Your Tests Pass. Your Mutation Score Is 40%. Here's What Surviving Mutants Are Actually Telling You.

Your tests pass. Your coverage report says 87%. But your mutation score is 40%, and half your mutants are still alive.

That 40% doesn’t mean your code is broken. It means your tests are. Coverage measures which lines executed during a test run. Mutation testing measures whether your tests would notice if those lines started doing the wrong thing. A 40% mutation score means 60% of the bugs that could have been introduced into your code would have sailed straight through CI.

What a Surviving Mutant Actually Is

A surviving mutant is a small, artificial bug that your tests failed to catch.

Mutation testing tools work by taking your source code and applying a set of predefined transformations, one at a time. They might flip a > to a >=, change a + to a -, or replace a boolean condition with true. Each transformed version of your code is a mutant. The tool runs your test suite against every mutant. If any test fails, the mutant is “killed.” If all tests pass, the mutant “survives.”

A surviving mutant means one of two things. Either your tests don’t actually verify the behavior that the mutant broke, or the mutant is “equivalent” (the transformation produces semantically identical code, which is a known hard problem in mutation testing).

Most survivors are not equivalent. Most are dead bugs walking.

A Concrete Example: The Password Validator

Here’s a function that checks whether a password meets policy requirements:

// password.js
function isValidPassword(password) {
  if (password.length < 8) {
    return false;
  }
  if (!/[A-Z]/.test(password)) {
    return false;
  }
  if (!/[0-9]/.test(password)) {
    return false;
  }
  return true;
}

module.exports = { isValidPassword };

And here’s a test suite that gives you 100% line coverage:

// password.test.js
const { isValidPassword } = require('./password');

test('accepts a valid password', () => {
  expect(isValidPassword('Hello1')).toBe(true);
});

test('rejects a short password', () => {
  expect(isValidPassword('Hi1')).toBe(false);
});

test('rejects a password without uppercase', () => {
  expect(isValidPassword('hello1')).toBe(false);
});

test('rejects a password without a digit', () => {
  expect(isValidPassword('Hellooo')).toBe(false);
});

Wait. isValidPassword('Hello1') returns true, but 'Hello1' is only six characters. The first check should reject it. The test is wrong, but it passes because the test itself is asserting the wrong behavior.

A mutation testing tool like Stryker would catch this. One of its mutations would flip < to <= in the length check. That mutant would survive because the existing tests don’t actually verify the boundary at 8 characters. Another mutation might delete the entire first if block. That mutant would also survive, because the tests don’t include an eight-character password without an uppercase letter or digit. The upper bound on length is never tested in combination with the other rules.

Here’s a test suite that actually kills those mutants:

// password.test.js
const { isValidPassword } = require('./password');

test('rejects password shorter than 8 chars', () => {
  expect(isValidPassword('Hello1')).toBe(false);
});

test('accepts password exactly 8 chars with uppercase and digit', () => {
  expect(isValidPassword('Hello1!@')).toBe(true);
});

test('rejects password without uppercase', () => {
  expect(isValidPassword('hello1!@')).toBe(false);
});

test('rejects password without digit', () => {
  expect(isValidPassword('Helloooo')).toBe(false);
});

test('rejects password missing both uppercase and digit', () => {
  expect(isValidPassword('helloooo')).toBe(false);
});

Now the boundary at 8 is explicitly tested. The <= mutant fails because 'Hello1!@' (8 chars) must be accepted. The deletion mutant fails because 'helloooo' would slip through without the length check.

How Mutation Testing Actually Works Under the Hood

Mutation testing is computationally expensive because it runs your full test suite once per mutant.

If your codebase has 10,000 lines and your mutation tool generates 3,000 mutants, that’s 3,000 test suite runs. Early academic implementations were essentially unusable on real codebases for this reason. Modern tools have gotten smarter.

Stryker, the most widely used mutation testing framework for JavaScript and TypeScript, uses several optimizations:

Mutant scoping: Stryker only runs the subset of tests that could possibly reach the mutated line, based on coverage data from an initial dry run.
Parallel execution: Mutants are evaluated across worker processes.
Incremental mode: Stryker caches results and only re-evaluates mutants for code that changed since the last run.
Checkers: For compiled languages, Stryker can verify mutants at the AST level without recompiling the entire project.

Even with these optimizations, a full mutation test run on a large codebase can still take 10-30 minutes. This is why most teams run mutation testing in CI on pull requests or nightly builds, not on every save.

The Trade-Offs Nobody Talks About

Mutation testing is not free, and it’s not always the right tool.

The equivalent mutant problem is the biggest theoretical limitation. Some mutations don’t change observable behavior. Consider:

const timeout = 1000 * 60;

A mutation that changes this to 1000 * 61 is semantically different. But a mutation that changes it to 60 * 1000 is equivalent. No test can kill it because the value is identical. Distinguishing equivalent mutants from genuine survivors is undecidable in the general case. Modern tools use heuristics to skip obvious cases, but you’ll still see some.

Performance is real. On a medium-sized TypeScript project, Stryker might generate 2,000 mutants and take 15 minutes to evaluate them. That’s 15 minutes of CI time on every run if you enable it for pull requests. Teams typically start with a threshold (say, fail the build if mutation score drops below 60%) and run full analysis nightly.

False confidence cuts both ways. A 100% mutation score doesn’t mean your code has no bugs. It means no bug that matches the tool’s mutation operators would have slipped through. Mutation testing can’t invent bugs it doesn’t know how to create. It won’t catch logical errors in your requirements, race conditions it can’t simulate, or integration failures across service boundaries.

How to Actually Start Using Mutation Testing

If you’re writing JavaScript or TypeScript, Stryker is the place to start.

Install it:

npm install --save-dev @stryker-mutator/core @stryker-mutator/jest-runner

Create stryker.config.mjs:

// @ts-check
/** @type {import('@stryker-mutator/api/core').PartialStrykerOptions} */
const config = {
  packageManager: 'npm',
  reporters: ['html', 'clear-text', 'progress'],
  testRunner: 'jest',
  coverageAnalysis: 'perTest',
  mutate: ['src/**/*.js'],
  threshold: {
    break: 60,
  },
};

export default config;

Run it:

npx stryker run

Start by looking at the HTML report, not the score. The report shows each surviving mutant inline with your source code. Read through the first ten survivors. For each one, ask: would a real bug at this location cause a production issue? If yes, write a test that would catch it. If no, consider whether the code is over-engineered.

Don’t chase 100%. On a mature codebase, 70-80% is a strong score. Below 50%, you probably have tests that execute code without asserting anything meaningful. Above 90%, you’re likely hitting diminishing returns and a growing equivalent-mutant tax.

What to Do With Your 40%

A 40% mutation score is a gift. It tells you exactly where your tests are decorative.

Pick the three files with the most surviving mutants. Read each survivor and ask what assertion is missing. Often the fix is simple: you called a function in a test but never checked the return value. Or you passed data through a parser but never verified the parsed output. Or you tested the happy path three times with different inputs but never tested the error branch.

The mutants aren’t noise. They’re a ranked list of the most likely places for an untested bug to hide. Start at the top.

FAQ

What’s the difference between code coverage and mutation testing? Code coverage measures which lines were executed. Mutation testing measures whether your tests would fail if those lines contained a bug. 100% coverage with 40% mutation score means you ran every line, but your tests wouldn’t notice if most of them were wrong.

Can mutation testing find bugs in my existing code? No. Mutation testing evaluates your tests, not your source code. It tells you where your tests are insufficient. It does not tell you whether your code is correct, only whether your tests would catch certain classes of errors.

Which languages have good mutation testing tools? JavaScript/TypeScript (Stryker), Java (PIT), C# (Stryker.NET), Python (mutmut), and Rust (cargo-mutants) all have mature tools. The ecosystem varies in performance and supported mutation operators.

Should mutation testing replace code coverage? No. Coverage is cheap and fast. Use it for quick feedback during development. Use mutation testing as a periodic quality gate to find the blind spots that coverage can’t see.