@metamask/react-native-playground
A React Native test dapp for multichain api
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:expo | AI (phantom-deps): Expo playground app; deps consumed by Expo runtime, not directly imported in source. | ai | |
| phantom-deps | phantom-dep:react | AI (phantom-deps): Standard React Native peer dep pattern in Expo monorepo playground. | ai | |
| phantom-deps | phantom-dep:react-native | AI (phantom-deps): Platform-specific dep; expected phantom in Expo playground. | ai | |
| phantom-deps | phantom-dep:wagmi | AI (phantom-deps): Web3 framework dep used at runtime in playground app. | ai | |
| phantom-deps | phantom-dep:viem | AI (phantom-deps): Web3 library dep used at runtime in playground app. | ai | |
| phantom-deps | phantom-dep:expo-router | AI (phantom-deps): Expo router is the entry point (main: expo-router/entry); phantom is expected. | ai | |
| phantom-deps | phantom-dep:expo-haptics | AI (phantom-deps): Expo module consumed by runtime, not directly imported. | ai | |
| phantom-deps | phantom-dep:expo-system-ui | AI (phantom-deps): Expo module consumed by runtime, not directly imported. | ai | |
| phantom-deps | phantom-dep:expo-web-browser | AI (phantom-deps): Expo module consumed by runtime, not directly imported. | ai | |
| provenance | no-provenance | AI (provenance): MetaMask org package; lack of provenance is common and not a disqualifier here. | ai | |
Versions (showing 4 of 4)
| Version | Deps | Published |
|---|---|---|
| 0.1.3 | 45 / 12 | |
| 0.1.2 | 45 / 12 | |
| 0.1.1 | 45 / 10 | |
| 0.1.0 | 45 / 10 | |
v0.1.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.1.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.