gleap — Greenflagged

![Gleap JavaScript SDK Intro](https://github.com/GleapSDK/JavaScript-SDK/blob/master/resources/banner.png?raw=true)

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

boehlerlukas

Keywords

bug-reportingbug-reporting-toolcustomer-surveyssurveyscustomer-feedbackcustomer-feedback-sdkjavascript-bug-reportingcrash-reportingmarketing-automationuser-onboardingai-chatbotin-app-feedback

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	encoded-string-file:build/browser/index.js	AI (source-diff): Minified webpack bundle output; long strings are standard bundled JS, not encoded payloads.	ai	2026/05/22
source-diff	encoded-string-file:build/cjs/index.js	AI (source-diff): Minified webpack bundle output; long strings are standard bundled JS, not encoded payloads.	ai	2026/05/22
source-diff	encoded-string-file:build/esm/index.mjs	AI (source-diff): Minified webpack bundle output; long strings are standard bundled JS, not encoded payloads.	ai	2026/05/22
provenance	no-provenance	AI (provenance): Long-established package with 362 versions; absence of Sigstore provenance is consistent with its entire history.	ai	2026/05/10
dependencies	unvetted-dep:unique-selector	AI (dependencies): DOM selector utility is expected for this SDK's element-targeting functionality.	ai	2026/05/10
dependencies	unvetted-dep:@rrweb/record	AI (dependencies): Session recording dep is expected for a bug-reporting/feedback SDK; stable pattern across versions.	ai	2026/05/10
phantom-deps	phantom-dep:@rrweb/record	AI (phantom-deps): Bundled SDK; deps referenced in webpack config rather than direct imports — stable false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:@floating-ui/dom	AI (phantom-deps): Same bundled pattern; stable false positive for this package.	ai	2026/04/29
phantom-deps	phantom-dep:unique-selector	AI (phantom-deps): Same bundled pattern; stable false positive for this package.	ai	2026/04/29

Versions (showing 12 of 12)

Version	Deps	Published
16.0.10	3 / 23	2026-06-05
16.0.8	3 / 23	2026-05-21
16.0.7	3 / 23	2026-05-21
16.0.6	3 / 23	2026-05-21
16.0.5	3 / 23	2026-05-12
16.0.3	3 / 23	2026-05-08
16.0.2	3 / 23	2026-05-07
16.0.1	3 / 23	2026-05-07
16.0.0	3 / 23	2026-05-06
15.3.2	3 / 23	2026-04-28
15.3.1	3 / 23	2026-04-27
15.3.0	3 / 23	2026-04-22

v16.0.10

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.8

4 findings

HIGH Long encoded string in modified file: build/browser/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/cjs/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/esm/index.mjs source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.7

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.6

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.5

4 findings

HIGH Long encoded string in modified file: build/browser/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/cjs/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/esm/index.mjs source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.1

4 findings

HIGH Long encoded string in modified file: build/browser/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/cjs/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/esm/index.mjs source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v16.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v15.3.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v15.3.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.