@shopify/react-native-skia
2
Versions
—
License
Yes
Install Scripts
Verified
Provenance
Supply chain provenance
Status for the latest visible version.
SLSA provenance attestation
npm registry signatures
No source commit
Maintainers
jaimie.wayshopify-adminshopify-depmishsmellebuitammychris.craig
Keywords
react-native
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Standard prebuilt-binary install script for a Shopify React Native native module; stable pattern across versions. | ai | |
| phantom-deps | phantom-dep:react-native-skia-android | AI (phantom-deps): Platform-specific binary package; not directly imported by JS code by design. | ai | |
| phantom-deps | phantom-dep:react-native-skia-apple-ios | AI (phantom-deps): Platform-specific binary package; not directly imported by JS code by design. | ai | |
| phantom-deps | phantom-dep:react-native-skia-apple-tvos | AI (phantom-deps): Platform-specific binary package; not directly imported by JS code by design. | ai | |
| phantom-deps | phantom-dep:react-native-skia-apple-macos | AI (phantom-deps): Platform-specific binary package; not directly imported by JS code by design. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Reads project app.json to detect Expo config; path is user-controlled project file, not arbitrary module loading. | ai |
v2.6.0
2 findings
HIGH
Package has 'postinstall' script
install-scripts
Script: node scripts/install-libs.js
INFO
Has SLSA provenance attestation
provenance
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.