playwright
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:new-function-constructor | AI (semgrep): Found in Playwright's minified MCP bundle; dynamic code execution is expected in a browser automation framework's test runner and MCP server. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): Playwright spawns browser and worker processes as core functionality; child_process.spawn is expected and legitimate. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires in bundled expect library (expectBundleImpl.js); Reflect API usage is standard in assertion library internals. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Fires in bundled expect library; dynamic require is a standard bundler pattern, not arbitrary module loading. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Playwright captures env state before/after test runs to track env changes produced by tests — documented feature, not exfiltration. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Playwright spawns isolated worker processes for test execution; child_process is fundamental to its architecture. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval(`import(...)`) is a standard CJS/ESM interop workaround; input is a file URL from a known path, not user-controlled. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Decoding base64 attachment bodies in teleReceiver.js is standard serialization for Playwright's test reporter protocol. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Same env-tracking feature as env-spread; enumerating keys to diff pre/post test environment is expected behavior. | ai | |
Versions (showing 10 of 10)
| Version | Deps | Published |
|---|---|---|
| 1.60.0 | 1 / 0 | |
| 1.59.1 | 1 / 0 | |
| 1.59.0 | 1 / 0 | |
| 1.58.2 | 1 / 0 | |
| 1.58.1 | 1 / 0 | |
| 1.58.0 | 1 / 0 | |
| 1.57.0 | 1 / 0 | |
| 1.56.1 | 1 / 0 | |
| 1.56.0 | 1 / 0 | |
| 1.55.1 | 1 / 0 | |
v1.60.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.59.1
5 findings
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/microsoft/playwright/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/common/process.js#L52
50 | let processRunner;
51 | let processName;
> 52 | const startingEnv = { ...process.env };
53 | process.on("message", async (message) => {
54 | if (message.method === "__init__") {

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/microsoft/playwright/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/plugins/webServerPlugin.js#L89
87 | const { launchedProcess, gracefullyClose } = await (0, import_utils.launchProcess)({
88 | command: this._options.command,
> 89 | env: {
90 | ...DEFAULT_ENVIRONMENT_VARIABLES,
91 | ...process.env,

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/microsoft/playwright/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/runner/processHost.js#L59
57 | // Otherwise user can end up with a bunch of workers stuck in a busy loop without self-destructing.
58 | detached: false,
> 59 | env: {
60 | ...process.env,
61 | ...this._extraEnv

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/microsoft/playwright/blob/d466ac5358cae058cdc75d2ae3ab3ad220042730/lib/runner/testRunner.js#L79
77 | this._watchTestDirs = !!params.watchTestDirs;
78 | this._populateDependenciesOnList = !!params.populateDependenciesOnList;
> 79 | this._startingEnv = { ...process.env };
80 | }
81 | resizeTerminal(params) {
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.59.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.58.2
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.58.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.58.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.57.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.56.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.56.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.55.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.