@conform-to/react — Greenflagged

Conform view adapter for react

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

edmundhung

Keywords

constraint-validationformform-validationhtmlprogressive-enhancementvalidationreactremix

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() used in a Proxy trap for field metadata delegation — standard pattern for this form library, not obfuscation.	ai	2026/05/11
provenance	publisher-changed	AI (provenance): Package now publishes via GitHub Actions with SLSA attestation; this is the expected CI/CD publisher going forward.	ai	2026/05/05
dependencies	unvetted-dep:@conform-to/dom	AI (dependencies): Same-monorepo sibling package; versioned in lockstep with @conform-to/react, not an independent risk.	ai	2026/04/29

Versions (showing 33 of 33)

Version	Deps	Published
1.19.3	1 / 17	2026-05-16
1.19.2	1 / 14	2026-05-10
1.19.1	1 / 14	2026-04-27
1.19.0	1 / 14	2026-04-13
1.18.0	1 / 14	2026-04-04
1.17.1	1 / 14	2026-02-15
1.17.0	1 / 14	2026-02-10
1.16.0	1 / 14	2026-01-26
1.15.1	1 / 14	2025-12-18
1.15.0	1 / 14	2025-12-10
1.14.1	1 / 14	2025-12-04
1.14.0	1 / 14	2025-12-01
1.13.3	1 / 14	2025-11-07
1.13.2	1 / 14	2025-10-31
1.13.1	1 / 14	2025-10-23
1.13.0	1 / 14	2025-10-20
1.12.1	1 / 13	2025-10-17
1.12.0	1 / 13	2025-10-08
1.11.0	1 / 13	2025-09-25
1.10.1	1 / 13	2025-09-17
1.10.0	1 / 13	2025-09-15
1.9.1	1 / 14	2025-09-10
1.9.0	1 / 14	2025-09-05
1.8.2	1 / 13	2025-07-15
1.8.1	1 / 13	2025-07-03
1.8.0	1 / 13	2025-06-30
1.7.2	1 / 13	2025-06-20
1.7.1	1 / 13	2025-06-19
1.7.0	1 / 11	2025-06-13
1.6.1	1 / 10	2025-05-30
1.6.0	1 / 10	2025-05-19
1.5.1	1 / 10	2025-05-15
1.5.0	1 / 10	2025-05-05

v1.19.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.19.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.19.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.18.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.17.1

2 findings

HIGH Publisher changed: edmundhung → GitHub Actions (on 2026-02-15) provenance

This version was published by a different npm account than previous versions on 2026-02-15. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.17.0

2 findings

HIGH Publisher changed: edmundhung → GitHub Actions (on 2026-02-10) provenance

This version was published by a different npm account than previous versions on 2026-02-10. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.