← Home

tape

npm Repository Homepage

tap-producing test harness for node and browsers

52
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ljharbdomenicraynos

Keywords

taptestharnessassertbrowser

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
npm-metadata suspicious-initial-version AI (npm-metadata): [email protected] is the legitimate first release of the well-known TAP test harness by substack, published ~13 years ago. The 0.0.0 version reflects early release conventions, not malicious intent. ai
provenance publisher-changed AI (provenance): substack (James Halliday) is the original author of tape; the change from domenic back to substack is a legitimate maintainer transition, not a compromise. ai
maintainer-change maintainer-added AI (maintainer-change): ljharb is a well-known, trusted npm ecosystem contributor; this addition is a legitimate maintainer expansion for tape. ai
publish-pattern new-deps-added AI (publish-pattern): function-bind and has are foundational, widely-trusted utility packages with no malicious history; their addition is consistent with normal library evolution. ai
phantom-deps phantom-dep:minimatch AI (phantom-deps): Build/config dependency; stable pattern for tape across versions. ai
provenance no-provenance AI (provenance): Provenance attestation is uncommon (~12% adoption); not a disqualifier for established packages with long history and trusted publishers. ai
dependencies unvetted-dep:resumer AI (dependencies): resumer is a known transitive dependency; tape's 4895-day history and ecosystem trust mitigate unvetted-dep risk. ai
phantom-deps phantom-dep:glob AI (phantom-deps): Build/config dependency; stable pattern for tape across versions. ai
phantom-deps phantom-dep:resolve AI (phantom-deps): Build/config dependency; stable pattern for tape across versions. ai
phantom-deps phantom-dep:minimist AI (phantom-deps): Build/config dependency; stable pattern for tape across versions. ai
phantom-deps phantom-dep:dotignore AI (phantom-deps): Build/config dependency; stable pattern for tape across versions. ai
phantom-deps phantom-dep:object.assign AI (phantom-deps): Build/config dependency; stable pattern for tape across versions. ai
phantom-deps phantom-dep:has-dynamic-import AI (phantom-deps): Build/config dependency; stable pattern for tape across versions. ai
semgrep semgrep:dynamic-require AI (semgrep): Legitimate dual-module-system support (import vs require); controlled variable, not user input. ai
typosquat typosquat.levenshtein:hapi AI (typosquat): tape is a distinct, well-known testing framework; no brand confusion with hapi despite edit distance. ai

Versions (showing 52 of 152)

Version Deps Published
2.8.0 6 / 3
2.7.3 6 / 3
2.7.2 6 / 3
2.7.1 6 / 3
2.7.0 6 / 3
2.6.1 6 / 2
2.6.0 6 / 2
2.5.1 6 / 2
2.5.0 6 / 2
2.4.3 6 / 2
2.4.2 6 / 2
2.4.1 6 / 2
2.4.0 6 / 2
2.3.3 6 / 2
2.3.2 6 / 2
2.3.1 6 / 2
2.3.0 8 / 2
2.2.2 8 / 2
2.2.1 8 / 2
2.2.0 7 / 2
2.1.1 4 / 2
2.1.0 4 / 2
2.0.2 4 / 2
2.0.1 4 / 2
2.0.0 4 / 2
1.1.2 4 / 3
1.1.1 4 / 2
1.1.0 4 / 2
1.0.4 4 / 2
1.0.3 4 / 2
1.0.2 4 / 2
1.0.1 4 / 2
1.0.0 3 / 2
0.3.3 3 / 2
0.3.2 3 / 2
0.3.1 3 / 2
0.3.0 3 / 2
0.2.2 3 / 2
0.2.1 3 / 2
0.2.0 3 / 2
0.1.5 3 / 2
0.1.4 3 / 2
0.1.3 3 / 2
0.1.2 3 / 2
0.1.1 3 / 2
0.1.0 3 / 2
0.0.5 3 / 2
0.0.4 3 / 2
0.0.3 3 / 2
0.0.2 2 / 2
0.0.1 2 / 2
0.0.0 2 / 2

v2.4.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.4.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.