@whereby.com/media
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:rtcstats | AI (dependencies): whereby/rtcstats is the org's own package; stable false positive for this package. | ai | |
| npm-metadata | url-dep:rtcstats | AI (npm-metadata): GitHub dep points to whereby/rtcstats (same org), pinned to a specific tag — not an arbitrary external URL. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): 476-version package from Whereby's own npm account; dormancy likely reflects release cadence, not takeover. | ai | |
| typosquat | typosquat.levenshtein:redis | AI (typosquat): Scoped package @whereby.com/media is clearly not a typosquat of redis; Levenshtein match is spurious. | ai | |
Versions (showing 19 of 19)
| Version | Deps | Published |
|---|---|---|
| 9.2.0 | 11 / 15 | |
| 9.1.1 | 11 / 15 | |
| 9.1.0 | 11 / 15 | |
| 9.0.0 | 11 / 15 | |
| 8.3.5 | 11 / 15 | |
| 8.3.4 | 11 / 15 | |
| 8.3.3 | 11 / 15 | |
| 8.3.2 | 11 / 15 | |
| 8.3.1 | 11 / 15 | |
| 8.3.0 | 11 / 15 | |
| 8.2.8 | 11 / 15 | |
| 8.2.7 | 11 / 15 | |
| 8.2.6 | 11 / 15 | |
| 8.2.2 | 11 / 15 | |
| 8.0.10 | 11 / 15 | |
| 8.0.9 | 11 / 15 | |
| 8.0.4 | 11 / 15 | |
| 8.0.1 | 11 / 15 | |
| 3.0.0 | 11 / 15 | |
v9.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.3.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.3.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.3.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.3.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.3.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.2.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.10
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.9
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.