iedriver — Greenflagged

IEDriver for Selenium

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

barretts

Keywords

iedriveriedriverserverselenium

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Long-established package (11+ years) with consistent publisher history; lack of Sigstore provenance is not a meaningful risk signal here.	ai	2026/04/24
dependencies	unvetted-dep:request	AI (dependencies): request is a well-known HTTP client; its use here is consistent with iedriver's documented purpose of downloading/verifying the IEDriverServer binary during install.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): The added request dependency is a legitimate HTTP client needed for binary download/verification in this driver installer package.	ai	2026/04/24
license	uncommon-license:Apache 2.0	AI (license): Apache 2.0 is a well-known permissive license; the analyzer's 'uncommon' flag is a false positive for this package.	ai	2026/04/24
install-scripts	install-script:install	AI (install-scripts): iedriver's install script downloads/extracts the IEDriverServer binary — standard pattern for Selenium WebDriver binary distribution packages.	ai	2026/04/23
semgrep	semgrep:child-process-import	AI (semgrep): child_process.execFile is used to launch IEDriverServer.exe — the intended functionality of this WebDriver launcher package.	ai	2026/04/23
npm-metadata	bundled-binaries	AI (npm-metadata): IEDriverServer.exe is the core deliverable of this package; bundling the Selenium IE WebDriver binary is its entire purpose.	ai	2026/04/23

Versions (showing 25 of 25)

Version	Deps	Published
4.0.0	6 / 0	2022-04-01
3.150.1	6 / 0	2020-09-30
3.14.1	8 / 0	2019-02-08
3.9.2	8 / 0	2018-03-15
3.9.1	7 / 0	2018-03-05
3.9.0	7 / 0	2018-03-05
3.6.0	7 / 0	2018-03-05
3.5.0	7 / 0	2017-08-18
3.4.0	6 / 0	2017-06-06
3.3.0	6 / 0	2017-03-30
3.2.0	6 / 0	2017-03-30
3.1.0	6 / 0	2017-03-30
3.0.0	6 / 0	2016-11-11
2.53.1	6 / 0	2016-05-23
2.53.0	6 / 0	2016-03-18
2.52.2	6 / 0	2016-03-10
2.52.0	6 / 0	2016-03-10
2.51.0	6 / 0	2016-02-09
2.50.0	6 / 0	2016-02-09
2.49.0	6 / 0	2016-02-09
2.48.0	6 / 0	2016-02-09
2.47.0	6 / 0	2015-08-05
2.46.0	6 / 0	2015-06-26
2.45.1	6 / 0	2015-06-26
2.1.1	6 / 0	2014-11-06

v4.0.0

3 findings

HIGH Package has 'install' script install-scripts

Script: node install.js

HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • lib/iedriver/IEDriverServer.exe

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.150.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.14.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.9.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.6.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.