@public-ui/visual-tests

Provides utility to run visual regression tests for themes.

Versions: 25
License: EUPL-1.2
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- No source commit

Maintainers

m.oppitz (itzbund)

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): m.oppitz is the established maintainer (59 approved packages); transition from CI to named publisher is expected. | ai |
phantom-deps | phantom-dep:axe-playwright | AI (phantom-deps): axe-playwright is used in config/test files rather than directly imported; stable pattern for this test utility package. | ai |
publish-pattern | rapid-publish | AI (publish-pattern): Published by GitHub Actions automation; rapid successive publishes are normal for this CI-driven monorepo release pipeline. | ai |
phantom-deps | phantom-dep:serve | AI (phantom-deps): serve is a legitimate runtime dependency for this test utility; phantom-dep finding reflects config-file reference, not a real issue. | ai |
dependencies | unvetted-dep:axe-html-reporter | AI (dependencies): axe-html-reporter is a well-known accessibility reporting tool from the axe-core ecosystem; legitimate dependency for a visual/accessibility testing utility. | ai |
dependencies | unvetted-dep:@axe-core/playwright | AI (dependencies): @axe-core/playwright is the official Playwright integration from Deque Systems' axe-core; legitimate and expected dependency for this testing package. | ai |
phantom-deps | phantom-dep:http-server | AI (phantom-deps): http-server is a declared runtime dependency used via config files in this test utility, not direct JS imports. Expected pattern for test infrastructure. | ai |
phantom-deps | phantom-dep:@public-ui/sample-react | AI (phantom-deps): Same org scope package used as a test fixture; referenced in config rather than direct imports. Expected for this package. | ai |
phantom-deps | phantom-dep:@axe-core/playwright | AI (phantom-deps): Referenced in playwright config files rather than direct imports; expected pattern for this test utility. | ai |
phantom-deps | phantom-dep:axe-html-reporter | AI (phantom-deps): axe-html-reporter is referenced in playwright config files rather than direct imports; normal for test runner packages. | ai |
semgrep | semgrep:env-spread | AI (semgrep): process.env spread is used to pass environment to a local child process in a test runner utility; standard pattern, no exfiltration risk. Stable for this package. | ai |

Versions (showing 25 of 25)

Version Deps Published
4.2.1 5 / 7
4.2.0 5 / 7
4.1.4 5 / 8
4.1.3 5 / 8
4.1.2 5 / 8
4.1.1 5 / 8
4.1.0 5 / 8
4.0.3 5 / 8
4.0.2 5 / 8
4.0.1 5 / 8
4.0.0 5 / 8
3.1.5 5 / 10
3.1.4 5 / 10
3.1.3 5 / 10
3.1.2 5 / 10
3.1.1 5 / 8
3.1.0 5 / 8
3.0.9 5 / 8
3.0.8 5 / 8
2.2.23 4 / 7
2.2.22 4 / 7
2.2.21 4 / 7
2.2.20 4 / 7
2.2.19 4 / 7
2.2.18 4 / 7

v4.2.1

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.2.0

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.3

2 findings
HIGH  env-spread: src/index.js:58  (source: semgrep)

Spreading entire process.env into an object; may capture all secrets.

      56 |   cwd: visualsTestModulePath,
      57 |   shell: true,
    > 58 |   env: {
      59 |     ...process.env,
      60 |     KOLIBRI_CWD: process.cwd(),

INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.2

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.1.1

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.3

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.1

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.5

2 findings
HIGH  Publisher changed: GitHub Actions → m.oppitz (on 2026-04-28)  (source: provenance)

This version was published by a different npm account than previous versions on 2026-04-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.3

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.2

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.1

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.0

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.9

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.8

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.23

2 findings
HIGH  Publisher changed: GitHub Actions → m.oppitz (on 2026-04-28)  (source: provenance)

This version was published by a different npm account than previous versions on 2026-04-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.21

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.20

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.19

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.2.18

1 finding
INFO  Has SLSA provenance attestation  (source: provenance)

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.