expo
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:src/async-require/__tests__/asyncRequireModule.test.ts | AI (source-diff): Test file using new Function() to simulate Metro module evaluation; not production code, not malware. | ai | |
| semgrep | semgrep:new-function-constructor | AI (semgrep): Same test file pattern — controlled Metro simulation in unit tests, stable false positive for this package. | ai | |
| provenance | publisher-changed | AI (provenance): alanhughes is an established Expo org publisher with 5888 approved packages; routine maintainer rotation. | ai | |
| source-diff | net-exec-file:src/async-require/fetchThenEvalJs.ts | AI (source-diff): Documented Metro split-bundle loader; eval(body) fetches from local dev server, not arbitrary remote URLs. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in fetchThenEvalJs is intentional Metro async-require pattern; stable across expo versions. | ai | |
| phantom-deps | phantom-dep:@expo/vector-icons | AI (phantom-deps): Expo monorepo pattern; stable false positive. | ai | |
| phantom-deps | phantom-dep:@expo/cli | AI (phantom-deps): Expo monorepo pattern; CLI is referenced via config/bin, not direct import. | ai | |
| phantom-deps | phantom-dep:react-native-edge-to-edge | AI (phantom-deps): Platform-specific binary package; not directly imported by design. | ai | |
| phantom-deps | phantom-dep:expo-font | AI (phantom-deps): Framework-level dep loaded by convention, not direct import. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped transitive dep; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:expo-file-system | AI (phantom-deps): Expo monorepo pattern; loaded by convention. | ai | |
| phantom-deps | phantom-dep:babel-preset-expo | AI (phantom-deps): Build tooling dep referenced in config, not imported directly. | ai |
Versions (showing 43 of 43)
| Version | Deps | Published |
|---|---|---|
| 56.0.12 | 23 / 11 | |
| 56.0.11 | 23 / 11 | |
| 56.0.10 | 23 / 11 | |
| 56.0.9 | 23 / 11 | |
| 56.0.8 | 23 / 11 | |
| 56.0.7 | 23 / 11 | |
| 56.0.6 | 23 / 11 | |
| 56.0.5 | 23 / 11 | |
| 56.0.4 | 23 / 11 | |
| 56.0.3 | 23 / 11 | |
| 56.0.2 | 23 / 11 | |
| 56.0.1 | 23 / 11 | |
| 56.0.0 | 23 / 11 | |
| 55.0.26 | 23 / 10 | |
| 55.0.25 | 23 / 10 | |
| 55.0.24 | 23 / 10 | |
| 55.0.23 | 23 / 10 | |
| 55.0.22 | 23 / 10 | |
| 55.0.21 | 23 / 10 | |
| 55.0.20 | 23 / 10 | |
| 55.0.19 | 23 / 10 | |
| 55.0.18 | 23 / 10 | |
| 55.0.17 | 23 / 10 | |
| 55.0.10 | 23 / 10 | |
| 55.0.9 | 23 / 10 | |
| 55.0.0 | 23 / 10 | |
| 54.0.35 | 21 / 8 | |
| 54.0.34 | 21 / 8 | |
| 54.0.33 | 21 / 8 | |
| 54.0.32 | 21 / 8 | |
| 54.0.31 | 21 / 8 | |
| 54.0.30 | 21 / 8 | |
| 54.0.29 | 21 / 8 | |
| 54.0.28 | 21 / 8 | |
| 54.0.27 | 21 / 8 | |
| 54.0.26 | 21 / 8 | |
| 54.0.25 | 21 / 8 | |
| 54.0.24 | 21 / 8 | |
| 54.0.23 | 21 / 8 | |
| 53.0.25 | 17 / 9 | |
| 53.0.24 | 17 / 9 | |
| 53.0.9 | 17 / 9 | |
| 52.0.48 | 18 / 6 |
v56.0.12
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.11
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.10
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (alanhughes) than the most recent previously approved version (brentvatne) on 2026-06-10, but alanhughes is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v56.0.9
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (brentvatne) than the most recent previously approved version (alanhughes) on 2026-06-05, but brentvatne is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v56.0.8
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.7
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.6
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (kudochien) than the most recent previously approved version (alanhughes) on 2026-05-28, but kudochien is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v56.0.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.4
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (alanhughes) than the most recent previously approved version (brentvatne) on 2026-05-23, but alanhughes is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v56.0.3
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
v56.0.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.26
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.25
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.24
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.23
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.22
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.21
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.20
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.19
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v54.0.35
2 findingsPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (alanhughes) than the most recent previously approved version (kudochien) on 2026-05-28, but alanhughes is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.