react-dom @19.2.6
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
43
Risk Score
MIT
License
No
Install Scripts
1
Dependencies
0
Dev Dependencies
1246.5 KB
Package Size
Published
React package for working with the DOM.
Maintainers
fbreact-bot
Keywords
react
Dependencies (1)
| Package | Constraint | Registry Status |
|---|---|---|
| scheduler | ^0.27.0 | auto_approved |
Transitive Dependency Tree
1 transitive deps
max depth 1
├─
scheduler
^0.27.0
→ 0.27.0
Changes from v0.0.0-experimental-94643c3b-20260421
Dependency Changes
| Change | Package | Version |
|---|---|---|
| changed | scheduler | 0.0.0-experimental-94643c3b-20260421 → ^0.27.0 |
File Changes
0 added
5 removed
22 modified
size delta: -2955.9 KB
Risk Dispositions (1 applicable to this version, 0 other)
Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.
| Rule | Source | Disposition | Author | Reason | |
|---|---|---|---|---|---|
missing-githead |
provenance | reject | AI | AI (provenance): Missing gitHead on a version that appears to be a regression (19.0.5 published after 19.2.5 was approved) is a meaningful supply-chain integrity signal for this package. |
SAST Findings (2)
CRITICAL
Missing gitHead — previous versions had it
provenance
[Always reject] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: react-bot.
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
Review Summary
Risk score: 43. Findings: 1 critical (+40), 1 low (+3).
Published to npm: