chrome-devtools-frontend

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

paulirishmathiasgoogle-wombot

Keywords

devtoolschromechromiumblinkdebugger

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	no-provenance	AI (provenance): Established package with 2160 versions; lack of Sigstore provenance is common and not a risk signal here.	ai	2026/05/09
semgrep	semgrep:eval-usage	AI (semgrep): eval() is in legacy test runner code evaluating test expressions — not runtime production code.	ai	2026/05/09
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Raw IPs appear only in unit test fixtures (localhost/127.0.0.1), not production network calls.	ai	2026/05/09
semgrep	semgrep:child-process-import	AI (semgrep): child_process used in scripts/npm_test.js to run blink tests — standard build/test tooling.	ai	2026/05/09
semgrep	semgrep:child-process-spawn	AI (semgrep): Spawns blink test runner in test script; expected for a devtools frontend package.	ai	2026/05/09
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() used as a standard Proxy trap in DWARF debugger extension — not obfuscation.	ai	2026/05/09
source-diff	obfuscated-file:front_end/third_party/lit/lib/async-directive.js	AI (source-diff): Minified Lit HTML library (Google LLC, BSD-3-Clause) bundled as a third-party dependency in Chrome DevTools Frontend. Minification is expected for this package's third-party vendored assets.	ai	2026/04/27
semgrep	semgrep:dynamic-require	AI (semgrep): Fires in CodeMirror's loadmode.js addon, which legitimately uses dynamic require to load syntax modes on demand. Well-known, documented behavior.	ai	2026/04/26
semgrep	semgrep:base64-decode	AI (semgrep): Fires in Lighthouse report bundle; base64 usage is for legitimate report rendering (SVG/template content), not payload obfuscation.	ai	2026/04/26
semgrep	semgrep:shady-links-tlds	AI (semgrep): Fires in third-party-web data catalog listing known ad/analytics domains (e.g. marketingplatform.google.com). These are legitimate reference URLs in a data file, not C2 infrastructure.	ai	2026/04/26
semgrep	semgrep:new-function-constructor	AI (semgrep): Fires in bundled axe-core and other third-party libs; new Function() is a documented pattern in axe-core's rule engine. Not a security risk in this package.	ai	2026/04/26

Versions (showing 51 of 149)

View all versions

Version	Deps	Published
1.0.1636056	0 / 60	2026-05-28
1.0.1635876	0 / 62	2026-05-27
1.0.1635648	0 / 62	2026-05-26
1.0.1632065	0 / 62	2026-05-20
1.0.1631386	0 / 62	2026-05-18
1.0.1630574	0 / 62	2026-05-16
1.0.1630364	0 / 62	2026-05-15
1.0.1629211	0 / 62	2026-05-14
1.0.1626840	0 / 62	2026-05-09
1.0.1622369	0 / 62	2026-04-30
1.0.1621678	0 / 62	2026-04-29
1.0.1618066	0 / 62	2026-04-23
1.0.1616061	0 / 62	2026-04-18
1.0.1615539	0 / 62	2026-04-17
1.0.1614363	0 / 62	2026-04-16
1.0.1613625	0 / 62	2026-04-15
1.0.1613465	0 / 62	2026-04-14
1.0.1611825	0 / 62	2026-04-10
1.0.1611390	0 / 62	2026-04-09
1.0.1611099	0 / 62	2026-04-08
1.0.1609381	0 / 62	2026-04-08
1.0.1608868	0 / 62	2026-04-03
1.0.1608453	0 / 62	2026-04-02
1.0.1606789	0 / 62	2026-04-01
1.0.1605390	0 / 62	2026-03-28
1.0.1605219	0 / 62	2026-03-27
1.0.1604514	0 / 62	2026-03-26
1.0.1603822	0 / 62	2026-03-25
1.0.1602543	0 / 62	2026-03-24
1.0.1602348	0 / 62	2026-03-21
1.0.1601661	0 / 62	2026-03-20
1.0.1599001	0 / 62	2026-03-17
1.0.1598808	0 / 62	2026-03-14
1.0.1597624	0 / 62	2026-03-13
1.0.1597448	0 / 62	2026-03-12
1.0.1596535	0 / 62	2026-03-11
1.0.1596260	0 / 62	2026-03-10
1.0.1595925	0 / 62	2026-03-09
1.0.1595090	0 / 62	2026-03-07
1.0.1593959	0 / 62	2026-03-06
1.0.1593518	0 / 62	2026-03-05
1.0.1592362	0 / 62	2026-03-04
1.0.1592129	0 / 62	2026-03-03
1.0.1591204	0 / 62	2026-02-28
1.0.1590494	0 / 62	2026-02-27
1.0.1589336	0 / 62	2026-02-26
1.0.1588580	0 / 62	2026-02-25
1.0.1587905	0 / 62	2026-02-24
1.0.1587572	0 / 62	2026-02-21
1.0.1586699	0 / 62	2026-02-20
1.0.1585664	0 / 62	2026-02-19