← Home

@browserbasehq/stagehand

An AI web browsing framework focused on simplicity and extensibility.

31
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

seanmcguire12kylejeongnosajzerofooldesaadiajmcquilkinmiguel_gbrowserz

Keywords

aibrowserautomationweb-scrapingtesting

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
phantom-deps phantom-dep:devtools-protocol AI (phantom-deps): devtools-protocol used as type/protocol reference in CDP integration; phantom-dep heuristic false positive. ai
phantom-deps phantom-dep:ws AI (phantom-deps): ws is a runtime dep used via playwright/CDP internals; phantom-dep heuristic false positive. ai
publish-pattern dormant-publish AI (publish-pattern): Dormancy aligns with documented Browserbase team transition; high-traffic package with org-level maintainer additions. ai
source-diff source-size-tripled AI (source-diff): Size increase matches addition of multiple AI provider integrations and playwright bundling. ai
source-diff large-new-source-files AI (source-diff): Major framework expansion adding LLM providers, playwright integration, MCP SDK — legitimate growth. ai
provenance missing-githead AI (provenance): Published via GitHub Actions with SLSA provenance; gitHead absence likely from monorepo publish flow. ai
phantom-deps phantom-dep:pino-pretty AI (phantom-deps): pino-pretty is a transport loaded at runtime by pino; not directly imported but required. ai
phantom-deps phantom-dep:@langchain/openai AI (phantom-deps): Optional integration dep; referenced in config/dynamic imports, not static imports. ai
provenance publisher-changed AI (provenance): Transition from desaadi to paul-klein-browserbase is an org-internal handoff within Browserbase; both are established accounts. ai
dependencies unvetted-dep:anthropic AI (dependencies): anthropic@^0.0.0 is declared but confirmed not directly imported (phantom-dep finding accepted). The real Anthropic SDK used is @anthropic-ai/sdk. This stub dependency poses no runtime risk for this package. ai
maintainer-change maintainer-removed AI (maintainer-change): Removal of three maintainers alongside an addition is consistent with team restructuring at Browserbase; no signs of hostile takeover. ai
publish-pattern new-deps-added AI (publish-pattern): @browserbasehq/sdk is the organization's own first-party SDK; adding it to a Browserbase product is expected and low-risk. ai
maintainer-change maintainer-added AI (maintainer-change): Maintainer addition (anirudhkamath) appears to be a legitimate team change within the Browserbase org; publisher paul-klein-browserbase has strong track record and is the package author. ai
phantom-deps phantom-dep:anthropic-ai AI (phantom-deps): anthropic-ai is a compatibility shim, not directly imported. Stable false positive for this package. ai
provenance no-provenance AI (provenance): Established package from known publisher; lack of provenance is common (~88% of npm) and not a risk signal here. ai
phantom-deps phantom-dep:anthropic AI (phantom-deps): anthropic@^0.0.0 is a placeholder/stub dep; actual SDK is @anthropic-ai/sdk. Not directly imported — stable false positive for this package. ai

Versions (showing 31 of 31)

Version Deps Published
3.7.0 14 / 19
3.6.0 14 / 19
3.5.0 14 / 19
3.4.0 15 / 18
3.3.0 15 / 16
3.2.1 15 / 16
3.2.0 15 / 16
3.1.0 15 / 16
3.0.8 15 / 16
3.0.7 15 / 16
3.0.6 16 / 14
3.0.5 15 / 8
3.0.3 15 / 6
3.0.2 15 / 6
3.0.1 15 / 6
3.0.0 15 / 6
2.5.9 13 / 28
2.5.8 13 / 28
2.5.7 13 / 28
2.5.6 13 / 28
2.5.5 13 / 28
2.5.4 13 / 28
2.5.3 13 / 28
1.3.0 6 / 15
1.2.0 6 / 15
1.1.2 6 / 15
1.1.1 6 / 15
1.1.0 6 / 15
1.0.3 5 / 15
1.0.2 5 / 15
1.0.1 5 / 15

v3.7.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.6.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.5.0

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.3.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: paul-klein-browserbase → GitHub Actions (on 2026-04-27) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-27. This could indicate a legitimate maintainer transition or an account compromise.

v3.2.1

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2026-04-08) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-08. This could indicate a legitimate maintainer transition or an account compromise.

v3.2.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2026-03-18) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.

v3.1.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2026-02-24) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-24. This could indicate a legitimate maintainer transition or an account compromise.

v3.0.8

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2026-01-22) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.

v3.0.7

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2025-12-27) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-27. This could indicate a legitimate maintainer transition or an account compromise.

v3.0.6

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2025-12-13) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-13. This could indicate a legitimate maintainer transition or an account compromise.

v3.0.5

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: paul-klein-browserbase → seanmcguire12 (on 2025-11-24) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-24. This could indicate a legitimate maintainer transition or an account compromise.

v3.0.3

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: paul-klein-browserbase.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.2

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: paul-klein-browserbase.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.1

2 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: paul-klein-browserbase.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: seanmcguire12.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: paul-klein-browserbase → seanmcguire12 (on 2025-10-29) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-29. This could indicate a legitimate maintainer transition or an account compromise.

v2.5.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2.5.8

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2026-02-19) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-19. This could indicate a legitimate maintainer transition or an account compromise.

v2.5.7

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2026-01-22) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.

v2.5.6

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2025-12-09) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-09. This could indicate a legitimate maintainer transition or an account compromise.

v2.5.5

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2025-12-09) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-09. This could indicate a legitimate maintainer transition or an account compromise.

v2.5.4

3 findings
HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: seanmcguire12 → GitHub Actions (on 2025-12-05) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-05. This could indicate a legitimate maintainer transition or an account compromise.

v2.5.3

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: paul-klein-browserbase → miguel_g (on 2025-11-17) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-17. This could indicate a legitimate maintainer transition or an account compromise.

v1.3.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.2.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.3

2 findings
HIGH Publisher changed: desaadi → paul-klein-browserbase (on 2024-11-01) provenance

This version was published by a different npm account than previous versions on 2024-11-01. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.