sinon
JavaScript test spies, stubs and mocks.
Supply chain provenance
Status for the latest visible version.
Without a SLSA provenance attestation there is no cryptographic link between this tarball and the public source repository: the registry's signature and the lockfile hash only establish which bytes npm served, not which commit or build step produced them. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:pkg/sinon-1.17.5.js | AI (source-diff): sinon bundles fake XHR (network simulation) and eval-based spy proxies as core features; this is not malware — it is the library's documented test-double functionality. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.17.4.js | AI (source-diff): sinon ships versioned bundle files as build artifacts; the net+exec pattern is sinon's XHR-faking + UMD wrapper, not malware. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-4.0.0.js | AI (source-diff): Same as sinon-4.0.0.js: network calls are fake XHR, dynamic execution is Browserify loader. No-sourcemaps variant of the same legitimate bundle. | ai | |
| source-diff | net-exec-file:pkg/sinon-4.0.0.js | AI (source-diff): Network calls are sinon's fake XHR/server implementation (core library feature). Dynamic code execution is the Browserify module loader pattern. No malicious indicators. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-4.0.0.js | AI (source-diff): Standard Browserify browser bundle variant without sourcemaps. Same benign pattern as sinon-4.0.0.js and previously accepted sinon-3.2.0.js variants. | ai | |
| source-diff | obfuscated-file:pkg/sinon-4.0.0.js | AI (source-diff): Standard Browserify browser bundle of sinon itself, with BSD-3 license header. Minified build artifact in pkg/ directory, consistent with sinon's documented build process. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.11.0.js | AI (source-diff): Sinon's versioned standalone bundle; identical pattern to accepted sinon-1.10.x.js files — fake XHR + eval proxy for argument length preservation. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.11.0.js | AI (source-diff): Sinon's versioned server bundle; 'network' is fake XHR implementation and 'exec' is arity-preserving eval proxy — both are core Sinon features, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.11.0.js | AI (source-diff): Sinon's versioned timers bundle; same pattern as previously accepted 1.10.x bundles — fake timer API with eval proxy, not malicious. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.3.5.js | AI (source-diff): Standard browserify bundle artifact (no-sourcemaps variant) in sinon's pkg/ directory. Same pattern as already-accepted pkg/sinon-no-sourcemaps.js. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.3.5.js | AI (source-diff): Same as net-exec-file:pkg/sinon-2.3.5.js — sinon's fake network capabilities and dynamic require() trigger this rule legitimately. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.3.5.js | AI (source-diff): Standard browserify bundle artifact in sinon's pkg/ directory. Long lines are minified/bundled output, not obfuscation. Consistent with sinon's documented build process. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.3.5.js | AI (source-diff): Network+exec signals come from sinon's fake XHR/fetch mocking capabilities and dynamic require() — core legitimate functionality of this testing library. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.15.1.js | AI (source-diff): Standard sinon UMD bundle; same pattern as accepted 1.14.1 and 1.15.0 bundles. Benign for this package. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.15.4.js | AI (source-diff): Standard sinon UMD bundle; network calls are XHR-faking for test purposes, eval is for arity-matching proxy creation. Not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.5.2.js | AI (source-diff): Sinon's bundled fake-server distribution file. Network calls are the fake XHR/server API sinon provides for testing. Not a dropper. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.5.2.js | AI (source-diff): Sinon's bundled fake-timers distribution file. Flagged pattern is sinon's legitimate test-utility code, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.5.2.js | AI (source-diff): This is sinon's own bundled distribution file (v1.5.2). Network refs are fake XHR simulation; eval is arity-proxy construction. Legitimate sinon artifact, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.3.4.js | AI (source-diff): Network+exec pattern is the standard browserify module loader, not malicious. Confirmed legitimate Sinon bundle artifact. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.3.4.js | AI (source-diff): Standard browserify bundle artifact for Sinon browser distribution. Long lines are expected minified output, not obfuscation. Header confirms legitimate Sinon.JS 2.3.4 release. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.3.4.js | AI (source-diff): Network+exec pattern is the standard browserify module loader (require calls), not malicious dropper behavior. Confirmed legitimate Sinon bundle. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.3.4.js | AI (source-diff): Standard browserify bundle artifact (no-sourcemaps variant). Long lines are expected minified output for browser distribution. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.11.1.js | AI (source-diff): sinon-timers is a build artifact implementing fake timer APIs. Network references are part of the mocking library's design, not malicious activity. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.11.1.js | AI (source-diff): sinon-server is a build artifact implementing fake XHR/server mocking — network calls are the feature, not malware. Legitimate Sinon.JS bundle with proper license headers. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-3.3.0.js | AI (source-diff): Same as sinon-3.3.0.js — fake XHR and fake timer eval are documented sinon features, not malicious network+exec patterns. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-3.3.0.js | AI (source-diff): Same as sinon-3.3.0.js — standard browser bundle without source maps. Expected build artifact for sinon test library. | ai | |
| source-diff | net-exec-file:pkg/sinon-3.3.0.js | AI (source-diff): Network calls are sinon's fake XHR implementation; code execution is fake timer eval for string-based timer callbacks. Both are documented sinon features, not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon-3.3.0.js | AI (source-diff): Standard browserify browser bundle artifact for sinon test library. Minified format is expected for CDN/browser distribution. Content is clearly legitimate sinon API code. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.7.2.js | AI (source-diff): Sinon's bundled timer distribution file; same false-positive pattern as sinon-1.7.2.js. Consistent with prior accepted versions. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.7.2.js | AI (source-diff): Sinon's bundled browser distribution file; 'network' is fake XHR mocking, 'exec' is arity-preserving eval in spy. Legitimate pattern consistent with prior accepted versions. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.7.2.js | AI (source-diff): Sinon's bundled server distribution file; 'network' is fake XHR/server mocking functionality. Consistent with prior accepted versions. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.8.3.js | AI (source-diff): Sinon timers bundle; fake timer API triggers net-exec rule but is a documented testing feature. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.9.0.js | AI (source-diff): Sinon timers bundle; fake timer API triggers net-exec rule but is a documented testing feature. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.9.0.js | AI (source-diff): Versioned sinon build bundle; 'network' is fake XHR simulation and 'exec' is arity-matching eval proxy — core library features, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.9.0.js | AI (source-diff): Sinon server bundle; fake HTTP server simulation triggers net-exec rule but is a documented testing feature. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.8.3.js | AI (source-diff): Sinon server bundle; fake HTTP server simulation triggers net-exec rule but is a documented testing feature. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.8.3.js | AI (source-diff): Versioned sinon build bundle; same pattern as other accepted sinon pkg files — fake XHR + eval proxy, not malicious. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.7.1.js | AI (source-diff): Versioned build artifact for sinon's fake server module. Network patterns are the core feature (XHR mocking), not malicious behavior. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.7.1.js | AI (source-diff): This is sinon's versioned build artifact. Network and eval patterns are inherent to sinon's XHR mocking and spy proxy functionality, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.7.1.js | AI (source-diff): Versioned build artifact for sinon's fake timer module. Patterns are part of sinon's legitimate test mocking functionality. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.14.0.js | AI (source-diff): sinon's bundled UMD file legitimately uses XHR (for fake XHR testing) and eval (for proxy function length). This is core library functionality, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.14.1.js | AI (source-diff): This is sinon's standard bundled distribution file. Network calls are fake XHR mocking (core feature) and eval is used for arity-matching proxy creation. Not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon-3.1.0.js | AI (source-diff): Standard UMD browser bundle shipped by sinon in pkg/ directory; minification is expected for browser distribution, not obfuscation. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-3.1.0.js | AI (source-diff): Same as sinon-3.1.0.js: XHR mocking and dynamic execution are sinon's core features, not malware indicators. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-3.1.0.js | AI (source-diff): Standard UMD browser bundle (no-sourcemaps variant) shipped by sinon in pkg/ directory; minification is expected for browser distribution. | ai | |
| source-diff | net-exec-file:pkg/sinon-3.1.0.js | AI (source-diff): Sinon's core purpose is mocking XHR/network calls; network and dynamic execution patterns in the bundle are the library's intended functionality, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.4.0.js | AI (source-diff): sinon-timers-1.4.0.js is a legitimate build artifact. eval() simulates setTimeout(string) behavior — a documented feature of fake timer APIs, not malicious. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.4.0.js | AI (source-diff): sinon-server-1.4.0.js is a legitimate build artifact providing fake XHR/server mocking. Network API usage is the library's core feature, not exfiltration. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.4.0.js | AI (source-diff): sinon-1.4.0.js is a legitimate build bundle for the sinon test mocking library. Network calls are fake XHR mocking; eval is for timer callback simulation. Not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.3.0.js | AI (source-diff): Network+exec pattern triggered by sinon's XHR mocking internals, which is the library's core purpose. Not a dropper/loader. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.3.0.js | AI (source-diff): Network+exec pattern triggered by sinon's XHR mocking internals. Same pattern as already-accepted pkg/sinon-no-sourcemaps.js. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.3.0.js | AI (source-diff): Versioned no-sourcemaps build artifact from sinon's standard browserify prepublish step. Same pattern as already-accepted pkg/sinon-no-sourcemaps.js. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.3.0.js | AI (source-diff): Versioned build artifact from sinon's standard browserify prepublish step. Content is legitimate sinon source bundled for browser use, not obfuscated malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.10.1.js | AI (source-diff): Sinon's own bundled server build artifact; fake XHR/server is the library's core purpose. No malicious behavior. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.10.1.js | AI (source-diff): Sinon's own bundled timers build artifact; dynamic code patterns are part of sinon's fake timer implementation. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.10.1.js | AI (source-diff): Sinon's own bundled build artifact; 'network' is fake XHR mocking, 'exec' is arity-preserving eval in spy proxies. Legitimate library behavior. | ai | |
| source-diff | obfuscated-file:pkg/sinon-server-1.17.0.js | AI (source-diff): Sinon ships minified browser bundles in pkg/ as a core part of its distribution. These are standard UMD-wrapped builds, not obfuscated malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.17.3.js | AI (source-diff): Sinon's fake XHR and eval-based spy proxying are core features. This is the primary versioned bundle for this release. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.6.0.js | AI (source-diff): Sinon's fake XHR and eval-based spy proxying are core features. Legitimate sinon source confirmed in sample. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.0.0-pre.js | AI (source-diff): Sinon's fake XHR/server and eval-based spy proxying are core features. Legitimate sinon source with BSD license header confirmed in sample. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.0.0-pre.js | AI (source-diff): Sinon ships minified browser bundles in pkg/ as a core part of its distribution. These are standard UMD-wrapped builds, not obfuscated malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.6.0.js | AI (source-diff): Sinon's fake timer implementation combined with eval for spy proxying is a core feature, not malware. Legitimate sinon source with BSD license header. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-2.0.0-pre.js | AI (source-diff): Sinon's fake XHR/server implementation simulates network calls; eval is used for spy arity preservation. Both are documented core features, not dropper behavior. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.6.0.js | AI (source-diff): Sinon's fake XHR/server implementation simulates network calls; eval is used for spy arity preservation. Both are documented core features, not dropper behavior. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.10.0.js | AI (source-diff): Bundled distribution artifact of Sinon.JS; network calls are fake XHR mocking (core feature), dynamic code is eval for spy proxy length matching. Not malicious. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.10.0.js | AI (source-diff): Bundled distribution artifact of Sinon.JS timers module; legitimate fake timer implementation, not dropper behavior. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.10.0.js | AI (source-diff): Bundled distribution artifact of Sinon.JS server module; fake XHR/server mocking is the library's core purpose, not dropper behavior. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.8.2.js | AI (source-diff): Sinon's bundled browser distribution files legitimately contain XHR simulation (network) and eval-based proxy creation (code exec). These are core features, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.8.2.js | AI (source-diff): sinon-server bundle implements fake XHR/server for testing. Network calls are the simulated API, not exfiltration. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.8.2.js | AI (source-diff): sinon-timers bundle implements fake timer APIs (setTimeout etc.) for testing. No actual network or malicious exec. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.8.0.js | AI (source-diff): Same as sinon-1.8.2.js — versioned build artifact with legitimate XHR simulation and eval-based proxy. Not malicious. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.8.1.js | AI (source-diff): Same as sinon-1.8.2.js — versioned build artifact with legitimate XHR simulation and eval-based proxy. Not malicious. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.8.1.js | AI (source-diff): Same as sinon-server-1.8.2.js — legitimate fake server bundle. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.8.0.js | AI (source-diff): Same as sinon-server-1.8.2.js — legitimate fake server bundle. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.8.1.js | AI (source-diff): Same as sinon-timers-1.8.2.js — legitimate fake timers bundle. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.8.0.js | AI (source-diff): Same as sinon-timers-1.8.2.js — legitimate fake timers bundle. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.3.3.js | AI (source-diff): Sinon's core purpose is mocking XHR/network and spying on code execution; network+exec patterns are inherent to the library, not malware indicators. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.3.3.js | AI (source-diff): Version-stamped browser bundle built by prepublish script; identical structure to already-accepted sinon.js bundle. Minification is expected for Sinon's pkg/ distribution artifacts. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.3.3.js | AI (source-diff): Version-stamped browser bundle (no sourcemaps variant) built by prepublish script; same pattern as already-accepted sinon-no-sourcemaps.js. Minification is expected. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.3.3.js | AI (source-diff): Sinon's core purpose is mocking XHR/network and spying on code execution; network+exec patterns are inherent to the library, not malware indicators. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.15.3.js | AI (source-diff): Sinon's pkg/ directory contains bundled distribution files. Network simulation and eval-based proxies are core library features, not malware indicators. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.15.2.js | AI (source-diff): Sinon's pkg/ directory contains bundled distribution files. Network simulation and eval-based proxies are core library features, not malware indicators. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.15.0.js | AI (source-diff): Sinon's pkg/ directory contains bundled distribution files. Network simulation and eval-based proxies are core library features, not malware indicators. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.2.0.js | AI (source-diff): Sinon is a test mocking library; network patterns are XHR/fetch mocking capabilities, not dropper behavior. UMD loader pattern triggers false positive. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.2.0.js | AI (source-diff): Standard Browserify/UMD browser bundle shipped by sinon for CDN/browser use. Long lines are minified output, not obfuscation. BSD-3 license header confirms legitimacy. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.2.0.js | AI (source-diff): Standard Browserify/UMD browser bundle (no-sourcemaps variant) shipped by sinon for CDN/browser use. Identical pattern to already-accepted sinon-no-sourcemaps.js. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.2.0.js | AI (source-diff): Same false positive as sinon-2.2.0.js — sinon's XHR mocking and UMD loader pattern, not malware. Identical to already-accepted sinon-no-sourcemaps.js finding. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.12.1.js | AI (source-diff): Sinon ships versioned build artifacts in pkg/. These contain fake XHR (network) and eval-based spy proxies — core library features, not malware. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.12.2.js | AI (source-diff): Same as above — sinon's own bundled build artifact with fake XHR and eval-based spy proxies. Legitimate library code, not a dropper. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.17.1.js | AI (source-diff): This is sinon's standard bundled build artifact. Network calls are XHR mocking; eval is for spy proxy arity — both are core documented features, not malware indicators. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.0.0.js | AI (source-diff): Sinon ships versioned browser bundles in pkg/; these are standard minified UMD builds, not obfuscated malware. Pattern is consistent across all sinon releases. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.0.0.js | AI (source-diff): Same rationale as net-exec-file:pkg/sinon-2.0.0.js — inherent to sinon's test-double functionality. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.0.0.js | AI (source-diff): Sinon's core functionality requires XHR interception and dynamic dispatch for test doubles; net+exec pattern is inherent to the library, not malicious. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.0.0.js | AI (source-diff): Versioned no-sourcemaps bundle is a standard build artifact; same pattern as accepted pkg/sinon-no-sourcemaps.js. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.3.7.js | AI (source-diff): Network/exec pattern is the browserify require() module loader, not malicious network calls. Identical to already-accepted pkg/sinon.js pattern. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.3.7.js | AI (source-diff): Standard browserify bundle (no-sourcemaps variant) with BSD-3 license header. Same legitimate build artifact pattern as accepted sinon-no-sourcemaps.js. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.3.7.js | AI (source-diff): Network/exec pattern is the browserify require() module loader. Identical to already-accepted pkg/sinon-no-sourcemaps.js pattern. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.3.7.js | AI (source-diff): Standard browserify bundle with BSD-3 license header. The long lines are minified build output from sinon's prepublish step, not obfuscation. Pattern matches accepted sinon.js variant. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.3.8.js | AI (source-diff): Version-stamped browser bundle build artifact produced by sinon's prepublish build step. Standard minified distribution for browser use, not malicious obfuscation. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.3.8.js | AI (source-diff): Sinon is a test mocking library that simulates XHR/network calls by design. Network+exec pattern is inherent to its core functionality, not dropper behavior. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.3.8.js | AI (source-diff): Version-stamped browser bundle build artifact (no-sourcemaps variant). Standard minified distribution for browser use, not malicious obfuscation. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.3.8.js | AI (source-diff): Sinon is a test mocking library that simulates XHR/network calls by design. Network+exec pattern is inherent to its core functionality, not dropper behavior. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.7.0.js | AI (source-diff): Sinon timers bundle fakes setTimeout/setInterval. Network+exec pattern is inherent to the library's purpose, not malicious. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.7.0.js | AI (source-diff): Sinon server bundle legitimately fakes XMLHttpRequest for testing. Network+exec pattern is inherent to the library's purpose, not malicious. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.7.0.js | AI (source-diff): Sinon's bundled distribution file legitimately combines XHR faking (network) and dynamic proxy generation (code exec) as core test-mocking functionality. Not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.7.3.js | AI (source-diff): Sinon's bundled distribution file legitimately combines fake XHR/network mocking with eval-based spy proxies — core library features, not malware. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.7.3.js | AI (source-diff): Sinon timers bundle legitimately implements fake timer APIs. Network + eval pattern is a core feature of this test library, not a dropper. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.7.3.js | AI (source-diff): Sinon server bundle legitimately implements fake HTTP server mocking. Network + eval pattern is a core feature of this test library, not a dropper. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.3.2.js | AI (source-diff): Version-stamped browser bundle produced by sinon's standard prepublish build step. Content is identical in structure to already-accepted sinon.js bundle — minified browserify output, not obfuscation. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.3.2.js | AI (source-diff): Same rationale as sinon-2.3.2.js: XHR simulation and dynamic execution are sinon's core testing features, not malware indicators. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.3.2.js | AI (source-diff): Version-stamped no-sourcemaps browser bundle from sinon's standard build. Same content as already-accepted sinon-no-sourcemaps.js — minified browserify output. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.3.2.js | AI (source-diff): Sinon's core functionality includes XHR simulation (network) and spy/stub mechanics (dynamic execution). These are not dropper indicators; they are the library's documented purpose. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-3.2.0.js | AI (source-diff): Versioned no-sourcemaps browser bundle for CDN distribution. Same content as already-accepted pkg/sinon-no-sourcemaps.js. Standard sinon build artifact. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-3.2.0.js | AI (source-diff): Network patterns are sinon's fake XHR (nise) functionality. Same pattern as already-accepted pkg/sinon-no-sourcemaps.js. Core library purpose, not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon-3.2.0.js | AI (source-diff): Versioned browser bundle (UMD/browserify output) for CDN distribution. Same content pattern as already-accepted pkg/sinon.js. Standard sinon build artifact, not malicious. | ai | |
| source-diff | net-exec-file:pkg/sinon-3.2.0.js | AI (source-diff): Network patterns are sinon's fake XHR (nise) functionality; dynamic execution is UMD wrapper. Same pattern as already-accepted pkg/sinon.js. Core library purpose, not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon.cjs | AI (source-diff): sinon ships Browserify bundles in pkg/ as part of its standard build; long lines are minified bundle output, not obfuscation. Stable pattern for this package. | ai | |
| source-diff | net-exec-file:pkg/sinon.cjs | AI (source-diff): Network calls in sinon.cjs are fake XHR/server mocking APIs (sinon's core feature); dynamic require() is Browserify bundle boilerplate. Not malicious. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.3.1.js | AI (source-diff): Version-stamped browser bundle built by prepublish script; same pattern as pkg/sinon.js which was already accepted. Legitimate minified Sinon library output. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.3.1.js | AI (source-diff): Network/exec patterns are Sinon's XHR faking and fake timer features — core test mocking functionality, not malware. Same pattern accepted in pkg/sinon.js. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.3.1.js | AI (source-diff): Version-stamped browser bundle (no sourcemaps variant) built by prepublish script. Identical content to accepted pkg/sinon-no-sourcemaps.js, just version-stamped filename. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.3.1.js | AI (source-diff): Network/exec patterns are Sinon's XHR faking and fake timer features — core test mocking functionality. Same pattern accepted in pkg/sinon-no-sourcemaps.js. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-3.2.1.js | AI (source-diff): Same as sinon-3.2.1.js — standard browser bundle without sourcemaps. Minification is expected for pkg/ browser builds. | ai | |
| source-diff | net-exec-file:pkg/sinon-3.2.1.js | AI (source-diff): Network calls are sinon's fake XHR feature; dynamic execution is browserify module system. Both are core library features, not malware indicators. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-3.2.1.js | AI (source-diff): Same as sinon-3.2.1.js — network/exec patterns are sinon's fake XHR and browserify module system, not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon-3.2.1.js | AI (source-diff): This is sinon's standard browser bundle (browserify output), clearly identified by BSD-3 license header. Minification is expected for pkg/ browser builds. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.12.0.js | AI (source-diff): Same as sinon-1.11.1.js: legitimate sinon distribution bundle with XHR faking and eval proxy construction. Not malicious. | ai | |
| phantom-deps | phantom-dep:lolex | AI (phantom-deps): lolex is explicitly declared as a runtime dependency in package.json; phantom-dep finding is a false positive for this package. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.11.1.js | AI (source-diff): Sinon ships versioned bundle files in pkg/; the 'network+exec' pattern is sinon's XHR faking and arity-matching eval proxy — core library features, not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.3.6.js | AI (source-diff): Version-stamped browser bundle of sinon; identical structure to already-accepted pkg/sinon.js. Standard browserify minification for a test library, not obfuscation. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.3.6.js | AI (source-diff): Sinon's core purpose is mocking network calls (XHR/fetch); dynamic require() in browserify bundle is expected. Not a dropper/loader pattern. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.3.6.js | AI (source-diff): Version-stamped browser bundle without sourcemaps; identical structure to already-accepted pkg/sinon-no-sourcemaps.js. Standard build artifact. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.3.6.js | AI (source-diff): Same rationale as sinon-2.3.6.js: sinon mocks network calls by design; browserify bundle dynamic require() is not malicious. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-4.0.1.js | AI (source-diff): Versioned browser bundle without sourcemaps. Same structure as already-accepted pkg/sinon-no-sourcemaps.js. Minification is expected for CDN distribution. | ai | |
| source-diff | net-exec-file:pkg/sinon-4.0.1.js | AI (source-diff): Network signals are from sinon's fake XHR mocking functionality, not malicious network calls. No external URL fetching or remote code execution present. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-4.0.1.js | AI (source-diff): Network signals are from sinon's fake XHR mocking functionality, not malicious network calls. No external URL fetching or remote code execution present. | ai | |
| source-diff | obfuscated-file:pkg/sinon-4.0.1.js | AI (source-diff): Versioned browser bundle (browserify/UMD) with BSD-3 license header. Same structure as already-accepted pkg/sinon.js. Minification is expected for CDN distribution. | ai | |
| source-diff | obfuscated-file:pkg/sinon-4.0.2.js | AI (source-diff): Standard browserify browser bundle for sinon testing library; minification is expected for browser distribution builds. Content is sinon's documented API. | ai | |
| source-diff | net-exec-file:pkg/sinon-4.0.2.js | AI (source-diff): Network calls are sinon's fake XHR implementation; dynamic code execution is browserify module loader pattern. Both are core sinon features, not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-4.0.2.js | AI (source-diff): Standard browserify browser bundle variant without sourcemaps; minification is expected for browser distribution builds. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-4.0.2.js | AI (source-diff): Network calls are sinon's fake XHR implementation; dynamic code execution is browserify module loader pattern. Both are core sinon features, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.16.1.js | AI (source-diff): Sinon's bundled distribution files legitimately combine XHR interception (network) with eval-based proxy construction (code exec) — this is the library's core test-mocking functionality, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.17.0.js | AI (source-diff): Same as above — standard Sinon UMD bundle with XHR faking and arity-matching eval; false positive for this package. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.17.0.js | AI (source-diff): Sinon-server bundle legitimately combines XHR server simulation (network) with dynamic code execution; core library functionality, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.17.2.js | AI (source-diff): Same as above — standard Sinon UMD bundle with XHR faking and arity-matching eval; false positive for this package. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.4.1.js | AI (source-diff): sinon-timers fakes browser timer APIs; eval(timer.func) simulates setTimeout(string) browser behavior. Legitimate test utility, not a dropper. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.4.1.js | AI (source-diff): sinon-server is a fake XHR/server implementation for testing — network API usage is the core feature, not malware. Stable false positive for this package. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.4.1.js | AI (source-diff): sinon-1.4.1.js is the main distribution bundle combining all sinon modules. Network + eval patterns are core test-mocking features, not malware indicators. | ai | |
| provenance | no-provenance | AI (provenance): sinon 1.16.0 was published in 2015, predating Sigstore provenance. No provenance is expected for this package era. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.16.0.js | AI (source-diff): This is sinon's standard UMD build artifact. Network calls are XHR faking; eval is for spy proxy arity construction. Both are core library features, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.1.0.js | AI (source-diff): Sinon's core purpose is intercepting XHR/network calls for testing. Network+exec pattern is inherent to the library's functionality, not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.1.0.js | AI (source-diff): Standard Browserify/UMD browser bundle with BSD-3 license header. Sinon ships versioned browser bundles as part of its normal release process. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.1.0.js | AI (source-diff): Same as sinon-2.1.0.js — network interception is sinon's core testing functionality, not malicious behavior. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.1.0.js | AI (source-diff): Standard Browserify/UMD browser bundle variant without sourcemaps. Normal sinon release artifact. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.4.1.js | AI (source-diff): Same as sinon-2.4.1.js — standard browserify bundle variant without source maps. Identical benign pattern. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.4.1.js | AI (source-diff): Standard browserify UMD bundle for sinon's browser distribution. Long lines are minification, not obfuscation. Content is recognizable sinon source with BSD-3 license header. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.4.1.js | AI (source-diff): Same as sinon-2.4.1.js — XHR mocking and UMD loader pattern in the no-sourcemaps bundle variant. Core library functionality, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.4.1.js | AI (source-diff): Network calls are sinon's XHR/fetch mocking functionality; dynamic execution is the UMD module loader pattern. Both are core features of this testing library, not malware indicators. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.17.7.js | AI (source-diff): pkg/sinon-*.js is sinon's standard UMD build artifact. Network calls are fake XHR implementation; dynamic code execution is eval-based spy proxy. Both are core, documented sinon features, not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-2.4.0.js | AI (source-diff): sinon ships versioned browser bundles in pkg/; the no-sourcemaps variant is a standard distribution artifact. | ai | |
| source-diff | net-exec-file:pkg/sinon-2.4.0.js | AI (source-diff): sinon is a test spy/stub library that mocks XHR/network calls; net+exec pattern in its browser bundle is core functionality, not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon-2.4.0.js | AI (source-diff): sinon ships versioned browser bundles (browserified builds) in pkg/; minified output is expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:native-promise-only | AI (phantom-deps): native-promise-only is used in sinon's browser bundle build process; not directly required in main entry but legitimately declared. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-2.4.0.js | AI (source-diff): Same as sinon-2.4.0.js — net+exec pattern in sinon's browser bundle reflects XHR mocking functionality, not malicious behavior. | ai | |
| source-diff | obfuscated-file:pkg/sinon.js | AI (source-diff): Browserified bundle with UMD wrapper; standard build artifact for sinon's browser distribution. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.10.2.js | AI (source-diff): Pre-built browser bundle for sinon testing library; network simulation + eval are core documented features, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.10.2.js | AI (source-diff): Pre-built sinon-server browser bundle; fake XHR server implementation triggers network pattern; legitimate testing library artifact. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.10.3.js | AI (source-diff): Pre-built sinon-server browser bundle; fake XHR server implementation triggers network pattern; legitimate testing library artifact. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.10.2.js | AI (source-diff): Pre-built sinon-timers browser bundle; fake timer API triggers code execution pattern; legitimate testing library artifact. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.10.3.js | AI (source-diff): Pre-built sinon-timers browser bundle; fake timer API triggers code execution pattern; legitimate testing library artifact. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.10.3.js | AI (source-diff): Pre-built browser bundle for sinon testing library; network simulation (fake XHR) + eval for arity-preserving proxies are core documented features, not malware. | ai | |
| source-diff | net-exec-file:pkg/sinon.js | AI (source-diff): Browserify UMD wrapper contains require() machinery; false positive for bundled code. | ai | |
| source-diff | net-exec-file:pkg/sinon-server-1.9.1.js | AI (source-diff): Bundled Sinon.JS server distribution file; fake server/XHR is a documented core feature, not malicious network activity. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.9.1.js | AI (source-diff): Bundled Sinon.JS distribution file; network simulation and eval are core library features (fake XHR, spy arity matching), not malware indicators. | ai | |
| source-diff | net-exec-file:pkg/sinon-timers-1.9.1.js | AI (source-diff): Bundled Sinon.JS timers distribution file; fake timer implementation is a documented core feature, not malicious. | ai | |
| dependencies | unvetted-dep:@sinonjs/formatio | AI (dependencies): @sinonjs/formatio is the sinonjs org's own formatting library, a legitimate first-party dependency for this package. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps.cjs | AI (source-diff): Legitimate browserify bundle with license header and readable require() calls; standard build artifact. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps.cjs | AI (source-diff): Dynamic require() in bundler output is normal; not indicative of dropper/loader malware. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New dependencies are established packages in sinonjs ecosystem; no suspicious additions. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps-3.0.0.js | AI (source-diff): Standard browserify UMD bundle variant without sourcemaps; same legitimate browser distribution artifact as the main bundle. | ai | |
| source-diff | obfuscated-file:pkg/sinon-3.0.0.js | AI (source-diff): Standard browserify UMD bundle for browser distribution; sinon ships minified pkg/ builds as part of its documented release process. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase reflects addition of pre-built bundles for multiple module formats; expected for major refactor. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps-3.0.0.js | AI (source-diff): Same as sinon-3.0.0.js — FakeXMLHttpRequest test utility and browserify require() patterns, not malicious network+exec. | ai | |
| source-diff | net-exec-file:pkg/sinon-3.0.0.js | AI (source-diff): FakeXMLHttpRequest is sinon's core test utility simulating XHR; dynamic require() is standard browserify module resolution, not dropper behavior. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.13.0.js | AI (source-diff): Sinon's bundled build artifact legitimately contains XHR simulation (network) and eval-based proxy creation (code exec) as core test library functionality. Not malware. | ai | |
| source-diff | obfuscated-file:pkg/sinon-esm.js | AI (source-diff): Legitimate browserify bundle with license header and readable require() calls; standard build artifact. | ai | |
| source-diff | net-exec-file:pkg/sinon-esm.js | AI (source-diff): Dynamic require() in bundler output is normal; not indicative of dropper/loader malware. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 36 new files are pre-built bundles in pkg/ directory; intentional distribution artifacts listed in package.json files array. | ai | |
| source-diff | net-exec-file:pkg/sinon-no-sourcemaps.js | AI (source-diff): Browserify UMD wrapper contains require() machinery; false positive for bundled code. | ai | |
| source-diff | obfuscated-file:pkg/sinon-no-sourcemaps.js | AI (source-diff): Browserified bundle variant; standard build artifact for sinon's browser distribution. | ai | |
| source-diff | net-exec-file:pkg/sinon-1.17.6.js | AI (source-diff): This is Sinon's standard bundled distribution file with canonical BSD license header and UMD wrapper. Network APIs are for fake XHR mocking; eval is for spy proxy construction. Not malware. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition; new publisher has strong history, repository URL unchanged. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): seeflanigan removal is part of a documented team transition for the sinon project. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): fatso83, mantoni, mrgnrdrck are recognized sinon project contributors; this is a legitimate team expansion. | ai | |
| dependencies | unvetted-dep:formatio | AI (dependencies): formatio is a formatting utility; tight constraint (~1.1.1) and standard dependency for this library. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval in sinon/spy.js is used to create proxy functions with correct arity — a well-known, intentional pattern in sinon's spy implementation across all versions. | ai | |
| dependencies | unvetted-dep:nise | AI (dependencies): nise is a mock HTTP library maintained by the sinonjs org; stable dependency for this package. | ai | |
| phantom-deps | phantom-dep:npm-run-all | AI (phantom-deps): Build orchestration tool used in scripts; not a runtime dependency; stable pattern for this package. | ai | |
| dependencies | unvetted-dep:npm-run-all | AI (dependencies): npm-run-all is a legitimate build utility used in sinon's test scripts; stable for this package. | ai | |
| typosquat | typosquat.levenshtein:pino | AI (typosquat): sinon is an established testing library with distinct identity; Levenshtein match to pino is a false positive. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in minified UMD build artifact is standard for universal module detection; not hand-written code. | ai | |
| dependencies | unvetted-dep:@sinonjs/fake-timers | AI (dependencies): @sinonjs/fake-timers is an official sub-package of the sinon project; legitimate and expected. | ai | |
| dependencies | unvetted-dep:@sinonjs/samsam | AI (dependencies): @sinonjs/samsam is an official sub-package of the sinon project; legitimate and expected. | ai | |
| dependencies | unvetted-dep:diff | AI (dependencies): diff is a well-known, legitimate text diffing library; expected dependency for sinon's assertion output. | ai | |
| dependencies | unvetted-dep:@sinonjs/commons | AI (dependencies): Official sinonjs organization dependency; trusted internal package for this ecosystem. | ai | |
Versions (showing 51 of 196)
| Version | Deps | Published |
|---|---|---|
| 22.0.0 | 4 / 28 | |
| 21.1.2 | 4 / 28 | |
| 21.1.1 | 5 / 26 | |
| 21.1.0 | 5 / 26 | |
| 21.0.3 | 5 / 23 | |
| 21.0.2 | 5 / 23 | |
| 21.0.1 | 5 / 23 | |
| 21.0.0 | 5 / 24 | |
| 20.0.0 | 5 / 24 | |
| 19.0.5 | 6 / 24 | |
| 19.0.4 | 6 / 24 | |
| 19.0.3 | 6 / 24 | |
| 19.0.2 | 6 / 25 | |
| 19.0.1 | 6 / 25 | |
| 19.0.0 | 6 / 25 | |
| 18.0.1 | 6 / 20 | |
| 18.0.0 | 6 / 20 | |
| 17.0.2 | 6 / 20 | |
| 17.0.1 | 6 / 20 | |
| 17.0.0 | 6 / 20 | |
| 16.1.3 | 6 / 23 | |
| 16.1.0 | 6 / 24 | |
| 16.0.0 | 6 / 24 | |
| 15.2.0 | 6 / 24 | |
| 15.1.2 | 6 / 24 | |
| 15.1.1 | 6 / 24 | |
| 15.1.0 | 6 / 24 | |
| 15.0.4 | 6 / 24 | |
| 15.0.3 | 6 / 24 | |
| 15.0.2 | 6 / 24 | |
| 15.0.1 | 6 / 24 | |
| 15.0.0 | 6 / 24 | |
| 14.0.2 | 6 / 24 | |
| 14.0.1 | 6 / 24 | |
| 14.0.0 | 6 / 24 | |
| 13.0.2 | 6 / 24 | |
| 13.0.1 | 6 / 24 | |
| 13.0.0 | 6 / 22 | |
| 12.0.1 | 6 / 23 | |
| 12.0.0 | 6 / 23 | |
| 11.1.2 | 6 / 22 | |
| 11.1.1 | 6 / 22 | |
| 11.1.0 | 6 / 22 | |
| 11.0.0 | 6 / 22 | |
| 10.0.1 | 6 / 20 | |
| 10.0.0 | 6 / 20 | |
| 9.2.4 | 6 / 25 | |
| 9.2.3 | 6 / 25 | |
| 9.2.2 | 7 / 27 | |
| 9.2.1 | 7 / 27 | |
| 9.2.0 | 7 / 27 | |
v22.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.1.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.1.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v21.0.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-13. This could indicate a legitimate maintainer transition or an account compromise.
v20.0.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-24. This could indicate a legitimate maintainer transition or an account compromise.
v19.0.5
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-03-24. This could indicate a legitimate maintainer transition or an account compromise.
v19.0.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.0.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.1.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v16.0.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-09-13. This could indicate a legitimate maintainer transition or an account compromise.
v15.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.1.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.0.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.0.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v15.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.2
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-07. This could indicate a legitimate maintainer transition or an account compromise.
v14.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-05-07. This could indicate a legitimate maintainer transition or an account compromise.
v13.0.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.0.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-04. This could indicate a legitimate maintainer transition or an account compromise.
v12.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.2
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-07-27. This could indicate a legitimate maintainer transition or an account compromise.
v11.1.1
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.1.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v11.0.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-05-24. This could indicate a legitimate maintainer transition or an account compromise.
v10.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-03-22. This could indicate a legitimate maintainer transition or an account compromise.
v9.2.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.2.3
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-01-06. This could indicate a legitimate maintainer transition or an account compromise.
v9.2.2
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-12-11. This could indicate a legitimate maintainer transition or an account compromise.
v9.2.1
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-10-28. This could indicate a legitimate maintainer transition or an account compromise.
v9.2.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-10-06. This could indicate a legitimate maintainer transition or an account compromise.