react-devtools-inline

Embed react-devtools within a website

Supply chain provenance

Status for the latest visible version.

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	obfuscated-file:dist/hookNames.js	AI (source-diff): Standard webpack bundle for React DevTools hook name parsing; not obfuscated malware.	ai	2026/04/29
source-diff	net-exec-file:dist/hookNames.js	AI (source-diff): Webpack bundle with worker RPC and URL handling; no malicious network+exec pattern.	ai	2026/04/29
source-diff	obfuscated-file:dist/importFile.worker.worker.js	AI (source-diff): Standard webpack bundle for Chrome CPU profile import; not obfuscated malware.	ai	2026/04/29
source-diff	net-exec-file:dist/importFile.worker.worker.js	AI (source-diff): Webpack bundle for profiler file import; no malicious network+exec pattern.	ai	2026/04/29
source-diff	obfuscated-file:dist/parseSourceAndMetadata.worker.worker.js	AI (source-diff): Standard webpack bundle for source map parsing; not obfuscated malware.	ai	2026/04/29
source-diff	net-exec-file:dist/parseSourceAndMetadata.worker.worker.js	AI (source-diff): Webpack bundle with URL parsing for source maps; no malicious network+exec pattern.	ai	2026/04/29
source-diff	source-size-tripled	AI (source-diff): Size increase reflects new worker bundles for hook names and file import features in major version bump.	ai	2026/04/29
phantom-deps	phantom-dep:source-map-js	AI (phantom-deps): Used as webpack bundled dependency for source map resolution; stable false positive.	ai	2026/04/29
phantom-deps	phantom-dep:@jridgewell/sourcemap-codec	AI (phantom-deps): Used as webpack bundled dependency for source map codec; stable false positive.	ai	2026/04/29

Version	Deps	Published
7.0.1	2 / 22	2025-10-20
4.4.0	1 / 17	2020-01-03