@vkontakte/videoplayer
Videoplayer based on the vk.com platform
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:es2015.cjs | AI (source-diff): Standard minified build artifact for ES2015 target; consistent with VK videoplayer's multi-target bundle pattern. | ai | |
| source-diff | obfuscated-file:esnext.cjs | AI (source-diff): Standard minified build artifact for esnext target; consistent with VK videoplayer's multi-target bundle pattern. | ai | |
| source-diff | obfuscated-file:es2024.cjs | AI (source-diff): Standard minified build artifact for ES2024 target; consistent with VK videoplayer's multi-target bundle pattern. | ai | |
| source-diff | obfuscated-file:es2018.cjs | AI (source-diff): Standard minified build artifact for ES2018 target; consistent with VK videoplayer's multi-target bundle pattern. | ai | |
| dependencies | unvetted-dep:@adtech/rbadman | AI (dependencies): Internal VK/adtech dependency used consistently across versions of this package; stable false positive. | ai | |
| semgrep | semgrep:api-obfuscation-reflect | AI (semgrep): Fires on Svelte framework internals in bundled output; not actual obfuscation. | ai | |
| license | copyleft-license:GPL-3.0 | AI (license): Package is intentionally GPL-3.0 licensed by VK; stable across versions. | ai | |
| provenance | no-provenance | AI (provenance): Long-established VK package with 1043 versions; provenance absence is consistent across all prior releases. | ai | |
| phantom-deps | phantom-dep:@adtech/rbadman | AI (phantom-deps): Ad-tech dep referenced in config files; consistent with VK platform integration across versions. | ai |
Versions (showing 16 of 16)
| Version | Deps | Published |
|---|---|---|
| 1.1.93 | 5 / 0 | |
| 1.1.92 | 5 / 0 | |
| 1.1.91 | 5 / 0 | |
| 1.1.90 | 5 / 0 | |
| 1.1.89 | 5 / 0 | |
| 1.1.86 | 5 / 0 | |
| 1.1.85 | 5 / 0 | |
| 1.1.84 | 5 / 0 | |
| 1.1.83 | 5 / 0 | |
| 1.1.82 | 5 / 0 | |
| 1.1.81 | 5 / 0 | |
| 1.1.80 | 5 / 0 | |
| 1.1.79 | 5 / 0 | |
| 1.1.78 | 5 / 0 | |
| 1.1.77 | 5 / 0 | |
| 1.1.76 | 5 / 0 |
v1.1.93
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.92
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.90
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.89
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.86
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.85
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.84
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.83
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.82
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.81
5 findingsNewly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.80
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.79
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.78
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.77
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.76
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.