← Home

@expo/expo-modules-macros-plugin

npm Repository Homepage

Swift macro plugin for Expo modules

9
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

idebrentvatneexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurman

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): Transition from individual publisher to GitHub Actions CI/CD; consistent with Expo org's automation. ai
source-diff source-size-tripled AI (source-diff): Absolute size is 4KB; tripling from 634B is trivially small and not a payload concern. ai
npm-metadata bundled-binaries AI (npm-metadata): Swift macro plugins require a compiled binary tool; ExpoModulesMacros-tool is the expected artifact for this package's purpose as a Swift macro plugin for Expo modules. ai
maintainer-change maintainer-added AI (maintainer-change): philpl is a known Expo/React Native contributor; addition is consistent with legitimate team management at 650 Industries for an official @expo/ scoped package. ai

Versions (showing 9 of 9)

Version Deps Published
0.4.0 0 / 0
0.3.0 0 / 0
0.2.2 0 / 0
0.2.1 0 / 0
0.2.0 0 / 0
0.1.0 0 / 0
0.0.9 0 / 0
0.0.8 0 / 0
0.0.7 0 / 0

v0.4.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.3.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.2

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.1

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.2.0

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

2 findings
HIGH Publisher changed: kudochien → GitHub Actions (on 2026-06-04) provenance

This version was published by a different npm account than previous versions on 2026-06-04. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.0.9

2 findings
HIGH Publisher changed: kudochien → tsapeta (on 2026-05-14) provenance

This version was published by a different npm account than previous versions on 2026-05-14. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.8

2 findings
HIGH Bundled binary files (1) npm-metadata

Package contains compiled binaries that could be backdoors: • apple/ExpoModulesMacros-tool

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.