test
Node.js 18's node:test, as an npm package
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): nodejs-foundation is the legitimate steward of this Node.js core backport package; the handoff from gozala is expected and the repo is under the official nodejs org. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): nodejs-foundation taking over node-core-test is a legitimate organizational transition; publisher has strong track record (212 approved packages). | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Test runner spawns child processes and must propagate process.env to worker subprocesses. This is expected, documented behavior for node:test backport. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): A test runner that parallelizes tests via child processes inherently requires child_process. Core functionality, not malicious. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): primordials.js is a direct copy of Node.js core's prototype-pollution defense pattern. Reflect.get usage here is not obfuscation. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require of a builtin path in a Node.js compatibility shim is a standard pattern, not arbitrary module loading. | ai | |
Versions (showing 29 of 29)
| Version | Deps | Published |
|---|---|---|
| 3.3.0 | 3 / 1 | |
| 3.2.1 | 2 / 1 | |
| 3.2.0 | 2 / 1 | |
| 3.1.0 | 2 / 1 | |
| 3.0.1 | 2 / 1 | |
| 3.0.0 | 2 / 2 | |
| 0.6.0 | 1 / 1 | |
| 0.5.2 | 1 / 1 | |
| 0.5.1 | 1 / 0 | |
| 0.4.4 | 0 / 0 | |
| 0.4.3 | 0 / 0 | |
| 0.4.2 | 0 / 0 | |
| 0.4.1 | 0 / 0 | |
| 0.4.0 | 0 / 0 | |
| 0.3.0 | 0 / 0 | |
| 0.2.1 | 0 / 0 | |
| 0.2.0 | 0 / 0 | |
| 0.1.1 | 0 / 0 | |
| 0.1.0 | 0 / 0 | |
| 0.0.11 | 0 / 0 | |
| 0.0.10 | 0 / 0 | |
| 0.0.9 | 0 / 0 | |
| 0.0.8 | 0 / 0 | |
| 0.0.7 | 0 / 0 | |
| 0.0.6 | 0 / 0 | |
| 0.0.5 | 0 / 0 | |
| 0.0.4 | 0 / 0 | |
| 0.0.3 | 0 / 0 | |
| 0.0.2 | 0 / 0 | |
v3.3.0
2 findings

Spreading entire process.env into an object — may capture all secrets

Source: https://github.com/nodejs/node-core-test/blob/414743a74ef26ba383ae6c4d87e5b806bf7dc831/lib/internal/test_runner/runner.js#L226

```
  224 | const args = getRunArgs({ path, inspectPort })
  225 | const stdio = ['pipe', 'pipe', 'pipe']
> 226 | const env = { ...process.env }
  227 | if (filesWatcher) {
  228 |   stdio.push('ipc')
```
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.1
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.1
1 finding

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
2 findings

This version was published by a different npm account than previous versions on 2022-06-02. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.