{"id":736,"url":"https://github.com/istanbuljs/spawn-wrap","last_synced_at":"2026-02-22T22:56:31.838Z","repository":{"id":31782403,"uuid":"35348811","full_name":"istanbuljs/spawn-wrap","owner":"istanbuljs","description":"Wrap all spawned Node.js child processes by adding environs and arguments ahead of the main JavaScript file argument.","archived":false,"fork":false,"pushed_at":"2025-10-25T19:22:13.000Z","size":757,"stargazers_count":38,"open_issues_count":22,"forks_count":19,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-02-14T18:54:56.694Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"blueoak-1.0.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/istanbuljs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"tidelift":"npm/istanbul-reports"}},"created_at":"2015-05-09T23:05:13.000Z","updated_at":"2026-01-14T19:39:25.000Z","dependencies_parsed_at":"2023-10-10T21:02:54.634Z","dependency_job_id":"25e0d6ba-599f-4bcb-bbaa-464dd9c3d378","html_url":"https://github.com/istanbuljs/spawn-wrap","commit_stats":{"total_commits":177,"total_committers":15,"mean_commits":11.8,"dds":0.3220338983050848,"last_synced_commit":"22c26aa8d5df11588163ab0de95ece76e67b7140"},"previous_names":["isaacs/spawn-wrap","tapjs/spawn-wrap"],"tags_count":37,"template":false,"template_full_name":null,"purl":"pkg:github/istanbuljs/spawn-wrap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/istanbuljs%2Fspawn-wrap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/istanbuljs%2Fspawn-wrap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/istanbuljs%2Fspawn-wrap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/istanbuljs%2Fspawn-wrap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/istanbuljs","download_url":"https://codeload.github.com/istanbuljs/spawn-wrap/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/istanbuljs%2Fspawn-wrap/sbom","scorecard":{"id":495049,"data":{"date":"2025-08-11","repo":{"name":"github.com/istanbuljs/spawn-wrap","commit":"8fe2e0d20cc1a7f8c82809086f9140c736d5d45c"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.5,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Info: Possibly incomplete results: error parsing shell code: \"foo(\" must be followed by ): test/fixtures/npm:0","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/istanbuljs/spawn-wrap/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/istanbuljs/spawn-wrap/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/isaacs-makework.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/istanbuljs/spawn-wrap/isaacs-makework.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/isaacs-makework.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/istanbuljs/spawn-wrap/isaacs-makework.yml/main?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Code-Review","score":4,"reason":"Found 11/27 approved changesets -- score normalized to 4","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: no topLevel permission defined: .github/workflows/isaacs-makework.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: ISC License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/istanbuljs/.github/SECURITY.md:1","Info: Found linked content: github.com/istanbuljs/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/istanbuljs/.github/SECURITY.md:1","Info: Found text in security policy: github.com/istanbuljs/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 22 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"19 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-ff7x-qrg7-qggm","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-9c47-m6qq-7p4h","Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm","Warn: Project is vulnerable to: GHSA-f8q6-p94x-37v3","Warn: Project is vulnerable to: GHSA-xvch-5gv4-984h","Warn: Project is vulnerable to: GHSA-rxrc-rgv4-jpvx","Warn: Project is vulnerable to: GHSA-p8p7-x288-28g6","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-7xcx-6wjh-7xp2","Warn: Project is vulnerable to: GHSA-72xf-g2v4-qvf3","Warn: Project is vulnerable to: GHSA-7p7h-4mm5-852v","Warn: Project is vulnerable to: GHSA-3h5v-q93c-6h6q","Warn: Project is vulnerable to: GHSA-p9pc-299p-vxgp"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-19T20:15:48.996Z","repository_id":31782403,"created_at":"2025-08-19T20:15:48.996Z","updated_at":"2025-08-19T20:15:48.996Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29630514,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-19T18:02:07.722Z","status":"ssl_error","status_checked_at":"2026-02-19T18:01:46.144Z","response_time":117,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-01-05T20:15:30.117Z","updated_at":"2026-02-22T22:56:31.819Z","avatar_url":"https://github.com/istanbuljs.png","language":"JavaScript","readme":"# spawn-wrap\n\nWrap all spawned Node.js child processes by adding environs and\narguments ahead of the main JavaScript file argument.\n\nAny child processes launched by that child process will also be\nwrapped in a similar fashion.\n\nThis is a bit of a brutal hack, designed primarily to support code\ncoverage reporting in cases where tests or the system under test are\nloaded via child processes rather than via `require()`.\n\nIt can also be handy if you want to run your own mock executable\ninstead of some other thing when child procs call into it.\n\n[![Build Status](https://travis-ci.org/istanbuljs/spawn-wrap.svg)](https://travis-ci.org/istanbuljs/spawn-wrap)\n\n## USAGE\n\n```javascript\nvar wrap = require('spawn-wrap')\n\n// wrap(wrapperArgs, environs)\nvar unwrap = wrap(['/path/to/my/main.js', 'foo=bar'], { FOO: 1 })\n\n// later to undo the wrapping, you can call the returned function\nunwrap()\n```\n\nIn this example, the `/path/to/my/main.js` file will be used as the\n\"main\" module, whenever any Node or io.js child process is started,\nwhether via a call to `spawn` or `exec`, whether node is invoked\ndirectly as the command or as the result of a shebang `#!` lookup.\n\nIn `/path/to/my/main.js`, you can do whatever instrumentation or\nenvironment manipulation you like.  When you're done, and ready to run\nthe \"real\" main.js file (ie, the one that was spawned in the first\nplace), you can do this:\n\n```javascript\n// /path/to/my/main.js\n// process.argv[1] === 'foo=bar'\n// and process.env.FOO === '1'\n\n// my wrapping manipulations\nsetupInstrumentationOrCoverageOrWhatever()\nprocess.on('exit', function (code) {\n  storeCoverageInfoSynchronously()\n})\n\n// now run the instrumented and covered or whatever codes\nrequire('spawn-wrap').runMain()\n```\n\n## ENVIRONMENT VARIABLES\n\nSpawn-wrap responds to two environment variables, both of which are\npreserved through child processes.\n\n`SPAWN_WRAP_DEBUG=1` in the environment will make this module dump a\nlot of information to stderr.\n\n`SPAWN_WRAP_SHIM_ROOT` can be set to a path on the filesystem where\nthe shim files are written in a `.node-spawn-wrap-\u003cid\u003e` folder.  By\ndefault this is done in `$HOME`, but in some environments you may wish\nto point it at some other root.  (For example, if `$HOME` is mounted\nas read-only in a virtual machine or container.)\n\n## CONTRACTS and CAVEATS\n\nThe initial wrap call uses synchronous I/O.  Probably you should not\nbe using this script in any production environments anyway.\n\nAlso, this will slow down child process execution by a lot, since\nwe're adding a few layers of indirection.\n\nThe contract which this library aims to uphold is:\n\n* Wrapped processes behave identical to their unwrapped counterparts\n  for all intents and purposes.  That means that the wrapper script\n  propagates all signals and exit codes.\n* If you send a signal to the wrapper, the child gets the signal.\n* If the child exits with a numeric status code, then the wrapper\n  exits with that code.\n* If the child dies with a signal, then the wrapper dies with the\n  same signal.\n* If you execute any Node child process, in any of the various ways\n  that such a thing can be done, it will be wrapped.\n* Children of wrapped processes are also wrapped.\n\n(Much of this made possible by\n[foreground-child](http://npm.im/foreground-child).)\n\nThere are a few ways situations in which this contract cannot be\nadhered to, despite best efforts:\n\n1. In order to handle cases where `node` is invoked in a shell script,\n   the `PATH` environment variable is modified such that the the shim\n   will be run before the \"real\" node.  However, since Windows does\n   not allow executing shebang scripts like regular programs, a\n   `node.cmd` file is required.\n2. Signal propagation through `dash` doesn't always work.  So, if you\n   use `child_process.exec()` on systems where `/bin/sh` is actually\n   `dash`, then the process may exit with a status code \u003e 128 rather\n   than indicating that it received a signal.\n3. `cmd.exe` is even stranger with how it propagates and interprets\n   unix signals.  If you want your programs to be portable, then\n   probably you wanna not rely on signals too much.\n4. It *is* possible to escape the wrapping, if you spawn a bash\n   script, and that script modifies the `PATH`, and then calls a\n   specific `node` binary explicitly.\n","funding_links":["https://tidelift.com/funding/github/npm/istanbul-reports"],"categories":["Known issues"],"sub_categories":["Windows registry"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fistanbuljs%2Fspawn-wrap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fistanbuljs%2Fspawn-wrap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fistanbuljs%2Fspawn-wrap/lists"}