@sailfish-rrweb/replay
This package contains all the necessary code to replay recorded events. See the [guide](../../guide.md) for more info on rrweb.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | encoded-string-file:dist/replay.js | AI (source-diff): Base64 string is an inline Web Worker blob for canvas image-bitmap processing — standard rrweb pattern. | ai | |
| source-diff | encoded-string-file:dist/replay.cjs | AI (source-diff): Long string is PostCSS source-map URL handling code in minified bundle, not a payload. | ai | |
| source-diff | encoded-string-file:dist/replay.umd.cjs | AI (source-diff): Same PostCSS source-map code pattern as replay.cjs; benign minified bundle content. | ai | |
| source-diff | encoded-string-file:dist/replay.umd.min.cjs | AI (source-diff): Same PostCSS source-map code pattern; benign minified bundle content. | ai | |
| source-diff | encoded-string-file:dist/replay.umd.umd.cjs | AI (source-diff): Same PostCSS source-map code pattern; benign minified bundle content. | ai | |
| source-diff | encoded-string-file:dist/replay.umd.umd.min.cjs | AI (source-diff): Same PostCSS source-map code pattern; benign minified bundle content. | ai | |
| phantom-deps | phantom-dep:@sailfish-rrweb/types | AI (phantom-deps): Same-org types package; declared as dep for type resolution, not directly imported at runtime. | ai |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 0.5.10 | 2 / 5 | |
| 0.5.9 | 2 / 5 | |
| 0.5.8 | 2 / 5 | |
| 0.5.7 | 2 / 5 | |
| 0.5.6 | 2 / 5 | |
| 0.5.4 | 2 / 5 |
v0.5.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.9
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.8
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.7
7 findingsModified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.6
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.