vidstack
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | obfuscated-file:cdn/with-layouts/chunks/vidstack-BBfcQIbe.js | AI (source-diff): Standard minified ESM bundle chunk; DASH provider logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:cdn/with-layouts/chunks/vidstack-BY9sVQlM.js | AI (source-diff): Standard minified ESM bundle chunk; AudioContext/media logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:cdn/chunks/vidstack-6Nr1toD_.js | AI (source-diff): Standard minified CDN chunk for a media player library; content is readable bundled JS, not malicious. | ai | |
| source-diff | obfuscated-file:cdn/with-layouts/chunks/vidstack-BhlShf5j.js | AI (source-diff): Standard minified CDN chunk; same pattern as other vidstack CDN bundles. | ai | |
| source-diff | obfuscated-file:cdn/with-layouts/chunks/vidstack-BLeIQEdI.js | AI (source-diff): Standard minified CDN chunk; readable floating-ui and DOM utility code. | ai | |
| source-diff | obfuscated-file:cdn/with-layouts/chunks/vidstack-BljmbPtk.js | AI (source-diff): Standard minified CDN chunk; readable audio context and media provider code. | ai | |
| source-diff | obfuscated-file:cdn/chunks/vidstack-CDrMLAjP.js | AI (source-diff): Standard minified CDN chunk; readable reactive signal/scope implementation. | ai | |
| source-diff | obfuscated-file:cdn/chunks/vidstack-CfDKwkUv.js | AI (source-diff): Standard minified CDN chunk; readable DOM utility and floating-ui code. | ai | |
| publish-pattern | rapid-publish | AI (publish-pattern): Active library with frequent releases; rapid publish is consistent with patch/hotfix workflow. | ai | |
| source-diff | obfuscated-file:plugins.js | AI (source-diff): Standard minified build output for vidstack's plugin system; no malicious patterns. | ai | |
| source-diff | obfuscated-file:cdn/with-layouts/chunks/vidstack-BL0Z6O3t.js | AI (source-diff): Minified CDN chunk; standard build output for this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Major version bump from 0.x to 1.x; large file count increase is expected for a media player library with CDN/dev/prod bundles. | ai | |
| source-diff | obfuscated-file:cdn/with-layouts/chunks/vidstack-2m_nt-Zk.js | AI (source-diff): Minified CDN chunk with readable vidstack media player logic; expected build artifact. | ai | |
| source-diff | obfuscated-file:cdn/chunks/vidstack-Ah9uMJFb.js | AI (source-diff): Minified CDN chunk; standard build output for this package. | ai | |
| source-diff | obfuscated-file:cdn/chunks/vidstack-BjIKgAlK.js | AI (source-diff): Minified CDN chunk; standard build output for this package. | ai | |
| provenance | no-provenance | AI (provenance): Established package with long history; lack of provenance is common and not a risk signal here. | ai | |
| phantom-deps | phantom-dep:type-fest | AI (phantom-deps): type-fest is a type-only dependency used in .d.ts files; not directly imported at runtime but legitimately declared. | ai | |
Versions (showing 6 of 6)
| Version | Deps | Published |
|---|---|---|
| 1.15.1 | 4 / 0 | |
| 1.15.0 | 4 / 0 | |
| 1.14.0 | 4 / 0 | |
| 1.13.1 | 4 / 0 | |
| 1.13.0 | 4 / 0 | |
| 0.6.15 | 3 / 24 | |
v1.15.1
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.0
7 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.0
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.1
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
6 findings
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.