fancy-test
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: a signed provenance attestation is what ties a published npm tarball to the repository, commit, and CI workflow that built it, so without one a tarball can diverge from the repository without anything failing. The axios compromise (March 2026) relied on exactly this gap. In a project that depends on this package, `npm audit signatures` reports whether the installed version has a verified registry signature and provenance attestation.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Intentional test-helper pattern for setting/restoring process.env; not a secret-capture risk. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): tryRequire pattern for optional chai peer dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@types/chai | AI (phantom-deps): @types packages are convention-loaded TypeScript type declarations, not runtime imports. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): @types packages are convention-loaded TypeScript type declarations, not runtime imports. | ai | |
| phantom-deps | phantom-dep:@types/sinon | AI (phantom-deps): @types packages are convention-loaded TypeScript type declarations, not runtime imports. | ai | |
| phantom-deps | phantom-dep:@types/lodash | AI (phantom-deps): @types packages are convention-loaded TypeScript type declarations, not runtime imports. | ai | |
v3.0.16
2 findings

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/oclif/fancy-test/blob/f8fae11f3620c8da720ce0f4998f584c7356c445/lib/env.js#L16

```js
14 | }
15 | else {
> 16 | process.env = { ...process.env, ...normalizedEnv };
17 | Object.entries(normalizedEnv)
18 |   .filter(([, v]) => v === undefined)
```
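Why the reviewer's "test-helper pattern, not a secret-capture risk" acceptance is reasonable for fancy-test, and what the narrower alternative looks like, as an added example. This is not fancy-test's code and not what the scanner ran: it reimplements the flagged pattern (copying all of process.env into a plain object so it can be restored later) beside a helper that records and restores only the keys a test names. The names applyEnvBySpread, applyEnvByKey, exposedKeys, demo and the FANCY_DEMO_* variables are chosen for this example, and the secret value is constructed.

```javascript
// Added example, not fancy-test's own code. Contrasts the env-spread pattern
// the semgrep rule flags with a key-scoped helper. All names below are this
// example's own; FANCY_DEMO_SECRET holds a constructed value.

// Flagged pattern: keep the whole previous environment so it can be put back.
// Every variable the process inherited, secrets included, now lives in a plain
// object that the restore closure keeps alive. If a fixture or a failure
// report serializes that state, all of it is exposed.
function applyEnvBySpread(overrides) {
  const snapshot = process.env;
  process.env = { ...process.env, ...overrides };
  // Mirrors the finding's filter: an override of undefined means "unset".
  for (const [key, value] of Object.entries(overrides)) {
    if (value === undefined) delete process.env[key];
  }
  return {
    restore: () => { process.env = snapshot; },
    retained: snapshot, // what the helper holds until restore() runs
  };
}

// Narrower alternative: remember only the overridden keys. A marker records
// keys that were absent beforehand so restore() deletes them instead of
// writing the string "undefined" into the environment.
const ABSENT = Symbol('absent');

function applyEnvByKey(overrides) {
  const saved = new Map();
  for (const [key, value] of Object.entries(overrides)) {
    saved.set(key, key in process.env ? process.env[key] : ABSENT);
    if (value === undefined) delete process.env[key];
    else process.env[key] = String(value);
  }
  const retained = {};
  for (const [key, old] of saved) retained[key] = old === ABSENT ? undefined : old;
  return {
    restore: () => {
      for (const [key, old] of saved) {
        if (old === ABSENT) delete process.env[key];
        else process.env[key] = old;
      }
    },
    retained, // only the keys the test touched
  };
}

// Keys a JSON dump of a helper's retained state would reveal.
function exposedKeys(retained) {
  return Object.keys(retained).sort();
}

// Runs both helpers with a constructed secret in the environment and reports
// whether each helper's retained state contains that secret.
function demo() {
  process.env.FANCY_DEMO_SECRET = 'hunter2'; // constructed, not a real secret
  try {
    const spread = applyEnvBySpread({ FANCY_DEMO_FLAG: '1' });
    const spreadLeaks = exposedKeys(spread.retained).includes('FANCY_DEMO_SECRET');
    spread.restore();

    const byKey = applyEnvByKey({ FANCY_DEMO_FLAG: '1' });
    const byKeyLeaks = exposedKeys(byKey.retained).includes('FANCY_DEMO_SECRET');
    byKey.restore();

    return { spreadLeaks, byKeyLeaks };
  } finally {
    delete process.env.FANCY_DEMO_SECRET;
  }
}

console.log(demo());
```

The spread variant is only a problem if the retained snapshot escapes the helper (serialized into a test report, captured by a mock, or kept alive past the test), which is the judgement the accepted-risk entry above records; the key-scoped variant removes the question entirely because nothing it retains was not already named by the test.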
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.0.21
1 finding

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.