@posthog/webpack-plugin No license 9 versions

@posthog/webpack-plugin

npm Repository Homepage

Webpack plugin for Posthog 🦔

9

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

watilotwixesfuziontechmariusandraben-posthogtimglrafael_posthogfraserhoppermanoelposthogrobbie-cdustinbyrnefeliperalmeidalucasheriquesfrankposthogtom-posthogadamleithpcat-phsarahxsanderspeterkirkhamposthogioannisjjoshuasnyderhuguespouillot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:env-spread	AI (semgrep): Spreading env into child process spawn is standard; not exfiltration.	ai	2026/05/26
phantom-deps	phantom-dep:@posthog/cli	AI (phantom-deps): @posthog/cli is a same-org dep declared in package.json; phantom-dep false positive for this package.	ai	2026/05/21

Versions (showing 9 of 111)

Version	Deps	Published
1.2.1	2 / 4	2025-12-15
1.2.0	2 / 4	2025-12-13
1.1.4	2 / 4	2025-12-04
1.1.3	2 / 4	2025-12-03
1.1.2	2 / 4	2025-12-01
1.1.1	2 / 4	2025-11-28
1.1.0	2 / 4	2025-11-24
1.0.2	2 / 4	2025-11-24
1.0.0	2 / 4	2025-11-20

v1.2.1

2 findings

HIGH env-spread: src/index.ts:85 semgrep

Spreading entire process.env into an object — may capture all secrets 83 | await spawnLocal(config.cliBinaryPath, args, { 84 | cwd: process.cwd(), > 85 | env: { 86 | ...process.env, 87 | RUST_LOG: `posthog_cli=${config.logLevel}`,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.2.0

2 findings

HIGH env-spread: src/index.ts:85 semgrep

Spreading entire process.env into an object — may capture all secrets 83 | await spawnLocal(config.cliBinaryPath, args, { 84 | cwd: process.cwd(), > 85 | env: { 86 | ...process.env, 87 | RUST_LOG: `posthog_cli=${config.logLevel}`,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.4

2 findings

HIGH env-spread: src/index.ts:82 semgrep

Spreading entire process.env into an object — may capture all secrets 80 | await spawnLocal(config.cliBinaryPath, args, { 81 | cwd: process.cwd(), > 82 | env: { 83 | ...process.env, 84 | RUST_LOG: `posthog_cli=${config.logLevel}`,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.3

2 findings

HIGH env-spread: src/index.ts:82 semgrep

Spreading entire process.env into an object — may capture all secrets 80 | await spawnLocal(config.cliBinaryPath, args, { 81 | cwd: process.cwd(), > 82 | env: { 83 | ...process.env, 84 | RUST_LOG: `posthog_cli=${config.logLevel}`,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.2

2 findings

HIGH env-spread: src/index.ts:82 semgrep

Spreading entire process.env into an object — may capture all secrets 80 | await spawnLocal(config.cliBinaryPath, args, { 81 | cwd: process.cwd(), > 82 | env: { 83 | ...process.env, 84 | RUST_LOG: `posthog_cli=${config.logLevel}`,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.1

2 findings

HIGH env-spread: src/index.ts:74 semgrep

Spreading entire process.env into an object — may capture all secrets 72 | await spawnLocal(config.cliBinaryPath, args, { 73 | cwd: process.cwd(), > 74 | env: { 75 | ...process.env, 76 | RUST_LOG: `posthog_cli=${config.logLevel}`,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.1.0

2 findings

HIGH env-spread: src/index.ts:74 semgrep

Spreading entire process.env into an object — may capture all secrets 72 | await spawnLocal(config.cliBinaryPath, args, { 73 | cwd: process.cwd(), > 74 | env: { 75 | ...process.env, 76 | RUST_LOG: `posthog_cli=${config.logLevel}`,

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.2

2 findings

HIGH env-spread: src/index.ts:74 semgrep

Spreading entire process.env into an object — may capture all secrets 72 | await spawnLocal(config.cliBinaryPath, args, { 73 | cwd: process.cwd(), > 74 | env: { 75 | ...process.env, 76 | RUST_LOG: `posthog_cli=${config.logLevel}`,

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.0

2 findings

HIGH env-spread: src/index.ts:74 semgrep

Spreading entire process.env into an object — may capture all secrets 72 | await spawnLocal(config.cliBinaryPath, args, { 73 | cwd: process.cwd(), > 74 | env: { 75 | ...process.env, 76 | RUST_LOG: `posthog_cli=${config.logLevel}`,

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.