@tramvai/test-pw
Set of helpers for using [playwright](https://playwright.dev) in the integration tests
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | dormant-publish | AI (publish-pattern): Tramvai monorepo with 560 versions; publisher has 101 approved packages and matches known org. | ai | |
| dependencies | unvetted-dep:wait-on | AI (dependencies): wait-on is a standard test utility for waiting on ports/URLs; expected in a Playwright test helper. | ai | |
| dependencies | unvetted-dep:console-with-style | AI (dependencies): console-with-style is a benign logging utility; consistent with test tooling context. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Standard subprocess env passthrough in a test fixture; not exfiltration. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a known implicit TypeScript runtime dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:get-port | AI (phantom-deps): get-port is declared in dependencies and used via config; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:wait-on | AI (phantom-deps): wait-on is declared in dependencies and used via config; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:execa | AI (phantom-deps): execa is declared in dependencies and used via config/scripts; phantom-dep heuristic false positive. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 7.21.0 | 10 / 6 | |
| 7.19.1 | 10 / 6 | |
| 7.18.0 | 10 / 6 | |
| 7.17.5 | 10 / 6 | |
| 7.17.1 | 10 / 6 | |
| 7.16.1 | 10 / 6 | |
| 7.16.0 | 10 / 6 | |
| 6.80.26 | 10 / 6 | |
| 6.80.23 | 10 / 6 | |
| 6.80.20 | 10 / 6 | |
| 6.80.13 | 10 / 6 | |
| 6.80.10 | 10 / 6 | |
| 6.80.7 | 10 / 6 | |
| 6.80.6 | 10 / 6 | |
| 5.53.150 | 10 / 6 | |
| 5.53.142 | 10 / 6 | |
| 5.53.140 | 10 / 6 | |
v7.21.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.19.1
3 findings:

- Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/tramvaijs/tramvai/blob/ea61c0e978ad5c668d494f7c9ac3817e9750ee05/lib/fixtures/build-app.es.js#L68

```js
  66 | ], {
  67 |   cwd: root,
> 68 |   env: {
  69 |     ...process.env,
  70 |     ...options?.env,
```

- Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/tramvaijs/tramvai/blob/ea61c0e978ad5c668d494f7c9ac3817e9750ee05/lib/fixtures/build-app.js#L80

```js
  78 | ], {
  79 |   cwd: root,
> 80 |   env: {
  81 |     ...process.env,
  82 |     ...options?.env,
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.17.5
3 findings:

- Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/tramvaijs/tramvai/blob/0001b0774fbc3b69cede7b81f85d6aadc1b0c5f0/lib/fixtures/build-app.es.js#L68

```js
  66 | ], {
  67 |   cwd: root,
> 68 |   env: {
  69 |     ...process.env,
  70 |     ...options?.env,
```

- Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/tramvaijs/tramvai/blob/0001b0774fbc3b69cede7b81f85d6aadc1b0c5f0/lib/fixtures/build-app.js#L80

```js
  78 | ], {
  79 |   cwd: root,
> 80 |   env: {
  81 |     ...process.env,
  82 |     ...options?.env,
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.17.1
3 findings:

- Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/tramvaijs/tramvai/blob/b0caa4dfe10ba1d0eab45b06bd1397a57a2848d6/lib/fixtures/build-app.es.js#L68

```js
  66 | ], {
  67 |   cwd: root,
> 68 |   env: {
  69 |     ...process.env,
  70 |     ...options?.env,
```

- Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/tramvaijs/tramvai/blob/b0caa4dfe10ba1d0eab45b06bd1397a57a2848d6/lib/fixtures/build-app.js#L80

```js
  78 | ], {
  79 |   cwd: root,
> 80 |   env: {
  81 |     ...process.env,
  82 |     ...options?.env,
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.16.1
3 findings:

- Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/tramvaijs/tramvai/blob/1c87344854708224aa7d2b62fd05e890c5a5fb72/lib/fixtures/build-app.es.js#L68

```js
  66 | ], {
  67 |   cwd: root,
> 68 |   env: {
  69 |     ...process.env,
  70 |     ...options?.env,
```

- Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/tramvaijs/tramvai/blob/1c87344854708224aa7d2b62fd05e890c5a5fb72/lib/fixtures/build-app.js#L80

```js
  78 | ], {
  79 |   cwd: root,
> 80 |   env: {
  81 |     ...process.env,
  82 |     ...options?.env,
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.16.0
3 findings:

- Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/tramvaijs/tramvai/blob/bec28438e80b3968d495c08ace216d0f6ad7d145/lib/fixtures/build-app.es.js#L68

```js
  66 | ], {
  67 |   cwd: root,
> 68 |   env: {
  69 |     ...process.env,
  70 |     ...options?.env,
```

- Spreading entire process.env into an object — may capture all secrets. Source: ssh://[email protected]/tramvaijs/tramvai/blob/bec28438e80b3968d495c08ace216d0f6ad7d145/lib/fixtures/build-app.js#L80

```js
  78 | ], {
  79 |   cwd: root,
> 80 |   env: {
  81 |     ...process.env,
  82 |     ...options?.env,
```

- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.80.26
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.80.23
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.80.13
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.80.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.80.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.80.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.53.150
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.53.142
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.53.140
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.