
@testomatio/reporter

5 versions
License
No install scripts
Verified provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation
npm registry signatures
gitHead linked

Maintainers

davert
denyskuchma2

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
phantom-deps | phantom-dep:aws-sdk | AI (phantom-deps): aws-sdk is a declared dep used indirectly; phantom-dep heuristic false positive. | ai |
semgrep | semgrep:env-bulk-read | AI (semgrep): Filters only TESTOMATIO/S3_ keys for debug logging; not exfiltrating secrets. | ai |
semgrep | semgrep:base64-decode | AI (semgrep): Decodes WebDriver screenshot data from base64 — expected for screenshot capture. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): Used in coverage pipe to run coverage tooling — legitimate for a test reporter. | ai |
semgrep | semgrep:env-spread | AI (semgrep): Passes process.env to spawned test subprocess — standard pattern for a test runner CLI. | ai |
phantom-deps | phantom-dep:has-flag | AI (phantom-deps): Stable false positive; declared dep used transitively or in config. | ai |
phantom-deps | phantom-dep:lodash.memoize | AI (phantom-deps): Stable false positive; declared dep used transitively or in config. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Loads optional @testomatio/webdriver-hooks-enhancer by resolved path, not user input. | ai |

Versions (showing 5 of 5)

Version | Deps | Published
2.7.8 | 29 / 22 |
2.7.6 | 30 / 22 |
2.7.5 | 30 / 22 |
2.6.3 | 30 / 22 |
2.6.1 | 30 / 22 |

v2.7.8

3 findings
HIGH env-spread: lib/bin/cli.js:150 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/testomatio/reporter/blob/aef96fd21e79fd37bb459765501b3375338f38ea/lib/bin/cli.js#L150

      148 | const cmd = (0, cross_spawn_1.spawn)(testCmds[0], testCmds.slice(1), {
      149 |   stdio: 'inherit',
    > 150 |   env: { ...process.env, TESTOMATIO_PROCEED: 'true', runId: client.runId, TESTOMATIO_RUN: client.runId },
      151 | });
      152 | cmd.on('close', async (code) => {

HIGH env-spread: src/bin/cli.js:166 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/testomatio/reporter/blob/aef96fd21e79fd37bb459765501b3375338f38ea/src/bin/cli.js#L166

      164 | const cmd = spawn(testCmds[0], testCmds.slice(1), {
      165 |   stdio: 'inherit',
    > 166 |   env: { ...process.env, TESTOMATIO_PROCEED: 'true', runId: client.runId, TESTOMATIO_RUN: client.runId },
      167 | });
      168 |

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.6

3 findings
HIGH env-spread: lib/bin/cli.js:150 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/testomatio/reporter/blob/df96bfdf6d545897ca69c563a8adc96f96cfacf0/lib/bin/cli.js#L150

      148 | const cmd = (0, cross_spawn_1.spawn)(testCmds[0], testCmds.slice(1), {
      149 |   stdio: 'inherit',
    > 150 |   env: { ...process.env, TESTOMATIO_PROCEED: 'true', runId: client.runId, TESTOMATIO_RUN: client.runId },
      151 | });
      152 | cmd.on('close', async (code) => {

HIGH env-spread: src/bin/cli.js:166 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/testomatio/reporter/blob/df96bfdf6d545897ca69c563a8adc96f96cfacf0/src/bin/cli.js#L166

      164 | const cmd = spawn(testCmds[0], testCmds.slice(1), {
      165 |   stdio: 'inherit',
    > 166 |   env: { ...process.env, TESTOMATIO_PROCEED: 'true', runId: client.runId, TESTOMATIO_RUN: client.runId },
      167 | });
      168 |

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.7.5

3 findings
HIGH env-spread: lib/bin/cli.js:150 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/testomatio/reporter/blob/7f716c43c253074971f7841ff426498e80610041/lib/bin/cli.js#L150

      148 | const cmd = (0, cross_spawn_1.spawn)(testCmds[0], testCmds.slice(1), {
      149 |   stdio: 'inherit',
    > 150 |   env: { ...process.env, TESTOMATIO_PROCEED: 'true', runId: client.runId, TESTOMATIO_RUN: client.runId },
      151 | });
      152 | cmd.on('close', async (code) => {

HIGH env-spread: src/bin/cli.js:166 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/testomatio/reporter/blob/7f716c43c253074971f7841ff426498e80610041/src/bin/cli.js#L166

      164 | const cmd = spawn(testCmds[0], testCmds.slice(1), {
      165 |   stdio: 'inherit',
    > 166 |   env: { ...process.env, TESTOMATIO_PROCEED: 'true', runId: client.runId, TESTOMATIO_RUN: client.runId },
      167 | });
      168 |

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.3

3 findings
HIGH env-spread: lib/bin/cli.js:149 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/testomatio/reporter/blob/d8f6e34e0b46f50b52371149dc87b80366811739/lib/bin/cli.js#L149

      147 | const cmd = (0, cross_spawn_1.spawn)(testCmds[0], testCmds.slice(1), {
      148 |   stdio: 'inherit',
    > 149 |   env: { ...process.env, TESTOMATIO_PROCEED: 'true', runId: client.runId, TESTOMATIO_RUN: client.runId },
      150 | });
      151 | cmd.on('close', async (code) => {

HIGH env-spread: src/bin/cli.js:165 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/testomatio/reporter/blob/d8f6e34e0b46f50b52371149dc87b80366811739/src/bin/cli.js#L165

      163 | const cmd = spawn(testCmds[0], testCmds.slice(1), {
      164 |   stdio: 'inherit',
    > 165 |   env: { ...process.env, TESTOMATIO_PROCEED: 'true', runId: client.runId, TESTOMATIO_RUN: client.runId },
      166 | });
      167 |

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.6.1

3 findings
HIGH env-spread: lib/bin/cli.js:149 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/testomatio/reporter/blob/a566aebd6161ecfae18e76808926fe972ddfe8ef/lib/bin/cli.js#L149

      147 | const cmd = (0, cross_spawn_1.spawn)(testCmds[0], testCmds.slice(1), {
      148 |   stdio: 'inherit',
    > 149 |   env: { ...process.env, TESTOMATIO_PROCEED: 'true', runId: client.runId, TESTOMATIO_RUN: client.runId },
      150 | });
      151 | cmd.on('close', async (code) => {

HIGH env-spread: src/bin/cli.js:165 semgrep

Spreading entire process.env into an object — may capture all secrets
Source: ssh://[email protected]/testomatio/reporter/blob/a566aebd6161ecfae18e76808926fe972ddfe8ef/src/bin/cli.js#L165

      163 | const cmd = spawn(testCmds[0], testCmds.slice(1), {
      164 |   stdio: 'inherit',
    > 165 |   env: { ...process.env, TESTOMATIO_PROCEED: 'true', runId: client.runId, TESTOMATIO_RUN: client.runId },
      166 | });
      167 |

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.