@dynatrace/rum-javascript-sdk
JavaScript API for Real User Monitoring (RUM)
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/types/rum-events/rum-event-keys.js | AI (source-diff): File is a large compiled TypeScript enum with long lines from many string assignments — not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/types/index-typedoc.js | AI (source-diff): File is readable ESM re-export barrel; long lines are inline source maps, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/testing/test.js | AI (source-diff): Readable Playwright test fixture code; long lines are inline source maps. | ai | |
| source-diff | obfuscated-file:dist/testing/snapshot.js | AI (source-diff): Readable snapshot testing utility; long lines are inline source maps. | ai | |
| source-diff | obfuscated-file:dist/types/testing/snapshot-defaults.js | AI (source-diff): Long lines are base64-encoded inline source maps from TypeScript compilation, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/types/testing/dynatrace-testing.js | AI (source-diff): Long lines are base64-encoded inline source maps from TypeScript compilation, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/api/promises/interactions.js | AI (source-diff): Same tsc-compiled pattern with base64 sourcemap; false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/api/interactions.js | AI (source-diff): File is fully readable compiled TypeScript with JSDoc comments; long lines are from inline source maps, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/testing/types/dynatrace-testing.js | AI (source-diff): File contains only 'export {};' plus an inline source map; the base64 decodes to readable TS interface definitions, not obfuscated code. | ai | |
| source-diff | obfuscated-file:dist/types/rum-events/open-fields.js | AI (source-diff): File contains readable TypeScript-compiled type definitions; long lines are from large string arrays/enums, not obfuscation. | ai | |
Versions (showing 32 of 32)
| Version | Deps | Published |
|---|---|---|
| 1.339.9 | 0 / 10 | |
| 1.339.8 | 0 / 10 | |
| 1.339.7 | 0 / 10 | |
| 1.339.6 | 0 / 10 | |
| 1.339.5 | 0 / 10 | |
| 1.339.4 | 0 / 10 | |
| 1.339.3 | 0 / 10 | |
| 1.339.2 | 0 / 10 | |
| 1.339.1 | 0 / 10 | |
| 1.337.12 | 1 / 10 | |
| 1.337.11 | 1 / 10 | |
| 1.337.10 | 1 / 10 | |
| 1.337.9 | 1 / 10 | |
| 1.337.8 | 1 / 10 | |
| 1.337.7 | 1 / 10 | |
| 1.337.6 | 1 / 10 | |
| 1.337.5 | 1 / 10 | |
| 1.337.4 | 1 / 10 | |
| 1.337.3 | 1 / 10 | |
| 1.337.2 | 1 / 10 | |
| 1.337.1 | 1 / 10 | |
| 1.335.9 | 1 / 10 | |
| 1.335.7 | 1 / 10 | |
| 1.335.6 | 1 / 10 | |
| 1.335.5 | 1 / 10 | |
| 1.333.16 | 1 / 10 | |
| 1.331.17 | 1 / 10 | |
| 1.331.13 | 1 / 10 | |
| 1.329.5 | 1 / 10 | |
| 1.329.4 | 1 / 10 | |
| 1.329.3 | 1 / 10 | |
| 1.329.2 | 1 / 10 | |
v1.339.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.339.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.339.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.339.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.339.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.339.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.339.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.339.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.339.1
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.337.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.337.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.337.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.337.9
4 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.337.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.337.6
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.337.5
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.337.4
5 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.337.3
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.337.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.337.1
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.335.9
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.335.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.335.6
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.335.5
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.333.16
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.331.17
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamtschatka.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.331.13
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamtschatka.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.329.5
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamtschatka.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.329.4
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.329.3
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.329.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.