nightwatch
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@types/chai | AI (phantom-deps): Type-only dependency; not directly imported at runtime by convention. | ai | |
| phantom-deps | phantom-dep:@types/selenium-webdriver | AI (phantom-deps): Type-only dependency; not directly imported at runtime by convention. | ai | |
| phantom-deps | phantom-dep:fs-extra | AI (phantom-deps): fs-extra is a declared runtime dep; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:nightwatch-axe-verbose | AI (phantom-deps): Referenced in config templates; phantom-dep heuristic false positive for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require used for plugin/API loading — documented pattern for this framework. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env to worker processes is core to Nightwatch's parallel test runner design. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): 127.0.0.1:4723 is Appium's well-known default local server address, not exfiltration. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Copying process.env for child process spawning is expected in a parallel test runner. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Spawning worker processes is fundamental to Nightwatch's parallel execution model. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process used in examples and concurrency runner — expected for a test framework. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 3.15.0 | 34 / 26 | |
| 3.14.0 | 34 / 26 | |
| 3.13.0 | 34 / 26 | |
| 3.12.2 | 34 / 26 | |
| 2.6.25 | 32 / 20 | |
v3.15.0
2 findings

- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/nightwatchjs/nightwatch/blob/f3a57840ffca31c6f6da548d4b270691ce33fdee/lib/runner/concurrency/worker-process.js#L32

```js
  30 |   maxThreads: maxWorkerCount,
  31 |   argv: args,
> 32 |   env: {
  33 |     ...process.env,
  34 |     __NIGHTWATCH_PARALLEL_MODE: '1'
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.14.0
2 findings

- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/nightwatchjs/nightwatch/blob/a0817fff1eabb86e65848ae53f4ac2b5d6db0d2b/lib/runner/concurrency/worker-process.js#L32

```js
  30 |   maxThreads: maxWorkerCount,
  31 |   argv: args,
> 32 |   env: {
  33 |     ...process.env,
  34 |     __NIGHTWATCH_PARALLEL_MODE: '1'
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.13.0
2 findings

- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/nightwatchjs/nightwatch/blob/54c8550c75a16c61827c0bad043c7ffa073a52e6/lib/runner/concurrency/worker-process.js#L32

```js
  30 |   maxThreads: maxWorkerCount,
  31 |   argv: args,
> 32 |   env: {
  33 |     ...process.env,
  34 |     __NIGHTWATCH_PARALLEL_MODE: '1'
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.12.2
2 findings

- Spreading entire process.env into an object — may capture all secrets. Source: https://github.com/nightwatchjs/nightwatch/blob/a30d660efb745bce98abb9fb904bd1b19f066b6f/lib/runner/concurrency/worker-process.js#L32

```js
  30 |   maxThreads: maxWorkerCount,
  31 |   argv: args,
> 32 |   env: {
  33 |     ...process.env,
  34 |     __NIGHTWATCH_PARALLEL_MODE: '1'
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v2.6.25
1 finding

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.