← Home

pretty-format

npm Repository

Stringify any JavaScript value.

100
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramovsimenbrickhanloniiopenjs-operationscpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:react-is-18 AI (dependencies): npm alias for canonical react-is@^18.3.1; legitimate multi-React-version support pattern. ai
dependencies unvetted-dep:react-is-19 AI (dependencies): npm alias for canonical react-is@^19.2.5; legitimate multi-React-version support pattern. ai
source-diff net-exec-file:build-es5/index.js AI (source-diff): build-es5/index.js is the documented browser entry point — a UMD bundle with core-js polyfills. The 'network+exec' pattern is the standard global-detection idiom (Function('return this')()) in polyfill code, not malware. ai
provenance missing-githead AI (provenance): pretty-format is a long-established Jest package; missing gitHead reflects a publish environment change, not a security concern. Stable false positive for this package. ai
phantom-deps phantom-dep:@jest/types AI (phantom-deps): Framework-scoped Jest package loaded by convention; phantom status is expected and benign. ai
source-diff source-size-tripled AI (source-diff): Legitimate growth from v22 to v24; consistent with feature additions and build artifacts. ai
dependencies unvetted-dep:@jest/types AI (dependencies): @jest/types is a core Jest package; unvetted status is expected for internal monorepo dependencies. ai
source-diff large-new-source-files AI (source-diff): Expected growth for a two-version bump with feature additions; no evidence of injected code. ai
maintainer-change maintainer-takeover AI (maintainer-change): The maintainer transition reflects the well-documented handoff of the Jest project to the Facebook/Meta team. The new maintainers (simenb, aaronabramov, fb, etc.) are the official Jest maintainers at Facebook. This is not a hijack. ai
provenance no-provenance AI (provenance): Provenance absence is expected for packages predating Sigstore adoption; not a security risk. ai
provenance publisher-changed AI (provenance): Publisher change reflects documented Jest maintainer transition in 2020; stable for this package. ai
maintainer-change maintainer-added AI (maintainer-change): Maintainer additions are part of documented Jest project transition; stable for this package. ai
maintainer-change maintainer-removed AI (maintainer-change): Maintainer removal is part of documented Jest project transition; stable for this package. ai
publish-pattern new-deps-added AI (publish-pattern): New dependencies are all established packages appropriate for a formatting utility. ai
semgrep semgrep:new-function-constructor AI (semgrep): new Function() is in a performance test with explicit eslint-disable; legitimate test case, not code execution risk. ai
dependencies unvetted-dep:@jest/schemas AI (dependencies): @jest/schemas is a first-party Jest monorepo package versioned in lockstep with pretty-format; not a suspicious third-party dependency. ai

Versions (showing 100 of 133)

Show 5 prereleases
Version Deps Published
30.4.1 4 / 10
30.4.0 4 / 10
30.3.0 3 / 8
30.2.0 3 / 8
30.0.5 3 / 8
30.0.2 3 / 8
30.0.1 3 / 8
30.0.0 3 / 8
29.7.0 3 / 8
29.6.3 3 / 8
29.6.2 3 / 8
29.6.1 3 / 8
29.6.0 3 / 8
29.5.0 3 / 8
29.4.3 3 / 8
29.4.2 3 / 8
29.4.1 3 / 8
29.4.0 3 / 8
29.3.1 3 / 8
29.2.1 3 / 8
29.2.0 3 / 8
29.1.2 3 / 8
29.1.0 3 / 8
29.0.3 3 / 9
29.0.2 3 / 9
29.0.1 3 / 9
29.0.0 3 / 9
28.1.3 4 / 9
28.1.1 4 / 9
28.1.0 4 / 9
28.0.2 4 / 9
28.0.1 4 / 9
28.0.0 4 / 9
27.5.1 3 / 8
27.5.0 3 / 8
27.4.6 3 / 8
27.4.2 4 / 8
27.4.1 4 / 8
27.4.0 4 / 8
27.3.1 4 / 8
27.3.0 4 / 8
27.2.5 4 / 8
27.2.4 4 / 8
27.2.3 4 / 8
27.2.2 4 / 8
27.2.0 4 / 8
27.1.1 4 / 8
27.1.0 4 / 8
27.0.6 4 / 8
27.0.2 4 / 8
27.0.1 4 / 8
27.0.0 4 / 8
26.6.2 4 / 8
26.6.1 4 / 8
26.6.0 4 / 8
26.5.2 4 / 8
26.5.0 4 / 8
26.4.2 4 / 8
26.4.0 4 / 8
26.3.0 4 / 8
26.2.0 4 / 8
26.1.0 4 / 8
26.0.1 4 / 8
26.0.0 4 / 8
25.5.0 4 / 7
25.4.0 4 / 7
25.3.0 4 / 7
25.2.6 4 / 7
25.2.5 4 / 7
25.2.3 4 / 7
25.2.1 4 / 7
25.2.0 4 / 7
25.1.0 4 / 7
25.0.0 4 / 9
24.9.0 4 / 9
24.8.0 4 / 9
24.7.0 4 / 9
24.6.0 4 / 9
24.5.0 4 / 9
24.4.0 4 / 9
24.3.1 4 / 9
24.3.0 3 / 8
24.0.0 2 / 4
22.4.3 2 / 0
22.4.0 2 / 0
22.1.0 2 / 0
22.0.6 2 / 0
22.0.5 2 / 0
22.0.1 2 / 0
22.0.0 2 / 0
21.2.1 2 / 0
21.2.0 2 / 0
21.1.0 2 / 0
21.0.2 2 / 0
21.0.0 2 / 0
20.0.3 2 / 0
20.0.2 2 / 0
20.0.1 2 / 0
20.0.0 1 / 0
19.0.0 1 / 0
Showing 100 of 133 Next page →

v30.4.1

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: cpojer → simenb (on 2026-05-08) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-08. This could indicate a legitimate maintainer transition or an account compromise.

v30.4.0

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: cpojer → simenb (on 2026-05-07) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.