@remotion/promo-pages
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:bun-plugin-tailwind | AI (dependencies): Build-time Tailwind plugin used in bun bundle scripts; not a runtime dependency for consumers. | ai | |
| source-diff | obfuscated-file:dist/components/homepage/CommunityStatsItems.js | AI (source-diff): Compiled TypeScript/JSX output; readable React component code, long lines from inlined SVG. | ai | |
| source-diff | obfuscated-file:dist/Users/jonathanburger/remotion/packages/promo-pages/dist/prompts/PromptsSubmit.js | AI (source-diff): Standard esbuild bundle output with readable source comments; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/components/design.js | AI (source-diff): Readable transpiled TypeScript/JSX; long lines from bundled imports, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/components/experts/ExpertsPage.js | AI (source-diff): Readable transpiled TypeScript/JSX; long lines from bundled JSX, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Users/jonathanburger/remotion/packages/promo-pages/dist/prompts/PromptsShow.js | AI (source-diff): Standard esbuild bundle output with readable source comments; not malicious obfuscation. | ai | |
| source-diff | obfuscated-file:dist/Users/jonathanburger/remotion/packages/promo-pages/dist/Homepage.js | AI (source-diff): Standard esbuild bundle output with readable source comments; not malicious obfuscation. | ai | |
| phantom-deps | phantom-dep:@remotion/shapes | AI (phantom-deps): Internal remotion monorepo package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@remotion/paths | AI (phantom-deps): Internal remotion monorepo package; stable false positive. | ai | |
| phantom-deps | phantom-dep:polished | AI (phantom-deps): Referenced in config/bundle files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@remotion/media | AI (phantom-deps): Internal remotion monorepo package; phantom-dep is a false positive for bundled/config-referenced deps. | ai | |
| phantom-deps | phantom-dep:@mediabunny/ac3 | AI (phantom-deps): Referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@vidstack/react | AI (phantom-deps): Referenced in config files; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:bun-plugin-tailwind | AI (phantom-deps): Build tool referenced in bundle config; stable false positive. | ai | |
| phantom-deps | phantom-dep:create-video | AI (phantom-deps): Internal remotion tooling; referenced in config, not directly imported. | ai | |
| phantom-deps | phantom-dep:@remotion/design | AI (phantom-deps): Internal remotion monorepo package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@remotion/web-renderer | AI (phantom-deps): Internal remotion monorepo package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@remotion/svg-3d-engine | AI (phantom-deps): Internal remotion monorepo package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@remotion/animated-emoji | AI (phantom-deps): Internal remotion monorepo package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@remotion/lottie | AI (phantom-deps): Internal remotion monorepo package; stable false positive. | ai | |
| phantom-deps | phantom-dep:@remotion/player | AI (phantom-deps): Internal remotion monorepo package; stable false positive. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 4.0.463 | 21 / 14 | |
| 4.0.461 | 21 / 14 | |
| 4.0.458 | 21 / 14 | |
| 4.0.457 | 21 / 14 | |
| 4.0.454 | 21 / 14 | |
| 4.0.443 | 21 / 14 | |
v4.0.463
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.461
4 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.458
1 finding:
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.457
6 findings:
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.454
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.443
1 finding:
- Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.