@hls-downloader/adapters
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:dist/browser.mjs | AI (source-diff): Standard bundler minification of HLS/FFmpeg adapter code; no malicious patterns in sample. | ai | |
| source-diff | obfuscated-file:dist/node.mjs | AI (source-diff): Standard bundler minification; sample shows HLS parsing/download logic only. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by bundling mediabunny and ffmpeg deps into browser.mjs. | ai | |
| phantom-deps | phantom-dep:@hls-downloader/core | AI (phantom-deps): Same-org sibling package; phantom-dep heuristic fires because it's re-exported rather than directly imported. | ai | |
| phantom-deps | phantom-dep:@ffmpeg/ffmpeg | AI (phantom-deps): Referenced in config/build files as a peer; not directly imported in source but legitimately declared. | ai | |
v2.0.0
3 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.2.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.