← Home

react-native

npm Repository Homepage

A framework for building native apps using React

10
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

react-native-botfblunaleapseliwhiteyungsterscortinicofkgozali

Keywords

reactreact-nativeandroidiosmobilecross-platformapp-frameworkmobile-development

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
npm-metadata bundled-binaries AI (npm-metadata): hermesc binaries are the documented Hermes compiler shipped with every react-native release; stable for this package. ai
phantom-deps phantom-dep:babel-jest AI (phantom-deps): babel-jest is a declared dependency used in jest config; phantom-dep heuristic false positive for this package. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require of @react-native-community/cli is the documented plugin resolution pattern for RN CLI. ai
dependencies unvetted-dep:hermes-compiler AI (dependencies): Hermes is Meta's JS engine for React Native; hermes-compiler is a legitimate first-party dependency. ai
phantom-deps phantom-dep:ws AI (phantom-deps): ws is used by React Native's dev server/debugger infrastructure; referenced in config. ai
semgrep semgrep:eval-usage AI (semgrep): eval() in Libraries/Core/Devtools/loadBundleFromServer.js is React Native's documented dev-time bundle loading mechanism. ai
phantom-deps phantom-dep:flow-enums-runtime AI (phantom-deps): Flow enums runtime is injected by the Flow compiler; referenced in config. ai
phantom-deps phantom-dep:@react-native/gradle-plugin AI (phantom-deps): Gradle plugin is a platform-specific (Android) build dependency. ai
phantom-deps phantom-dep:babel-plugin-syntax-hermes-parser AI (phantom-deps): Babel plugin referenced in Metro/build config, not directly imported. ai
phantom-deps phantom-dep:hermes-compiler AI (phantom-deps): Hermes compiler referenced in build config files, not directly imported in JS. ai
semgrep semgrep:child-process-import AI (semgrep): CLI tool legitimately spawns child processes for Metro bundler, emulators, etc. Standard framework CLI behavior. ai

Versions (showing 10 of 10)

Version Deps Published
0.85.3 32 / 0
0.85.2 32 / 0
0.85.1 32 / 0
0.85.0 32 / 0
0.83.9 35 / 0
0.83.8 35 / 0
0.83.7 35 / 0
0.83.6 35 / 0
0.83.5 35 / 0
0.79.2 36 / 0

v0.85.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.85.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.85.1

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.85.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.83.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.83.8

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.83.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.83.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.83.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.79.2

2 findings
HIGH Bundled binary files (10) npm-metadata

Package contains compiled binaries that could be backdoors: • sdks/hermesc/linux64-bin/hermesc • sdks/hermesc/win64-bin/icuin64.dll • sdks/hermesc/win64-bin/icuio64.dll • sdks/hermesc/win64-bin/icutest64.dll • sdks/hermesc/win64-bin/icutu64.dll • sdks/hermesc/win64-bin/icuuc64.dll • sdks/hermesc/win64-bin/msvcp140.dll • sdks/hermesc/win64-bin/vcruntime140_1.dll • sdks/hermesc/win64-bin/vcruntime140.dll • sdks/hermesc/win64-bin/hermesc.exe

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.