expo-image-picker — Greenflagged

Provides access to the system's UI for selecting images and videos from the phone's library or taking a photo with the camera.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

idebrentvatneexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurman

Keywords

react-nativeexpoimagepickerimage-picker

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Expo canary builds are published from a different CI environment that does not inject gitHead; this is consistent across canary releases from this publisher and not a meaningful risk signal.	ai	2026/04/23
dependencies	unvetted-dep:expo-permissions	AI (dependencies): expo-permissions is a sibling official Expo SDK package from the same expo/expo monorepo; its use here is expected and legitimate for permission handling in the image picker.	ai	2026/04/23
publish-pattern	suspicious-version-number	AI (publish-pattern): Expo uses date-stamped canary version strings (e.g., X.Y.Z-canary-YYYYMMDD-HASH) as a standard convention across all their packages. This pattern is not malicious.	ai	2026/04/23
phantom-deps	phantom-dep:expo-permissions	AI (phantom-deps): expo-permissions is referenced in Expo config/plugin files rather than direct JS imports; this is a standard pattern for Expo native modules and not a security concern.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Established Expo SDK package from a known publisher; lack of provenance attestation is common and not a risk signal here.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer changes within the Expo organization are routine; no evidence of hostile takeover given the official repo URL and publisher track record.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): brentvatne is a core Expo maintainer with a strong track record (91 approved packages); publisher rotation within the Expo org is expected and not a risk signal for this package.	ai	2026/04/22
phantom-deps	phantom-dep:expo-image-loader	AI (phantom-deps): expo-image-loader is a native module dependency referenced in config/plugin files rather than JS imports — expected pattern for Expo SDK packages.	ai	2026/04/21
dependencies	unvetted-dep:expo-image-loader	AI (dependencies): expo-image-loader is a first-party Expo monorepo package (github.com/expo/expo); unvetted status is a pipeline artifact, not a real risk. Stable for all versions of this package.	ai	2026/04/21

Versions (showing 34 of 134)

Show 38 prereleases

Version	Deps	Published
11.0.3	3 / 1	2021-10-21
11.0.2	3 / 1	2021-10-15
11.0.1	3 / 1	2021-10-01
11.0.0	3 / 1	2021-09-28
10.2.3	3 / 1	2021-08-20
10.2.2	4 / 1	2021-06-24
10.2.1	4 / 1	2021-06-22
10.2.0	4 / 1	2021-06-16
10.1.4	4 / 1	2021-04-16
10.1.3	4 / 1	2021-04-13
10.1.2	4 / 1	2021-04-09
10.1.1	4 / 1	2021-03-31
10.1.0	3 / 1	2021-03-10
10.0.0	3 / 1	2021-01-15
9.2.1	2 / 1	2020-12-09
9.2.0	2 / 1	2020-11-17
9.1.1	2 / 1	2020-09-23
9.1.0	2 / 1	2020-08-18
9.0.0	2 / 1	2020-08-11
8.4.0	2 / 1	2020-07-27
8.3.0	2 / 1	2020-05-29
8.2.0	2 / 1	2020-05-27
8.1.0	1 / 1	2020-03-03
8.0.2	1 / 1	2020-01-14
8.0.1	0 / 1	2019-12-10
8.0.0	0 / 1	2019-12-02
7.0.0	0 / 1	2019-09-19
6.0.0	0 / 1	2019-07-27
5.0.2	0 / 1	2019-06-06
5.0.1	0 / 1	2019-06-05
5.0.0	0 / 1	2019-05-29
4.0.0	0 / 1	2019-03-14
3.0.0	0 / 1	2019-02-27
1.0.0	0 / 1	2019-02-19