pretty-format
Stringify any JavaScript value.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:react-is-18 | AI (dependencies): npm alias for canonical react-is@^18.3.1; legitimate multi-React-version support pattern. | ai | |
| dependencies | unvetted-dep:react-is-19 | AI (dependencies): npm alias for canonical react-is@^19.2.5; legitimate multi-React-version support pattern. | ai | |
| source-diff | net-exec-file:build-es5/index.js | AI (source-diff): build-es5/index.js is the documented browser entry point — a UMD bundle with core-js polyfills. The 'network+exec' pattern is the standard global-detection idiom (Function('return this')()) in polyfill code, not malware. | ai | |
| provenance | missing-githead | AI (provenance): pretty-format is a long-established Jest package; missing gitHead reflects a publish environment change, not a security concern. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@jest/types | AI (phantom-deps): Framework-scoped Jest package loaded by convention; phantom status is expected and benign. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Legitimate growth from v22 to v24; consistent with feature additions and build artifacts. | ai | |
| dependencies | unvetted-dep:@jest/types | AI (dependencies): @jest/types is a core Jest package; unvetted status is expected for internal monorepo dependencies. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Expected growth for a two-version bump with feature additions; no evidence of injected code. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): The maintainer transition reflects the well-documented handoff of the Jest project to the Facebook/Meta team. The new maintainers (simenb, aaronabramov, fb, etc.) are the official Jest maintainers at Facebook. This is not a hijack. | ai | |
| provenance | no-provenance | AI (provenance): Provenance absence is expected for packages predating Sigstore adoption; not a security risk. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change reflects documented Jest maintainer transition in 2020; stable for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions are part of documented Jest project transition; stable for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removal is part of documented Jest project transition; stable for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are all established packages appropriate for a formatting utility. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): new Function() is in a performance test with explicit eslint-disable; legitimate test case, not code execution risk. | ai | |
| dependencies | unvetted-dep:@jest/schemas | AI (dependencies): @jest/schemas is a first-party Jest monorepo package versioned in lockstep with pretty-format; not a suspicious third-party dependency. | ai | |
Versions (showing 38 of 138)
| Version | Deps | Published |
|---|---|---|
| 18.1.0 | 1 / 0 | |
| 18.0.0 | 1 / 0 | |
| 4.3.1 | 0 / 4 | |
| 4.3.0 | 0 / 4 | |
| 4.2.3 | 0 / 4 | |
| 4.2.2 | 0 / 4 | |
| 4.2.1 | 0 / 4 | |
| 4.2.0 | 0 / 4 | |
| 4.1.0 | 0 / 4 | |
| 4.0.0 | 0 / 4 | |
| 3.8.0 | 0 / 4 | |
| 3.7.0 | 0 / 4 | |
| 3.6.0 | 0 / 4 | |
| 3.5.3 | 0 / 4 | |
| 3.5.2 | 0 / 4 | |
| 3.5.1 | 0 / 4 | |
| 3.5.0 | 0 / 4 | |
| 3.4.3 | 0 / 4 | |
| 3.4.2 | 0 / 4 | |
| 3.4.1 | 0 / 4 | |
| 3.4.0 | 0 / 4 | |
| 3.3.2 | 1 / 2 | |
| 3.3.1 | 1 / 2 | |
| 3.3.0 | 1 / 2 | |
| 3.2.0 | 1 / 2 | |
| 3.1.0 | 1 / 1 | |
| 3.0.0 | 1 / 1 | |
| 2.1.0 | 1 / 1 | |
| 2.0.0 | 1 / 1 | |
| 1.2.0 | 1 / 30 | |
| 1.1.1 | 1 / 30 | |
| 1.1.0 | 1 / 30 | |
| 1.0.0 | 1 / 30 | |
| 30.0.0-rc.1 | 3 / 8 | |
| 30.0.0-beta.8 | 3 / 8 | |
| 30.0.0-beta.7 | 3 / 8 | |
| 30.0.0-beta.6 | 3 / 8 | |
| 30.0.0-beta.3 | 3 / 8 | |
v30.0.0-rc.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-09. This could indicate a legitimate maintainer transition or an account compromise.
v30.0.0-beta.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v30.0.0-beta.7
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-04. This could indicate a legitimate maintainer transition or an account compromise.
v30.0.0-beta.6
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-03. This could indicate a legitimate maintainer transition or an account compromise.
v30.0.0-beta.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-05-27. This could indicate a legitimate maintainer transition or an account compromise.