← Home

chrome-devtools-frontend

npm Repository Homepage
55
Versions
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

paulirishmathiasgoogle-wombot

Keywords

devtoolschromechromiumblinkdebugger

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
semgrep semgrep:etc-passwd-access AI (semgrep): String appears in a comment explaining a security mitigation, not actual file access. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): Raw IPs appear only in unit test fixtures (localhost/127.0.0.1), not production network calls. ai
semgrep semgrep:eval-usage AI (semgrep): eval() is in legacy test runner code evaluating test expressions — not runtime production code. ai
semgrep semgrep:child-process-import AI (semgrep): child_process used in scripts/npm_test.js to run blink tests — standard build/test tooling. ai
semgrep semgrep:child-process-spawn AI (semgrep): Spawns blink test runner in test script; expected for a devtools frontend package. ai
semgrep semgrep:api-obfuscation-reflect AI (semgrep): Reflect.get() used as a standard Proxy trap in DWARF debugger extension — not obfuscation. ai
provenance no-provenance AI (provenance): Established package with 2160 versions; lack of Sigstore provenance is common and not a risk signal here. ai
source-diff obfuscated-file:front_end/third_party/lit/lib/async-directive.js AI (source-diff): Minified Lit HTML library (Google LLC, BSD-3-Clause) bundled as a third-party dependency in Chrome DevTools Frontend. Minification is expected for this package's third-party vendored assets. ai
semgrep semgrep:base64-decode AI (semgrep): Fires in Lighthouse report bundle; base64 usage is for legitimate report rendering (SVG/template content), not payload obfuscation. ai
semgrep semgrep:shady-links-tlds AI (semgrep): Fires in third-party-web data catalog listing known ad/analytics domains (e.g. marketingplatform.google.com). These are legitimate reference URLs in a data file, not C2 infrastructure. ai
semgrep semgrep:dynamic-require AI (semgrep): Fires in CodeMirror's loadmode.js addon, which legitimately uses dynamic require to load syntax modes on demand. Well-known, documented behavior. ai
semgrep semgrep:new-function-constructor AI (semgrep): Fires in bundled axe-core and other third-party libs; new Function() is a documented pattern in axe-core's rule engine. Not a security risk in this package. ai

Versions (showing 55 of 157)

Version Deps Published
1.0.1549484 0 / 61
1.0.1548980 0 / 61
1.0.1548870 0 / 61
1.0.1547571 0 / 61
1.0.1547147 0 / 61
1.0.1545096 0 / 61
1.0.1544076 0 / 61
1.0.1543472 0 / 61
1.0.1543082 0 / 61
1.0.1542501 0 / 61
1.0.1541552 0 / 61
1.0.1541169 0 / 61
1.0.1539972 0 / 60
1.0.1539728 0 / 60
1.0.1538523 0 / 60
1.0.1538310 0 / 60
1.0.1537860 0 / 60
1.0.1537268 0 / 60
1.0.1536371 0 / 60
1.0.1535712 0 / 60
1.0.1534717 0 / 60
1.0.1534251 0 / 60
1.0.1533544 0 / 60
1.0.1532884 0 / 60
1.0.1532228 0 / 60
1.0.1531367 0 / 60
1.0.1530564 0 / 60
1.0.1529904 0 / 60
1.0.1529186 0 / 60
1.0.1528866 0 / 60
1.0.1526630 0 / 60
1.0.1526203 0 / 60
1.0.1525561 0 / 60
1.0.1524741 0 / 60
1.0.1522585 0 / 60
1.0.1522145 0 / 60
1.0.1521880 0 / 60
1.0.1521746 0 / 60
1.0.1521223 0 / 60
1.0.1520535 0 / 60
1.0.1520139 0 / 60
1.0.1519267 0 / 60
1.0.1518653 0 / 60
1.0.1516909 0 / 60
1.0.1515988 0 / 60
1.0.1515796 0 / 60
1.0.1515446 0 / 60
1.0.1514545 0 / 60
1.0.1513662 0 / 60
1.0.1512349 0 / 60
1.0.1512147 0 / 60
1.0.1510848 0 / 60
1.0.1510180 0 / 60
1.0.1506453 0 / 60
1.0.1473514 0 / 61

v1.0.1542501

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1539728

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1537860

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1536371

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1534717

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1534251

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1533544

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1532884

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1532228

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1531367

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1530564

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1529904

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1529186

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1528866

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1526630

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1526203

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1525561

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1524741

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1522585

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1522145

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1521880

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1521746

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1521223

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1520535

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1520139

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1519267

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1518653

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1516909

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1515988

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1515796

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1515446

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1514545

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1513662

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1512349

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1512147

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1510848

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1510180

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.1506453

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.1473514

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.