
@fluentui-react-native/tester

A test app to test FluentUI React Native Components during development

Versions: 16
License: MIT
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

jasonvmorseacoatesuifrnbothansenyy

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source Rule Reason Accepted by When
publish-pattern new-deps-added AI (publish-pattern): @types/node is a Microsoft-published type package; benign addition for this tester app context. ai
dependencies unvetted-dep:@fluentui-react-native/e2e-testing AI (dependencies): First-party FluentUI RN e2e testing package from same Microsoft org. ai
dependencies unvetted-dep:@warren-ms/react-native-icons AI (dependencies): Microsoft internal icons package used consistently across FluentUI RN tester versions. ai
dependencies unvetted-dep:@office-iss/react-native-win32 AI (dependencies): Microsoft-owned Win32 React Native package; stable dep for this package. ai
dependencies unvetted-dep:@fortawesome/react-native-fontawesome AI (dependencies): Official Font Awesome React Native package; stable dep for this package. ai
dependencies unvetted-dep:@react-native-community/slider AI (dependencies): Official React Native community slider; stable dep for this package. ai
dependencies unvetted-dep:@react-native-picker/picker AI (dependencies): Official React Native community picker; stable dep for this package. ai
dependencies unvetted-dep:@react-native-menu/menu AI (dependencies): Well-known React Native community package; stable dep for this Microsoft tester app. ai
semgrep semgrep:shady-links-raw-ip AI (semgrep): Raw IP in SVG test component is a local network test fixture, not malicious exfiltration; stable pattern for this test app. ai
phantom-deps phantom-dep:@fortawesome/fontawesome-svg-core AI (phantom-deps): This is a declared direct dependency and peer companion to @fortawesome/react-native-fontawesome; phantom detection is a false positive for this package. ai
provenance no-provenance AI (provenance): Microsoft FluentUI RN bot-published package; no provenance is consistent across all 916 versions and is acceptable for this established package. ai
dependencies unvetted-dep:react-native-macos AI (dependencies): react-native-macos is the official Microsoft React Native macOS platform package; expected for this cross-platform test app. ai
bogus-package bogus-package AI (bogus-package): This is a legitimate Microsoft test app package in a large monorepo; short README and no keywords are cosmetic, not security signals. ai
phantom-deps phantom-dep:@types/react AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is a false positive for this package type. ai
phantom-deps phantom-dep:@types/node AI (phantom-deps): Framework-scoped type package loaded by convention; phantom-dep is a false positive for this package type. ai
phantom-deps phantom-dep:react AI (phantom-deps): React is a peer/framework dependency referenced in config files; phantom-dep is a false positive for React Native app packages. ai
phantom-deps phantom-dep:react-native-windows AI (phantom-deps): Platform-specific binary package; phantom-dep finding is expected for this type of dependency in a React Native app. ai
phantom-deps phantom-dep:react-native-macos AI (phantom-deps): Platform-specific binary package; phantom-dep finding is expected for this type of dependency in a React Native app. ai
phantom-deps phantom-dep:react-native-svg AI (phantom-deps): Platform-specific binary package; phantom-dep finding is expected for this type of dependency in a React Native app. ai
dependencies unvetted-dep:react-native-windows AI (dependencies): react-native-windows is the official Microsoft React Native Windows platform package; expected for this cross-platform test app. ai
dependencies unvetted-dep:react-native-svg AI (dependencies): react-native-svg is a well-known, legitimate React Native SVG library; expected dependency for a cross-platform RN test app. ai

Versions (showing 16 of 16)

Version Deps Published
0.170.51 7 / 49
0.170.50 60 / 27
0.170.49 60 / 27
0.170.48 60 / 27
0.170.47 60 / 27
0.170.46 60 / 27
0.170.45 60 / 27
0.170.44 60 / 27
0.170.39 60 / 27
0.170.36 60 / 21
0.170.35 60 / 21
0.170.34 60 / 21
0.170.32 60 / 21
0.170.31 60 / 21
0.170.28 60 / 20
0.170.27 58 / 20

v0.170.51

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.170.50

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.170.49

1 finding
LOW | No provenance attestation | provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.170.47

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.170.46

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.170.45

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.170.44

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.170.39

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.170.34

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.170.27

1 finding
INFO | No provenance attestation | provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.