@amplitude/plugin-session-replay-browser
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@amplitude/rrweb-plugin-console-record | AI (dependencies): Same-org Amplitude dependency used in session replay; stable pattern across versions. | ai | |
| dependencies | unvetted-dep:@amplitude/rrweb-record | AI (dependencies): Same-org Amplitude dependency used in session replay; stable pattern across versions. | ai | |
| source-diff | encoded-string-file:lib/scripts/plugin-session-replay-browser-esm.js | AI (source-diff): Standard minified TypeScript bundle output; samples show normal TS helpers, not obfuscated payloads. | ai | |
| provenance | missing-githead | AI (provenance): SLSA provenance attestation present; missing gitHead reflects CI config change, not integrity loss. | ai | |
| source-diff | encoded-string-file:lib/scripts/plugin-session-replay-browser-min.js | AI (source-diff): Minified SDK bundle; long encoded strings are expected build artifacts for this package. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Fires on minified session-replay bundle; expected pattern for this package, not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:@amplitude/rrweb-plugin-console-record | AI (phantom-deps): First-party @amplitude dep bundled into output; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:@amplitude/rrweb-record | AI (phantom-deps): First-party @amplitude dep bundled into output; phantom-dep heuristic false positive. | ai | |
| phantom-deps | phantom-dep:idb-keyval | AI (phantom-deps): idb-keyval is a declared runtime dep; phantom-dep heuristic false positive for this bundled package. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires on minified bundle; Reflect.get in minified code is a standard JS pattern, not evasion. | ai |
Versions (showing 70 of 70)
| Version | Deps | Published |
|---|---|---|
| 1.31.0 | 8 / 12 | |
| 1.30.5 | 8 / 12 | |
| 1.30.4 | 8 / 12 | |
| 1.30.3 | 8 / 12 | |
| 1.30.2 | 8 / 12 | |
| 1.30.1 | 8 / 12 | |
| 1.30.0 | 8 / 12 | |
| 1.29.0 | 8 / 12 | |
| 1.28.1 | 8 / 12 | |
| 1.28.0 | 8 / 12 | |
| 1.27.10 | 8 / 12 | |
| 1.27.9 | 8 / 12 | |
| 1.27.8 | 8 / 12 | |
| 1.27.7 | 8 / 12 | |
| 1.27.6 | 8 / 13 | |
| 1.27.5 | 8 / 13 | |
| 1.27.4 | 8 / 13 | |
| 1.27.3 | 8 / 13 | |
| 1.27.2 | 8 / 13 | |
| 1.27.1 | 8 / 13 | |
| 1.27.0 | 8 / 13 | |
| 1.26.4 | 8 / 13 | |
| 1.26.3 | 8 / 13 | |
| 1.26.2 | 8 / 13 | |
| 1.26.1 | 8 / 13 | |
| 1.26.0 | 8 / 13 | |
| 1.25.21 | 8 / 13 | |
| 1.25.20 | 8 / 13 | |
| 1.25.19 | 8 / 13 | |
| 1.25.18 | 8 / 13 | |
| 1.25.17 | 8 / 13 | |
| 1.25.16 | 8 / 13 | |
| 1.25.15 | 8 / 13 | |
| 1.25.14 | 8 / 13 | |
| 1.25.13 | 8 / 13 | |
| 1.25.12 | 8 / 13 | |
| 1.25.11 | 8 / 13 | |
| 1.25.10 | 8 / 13 | |
| 1.25.9 | 8 / 12 | |
| 1.25.8 | 8 / 12 | |
| 1.25.7 | 8 / 12 | |
| 1.25.6 | 8 / 12 | |
| 1.25.5 | 6 / 11 | |
| 1.25.4 | 6 / 11 | |
| 1.25.3 | 6 / 11 | |
| 1.25.2 | 6 / 11 | |
| 1.25.1 | 6 / 11 | |
| 1.25.0 | 6 / 11 | |
| 1.24.1 | 6 / 11 | |
| 1.24.0 | 6 / 11 | |
| 1.23.6 | 6 / 11 | |
| 1.23.5 | 6 / 11 | |
| 1.23.4 | 6 / 11 | |
| 1.23.3 | 6 / 11 | |
| 1.23.2 | 6 / 11 | |
| 1.18.2 | 4 / 11 | |
| 1.18.1 | 4 / 11 | |
| 1.18.0 | 4 / 11 | |
| 1.17.0 | 4 / 11 | |
| 1.16.15 | 4 / 11 | |
| 1.16.14 | 4 / 11 | |
| 1.16.13 | 4 / 11 | |
| 1.16.9 | 4 / 11 | |
| 1.16.8 | 4 / 11 | |
| 1.16.7 | 4 / 11 | |
| 1.16.5 | 4 / 11 | |
| 1.16.4 | 4 / 11 | |
| 1.16.3 | 4 / 11 | |
| 1.16.2 | 4 / 11 | |
| 1.16.1 | 4 / 11 |
v1.31.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.30.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.30.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.30.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.30.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.30.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.30.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.29.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.28.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.10
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.9
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.27.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.26.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.21
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.20
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.19
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.18
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.17
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.16
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.15
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.14
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.25.13
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.25.12
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.25.11
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.25.10
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.8
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.6
2 findingsPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.25.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.1
2 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.25.0
2 findingsModified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.24.1
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.24.0
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.3
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.2
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.18.2
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.1
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.0
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.15
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.14
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.13
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.9
2 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.7
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.