nock
HTTP server mocking and expectations library for Node.js
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): lodash replaced with lodash.set (scoped sub-package) — a common bundle-size optimization, not a suspicious dependency addition. | ai | |
| dependencies | unvetted-dep:propagate | AI (dependencies): propagate is a legitimate, well-known Node.js event propagation utility; expected dependency for nock's HTTP mocking functionality. | ai | |
| dependencies | unvetted-dep:@mswjs/interceptors | AI (dependencies): @mswjs/interceptors is from the reputable Mock Service Worker (msw) project; a natural dependency for an HTTP mocking library like nock. | ai | |
| dependencies | unvetted-dep:lodash.set | AI (dependencies): lodash.set is an established utility library; adding it to a mature testing library is normal maintenance. No security concern. | ai | |
| provenance | publisher-changed | AI (provenance): nock migrated publishing to GitHub Actions CI/CD with SLSA provenance; the nockbot→GitHub Actions transition is a legitimate automation upgrade for this well-established package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): mikicho (Moshe Atlow) is a known Node.js core contributor and active nock maintainer; addition is a legitimate maintainer transition. | ai | |
| semgrep | semgrep:hex-decode | AI (semgrep): Hex decoding in playback_interceptor.js is legitimate decompression of stored gzip/deflate test fixtures, not obfuscation or payload hiding. Stable for this package's core functionality. | ai |
Versions (showing 49 of 49)
| Version | Deps | Published |
|---|---|---|
| 15.0.0 | 2 / 27 | |
| 14.0.15 | 3 / 25 | |
| 14.0.14 | 3 / 25 | |
| 14.0.13 | 3 / 25 | |
| 14.0.12 | 3 / 25 | |
| 14.0.11 | 3 / 25 | |
| 14.0.10 | 3 / 25 | |
| 14.0.9 | 3 / 25 | |
| 14.0.8 | 3 / 25 | |
| 14.0.7 | 3 / 25 | |
| 14.0.6 | 3 / 25 | |
| 14.0.5 | 3 / 25 | |
| 14.0.4 | 3 / 25 | |
| 14.0.3 | 3 / 25 | |
| 14.0.2 | 3 / 25 | |
| 14.0.1 | 3 / 25 | |
| 14.0.0 | 3 / 25 | |
| 13.5.6 | 3 / 25 | |
| 13.5.5 | 3 / 25 | |
| 13.5.4 | 3 / 25 | |
| 13.5.3 | 3 / 25 | |
| 13.5.2 | 3 / 25 | |
| 13.5.1 | 3 / 25 | |
| 13.5.0 | 3 / 24 | |
| 13.4.0 | 3 / 24 | |
| 13.3.8 | 3 / 24 | |
| 13.3.7 | 3 / 24 | |
| 13.3.6 | 3 / 24 | |
| 13.3.5 | 3 / 24 | |
| 13.3.4 | 4 / 24 | |
| 13.3.3 | 4 / 24 | |
| 13.3.2 | 4 / 24 | |
| 13.3.1 | 4 / 24 | |
| 13.3.0 | 4 / 24 | |
| 13.2.9 | 4 / 24 | |
| 13.2.8 | 4 / 24 | |
| 13.2.7 | 4 / 24 | |
| 13.2.6 | 4 / 24 | |
| 13.2.5 | 4 / 24 | |
| 13.2.4 | 4 / 24 | |
| 13.2.0 | 4 / 25 | |
| 13.1.4 | 4 / 25 | |
| 13.1.3 | 4 / 25 | |
| 13.1.2 | 4 / 25 | |
| 13.1.1 | 4 / 25 | |
| 13.0.7 | 4 / 27 | |
| 13.0.5 | 4 / 27 | |
| 13.0.1 | 4 / 26 | |
| 12.0.3 | 4 / 26 |
v15.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.0.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.0.13
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.0.12
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.0.11
2 findingsThis version was published by a different npm account than previous versions on 2026-02-09. This could indicate a legitimate maintainer transition or an account compromise.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v14.0.10
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v14.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.5.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.5.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.5.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.5.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.5.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.5.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.5.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.4.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.3.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.3.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.3.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.3.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.3.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.3.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.3.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.3.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.3.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.9
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.6
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.2.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.1.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v13.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v12.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.