@react-native-windows/automation-channel
@react-native-windows/automation-channel adds support for remote procedure calls from a node client to react-native-windows server on the same machine.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Large Microsoft monorepo publish; missing gitHead is a CI environment artifact, not a security signal for this package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Microsoft org maintains multiple stable branches; per-branch dormancy is expected, not a takeover signal. | ai | |
| dependencies | unvetted-dep:jsonrpc-lite | AI (dependencies): jsonrpc-lite is a standard JSON-RPC library; appropriate for an automation-channel package from Microsoft. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): ESLint config tool; referenced in lint config files only, not runtime imports. Stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): ESLint config tool; referenced in lint config files only, not runtime imports. Stable false positive for this package. | ai |
Versions (showing 51 of 97)
| Version | Deps | Published |
|---|---|---|
| 0.83.0 | 4 / 13 | |
| 0.82.8 | 3 / 13 | |
| 0.82.5 | 3 / 13 | |
| 0.82.3 | 3 / 13 | |
| 0.82.1 | 3 / 13 | |
| 0.82.0 | 3 / 13 | |
| 0.81.26 | 3 / 13 | |
| 0.81.25 | 3 / 13 | |
| 0.81.24 | 3 / 13 | |
| 0.81.22 | 3 / 13 | |
| 0.81.21 | 3 / 13 | |
| 0.81.20 | 3 / 13 | |
| 0.81.19 | 3 / 13 | |
| 0.81.18 | 3 / 13 | |
| 0.81.15 | 3 / 13 | |
| 0.81.13 | 3 / 13 | |
| 0.81.12 | 3 / 13 | |
| 0.81.11 | 3 / 13 | |
| 0.81.10 | 3 / 13 | |
| 0.81.9 | 3 / 13 | |
| 0.81.7 | 3 / 13 | |
| 0.81.6 | 3 / 13 | |
| 0.81.5 | 3 / 13 | |
| 0.81.4 | 3 / 13 | |
| 0.81.3 | 3 / 13 | |
| 0.81.2 | 3 / 13 | |
| 0.81.1 | 3 / 13 | |
| 0.81.0 | 3 / 13 | |
| 0.80.6 | 3 / 13 | |
| 0.80.5 | 3 / 13 | |
| 0.12.354 | 3 / 13 | |
| 0.12.353 | 3 / 13 | |
| 0.12.352 | 3 / 13 | |
| 0.12.351 | 3 / 13 | |
| 0.12.350 | 3 / 13 | |
| 0.12.349 | 3 / 13 | |
| 0.12.348 | 3 / 13 | |
| 0.12.347 | 3 / 13 | |
| 0.12.346 | 3 / 13 | |
| 0.12.345 | 3 / 13 | |
| 0.12.344 | 3 / 13 | |
| 0.12.343 | 3 / 13 | |
| 0.12.342 | 3 / 13 | |
| 0.12.341 | 3 / 13 | |
| 0.12.340 | 3 / 13 | |
| 0.12.339 | 3 / 13 | |
| 0.12.338 | 3 / 13 | |
| 0.12.337 | 3 / 13 | |
| 0.12.336 | 3 / 13 | |
| 0.12.335 | 3 / 13 | |
| 0.12.334 | 3 / 13 |
v0.83.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.82.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.82.5
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.82.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.82.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.82.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.26
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.18
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.15
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.13
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.12
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.11
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.10
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.9
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.7
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.4
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.3
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.80.6
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.80.5
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.354
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.353
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.352
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.351
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.350
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.349
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.348
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.347
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.346
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.345
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.344
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.343
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.12.342
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.341
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.340
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.339
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.338
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.337
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.336
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.335
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.334
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.