jest-watch-typeahead
Jest plugin for filtering by filename or test name
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (rickhanlonii, thymikee, orta, etc.) are well-known Jest core contributors in the jest-community org. Legitimate community transition, not a takeover. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): ansi-escapes and jest-regex-util are standard, well-known packages in the Jest ecosystem with no malicious history. | ai | |
| provenance | publisher-changed | AI (provenance): simenb (Simen Bekkhus) is a known Jest core contributor; transition from rogeliog to simenb within jest-community is a legitimate maintainer handoff. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): lodash is declared in dependencies and used in configuration; phantom-dep finding is a false positive for config-referenced utilities. | ai | |
| phantom-deps | phantom-dep:prompts | AI (phantom-deps): Phantom prompts dep is a minor code quality issue in an early version (0.0.1) of a legitimate package; not a security concern. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Minor metadata signals (README formatting, missing keywords) are cosmetic issues common in older packages; no malware indicators. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is due to shipping pre-built Babel/TS compiled output via prepack script; consistent with jest-community package build tooling changes, not injected payload. | ai | |
| phantom-deps | phantom-dep:strip-ansi | AI (phantom-deps): Used internally for ANSI code handling; phantom-dep is expected for indirect dependencies. | ai | |
| phantom-deps | phantom-dep:ansi-escapes | AI (phantom-deps): Used internally for terminal control; phantom-dep is expected for indirect dependencies. | ai | |
| phantom-deps | phantom-dep:jest-watcher | AI (phantom-deps): Core Jest plugin dependency; phantom-dep is expected as it's used through Jest's plugin interface. | ai | |
| phantom-deps | phantom-dep:string-length | AI (phantom-deps): Utility dependency used internally; phantom-dep is expected for indirect dependencies. | ai | |
| phantom-deps | phantom-dep:jest-regex-util | AI (phantom-deps): Jest utility used internally for regex handling; phantom-dep is expected for indirect dependencies. | ai | |
| phantom-deps | phantom-dep:slash | AI (phantom-deps): Utility dependency used internally by the plugin; phantom-dep is expected for indirect dependencies. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): Jest plugin legitimately uses chalk indirectly for terminal output; not directly imported but required for functionality. | ai | |
| npm-metadata | url-dep:prompts | AI (npm-metadata): Git URL is pinned to a specific commit hash, mitigating arbitrary swap risk. This is a v0.0.1 early release pattern; the package has since matured to use registry versions. | ai | |
| dependencies | unvetted-dep:prompts | AI (dependencies): Pinned to a specific commit hash — not a floating git reference. Risk is bounded and this is a historical v0.0.1 release of an established package. | ai | |
| dependencies | unvetted-dep:jest-regex-util | AI (dependencies): jest-regex-util is a core Jest ecosystem utility package; a direct and expected dependency for this plugin. | ai | |
| dependencies | unvetted-dep:string-length | AI (dependencies): string-length is a well-known utility package with no security concerns relevant to this package. | ai | |
| dependencies | unvetted-dep:jest-watcher | AI (dependencies): jest-watcher is a core Jest ecosystem package maintained by the Jest team; a direct and expected dependency for this plugin. | ai | |
| dependencies | unvetted-dep:slash | AI (dependencies): slash is a well-known, widely-used utility package for normalizing path separators; no security concern for this package. | ai | |
| dependencies | unvetted-dep:ansi-escapes | AI (dependencies): ansi-escapes is a widely-used, legitimate package for ANSI terminal escape codes; appropriate dependency for this plugin. | ai | |
| provenance | no-provenance | AI (provenance): Package published in 2017, before Sigstore provenance became standard; absence is expected and not a security concern. | ai | |
Versions (showing 23 of 23)
| Version | Deps | Published |
|---|---|---|
| 3.0.1 | 7 / 28 | |
| 3.0.0 | 7 / 27 | |
| 2.2.2 | 7 / 27 | |
| 2.2.1 | 7 / 27 | |
| 2.2.0 | 7 / 27 | |
| 2.1.1 | 7 / 28 | |
| 2.1.0 | 7 / 28 | |
| 2.0.0 | 7 / 28 | |
| 1.1.0 | 7 / 27 | |
| 1.0.0 | 7 / 27 | |
| 0.6.5 | 7 / 24 | |
| 0.6.4 | 7 / 24 | |
| 0.6.3 | 7 / 21 | |
| 0.6.2 | 7 / 21 | |
| 0.6.1 | 7 / 17 | |
| 0.4.2 | 7 / 18 | |
| 0.4.1 | 7 / 18 | |
| 0.4.0 | 6 / 17 | |
| 0.3.1 | 6 / 17 | |
| 0.2.1 | 6 / 17 | |
| 0.2.0 | 5 / 14 | |
| 0.1.0 | 6 / 14 | |
| 0.0.1 | 7 / 14 | |
v3.0.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.1.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published on 2021-04-02 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.1 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published on 2020-09-05 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.2 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published on 2019-11-10 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.1 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published on 2019-11-09 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.0 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published on 2019-08-20 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.1 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published on 2019-05-05 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v0.2.1 (3 findings)
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: simenb.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published on 2019-01-22 by a different npm account than previous versions. This could indicate a legitimate maintainer transition or an account compromise.
v0.2.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
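Added example, not the scanner's code and not anything from the jest-community project: the checks behind the findings on this page, reimplemented over the JSON an npm registry packument exposes (https://registry.npmjs.org/<name>) so they can be re-run against any package. It covers the provenance note at the top (dist.attestations absent), the publisher-changed and missing-gitHead findings in the version list, and the pinned-versus-floating git URL dependency reasoning in the accepted-risks table. The packument literal is constructed for the demo: the version numbers 0.0.1, 0.2.0, 0.2.1 and 3.0.1 come from this page, but the account names userA/userB, dates, commit hashes, dependency specs and the provenance-bearing version 9.9.9 are placeholders, not registry data. Only real packument field names are used (time, versions, _npmUser, gitHead, dependencies, dist.attestations).

```javascript
// Added example: re-implements this page's provenance / publisher / gitHead / git-URL
// checks over an npm packument (the JSON served at https://registry.npmjs.org/<name>).
// The packument below is constructed for the demo. Field names are the registry's own;
// user names, dates, hashes, dependency specs and version 9.9.9 are placeholders.
const FAKE_SHA = (ch) => ch.repeat(40);
const SAMPLE_PACKUMENT = {
  name: "jest-watch-typeahead",
  time: {
    "0.0.1": "2018-01-01T00:00:00.000Z",
    "0.2.0": "2018-06-01T00:00:00.000Z",
    "0.2.1": "2019-01-22T00:00:00.000Z",
    "3.0.1": "2025-01-01T00:00:00.000Z",
    "9.9.9": "2025-06-01T00:00:00.000Z", // hypothetical provenance-enabled release
  },
  versions: {
    "0.0.1": {
      _npmUser: { name: "userA" }, gitHead: FAKE_SHA("a"),
      // git URL dependency pinned to a commit: bounded risk, like the v0.0.1 prompts dep
      dependencies: { prompts: "git+https://github.com/example/prompts.git#" + FAKE_SHA("b") },
      dist: {},
    },
    "0.2.0": {
      _npmUser: { name: "userA" }, gitHead: FAKE_SHA("c"),
      // floating branch ref: installed contents can change without a version bump
      dependencies: { prompts: "git+https://github.com/example/prompts.git#main" },
      dist: {},
    },
    "0.2.1": {
      _npmUser: { name: "userB" }, // new publisher, and no gitHead this time
      dependencies: { prompts: "^2.0.0" },
      dist: {},
    },
    "3.0.1": { _npmUser: { name: "userB" }, gitHead: FAKE_SHA("d"), dependencies: {}, dist: {} },
    "9.9.9": {
      _npmUser: { name: "userB" }, gitHead: FAKE_SHA("e"), dependencies: {},
      dist: { attestations: {
        url: "https://registry.npmjs.org/-/npm/v1/attestations/jest-watch-typeahead@9.9.9",
        provenance: { predicateType: "https://slsa.dev/provenance/v1" },
      } },
    },
  },
};

const COMMIT_SHA = /^[0-9a-f]{40}$/i;

// Versions in the order they were published, from the registry's time map rather than
// semver order: a publisher change is only meaningful in publish order.
function publishOrder(pkg) {
  return Object.keys(pkg.versions).sort(
    (a, b) => (Date.parse(pkg.time[a]) || 0) - (Date.parse(pkg.time[b]) || 0));
}

// Presence of a SLSA provenance attestation in the packument. This is a hint only;
// the Sigstore signature check itself is what `npm audit signatures` performs.
function hasProvenance(v) {
  const att = v.dist && v.dist.attestations;
  return Boolean(att && att.provenance &&
    /slsa\.dev\/provenance/.test(att.provenance.predicateType || ""));
}

function isGitSpec(spec) {
  return /^(git\+|git:|github:|gitlab:|bitbucket:)/.test(spec) ||
    /^https?:\/\/.*\.git(#|$)/.test(spec);
}

// Git URL dependencies: a 40-hex commit after '#' is pinned; a branch, tag, semver range
// or no ref at all is resolved at install time and can be swapped out from under you.
function gitDepFindings(version, v) {
  const out = [];
  for (const [dep, spec] of Object.entries(v.dependencies || {})) {
    if (!isGitSpec(spec)) continue;
    const ref = spec.includes("#") ? spec.slice(spec.indexOf("#") + 1) : "";
    const rule = COMMIT_SHA.test(ref) ? "url-dep:pinned" : "url-dep:floating";
    out.push({ version, rule, detail: `${dep} -> ${spec}` });
  }
  return out;
}

function auditPackument(pkg) {
  const findings = [];
  let prevUser = null;
  let sawGitHead = false;
  for (const version of publishOrder(pkg)) {
    const v = pkg.versions[version];
    const user = (v._npmUser && v._npmUser.name) || "(unknown)";
    const day = (pkg.time[version] || "").slice(0, 10);
    if (!hasProvenance(v)) {
      findings.push({ version, rule: "no-provenance", detail: "dist.attestations absent" });
    }
    if (prevUser !== null && user !== prevUser) {
      findings.push({ version, rule: "publisher-changed", detail: `${prevUser} -> ${user} on ${day}` });
    }
    // Only flag a missing gitHead once earlier versions showed the publish flow setting it.
    if (!v.gitHead && sawGitHead) {
      findings.push({ version, rule: "gitHead-missing", detail: `published by ${user}` });
    }
    if (v.gitHead) sawGitHead = true;
    findings.push(...gitDepFindings(version, v));
    prevUser = user;
  }
  return findings;
}

// Rule names raised for one version, sorted, for easy comparison.
function rulesFor(findings, version) {
  return findings.filter((f) => f.version === version).map((f) => f.rule).sort();
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditPackument(SAMPLE_PACKUMENT)) {
    console.log(`${f.version.padEnd(6)} ${f.rule.padEnd(18)} ${f.detail}`);
  }
}
```

Against a live package, replace the literal with the parsed output of `curl -s https://registry.npmjs.org/jest-watch-typeahead`. A dist.attestations entry only means the registry holds a provenance bundle for that version; verifying the Sigstore signature and tying the bundle to the tarball you installed is what `npm audit signatures` (npm 9.5 or newer, run inside a project that has the package installed) does, and `npm view jest-watch-typeahead dist.attestations` shows the raw field for the latest version.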