@lambdatest/node-tunnel

Nodejs bindings for LambdaTest Tunnel

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

lambdatestdev

Keywords

lambdatesttunnellocalseleniumtesting

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:silent-process-exec	AI (semgrep): Detached spawn is used to launch the LambdaTest tunnel binary as a background process — core functionality of this tunnel wrapper library.	ai	2026/04/23
semgrep	semgrep:silent-process-exec-var	AI (semgrep): Same detached spawn of the tunnel binary; expected behavior for a tunnel launcher package.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): child_process is required for spawning and managing the tunnel binary subprocess — fundamental to this package's purpose.	ai	2026/04/23
semgrep	semgrep:child-process-spawn	AI (semgrep): Spawning the LambdaTest tunnel binary is the core function of this package.	ai	2026/04/23
semgrep	semgrep:child-process-exec	AI (semgrep): taskkill on Windows is a standard cleanup pattern to terminate the tunnel process on shutdown.	ai	2026/04/23
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): 127.0.0.1 is localhost; used to call the tunnel's local info API for graceful shutdown — not exfiltration.	ai	2026/04/23

Versions (showing 45 of 45)

Version	Deps	Published
4.0.11	5 / 12	2026-02-17
4.0.10	5 / 12	2026-01-12
4.0.9	5 / 12	2025-02-21
4.0.8	5 / 12	2024-05-10
4.0.7	5 / 12	2023-12-14
4.0.6	5 / 12	2023-12-14
4.0.5	5 / 12	2023-11-13
4.0.4	5 / 12	2023-07-31
4.0.3	5 / 12	2023-07-25
4.0.2	5 / 12	2023-07-24
4.0.1	5 / 12	2023-04-20
4.0.0	5 / 12	2023-04-13
3.0.14	5 / 11	2023-04-11
3.0.13	5 / 11	2023-04-11
3.0.12	5 / 11	2023-01-16
3.0.11	5 / 11	2022-08-29
3.0.10	5 / 11	2022-08-16
3.0.9	5 / 11	2022-08-15
3.0.8	5 / 11	2022-08-05
3.0.7	5 / 11	2022-05-13
3.0.6	5 / 11	2022-03-25
3.0.5	5 / 11	2022-02-16
3.0.4	5 / 11	2022-02-16
3.0.3	5 / 11	2022-02-16
3.0.2	4 / 11	2022-01-25
3.0.1	4 / 11	2021-06-09
3.0.0	4 / 11	2020-11-03
2.0.2	4 / 11	2020-05-14
2.0.1	4 / 11	2020-05-05
2.0.0	4 / 11	2020-05-04
1.1.4	4 / 11	2020-05-04
1.1.3	4 / 11	2020-03-24
1.1.2	4 / 11	2020-02-17
1.1.1	4 / 11	2020-02-17
1.1.0	4 / 11	2020-02-17
1.0.9	4 / 11	2019-11-01
1.0.8	4 / 11	2019-11-01
1.0.7	4 / 11	2019-10-29
1.0.6	4 / 11	2019-10-29
1.0.5	4 / 11	2019-09-06
1.0.4	4 / 11	2019-09-03
1.0.3	4 / 11	2019-08-02
1.0.2	4 / 11	2019-08-02
1.0.1	4 / 11	2019-06-18
1.0.0	4 / 11	2019-05-03

v4.0.11

3 findings

HIGH silent-process-exec: lib/tunnel.js:1165 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/LambdaTest/node-tunnel/blob/27a4acbea1f8c5b95c8bfdb8c6956b0d939005c7/lib/tunnel.js#L1165 1163 | binaryArguments = [...data] 1164 | }) > 1165 | var subprocess = childProcess.spawn(self.binaryPath, binaryArguments, { 1166 | detached:true, 1167 | stdio:'ignore'

HIGH silent-process-exec-var: lib/tunnel.js:1165 semgrep

Silent detached process — runs invisibly in the background (reverse shells, miners) Source: https://github.com/LambdaTest/node-tunnel/blob/27a4acbea1f8c5b95c8bfdb8c6956b0d939005c7/lib/tunnel.js#L1165 1163 | binaryArguments = [...data] 1164 | }) > 1165 | var subprocess = childProcess.spawn(self.binaryPath, binaryArguments, { 1166 | detached:true, 1167 | stdio:'ignore'

LOW No provenance attestation provenance