Is hls.js safe to use?

hls.js has 1 known vulnerabilities on the latest version (1.6.16). DepScope rates its health at 67/100 (moderate risk).

What is the latest version of hls.js?

The latest version of hls.js is 1.6.16, released 2026-04-13.

Does hls.js have known vulnerabilities?

Yes. hls.js has 1 known vulnerabilities. See depscope.dev/pkg/npm/hls.js for details.

Is hls.js deprecated?

No, hls.js is actively maintained. Latest release: 1.6.16 (2026-04-13).

What are alternatives to hls.js?

Popular alternatives to hls.js in npm include: debug, minimatch, ansi-styles, brace-expansion, strip-ansi.

What license does hls.js use?

hls.js is licensed under Apache-2.0.

hls.js

npmv1.6.16

JavaScript HLS client using MediaSourceExtension

License Apache-2.0permissive3554 versions4 maintainers0 deps

video-dev/hls.js

/ 100

Health

do not use

Do not install. Package is flagged as malicious (advisory MAL-2026-3019).

Health breakdown0 – 100

25/25

maintenance

0/20

popularity

15/25

security

15/15

maturity

12/15

community

Vulnerabilities

1 critical

Advisories (1)

Severity	ID	Summary	Fixed in
critical	GHSA-pq9g-f2rr-m4hw	Malicious code in hls.js (npm)	—

Bundle & TypeScript

📦

Bundle Size

500.0 KBminified

153.2 KB gzipped

0 direct dependencies

ESMside effects

🌟

TypeScript

10/10typed

bundled

⚠ Malicious package

This package is flagged as malicious by the OpenSSF/OSV community feed. Do not install.

Advisory: MAL-2026-3019 — Malicious code in hls.js (npm)

Quality signals

OSS Criticality

0.77critical

Health History

Dependency Tree

License Audit

API access

Get this data programmatically — free, no authentication.

curl https://depscope.dev/api/check/npm/hls.js