expo-localization — Greenflagged

Provides an interface for native user localization information.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

idebrentvatneevanbaconexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurmansjchmiela

Keywords

react-nativeexpolocalizationlocalesl10n

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Canary releases from the Expo ecosystem are published via a different pipeline that does not attach gitHead; this is consistent across Expo canary versions and not indicative of compromise.	ai	2026/04/23
source-diff	source-size-tripled	AI (source-diff): expo-localization is a major-version Expo SDK module; size growth from 10KB to 44KB is consistent with expanded locale data/API surface in a v14 release. No malware indicators present.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer removals at Expo reflect normal team rotation within a large, established organization; no takeover indicators present.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): expo-localization is maintained by 650 Industries (Expo); team membership changes are routine organizational transitions, not takeover signals.	ai	2026/04/23
publish-pattern	suspicious-version-number	AI (publish-pattern): Expo canary releases use a date+commit-hash suffix (e.g. canary-20260328-bdc6273) as a standard versioning convention; this pattern is not indicative of malicious intent for this package.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): brentvatne is a well-known Expo core team member with a strong track record; this is a legitimate internal maintainer transition within the Expo org, not a compromise.	ai	2026/04/22
provenance	no-provenance	AI (provenance): Established Expo SDK package from 650 Industries; lack of provenance attestation is common and not a risk signal here.	ai	2026/04/21
phantom-deps	phantom-dep:rtl-detect	AI (phantom-deps): rtl-detect is a legitimate declared dependency for a localization package; phantom-dep finding reflects indirect/config usage, not a risk.	ai	2026/04/21
dependencies	unvetted-dep:rtl-detect	AI (dependencies): rtl-detect is a well-known, benign RTL detection utility; its use is appropriate and expected in a localization package.	ai	2026/04/21

Versions (showing 100 of 120)

Hide prereleases

Version	Deps	Published
56.0.6	1 / 7	2026-05-21
56.0.5	1 / 7	2026-05-19
56.0.4	1 / 7	2026-05-13
56.0.3	1 / 7	2026-05-06
56.0.2	1 / 7	2026-05-06
56.0.1	1 / 7	2026-05-06
56.0.0	1 / 6	2026-05-05
55.0.15	1 / 2	2026-05-19
55.0.14	1 / 2	2026-05-13
55.0.13	1 / 2	2026-04-09
55.0.12	1 / 2	2026-04-07
55.0.11	1 / 2	2026-04-02
55.0.10	1 / 2	2026-04-02
55.0.9	1 / 2	2026-03-17
55.0.8	1 / 2	2026-02-25
55.0.7	1 / 2	2026-02-20
55.0.6	1 / 2	2026-02-16
55.0.5	1 / 2	2026-02-08
55.0.4	1 / 2	2026-02-03
55.0.3	1 / 2	2026-01-27
55.0.2	1 / 2	2026-01-26
55.0.1	1 / 2	2026-01-22
55.0.0	1 / 2	2026-01-21
17.0.9	1 / 2	2026-05-28
17.0.8	1 / 2	2025-12-05
17.0.7	1 / 2	2025-09-11
17.0.6	1 / 2	2025-09-02
17.0.5	1 / 2	2025-08-31
17.0.4	1 / 2	2025-08-27
17.0.3	1 / 2	2025-08-25
17.0.2	1 / 2	2025-08-17
17.0.1	1 / 2	2025-08-15
17.0.0	1 / 2	2025-08-13
16.1.6	1 / 2	2025-07-01
16.1.5	1 / 2	2025-04-30
16.1.4	1 / 2	2025-04-30
16.1.3	1 / 2	2025-04-25
16.1.2	1 / 2	2025-04-14
16.1.1	1 / 1	2025-04-09
16.1.0	1 / 1	2025-04-04
16.0.1	1 / 1	2025-01-10
16.0.0	1 / 1	2024-10-22
15.0.3	1 / 1	2024-05-06
15.0.2	1 / 1	2024-05-01
15.0.1	1 / 1	2024-04-23
15.0.0	1 / 1	2024-04-18
14.8.4	1 / 1	2024-04-15
14.8.3	1 / 1	2024-01-18
14.8.2	1 / 1	2024-01-10
14.8.1	1 / 1	2023-12-19
14.8.0	1 / 1	2023-12-12
14.7.0	1 / 1	2023-11-14
14.6.0	1 / 1	2023-10-17
14.5.0	1 / 1	2023-09-04
14.4.0	1 / 1	2023-08-02
14.3.0	1 / 1	2023-06-21
14.2.0	1 / 1	2023-05-08
14.1.1	1 / 1	2023-02-09
14.1.0	1 / 1	2023-02-03
14.0.0	1 / 1	2022-10-25
13.1.0	1 / 1	2022-07-07
13.0.0	1 / 1	2022-04-18
12.0.1	1 / 1	2022-02-01
12.0.0	1 / 1	2021-12-03
11.0.0	1 / 1	2021-09-28
10.2.0	1 / 1	2021-06-16
10.1.0	1 / 1	2021-03-10
10.0.0	1 / 1	2021-01-15
9.1.0	1 / 1	2020-11-17
9.0.0	1 / 1	2020-08-18
8.2.1	1 / 1	2020-05-29
8.2.0	1 / 1	2020-05-27
8.1.0	1 / 1	2020-03-03
8.0.0	1 / 1	2019-12-02
7.0.0	1 / 1	2019-09-19
6.0.0	1 / 1	2019-07-27
5.0.1	1 / 1	2019-06-06
5.0.0	1 / 1	2019-05-29
4.0.0	1 / 1	2019-03-14
3.0.0	1 / 1	2019-02-27
2.0.0	4 / 1	2019-01-04
1.0.0	1 / 2	2018-10-31
56.0.0-canary-20260420-2ac87c0	1 / 6	2026-04-20
56.0.0-canary-20260417-141204f	1 / 6	2026-04-17
56.0.0-canary-20260414-e3dbafd	1 / 6	2026-04-14
56.0.0-canary-20260409-6fc2991	1 / 6	2026-04-09
56.0.0-canary-20260402-87c5ce2	1 / 2	2026-04-02
56.0.0-canary-20260305-5163746	1 / 2	2026-03-05
56.0.0-canary-20260212-4f61309	1 / 2	2026-02-12
55.0.10-canary-20260402-9da566b	1 / 2	2026-04-02
55.0.10-canary-20260401-5e87ef7	1 / 2	2026-04-01
55.0.10-canary-20260328-bdc6273	1 / 2	2026-03-28
55.0.10-canary-20260328-2049187	1 / 2	2026-03-28
55.0.10-canary-20260327-0789fbc	1 / 2	2026-03-27
55.0.4-canary-20260128-67ce8d5	1 / 2	2026-01-28
55.0.0-canary-20260223-05214f1	1 / 2	2026-02-23
18.0.0-canary-20260121-a63c0dd	1 / 2	2026-01-21
18.0.0-canary-20260120-bb71700	1 / 2	2026-01-20
18.0.0-canary-20260119-70f7c28	1 / 2	2026-01-19
18.0.0-canary-20260114-d8e19f5	1 / 2	2026-01-14

Showing 100 of 120 Next page →