@marsidev/react-turnstile

Cloudflare Turnstile integration for React.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

marsidev

Keywords

cloudflarecloudflare-turnstilereacttanstack-intentturnstile

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Legitimate migration to GitHub Actions CI/CD publishing, confirmed by SLSA provenance attestation.	ai	2026/06/10
provenance	missing-githead	AI (provenance): Expected when switching to provenance-based CI/CD publishing via GitHub Actions.	ai	2026/06/10

Versions (showing 10 of 10)

Version	Deps	Published
1.5.3	0 / 9	2026-06-09
1.5.2	0 / 10	2026-05-05
1.5.1	0 / 10	2026-04-26
1.5.0	0 / 10	2026-03-28
1.4.2	0 / 8	2026-02-04
1.4.1	0 / 8	2025-12-28
1.4.0	0 / 8	2025-12-08
1.3.1	0 / 8	2025-09-15
1.3.0	0 / 7	2025-08-05
1.2.0	0 / 7	2025-08-01

v1.5.3

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: marsidev → GitHub Actions (on 2026-06-09) provenance

This version was published by a different npm account than previous versions on 2026-06-09. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.