@expo/config-plugins
A library for Expo config plugins
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Canary releases from the Expo monorepo are published via a different pipeline that does not inject gitHead; this is a consistent pattern for @expo/* canary versions and not a malicious signal. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Expo is a large open-source org; maintainer roster changes are routine. New maintainers (douglowder, betoatexpo, philpl) are consistent with known Expo team members. | ai | |
| dependencies | unvetted-dep:@expo/fingerprint | AI (dependencies): @expo/fingerprint is an Expo-maintained package in the same monorepo/org; not a third-party unknown. Stable false positive for this package. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Expo uses a documented canary versioning pattern (X.Y.Z-canary-YYYYMMDD-githash) for pre-release builds; this is not a malicious version string pattern for this package. | ai | |
| phantom-deps | phantom-dep:@react-native/normalize-color | AI (phantom-deps): @react-native/normalize-color is an official Meta/React Native package declared for platform-specific resolution; not directly imported in JS is expected behavior for this type of dep. | ai | |
| dependencies | unvetted-dep:@expo/config-types | AI (dependencies): First-party Expo package from the same monorepo; part of the official Expo ecosystem. | ai | |
| dependencies | unvetted-dep:@expo/sdk-runtime-versions | AI (dependencies): First-party Expo package from the same monorepo; part of the official Expo ecosystem. | ai | |
| dependencies | unvetted-dep:xcode | AI (dependencies): xcode is a well-known npm package for parsing Xcode project files, a standard dependency for React Native/Expo tooling. | ai | |
| dependencies | unvetted-dep:getenv | AI (dependencies): getenv is a small, established utility for reading environment variables; standard dependency for build tooling. | ai | |
| dependencies | unvetted-dep:xml2js | AI (dependencies): xml2js is a widely-used XML parsing library; pinned to 0.6.0 which is a stable release. | ai | |
| dependencies | unvetted-dep:slugify | AI (dependencies): slugify is a well-established string slugification utility with no known security issues. | ai | |
| dependencies | unvetted-dep:@expo/json-file | AI (dependencies): First-party Expo package from the same monorepo; part of the official Expo ecosystem. | ai | |
| provenance | publisher-changed | AI (provenance): brentvatne is a core Expo team member with an exceptional track record (3555 approved versions). Publisher rotation within the Expo org is expected and not a takeover signal. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer changes within the Expo organization are routine team transitions, not indicative of a package takeover. | ai | |
| provenance | no-provenance | AI (provenance): Expo monorepo packages historically lack Sigstore provenance; this is consistent with the publisher's other approved packages and not a risk indicator for this ecosystem. | ai |
Versions (showing 100 of 214)
| Version | Deps | Published |
|---|---|---|
| 56.0.8 | 13 / 6 | |
| 56.0.7 | 13 / 6 | |
| 56.0.6 | 13 / 6 | |
| 56.0.5 | 13 / 6 | |
| 56.0.4 | 13 / 6 | |
| 56.0.3 | 13 / 6 | |
| 56.0.2 | 13 / 6 | |
| 56.0.1 | 13 / 6 | |
| 56.0.0 | 13 / 6 | |
| 55.0.10 | 13 / 3 | |
| 55.0.9 | 13 / 3 | |
| 55.0.8 | 13 / 3 | |
| 55.0.7 | 13 / 3 | |
| 55.0.6 | 13 / 3 | |
| 55.0.5 | 13 / 3 | |
| 55.0.4 | 13 / 3 | |
| 55.0.3 | 13 / 3 | |
| 55.0.2 | 14 / 3 | |
| 55.0.1 | 14 / 3 | |
| 55.0.0 | 14 / 3 | |
| 54.0.4 | 14 / 3 | |
| 54.0.3 | 14 / 3 | |
| 54.0.2 | 14 / 3 | |
| 54.0.1 | 14 / 3 | |
| 54.0.0 | 14 / 3 | |
| 11.0.7 | 14 / 4 | |
| 11.0.6 | 14 / 4 | |
| 11.0.5 | 14 / 4 | |
| 11.0.4 | 14 / 4 | |
| 11.0.3 | 14 / 4 | |
| 11.0.2 | 14 / 4 | |
| 11.0.1 | 14 / 4 | |
| 11.0.0 | 14 / 4 | |
| 10.1.2 | 14 / 4 | |
| 10.1.1 | 14 / 4 | |
| 10.1.0 | 14 / 4 | |
| 10.0.3 | 14 / 4 | |
| 10.0.2 | 14 / 4 | |
| 10.0.1 | 14 / 4 | |
| 10.0.0 | 14 / 4 | |
| 9.1.7 | 14 / 4 | |
| 9.1.6 | 14 / 4 | |
| 9.1.5 | 14 / 4 | |
| 9.1.4 | 14 / 4 | |
| 9.1.3 | 14 / 4 | |
| 9.1.2 | 14 / 4 | |
| 9.1.1 | 14 / 4 | |
| 9.1.0 | 14 / 4 | |
| 9.0.17 | 14 / 4 | |
| 9.0.16 | 14 / 4 | |
| 9.0.15 | 14 / 4 | |
| 9.0.14 | 14 / 4 | |
| 9.0.13 | 14 / 4 | |
| 9.0.12 | 14 / 4 | |
| 9.0.11 | 14 / 4 | |
| 9.0.10 | 14 / 4 | |
| 9.0.9 | 14 / 4 | |
| 9.0.8 | 14 / 4 | |
| 9.0.7 | 14 / 4 | |
| 9.0.6 | 14 / 4 | |
| 9.0.5 | 14 / 4 | |
| 9.0.4 | 14 / 4 | |
| 9.0.3 | 14 / 4 | |
| 9.0.2 | 14 / 4 | |
| 9.0.1 | 14 / 4 | |
| 9.0.0 | 14 / 4 | |
| 8.0.11 | 15 / 4 | |
| 8.0.10 | 15 / 4 | |
| 8.0.9 | 15 / 4 | |
| 8.0.8 | 15 / 4 | |
| 8.0.7 | 15 / 4 | |
| 8.0.6 | 15 / 4 | |
| 8.0.5 | 15 / 4 | |
| 8.0.4 | 15 / 4 | |
| 8.0.3 | 15 / 4 | |
| 8.0.2 | 15 / 4 | |
| 8.0.1 | 15 / 4 | |
| 8.0.0 | 15 / 4 | |
| 7.9.2 | 17 / 4 | |
| 7.9.1 | 17 / 4 | |
| 7.9.0 | 17 / 4 | |
| 7.8.4 | 17 / 4 | |
| 7.8.3 | 17 / 4 | |
| 7.8.2 | 17 / 4 | |
| 7.8.1 | 16 / 4 | |
| 7.8.0 | 16 / 4 | |
| 7.7.0 | 16 / 3 | |
| 7.6.0 | 16 / 3 | |
| 7.5.0 | 16 / 3 | |
| 7.4.0 | 15 / 3 | |
| 7.3.1 | 15 / 3 | |
| 7.3.0 | 15 / 3 | |
| 7.2.5 | 15 / 3 | |
| 7.2.4 | 15 / 3 | |
| 7.2.3 | 15 / 3 | |
| 7.2.2 | 15 / 3 | |
| 7.2.1 | 15 / 3 | |
| 7.2.0 | 15 / 3 | |
| 7.1.0 | 15 / 3 | |
| 7.0.0 | 15 / 3 |
v56.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.7
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-20. This could indicate a legitimate maintainer transition or an account compromise.
v56.0.6
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.
v56.0.5
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-14. This could indicate a legitimate maintainer transition or an account compromise.
v56.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.7
2 findingsThis version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.5
2 findingsThis version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.3
2 findingsThis version was published by a different npm account than previous versions on 2026-01-26. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v55.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v55.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v54.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v54.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v54.0.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-10-01. This could indicate a legitimate maintainer transition or an account compromise.
v54.0.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-11. This could indicate a legitimate maintainer transition or an account compromise.
v54.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-10. This could indicate a legitimate maintainer transition or an account compromise.
v11.0.7
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-02. This could indicate a legitimate maintainer transition or an account compromise.
v11.0.6
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-31. This could indicate a legitimate maintainer transition or an account compromise.
v11.0.5
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-27. This could indicate a legitimate maintainer transition or an account compromise.
v11.0.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-25. This could indicate a legitimate maintainer transition or an account compromise.
v11.0.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-19. This could indicate a legitimate maintainer transition or an account compromise.
v11.0.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-17. This could indicate a legitimate maintainer transition or an account compromise.
v11.0.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-15. This could indicate a legitimate maintainer transition or an account compromise.
v11.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-13. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-08. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-03. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-01. This could indicate a legitimate maintainer transition or an account compromise.
v10.0.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-18. This could indicate a legitimate maintainer transition or an account compromise.
v10.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.1.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.1.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v9.1.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-04. This could indicate a legitimate maintainer transition or an account compromise.
v9.0.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.16
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-02-21. This could indicate a legitimate maintainer transition or an account compromise.
v9.0.15
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.14
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.13
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.12
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-12-05. This could indicate a legitimate maintainer transition or an account compromise.
v9.0.11
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2024-11-29. This could indicate a legitimate maintainer transition or an account compromise.
v9.0.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.11
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.10
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.9
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v8.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.9.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.9.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.9.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.8.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.8.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.8.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.8.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.8.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.7.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.3.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.2.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.2.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.2.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.2.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.2.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.