← Home

tracekit

npm Repository Homepage

Cross browser stack traces

19
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ejsmith12niemyjski

Keywords

TraceKitstack traces

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff source-size-tripled AI (source-diff): Size increase is fully explained by addition of mocha.js (103KB test framework file). No new runtime code or suspicious payloads. ai
provenance publisher-changed AI (provenance): Publisher change to niemyjski occurred in 2015; publisher has strong track record (19 approved, 0 rejected). Long-standing legitimate transition. ai
maintainer-change maintainer-added AI (maintainer-change): New maintainers defunctzombie and niemyjski added in 2015 as part of a legitimate historical handoff; niemyjski has a strong approval track record. ai
maintainer-change maintainer-removed AI (maintainer-change): shtylman removed as part of the same 2015 legitimate maintainer transition; no evidence of compromise. ai
maintainer-change maintainer-takeover AI (maintainer-change): Transition from shtylman to defunctzombie/niemyjski occurred in 2015; niemyjski has 19 approved packages and a long track record. Historical legitimate handoff, not an active hijack. ai
source-diff net-exec-file:spec/tracekit-spec.js AI (source-diff): spec/tracekit-spec.js is a Jasmine test file; URLs are string literals used as mock stack trace data, not actual network calls or dynamic code execution. Stable false positive for this test suite. ai
provenance no-provenance AI (provenance): Established package (4506 days old) published before Sigstore provenance was widely adopted; absence is expected and not a risk signal for this package. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): All raw IP references are in spec/fixtures test data simulating captured browser errors (e.g., 127.0.0.1 localhost URLs). This is expected for a stack-trace parsing library and generalizes across versions. ai

Versions (showing 19 of 19)

Version Deps Published
0.4.9 0 / 11
0.4.8 0 / 11
0.4.7 0 / 12
0.4.6 0 / 12
0.4.5 0 / 12
0.4.4 0 / 12
0.4.3 0 / 10
0.4.2 0 / 10
0.4.1 0 / 10
0.4.0 0 / 10
0.3.5 0 / 10
0.3.4 0 / 10
0.3.3 0 / 10
0.3.2 0 / 9
0.3.1 0 / 10
0.3.0 0 / 5
0.2.1 0 / 5
0.2.0 0 / 4
0.1.0 0 / 1

v0.4.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.8

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.7

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.6

2 findings
HIGH Publisher changed: exceptionless → niemyjski (on 2021-01-28) provenance

This version was published by a different npm account than previous versions on 2021-01-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.5

2 findings
HIGH New file with network + code execution: spec/tracekit-spec.js source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.4.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.5

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.3

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: niemyjski → exceptionless (on 2016-04-05) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2016-04-05. This could indicate a legitimate maintainer transition or an account compromise.

v0.3.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.3.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.2.0

3 findings
HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (shtylman) were replaced by new maintainers (defunctzombie, niemyjski). This is a strong signal of a potential package hijack and requires careful review.

HIGH Publisher changed: shtylman → niemyjski (on 2015-05-18) provenance

This version was published by a different npm account than previous versions on 2015-05-18. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.1.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.