@expo/config-plugins — Greenflagged

A library for Expo config plugins

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

idebrentvatneevanbaconexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurman

Keywords

jsonexporeact-nativereact

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Canary releases from the Expo monorepo are published via a different pipeline that does not inject gitHead; this is a consistent pattern for @expo/* canary versions and not a malicious signal.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): Expo is a large open-source org; maintainer roster changes are routine. New maintainers (douglowder, betoatexpo, philpl) are consistent with known Expo team members.	ai	2026/04/23
dependencies	unvetted-dep:@expo/fingerprint	AI (dependencies): @expo/fingerprint is an Expo-maintained package in the same monorepo/org; not a third-party unknown. Stable false positive for this package.	ai	2026/04/23
publish-pattern	suspicious-version-number	AI (publish-pattern): Expo uses a documented canary versioning pattern (X.Y.Z-canary-YYYYMMDD-githash) for pre-release builds; this is not a malicious version string pattern for this package.	ai	2026/04/23
phantom-deps	phantom-dep:@react-native/normalize-color	AI (phantom-deps): @react-native/normalize-color is an official Meta/React Native package declared for platform-specific resolution; not directly imported in JS is expected behavior for this type of dep.	ai	2026/04/23
dependencies	unvetted-dep:@expo/config-types	AI (dependencies): First-party Expo package from the same monorepo; part of the official Expo ecosystem.	ai	2026/04/23
dependencies	unvetted-dep:@expo/sdk-runtime-versions	AI (dependencies): First-party Expo package from the same monorepo; part of the official Expo ecosystem.	ai	2026/04/23
dependencies	unvetted-dep:xcode	AI (dependencies): xcode is a well-known npm package for parsing Xcode project files, a standard dependency for React Native/Expo tooling.	ai	2026/04/23
dependencies	unvetted-dep:getenv	AI (dependencies): getenv is a small, established utility for reading environment variables; standard dependency for build tooling.	ai	2026/04/23
dependencies	unvetted-dep:xml2js	AI (dependencies): xml2js is a widely-used XML parsing library; pinned to 0.6.0 which is a stable release.	ai	2026/04/23
dependencies	unvetted-dep:slugify	AI (dependencies): slugify is a well-established string slugification utility with no known security issues.	ai	2026/04/23
dependencies	unvetted-dep:@expo/json-file	AI (dependencies): First-party Expo package from the same monorepo; part of the official Expo ecosystem.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): brentvatne is a core Expo team member with an exceptional track record (3555 approved versions). Publisher rotation within the Expo org is expected and not a takeover signal.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer changes within the Expo organization are routine team transitions, not indicative of a package takeover.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Expo monorepo packages historically lack Sigstore provenance; this is consistent with the publisher's other approved packages and not a risk indicator for this ecosystem.	ai	2026/04/21

Versions (showing 79 of 179)

Show 35 prereleases

Version	Deps	Published
6.0.2	15 / 3	2023-05-16
6.0.1	15 / 3	2023-02-21
6.0.0	15 / 3	2023-02-03
5.0.4	15 / 3	2022-11-02
5.0.3	15 / 3	2022-10-30
5.0.2	15 / 3	2022-10-25
5.0.1	15 / 3	2022-08-11
5.0.0	15 / 3	2022-07-07
4.1.5	15 / 3	2022-05-13
4.1.4	15 / 3	2022-04-27
4.1.3	15 / 3	2022-04-27
4.1.2	15 / 3	2022-04-25
4.1.1	15 / 3	2022-04-11
4.1.0	16 / 4	2022-03-08
4.0.18	16 / 4	2022-02-10
4.0.17	16 / 4	2022-02-08
4.0.16	16 / 4	2022-01-12
4.0.15	16 / 4	2021-12-22
4.0.14	16 / 4	2021-12-16
4.0.13	16 / 4	2021-12-14
4.0.12	16 / 4	2021-12-09
4.0.11	16 / 4	2021-12-03
4.0.10	15 / 4	2021-11-29
4.0.9	15 / 4	2021-11-26
4.0.8	15 / 4	2021-11-24
4.0.7	15 / 4	2021-11-09
4.0.6	15 / 4	2021-10-22
4.0.4	15 / 4	2021-10-22
4.0.3	15 / 4	2021-10-19
4.0.2	15 / 4	2021-10-06
4.0.0	15 / 4	2021-09-21
3.1.0	14 / 4	2021-08-25
3.0.8	13 / 4	2021-08-20
3.0.7	13 / 4	2021-08-06
3.0.6	13 / 4	2021-07-28
3.0.5	13 / 6	2021-07-16
3.0.4	13 / 6	2021-07-16
3.0.3	12 / 6	2021-07-05
3.0.2	12 / 6	2021-06-25
3.0.1	12 / 6	2021-06-23
3.0.0	12 / 6	2021-06-23
2.0.4	12 / 6	2021-06-21
2.0.3	12 / 6	2021-06-12
2.0.2	11 / 5	2021-06-01
2.0.1	11 / 5	2021-05-31
2.0.0	11 / 5	2021-05-26
1.0.33	13 / 5	2021-05-25
1.0.32	14 / 5	2021-05-20
1.0.31	14 / 5	2021-05-14
1.0.30	14 / 5	2021-05-11
1.0.29	14 / 5	2021-05-07
1.0.28	14 / 5	2021-04-21
1.0.27	14 / 5	2021-04-20
1.0.26	14 / 5	2021-04-14
1.0.25	14 / 5	2021-04-09
1.0.24	14 / 5	2021-04-01
1.0.23	14 / 5	2021-03-19
1.0.22	14 / 5	2021-03-18
1.0.21	14 / 5	2021-03-09
1.0.20	14 / 5	2021-02-25
1.0.19	14 / 5	2021-02-19
1.0.18	14 / 5	2021-02-02
1.0.17	13 / 5	2021-01-27
1.0.16	13 / 5	2021-01-26
1.0.15	13 / 5	2021-01-25
1.0.14	13 / 5	2021-01-14
1.0.13	12 / 4	2020-12-18
1.0.12	13 / 4	2020-12-15
1.0.11	13 / 4	2020-12-10
1.0.10	12 / 4	2020-12-08
1.0.9	12 / 4	2020-12-05
1.0.8	12 / 4	2020-12-05
1.0.7	11 / 4	2020-12-04
1.0.6	11 / 4	2020-12-02
1.0.5	11 / 4	2020-11-30
1.0.4	11 / 4	2020-11-28
1.0.3	11 / 4	2020-11-27
1.0.2	11 / 4	2020-11-27
1.0.1	11 / 4	2020-11-26