jest-pnp-resolver — Greenflagged

plug'n'play resolver for Webpack

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

arcanis

Keywords

jestyarnplugnplaypnp

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
npm-metadata	suspicious-initial-version	AI (npm-metadata): jest-pnp-resolver 0.0.0 is a legitimate namespace-reservation stub by trusted publisher arcanis; 34.7M weekly downloads confirm legitimacy.	ai	2026/04/24
npm-metadata	no-description	AI (npm-metadata): Stub version 0.0.0 intentionally has no description; the real versions do. Trusted publisher with 148 approved packages.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): Tiny payload is by design (small resolver shim). Off-topic README signal is a false positive for this well-established package.	ai	2026/04/24
provenance	missing-githead	AI (provenance): Publisher arcanis is the package author with strong track record; missing gitHead reflects publish env change, not a security concern.	ai	2026/04/24

Versions (showing 9 of 9)

Version	Deps	Published
1.2.3	0 / 0	2022-11-15
1.2.2	0 / 0	2020-06-24
1.2.1	0 / 0	2019-03-09
1.2.0	0 / 0	2019-02-22
1.1.0	0 / 0	2019-02-05
1.0.2	0 / 0	2018-11-14
1.0.1	0 / 0	2018-09-24
1.0.0	0 / 0	2018-09-24
0.0.0	0 / 0	2018-09-13

v1.2.2

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: arcanis.