@fluentui-react-native/framework
Component framework used by fluentui react native controls
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@fluentui-react-native/memo-cache | AI (dependencies): Same-monorepo sibling package from Microsoft FluentUI; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@fluentui-react-native/merge-props | AI (dependencies): Same-monorepo sibling package from Microsoft FluentUI; stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@fluentui-react-native/immutable-merge | AI (dependencies): Same-monorepo sibling package from Microsoft FluentUI; stable false positive for this package. | ai | |
| dependencies | unvetted-peer-dep:react-native-windows | AI (dependencies): Well-known optional platform peer dependency for Windows React Native support; no risk. | ai | |
| dependencies | unvetted-dep:@fluentui-react-native/default-theme | AI (dependencies): Sibling package in the same Microsoft FluentUI React Native monorepo, published by the same trusted bot publisher. No risk. | ai | |
| dependencies | unvetted-peer-dep:@office-iss/react-native-win32 | AI (dependencies): Optional peer dependency for Office Win32 React Native platform; expected for this Microsoft FluentUI package. | ai | |
| provenance | no-provenance | AI (provenance): Established Microsoft monorepo package; lack of Sigstore provenance is common and not a security concern for this publisher. | ai | |
| dependencies | unvetted-peer-dep:react-native-macos | AI (dependencies): Well-known optional platform peer dependency for macOS React Native support; no risk. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 0.15.3 | 9 / 19 | |
| 0.15.1 | 9 / 19 | |
| 0.15.0 | 9 / 19 | |
| 0.14.17 | 9 / 13 | |
| 0.14.16 | 9 / 13 | |
| 0.14.15 | 9 / 13 | |
| 0.14.14 | 9 / 13 | |
| 0.14.13 | 9 / 13 | |
| 0.14.12 | 9 / 13 | |
| 0.14.11 | 10 / 10 | |
| 0.14.10 | 10 / 10 | |
| 0.14.9 | 10 / 10 | |
| 0.14.8 | 10 / 10 | |
| 0.14.7 | 10 / 10 | |
| 0.14.6 | 12 / 10 | |
| 0.14.5 | 12 / 10 | |
| 0.14.4 | 12 / 10 | |
| 0.14.3 | 12 / 8 | |
v0.15.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.15.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.15.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.14.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.14.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.