← Home

eslint-plugin-react-hooks

npm Repository Homepage

ESLint rules for React Hooks

100
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

react-bot

Keywords

eslinteslint-plugineslintpluginreact

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
publish-pattern new-deps-added AI (publish-pattern): New deps (babel/core, hermes-parser, zod, etc.) are all established packages supporting the React Compiler integration added in v6.0.0. ai
source-diff source-size-tripled AI (source-diff): Major version (6.0.0) bundles React Compiler integration, explaining the 34.6x size increase. Legitimate feature addition, not payload injection. ai
source-diff net-exec-file:cjs/eslint-plugin-react-hooks.production.js AI (source-diff): Bundled CJS production build; 'crypto' is Node built-in, no actual network calls present. Pattern is a false positive on minified ESLint plugin bundle from official Meta/React repo. ai
npm-metadata suspicious-initial-version AI (npm-metadata): eslint-plugin-react-hooks is the official React ESLint plugin from Facebook/Meta. Version 0.0.0 is a known placeholder/canary pattern for this package, not a malicious indicator. ai
phantom-deps phantom-dep:zod AI (phantom-deps): Used in the bundled CJS production file; static analyzer cannot trace imports through the bundle. Legitimate runtime dependency. ai
maintainer-change maintainer-takeover AI (maintainer-change): react-bot is Meta's official publishing bot for React packages; the transition from individual maintainers to react-bot is a documented organizational practice, not a hijack. ai
source-diff obfuscated-file:cjs/eslint-plugin-react-hooks.production.js AI (source-diff): File is a standard minified production CJS build artifact with MIT license header and readable logic; long lines are from minification, not obfuscation. Normal for React's build pipeline. ai
phantom-deps phantom-dep:@babel/core AI (phantom-deps): Used in the bundled CJS production file for compiler integration. Legitimate runtime dependency. ai
phantom-deps phantom-dep:@babel/parser AI (phantom-deps): Used in the bundled CJS production file for compiler integration. Legitimate runtime dependency. ai
phantom-deps phantom-dep:hermes-parser AI (phantom-deps): Used in the bundled CJS production file for Hermes JS parsing. Legitimate runtime dependency. ai
phantom-deps phantom-dep:zod-validation-error AI (phantom-deps): Used in the bundled CJS production file alongside zod for config validation. Legitimate runtime dependency. ai
phantom-deps phantom-dep:@babel/plugin-proposal-private-methods AI (phantom-deps): Used in the bundled CJS production file for Babel transformation. Legitimate runtime dependency. ai
dependencies unvetted-dep:zod-validation-error AI (dependencies): zod-validation-error is a standard companion utility to zod; its inclusion alongside zod in this official React package is benign. ai
dependencies unvetted-dep:zod AI (dependencies): zod is a well-known, widely-adopted schema validation library; its use in eslint-plugin-react-hooks for React Compiler integration is legitimate and low-risk. ai
provenance publisher-changed AI (provenance): eps1lon is a known React core team member; publisher transition from gnoff to eps1lon is a legitimate React team change, not a compromise. ai
maintainer-change maintainer-added AI (maintainer-change): eps1lon and react-bot are legitimate React team accounts; addition reflects normal React team roster management. ai
maintainer-change maintainer-removed AI (maintainer-change): Removal of trueadm and lunaruan reflects normal React team roster changes; no evidence of malicious takeover. ai
provenance no-provenance AI (provenance): react-bot publishes official React packages without Sigstore provenance; this is consistent across their releases and not a risk signal. ai
dependencies unvetted-dep:hermes-parser AI (dependencies): hermes-parser is Meta's own JS parser, appropriate for a Meta-published React ESLint plugin. Not a risk signal for this package. ai

Versions (showing 100 of 272)

Hide prereleases
Version Deps Published
7.1.0-canary-87ae75b3-20260128 5 / 18
7.1.0-canary-80cb7a99-20251211 5 / 18
7.1.0-canary-80b1cab3-20260331 5 / 18
7.1.0-canary-7dc903cd-20251203 5 / 18
7.1.0-canary-77319e2a-20260416 5 / 18
7.1.0-canary-74568e86-20260328 5 / 18
7.1.0-canary-705268dc-20260409 5 / 18
7.1.0-canary-6a0ab4d2-20260121 5 / 18
7.1.0-canary-67f7d47a-20251103 5 / 18
7.1.0-canary-66ae640b-20251204 5 / 18
7.1.0-canary-65eec428-20251218 5 / 18
7.1.0-canary-65db1000-20260206 5 / 18
7.1.0-canary-6066c782-20260212 5 / 18
7.1.0-canary-5e9eedb5-20260312 5 / 18
7.1.0-canary-5aec1b2a-20260110 5 / 18
7.1.0-canary-5a2205ba-20251105 5 / 18
7.1.0-canary-56824423-20260414 5 / 18
7.1.0-canary-561ee24d-20251101 5 / 18
7.1.0-canary-55480b4d-20251208 5 / 18
7.1.0-canary-52684925-20251110 5 / 18
7.1.0-canary-4f931700-20251029 5 / 18
7.1.0-canary-4cc5b7a9-20260303 5 / 18
7.1.0-canary-4a3d993e-20260114 5 / 18
7.1.0-canary-4842fbea-20260217 5 / 18
7.1.0-canary-47d1ad14-20260216 5 / 18
7.1.0-canary-46103596-20260305 5 / 18
7.1.0-canary-41b3e9a6-20260119 5 / 18
7.1.0-canary-40b4a5bf-20251120 5 / 18
7.1.0-canary-408b38ef-20251023 5 / 18
7.1.0-canary-404b38c7-20260408 5 / 18
7.1.0-canary-3f0b9e61-20260317 5 / 18
7.1.0-canary-3e319a94-20260126 5 / 18
7.1.0-canary-3e1abcc8-20260113 5 / 18
7.1.0-canary-3e00319b-20260203 5 / 18
7.1.0-canary-3cb2c420-20260324 5 / 18
7.1.0-canary-3bc2d414-20260304 5 / 18
7.1.0-canary-3a2bee26-20260218 5 / 18
7.1.0-canary-3a0ab8a7-20251029 5 / 18
7.1.0-canary-37bcdcde-20251211 5 / 18
7.1.0-canary-378973b3-20251205 5 / 18
7.1.0-canary-2dd9b7cf-20260208 5 / 18
7.1.0-canary-2ba30655-20260219 5 / 18
7.1.0-canary-272441a9-20260209 5 / 18
7.1.0-canary-257b033f-20251113 5 / 18
7.1.0-canary-24d8716e-20260123 5 / 18
7.1.0-canary-230772f9-20260128 5 / 18
7.1.0-canary-1ea46df8-20251111 5 / 18
7.1.0-canary-1b45e243-20260402 5 / 18
7.1.0-canary-10680271-20260126 5 / 18
7.1.0-canary-100fc4a8-20251110 5 / 18
7.1.0-canary-09f05694-20251201 5 / 18
7.1.0-canary-0972e239-20251118 5 / 18
7.1.0-canary-093b3246-20251113 5 / 18
7.1.0-canary-044d56f3-20260330 5 / 18
7.1.0-canary-03ca38e6-20260213 5 / 18
7.1.0-canary-00f063c3-20260415 5 / 18
7.0.0-canary-f6a48828-20251019 5 / 18
7.0.0-canary-ead92181-20251010 5 / 18
7.0.0-canary-d7215b49-20251013 5 / 18
7.0.0-canary-93f85932-20251016 5 / 18
7.0.0-canary-71b3a03c-20251021 5 / 18
7.0.0-canary-6160773f-20251023 5 / 18
7.0.0-canary-5f2b5718-20251014 5 / 18
7.0.0-canary-58bdc0bb-20251019 5 / 18
7.0.0-canary-56e84692-20251014 5 / 18
7.0.0-canary-4b3e662e-20251008 5 / 18
7.0.0-canary-2bcbf254-20251020 5 / 18
7.0.0-canary-1873ad79-20251015 5 / 18
7.0.0-canary-1324e1bb-20251016 5 / 18
7.0.0-canary-06fcc8f3-20251009 5 / 18
0.0.0-experimental-fef12a01-20260413 5 / 18
0.0.0-experimental-fd524fe0-20251121 5 / 18
0.0.0-experimental-fb2177c1-20251114 5 / 18
0.0.0-experimental-fa50caf5-20251107 5 / 18
0.0.0-experimental-f93b9fd4-20251217 5 / 18
0.0.0-experimental-f646e8ff-20251104 5 / 18
0.0.0-experimental-ed4bd540-20260202 5 / 18
0.0.0-experimental-ec9cc003-20251208 5 / 18
0.0.0-experimental-eb89912e-20251118 5 / 18
0.0.0-experimental-e8c63626-20260213 5 / 18
0.0.0-experimental-e33071c6-20260224 5 / 18
0.0.0-experimental-e0cc7202-20260227 5 / 18
0.0.0-experimental-dd048c3b-20251105 5 / 18
0.0.0-experimental-da9325b5-20260417 5 / 18
0.0.0-experimental-da641178-20260129 5 / 18
0.0.0-experimental-d763f313-20251210 5 / 18
0.0.0-experimental-d6cae440-20260106 5 / 18
0.0.0-experimental-d2908752-20260119 5 / 18
0.0.0-experimental-d1727fbf-20260417 5 / 18
0.0.0-experimental-c9ddee7e-20251031 5 / 18
0.0.0-experimental-c80a0750-20260312 5 / 18
0.0.0-experimental-c137dd6f-20260204 5 / 18
0.0.0-experimental-c0d218f0-20260324 5 / 18
0.0.0-experimental-c0060cf2-20260224 5 / 18
0.0.0-experimental-bef88f7c-20260116 5 / 18
0.0.0-experimental-bcf97c75-20251215 5 / 18
0.0.0-experimental-bb8a76c6-20260115 5 / 18
0.0.0-experimental-bb533877-20260205 5 / 18
0.0.0-experimental-b546603b-20260121 5 / 18
0.0.0-experimental-b45bb335-20251211 5 / 18
Showing 100 of 272 Next page →

v7.1.0-canary-80cb7a99-20251211

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.1.0-canary-24d8716e-20260123

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.0.0-canary-ead92181-20251010

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.0.0-experimental-d2908752-20260119

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.0-experimental-bb8a76c6-20260115

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.