
@forsakringskassan/jest-config-vue

Shareable jest configuration for vue applications

Versions: 4
License: MIT
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

extfk-jonatan-haqgglundtomasbjerreoloff

Keywords

jest

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source           | Rule                            | Reason                                                                                                                                              | Accepted by | When
-----------------|---------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-----
maintainer-change | maintainer-added                | AI (maintainer-change): SLSA provenance via CI/CD confirms legitimate publish pipeline; maintainer addition is not suspicious here.                 | ai          |
dependencies     | unvetted-dep:prettier-2         | AI (dependencies): prettier 2.x is a well-known stable formatter; no security concerns with this pinned version.                                     | ai          |
provenance       | slsa-provenance                 | AI (provenance): Package consistently published via CI/CD with Sigstore attestation; stable supply chain signal.                                    | ai          |
semgrep          | semgrep:child-process-import    | AI (semgrep): jest.js is the package's own CLI bin wrapper that spawns jest; child_process use is intentional and documented.                        | ai          |
phantom-deps     | phantom-dep:consolidate         | AI (phantom-deps): Jest config package; consolidate likely a transitive/build dep, not an attack vector in this well-established org package.       | ai          |

Versions (showing 4 of 4)

Version | Deps (prod / dev) | Published
--------|-------------------|----------
29.11.2 | 6 / 0             |
29.9.1  | 6 / 0             |
29.9.0  | 6 / 0             |
29.6.4  | 6 / 0             |

v29.11.2 (1 finding)

INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v29.9.1 (2 findings)

HIGH [provenance] Publisher changed: ext → GitHub Actions (on 2026-04-05)

This version was published by a different npm account than previous versions on 2026-04-05. This could indicate a legitimate maintainer transition or an account compromise.

INFO [provenance] Has SLSA provenance attestation

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v29.9.0 (2 findings)

HIGH [phantom-deps] Phantom dependency: consolidate

Declared in package.json dependencies but never imported in source code. Phantom dependencies may exist solely to execute install scripts or inject transitive malicious code. This was the exact attack vector in the axios compromise (plain-crypto-js).

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v29.6.4 (1 finding)

LOW [provenance] No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.