shaka-player
Supply chain provenance
Status for the latest visible version.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | url-dep:jsdoc | AI (npm-metadata): devDependency pinned to maintainer fork at specific commit; no runtime impact. | ai | |
| npm-metadata | url-dep:karma | AI (npm-metadata): devDependency pinned to maintainer fork; no runtime impact. | ai | |
| npm-metadata | url-dep:eslint-config-google | AI (npm-metadata): devDependency pinned to specific commit on google org repo; no runtime impact. | ai | |
| npm-metadata | url-dep:google-closure-library | AI (npm-metadata): devDependency pinned to maintainer fork at specific commit; no runtime impact. | ai | |
| npm-metadata | url-dep:eslint-plugin-shaka-rules | AI (npm-metadata): devDependency pointing to local file path; no runtime impact. | ai |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 5.1.8 | 0 / 54 | |
| 5.1.7 | 0 / 54 | |
| 5.1.6 | 0 / 54 | |
| 5.1.5 | 0 / 54 | |
| 5.1.4 | 0 / 54 | |
| 5.1.2 | 0 / 54 |
v5.1.8
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.1.7
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.1.6
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.1.5
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v5.1.4
1 findingPublished via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.