whiskey
Whiskey is a powerful test runner for Node.js applications and a process orchestration framework which makes running integration tests with a lot of service / process dependencies easier.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:assets/jquery-1.4.3.min.js | AI (source-diff): File is the canonical jQuery 1.4.3 minified library bundled as a static asset for HTML coverage reports. Network/eval patterns are intrinsic to jQuery, not malware. | ai | |
| source-diff | obfuscated-file:lib-cov/common.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/extern/_debugger.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/extern/optparse/lib/optparse.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/extern/long-stack-traces/lib/long-stack-traces.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 30 new files are all JSCoverage-instrumented versions of existing source; no injected foreign code. | ai | |
| source-diff | obfuscated-file:lib-cov/coverage.js | AI (source-diff): lib-cov/ files are JSCoverage-generated instrumentation artifacts, not obfuscated malicious code. Pattern is stable for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/assert.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/constants.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/run_test_file.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/util.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/parser.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/run.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/process_runner/runner.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/reporters/test/tap.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/reporters/test/cli.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/reporters/coverage/cli.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| source-diff | obfuscated-file:lib-cov/reporters/coverage/html.js | AI (source-diff): JSCoverage-generated instrumentation artifact; benign for this test framework package. | ai | |
| email-domain | unclaimed-email:cloudkick.com | AI (email-domain): Cloudkick.com was a company acquired by Rackspace ~2011; domain lapse is expected for this ~15-year-old package. No evidence of active hijack attempt. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require of test file paths is fundamental to how test runners load user test modules. Expected and benign for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): whiskey is a test runner; child_process usage in example/ and test files is expected and core to its purpose. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() is in assets/coverage_html.js, a test coverage reporting artifact, not runtime library code. Parses a cookie for sort state — not an attack surface. | ai | |
Versions (showing 33 of 33)
| Version | Deps | Published |
|---|---|---|
| 0.8.4 | 10 / 1 | |
| 0.8.3 | 10 / 0 | |
| 0.8.2 | 9 / 0 | |
| 0.7.1 | 9 / 0 | |
| 0.7.0 | 9 / 0 | |
| 0.6.13 | 9 / 0 | |
| 0.6.12 | 9 / 0 | |
| 0.6.11 | 9 / 0 | |
| 0.6.10 | 8 / 0 | |
| 0.6.9 | 8 / 0 | |
| 0.6.8 | 8 / 0 | |
| 0.6.7 | 8 / 0 | |
| 0.6.6 | 8 / 0 | |
| 0.6.5 | 8 / 0 | |
| 0.6.4 | 8 / 0 | |
| 0.6.3 | 8 / 0 | |
| 0.6.2 | 8 / 0 | |
| 0.6.1 | 8 / 0 | |
| 0.6.0 | 8 / 0 | |
| 0.5.1 | 6 / 0 | |
| 0.5.0 | 6 / 0 | |
| 0.4.2 | 6 / 0 | |
| 0.4.1 | 6 / 0 | |
| 0.4.0 | 5 / 0 | |
| 0.3.4 | 5 / 0 | |
| 0.3.3 | 4 / 0 | |
| 0.3.2 | 4 / 0 | |
| 0.3.1 | 4 / 0 | |
| 0.3.0 | 4 / 0 | |
| 0.2.3 | 2 / 0 | |
| 0.2.2 | 2 / 0 | |
| 0.2.1 | 2 / 0 | |
| 0.2.0 | 3 / 0 | |
v0.8.4
2 findings:
Maintainer email '[email protected]' uses domain 'cloudkick.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.3
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.2
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
2 findings:
Maintainer email '[email protected]' uses domain 'cloudkick.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.13
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.12
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.11
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.10
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.9
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.8
3 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.7
17 findings:
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.6
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.5
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.4
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.3
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.2
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.2
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
2 findings:
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.3
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding:
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.