mixpanel-browser
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/async-modules/mixpanel-recorder-C3AW7mPl.js | AI (source-diff): Bundled rrweb session-recording code; minified dist output, not obfuscation. | ai | |
| source-diff | encoded-string-file:dist/mixpanel.module.js | AI (source-diff): ESM bundle with same inlined worker. | ai | |
| source-diff | encoded-string-file:dist/mixpanel.umd.js | AI (source-diff): UMD bundle with same inlined worker. | ai | |
| source-diff | obfuscated-file:dist/async-modules/mixpanel-recorder-P6SEnnPV.js | AI (source-diff): Bundled/minified dist output for browser SDK; readable code visible in sample. | ai | |
| source-diff | encoded-string-file:dist/mixpanel-recorder.js | AI (source-diff): Base64-inlined web worker for rrweb canvas recording; standard browser SDK pattern. | ai | |
| source-diff | encoded-string-file:dist/mixpanel-recorder.min.js | AI (source-diff): Minified variant of same inlined worker code. | ai | |
| source-diff | encoded-string-file:dist/mixpanel.amd.js | AI (source-diff): AMD bundle with same inlined worker. | ai | |
| source-diff | encoded-string-file:dist/mixpanel.cjs.js | AI (source-diff): CJS bundle with same inlined worker. | ai | |
| source-diff | encoded-string-file:dist/mixpanel-with-recorder.js | AI (source-diff): Same inlined worker in combined bundle. | ai | |
| source-diff | encoded-string-file:dist/mixpanel-with-recorder.min.js | AI (source-diff): Minified variant of same inlined worker code. | ai | |
| phantom-deps | phantom-dep:@types/json-logic-js | AI (phantom-deps): Type-only package; not imported at runtime, stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@mixpanel/rrweb-utils | AI (phantom-deps): Used transitively via rrweb; phantom-dep heuristic fires but this is a known indirect dependency. | ai | |
v2.80.0
2 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.79.0
10 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads. (This finding is reported 8 times, once per modified file.)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.