@expo/steps BUSL-1.1 20 versions

@expo/steps

npm Repository Homepage

TBD

20

Versions

BUSL-1.1

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

idebrentvatneexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurman

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:dynamic-require	AI (semgrep): Intentional plugin/custom-function loader pattern in a build-step executor; stable for this package.	ai	2026/05/18
semgrep	semgrep:base64-decode	AI (semgrep): Decodes build step output files from base64 storage format; not executing decoded content.	ai	2026/05/18
dependencies	unvetted-dep:@expo/logger	AI (dependencies): Sibling package from expo/eas-cli monorepo at matching version; not a third-party risk.	ai	2026/05/03
dependencies	unvetted-dep:@expo/eas-build-job	AI (dependencies): Sibling package from expo/eas-cli monorepo at matching version; not a third-party risk.	ai	2026/05/03
phantom-deps	phantom-dep:arg	AI (phantom-deps): arg is a declared runtime dependency in package.json; phantom-dep heuristic misfires here.	ai	2026/05/03

Versions (showing 20 of 20)

Version	Deps	Published
20.1.0	11 / 12	2026-06-05
20.0.0	11 / 12	2026-05-29
19.1.0	11 / 12	2026-05-25
19.0.0	11 / 12	2026-05-19
18.13.1	11 / 12	2026-05-18
18.12.0	11 / 12	2026-05-12
18.9.0	11 / 12	2026-04-30
18.8.0	11 / 12	2026-04-22
18.6.0	11 / 12	2026-04-10
18.5.0	11 / 12	2026-04-02
18.4.0	11 / 11	2026-03-16
18.2.0	11 / 11	2026-03-09
18.0.2	11 / 11	2026-02-20
18.0.1	11 / 11	2026-02-12
1.0.271	11 / 11	2026-01-23
1.0.263	12 / 12	2026-01-13
1.0.260	12 / 12	2025-12-10
1.0.252	12 / 12	2025-12-02
1.0.246	12 / 12	2025-11-10
1.0.245	12 / 12	2025-11-03

v20.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v20.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v19.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v19.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v18.13.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v18.12.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v18.9.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v18.8.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v18.6.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v18.5.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v18.4.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v18.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v18.0.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v18.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.271

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.263

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.260

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v1.0.252

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.246

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v1.0.245

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.