jscoverage
a javascript coverage tool, can be used in node dev, and browser side js dev
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change from kate.sf to fish occurred in 2012 (13+ years ago). Fish has 63 approved packages and has been active since the package's inception. This is a stable historical transition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer 'fish' was added in 2012 alongside the publisher change. Long-established, no risk signal for this package. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): node-waf configure is the canonical native addon build step for Node 0.4.x era packages; this is a legitimate C/C++ native binding. | ai | |
| install-scripts | install-script:install | AI (install-scripts): node-waf is the canonical native addon build tool for Node 0.4.x era; equivalent to node-gyp build in modern packages. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Binaries are compiled jscoverage C library and native Node.js addon (.node file); expected artifacts for a native binding package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() calls are in doc/example-jsunit JSUnit test framework files, not core package code. Historical test framework pattern, not a supply-chain risk. | ai |
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 0.5.8 | 6 / 3 | |
| 0.5.7 | 6 / 3 | |
| 0.5.6 | 6 / 3 | |
| 0.5.4 | 4 / 3 | |
| 0.5.3 | 4 / 3 | |
| 0.5.2 | 4 / 3 | |
| 0.3.8 | 2 / 3 | |
| 0.3.7 | 2 / 3 | |
| 0.3.6 | 2 / 3 | |
| 0.3.5 | 2 / 3 | |
| 0.3.4 | 2 / 3 | |
| 0.3.3 | 2 / 3 | |
| 0.3.2 | 2 / 3 | |
| 0.3.1 | 2 / 3 | |
| 0.3.0 | 2 / 3 | |
| 0.1.7 | 0 / 0 | |
| 0.1.5 | 0 / 0 | |
| 0.0.8 | 0 / 0 | |
| 0.0.3 | 0 / 0 | |
| 0.0.1 | 0 / 0 |
v0.5.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
2 findingsThis version was published by a different npm account than previous versions on 2012-04-17. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.3
3 findingsScript: node-waf configure
Script: node-waf
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1
4 findingsScript: node-waf configure
Script: node-waf
Package contains compiled binaries that could be backdoors: • js/obj/js • js/obj/libjs.so • jscoverage.node
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.