A few observations that might help refine the audit checks.
-
Non-determinism between runs. On the same codebase we consistently get a "1 error + 3 warnings" count, but the specific findings rotate from run to run, and a few are false positives.
-
capture-event-names-static. Flags any variable passed as the first argument to capture(), whereas the best-practices guidance it cites only warns against interpolated names (e.g. page_viewed_${x}) that create unbounded event definitions. We centralise capture behind a typed wrapper where the event name is constrained to a fixed string-literal union — a bounded, finite set that satisfies the guidance — yet it's reported as an error on some runs. Judging against the interpolation criterion rather than "is it a variable" would likely resolve this.
-
capture-uses-proxy. Flagged us as lacking a reverse proxy because it couldn't read the env value at runtime, when we do in fact route ingestion through a first-party subdomain.
A few observations that might help refine the audit checks.
Non-determinism between runs. On the same codebase we consistently get a "1 error + 3 warnings" count, but the specific findings rotate from run to run, and a few are false positives.
capture-event-names-static. Flags any variable passed as the first argument tocapture(), whereas the best-practices guidance it cites only warns against interpolated names (e.g.page_viewed_${x}) that create unbounded event definitions. We centralise capture behind a typed wrapper where the event name is constrained to a fixed string-literal union — a bounded, finite set that satisfies the guidance — yet it's reported as an error on some runs. Judging against the interpolation criterion rather than "is it a variable" would likely resolve this.capture-uses-proxy. Flagged us as lacking a reverse proxy because it couldn't read the env value at runtime, when we do in fact route ingestion through a first-party subdomain.