@newrelic/rrweb — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

newrelic

rrweb

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:base64-decode	AI (semgrep): Standard base64 decoding for rrweb session replay data (fonts, images, etc.). Core library functionality.	ai	2026/04/27
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() in a Proxy handler for mirror access warning — standard JS proxy pattern, not obfuscation.	ai	2026/04/27
phantom-deps	phantom-dep:mitt	AI (phantom-deps): Bundled via Vite into dist; consumed at build time, not directly imported in published files.	ai	2026/04/27
phantom-deps	phantom-dep:base64-arraybuffer	AI (phantom-deps): Bundled via Vite into dist; consumed at build time, not directly imported in published files.	ai	2026/04/27
phantom-deps	phantom-dep:@newrelic/rrweb-utils	AI (phantom-deps): Same-org dependency bundled via Vite; consumed at build time.	ai	2026/04/27
phantom-deps	phantom-dep:@types/css-font-loading-module	AI (phantom-deps): TypeScript type declaration dependency; not imported at runtime.	ai	2026/04/27

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.