@oracle/oraclejet-jest-preset
JET preset for Jest testing
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Oracle-maintained package with 175 versions; inactivity gap plausible for enterprise release cadence, no code changes introduced. | ai | |
| dependencies | unvetted-dep:jest-raw-loader | AI (dependencies): Standard Jest loader utility; no malware indicators, consistent with package's testing-preset purpose. | ai | |
| dependencies | unvetted-dep:jest-preset-preact | AI (dependencies): Standard Jest/Preact testing preset; no malware indicators, consistent with package's testing-preset purpose. | ai | |
| dependencies | unvetted-dep:babel-plugin-transform-amd-to-commonjs | AI (dependencies): Standard Babel transform plugin; no malware indicators, consistent with OracleJET's AMD module system. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-decorators | AI (phantom-deps): Babel plugins are loaded by convention in babel config, not direct imports. | ai | |
| phantom-deps | phantom-dep:jest-raw-loader | AI (phantom-deps): Jest preset packages reference loaders in config files, not via direct imports — expected pattern. | ai | |
| phantom-deps | phantom-dep:babel-plugin-transform-amd-to-commonjs | AI (phantom-deps): Babel plugin loaded via config convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@adobe/css-tools | AI (phantom-deps): CSS tools referenced in Jest config/transform setup, not imported directly. | ai | |
| phantom-deps | phantom-dep:identity-obj-proxy | AI (phantom-deps): identity-obj-proxy is a standard Jest moduleNameMapper entry, not directly imported. | ai | |
| phantom-deps | phantom-dep:preact-render-to-string | AI (phantom-deps): Referenced via jest-preset-preact config convention, not direct import. | ai |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 20.1.2 | 9 / 24 | |
| 20.1.1 | 9 / 24 | |
| 20.1.0 | 9 / 24 | |
| 20.0.5 | 9 / 24 | |
| 20.0.4 | 9 / 24 | |
| 20.0.3 | 9 / 24 | |
| 20.0.2 | 9 / 24 | |
| 20.0.1 | 9 / 24 | |
| 20.0.0 | 9 / 24 | |
| 19.0.8 | 9 / 24 | |
| 19.0.7 | 9 / 24 | |
| 19.0.6 | 9 / 24 | |
| 19.0.5 | 9 / 24 | |
| 19.0.4 | 9 / 24 | |
| 19.0.3 | 9 / 24 | |
| 19.0.2 | 9 / 24 | |
| 19.0.1 | 9 / 24 | |
| 18.1.9 | 8 / 17 | |
| 18.1.8 | 8 / 17 | |
| 18.1.7 | 8 / 17 | |
| 18.1.6 | 8 / 17 | |
| 18.0.14 | 8 / 17 | |
| 18.0.13 | 8 / 17 | |
| 18.0.12 | 8 / 17 | |
| 18.0.11 | 8 / 17 | |
| 18.0.10 | 8 / 17 | |
| 17.1.9 | 8 / 17 | |
| 17.1.8 | 8 / 17 | |
| 17.0.11 | 8 / 17 |
v20.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.1.0
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wlouie-orcl) than the most recent previously approved version (meghana-vadlapally) on 2026-05-19, but wlouie-orcl is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v20.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v20.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v20.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.8
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (meghana-vadlapally) than the most recent previously approved version (wlouie-orcl) on 2026-05-28, but meghana-vadlapally is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v19.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v19.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v19.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v19.0.2
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wlouie-orcl) than the most recent previously approved version (smadeghe-orcl) on 2026-01-21, but wlouie-orcl is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v19.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.1.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.1.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.1.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v18.1.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wlouie-orcl) than the most recent previously approved version (smadeghe-orcl) on 2026-01-23, but wlouie-orcl is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v18.0.14
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.0.13
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (meghana-vadlapally) than the most recent previously approved version (wlouie-orcl) on 2026-03-18, but meghana-vadlapally is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v18.0.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v18.0.11
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wlouie-orcl) than the most recent previously approved version (smadeghe-orcl) on 2026-01-23, but wlouie-orcl is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v18.0.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v17.1.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v17.1.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v17.0.11
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (wlouie-orcl) than the most recent previously approved version (smadeghe-orcl) on 2026-02-25, but wlouie-orcl is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.