
highlight.run

Open source, fullstack monitoring. Capture frontend errors, record server side logs, and visualize what broke with session replay.

Versions: 7
License: Apache-2.0
Install scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version:

SLSA provenance attestation
npm registry signatures
gitHead linked

Provenance of this kind ties the published tarball to a specific CI build of the commit recorded in gitHead; it vouches for how the package was built, not for what the source at that commit contains.

Maintainers

podoman
vadim-highlight

Keywords

highlight, session replay, error monitoring, logging, debugging, observability, browser, library

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
source-diff | obfuscated-file: dist/record-BP2p3lFo.js | AI (source-diff): Minified Vite bundle with source maps; expected artifact for this frontend SDK. | ai |
source-diff | obfuscated-file: dist/record-Dbff4KsX.js | AI (source-diff): Standard minified browser bundle for a session-replay SDK; source maps included and SLSA provenance confirms CI build. | ai |
source-diff | encoded-string-file: dist/index.umd.js | AI (source-diff): Long strings are PostCSS source-map annotation code in a bundled UMD output, not obfuscated payloads. | ai |
phantom-deps | phantom-dep: imurmurhash | AI (phantom-deps): imurmurhash is a declared runtime dep bundled into dist; phantom-dep heuristic fires because it's not directly imported at source level. | ai |
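As an added example (not code from highlight.run or from the scanner that produced this page), here is a minimal version of the phantom-deps heuristic described in the last row above, together with the triage check a reviewer would run before accepting it: whether the declared dependency was inlined by the bundler, as evidenced by a node_modules path among the sources of an emitted source map. The package.json, source files and dist files are constructed samples; imurmurhash is the real dependency named above, the other package and file names are placeholders.

```javascript
// Added example: a minimal phantom-deps check with reviewer triage.
// Not highlight.run's code and not the scanner's implementation.

// Matches: import x from 'pkg'; import 'pkg'; import('pkg'); require('pkg')
const IMPORT_RE =
  /(?:import\s[^'"]*?from\s*|import\s*\(\s*|require\s*\(\s*|import\s+)['"]([^'"]+)['"]/g;

// "@scope/pkg/sub" -> "@scope/pkg", "pkg/sub" -> "pkg", relative paths -> null
function packageName(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Set of package names imported anywhere in the source tree.
function importedPackages(sourceFiles) {
  const seen = new Set();
  for (const text of Object.values(sourceFiles)) {
    for (const m of text.matchAll(IMPORT_RE)) {
      const name = packageName(m[1]);
      if (name) seen.add(name);
    }
  }
  return seen;
}

// True if any emitted source map lists a node_modules/<dep>/ file among its
// sources, i.e. the bundler inlined the dependency even though no source file
// imports it directly (the situation the accepted-risk row describes).
function bundledIn(distFiles, dep) {
  for (const [path, text] of Object.entries(distFiles)) {
    if (!path.endsWith('.map')) continue;
    let map;
    try { map = JSON.parse(text); } catch { continue; }
    if ((map.sources || []).some((s) => s.includes(`node_modules/${dep}/`))) return true;
  }
  return false;
}

// One result per declared runtime dependency that no source file imports.
function phantomDeps(pkgJson, sourceFiles, distFiles) {
  const imported = importedPackages(sourceFiles);
  const results = [];
  for (const dep of Object.keys(pkgJson.dependencies || {})) {
    if (imported.has(dep)) continue;
    const bundled = bundledIn(distFiles, dep);
    results.push({
      dep,
      bundled,
      verdict: bundled
        ? 'accept: declared dep is inlined into dist via a transitive import'
        : 'escalate: declared dep is neither imported nor bundled',
    });
  }
  return results;
}

// --- constructed sample inputs (not the real highlight.run tree) ---
const SAMPLE_PKG = {
  name: 'example-sdk',
  dependencies: {
    imurmurhash: '^0.1.4',          // the dependency named in the accepted risk
    'error-stack-parser': '^2.1.4', // imported directly below
    'unused-example-dep': '^1.0.0', // placeholder: declared, never used
  },
};
const SAMPLE_SRC = {
  'src/index.ts':
    "import ErrorStackParser from 'error-stack-parser';\n" +
    "import { record } from './record';\n" +
    'export { record, ErrorStackParser };\n',
  'src/record.ts': "export function record() { return 'ok'; }\n",
};
const SAMPLE_DIST = {
  'dist/record-XXXX.js': 'var a=1;\n//# sourceMappingURL=record-XXXX.js.map\n',
  'dist/record-XXXX.js.map': JSON.stringify({
    version: 3,
    sources: ['../src/record.ts', '../node_modules/imurmurhash/imurmurhash.js'],
    names: [],
    mappings: 'AAAA',
  }),
};

console.log(JSON.stringify(phantomDeps(SAMPLE_PKG, SAMPLE_SRC, SAMPLE_DIST), null, 2));
```

The source-map check is what turns the heuristic into a decision: a dependency that is declared, never imported and absent from every map is dead weight at best and an unexplained addition at worst, whereas one that shows up under node_modules in the map was pulled in by something the bundler resolved and is the expected false positive.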

Versions (showing 7 of 7)

Version Deps Published
10.3.1 2 / 52
10.3.0 2 / 52
10.2.0 2 / 52
10.1.2 2 / 52
10.1.1 2 / 52
10.1.0 2 / 52
10.0.1 2 / 52

v10.3.1

2 findings
HIGH  New obfuscated file: dist/record-BP2p3lFo.js  (rule: source-diff)

Newly added file contains lines over 3000 characters, which is characteristic of both minified and obfuscated code; the line-length heuristic cannot tell the two apart. A genuinely new obfuscated file is a strong attack indicator, while a minified bundle shipped with its source map is the expected build output for a browser SDK (see the accepted-risks entry for this file).

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.2.0

3 findings
HIGH  New obfuscated file: dist/record-Dbff4KsX.js  (rule: source-diff)

Newly added file contains lines over 3000 characters, which is characteristic of both minified and obfuscated code; the line-length heuristic cannot tell the two apart. A genuinely new obfuscated file is a strong attack indicator, while a minified bundle shipped with its source map is the expected build output for a browser SDK (see the accepted-risks entry for this file).

HIGH  Long encoded string in modified file: dist/index.umd.js  (rule: source-diff)

Modified file contains 2 encoded strings of 200 or more characters. Long encoded strings are commonly used to hide malicious payloads, but they also occur legitimately as inline source maps and embedded assets, so each one should be decoded and identified before the finding is dismissed (the accepted-risks entry attributes these two to PostCSS source-map annotation code).

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
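Added example, not the scanner's or highlight.run's code: the two source-diff heuristics quoted in the findings above (lines over 3000 characters; encoded strings of 200 or more characters), followed by the triage that the accepted-risks table applies to them, namely checking for a source-map reference alongside the long lines and decoding each long base64 run to see whether it is itself a source map. The thresholds are the ones quoted in the findings; file names and contents are constructed samples.

```javascript
// Added example: the two source-diff heuristics from the findings above and
// the triage step behind the accepted risks. Not the scanner's or
// highlight.run's code; thresholds are the ones quoted in the findings.

const LONG_LINE = 3000;   // "lines over 3000 chars"
const LONG_STRING = 200;  // "long encoded string(s) (200+ chars)"

// A run of base64 / base64url characters at least LONG_STRING long.
const ENCODED_RE = new RegExp('[A-Za-z0-9+/=_-]{' + LONG_STRING + ',}', 'g');

// Raw heuristic output for one emitted file.
function scanArtifact(path, text) {
  const lines = text.split('\n');
  const longestLine = lines.reduce((m, l) => Math.max(m, l.length), 0);
  const encodedStrings = Array.from(text.matchAll(ENCODED_RE), (m) => m[0]);
  const ref = text.match(/\/\/[#@]\s*sourceMappingURL=(\S+)/);
  return {
    path,
    longestLine,
    obfuscatedFile: longestLine > LONG_LINE,
    encodedStrings,
    sourceMapRef: ref ? ref[1] : null,
  };
}

// Try to decode a long blob as base64 JSON; a v3 source map is the benign
// case the accepted-risk rows describe.
function classifyEncoded(blob) {
  try {
    const obj = JSON.parse(Buffer.from(blob, 'base64').toString('utf8'));
    if (obj && obj.version === 3 && Array.isArray(obj.sources)) return 'source-map';
  } catch {
    // not valid base64-encoded JSON
  }
  return 'unknown';
}

// siblingFiles: names of the other files in the same dist directory.
function triage(finding, siblingFiles) {
  const reasons = [];
  if (finding.obfuscatedFile) {
    const ref = finding.sourceMapRef;
    const mapPresent = ref !== null && (ref.startsWith('data:') || siblingFiles.has(ref));
    reasons.push(mapPresent
      ? 'long lines: minified bundle, source map present'
      : 'long lines: no source map reference, review manually');
  }
  for (const blob of finding.encodedStrings) {
    reasons.push(classifyEncoded(blob) === 'source-map'
      ? 'encoded string: inline source map'
      : 'encoded string: undetermined payload, review manually');
  }
  const escalate = reasons.some((r) => r.endsWith('review manually'));
  return { verdict: escalate ? 'escalate' : 'accept', reasons };
}

// --- constructed samples (placeholder file names, not real artifacts) ---
// 1. Minified bundle: one 3500+ char line plus an external source map next to it.
const MINIFIED_SAMPLE = 'function a(){return 1}'.repeat(160) + '\n//# sourceMappingURL=record-XXXX.js.map\n';
// 2. Inline source map: a base64 data URL that decodes to a v3 map.
const INLINE_MAP_B64 = Buffer.from(JSON.stringify({
  version: 3, sources: ['../src/index.ts'], names: [], mappings: 'AAAA',
  sourcesContent: ['x'.repeat(300)],
})).toString('base64');
const INLINE_MAP_SAMPLE = 'var b=2;\n//# sourceMappingURL=data:application/json;base64,' + INLINE_MAP_B64 + '\n';
// 3. Long line, no source map, and a 400-char blob that is not a source map.
const SUSPICIOUS_SAMPLE = 'var x="' + 'QUJD'.repeat(100) + '";' + 'x;'.repeat(1500) + '\n';

for (const [path, text, siblings] of [
  ['dist/record-XXXX.js', MINIFIED_SAMPLE, new Set(['record-XXXX.js.map'])],
  ['dist/index.umd.js', INLINE_MAP_SAMPLE, new Set()],
  ['dist/unknown.js', SUSPICIOUS_SAMPLE, new Set()],
]) {
  console.log(path, triage(scanArtifact(path, text), siblings));
}
```

A source-map reference is only evidence if the map actually exists (or is inlined), which is why triage takes the list of sibling files rather than trusting the comment; and a blob that does not decode to anything recognisable stays a finding even when the file otherwise looks like ordinary bundler output.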

v10.1.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.1.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.1.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v10.0.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.