@sentry/node — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sentry-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): Dep swap is an intra-org rename (@sentry-internal/server-utils → @sentry/server-utils); not an external supply-chain addition.	ai	2026/06/16
dependencies	unvetted-dep:@sentry-internal/server-utils	AI (dependencies): Sentry-internal monorepo package pinned to exact matching version; consistent with routine SDK refactoring.	ai	2026/06/03
source-diff	large-new-source-files	AI (source-diff): Diff is cross-major-version (v8 vs v10); file count difference is expected.	ai	2026/05/29
source-diff	obfuscated-file:build/cjs/integrations/anr/index.js	AI (source-diff): Base64 worker script for ANR detection; standard Sentry pattern across versions.	ai	2026/05/29
publish-pattern	dormant-publish	AI (publish-pattern): @sentry/node has 698 versions and 19.1M weekly downloads; it publishes continuously. The dormancy finding is a data artifact from comparing against a specific prior approved version.	ai	2026/04/26
maintainer-change	maintainer-removed	AI (maintainer-change): Sentry regularly rotates team members on npm; sentry-bot is the stable publishing account. Maintainer churn is normal for this org and not a takeover signal.	ai	2026/04/26
typosquat	typosquat.levenshtein:zod	AI (typosquat): @sentry/node is the official Sentry Node SDK under the @sentry scope — not a typosquat of 'zod'. Levenshtein distance match is a false positive for this scoped package.	ai	2026/04/25
provenance	no-provenance	AI (provenance): sentry-bot is a well-established publisher with 3865 approved packages. Lack of provenance attestation is acceptable for this trusted publisher.	ai	2026/04/25
phantom-deps	phantom-dep:import-in-the-middle	AI (phantom-deps): import-in-the-middle is a legitimate runtime dependency declared in package.json, used by Sentry for ESM module interception. Not a phantom dep concern.	ai	2026/04/25

Versions (showing 49 of 49)

Version	Deps	Published
10.58.0	10 / 1	2026-06-15
10.57.0	10 / 1	2026-06-09
10.56.0	10 / 1	2026-06-02
10.55.0	9 / 1	2026-05-28
10.54.0	9 / 1	2026-05-26
10.53.1	29 / 1	2026-05-12
10.53.0	29 / 1	2026-05-12
10.52.0	29 / 1	2026-05-07
10.51.0	31 / 1	2026-04-29
10.50.0	31 / 1	2026-04-23
10.49.0	32 / 1	2026-04-16
10.48.0	34 / 1	2026-04-09
10.47.0	35 / 1	2026-03-31
10.46.0	35 / 1	2026-03-25
10.45.0	35 / 1	2026-03-19
10.44.0	35 / 1	2026-03-17
10.43.0	35 / 1	2026-03-10
10.42.0	35 / 1	2026-03-03
10.41.0	35 / 1	2026-03-02
10.40.0	35 / 1	2026-02-24
10.39.0	35 / 1	2026-02-16
10.38.0	35 / 1	2026-01-29
10.37.0	35 / 1	2026-01-27
10.36.0	35 / 1	2026-01-21
10.35.0	35 / 1	2026-01-19
10.34.0	35 / 1	2026-01-14
10.33.0	35 / 1	2026-01-12
10.32.1	35 / 1	2025-12-19
10.32.0	35 / 1	2025-12-18
10.31.0	35 / 1	2025-12-16
10.30.0	35 / 1	2025-12-11
10.29.0	35 / 1	2025-12-04
10.28.0	35 / 1	2025-12-02
10.27.0	35 / 1	2025-11-24
10.10.0	35 / 1	2025-09-04
10.9.0	35 / 1	2025-09-03
10.8.0	35 / 1	2025-08-29
10.7.0	35 / 1	2025-08-27
10.6.0	35 / 1	2025-08-26
10.5.0	35 / 1	2025-08-12
10.4.0	35 / 1	2025-08-11
10.3.0	35 / 1	2025-08-08
10.2.0	35 / 1	2025-08-06
10.1.0	35 / 1	2025-08-04
10.0.0	35 / 1	2025-07-31
9.47.1	35 / 1	2025-11-17
9.47.0	35 / 1	2025-11-17
8.55.2	35 / 1	2026-04-28
8.55.1	35 / 1	2026-03-25

v10.58.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.57.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.56.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.55.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.54.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.53.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.53.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.52.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.50.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v10.2.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.