wd
WebDriver/Selenium 2 node.js client
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:test/e2e/async.js | AI (source-diff): E2E test using WebDriver: browser navigation + eval is core test functionality. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Large version jump (0.1.5→0.2.4) naturally adds many files; wd is a well-established package. | ai | |
| source-diff | net-exec-file:test/e2e/promise-no-chain-specs.js | AI (source-diff): E2E test for promise API: standard Selenium test. | ai | |
| source-diff | net-exec-file:test/e2e/promise-chain-specs.js | AI (source-diff): E2E test for promise chain API: standard Selenium test. | ai | |
| source-diff | net-exec-file:test/e2e/deprecated-chain-specs.js | AI (source-diff): E2E test for deprecated chain API: standard Selenium test. | ai | |
| source-diff | net-exec-file:examples/promise/firefox.js | AI (source-diff): Promise-based WebDriver example: standard Selenium usage. | ai | |
| source-diff | net-exec-file:test/e2e/basic-specs.js | AI (source-diff): E2E test using WebDriver: standard Selenium test, not malware. | ai | |
| source-diff | net-exec-file:examples/async/chrome.js | AI (source-diff): WebDriver example script: browser.get() + browser.eval() is standard Selenium usage, not malware. | ai | |
| source-diff | net-exec-file:examples/async/firefox.js | AI (source-diff): WebDriver example script: browser.get() + browser.eval() is standard Selenium usage, not malware. | ai | |
| source-diff | net-exec-file:examples/async/sauce.ie.js | AI (source-diff): WebDriver example script for SauceLabs: standard Selenium usage, not malware. | ai | |
| source-diff | net-exec-file:examples/async/sauce.js | AI (source-diff): WebDriver example script for SauceLabs: standard Selenium usage, not malware. | ai | |
| source-diff | net-exec-file:examples/deprecated/deprecated.chain.js | AI (source-diff): Deprecated WebDriver example: browser.get() + browser.eval() is standard Selenium usage. | ai | |
| source-diff | net-exec-file:examples/promise/chrome.js | AI (source-diff): Promise-based WebDriver example: standard Selenium usage, not malware. | ai | |
| source-diff | net-exec-file:examples/promise/mocha-specs.js | AI (source-diff): Mocha test example using WebDriver: standard Selenium usage. | ai | |
| source-diff | net-exec-file:examples/promise/no-chain.js | AI (source-diff): Promise-based WebDriver example: standard Selenium usage. | ai | |
| source-diff | net-exec-file:examples/promise/sauce-connect.js | AI (source-diff): SauceLabs WebDriver example: standard Selenium usage. | ai | |
| source-diff | net-exec-file:examples/promise/sauce.ie.js | AI (source-diff): SauceLabs WebDriver example: standard Selenium usage. | ai | |
| source-diff | net-exec-file:examples/promise/sauce.js | AI (source-diff): SauceLabs WebDriver example: standard Selenium usage. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): sebv (Seb Vincent) is a listed contributor with 310 approved packages; transition from admc occurred in 2013 and is a well-known legitimate handoff for this package. | ai | |
| dependencies | unvetted-dep:request | AI (dependencies): request is a well-known, widely-used HTTP client library; appropriate and expected dependency for a WebDriver client package. | ai | |
| source-diff | net-exec-file:examples/example.promise.chrome.js | AI (source-diff): WebDriver example script using browser.eval() and navigating to test pages — standard Selenium usage, not malicious net+exec. | ai | |
| source-diff | net-exec-file:lib/commands.js | AI (source-diff): Core WebDriver client commands module; HTTP calls are for WebDriver protocol, code utils are for browser script serialization. Not malicious. | ai | |
| source-diff | net-exec-file:examples/async/browserstack.ie.js | AI (source-diff): Example file demonstrating wd library's BrowserStack integration; network call is to Selenium hub, not malicious. | ai | |
| source-diff | net-exec-file:examples/async/browserstack.js | AI (source-diff): Example file demonstrating wd library's BrowserStack integration; network call is to Selenium hub, not malicious. | ai | |
| source-diff | net-exec-file:examples/promise/browserstack.js | AI (source-diff): Example file demonstrating wd library's BrowserStack integration; network call is to Selenium hub, not malicious. | ai | |
| source-diff | net-exec-file:examples/promise/browserstack.ie.js | AI (source-diff): Example file demonstrating wd library's BrowserStack integration; network call is to Selenium hub, not malicious. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance; publisher is well-established. | ai | |
| typosquat | typosquat.levenshtein:zod | AI (typosquat): 'wd' is a well-known WebDriver client abbreviation, not a typosquat of 'zod'. Short names will always have low edit distance to other short names. | ai | |
| typosquat | typosquat.levenshtein:qs | AI (typosquat): 'wd' is a well-known WebDriver client abbreviation, not a typosquat of 'qs'. Short names will always have low edit distance to other short names. | ai | |
| typosquat | typosquat.levenshtein:pg | AI (typosquat): 'wd' is a well-known WebDriver client abbreviation, not a typosquat of 'pg'. Short names will always have low edit distance to other short names. | ai | |
| license | uncommon-license:Apache | AI (license): Apache 2.0 is a standard permissive license; the package.json uses a shorthand format the analyzer doesn't recognize, but the license URL confirms it's Apache 2.0. | ai | |
| source-diff | net-exec-file:examples/promise/kobiton.js | AI (source-diff): Example file demonstrating wd library usage with Kobiton cloud testing service; standard WebDriver client pattern, not malware. | ai | |
| source-diff | net-exec-file:examples/async/kobiton.js | AI (source-diff): Example file demonstrating wd library usage with Kobiton cloud testing service; standard WebDriver client pattern, not malware. | ai | |
| provenance | publisher-changed | AI (provenance): sebv→jlipps is a legitimate transition between listed contributors; jlipps is a well-known Appium/Selenium maintainer with strong npm track record. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): References are to 127.0.0.1 in gulpfile.js test infrastructure (Sauce Connect proxy). Localhost in test config is benign. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is in browser-scripts injected via WebDriver execute/executeAsync protocol commands — this is the intended WebDriver functionality. | ai | |
| install-scripts | install-script:install | AI (install-scripts): Install script runs `node scripts/build-browser-scripts` — a local build step for browser-injectable JS helpers, core to wd's WebDriver functionality. Present across versions. | ai | |
Versions (showing 38 of 38)
| Version | Deps | Published |
|---|---|---|
| 1.11.4 | 7 / 27 | |
| 1.10.2 | 7 / 25 | |
| 1.8.1 | 8 / 24 | |
| 1.5.0 | 8 / 24 | |
| 1.4.0 | 8 / 24 | |
| 1.1.2 | 7 / 25 | |
| 1.1.1 | 7 / 24 | |
| 1.0.0 | 7 / 24 | |
| 0.2.18 | 7 / 15 | |
| 0.2.11 | 7 / 14 | |
| 0.2.8 | 7 / 14 | |
| 0.2.4 | 8 / 14 | |
| 0.1.3 | 6 / 11 | |
| 0.0.34 | 6 / 11 | |
| 0.0.30 | 5 / 10 | |
| 0.0.29 | 5 / 10 | |
| 0.0.26 | 1 / 10 | |
| 0.0.25 | 1 / 10 | |
| 0.0.24 | 1 / 7 | |
| 0.0.21 | 1 / 5 | |
| 0.0.20 | 1 / 5 | |
| 0.0.17 | 0 / 5 | |
| 0.0.16 | 0 / 5 | |
| 0.0.15 | 0 / 5 | |
| 0.0.14 | 0 / 5 | |
| 0.0.13 | 0 / 5 | |
| 0.0.12 | 0 / 0 | |
| 0.0.11 | 0 / 0 | |
| 0.0.10 | 0 / 0 | |
| 0.0.9 | 0 / 0 | |
| 0.0.8 | 0 / 0 | |
| 0.0.7 | 0 / 0 | |
| 0.0.6 | 0 / 0 | |
| 0.0.5 | 0 / 0 | |
| 0.0.4 | 0 / 0 | |
| 0.0.3 | 0 / 0 | |
| 0.0.2 | 0 / 0 | |
| 0.0.1 | 0 / 0 | |
v1.11.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.2
2 findings
This version was published by a different npm account than previous versions on 2017-01-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
6 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-12-13. This could indicate a legitimate maintainer transition or an account compromise.
v1.0.0
6 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2016-10-03. This could indicate a legitimate maintainer transition or an account compromise.
v0.2.18
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.11
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.4
18 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.34
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2013-08-01. This could indicate a legitimate maintainer transition or an account compromise.
v0.0.30
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.29
2 findings
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.26
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.25
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.24
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.21
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.20
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.17
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.16
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.15
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.