jscoverage
a javascript coverage tool, can be used in node dev, and browser side js dev
20
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
kate.sffishsunfang1cnfishbar
Keywords
jscoveragenodejavascriptcoveragedevtool
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change from kate.sf to fish occurred in 2012 (13+ years ago). Fish has 63 approved packages and has been active since the package's inception. This is a stable historical transition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer 'fish' was added in 2012 alongside the publisher change. Long-established, no risk signal for this package. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): node-waf configure is the canonical native addon build step for Node 0.4.x era packages; this is a legitimate C/C++ native binding. | ai | |
| install-scripts | install-script:install | AI (install-scripts): node-waf is the canonical native addon build tool for Node 0.4.x era; equivalent to node-gyp build in modern packages. | ai | |
| npm-metadata | bundled-binaries | AI (npm-metadata): Binaries are compiled jscoverage C library and native Node.js addon (.node file); expected artifacts for a native binding package. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() calls are in doc/example-jsunit JSUnit test framework files, not core package code. Historical test framework pattern, not a supply-chain risk. | ai |