workbox-google-analytics
Queues failed requests and uses the Background Sync API to replay them when the network is available
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.prod.v2.1.1.js | AI (source-diff): Workbox ships minified build artifacts as its distribution format; these are version-stamped bundles generated by the gulp build step, not obfuscated malicious code. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.dev.v2.1.1.js | AI (source-diff): Workbox ships minified build artifacts as its distribution format; these are version-stamped bundles generated by the gulp build step, not obfuscated malicious code. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.dev.v2.1.0.js | AI (source-diff): Workbox ships versioned minified build artifacts as its primary deliverable; long lines are bundled JS, not obfuscation. Pattern is stable across all versions of this package. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.prod.v2.1.0.js | AI (source-diff): Workbox ships versioned minified build artifacts as its primary deliverable; long lines are bundled JS, not obfuscation. Pattern is stable across all versions of this package. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.prod.v1.3.0.js | AI (source-diff): Minified production build artifact for a service worker importScripts bundle from the official Google Workbox project. Content matches stated purpose; no malicious patterns. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.dev.v1.3.0.js | AI (source-diff): Minified build artifact for a service worker importScripts bundle from the official Google Workbox project. Content matches stated purpose; no malicious patterns. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.prod.v2.0.3.js | AI (source-diff): Standard minified build artifact with Apache 2.0 Google license header; workbox packages ship versioned .dev/.prod build files as their primary distribution format. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.dev.v2.0.3.js | AI (source-diff): Standard minified build artifact with Apache 2.0 Google license header; workbox packages ship versioned .dev/.prod build files as their primary distribution format. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.dev.v2.0.0.js | AI (source-diff): Workbox packages ship minified build artifacts as their primary distributable. This is standard rollup output, not malicious obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.prod.v2.0.0.js | AI (source-diff): Workbox packages ship minified build artifacts as their primary distributable. This is standard rollup output, not malicious obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.dev.v2.0.2-rc1-2.0.2-rc1.0.js | AI (source-diff): This is a legitimate minified build artifact from the workbox-google-analytics package (Google Chrome team). Long lines are expected in bundled JS output; content is clearly the workbox GA service worker helper. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.prod.v2.0.2-rc1-2.0.2-rc1.0.js | AI (source-diff): This is a legitimate minified build artifact from the workbox-google-analytics package (Google Chrome team). Long lines are expected in bundled JS output; content is clearly the workbox GA service worker helper. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.dev.v1.1.0.js | AI (source-diff): Workbox ships minified build artifacts as its primary distribution format for importScripts() usage. The code is standard Google Analytics offline caching logic with Apache 2.0 header — not obfuscated malware. | ai | |
| source-diff | obfuscated-file:build/importScripts/workbox-google-analytics.prod.v1.1.0.js | AI (source-diff): Workbox ships minified build artifacts as its primary distribution format for importScripts() usage. The code is standard Google Analytics offline caching logic with Apache 2.0 header — not obfuscated malware. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy aligns with Workbox's release cadence and the maintainer transition period; no other compromise indicators present. | ai | |
| provenance | publisher-changed | AI (provenance): tomayac is a known Google DevRel engineer (Thomas Steiner); publisher change reflects a legitimate Workbox project maintainer transition, not a compromise. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of prior maintainer is consistent with a planned transition within the Workbox project; no malicious indicators present. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): tomayac has a strong track record (43 approved packages) and is a known Google DevRel contributor; addition is consistent with a legitimate handoff. | ai | |
| provenance | no-provenance | AI (provenance): Workbox packages are published from the googlechrome/workbox monorepo without Sigstore provenance; this is consistent across the ecosystem and not a security concern for this package. | ai |
Versions (showing 51 of 61)
| Version | Deps | Published |
|---|---|---|
| 7.4.1 | 4 / 0 | |
| 7.4.0 | 4 / 0 | |
| 7.3.0 | 4 / 0 | |
| 7.1.0 | 4 / 0 | |
| 7.0.0 | 4 / 0 | |
| 6.6.1 | 4 / 0 | |
| 6.6.0 | 4 / 0 | |
| 6.5.4 | 4 / 0 | |
| 6.5.3 | 4 / 0 | |
| 6.5.2 | 4 / 0 | |
| 6.5.1 | 4 / 0 | |
| 6.5.0 | 4 / 0 | |
| 6.4.2 | 4 / 0 | |
| 6.4.1 | 4 / 0 | |
| 6.4.0 | 4 / 0 | |
| 6.3.0 | 4 / 0 | |
| 6.2.4 | 4 / 0 | |
| 6.2.3 | 4 / 0 | |
| 6.2.2 | 4 / 0 | |
| 6.2.1 | 4 / 0 | |
| 6.2.0 | 4 / 0 | |
| 6.1.5 | 4 / 0 | |
| 6.1.2 | 4 / 0 | |
| 6.1.1 | 4 / 0 | |
| 6.1.0 | 4 / 0 | |
| 6.0.2 | 4 / 0 | |
| 6.0.0 | 4 / 0 | |
| 5.1.4 | 4 / 0 | |
| 5.1.3 | 4 / 0 | |
| 5.1.2 | 4 / 0 | |
| 5.1.1 | 4 / 0 | |
| 5.1.0 | 4 / 0 | |
| 5.0.0 | 4 / 0 | |
| 4.3.1 | 4 / 0 | |
| 4.3.0 | 4 / 0 | |
| 4.2.0 | 4 / 0 | |
| 4.1.1 | 4 / 0 | |
| 4.1.0 | 4 / 0 | |
| 4.0.0 | 4 / 0 | |
| 3.6.3 | 4 / 0 | |
| 3.6.2 | 4 / 0 | |
| 3.6.1 | 4 / 0 | |
| 3.5.0 | 4 / 0 | |
| 3.4.1 | 4 / 0 | |
| 3.3.1 | 4 / 0 | |
| 3.3.0 | 4 / 0 | |
| 3.2.0 | 4 / 0 | |
| 3.1.0 | 4 / 0 | |
| 3.0.1 | 4 / 0 | |
| 3.0.0 | 4 / 0 | |
| 2.1.1 | 0 / 0 |
v7.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.4.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-19. This could indicate a legitimate maintainer transition or an account compromise.
v7.3.0
2 findingsThis version was published by a different npm account than previous versions on 2024-10-29. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.5.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.5.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-24. This could indicate a legitimate maintainer transition or an account compromise.
v6.5.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-03. This could indicate a legitimate maintainer transition or an account compromise.
v6.5.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-02-23. This could indicate a legitimate maintainer transition or an account compromise.
v6.4.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-15. This could indicate a legitimate maintainer transition or an account compromise.
v6.4.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-11-03. This could indicate a legitimate maintainer transition or an account compromise.
v6.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-04-24. This could indicate a legitimate maintainer transition or an account compromise.
v5.1.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-03-25. This could indicate a legitimate maintainer transition or an account compromise.
v5.1.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-03-19. This could indicate a legitimate maintainer transition or an account compromise.
v5.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-03-19. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-05-01. This could indicate a legitimate maintainer transition or an account compromise.
v4.3.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-04-15. This could indicate a legitimate maintainer transition or an account compromise.
v4.2.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-04-03. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-03-15. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-03-07. This could indicate a legitimate maintainer transition or an account compromise.
v4.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-02-27. This could indicate a legitimate maintainer transition or an account compromise.
v3.6.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.6.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-09-19. This could indicate a legitimate maintainer transition or an account compromise.
v3.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.4.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-06-27. This could indicate a legitimate maintainer transition or an account compromise.
v3.3.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-06-18. This could indicate a legitimate maintainer transition or an account compromise.
v3.2.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-05-02. This could indicate a legitimate maintainer transition or an account compromise.
v3.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-04-12. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1
4 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-11-02. This could indicate a legitimate maintainer transition or an account compromise.