{"package":"hls.js","ecosystem":"npm","latest_version":"1.6.16","description":"JavaScript HLS client using MediaSourceExtension","license":"Apache-2.0","license_risk":"permissive","commercial_use_notes":"Permissive: commercial closed-source use OK; preserve the copyright notice.","homepage":"https://github.com/video-dev/hls.js","repository":"https://github.com/video-dev/hls.js","downloads_weekly":5256192,"health":{"score":76,"risk":"moderate","breakdown":{"maintenance":25,"popularity":17,"security":15,"maturity":15,"community":4},"deprecated":false,"max_score":100},"vulnerabilities":{"count":1,"critical":1,"high":0,"medium":0,"low":0,"details":[{"vuln_id":"GHSA-pq9g-f2rr-m4hw","severity":"critical","summary":"Malicious code in hls.js (npm)","affected_versions":"=1.7.0-alpha.1.0.canary.11765|=1.7.0-alpha.1.0.canary.11764","fixed_version":null,"source":"osv","published_at":"2026-04-23T16:08:37Z"}],"actively_exploited_count":0,"likely_exploited_count":0},"versions":{"latest":"1.6.16","total_count":3550,"recent":["1.7.0-alpha.1.0.canary.11743","1.7.0-alpha.1.0.canary.11744","1.7.0-alpha.1.0.canary.11745","1.7.0-alpha.1.0.canary.11746","1.7.0-alpha.1.0.canary.11748","1.7.0-alpha.1.0.canary.11749","1.7.0-alpha.1.0.canary.11750","1.7.0-alpha.1.0.canary.11751","1.7.0-alpha.1.0.canary.11753","1.6.16","1.7.0-alpha.1.0.canary.11754","1.7.0-alpha.1.0.canary.11755","1.7.0-alpha.1.0.canary.11756","1.7.0-alpha.1.0.canary.11758","1.7.0-alpha.1.0.canary.11759","1.7.0-alpha.1.0.canary.11760","1.7.0-alpha.1.0.canary.11761","1.7.0-alpha.1.0.canary.11763","1.7.0-alpha.1.0.canary.11766","1.7.0-alpha.1.0.canary.11768"]},"metadata":{"deprecated":false,"deprecated_message":null,"maintainers_count":4,"first_published":"2016-01-06T14:05:37.911Z","last_published":"2026-04-13T16:54:04.647Z","dependencies_count":0,"dependencies":[]},"bundle":{"size_kb":500.0,"gzip_kb":153.2,"dependency_count":0,"has_js_module":"./dist/hls.mjs","has_side_effects":true,"scoped":false,"source":"bundlephobia"},"typescript":{"score":10,"has_types":true,"types_source":"bundled","types_package":null},"known_issues":{"bugs_count":0,"bugs_severity":{},"status_breakdown":{},"link":null,"scope":"none"},"historical_compromise":null,"recommendation":{"action":"do_not_use","issues":["1 critical vulnerabilities"],"use_version":"1.6.16","version_hint":null,"summary":"hls.js has critical vulnerabilities — do not use"},"version_scoped":null,"requested_version":null,"_cache":"hit","_response_ms":0,"_powered_by":"depscope.dev — free package intelligence for AI agents","typosquat":{"is_suspected":false},"maintainer_trust":{"available":false},"malicious":{"is_malicious":false,"advisory_id":"MAL-2026-3019","summary":"Malicious code in hls.js (npm)","action":"review_advisory","downloads_weekly_at_check":5256192,"note":"Advisory MAL-2026-3019 flags this name but the package has 5,256,192 weekly downloads — likely a false positive or a withdrawn advisory. Verify on OSV.dev before treating as malicious."},"scorecard":{"available":false},"quality":{"available":false}}