selenium-webdriver — Greenflagged

The official WebDriver JavaScript bindings from the Selenium project

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sriharshaautomatedtesterdiemoltitusfortnerpujaganijmleyba

Keywords

automationseleniumtestingwebdriverwebdriverjs

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
maintainer-change	maintainer-removed	AI (maintainer-change): Routine SeleniumHQ maintainer rotation; not indicative of takeover for this project.	ai	2026/04/30
maintainer-change	maintainer-added	AI (maintainer-change): pujagani is a known SeleniumHQ contributor; org-level maintainer rotation for this established project.	ai	2026/04/30
semgrep	semgrep:http-module-request	AI (semgrep): HTTP requests are core to selenium-webdriver's function — it communicates with browser drivers via HTTP (WebDriver wire protocol). Not exfiltration.	ai	2026/04/22
semgrep	semgrep:eval-usage	AI (semgrep): eval() is used in Google Closure Library's JSON parser fallback (goog/json/json.js), a well-known legitimate pattern in Closure-based projects.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Package predates Sigstore provenance by many years; absence is expected for this legacy version of an established official Selenium package.	ai	2026/04/22
semgrep	semgrep:dll-injection-apis	AI (semgrep): LD_PRELOAD usage is selenium-webdriver's documented mechanism for Firefox no-focus library on Linux; stable and intentional for this package.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): titusfortner (Titus Fortner) is a known Selenium core maintainer; this is a legitimate project governance transition within SeleniumHQ, not a suspicious takeover.	ai	2026/04/22
semgrep	semgrep:child-process-import	AI (semgrep): Spawning browser processes via child_process is core to WebDriver functionality; expected and stable for this package.	ai	2026/04/22
semgrep	semgrep:child-process-spawn	AI (semgrep): child_process.spawn is used to launch browser drivers — fundamental to selenium-webdriver's purpose.	ai	2026/04/22
npm-metadata	bundled-binaries	AI (npm-metadata): Bundled .so files are the Firefox no-focus libraries required for Linux browser automation; legitimate and documented for this package.	ai	2026/04/22
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): 127.0.0.1 reference appears in a JSDoc comment example, not live network code; no actual raw IP requests.	ai	2026/04/22
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require for loading atoms (./atoms/ + module) is a well-known internal pattern in selenium-webdriver for loading browser automation scripts.	ai	2026/04/22
semgrep	semgrep:base64-decode	AI (semgrep): Base64 decoding is used to handle WebDriver file downloads, which the protocol returns as base64-encoded zip content. Legitimate and documented behavior.	ai	2026/04/22