ts-jest
A Jest transformer with source map support that lets you use Jest to test projects written in TypeScript
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): anhpnnd (Anh Pham) is a named contributor in package.json; this is a documented team member, not an unknown actor. Publisher transition is legitimate. | ai | |
| provenance | no-provenance | AI (provenance): ts-jest is a long-established, trusted package; lack of Sigstore provenance is a hygiene gap but not a security risk for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): Dependency swap from ejs to handlebars is a routine substitution between two well-established templating libraries; handlebars 4.7.8+ is the patched version. Not a suspicious addition. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers (anhpnnd, tsjest) are listed in package.json contributors and consistent with known ts-jest project history. Legitimate project evolution. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy signal is an artifact of diffing against v24.0.0 (last vetted version). ts-jest has 215 versions and has been continuously maintained; not a real dormancy signal. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers (geewee, huafu) reflect normal contributor turnover on a long-running project. Repository and authorship remain consistent with the original ts-jest project. | ai | |
| dependencies | unvetted-dep:handlebars | AI (dependencies): handlebars is a well-established templating library used by ts-jest for code generation; no malicious indicators. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): semver is explicitly listed as a direct dependency in package.json; phantom detection is a false positive likely due to config-file vs. import analysis. | ai | |
| dependencies | unvetted-dep:fast-json-stable-stringify | AI (dependencies): fast-json-stable-stringify is a widely-used, stable utility; its use in ts-jest is expected and benign. | ai | |
| dependencies | unvetted-dep:bs-logger | AI (dependencies): bs-logger is a long-standing ts-jest dependency with no known malicious history; unvetted status reflects registry gap, not risk. | ai | |
Versions (showing 35 of 35)
| Version | Deps | Published |
|---|---|---|
| 29.4.9 | 9 / 46 | |
| 29.4.0 | 9 / 47 | |
| 29.3.4 | 10 / 46 | |
| 29.3.3 | 10 / 46 | |
| 29.3.2 | 10 / 46 | |
| 29.3.1 | 10 / 46 | |
| 29.3.0 | 10 / 46 | |
| 29.2.6 | 9 / 41 | |
| 29.2.5 | 9 / 41 | |
| 29.2.4 | 9 / 43 | |
| 29.2.3 | 9 / 43 | |
| 29.2.2 | 9 / 43 | |
| 29.2.1 | 9 / 43 | |
| 29.2.0 | 8 / 44 | |
| 29.1.5 | 8 / 45 | |
| 29.1.4 | 8 / 46 | |
| 29.1.3 | 8 / 46 | |
| 29.1.2 | 8 / 46 | |
| 29.1.1 | 8 / 46 | |
| 29.1.0 | 8 / 46 | |
| 29.0.5 | 8 / 47 | |
| 29.0.4 | 8 / 47 | |
| 29.0.3 | 8 / 47 | |
| 29.0.2 | 8 / 47 | |
| 29.0.1 | 8 / 47 | |
| 29.0.0 | 8 / 47 | |
| 28.0.8 | 8 / 47 | |
| 28.0.6 | 8 / 47 | |
| 28.0.5 | 8 / 47 | |
| 28.0.4 | 8 / 47 | |
| 28.0.3 | 8 / 47 | |
| 28.0.2 | 8 / 47 | |
| 28.0.1 | 8 / 47 | |
| 28.0.0 | 8 / 47 | |
| 24.0.0 | 9 / 36 | |
v29.4.9
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v29.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.3.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.3.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.3.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.2.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v29.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v29.1.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v29.1.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v29.1.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v29.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v29.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.6
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: anhpnnd.
This version was published by a different npm account than previous versions on 2022-07-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v28.0.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v24.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.