
codeceptjs

9 Versions | License | No Install Scripts | Verified Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation | npm registry signatures | gitHead linked

Maintainers

davert, alex_vorobey, thanh.nguyen, egor_bodnar

Keywords

acceptance, end2end, end 2 end, puppeteer, webdriver, playwright, bdd, tdd, testing

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source     | Rule                            | Reason                                                                                                      | Accepted by | When
provenance | publisher-changed               | AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA provenance; legitimate automation.   | ai          |
semgrep    | semgrep:env-spread              | AI (semgrep): Test runner spawning child processes with inherited env is standard behavior.                  | ai          |
semgrep    | semgrep:eval-usage              | AI (semgrep): Used in heal.js to execute AI-generated code snippets; documented feature of the framework.     | ai          |
semgrep    | semgrep:dynamic-require         | AI (semgrep): Test framework plugin/module loader pattern; stable across versions.                           | ai          |
semgrep    | semgrep:new-function-constructor | AI (semgrep): Used in Playwright helper for custom locator strategies; expected browser automation pattern. | ai          |
semgrep    | semgrep:base64-decode           | AI (semgrep): Appium pullFile returns base64-encoded file content; standard Appium API usage.                | ai          |
semgrep    | semgrep:child-process-import    | AI (semgrep): Used in info/diagnostic command; expected for a CLI test framework.                            | ai          |

Versions (showing 9 of 9)

Version | Deps    | Published
4.0.3   | 45 / 55 |
4.0.2   | 45 / 55 |
4.0.1   | 45 / 55 |
4.0.0   | 45 / 55 |
3.7.9   | 42 / 55 |
3.7.8   | 42 / 55 |
3.7.7   | 42 / 55 |
3.7.6   | 42 / 55 |
3.7.5   | 43 / 55 |

v4.0.3

3 findings
HIGH  Publisher changed: thanh.nguyen → GitHub Actions (on 2026-05-28)  [provenance]

This version was published by a different npm account than previous versions on 2026-05-28. This could indicate a legitimate maintainer transition or an account compromise.

HIGH  env-spread: bin/mcp-server.js:195  [semgrep]

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/codeceptjs/CodeceptJS/blob/06cdb0c41250dfa532571218741066d8d5198a82/bin/mcp-server.js#L195

      193 | const child = spawn(cmd, args, {
      194 |   cwd,
    > 195 |   env: { ...process.env, NODE_ENV: process.env.NODE_ENV || 'test' },
      196 |   stdio: ['ignore', 'pipe', 'pipe'],
      197 | })

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.2

3 findings
HIGH  Publisher changed: thanh.nguyen → GitHub Actions (on 2026-05-24)  [provenance]

This version was published by a different npm account than previous versions on 2026-05-24. This could indicate a legitimate maintainer transition or an account compromise.

HIGH  env-spread: bin/mcp-server.js:195  [semgrep]

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/codeceptjs/CodeceptJS/blob/16b2f32c5876829fd39d456ab2ed084bbde08373/bin/mcp-server.js#L195

      193 | const child = spawn(cmd, args, {
      194 |   cwd,
    > 195 |   env: { ...process.env, NODE_ENV: process.env.NODE_ENV || 'test' },
      196 |   stdio: ['ignore', 'pipe', 'pipe'],
      197 | })

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

4 findings
HIGH  Publisher changed: thanh.nguyen → GitHub Actions (on 2026-05-23)  [provenance]

This version was published by a different npm account than previous versions on 2026-05-23. This could indicate a legitimate maintainer transition or an account compromise.

HIGH  Unclaimed maintainer email domain: codegyre.com  [email-domain]

Maintainer email '[email protected]' uses domain 'codegyre.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

HIGH  env-spread: bin/mcp-server.js:195  [semgrep]

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/codeceptjs/CodeceptJS/blob/2c898288d0900e9bf953121db97c16b221f08883/bin/mcp-server.js#L195

      193 | const child = spawn(cmd, args, {
      194 |   cwd,
    > 195 |   env: { ...process.env, NODE_ENV: process.env.NODE_ENV || 'test' },
      196 |   stdio: ['ignore', 'pipe', 'pipe'],
      197 | })

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

3 findings
HIGH  Publisher changed: thanh.nguyen → GitHub Actions (on 2026-05-21)  [provenance]

This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

HIGH  env-spread: bin/mcp-server.js:195  [semgrep]

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/codeceptjs/CodeceptJS/blob/a7683e776ffbe143ba91c9ca550661ab3aa87c67/bin/mcp-server.js#L195

      193 | const child = spawn(cmd, args, {
      194 |   cwd,
    > 195 |   env: { ...process.env, NODE_ENV: process.env.NODE_ENV || 'test' },
      196 |   stdio: ['ignore', 'pipe', 'pipe'],
      197 | })

INFO  Has SLSA provenance attestation  [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.7.9

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.7.8

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.7.7

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.7.6

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v3.7.5

1 finding
LOW  No provenance attestation  [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.