appium-xcuitest-driver
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Passing process.env to child process for WDA signing is standard pattern for this driver. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decoding certificate content for iOS simulator simctl — legitimate driver functionality. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP is 127.0.0.1 (localhost) for WebDriverAgent communication — expected for this driver. | ai | |
| phantom-deps | phantom-dep:moment | AI (phantom-deps): moment is a declared runtime dependency; phantom-dep heuristic misfires here. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 11.7.6 | 23 / 23 | |
| 11.7.5 | 23 / 23 | |
| 11.7.4 | 23 / 23 | |
| 11.7.3 | 23 / 23 | |
| 11.7.2 | 23 / 23 | |
| 11.7.1 | 23 / 23 | |
| 11.7.0 | 23 / 23 | |
| 11.6.1 | 24 / 24 | |
| 11.6.0 | 24 / 24 | |
| 11.5.1 | 24 / 24 | |
| 11.5.0 | 24 / 24 | |
| 11.4.2 | 24 / 24 | |
| 11.4.1 | 24 / 24 | |
| 11.4.0 | 24 / 24 | |
| 11.3.1 | 24 / 24 | |
| 11.3.0 | 24 / 24 | |
| 11.2.4 | 24 / 24 | |
| 11.2.3 | 24 / 24 | |
| 11.2.2 | 24 / 24 | |
| 11.2.1 | 24 / 24 | |
| 11.2.0 | 24 / 24 | |
| 11.1.0 | 25 / 25 | |
| 11.0.4 | 25 / 25 | |
| 11.0.3 | 25 / 25 | |
| 11.0.2 | 25 / 25 | |
| 11.0.1 | 25 / 25 | |
| 10.36.3 | 26 / 25 | |
| 10.5.0 | 26 / 27 | |
| 10.4.3 | 26 / 27 | |
| 10.4.2 | 26 / 27 | |
| 10.4.1 | 26 / 27 | |
| 10.4.0 | 26 / 27 | |
| 10.3.0 | 26 / 27 | |
v11.7.6
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.7.5
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.7.4
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/c2c973364daf40024ff49e599c9ed095b2d76404/scripts/sign-wda.mjs#L45

```
  43 | log.info(`Running resigner to sign ${this._wdaPath}`);
  44 | await exec(RESIGNER_BINARY_NAME, args, {
> 45 |   env: {
  46 |     ...process.env,
  47 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.7.3
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/0278419e4aee4ff600fc23c22ccc3b9b25330b80/scripts/sign-wda.mjs#L45

```
  43 | log.info(`Running resigner to sign ${this._wdaPath}`);
  44 | await exec(RESIGNER_BINARY_NAME, args, {
> 45 |   env: {
  46 |     ...process.env,
  47 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.7.2
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/a8d200affd7d95115dfba0f0b3bae9236591b871/scripts/sign-wda.mjs#L45

```
  43 | log.info(`Running resigner to sign ${this._wdaPath}`);
  44 | await exec(RESIGNER_BINARY_NAME, args, {
> 45 |   env: {
  46 |     ...process.env,
  47 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.7.1
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/7eb244689cbb6e554c03bfb3c21c254f19d8f29c/scripts/sign-wda.mjs#L45

```
  43 | log.info(`Running resigner to sign ${this._wdaPath}`);
  44 | await exec(RESIGNER_BINARY_NAME, args, {
> 45 |   env: {
  46 |     ...process.env,
  47 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.7.0
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/65d2c0c3c665877fb2e00aa1578888d258d22e2b/scripts/sign-wda.mjs#L45

```
  43 | log.info(`Running resigner to sign ${this._wdaPath}`);
  44 | await exec(RESIGNER_BINARY_NAME, args, {
> 45 |   env: {
  46 |     ...process.env,
  47 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.6.1
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/7641d6a8280c73b64dfbe18bec85d00070d89ed3/scripts/sign-wda.mjs#L45

```
  43 | log.info(`Running resigner to sign ${this._wdaPath}`);
  44 | await exec(RESIGNER_BINARY_NAME, args, {
> 45 |   env: {
  46 |     ...process.env,
  47 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.6.0
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/bbde86c40f44f30811628f0b6fb9c37f507b2913/scripts/sign-wda.mjs#L45

```
  43 | log.info(`Running resigner to sign ${this._wdaPath}`);
  44 | await exec(RESIGNER_BINARY_NAME, args, {
> 45 |   env: {
  46 |     ...process.env,
  47 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.5.1
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/844fd53989e43916f3b820f050144ab13648a215/scripts/sign-wda.mjs#L45

```
  43 | log.info(`Running resigner to sign ${this._wdaPath}`);
  44 | await exec(RESIGNER_BINARY_NAME, args, {
> 45 |   env: {
  46 |     ...process.env,
  47 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.5.0
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/7e996c812e01b3f00f0d7b466af714abb24c0cc4/scripts/sign-wda.mjs#L45

```
  43 | log.info(`Running resigner to sign ${this._wdaPath}`);
  44 | await exec(RESIGNER_BINARY_NAME, args, {
> 45 |   env: {
  46 |     ...process.env,
  47 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.4.2
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/79594cae01a1cda21bab8ac1379fae488933b1a6/scripts/sign-wda.mjs#L45

```
  43 | log.info(`Running resigner to sign ${this._wdaPath}`);
  44 | await exec(RESIGNER_BINARY_NAME, args, {
> 45 |   env: {
  46 |     ...process.env,
  47 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.4.1
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/18c0b00446c7ccb0121625c9559e7602fc7423a9/scripts/sign-wda.mjs#L272

```
  270 | log.info(`Running resigner to sign ${wdaPath}`);
  271 | await exec(RESIGNER_BINARY_NAME, args, {
> 272 |   env: {
  273 |     ...process.env,
  274 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.4.0
2 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/appium/appium-xcuitest-driver/blob/4c307a4d622b3ab9ff6b6c2e416001e8e3757b5a/scripts/sign-wda.mjs#L272

```
  270 | log.info(`Running resigner to sign ${wdaPath}`);
  271 | await exec(RESIGNER_BINARY_NAME, args, {
> 272 |   env: {
  273 |     ...process.env,
  274 |     P12_PASSWORD: options.p12Password,
```

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.3.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.3.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.2.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.2.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.2.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.2.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.2.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.0.4
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.0.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.0.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v11.0.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.36.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v10.5.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.4.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.4.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.4.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.4.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.3.0
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.