← Home

@svta/common-media-library

npm Repository Homepage

A common library for media playback in JavaScript

12
Versions
Apache-2.0
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

littlespexjason_n_thibeault

Keywords

CTA-5004Common Media Client DataCMCDCTA-5006Common Media Server DataCMSDRFC8941Structured Field ValuesID3Common Media RequestCommon Media ResponseCTA-608CEA-608EIA-608

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Transition to GitHub Actions publishing is consistent with SLSA provenance attestation; org-owned repo matches package metadata. ai
publish-pattern dormant-publish AI (publish-pattern): Dormancy followed by CI/CD-attested publish from the same org repo is low risk; SLSA provenance confirms legitimate pipeline. ai

Versions (showing 12 of 12)

Version Deps Published
0.18.1 0 / 0
0.18.0 0 / 0
0.17.4 0 / 0
0.17.3 0 / 0
0.17.2 0 / 0
0.17.1 0 / 0
0.17.0 0 / 0
0.16.0 0 / 0
0.15.1 0 / 0
0.15.0 0 / 0
0.14.0 0 / 0
0.13.0 0 / 0

v0.18.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.18.0

2 findings
HIGH Publisher changed: jason_n_thibeault → GitHub Actions (on 2025-09-24) provenance

This version was published by a different npm account than previous versions on 2025-09-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.17.4

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.17.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.17.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.17.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.17.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.16.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.15.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.14.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.13.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.