testem
Test'em 'scripts! Javascript Unit testing made easy.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | no-provenance | AI (provenance): Established package with long history; provenance is a best-practice enhancement, not a blocker. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): step2yeung added as maintainer is a legitimate transition; long-standing contributor with clean track record. | ai | |
| provenance | publisher-changed | AI (provenance): step2yeung is a known testem/Ember ecosystem contributor with 310 approved packages; legitimate maintainer transition from stefanpenner. | ai | |
| dependencies | unvetted-dep:xmldom | AI (dependencies): xmldom is a legitimate XML parsing dependency used in testem's browser testing infrastructure; its presence is expected and stable across versions. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Dependency change consolidates multiple lodash sub-packages into the canonical lodash package — a routine refactoring with no security concern for this well-established test runner. | ai | |
| dependencies | unvetted-dep:http-proxy | AI (dependencies): http-proxy is a long-standing, widely-used reverse proxy package; its use in testem for proxying test requests is expected and legitimate. | ai | |
| phantom-deps | phantom-dep:rimraf | AI (phantom-deps): rimraf is declared and referenced in config; phantom-dep annotation is a false positive for this use case. | ai | |
| phantom-deps | phantom-dep:mustache | AI (phantom-deps): mustache is declared and referenced in config; phantom-dep annotation is a false positive for this use case. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Enumerating process.env for PATH variable is standard CLI tool pattern for cross-platform compatibility. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require for user config files is legitimate for a testing framework; path is controlled via resolveConfigPath(). | ai |
Versions (showing 51 of 353)
| Version | Deps | Published |
|---|---|---|
| 3.20.1 | 24 / 19 | |
| 3.20.0 | 24 / 20 | |
| 3.19.1 | 24 / 17 | |
| 3.19.0 | 25 / 18 | |
| 3.18.0 | 25 / 18 | |
| 3.17.0 | 25 / 18 | |
| 3.16.0 | 25 / 18 | |
| 3.15.2 | 25 / 18 | |
| 3.15.1 | 25 / 18 | |
| 3.15.0 | 29 / 18 | |
| 3.14.0 | 29 / 18 | |
| 3.13.0 | 29 / 19 | |
| 3.12.0 | 29 / 19 | |
| 3.11.0 | 29 / 19 | |
| 3.10.1 | 29 / 19 | |
| 3.10.0 | 29 / 19 | |
| 3.9.0 | 29 / 19 | |
| 3.8.0 | 29 / 19 | |
| 3.7.0 | 29 / 19 | |
| 3.6.0 | 29 / 19 | |
| 3.5.0 | 29 / 19 | |
| 3.4.3 | 29 / 19 | |
| 3.4.1 | 29 / 18 | |
| 3.3.0 | 29 / 18 | |
| 3.2.1 | 29 / 18 | |
| 3.2.0 | 29 / 18 | |
| 3.0.0 | 29 / 18 | |
| 2.17.0 | 29 / 18 | |
| 2.7.1 | 27 / 18 | |
| 2.3.0 | 27 / 18 | |
| 2.2.1 | 27 / 18 | |
| 2.0.0 | 27 / 18 | |
| 1.18.5 | 26 / 18 | |
| 1.18.4 | 26 / 18 | |
| 1.18.3 | 26 / 18 | |
| 1.18.2 | 26 / 18 | |
| 1.18.1 | 26 / 18 | |
| 1.18.0 | 26 / 18 | |
| 1.17.0 | 26 / 18 | |
| 1.16.2 | 26 / 18 | |
| 1.16.1 | 26 / 18 | |
| 1.16.0 | 26 / 18 | |
| 1.15.0 | 25 / 18 | |
| 1.14.3 | 25 / 18 | |
| 1.14.2 | 25 / 18 | |
| 1.14.1 | 26 / 18 | |
| 1.14.0 | 26 / 18 | |
| 1.13.0 | 26 / 17 | |
| 1.12.0 | 26 / 17 | |
| 1.11.0 | 26 / 17 | |
| 1.10.4 | 25 / 17 |
v3.20.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.19.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.19.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.18.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.17.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.16.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.15.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.15.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.15.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.14.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
2 findingsThis version was published by a different npm account than previous versions on 2020-06-04. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
2 findingsThis version was published by a different npm account than previous versions on 2019-09-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.17.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-07-11. This could indicate a legitimate maintainer transition or an account compromise.
v2.7.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-04-03. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.