@expo/config — Greenflagged

A library for interacting with the app.json

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

idebrentvatneevanbaconexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurman

Keywords

jsonreact-nativeexporeact

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Canary releases from the Expo monorepo are published via a different CI pipeline that does not attach gitHead; this is a consistent pattern for @expo/* canary versions and not a malicious signal.	ai	2026/04/23
publish-pattern	suspicious-version-number	AI (publish-pattern): Expo uses a well-documented canary versioning scheme (X.Y.Z-canary-YYYYMMDD-commithash); this pattern is consistent across all @expo/* canary releases and is not indicative of malicious activity.	ai	2026/04/23
dependencies	unvetted-dep:@expo/babel-preset-cli	AI (dependencies): @expo/babel-preset-cli is an official Expo-scoped package from the same organization (expo/expo-cli repo), used legitimately as a Babel preset for CLI tooling. Not a risk for this package.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Established Expo package with strong publisher track record; lack of provenance is common and not a concern here.	ai	2026/04/23
phantom-deps	phantom-dep:@types/invariant	AI (phantom-deps): @types/invariant is a TypeScript type definition with no runtime code; its presence as a dependency rather than devDependency is a packaging quirk, not a security risk.	ai	2026/04/23
dependencies	unvetted-dep:@types/invariant	AI (dependencies): @types/invariant is a benign TypeScript type-only package; no executable code, no security risk regardless of version constraint.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): brentvatne is a long-standing Expo core team member; publisher rotation within the Expo org is expected and not a security concern for this package.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): @expo/require-utils is a first-party Expo monorepo package; adding it is a routine internal refactor, not a supply-chain risk.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer changes within the Expo organization are routine; already marked as accepted risk in findings.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): tsapeta and philpl are known Expo org contributors; maintainer rotation within the Expo team is expected and not a takeover signal for this package.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): Inflated semver (55.x) reflects Expo's SDK versioning scheme, not spam inflation. Short README is typical for monorepo packages. Not a bogus package.	ai	2026/04/21

Versions (showing 100 of 290)

Hide prereleases

Version	Deps	Published
6.0.24	11 / 1	2022-05-13
6.0.23	11 / 1	2022-04-27
6.0.22	11 / 1	2022-04-27
6.0.21	11 / 1	2022-04-25
6.0.20	11 / 1	2022-04-11
6.0.19	11 / 1	2022-03-08
6.0.18	11 / 1	2022-02-10
6.0.17	11 / 1	2022-02-08
6.0.16	11 / 1	2022-01-12
6.0.15	11 / 1	2021-12-22
6.0.14	11 / 1	2021-12-16
6.0.13	11 / 1	2021-12-14
6.0.12	11 / 1	2021-12-09
6.0.11	11 / 1	2021-12-03
6.0.10	11 / 1	2021-11-29
6.0.9	11 / 1	2021-11-26
6.0.8	11 / 1	2021-11-24
6.0.7	11 / 1	2021-11-09
6.0.6	11 / 1	2021-10-22
6.0.4	11 / 1	2021-10-22
6.0.3	11 / 1	2021-10-19
6.0.2	11 / 1	2021-10-06
6.0.0	11 / 1	2021-09-21
5.0.9	11 / 1	2021-08-25
5.0.8	11 / 1	2021-08-20
5.0.7	11 / 1	2021-08-06
5.0.6	11 / 1	2021-07-28
5.0.5	14 / 3	2021-07-16
5.0.4	14 / 3	2021-07-16
5.0.3	14 / 3	2021-07-05
5.0.2	14 / 3	2021-06-25
5.0.1	14 / 3	2021-06-23
5.0.0	14 / 3	2021-06-23
4.0.4	14 / 3	2021-06-21
4.0.3	14 / 3	2021-06-12
4.0.2	14 / 3	2021-06-01
4.0.1	14 / 3	2021-05-31
4.0.0	14 / 3	2021-05-26
3.3.43	14 / 3	2021-05-25
3.3.42	14 / 3	2021-05-20
3.3.41	14 / 3	2021-05-14
3.3.40	14 / 3	2021-05-11
3.3.39	14 / 3	2021-05-07
3.3.38	14 / 3	2021-04-21
3.3.37	14 / 3	2021-04-20
3.3.36	14 / 3	2021-04-14
3.3.35	14 / 3	2021-04-09
3.3.34	14 / 3	2021-04-01
3.3.33	14 / 3	2021-03-19
3.3.32	14 / 3	2021-03-18
3.3.31	14 / 3	2021-03-09
3.3.30	14 / 3	2021-02-25
3.3.29	12 / 3	2021-02-19
3.3.28	12 / 3	2021-02-02
3.3.27	12 / 3	2021-01-29
3.3.26	12 / 3	2021-01-27
3.3.25	12 / 3	2021-01-26
3.3.24	12 / 3	2021-01-25
3.3.23	12 / 3	2021-01-14
3.3.22	12 / 4	2020-12-18
3.3.21	12 / 4	2020-12-10
3.3.20	12 / 4	2020-12-08
3.3.19	11 / 3	2020-12-05
3.3.18	11 / 3	2020-11-30
3.3.17	11 / 3	2020-11-28
3.3.16	10 / 3	2020-11-26
3.3.15	17 / 5	2020-11-09
3.3.14	17 / 5	2020-11-05
3.3.13	17 / 5	2020-11-03
3.3.12	16 / 5	2020-11-03
3.3.11	16 / 5	2020-10-19
3.3.10	16 / 5	2020-10-14
3.3.9	16 / 5	2020-10-02
3.3.8	16 / 5	2020-09-29
3.3.7	16 / 5	2020-09-28
3.3.6	16 / 5	2020-09-24
3.3.5	16 / 5	2020-09-24
3.3.4	16 / 5	2020-09-23
3.3.3	16 / 5	2020-09-22
3.3.2	16 / 5	2020-09-18
3.3.1	15 / 5	2020-09-17
3.3.0	13 / 5	2020-09-08
3.2.22	13 / 5	2020-09-01
3.2.21	13 / 5	2020-08-27
3.2.20	13 / 5	2020-08-26
3.2.19	12 / 5	2020-08-18
3.2.18	12 / 5	2020-08-11
3.2.17	12 / 5	2020-08-04
3.2.16	12 / 5	2020-07-30
3.2.15	12 / 5	2020-07-07
3.2.14	12 / 5	2020-06-25
3.2.13	12 / 5	2020-06-24
3.2.12	12 / 5	2020-06-19
3.2.11	12 / 5	2020-06-18
3.2.10	12 / 5	2020-06-15
3.2.9	13 / 5	2020-06-02
3.2.8	13 / 4	2020-05-27
3.2.7	13 / 5	2020-05-26
3.2.6	13 / 5	2020-05-15
3.2.5	12 / 6	2020-05-15

Showing 100 of 290 Next page →