jest-resolve — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramovsimenbrickhanloniiopenjs-operationscpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer rotation on the official Facebook/Jest project by a trusted core maintainer (cpojer); consistent with normal team evolution, not a takeover signal.	ai	2026/04/23
dependencies	unvetted-dep:jest-pnp-resolver	AI (dependencies): jest-pnp-resolver is a well-known PnP resolver adapter for Jest; stable legitimate dependency.	ai	2026/04/23
dependencies	unvetted-dep:jest-util	AI (dependencies): jest-util is a core Jest monorepo package; always a legitimate dependency of jest-resolve.	ai	2026/04/23
dependencies	unvetted-dep:jest-validate	AI (dependencies): jest-validate is a core Jest monorepo package; always a legitimate dependency of jest-resolve.	ai	2026/04/23
dependencies	unvetted-dep:jest-haste-map	AI (dependencies): jest-haste-map is a core Jest monorepo package; always a legitimate dependency of jest-resolve.	ai	2026/04/23
dependencies	unvetted-dep:slash	AI (dependencies): slash is a widely-used path separator utility; no security concern for this package.	ai	2026/04/23
dependencies	unvetted-dep:unrs-resolver	AI (dependencies): unrs-resolver is a Rust-based module resolver used by Jest; legitimate dependency for this package.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): browser-resolve is a legitimate, established package for browser module resolution — a natural dependency for jest-resolve which handles both Node and browser environments.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): dmitriiabramov and fb are recognized Jest/Facebook contributors; additions are consistent with the official Jest project's maintainer evolution, not a suspicious takeover.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): Both cpojer and mjesun are known Jest core contributors at Facebook/Meta. Publisher transitions within the Jest team are expected and this pattern is stable for this package.	ai	2026/04/23
npm-metadata	suspicious-initial-version	AI (npm-metadata): [email protected] is a namespace reservation by trusted Jest maintainer cpojer; 0.0.0 is intentional for placeholder packages in this ecosystem.	ai	2026/04/23
dependencies	unvetted-dep:resolve.exports	AI (dependencies): resolve.exports is a legitimate, purpose-built package for resolving package.json exports fields; its use in jest-resolve is appropriate and expected across all versions.	ai	2026/04/23
npm-metadata	no-description	AI (npm-metadata): Monorepo sub-packages from the Jest project commonly omit descriptions; not a malicious signal for this package.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Publisher cpojer is a long-standing Jest maintainer; lack of provenance is not unusual for this ecosystem and does not indicate risk here.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): jest-resolve is a monorepo sub-package of the official Jest project; inflated semver, no description, and no keywords are expected for monorepo packages and not spam indicators.	ai	2026/04/21