← Home

next

npm Repository Homepage

The React Framework

7
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

matheussmatt.strakavercel-release-botzeit-bot

Keywords

reactframeworknextjswebservernodefront-endbackendclivercel

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
npm-metadata url-dep:ci-info AI (npm-metadata): SHA-pinned devDependency only; not shipped to consumers. Long-standing in next.js monorepo. ai
maintainer-change maintainer-added AI (maintainer-change): matheuss is a known Vercel/Next.js contributor; legitimate team change. ai
provenance publisher-changed AI (provenance): CI migration from vercel-release-bot to GitHub Actions; SLSA provenance confirms legitimate publish pipeline. ai
phantom-deps phantom-dep:styled-jsx AI (phantom-deps): styled-jsx is bundled into Next.js dist output via the build pipeline; direct source imports are not expected. This is a stable false positive for this package. ai
phantom-deps phantom-dep:baseline-browser-mapping AI (phantom-deps): baseline-browser-mapping is used by Next.js build tooling and bundled into dist; not directly imported in source. Stable false positive for this package. ai

Versions (showing 7 of 7)

Version Deps Published
16.2.9 6 / 221
16.2.7 6 / 221
16.2.6 6 / 221
16.2.5 6 / 221
16.2.4 6 / 221
16.2.3 6 / 221
15.5.15 5 / 221

v16.2.9

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v16.2.7

2 findings
HIGH SHA-pinned github dependency (devDependencies): ci-info npm-metadata

Dependency 'ci-info' in `devDependencies` points to 'github:watson/ci-info#f43f6a1cefff47fb361c88cf4b943fdbcaafe540' instead of a registry version. URL dependencies bypass the registry and can be swapped at any time. A 40-character commit SHA in a dependency URL is a strong supply-chain signal — the 2026-05-11 TanStack/Mini Shai-Hulud attack used this exact shape in `optionalDependencies` to smuggle a malicious payload past lifecycle-script and OSV checks.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v16.2.5

2 findings
HIGH Publisher changed: vercel-release-bot → GitHub Actions (on 2026-05-06) provenance

This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.