@php-wasm/xdebug-bridge
XDebug bridge server for PHP.wasm
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:run-cli-DHPcno7N.cjs | AI (source-diff): Minified CLI bundle traceable to the official WordPress/wordpress-playground repo; not malicious obfuscation. | ai | |
| provenance | slsa-provenance | AI (provenance): SLSA provenance attestation confirms CI/CD publish; publisher-changed to GitHub Actions is expected for this org. | ai | |
| source-diff | obfuscated-file:run-cli-BPGRvxlC.cjs | AI (source-diff): Minified rollup bundle with public source at WordPress/wordpress-playground repo; not obfuscated malware. | ai | |
| source-diff | obfuscated-file:run-cli-uj1-xEEL.cjs | AI (source-diff): Minified bundler output from official WordPress/wordpress-playground CI; SLSA provenance attestation confirms integrity. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to GitHub Actions publisher with SLSA attestation is expected for this WordPress org project. | ai | |
| phantom-deps | phantom-dep:express | AI (phantom-deps): Bundled monorepo artifact; stable false positive. | ai | |
| phantom-deps | phantom-dep:jsonc-parser | AI (phantom-deps): Bundled monorepo artifact; stable false positive. | ai | |
| phantom-deps | phantom-dep:@php-wasm/node | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:fast-xml-parser | AI (phantom-deps): Bundled monorepo artifact; stable false positive. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Fires in bundled yargs CLI code; standard bundler pattern for this monorepo package. | ai | |
| phantom-deps | phantom-dep:wasm-feature-detect | AI (phantom-deps): Bundled monorepo artifact; stable false positive. | ai | |
| phantom-deps | phantom-dep:@wp-playground/common | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| phantom-deps | phantom-dep:fs-ext-extra-prebuilt | AI (phantom-deps): Platform-specific binary dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@php-wasm/logger | AI (phantom-deps): Same-org monorepo dep; stable false positive. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Sample shows source-map/commentary context in bundled CLI, not a malicious payload. | ai | |
| phantom-deps | phantom-dep:ini | AI (phantom-deps): Monorepo build artifact; deps declared in package.json but bundled, stable false positive. | ai | |
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): Bundled into CLI artifact; phantom-dep is a stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:xml2js | AI (phantom-deps): Bundled monorepo artifact; stable false positive. | ai |
Versions (showing 72 of 72)
| Version | Deps | Published |
|---|---|---|
| 3.1.36 | 5 / 0 | |
| 3.1.35 | 5 / 0 | |
| 3.1.34 | 5 / 0 | |
| 3.1.33 | 5 / 0 | |
| 3.1.32 | 5 / 0 | |
| 3.1.31 | 5 / 0 | |
| 3.1.30 | 5 / 0 | |
| 3.1.29 | 5 / 0 | |
| 3.1.28 | 14 / 0 | |
| 3.1.27 | 14 / 0 | |
| 3.1.26 | 14 / 0 | |
| 3.1.25 | 13 / 0 | |
| 3.1.22 | 13 / 0 | |
| 3.1.21 | 13 / 0 | |
| 3.1.20 | 13 / 0 | |
| 3.1.19 | 13 / 0 | |
| 3.1.18 | 13 / 0 | |
| 3.1.17 | 13 / 0 | |
| 3.1.16 | 13 / 0 | |
| 3.1.15 | 13 / 0 | |
| 3.1.14 | 13 / 0 | |
| 3.1.13 | 13 / 0 | |
| 3.1.12 | 13 / 0 | |
| 3.1.11 | 13 / 0 | |
| 3.1.10 | 13 / 0 | |
| 3.1.9 | 13 / 0 | |
| 3.1.8 | 13 / 0 | |
| 3.1.5 | 13 / 0 | |
| 3.1.4 | 13 / 0 | |
| 3.1.3 | 13 / 0 | |
| 3.1.2 | 11 / 0 | |
| 3.1.1 | 11 / 0 | |
| 3.1.0 | 11 / 0 | |
| 3.0.54 | 10 / 0 | |
| 3.0.53 | 10 / 0 | |
| 3.0.52 | 10 / 0 | |
| 3.0.51 | 10 / 0 | |
| 3.0.46 | 10 / 0 | |
| 3.0.45 | 10 / 0 | |
| 3.0.44 | 10 / 0 | |
| 3.0.43 | 10 / 0 | |
| 3.0.42 | 10 / 0 | |
| 3.0.41 | 10 / 0 | |
| 3.0.40 | 10 / 0 | |
| 3.0.39 | 10 / 0 | |
| 3.0.38 | 10 / 0 | |
| 3.0.37 | 10 / 0 | |
| 3.0.36 | 10 / 0 | |
| 3.0.35 | 10 / 0 | |
| 3.0.34 | 10 / 0 | |
| 3.0.33 | 10 / 0 | |
| 3.0.32 | 10 / 0 | |
| 3.0.31 | 10 / 0 | |
| 3.0.30 | 10 / 0 | |
| 3.0.22 | 11 / 0 | |
| 3.0.21 | 11 / 0 | |
| 3.0.20 | 11 / 0 | |
| 3.0.19 | 11 / 0 | |
| 3.0.18 | 11 / 0 | |
| 3.0.17 | 11 / 0 | |
| 3.0.16 | 11 / 0 | |
| 3.0.15 | 11 / 0 | |
| 3.0.14 | 11 / 0 | |
| 3.0.13 | 11 / 0 | |
| 3.0.12 | 11 / 0 | |
| 3.0.8 | 11 / 0 | |
| 3.0.6 | 11 / 0 | |
| 3.0.5 | 11 / 0 | |
| 3.0.4 | 11 / 0 | |
| 3.0.3 | 11 / 0 | |
| 3.0.2 | 11 / 0 | |
| 3.0.1 | 11 / 0 |
v3.1.36
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.35
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.34
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.33
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.32
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.31
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.30
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.29
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.28
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.27
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.26
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.25
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.22
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.19
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.18
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.17
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.16
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.15
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.14
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.12
3 findingsThis version was published by a different npm account than previous versions on 2026-03-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.11
3 findingsThis version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.10
3 findingsThis version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.9
3 findingsThis version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.1
3 findingsThis version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.0
3 findingsThis version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.54
3 findingsThis version was published by a different npm account than previous versions on 2026-02-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.53
3 findingsThis version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.43
3 findingsThis version was published by a different npm account than previous versions on 2026-01-19. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.42
3 findingsThis version was published by a different npm account than previous versions on 2026-01-15. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.41
3 findingsThis version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.40
3 findingsThis version was published by a different npm account than previous versions on 2026-01-12. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.37
3 findingsThis version was published by a different npm account than previous versions on 2026-01-06. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.36
3 findingsThis version was published by a different npm account than previous versions on 2026-01-05. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.35
3 findingsThis version was published by a different npm account than previous versions on 2025-12-29. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.34
3 findingsThis version was published by a different npm account than previous versions on 2025-12-24. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.33
3 findingsThis version was published by a different npm account than previous versions on 2025-12-22. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.32
3 findingsThis version was published by a different npm account than previous versions on 2025-12-18. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.31
3 findingsThis version was published by a different npm account than previous versions on 2025-12-17. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.30
3 findingsThis version was published by a different npm account than previous versions on 2025-12-17. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.22
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.21
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.20
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.19
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.18
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.17
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.16
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.15
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.14
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.3
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.