← Home

expo-camera

npm Repository Homepage

A React component that renders a preview for the device's either front or back camera. Camera's parameters like zoom, auto focus, white balance and flash mode are adjustable. With expo-camera, one can also take photos and record videos that are saved to t

100
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

idebrentvatneexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurmanccheeverjesseruderterriblebensjchmielaesamelson

Keywords

react-nativeexpocamera

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
npm-metadata bundled-binaries AI (npm-metadata): Prebuilt ZXingObjC xcframework binaries for iOS barcode scanning; expected for this native camera package. ai
provenance missing-githead AI (provenance): expo-camera canary builds are published from a different pipeline than stable releases; missing gitHead is expected for this package's canary workflow. ai
provenance no-provenance AI (provenance): Canary pre-release builds from the Expo monorepo do not go through the same provenance-attesting CI as stable releases; acceptable given publisher track record. ai
publish-pattern suspicious-version-number AI (publish-pattern): Expo canary releases consistently use date-stamped version strings (e.g., 55.0.x-canary-YYYYMMDD-hash); this pattern is standard for the expo ecosystem and not indicative of malice. ai
phantom-deps phantom-dep:expo-permissions-interface AI (phantom-deps): Interface package is part of Expo's modular architecture; declared and used indirectly through config. ai
phantom-deps phantom-dep:expo-camera-interface AI (phantom-deps): Interface package is part of Expo's modular architecture; declared and used indirectly through config. ai
phantom-deps phantom-dep:expo-file-system-interface AI (phantom-deps): Interface package is part of Expo's modular architecture; declared and used indirectly through config. ai
phantom-deps phantom-dep:expo-face-detector-interface AI (phantom-deps): Interface package is part of Expo's modular architecture; declared and used indirectly through config. ai
maintainer-change maintainer-added AI (maintainer-change): New maintainer philpl is associated with the Expo organization; this is a legitimate team addition for a major Expo SDK package. ai
maintainer-change maintainer-removed AI (maintainer-change): Maintainer roster changes are routine for a large org like 650 Industries/Expo; no evidence of hostile takeover. ai
provenance publisher-changed AI (provenance): brentvatne is a well-known Expo core team member publishing from the official expo/expo monorepo; publisher changes within the Expo org are routine and expected. ai
dependencies unvetted-peer-dep:react-native AI (dependencies): react-native is the expected peer dependency for React Native libraries; stable for this package. ai
dependencies unvetted-peer-dep:expo AI (dependencies): expo is the expected peer dependency for expo-camera; part of the official Expo SDK ecosystem. ai
dependencies unvetted-dep:barcode-detector AI (dependencies): barcode-detector is a legitimate runtime dependency for camera barcode detection; stable for this package. ai

Versions (showing 100 of 197)

Hide prereleases
Version Deps Published
56.0.8 1 / 4
56.0.7 1 / 4
56.0.6 1 / 4
56.0.5 1 / 4
56.0.4 1 / 4
56.0.3 1 / 4
56.0.2 1 / 4
56.0.1 1 / 4
56.0.0 1 / 3
55.0.19 1 / 1
55.0.18 1 / 1
55.0.17 1 / 1
55.0.16 1 / 1
55.0.15 1 / 1
55.0.14 1 / 1
55.0.13 1 / 1
55.0.12 1 / 1
55.0.11 1 / 1
55.0.10 1 / 1
55.0.9 1 / 1
55.0.8 1 / 1
55.0.7 1 / 1
55.0.6 1 / 1
55.0.5 1 / 1
55.0.4 1 / 1
55.0.3 1 / 1
55.0.2 1 / 1
55.0.1 1 / 1
55.0.0 1 / 1
17.0.10 1 / 1
17.0.9 1 / 1
17.0.8 1 / 1
17.0.7 1 / 1
17.0.6 1 / 1
17.0.5 1 / 1
17.0.4 1 / 1
17.0.3 1 / 1
17.0.2 1 / 1
17.0.1 1 / 1
17.0.0 1 / 1
16.1.11 1 / 1
16.1.10 1 / 1
16.1.9 1 / 1
16.1.8 1 / 1
16.1.7 1 / 1
16.1.6 1 / 1
16.1.5 1 / 1
16.1.4 1 / 1
16.1.3 1 / 1
16.1.2 1 / 1
16.1.1 1 / 1
16.1.0 1 / 1
16.0.18 1 / 1
16.0.17 1 / 1
16.0.16 1 / 1
16.0.15 1 / 1
16.0.14 1 / 1
16.0.13 1 / 1
16.0.12 1 / 1
16.0.11 1 / 1
16.0.10 1 / 1
16.0.9 1 / 1
16.0.8 1 / 1
16.0.7 1 / 1
16.0.6 1 / 1
16.0.5 1 / 1
16.0.4 1 / 1
16.0.3 1 / 1
16.0.2 1 / 1
16.0.1 1 / 1
16.0.0 1 / 1
15.0.16 1 / 1
15.0.15 1 / 1
15.0.14 1 / 1
15.0.13 1 / 1
15.0.12 1 / 1
15.0.11 1 / 1
15.0.10 1 / 1
15.0.9 1 / 1
15.0.8 1 / 1
15.0.7 1 / 1
15.0.6 1 / 1
15.0.5 1 / 1
15.0.4 1 / 1
15.0.3 1 / 1
15.0.2 1 / 1
15.0.1 1 / 1
15.0.0 1 / 1
14.1.3 1 / 1
14.1.2 1 / 1
14.1.1 1 / 1
14.1.0 1 / 1
14.0.6 1 / 1
14.0.5 1 / 1
14.0.4 1 / 1
14.0.3 1 / 1
14.0.2 1 / 1
14.0.1 1 / 1
14.0.0 1 / 1
13.9.0 1 / 1
Showing 100 of 197 Next page →

v56.0.8

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: brentvatne → alanhughes (on 2026-06-10, known maintainer) provenance

This version was published by a different npm account (alanhughes) than the most recent previously approved version (brentvatne) on 2026-06-10, but alanhughes is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v56.0.7

2 findings
HIGH Bundled binary files (3) npm-metadata

Package contains compiled binaries that could be backdoors: • prebuilds/spm-deps/ZXingObjC/debug/ZXingObjC.xcframework/ios-arm64/ZXingObjC.framework/ZXingObjC • prebuilds/spm-deps/ZXingObjC/release/ZXingObjC.xcframework/ios-arm64/dSYMs/ZXingObjC.framework.dSYM/Contents/Resources/DWARF/ZXingObjC • prebuilds/spm-deps/ZXingObjC/release/ZXingObjC.xcframework/ios-arm64/ZXingObjC.framework/ZXingObjC

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v56.0.6

3 findings
HIGH Bundled binary files (3) npm-metadata

Package contains compiled binaries that could be backdoors: • prebuilds/spm-deps/ZXingObjC/debug/ZXingObjC.xcframework/ios-arm64/ZXingObjC.framework/ZXingObjC • prebuilds/spm-deps/ZXingObjC/release/ZXingObjC.xcframework/ios-arm64/dSYMs/ZXingObjC.framework.dSYM/Contents/Resources/DWARF/ZXingObjC • prebuilds/spm-deps/ZXingObjC/release/ZXingObjC.xcframework/ios-arm64/ZXingObjC.framework/ZXingObjC

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: brentvatne → alanhughes (on 2026-05-21) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

v56.0.5

2 findings
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: alanhughes → brentvatne (on 2026-05-14) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-14. This could indicate a legitimate maintainer transition or an account compromise.

v56.0.4

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v56.0.3

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v56.0.2

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v56.0.1

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v56.0.0

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v55.0.19

3 findings
HIGH Bundled binary files (3) npm-metadata

Package contains compiled binaries that could be backdoors: • prebuilds/spm-deps/ZXingObjC/debug/ZXingObjC.xcframework/ios-arm64/ZXingObjC.framework/ZXingObjC • prebuilds/spm-deps/ZXingObjC/release/ZXingObjC.xcframework/ios-arm64/dSYMs/ZXingObjC.framework.dSYM/Contents/Resources/DWARF/ZXingObjC • prebuilds/spm-deps/ZXingObjC/release/ZXingObjC.xcframework/ios-arm64/ZXingObjC.framework/ZXingObjC

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: brentvatne → alanhughes (on 2026-05-21) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.

v55.0.18

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v55.0.17

1 finding
INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v14.0.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.