cloudflare
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| semgrep | semgrep:shady-links-exfil-services | AI (semgrep): webhook.site URL in JSDoc example comment, not executed code. | ai | |
| provenance | publisher-changed | AI (provenance): Legit handoff to Cloudflare CI/CD with SLSA attestation. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Individual maintainer replaced by official CI publisher. | ai | |
| semgrep | semgrep:webhook-url | AI (semgrep): Slack URL in JSDoc examples for webhook resource docs; benign and stable. | ai | |
| phantom-deps | phantom-dep:@types/node | AI (phantom-deps): Type-only framework dep. | ai | |
| phantom-deps | phantom-dep:@types/node-fetch | AI (phantom-deps): Type-only dep for node-fetch. | ai |
v7.0.0
4 findingsThis version was published by a different npm account than previous versions on 2026-07-09. This could indicate a legitimate maintainer transition or an account compromise.
URL pointing to known exfiltration/tunneling service (matched inside a comment — likely documentation, not executed code) Source: https://github.com/cloudflare/cloudflare-typescript/blob/3583affb5cea551858ed4c4b6c0fc326a306d3bd/resources/realtime-kit/webhooks.js#L31 29 | * ], 30 | * name: 'All events webhook', > 31 | * url: 'https://webhook.site/b23a5bbd-c7b0-4ced-a9e2-78ae7889897e', 32 | * }, 33 | * );
URL pointing to known exfiltration/tunneling service (matched inside a comment — likely documentation, not executed code) Source: https://github.com/cloudflare/cloudflare-typescript/blob/3583affb5cea551858ed4c4b6c0fc326a306d3bd/resources/realtime-kit/webhooks.js#L141 139 | * ], 140 | * name: 'All events webhook', > 141 | * url: 'https://webhook.site/b23a5bbd-c7b0-4ced-a9e2-78ae7889897e', 142 | * }, 143 | * );
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.1.0
7 findingsHardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 15 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 16 | * name: 'Slack Webhook', > 17 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 18 | * }); 19 | * ```
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 37 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 38 | * name: 'Slack Webhook', > 39 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 40 | * }, 41 | * );
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 12 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 13 | * name: 'Slack Webhook', > 14 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 15 | * }); 16 | * ```
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 34 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 35 | * name: 'Slack Webhook', > 36 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 37 | * }, 38 | * );
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 16 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 17 | * name: 'Slack Webhook', > 18 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 19 | * }); 20 | * ```
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 41 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 42 | * name: 'Slack Webhook', > 43 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 44 | * }, 45 | * );
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.0.0
7 findingsHardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 15 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 16 | * name: 'Slack Webhook', > 17 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 18 | * }); 19 | * ```
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 37 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 38 | * name: 'Slack Webhook', > 39 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 40 | * }, 41 | * );
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 12 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 13 | * name: 'Slack Webhook', > 14 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 15 | * }); 16 | * ```
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 34 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 35 | * name: 'Slack Webhook', > 36 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 37 | * }, 38 | * );
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 16 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 17 | * name: 'Slack Webhook', > 18 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 19 | * }); 20 | * ```
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 41 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 42 | * name: 'Slack Webhook', > 43 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 44 | * }, 45 | * );
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.0
7 findingsHardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 15 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 16 | * name: 'Slack Webhook', > 17 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 18 | * }); 19 | * ```
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 37 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 38 | * name: 'Slack Webhook', > 39 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 40 | * }, 41 | * );
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 12 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 13 | * name: 'Slack Webhook', > 14 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 15 | * }); 16 | * ```
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 34 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 35 | * name: 'Slack Webhook', > 36 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 37 | * }, 38 | * );
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 16 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 17 | * name: 'Slack Webhook', > 18 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 19 | * }); 20 | * ```
Hardcoded webhook URL suggests data exfiltration (matched inside a comment — likely documentation, not executed code) 41 | * account_id: '023e105f4ecef8ad9ca31a8372d0c353', 42 | * name: 'Slack Webhook', > 43 | * url: 'https://hooks.slack.com/services/Ds3fdBFbV/456464Gdd', 44 | * }, 45 | * );
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.