@sentry/node-core — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sentry-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Sentry publishes many packages without Sigstore provenance; this is consistent across their entire SDK suite and not a risk indicator for this publisher.	ai	2026/04/26
source-diff	encoded-string-file:build/cjs/integrations/anr/index.js	AI (source-diff): Base64 string is Sentry's embedded ANR worker thread script, a documented pattern in the Sentry Node SDK. Decoded content is standard Sentry SDK code with no malicious payload.	ai	2026/04/26
source-diff	encoded-string-file:build/esm/integrations/anr/index.js	AI (source-diff): Same as CJS counterpart — base64-encoded Sentry ANR worker script, benign and documented pattern.	ai	2026/04/26
source-diff	encoded-string-file:build/esm/integrations/local-variables/local-variables-async.js	AI (source-diff): Same as CJS counterpart — base64-encoded Sentry local-variables worker script, benign and documented pattern.	ai	2026/04/26
publish-pattern	dormant-publish	AI (publish-pattern): @sentry/node-core is a newer split package from @sentry/node; version gaps reflect SDK release cadence, not account takeover. Publisher sentry-bot has strong track record.	ai	2026/04/26
source-diff	encoded-string-file:build/cjs/integrations/local-variables/local-variables-async.js	AI (source-diff): Base64 string is Sentry's embedded local-variables worker thread script. Decoded content is standard Sentry SDK inspector/worker code.	ai	2026/04/26
dependencies	unvetted-dep:@sentry/opentelemetry	AI (dependencies): @sentry/opentelemetry is a first-party Sentry monorepo package always released in lockstep with @sentry/node-core; not a third-party risk.	ai	2026/04/25

Versions (showing 44 of 44)

Version	Deps	Published
10.55.0	3 / 7	2026-05-28
10.54.0	3 / 7	2026-05-26
10.53.1	3 / 7	2026-05-12
10.53.0	3 / 7	2026-05-12
10.52.0	3 / 7	2026-05-07
10.51.0	3 / 7	2026-04-29
10.50.0	3 / 7	2026-04-23
10.49.0	3 / 7	2026-04-16
10.48.0	3 / 9	2026-04-09
10.47.0	3 / 9	2026-03-31
10.46.0	3 / 8	2026-03-25
10.45.0	3 / 8	2026-03-19
10.44.0	3 / 8	2026-03-17
10.43.0	3 / 8	2026-03-10
10.42.0	3 / 8	2026-03-03
10.41.0	3 / 8	2026-03-02
10.40.0	3 / 8	2026-02-24
10.39.0	4 / 9	2026-02-16
10.38.0	4 / 9	2026-01-29
10.37.0	4 / 9	2026-01-27
10.36.0	4 / 9	2026-01-21
10.35.0	4 / 9	2026-01-19
10.34.0	4 / 9	2026-01-14
10.33.0	4 / 9	2026-01-12
10.32.1	4 / 9	2025-12-19
10.32.0	4 / 9	2025-12-18
10.31.0	4 / 9	2025-12-16
10.30.0	4 / 9	2025-12-11
10.29.0	4 / 9	2025-12-04
10.28.0	4 / 9	2025-12-02
10.27.0	4 / 9	2025-11-24
10.10.0	3 / 8	2025-09-04
10.9.0	3 / 8	2025-09-03
10.8.0	3 / 8	2025-08-29
10.7.0	3 / 8	2025-08-27
10.6.0	3 / 8	2025-08-26
10.5.0	3 / 8	2025-08-12
10.4.0	3 / 8	2025-08-11
10.3.0	3 / 8	2025-08-08
10.2.0	3 / 8	2025-08-06
10.1.0	3 / 8	2025-08-04
10.0.0	3 / 8	2025-07-31
9.47.1	3 / 8	2025-11-17
9.47.0	3 / 8	2025-11-17

v10.55.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.54.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.53.1

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.53.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.52.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.51.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.50.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.49.0

5 findings

HIGH Long encoded string in modified file: build/cjs/integrations/anr/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/esm/integrations/anr/index.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/cjs/integrations/local-variables/local-variables-async.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

HIGH Long encoded string in modified file: build/esm/integrations/local-variables/local-variables-async.js source-diff

Modified file contains 1 long encoded string(s) (200+ chars). These are commonly used to hide malicious payloads.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.48.0