@applitools/execution-grid-tunnel
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:env-spread | AI (semgrep): Tunnel subprocess launcher legitimately inherits parent env; standard pattern for this package. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Core functionality is managing tunnel child processes; child_process use is expected and documented. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IP (0.0.0.0) is in examples/demo.js targeting localhost; not production code. | ai | |
| phantom-deps | phantom-dep:dotenv | AI (phantom-deps): dotenv is used via -r dotenv/config in npm scripts, not direct import; stable false positive. | ai | |
| phantom-deps | phantom-dep:p-retry | AI (phantom-deps): Likely used transitively or in config; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:encoding | AI (phantom-deps): encoding is a common indirect dep for node-fetch; stable false positive. | ai |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 4.1.0 | 15 / 15 | |
| 4.0.2 | 13 / 15 | |
| 4.0.1 | 14 / 15 | |
| 4.0.0 | 14 / 15 | |
| 3.1.5 | 14 / 15 |
v4.1.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: ormeda.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (ormeda) than the most recent previously approved version (ronikar_applitools) on 2026-06-01, but ormeda is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v4.0.2
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/applitools/rendering-grid/blob/93210dee210b231fe641037113285de8b4e7fc55/src/tunnel-process-manager/tunnel-controller.js#L108 106 | detached: false, 107 | windowsHide: true, > 108 | env: { 109 | ...process.env, 110 | tunnelId: this._tunnelId,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.1
2 findingsSpreading entire process.env into an object — may capture all secrets Source: https://github.com/applitools/rendering-grid/blob/953d7f002b01cd6f7ea7c45805c9fddc44f3ff3a/src/tunnel-process-manager/tunnel-controller.js#L108 106 | detached: false, 107 | windowsHide: true, > 108 | env: { 109 | ...process.env, 110 | tunnelId: this._tunnelId,
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.1.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.