
@hot-updater/expo

11 Versions
License
No Install Scripts
Verified Provenance

Supply chain provenance

Status for the latest visible version:

- SLSA provenance attestation
- npm registry signatures
- No source commit

The attestation shows the tarball was produced by a CI build and the registry signature shows it has not been altered since publication, but with no source commit recorded neither one ties the tarball to a specific revision of the repository.
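The three status chips above, and the per-version "No provenance attestation" finding listed further down, can be derived from two registry objects: the `dist` entry of a version (what `npm view <pkg>@<version> dist --json` returns) and the in-toto/SLSA statement that its `attestations.url` points at. The following is an added example, not code from this page or from the hot-updater project; every object in it is a constructed sample in the registry's documented shape, and the tarball URL, hashes, key id, repository and workflow path are placeholders rather than real hot-updater publishing data.

```javascript
// Added example, not code from the page or from the hot-updater project:
// derive the page's "Supply chain provenance" chips and its per-version
// "No provenance attestation" finding from an npm registry `dist` object and
// the SLSA statement behind it. All objects below are constructed samples in
// the registry's documented shape; URLs, hashes and the key id are placeholders.

const SLSA_V1 = "https://slsa.dev/provenance/v1";
const SLSA_V02 = "https://slsa.dev/provenance/v0.2";

// Shape of `npm view <pkg>@<version> dist --json` for a version published
// with `npm publish --provenance` from CI. `attestations` points at the
// registry's attestation bundle; `signatures` is the registry's own signature
// over the package, added at publish time independently of provenance.
const distWithProvenance = {
  tarball: "https://registry.npmjs.org/@hot-updater/expo/-/expo-0.19.3.tgz",
  integrity: "sha512-PLACEHOLDER",
  attestations: {
    url: "https://registry.npmjs.org/-/npm/v1/attestations/@hot-updater%2Fexpo@0.19.3",
    provenance: { predicateType: SLSA_V1 },
  },
  signatures: [{ keyid: "SHA256:placeholder-registry-key-id", sig: "MEUC..." }],
};

// Same version published from a developer machine with a long-lived token:
// registry-signed, but nothing ties the tarball to a build.
const distWithoutProvenance = {
  tarball: distWithProvenance.tarball,
  integrity: distWithProvenance.integrity,
  signatures: distWithProvenance.signatures,
};

// Constructed in-toto statement of the kind served at the attestations URL.
// A GitHub Actions build records the checked-out revision under
// buildDefinition.resolvedDependencies[].digest.gitCommit (SLSA v1) or
// materials[].digest.sha1 (SLSA v0.2); it is left out here to reproduce the
// page's "No source commit" state.
const statementNoCommit = {
  _type: "https://in-toto.io/Statement/v1",
  subject: [{ name: "pkg:npm/%40hot-updater/expo@0.19.3", digest: { sha512: "placeholder" } }],
  predicateType: SLSA_V1,
  predicate: {
    buildDefinition: {
      buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
      externalParameters: {
        workflow: { ref: "refs/heads/main", repository: "https://github.com/example/repo", path: ".github/workflows/release.yml" },
      },
      resolvedDependencies: [],
    },
    runDetails: { builder: { id: "https://github.com/actions/runner/github-hosted" } },
  },
};

function hasProvenance(dist) {
  const p = dist.attestations && dist.attestations.provenance;
  return Boolean(p && (p.predicateType === SLSA_V1 || p.predicateType === SLSA_V02));
}

function hasRegistrySignatures(dist) {
  return Array.isArray(dist.signatures) && dist.signatures.length > 0;
}

// Source commit from either predicate layout, or null when the build did not record one.
function sourceCommit(statement) {
  const pred = statement && statement.predicate;
  if (!pred) return null;
  const inputs = (pred.buildDefinition && pred.buildDefinition.resolvedDependencies) || pred.materials || [];
  for (const input of inputs) {
    const sha = input.digest && (input.digest.gitCommit || input.digest.sha1);
    if (sha) return sha;
  }
  return null;
}

// Chips in the order the page lists them.
function provenanceChips(dist, statement) {
  const chips = [hasProvenance(dist) ? "SLSA provenance attestation" : "No provenance attestation"];
  if (hasRegistrySignatures(dist)) chips.push("npm registry signatures");
  const commit = hasProvenance(dist) ? sourceCommit(statement) : null;
  chips.push(commit ? `Source commit ${commit}` : "No source commit");
  return chips;
}

// The per-version finding: registry signatures alone do not earn a pass.
function versionFinding(dist) {
  if (hasProvenance(dist)) return null;
  return { severity: "LOW", rule: "provenance", title: "No provenance attestation" };
}

console.log(provenanceChips(distWithProvenance, statementNoCommit));
console.log(versionFinding(distWithoutProvenance));
```

The `dist.attestations` field is only a pointer; the cryptographic check is `npm audit signatures`, which verifies both the registry signatures and the Sigstore bundle for every installed package. A maintainer enables provenance by publishing from a CI job with an OIDC token (on GitHub Actions, `permissions: id-token: write`) and running `npm publish --provenance`; a token-based publish from a workstation cannot produce one.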

Maintainers

gronxb

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | publisher-changed | AI (provenance): Transition from personal account to GitHub Actions CI is expected for this repo; SLSA attestation confirms legitimate CI publishing. | ai |
publish-pattern | new-deps-added | AI (publish-pattern): @babel/core is a well-known, widely-used package pinned to a specific version; low risk for this package. | ai |
dependencies | unvetted-dep:@hot-updater/bare | AI (dependencies): Same-monorepo sibling dep, coordinated versioning; not an independent risk. | ai |
dependencies | unvetted-dep:@hot-updater/cli-tools | AI (dependencies): Same-monorepo sibling dep, coordinated versioning; not an independent risk. | ai |
dependencies | unvetted-dep:@hot-updater/plugin-core | AI (dependencies): Same-monorepo sibling dep, coordinated versioning; not an independent risk. | ai |
phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Explicitly declared as a runtime dep and used for the babel-plugin export; stable false positive for this package. | ai |

Versions (showing 11 of 113)

Version   Deps    Published
0.19.3    2 / 3
0.19.2    2 / 3
0.19.1    2 / 3
0.19.0    2 / 3
0.18.5    2 / 3
0.18.4    2 / 3
0.18.3    2 / 3
0.18.2    2 / 3
0.18.1    2 / 3
0.18.0    2 / 3
0.17.0    2 / 3

v0.19.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.19.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.19.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.19.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.18.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.18.4

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.18.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.18.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.18.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.18.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.17.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.