expo-device
A universal module that gets physical information about the device running the application
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Canary builds from Expo embed the commit hash in the version string itself; missing gitHead in the package metadata is expected for this release pipeline and not a meaningful risk signal. | ai | |
| source-diff | source-size-tripled | AI (source-diff): expo-device is an official Expo SDK module that regularly expands device model databases and platform support; size increases are expected and benign for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): expo-modules-core is a first-party Expo package and its addition reflects a standard SDK architectural migration; not a malicious dependency injection. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Expo uses date-stamped canary version strings (e.g., X.Y.Z-canary-YYYYMMDD-hash) as part of their standard release process; this pattern is not indicative of malicious activity for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of szymon20000 is consistent with the same internal Expo team reorganization; no malicious signal. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from tsapeta to brentvatne reflects an internal Expo team transition; brentvatne is a well-known Expo core maintainer with a strong track record. Stable for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are all recognized Expo team members added as part of a routine org-level maintainer list update. Not indicative of a takeover. | ai | |
| dependencies | unvetted-dep:ua-parser-js | AI (dependencies): ua-parser-js ^0.7.33 is a legitimate dependency for web UA parsing; constraint is well past the 2021 supply-chain incident (0.7.29). Standard usage in Expo SDK. | ai | |
| provenance | no-provenance | AI (provenance): Expo monorepo packages historically lack Sigstore provenance; repo URL and authorship are consistent with the official Expo SDK. | ai |
Versions (showing 81 of 81)
| Version | Deps | Published |
|---|---|---|
| 56.0.4 | 1 / 3 | |
| 56.0.3 | 1 / 3 | |
| 56.0.2 | 1 / 3 | |
| 56.0.1 | 1 / 2 | |
| 56.0.0 | 1 / 2 | |
| 55.0.17 | 1 / 2 | |
| 55.0.16 | 1 / 2 | |
| 55.0.15 | 1 / 2 | |
| 55.0.14 | 1 / 2 | |
| 55.0.13 | 1 / 2 | |
| 55.0.12 | 1 / 2 | |
| 55.0.11 | 1 / 2 | |
| 55.0.10 | 1 / 2 | |
| 55.0.9 | 1 / 2 | |
| 55.0.8 | 1 / 2 | |
| 55.0.7 | 1 / 2 | |
| 55.0.6 | 1 / 2 | |
| 55.0.5 | 1 / 2 | |
| 55.0.4 | 1 / 2 | |
| 55.0.3 | 1 / 2 | |
| 55.0.2 | 1 / 2 | |
| 55.0.1 | 1 / 2 | |
| 55.0.0 | 1 / 2 | |
| 8.0.10 | 1 / 2 | |
| 8.0.9 | 1 / 2 | |
| 8.0.8 | 1 / 2 | |
| 8.0.7 | 1 / 2 | |
| 8.0.6 | 1 / 2 | |
| 8.0.5 | 1 / 2 | |
| 8.0.4 | 1 / 2 | |
| 8.0.3 | 1 / 2 | |
| 8.0.2 | 1 / 2 | |
| 8.0.1 | 1 / 2 | |
| 8.0.0 | 1 / 2 | |
| 7.1.4 | 1 / 2 | |
| 7.1.3 | 1 / 2 | |
| 7.1.2 | 1 / 2 | |
| 7.1.1 | 1 / 1 | |
| 7.1.0 | 1 / 1 | |
| 7.0.3 | 1 / 1 | |
| 7.0.2 | 1 / 1 | |
| 7.0.1 | 1 / 1 | |
| 7.0.0 | 1 / 1 | |
| 6.0.2 | 1 / 1 | |
| 6.0.1 | 1 / 1 | |
| 6.0.0 | 1 / 1 | |
| 5.9.4 | 1 / 1 | |
| 5.9.3 | 1 / 1 | |
| 5.9.2 | 1 / 1 | |
| 5.9.1 | 1 / 1 | |
| 5.9.0 | 1 / 1 | |
| 5.8.0 | 1 / 1 | |
| 5.7.0 | 1 / 1 | |
| 5.6.0 | 1 / 1 | |
| 5.5.0 | 1 / 1 | |
| 5.4.0 | 1 / 1 | |
| 5.3.0 | 1 / 1 | |
| 5.2.1 | 1 / 1 | |
| 5.2.0 | 1 / 1 | |
| 5.1.0 | 1 / 1 | |
| 5.0.0 | 1 / 1 | |
| 4.3.0 | 1 / 1 | |
| 4.2.0 | 1 / 1 | |
| 4.1.1 | 1 / 1 | |
| 4.1.0 | 1 / 1 | |
| 4.0.3 | 2 / 1 | |
| 4.0.2 | 2 / 1 | |
| 4.0.1 | 2 / 1 | |
| 4.0.0 | 2 / 1 | |
| 3.3.0 | 1 / 1 | |
| 3.2.0 | 1 / 1 | |
| 3.1.1 | 1 / 1 | |
| 3.1.0 | 1 / 1 | |
| 3.0.0 | 1 / 1 | |
| 2.4.0 | 2 / 1 | |
| 2.3.0 | 2 / 1 | |
| 2.2.1 | 2 / 1 | |
| 2.2.0 | 2 / 1 | |
| 2.1.0 | 1 / 1 | |
| 2.0.0 | 1 / 1 | |
| 1.0.0 | 1 / 1 |
v56.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.16
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.12
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.11
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-04-02. This could indicate a legitimate maintainer transition or an account compromise.
v55.0.10
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-17. This could indicate a legitimate maintainer transition or an account compromise.
v55.0.9
2 findingsThis version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.7
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.
v55.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.0
2 findingsThis version was published by a different npm account than previous versions on 2026-01-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.10
2 findingsThis version was published by a different npm account than previous versions on 2025-12-05. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.9
2 findingsThis version was published by a different npm account than previous versions on 2025-10-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.8
2 findingsThis version was published by a different npm account than previous versions on 2025-09-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.3
2 findingsThis version was published by a different npm account than previous versions on 2025-08-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.3
2 findingsThis version was published by a different npm account than previous versions on 2025-04-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.2
2 findingsThis version was published by a different npm account than previous versions on 2024-05-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.1
2 findingsThis version was published by a different npm account than previous versions on 2024-04-23. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
2 findingsThis version was published by a different npm account than previous versions on 2024-04-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.3
2 findingsThis version was published by a different npm account than previous versions on 2024-01-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.2
2 findingsThis version was published by a different npm account than previous versions on 2024-01-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.1
2 findingsThis version was published by a different npm account than previous versions on 2023-12-19. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.0
2 findingsThis version was published by a different npm account than previous versions on 2023-11-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.0
2 findingsThis version was published by a different npm account than previous versions on 2023-10-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.0
2 findingsThis version was published by a different npm account than previous versions on 2023-09-15. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.0
2 findingsThis version was published by a different npm account than previous versions on 2023-09-04. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.0
2 findingsThis version was published by a different npm account than previous versions on 2023-08-02. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.0
2 findingsThis version was published by a different npm account than previous versions on 2023-06-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.1
2 findingsThis version was published by a different npm account than previous versions on 2023-02-09. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
2 findingsThis version was published by a different npm account than previous versions on 2023-02-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
2 findingsThis version was published by a different npm account than previous versions on 2022-07-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.1
2 findingsThis version was published by a different npm account than previous versions on 2022-02-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
2 findingsThis version was published by a different npm account than previous versions on 2021-12-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.3
2 findingsThis version was published by a different npm account than previous versions on 2021-10-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
2 findingsThis version was published by a different npm account than previous versions on 2021-10-15. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
2 findingsThis version was published by a different npm account than previous versions on 2021-10-01. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.3.0
2 findingsThis version was published by a different npm account than previous versions on 2021-06-16. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.2.0
2 findingsThis version was published by a different npm account than previous versions on 2021-03-10. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0
2 findingsThis version was published by a different npm account than previous versions on 2020-12-23. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.4.0
2 findingsThis version was published by a different npm account than previous versions on 2020-11-17. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
2 findingsThis version was published by a different npm account than previous versions on 2020-08-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0
2 findingsThis version was published by a different npm account than previous versions on 2020-03-03. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.