expo-network
Provides useful information about the device's network such as its IP address, MAC address, and airplane mode status
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): expo-network canary releases are published via expo-bot CI automation; missing gitHead is consistent with the automated pipeline change, not a security concern. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Canary version format (date + commit hash) is Expo's standard pre-release versioning convention, not a malicious pattern. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Already marked accepted risk; philpl is a known Expo contributor and this is a legitimate team addition. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainer (ijzerenhein) is a known Expo contributor; removal is consistent with normal team transitions within the Expo organization. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): expo-modules-core is the official Expo native modules layer published by the same org; adding it is an expected architectural migration for Expo SDK v4 packages. | ai | |
| dependencies | unvetted-peer-dep:expo | AI (dependencies): expo-network is part of the Expo monorepo; peer dependency on matching canary expo version is expected and appropriate. | ai | |
| provenance | publisher-changed | AI (provenance): Transition to expo-bot is Expo's standard automated publishing pattern for canary releases; not indicative of account compromise. | ai | |
Versions (showing 51 of 74)
| Version | Deps | Published |
|---|---|---|
| 56.0.5 | 0 / 3 | |
| 56.0.4 | 0 / 3 | |
| 56.0.3 | 0 / 3 | |
| 56.0.2 | 0 / 3 | |
| 56.0.1 | 0 / 3 | |
| 56.0.0 | 0 / 2 | |
| 55.0.14 | 0 / 1 | |
| 55.0.13 | 0 / 1 | |
| 55.0.12 | 0 / 1 | |
| 55.0.11 | 0 / 1 | |
| 55.0.10 | 0 / 1 | |
| 55.0.9 | 0 / 1 | |
| 55.0.8 | 0 / 1 | |
| 55.0.7 | 0 / 1 | |
| 55.0.6 | 0 / 1 | |
| 55.0.5 | 0 / 1 | |
| 55.0.4 | 0 / 1 | |
| 55.0.3 | 0 / 1 | |
| 55.0.2 | 0 / 1 | |
| 55.0.1 | 0 / 1 | |
| 55.0.0 | 0 / 1 | |
| 8.0.8 | 0 / 1 | |
| 8.0.7 | 0 / 1 | |
| 8.0.6 | 0 / 1 | |
| 8.0.5 | 0 / 1 | |
| 8.0.4 | 0 / 1 | |
| 8.0.3 | 0 / 1 | |
| 8.0.2 | 0 / 1 | |
| 8.0.1 | 0 / 1 | |
| 8.0.0 | 0 / 1 | |
| 7.1.5 | 0 / 1 | |
| 7.1.4 | 0 / 1 | |
| 7.1.3 | 0 / 1 | |
| 7.1.2 | 0 / 1 | |
| 7.1.1 | 0 / 1 | |
| 7.1.0 | 0 / 1 | |
| 7.0.5 | 0 / 1 | |
| 7.0.4 | 0 / 1 | |
| 7.0.3 | 0 / 1 | |
| 7.0.2 | 0 / 1 | |
| 7.0.1 | 0 / 1 | |
| 7.0.0 | 0 / 1 | |
| 6.0.1 | 0 / 1 | |
| 6.0.0 | 0 / 1 | |
| 5.8.0 | 0 / 1 | |
| 5.7.0 | 0 / 1 | |
| 5.6.0 | 0 / 1 | |
| 5.5.0 | 0 / 1 | |
| 5.4.0 | 0 / 1 | |
| 5.3.0 | 0 / 1 | |
| 5.2.1 | 0 / 1 | |
v56.0.5
2 findings:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
This version was published by a different npm account (brentvatne) than the most recent previously approved version (alanhughes) on 2026-06-05, but brentvatne is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v56.0.4
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.3
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.2
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.14
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
2 findings:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-04-18. This could indicate a legitimate maintainer transition or an account compromise.
v5.8.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.0
2 findings:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-09-04. This could indicate a legitimate maintainer transition or an account compromise.
v5.5.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.0
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
2 findings:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2023-05-08. This could indicate a legitimate maintainer transition or an account compromise.
v5.2.1
1 finding:
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.