@applicaster/quick-brick-player
Quick Brick Player
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:react-native-web-linear-gradient | AI (dependencies): Known React Native web gradient library, pinned to 1.1.2; fits expected use in a player UI component. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): react-native-web-linear-gradient is a legitimate UI dependency for gradient rendering in a player package. | ai | |
| dependencies | unvetted-dep:videojs-contrib-eme | AI (dependencies): Well-known videojs plugin; stable dependency for this media player package. | ai | |
| dependencies | unvetted-dep:@applicaster/zapp-react-native-tvos-app | AI (dependencies): Same org scope (@applicaster); stable internal dependency. | ai | |
| dependencies | unvetted-dep:@applicaster/quick-brick-tv-transport-controls | AI (dependencies): Same org scope (@applicaster); stable internal dependency. | ai | |
| dependencies | unvetted-dep:@applicaster/quick-brick-mobile-transport-controls | AI (dependencies): Same org scope (@applicaster); stable internal dependency. | ai | |
| phantom-deps | phantom-dep:react-native-web-linear-gradient | AI (phantom-deps): Platform-specific binary package; not directly imported by design in this React Native package. | ai | |
| phantom-deps | phantom-dep:video.js | AI (phantom-deps): video.js is a config-referenced player dep; phantom-dep heuristic fires on config-only references, not a real risk. | ai | |
| phantom-deps | phantom-dep:typeface-montserrat | AI (phantom-deps): Font package referenced in config; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:shaka-player | AI (phantom-deps): shaka-player is a config-referenced player dep; same pattern as video.js. | ai | |
| phantom-deps | phantom-dep:videojs-contrib-eme | AI (phantom-deps): videojs plugin loaded via config; phantom-dep heuristic is a stable false positive here. | ai | |
| phantom-deps | phantom-dep:videojs-contrib-quality-levels | AI (phantom-deps): videojs plugin loaded via config; same pattern. | ai | |
| provenance | no-provenance | AI (provenance): Established org package; lack of Sigstore provenance is common and not a risk signal here. | ai | |
| phantom-deps | phantom-dep:@applicaster/zapp-react-native-tvos-app | AI (phantom-deps): Same-org dep; phantom-dep heuristic is a stable false positive for this package. | ai | |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 14.0.28 | 11 / 0 | |
| 14.0.27 | 11 / 0 | |
| 14.0.26 | 11 / 0 | |
| 14.0.25 | 11 / 0 | |
| 14.0.24 | 11 / 0 | |
| 14.0.23 | 11 / 0 | |
| 14.0.22 | 11 / 0 | |
| 14.0.21 | 11 / 0 | |
| 14.0.20 | 11 / 0 | |
| 14.0.19 | 11 / 0 | |
| 14.0.18 | 11 / 0 | |
| 14.0.15 | 11 / 0 | |
| 14.0.14 | 11 / 0 | |
| 14.0.12 | 11 / 0 | |
| 14.0.11 | 11 / 0 | |
| 14.0.9 | 11 / 0 | |
| 14.0.8 | 11 / 0 | |
| 14.0.4 | 11 / 0 | |
| 14.0.3 | 11 / 0 | |
| 14.0.2 | 11 / 0 | |
| 14.0.1 | 11 / 0 | |
| 14.0.0 | 11 / 0 | |
| 13.0.25 | 12 / 0 | |
| 13.0.24 | 12 / 0 | |
| 13.0.23 | 12 / 0 | |
| 13.0.21 | 12 / 0 | |
| 13.0.19 | 12 / 0 | |
| 13.0.18 | 12 / 0 | |
| 13.0.17 | 12 / 0 | |
| 13.0.16 | 12 / 0 | |
Per-version findings

| Version | Findings |
|---|---|
| v14.0.28 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v14.0.27 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v14.0.26 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v14.0.25 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v14.0.23 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v14.0.22 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v14.0.21 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v14.0.20 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v14.0.19 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v14.0.18 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v14.0.15 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v14.0.14 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v14.0.12 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v14.0.11 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v14.0.9 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v14.0.8 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v14.0.4 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v14.0.3 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v14.0.2 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v14.0.1 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v14.0.0 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v13.0.25 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v13.0.24 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v13.0.23 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v13.0.21 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v13.0.19 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |
| v13.0.18 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v13.0.17 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD. |
| v13.0.16 | 1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal. |