query-selector-shadow-dom

use querySelector syntax to search for nodes inside of (nested) shadow roots

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

georgegriff

Keywords

webcomponentspuppeteerplaywrightautomationqueryselectorshadowdomweb-componentstestingwebdriverprotractorseleniumwebdriveriocodeceptjs

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:steganography-image-eval	AI (semgrep): Reads own bundled UMD dist file for Playwright selector engine injection — standard browser automation pattern, not steganography.	ai	2026/04/23
semgrep	semgrep:new-function-constructor	AI (semgrep): Wraps package's own UMD bundle into Function for Playwright selector engine registration; input is self-authored code.	ai	2026/04/23
email-domain	unclaimed-email:georgegriff	AI (email-domain): Author field contains a username/handle, not an actual email with a registrable domain. False positive from field parsing.	ai	2026/04/23

Versions (showing 34 of 34)

Version	Deps	Published
1.0.1	0 / 24	2022-11-17
1.0.0	0 / 26	2021-02-04
0.8.0	0 / 25	2020-10-09
0.7.1	0 / 26	2020-09-01
0.7.0	0 / 26	2020-09-01
0.6.2	0 / 23	2020-08-23
0.6.1	0 / 23	2020-08-11
0.6.0	0 / 23	2020-07-14
0.5.0	0 / 21	2020-06-04
0.4.6	0 / 20	2020-03-23
0.4.5	0 / 20	2020-03-20
0.4.4	0 / 20	2020-03-20
0.4.2	0 / 20	2020-02-10
0.4.1	0 / 20	2020-02-10
0.4.0	0 / 20	2020-02-10
0.3.4	0 / 19	2019-09-15
0.3.3	0 / 18	2019-08-30
0.3.2	0 / 18	2018-12-21
0.3.1	0 / 18	2018-12-21
0.3.0	0 / 18	2018-11-18
0.2.5	0 / 18	2018-11-08
0.2.4	0 / 18	2018-11-08
0.2.3	0 / 18	2018-11-07
0.2.2	0 / 18	2018-11-06
0.2.1	0 / 18	2018-07-09
0.2.0	0 / 19	2018-07-09
0.1.0	1 / 18	2018-07-09
0.0.7	0 / 16	2018-07-03
0.0.6	0 / 16	2018-07-02
0.0.5	0 / 16	2018-07-02
0.0.4	0 / 16	2018-07-02
0.0.3	0 / 16	2018-07-02
0.0.2	0 / 16	2018-07-02
0.0.1	0 / 16	2018-07-02

v1.0.1

5 findings

HIGH Unclaimed maintainer email domain: georgegriff email-domain

Maintainer email 'GeorgeGriff' uses domain 'georgegriff' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.

HIGH steganography-image-eval: plugins/playwright/index.js:6 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/webdriverio/query-selector-shadow-dom/blob/2f6c4deb6a37c813483f0ca7c074b078f7d677c7/plugins/playwright/index.js#L6 4 | 5 | // load the library in UMD format which self executes and adds window.querySelectorShadowDom > 6 | const querySelectorShadowDomUMD = fs.readFileSync(path.resolve(__dirname, "../../dist/querySelectorShadowDom.js")) 7 | 8 | // a string because playwright does a .toString on a selector engine and we need to

HIGH steganography-image-eval: plugins/puppeteer/index.js:4 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/webdriverio/query-selector-shadow-dom/blob/2f6c4deb6a37c813483f0ca7c074b078f7d677c7/plugins/puppeteer/index.js#L4 2 | const path = require("path"); 3 | > 4 | const querySelectorShadowDomUMD = fs.readFileSync(path.resolve(__dirname, "../../dist/querySelectorShadowDom.js")) 5 | 6 | const QueryHandler = {

HIGH steganography-image-eval: plugins/webdriverio/index.js:3 semgrep

Data read from image file then executed — steganography attack pattern Source: https://github.com/webdriverio/query-selector-shadow-dom/blob/2f6c4deb6a37c813483f0ca7c074b078f7d677c7/plugins/webdriverio/index.js#L3 1 | const fs = require('fs'); 2 | const path = require('path'); > 3 | const querySelectorAllDeep = fs.readFileSync(path.resolve(__dirname, "../../dist/querySelectorShadowDom.js")) 4 | 5 | const selectorFunction = new Function('selector', 'element', `