posthog-js — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

watilotwixesfuziontechmariusandraben-posthogtimglrafael_posthogfraserhoppermanoelposthogrobbie-cdustinbyrnefeliperalmeidalucasheriquesfrankposthogtom-posthogadamleithppeterkirkhamposthogioannisjjoshuasnyderhuguespouillot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@opentelemetry/api	AI (phantom-deps): Peer/transitive dep used by other @opentelemetry packages in the bundle.	ai	2026/05/29
source-diff	obfuscated-file:dist/rrweb.js	AI (source-diff): Minified dist bundle of rrweb session recording lib; standard for this package.	ai	2026/05/27
source-diff	obfuscated-file:dist/rrweb-plugin-console-record.js	AI (source-diff): Minified dist bundle of rrweb console-record plugin; standard for this package.	ai	2026/05/27
source-diff	obfuscated-file:dist/logs.js	AI (source-diff): Standard minified OpenTelemetry SDK logging code. Recognizable OTEL patterns, no malicious indicators.	ai	2026/04/26
provenance	publisher-changed	AI (provenance): posthog-js publishes via GitHub Actions CI/CD with SLSA provenance attestation. The move from personal account to automated CI is a security improvement, not a risk signal.	ai	2026/04/26
source-diff	obfuscated-file:dist/conversations.js	AI (source-diff): Standard minified Preact/JS build artifact for posthog-js dist/ folder. Code patterns are recognizable framework code, not obfuscated malware.	ai	2026/04/26
source-diff	obfuscated-file:dist/element-inference.js	AI (source-diff): Standard minified CSS selector utility code. Recognizable parsing patterns, no malicious indicators.	ai	2026/04/26
source-diff	obfuscated-file:lib/src/extensions/surveys/icons.js	AI (source-diff): Minified SVG icon definitions using Preact JSX runtime. Clearly benign build output.	ai	2026/04/26
source-diff	obfuscated-file:dist/product-tours-preview.js	AI (source-diff): Standard minified Preact component code for product tours feature. Recognizable VDOM patterns, no malicious indicators.	ai	2026/04/26
source-diff	obfuscated-file:dist/product-tours.js	AI (source-diff): Standard minified Preact component code for product tours feature. Recognizable VDOM patterns, no malicious indicators.	ai	2026/04/26
publish-pattern	dormant-publish	AI (publish-pattern): posthog-js publishes ~every 2 days (1135 versions over 2257 days). Dormancy is relative to last approved version in this pipeline, not actual package inactivity.	ai	2026/04/26
source-diff	encoded-string-file:dist/recorder.js	AI (source-diff): Minified session-recording bundle; long strings are embedded assets. Same pattern already accepted in sibling dist files.	ai	2026/04/26
source-diff	encoded-string-file:dist/lazy-recorder.js	AI (source-diff): Minified session-recording bundle; long strings are embedded assets (CSS/SVG). Same pattern already accepted in sibling dist files. No malicious indicators.	ai	2026/04/26
source-diff	encoded-string-file:dist/module.full.js	AI (source-diff): Minified session-recording bundle; long strings are embedded assets. Same pattern already accepted in sibling dist files.	ai	2026/04/26
source-diff	encoded-string-file:dist/module.full.no-external.js	AI (source-diff): Minified session-recording bundle; long strings are embedded assets. Same pattern already accepted in sibling dist files.	ai	2026/04/26
source-diff	encoded-string-file:dist/recorder-v2.js	AI (source-diff): Minified session-recording bundle; long strings are embedded assets. Same pattern already accepted in sibling dist files.	ai	2026/04/26
source-diff	large-new-source-files	AI (source-diff): posthog-js regularly adds new bundle variants; 49 new files reflects new extension/slim module additions, not injected code.	ai	2026/04/26
source-diff	encoded-string-file:dist/all-external-dependencies.js	AI (source-diff): Long strings in minified bundles are standard minification artifacts (rrweb DOM recording code), not encoded malicious payloads.	ai	2026/04/26
source-diff	encoded-string-file:dist/array.full.js	AI (source-diff): Long strings in minified bundles are standard minification artifacts (rrweb DOM recording code), not encoded malicious payloads.	ai	2026/04/26
source-diff	encoded-string-file:dist/array.full.no-external.js	AI (source-diff): Long strings in minified bundles are standard minification artifacts (rrweb DOM recording code), not encoded malicious payloads.	ai	2026/04/26
source-diff	obfuscated-file:dist/default-extensions.js	AI (source-diff): posthog-js ships minified browser bundles as part of its normal distribution; these are standard build artifacts, not obfuscated malware.	ai	2026/04/26
source-diff	obfuscated-file:dist/module.slim.no-external.js	AI (source-diff): posthog-js ships minified browser bundles as part of its normal distribution; these are standard build artifacts, not obfuscated malware.	ai	2026/04/26
source-diff	obfuscated-file:dist/module.slim.js	AI (source-diff): posthog-js ships minified browser bundles as part of its normal distribution; these are standard build artifacts, not obfuscated malware.	ai	2026/04/26
source-diff	obfuscated-file:dist/extension-bundles.js	AI (source-diff): posthog-js ships minified browser bundles as part of its normal distribution; these are standard build artifacts, not obfuscated malware.	ai	2026/04/26