-28
27.0.3	2 / 0	2021-05-29
27.0.2	2 / 0	2021-05-29
27.0.1	2 / 0	2021-05-25

v30.4.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.4.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: cpojer → simenb (on 2026-05-07) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.

v30.2.0

2 findings

HIGH Publisher changed: simenb → cpojer (on 2025-09-28) provenance

This version was published by a different npm account than previous versions on 2025-09-28. This could indicate a legitimate maintainer transition or an account compromise.