@datadog/pprof

Versions: 4
License: (not shown)
Install Scripts: Yes
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

- SLSA provenance attestation
- npm registry signatures
- gitHead linked

Maintainers

datadog

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source: publish-pattern
Rule: dormant-publish
Reason: AI (publish-pattern): High-volume Datadog package with 103 versions and 8.7M weekly downloads; irregular release cadence is normal for this project.
Accepted by: ai
When: (not shown)

Source: semgrep
Rule: semgrep:base64-decode
Reason: AI (semgrep): Base64 decoding in sourcemapper.js is standard source map data URL parsing (data:...;base64,...). No malicious payload context.
Accepted by: ai
When: (not shown)

Source: install-scripts
Rule: install-script:install
Reason: AI (install-scripts): Install script is literally `exit 0`, a no-op used to suppress the node-gyp rebuild when prebuilts are bundled. Zero risk; stable pattern for this package.
Accepted by: ai
When: (not shown)

Source: npm-metadata
Rule: bundled-binaries
Reason: AI (npm-metadata): Prebuilt .node binaries are expected for this native profiling library. SLSA provenance attestation confirms CI/CD build integrity. Standard multi-platform/ABI prebuild pattern.
Accepted by: ai
When: (not shown)

Versions (showing 4 of 4)

Version   Deps     Published
5.14.4    3 / 19   (not shown)
5.14.3    3 / 19   (not shown)
5.14.1    3 / 19   (not shown)
5.13.3    5 / 22   (not shown)

v5.14.4

1 finding

INFO  Has SLSA provenance attestation  [provenance]
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.14.3

1 finding

INFO  Has SLSA provenance attestation  [provenance]
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.14.1

3 findings

HIGH  Package has 'install' script  [install-scripts]
Script: exit 0

HIGH  Bundled binary files (56)  [npm-metadata]
Package contains compiled binaries that could be backdoors:
- prebuilds/darwin-arm64/node-108.node
- prebuilds/darwin-x64/node-108.node
- prebuilds/linuxglibc-arm64/node-108.node
- prebuilds/linuxglibc-x64/node-108.node
- prebuilds/linuxmusl-arm64/node-108.node
- prebuilds/linuxmusl-x64/node-108.node
- prebuilds/win32-x64/node-108.node
- prebuilds/darwin-arm64/node-111.node
- prebuilds/darwin-x64/node-111.node
- prebuilds/linuxglibc-arm64/node-111.node
... and 46 more

INFO  Has SLSA provenance attestation  [provenance]
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v5.13.3

3 findings

HIGH  Package has 'install' script  [install-scripts]
Script: exit 0

HIGH  Bundled binary files (56)  [npm-metadata]
Package contains compiled binaries that could be backdoors:
- prebuilds/darwin-arm64/node-108.node
- prebuilds/darwin-x64/node-108.node
- prebuilds/linuxglibc-arm64/node-108.node
- prebuilds/linuxglibc-x64/node-108.node
- prebuilds/linuxmusl-arm64/node-108.node
- prebuilds/linuxmusl-x64/node-108.node
- prebuilds/win32-x64/node-108.node
- prebuilds/darwin-arm64/node-111.node
- prebuilds/darwin-x64/node-111.node
- prebuilds/linuxglibc-arm64/node-111.node
... and 46 more

INFO  Has SLSA provenance attestation  [provenance]
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.