Skip to content

[Snyk] Upgrade hls.js from 1.4.14 to 1.6.4 #182

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tot-ra wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade hls.js from 1.4.14 to 1.6.4 #182

tot-ra wants to merge 1 commit into from

Conversation

@tot-ra
Copy link
Contributor

@tot-ra tot-ra commented Jun 21, 2025

snyk-top-banner

Snyk has created this PR to upgrade hls.js from 1.4.14 to 1.6.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 1018 versions ahead of your current version.

  • The recommended version was released 22 days ago.

Release notes
Package name: hls.js
  • 1.6.4 - 2025-05-30

    Summary

    HLS.js v1.6.4 fixes a regression in fragmented mp4 audio segment handling introduced in v1.6.3.

    Changes Since The Last Release

    v1.6.3...v1.6.4

    • Fix mp4 audio sample duration calculation regression (#7290) @ robwalch
      • #7199 introduced a regression by skipping sample based duration calculation for audio tracks

    Demo Page

    https://5f099c29.hls-js-dev.pages.dev/demo/

    API and Breaking Changes

    If you are upgrading from version v0.14.17 or lower, see the MIGRATING guide for API changes between v0.14.x and v1.0.0.

    Feedback

    Please provide feedback via Issues in GitHub. For more details on how to contribute to HLS.js, see our CONTRIBUTING guide.

  • 1.6.4-0.canary.11264 - 2025-05-30
  • 1.6.3 - 2025-05-29

    Summary

    HLS.js v1.6.3 includes bug fixes and improvements over the last release.

    Changes Since The Last Release

    v1.6.2...v1.6.3

    New configuration options

    • Added config preserveManualLevelOnError option (#7280) @ brodiddev
    • Added config requireKeySystemAccessOnStart (EME clear to encrypted transition) (#7216) @ grabofus
    • Added config startOnSegmentBoundary synchronizing live start position with program boundary (#7211) @ krseager
    • Added config liveSyncMode?: 'edge' | 'buffered' to change live catch up seek behavior (#7210) @ whdudtod1273

    Interstitials

    • Fixed appending of Interstitials in place that exceed X-PLAYOUT-LIMIT (#7182) @ robwalch
    • Support late X-PLAYOUT-LIMIT update with append-in-place interstitials (#7257)
    • Skip Interstitial assets that error rather than falling back to primary for entire break (#7263)
    • Fixed interstitial "_HLS_primary_id" value in asset requests (#7260)

    EME

    • Setting requireKeySystemAccessOnStart fixes Chrome PIPELINE_DECODE_ERROR on clear to encrypted transition (#7216) @ grabofus
    • Prevent same MediaKeys from being set on media element by eme-controller (#7284) @ robwalch
    • Fix MediaKeys cleanup on player destroy and reuse (#7287)

    MSE and codec selection

    • Prevent overlapping track appends in muxed fmp4 on discontinuity (#7199, #7247) @ robwalch
    • Fixed seeking into jagged discontinuity sequence boundary (#7274)
    • Fix handling of variants with mixed video codecs starting with "avc1" (#7205)
    • Improved HEVC codec parsing (#7177)

    Misc

    Demo Page

    https://b96cca92.hls-js-dev.pages.dev/demo/

    API and Breaking Changes

    If you are upgrading from version v0.14.17 or lower, see the MIGRATING guide for API changes between v0.14.x and v1.0.0.

    Feedback

    Please provide feedback via Issues in GitHub. For more details on how to contribute to HLS.js, see our CONTRIBUTING guide.

  • 1.6.3-0.canary.11263 - 2025-05-29
  • 1.6.3-0.canary.11262 - 2025-05-29
  • 1.6.3-0.canary.11261 - 2025-05-29
  • 1.6.3-0.canary.11259 - 2025-05-29
  • 1.6.3-0.canary.11257 - 2025-05-29
  • 1.6.3-0.canary.11255 - 2025-05-28
  • 1.6.3-0.canary.11254 - 2025-05-28
  • 1.6.3-0.canary.11253 - 2025-05-28
  • 1.6.3-0.canary.11252 - 2025-05-26
  • 1.6.3-0.canary.11251 - 2025-05-25
  • 1.6.3-0.canary.11249 - 2025-05-25
  • 1.6.3-0.canary.11247 - 2025-05-24
  • 1.6.3-0.canary.11246 - 2025-05-23
  • 1.6.3-0.canary.11244 - 2025-05-23
  • 1.6.3-0.canary.11242 - 2025-05-23
  • 1.6.3-0.canary.11240 - 2025-05-23
  • 1.6.3-0.canary.11238 - 2025-05-22
  • 1.6.3-0.canary.11236 - 2025-05-22
  • 1.6.3-0.canary.11234 - 2025-05-21
  • 1.6.3-0.canary.11233 - 2025-05-20
  • 1.6.3-0.canary.11232 - 2025-05-20
  • 1.6.3-0.canary.11230 - 2025-05-20
  • 1.6.3-0.canary.11228 - 2025-05-19
  • 1.6.3-0.canary.11227 - 2025-05-19
  • 1.6.3-0.canary.11226 - 2025-05-19
  • 1.6.3-0.canary.11225 - 2025-05-19
  • 1.6.3-0.canary.11223 - 2025-05-19
  • 1.6.3-0.canary.11221 - 2025-05-19
  • 1.6.3-0.canary.11219 - 2025-05-19
  • 1.6.3-0.canary.11218 - 2025-05-17
  • 1.6.3-0.canary.11216 - 2025-05-17
  • 1.6.3-0.canary.11214 - 2025-05-17
  • 1.6.3-0.canary.11213 - 2025-05-14
  • 1.6.3-0.canary.11211 - 2025-05-14
  • 1.6.3-0.canary.11209 - 2025-05-13
  • 1.6.3-0.canary.11207 - 2025-05-13
  • 1.6.3-0.canary.11205 - 2025-05-10
  • 1.6.3-0.canary.11203 - 2025-05-08
  • 1.6.3-0.canary.11201 - 2025-05-08
  • 1.6.3-0.canary.11200 - 2025-05-08
  • 1.6.3-0.canary.11198 - 2025-05-08
  • 1.6.3-0.canary.11196 - 2025-05-08
  • 1.6.3-0.canary.11194 - 2025-05-08
  • 1.6.3-0.canary.11192 - 2025-05-05
  • 1.6.3-0.canary.11191 - 2025-05-05
  • 1.6.3-0.canary.11190 - 2025-05-05
  • 1.6.3-0.canary.11189 - 2025-05-05
  • 1.6.3-0.canary.11187 - 2025-05-05
  • 1.6.3-0.canary.11185 - 2025-05-05
  • 1.6.3-0.canary.11183 - 2025-05-02
  • 1.6.3-0.canary.11181 - 2025-05-02
  • 1.6.3-0.canary.11180 - 2025-05-02
  • 1.6.3-0.canary.11178 - 2025-05-02
  • 1.6.3-0.canary.11176 - 2025-05-01
  • 1.6.3-0.canary.11175 - 2025-05-01
  • 1.6.3-0.canary.11173 - 2025-04-29
  • 1.6.3-0.canary.11171 - 2025-04-29
  • 1.6.3-0.canary.11170 - 2025-04-29
  • 1.6.3-0.canary.11169 - 2025-04-28
  • 1.6.3-0.canary.11167 - 2025-04-24
  • 1.6.3-0.canary.11165 - 2025-04-24
  • 1.6.3-0.canary.11163 - 2025-04-23
  • 1.6.3-0.canary.11161 - 2025-04-23
  • 1.6.3-0.canary.11159 - 2025-04-22
  • 1.6.3-0.canary.11157 - 2025-04-22
  • 1.6.3-0.canary.11155 - 2025-04-21
  • 1.6.3-0.canary.11153 - 2025-04-21
  • 1.6.3-0.canary.11151 - 2025-04-21
  • 1.6.3-0.canary.11149 - 2025-04-19
  • 1.6.3-0.canary.11147 - 2025-04-18
  • 1.6.3-0.canary.11145 - 2025-04-17
  • 1.6.3-0.canary.11143 - 2025-04-16
  • 1.6.3-0.canary.11142 - 2025-04-15
  • 1.6.3-0.canary.11141 - 2025-04-12
  • 1.6.3-0.canary.11139 - 2025-04-12
  • 1.6.3-0.canary.11137 - 2025-04-11
  • 1.6.3-0.canary.11135 - 2025-04-11
  • 1.6.3-0.canary.11133 - 2025-04-11
  • 1.6.2 - 2025-04-10

    Summary

    HLS.js v1.6.2 includes bug fixes and improvements over the last release.

    Changes Since The Last Release

    v1.6.1...v1.6.2

    • Fix live "discontinuity sequence mismatch" regression (#7168) @ robwalch
    • Do not skip loading of parts that were previously buffered (#7167)

    Demo Page

    https://e5abc373.hls-js-dev.pages.dev/demo/

    API and Breaking Changes

    If you are upgrading from version v0.14.17 or lower, see the MIGRATING guide for API changes between v0.14.x and v1.0.0.

    Feedback

    Please provide feedback via Issues in GitHub. For more details on how to contribute to HLS.js, see our CONTRIBUTING guide.

  • 1.6.2-0.canary.11129 - 2025-04-10
  • 1.6.2-0.canary.11128 - 2025-04-10
  • 1.6.2-0.canary.11126 - 2025-04-10
  • 1.6.2-0.canary.11124 - 2025-04-10
  • 1.6.2-0.canary.11123 - 2025-04-08
  • 1.6.2-0.canary.11122 - 2025-04-07
  • 1.6.2-0.canary.11120 - 2025-04-07
  • 1.6.2-0.canary.11118 - 2025-04-05
  • 1.6.2-0.canary.11116 - 2025-04-05
  • 1.6.1 - 2025-04-04

    Summary

    HLS.js v1.6.1 includes bug fixes and improvements over the last release.

    Changes Since The Last Release

    v1.6.0...v1.6.1

    • Fix streaming interruption from exception thrown setting MediaSource duration (#7148) @ robwalch
    • Make appendBuffer errors fatal when HTMLMediaElement.error is present (#7147)
    • Guard against exceptions when parsing incomplete codec boxes (#7146)
    • Warn on muxed mp4 with alt-audio (unsupported media configuration) (#7153)
    • Support disabling alternate audio with config (#7154)
    • Timeout mediakeySession.remove() and only call for persistent-license sessions (#7050) @ JackPu
    • Add workaround for Xbox One keyStatuses.forEach callback not work well (#7150)

    Demo Page

    https://26b6689f.hls-js-dev.pages.dev/demo/

    API and Breaking Changes

    If you are upgrading from version v0.14.17 or lower, see the MIGRATING guide for API changes between v0.14.x and v1.0.0.

    Feedback

    Please provide feedback via Issues in GitHub. For more details on how to contribute to HLS.js, see our CONTRIBUTING guide.

  • 1.6.1-0.canary.11114 - 2025-04-03
  • 1.6.1-0.canary.11113 - 2025-04-03
  • 1.6.1-0.canary.11112 - 2025-04-03
  • 1.6.1-0.canary.11111 - 2025-04-02
  • 1.6.1-0.canary.11110 - 2025-04-02
  • 1.6.1-0.canary.11108 - 2025-04-02
  • 1.6.1-0.canary.11107 - 2025-04-02
  • 1.6.1-0.canary.11106 - 2025-04-02
  • 1.6.1-0.canary.11104 - 2025-04-02
  • 1.6.1-0.canary.11103 - 2025-04-01
  • 1.6.1-0.canary.11101 - 2025-04-01
  • 1.6.1-0.canary.11099 - 2025-03-31
  • 1.6.1-0.canary.11097 - 2025-03-28
  • 1.6.1-0.canary.11095 - 2025-03-27
  • 1.6.1-0.canary.11093 - 2025-03-27
  • 1.6.1-0.canary.11091 - 2025-03-27
  • 1.6.1-0.canary.11089 - 2025-03-27
  • 1.6.1-0.canary.11087 - 2025-03-27
  • 1.6.1-0.canary.11085 - 2025-03-27
  • 1.6.0 - 2025-03-27

    Summary

    HLS.js v1.6.0 introduces support for HLS Interstitials with new API features, media support, and playback enhancements.

    New features in release version 1.6

    API changes in release version 1.6

    • Added config.detectStallWithCurrentTimeMs used to specify the maximum amount of time in milliseconds before a BUFFER_STALLED_ERROR is reported when the media elements currentTime has not advanced while playing (#6941)
    • Added config.nudgeOnVideoHole whether or not to nudge the playhead when crossing over video buffer gaps to flush the rendering pipeline and ensure smooth playback through video buffered ranges (#6972)
    • Added config.enableInterstitialPlayback set to false to disable Interstitial playback without turning off Interstitials parsing and events
    • Added config.interstitialsController set to null to disable Interstitials support completely
    • Added config.interstitialAssetListLoadPolicy defines the loading policy of X-ASSET-LIST JSON
    • Added config.liveSyncOnStallIncrease (#6455) @ vk342
    • Added config.maxDevicePixelRatio to limit browser value when capping level to media element dimensions (#6825) @ signalwerk
    • Added config.videoPreference.videoCodec video codec selection preference option (#6483)
    • Added config options specifically for Interstitial asset player instances:
      • config.primarySessionId identifies the parent player session that spawned the asset player (read from hls.sessionId)
      • config.assetPlayerId identifies logs from asset players
      • config.timelineOffset offsets MSE appends for gapless playback
    • Support config.fetchSetup optional async result (#6714) @ zce
    • Added hls.bufferedToEnd read-only indicates when EOS has been appended (media is buffered from currentTime to end of stream)
    • Added hls.bufferingEnabled read-only flag toggled with pauseBuffering() and resumeBuffering()
    • Added hls.hasEnoughToStart getter returns whether enough is buffered to seek to start position (#6571)
    • Added hls.inFlightFragments
    • Added hls.interstitialsManager read-only InterstitialsManager or null. The InterstitialsManager is an interface for accessing program information and methods for seeking across items and skipping Interstitials.
    • Added hls.latestLevelDetails read-only LevelDetails object of the most up-to-date HLS variant Playlist data
    • Added hls.loadLevelObj read-only Level object of selected level (variant) or null
    • Added hls.loadingEnabled read-only flag toggled with hls.startLoad() and hls.stopLoad()
    • Added hls.pathwayPriority Content-Steering setting (#6295) @ PavelFomin90
    • Added hls.pathways getter (#6997) @ grabofus
    • Added hls.sessionId read-only Hls instance UUID - used to assign a value to the _HLS_primary_id query parameter of interstitial requests
    • Added hls.startPosition read-only the resolved startPosition that playback will begin at once media is appended
    • Support setting hls.targetLatency (#6473) @ vk342
    • Added hls.transferMedia() detaches and returns MediaSource and SourceBuffers non-destructively
    • Added hls.url read-only value of the currently playing url (from hls.loadSource(url)) (#6411) @ ibobo
    • Added Events.MEDIA_ENDED event (#6141)
    • Added Events.STALL_RESOLVED event (#6941)
    • Added Events.EVENT_CUE_ENTER Used internally to determine when the playhead has entered a time-range replaced by an Interstitial event.
    • Added levelInfo: Level to LevelLoadingData and LevelLoadedData event data
    • Added track: MediaPlaylist to TrackLoadingData and TrackLoadedData event data (audio and subtitle events)
    • Added withoutMultiVariant: boolean to LevelLoadedData event
    • Added LevelDetais.expired read-only indicates live playlist data is no longer valid for fragment loading
    • Added LevelDetais.requestScheduled to improve live playlist reload scheduling
    • Added read-only Fragment.bitrate and Fragment.byteLength getters
    • Several Fragment properties have been replaced with accessors: get baseurl(), get/set stats(), get/set programDateTime(). Class property accessors are not enumerable. This impacts copying object properties and serialization. Fragment.stats remain enumerable with (#6999)
    • Enhancements:
      • hls.startLoad() takes a second optional argument to skip seeking on start (otherwise, HLS.js seeks following to the first optional startPosition argument on append)
      • hls.attachMedia() supports transferring MediaSource and SourceBuffers from Hls instances with hls.transferMedia()
      • hls.recoverMediaError() seeks to the value of currentTime before the source reset is performed (#6297)
    • New Events:
      • ASSET_LIST_LOADING when a request is made for an X-ASSET-LIST JSON object
      • ASSET_LIST_LOADED when a response is received for an X-ASSET-LIST JSON object
      • INTERSTITIALS_UPDATED when Interstitials are added, removed, or the schedule is updated following a variant playlist update or updated asset durations from X-ASSET-LIST JSON or asset playlist and media parsing
      • INTERSTITIALS_BUFFERED_TO_BOUNDARY when the forward buffer reaches the boundary of the following schedule item (Interstitial event or primary segment)
      • INTERSTITIAL_ASSET_PLAYER_CREATED when an asset player instance is created to stream an Interstitial asset (will always be before attaching media to the asset player)
      • INTERSTITIAL_STARTED when streaming of an Interstitial event containing one or more assets has begun (may occur before X-ASSET-LIST JSON is loaded or playback has started)
      • INTERSTITIAL_ENDED when streaming of an Interstitial event containing one or more assets has ended - before resuming primary or starting the next event
      • INTERSTITIAL_ASSET_STARTED when streaming of an Interstitial asset has begun (following the beginning of the event or the end of the last asset)
      • INTERSTITIAL_ASSET_ENDED when streaming of an Interstitial asset has ended (before the next asset or the event ending)
      • INTERSTITIAL_ASSET_ERROR when an error occurs starting or streaming an Interstitial asset (this can include non-fatal errors such as stalling and errors that will end streaming of the asset, resulting in the schedule advancing to the next asset or fallback to primary)
      • INTERSTITIALS_PRIMARY_RESUMED when playback of primary content has begun or resumed from an Interstitial event
      • BUFFERED_TO_END when the last audio and video segments in the playlist have been appended (EOS signaled on all SourceBuffers)
      • AUDIO_TRACK_UPDATED similar to LEVEL_UPDATED fired for any update to audio group playlists
      • SUBTITLE_TRACK_UPDATED similar to LEVEL_UPDATED fired for any update to subtitle group playlists
    • Updated Events
      • MEDIA_ATTACHING, MEDIA_ATTACHED, MEDIA_DETACHING, and MEDIA_DETACHED include additional information (depending on whether media is being transferred)
    • New Errors
      • Type: NETWORK_ERROR
        • details: ASSET_LIST_LOAD_ERROR network error loading asset list
        • details: ASSET_LIST_LOAD_TIMEOUT network timeout error loading asset list
        • details: ASSET_LIST_PARSING_ERROR asset list was not valid JSON or missing required data
      • Type: OTHER_ERROR
        • details: INTERSTITIAL_ASSET_ITEM_ERROR an issue interrupted or prevented asset playback. This will result in skipping the remainder of the asset or falling back to primary content. The event error will contain more details. This type of error differs from the INTERSTITIAL_ASSET_ERROR events forwarded from asset player errors.
        • details: ATTACH_MEDIA_ERROR when calling attachMedia with falsey media argument (#6556) @ agajassi
        • Support more key system error detail (#6807) @ JackPu
          • details: KEY_SYSTEM_DESTROY_CLOSE_SESSION_ERROR
          • details: KEY_SYSTEM_DESTROY_MEDIA_KEYS_ERROR
          • details: KEY_SYSTEM_DESTROY_REMOVE_SESSION_ERROR

    Enhancements

    • Reduce workers across instances (#6550)

@snyk-bot
fix: upgrade hls.js from 1.4.14 to 1.6.4
74a3f67 
Snyk has created this PR to upgrade hls.js from 1.4.14 to 1.6.4.

See this package in npm:
hls.js

See this project in Snyk:
https://app.snyk.io/org/tot-ra/project/3f566743-6ee7-474b-aa30-f8e7242644a9?utm_source=github&utm_medium=referral&page=upgrade-pr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@tot-ra tot-ra

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tot-ra @snyk-bot