raven-js
JavaScript client for Sentry
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:test/integration/test.js | AI (source-diff): Integration test helper using iframe.contentWindow.eval for browser test execution. URLs in fixtures are string literals, not real network calls. Standard browser testing pattern for raven-js. | ai | |
| source-diff | net-exec-file:test/vendor/tracekit-parser.test.js | AI (source-diff): Unit test for TraceKit stack trace parser. URLs are fixture strings in stack trace data, not actual network requests. No malicious behavior. | ai | |
| source-diff | net-exec-file:test/vendor/tracekit.test.js | AI (source-diff): Unit test for TraceKit. URLs are hardcoded fixture strings representing stack trace data, not real network calls. | ai | |
| source-diff | net-exec-file:test/vendor/fixtures/captured-errors.js | AI (source-diff): Test fixture file containing captured error objects with stack trace strings. URLs are string literals in test data, not network calls. | ai | |
| semgrep | semgrep:shady-links-raw-ip | AI (semgrep): Raw IPs are 127.0.0.1 (localhost) used in Gruntfile.js for local test server configuration. Standard development tooling pattern. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in example/scratch.js is a deliberate demonstration of error capture for Sentry. Not in production code path. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from kamilogorek to haza reflects a legitimate Sentry org maintainer transition in 2018; haza has strong track record (3986 approved, 0 rejected). | ai | |
| provenance | missing-githead | AI (provenance): Missing gitHead coincides with publisher/CI environment change in 2018; no other malicious indicators present for this established package. | ai | |
| provenance | no-provenance | AI (provenance): Package was published in 2018 before Sigstore provenance was available; not a meaningful risk signal for this version. | ai | |
Versions (showing 51 of 85)
| Version | Deps | Published |
|---|---|---|
| 3.27.2 | 0 / 37 | |
| 3.27.1 | 0 / 37 | |
| 3.27.0 | 0 / 37 | |
| 3.26.4 | 0 / 37 | |
| 3.26.3 | 0 / 37 | |
| 3.26.2 | 0 / 37 | |
| 3.26.1 | 0 / 37 | |
| 3.26.0 | 0 / 37 | |
| 3.25.2 | 0 / 38 | |
| 3.25.1 | 0 / 38 | |
| 3.25.0 | 0 / 38 | |
| 3.24.2 | 0 / 39 | |
| 3.24.1 | 0 / 39 | |
| 3.24.0 | 0 / 39 | |
| 3.23.3 | 0 / 39 | |
| 3.23.2 | 0 / 39 | |
| 3.23.1 | 0 / 39 | |
| 3.23.0 | 0 / 39 | |
| 3.22.4 | 0 / 39 | |
| 3.22.3 | 0 / 39 | |
| 3.22.2 | 0 / 41 | |
| 3.22.1 | 0 / 39 | |
| 3.22.0 | 0 / 39 | |
| 3.21.0 | 0 / 39 | |
| 3.20.1 | 0 / 39 | |
| 3.20.0 | 0 / 39 | |
| 3.19.1 | 0 / 39 | |
| 3.19.0 | 0 / 39 | |
| 3.18.1 | 0 / 30 | |
| 3.18.0 | 0 / 30 | |
| 3.17.0 | 0 / 29 | |
| 3.16.1 | 0 / 29 | |
| 3.16.0 | 0 / 29 | |
| 3.15.0 | 0 / 29 | |
| 3.14.2 | 0 / 29 | |
| 3.14.1 | 0 / 29 | |
| 3.14.0 | 1 / 29 | |
| 3.13.1 | 1 / 29 | |
| 3.13.0 | 1 / 29 | |
| 3.12.2 | 1 / 29 | |
| 3.12.1 | 1 / 29 | |
| 3.12.0 | 1 / 29 | |
| 3.11.0 | 1 / 29 | |
| 3.10.0 | 1 / 29 | |
| 3.9.2 | 1 / 29 | |
| 3.9.1 | 1 / 29 | |
| 3.9.0 | 1 / 29 | |
| 3.8.1 | 1 / 29 | |
| 3.8.0 | 1 / 29 | |
| 3.7.0 | 1 / 27 | |
| 3.6.1 | 1 / 27 | |
v3.27.2 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.27.1 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-05-21. This could indicate a legitimate maintainer transition or an account compromise.
v3.27.0 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamilogorek.
v3.26.4 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamilogorek.
v3.26.3 (3 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamilogorek.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-06-20. This could indicate a legitimate maintainer transition or an account compromise.
v3.26.2 (3 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: kamilogorek.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-06-11. This could indicate a legitimate maintainer transition or an account compromise.
v3.26.1 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: haza.
v3.26.0 (3 findings)
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: haza.
This version was published by a different npm account than previous versions on 2018-06-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.25.0 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.24.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.3 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.2 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.1 (1 finding)
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.23.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.22.4 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.22.3 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.22.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.22.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.22.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.21.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.20.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.19.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.19.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.18.1 (5 findings)
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.18.0 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-10-02. This could indicate a legitimate maintainer transition or an account compromise.
v3.17.0 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-07-13. This could indicate a legitimate maintainer transition or an account compromise.
v3.16.1 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-06-30. This could indicate a legitimate maintainer transition or an account compromise.
v3.16.0 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-06-13. This could indicate a legitimate maintainer transition or an account compromise.
v3.15.0 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-05-05. This could indicate a legitimate maintainer transition or an account compromise.
v3.14.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.14.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.14.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.13.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.12.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.11.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.10.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.9.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.8.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.7.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.