
@dynatrace/cordova-plugin

This plugin gives you the ability to use the Dynatrace instrumentation in your hybrid application (Cordova, Ionic, ..). It uses the Mobile Agent, the JavaScript Agent. The Mobile Agent will give you all device specific values containing lifecycle informat

Versions: 2
License: SEE LICENSE IN LICENSE.md
Install Scripts: Yes
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

dynatrace-nodejs, kamtschatka, dyladan, toddbaert

Keywords

Dynatrace, Mobile, Android, iOS, Cordova, Performance, Monitoring, Ionic

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
install-scripts | install-script:install | AI (install-scripts): InstallCap.js is a documented Capacitor/Cordova setup hook; stable pattern across all versions of this SDK. | ai |
npm-metadata | bundled-binaries | AI (npm-metadata): iOS .framework binaries are standard for Dynatrace mobile SDK; expected in every release. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require constructs module path from module.id — a safe plugin-loader pattern, not arbitrary input. | ai |
semgrep | semgrep:child-process-import | AI (semgrep): child_process used in install helper scripts for build tooling; expected for a Cordova/Capacitor plugin. | ai |

Versions (showing 2 of 2)

Version Deps Published
2.337.1 3 / 26
2.335.1 3 / 26

v2.337.1

3 findings
HIGH: Package has 'install' script (source: install-scripts)

Script: node ./scripts/InstallCap.js

HIGH: Bundled binary files (2) (source: npm-metadata)

Package contains compiled binaries that could be backdoors:
• files/iOS/Dynatrace.xcframework/ios-arm64/Dynatrace.framework/Dynatrace
• files/iOS/Dynatrace.xcframework/tvos-arm64/Dynatrace.framework/Dynatrace

LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.335.1

3 findings
HIGH: Package has 'install' script (source: install-scripts)

Script: node ./scripts/InstallCap.js

HIGH: Bundled binary files (2) (source: npm-metadata)

Package contains compiled binaries that could be backdoors:
• files/iOS/Dynatrace.xcframework/ios-arm64/Dynatrace.framework/Dynatrace
• files/iOS/Dynatrace.xcframework/tvos-arm64/Dynatrace.framework/Dynatrace

LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.