@amplitude/session-replay-browser
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:lib/scripts/session-replay-browser-esm.js | AI (source-diff): Minified bundle output; standard TypeScript compilation artifacts. | ai | |
| source-diff | encoded-string-file:lib/scripts/session-replay-browser-min.js | AI (source-diff): Minified bundle output; standard TypeScript compilation artifacts. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Empty description is intentional for this scoped Amplitude package; stable across versions. | ai | |
| source-diff | encoded-string-file:lib/scripts/amplitude-min.umd.js | AI (source-diff): Minified UMD bundle with source map; stable pattern for this package. | ai | |
| source-diff | encoded-string-file:lib/scripts/amplitude-min.js | AI (source-diff): Minified bundle with source map; stable pattern for this package. | ai | |
| provenance | missing-githead | AI (provenance): SLSA provenance attestation present; gitHead absence is a minor metadata gap, not a supply-chain risk for this well-established package. | ai | |
| source-diff | obfuscated-file:lib/scripts/session-replay-browser-esm.js | AI (source-diff): Standard minified build artifact from Amplitude's public repo; expected for this package. | ai | |
| source-diff | obfuscated-file:lib/scripts/session-replay-browser-min.js | AI (source-diff): Standard rollup/terser minified build artifact with source map; consistent with Amplitude's documented build pipeline. | ai | |
| source-diff | obfuscated-file:lib/scripts/console-plugin-min.js | AI (source-diff): Standard rollup/terser minified build artifact with source map; consistent with Amplitude's documented build pipeline. | ai | |
| source-diff | obfuscated-file:lib/scripts/rrweb-record-min.js | AI (source-diff): Standard rollup/terser minified build artifact with source map; consistent with Amplitude's documented build pipeline. | ai | |
| source-diff | obfuscated-file:lib/scripts/session-replay-min.js | AI (source-diff): Standard rollup/terser minified build artifact with source map; consistent with Amplitude's documented build pipeline. | ai | |
| source-diff | obfuscated-file:lib/scripts/targeting-min.js | AI (source-diff): Standard rollup/terser minified build artifact with source map; consistent with Amplitude's documented build pipeline. | ai | |
| dependencies | unvetted-dep:@amplitude/rrweb-types | AI (dependencies): First-party Amplitude scoped package; consistent with session-replay SDK across all versions. | ai | |
| dependencies | unvetted-dep:@amplitude/rrweb-record | AI (dependencies): First-party Amplitude scoped package; consistent with session-replay SDK across all versions. | ai | |
| dependencies | unvetted-dep:@amplitude/rrweb-utils | AI (dependencies): First-party Amplitude scoped package; consistent with session-replay SDK across all versions. | ai | |
| dependencies | unvetted-dep:@amplitude/rrweb-plugin-console-record | AI (dependencies): Amplitude's own rrweb plugin fork; expected dependency for session-replay SDK. | ai | |
| dependencies | unvetted-dep:@amplitude/rrweb-packer | AI (dependencies): Amplitude's own rrweb-packer fork; expected dependency for session-replay SDK. | ai | |
| dependencies | unvetted-dep:@amplitude/rrweb | AI (dependencies): Amplitude's own rrweb fork; expected core dependency for session-replay SDK across all versions. | ai | |
| dependencies | unvetted-dep:@amplitude/rrweb-snapshot | AI (dependencies): Amplitude's own rrweb-snapshot fork; expected dependency for session-replay SDK. | ai | |
| phantom-deps | phantom-dep:@amplitude/experiment-core | AI (phantom-deps): First-party @amplitude scoped dep in monorepo; phantom-dep heuristic is a false positive here. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Reflect.get used for history API monkey-patching in session-replay; standard technique, not obfuscation. | ai | |
| phantom-deps | phantom-dep:@amplitude/rrweb-utils | AI (phantom-deps): First-party @amplitude scoped dep in monorepo; phantom-dep heuristic is a false positive here. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 in minified console plugin bundle is expected for session-replay encoding; no malicious payload. | ai | |
| phantom-deps | phantom-dep:@rollup/plugin-replace | AI (phantom-deps): Build-time rollup plugin loaded by convention; phantom-dep false positive. | ai | |
| phantom-deps | phantom-dep:@amplitude/analytics-client-common | AI (phantom-deps): First-party @amplitude scoped dep in monorepo; phantom-dep heuristic is a false positive here. | ai | |
| phantom-deps | phantom-dep:@amplitude/rrweb-packer | AI (phantom-deps): First-party @amplitude scoped dep in monorepo; phantom-dep heuristic is a false positive here. | ai | |
Versions (showing 45 of 45)
| Version | Deps | Published |
|---|---|---|
| 1.44.1 | 13 / 14 | |
| 1.44.0 | 13 / 14 | |
| 1.43.0 | 13 / 14 | |
| 1.42.3 | 13 / 14 | |
| 1.42.2 | 13 / 14 | |
| 1.42.1 | 13 / 14 | |
| 1.42.0 | 13 / 14 | |
| 1.41.0 | 13 / 14 | |
| 1.40.0 | 13 / 14 | |
| 1.39.0 | 13 / 14 | |
| 1.38.0 | 13 / 14 | |
| 1.37.0 | 13 / 14 | |
| 1.36.2 | 13 / 14 | |
| 1.36.1 | 13 / 14 | |
| 1.36.0 | 13 / 14 | |
| 1.35.1 | 13 / 14 | |
| 1.29.4 | 12 / 12 | |
| 1.28.11 | 12 / 12 | |
| 1.28.10 | 12 / 12 | |
| 1.28.9 | 12 / 12 | |
| 1.28.8 | 12 / 12 | |
| 1.28.7 | 12 / 12 | |
| 1.28.6 | 12 / 12 | |
| 1.28.5 | 12 / 12 | |
| 1.28.4 | 12 / 12 | |
| 1.28.3 | 12 / 12 | |
| 1.28.2 | 12 / 12 | |
| 1.28.1 | 12 / 12 | |
| 1.28.0 | 12 / 12 | |
| 1.27.0 | 9 / 12 | |
| 1.26.2 | 9 / 12 | |
| 1.26.1 | 9 / 12 | |
| 1.26.0 | 9 / 12 | |
| 1.25.3 | 9 / 12 | |
| 1.25.2 | 9 / 12 | |
| 1.25.1 | 9 / 12 | |
| 1.25.0 | 9 / 12 | |
| 1.24.1 | 8 / 12 | |
| 1.24.0 | 8 / 12 | |
| 1.23.0 | 8 / 12 | |
| 1.22.11 | 8 / 12 | |
| 1.22.10 | 8 / 12 | |
| 1.22.3 | 9 / 12 | |
| 1.22.2 | 9 / 12 | |
| 1.22.1 | 9 / 12 | |
v1.44.1
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.44.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.43.0
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.42.3
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.42.2
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.42.1
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.42.0
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.41.0
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.40.0
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.38.0
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.37.0
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.36.2
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.36.1
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.36.0
2 findings: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
v1.35.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.29.4
1 finding: Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.28.11
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.10
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.9
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.8
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.7
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.6
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.5
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.4
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.3
6 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 5 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.2
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.1
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.28.0
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.27.0
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.2
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.1
5 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 4 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.26.0
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.25.3
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.25.2
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.25.1
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.25.0
2 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.24.1
4 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator. (reported 3 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.24.0
3 findings: Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.23.0
3 findings: Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.11
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.3
3 findings: Modified file contains 2 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. (reported 2 times)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.22.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.