@vimeo/player
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:https://vimeo.com | AI (email-domain): The author field contains a URL (https://vimeo.com), not an email address. The analyzer is misinterpreting the URL as an email domain. vimeo.com is a live, well-known domain — stable false positive for this package. | ai | |
| dependencies | unvetted-dep:weakmap-polyfill | AI (dependencies): weakmap-polyfill is a small, well-known polyfill that has been a stable dependency of this package across many versions. No security concerns. | ai | |
Versions (showing 17 of 17)
| Version | Deps | Published |
|---|---|---|
| 2.30.4 | 2 / 32 | |
| 2.30.3 | 2 / 32 | |
| 2.30.2 | 2 / 32 | |
| 2.30.1 | 2 / 32 | |
| 2.30.0 | 2 / 32 | |
| 2.29.7 | 2 / 32 | |
| 2.29.6 | 2 / 31 | |
| 2.29.5 | 2 / 31 | |
| 2.29.4 | 2 / 31 | |
| 2.29.3 | 2 / 31 | |
| 2.29.2 | 2 / 31 | |
| 2.29.1 | 2 / 31 | |
| 2.29.0 | 2 / 32 | |
| 2.28.0 | 2 / 32 | |
| 2.27.1 | 2 / 32 | |
| 2.27.0 | 2 / 32 | |
| 2.22.0 | 2 / 32 | |
v2.30.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.30.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.29.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.28.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.27.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.22.0
2 findings: Maintainer email 'https://vimeo.com' uses domain 'https://vimeo.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.