← Home

jest-changed-files

npm Repository
23
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

aaronabramovsimenbrickhanloniiopenjs-operationscpojer

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:child-process-import AI (semgrep): jest-changed-files shells out to git/hg by design; child_process usage is core functionality, not malicious. Stable across all versions. ai
semgrep semgrep:child-process-spawn AI (semgrep): Spawning 'git' and 'hg' processes is the explicit purpose of this package. No arbitrary or user-controlled command execution. ai
npm-metadata suspicious-initial-version AI (npm-metadata): jest-changed-files 0.0.0 is a name-reservation stub in the Jest monorepo published by the core Jest maintainer; 0.0.0 is an intentional placeholder pattern, not a malicious throwaway. ai
npm-metadata no-description AI (npm-metadata): Monorepo package; missing description is expected and not indicative of malice. ai
dependencies unvetted-dep:execa AI (dependencies): execa is a well-known, widely-used process execution library; its use is appropriate for a package that shells out to git/hg to detect changed files. ai
bogus-package bogus-package AI (bogus-package): Signals reflect monorepo structure (no keywords, version matches Jest release), not spam indicators. ai

Versions (showing 23 of 23)

Version Deps Published
30.3.0 3 / 0
30.2.0 3 / 0
30.0.5 3 / 0
30.0.2 3 / 0
30.0.1 3 / 0
30.0.0 3 / 0
29.6.3 3 / 0
29.5.0 2 / 0
29.4.3 2 / 0
29.4.2 2 / 0
29.4.0 2 / 0
29.2.0 2 / 0
29.0.0 2 / 0
20.0.3 0 / 0
20.0.2 0 / 0
19.0.2 0 / 0
15.0.0 0 / 1
13.2.2 0 / 1
13.2.1 0 / 1
13.0.0 0 / 1
12.1.0 0 / 1
12.0.2 0 / 1
0.0.0 0 / 0

v30.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.0.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v30.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v30.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v29.6.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v29.5.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v29.4.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v29.4.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v29.4.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v29.2.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v29.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v20.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v20.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v19.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v15.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.2.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v13.2.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v13.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v12.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v12.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.