@stryker-mutator/core
Supply chain provenance
Status for the latest visible version.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| typosquat | typosquat.levenshtein:cors | AI (typosquat): Scoped @stryker-mutator/core is not a typosquat of cors; stable false positive. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Test runner passes env to worker child processes; expected pattern. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Mutation test runner spawns child processes by design. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit runtime dependency for TypeScript projects. | ai | |
| phantom-deps | phantom-dep:source-map | AI (phantom-deps): Referenced in config; known implicit usage pattern. | ai | |
v9.6.1
4 findings

Package name '@stryker-mutator/core' is 1 edit(s) away from popular package 'cors'.

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/stryker-mutator/stryker-js/blob/e1abfbeb9a27dba8aac9ea019860241b0ca80ead/src/child-proxy/child-process-proxy.ts#L83

```text
  81 | silent: true,
  82 | execArgv,
> 83 | env: { STRYKER_MUTATOR_WORKER: workerId, ...process.env },
  84 | },
  85 | );
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/stryker-mutator/stryker-js/blob/e1abfbeb9a27dba8aac9ea019860241b0ca80ead/src/test-runner/command-test-runner.ts#L98

```text
  96 | activeMutantId === undefined
  97 | ? process.env
> 98 | : {
  99 | ...process.env,
 100 | [INSTRUMENTER_CONSTANTS.ACTIVE_MUTANT_ENV_VARIABLE]:
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.4.0
4 findings

Package name '@stryker-mutator/core' is 1 edit(s) away from popular package 'cors'.

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/stryker-mutator/stryker-js/blob/0bfd6499f5836ec2306d36da9da7aade05cd43b0/src/child-proxy/child-process-proxy.ts#L83

```text
  81 | silent: true,
  82 | execArgv,
> 83 | env: { STRYKER_MUTATOR_WORKER: workerId, ...process.env },
  84 | },
  85 | );
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/stryker-mutator/stryker-js/blob/0bfd6499f5836ec2306d36da9da7aade05cd43b0/src/test-runner/command-test-runner.ts#L86

```text
  84 | activeMutantId === undefined
  85 | ? process.env
> 86 | : {
  87 | ...process.env,
  88 | [INSTRUMENTER_CONSTANTS.ACTIVE_MUTANT_ENV_VARIABLE]:
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v9.0.0
4 findings

Package name '@stryker-mutator/core' is 1 edit(s) away from popular package 'cors'.

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/stryker-mutator/stryker-js/blob/d9283096240428ce35df1505a93b3d9b9dd7b849/src/child-proxy/child-process-proxy.ts#L64

```text
  62 | silent: true,
  63 | execArgv,
> 64 | env: { STRYKER_MUTATOR_WORKER: workerId, ...process.env },
  65 | });
  66 | this.initTask = new Task();
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/stryker-mutator/stryker-js/blob/d9283096240428ce35df1505a93b3d9b9dd7b849/src/test-runner/command-test-runner.ts#L72

```text
  70 | const output: Array<Buffer | string> = [];
  71 | const env =
> 72 | activeMutantId === undefined ? process.env : { ...process.env, [INSTRUMENTER_CONSTANTS.ACTIVE_MUTANT_ENV_VARIABL
  73 | const childProcess = exec(this.settings.command, { cwd: this.workingDir, env });
  74 | childProcess.on('error', (error) => {
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.