@expo/configure-splash-screen
Supplementary module for 'expo-splash-screen' providing cli configuration command
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Expo/evanbacon publish environment change is plausible for a large org; no malicious indicators. Not a security risk for this package. | ai | |
| provenance | no-provenance | AI (provenance): Official @expo scoped package from a highly trusted publisher; lack of Sigstore provenance is not a blocking concern for this established org package. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from bbarthec to brentvatne occurred in Sept 2020 — a legitimate Expo org maintainer transition. brentvatne is a long-standing, highly trusted Expo publisher. | ai |
Versions (showing 30 of 30)
| Version | Deps | Published |
|---|---|---|
| 0.6.0 | 8 / 13 | |
| 0.5.0 | 8 / 13 | |
| 0.4.0 | 8 / 13 | |
| 0.3.4 | 10 / 14 | |
| 0.3.3 | 10 / 15 | |
| 0.3.2 | 11 / 15 | |
| 0.3.1 | 11 / 15 | |
| 0.3.0 | 11 / 14 | |
| 0.2.1 | 11 / 14 | |
| 0.2.0 | 11 / 14 | |
| 0.1.19 | 11 / 14 | |
| 0.1.18 | 11 / 14 | |
| 0.1.17 | 11 / 14 | |
| 0.1.16 | 10 / 12 | |
| 0.1.15 | 10 / 12 | |
| 0.1.14 | 10 / 12 | |
| 0.1.13 | 10 / 12 | |
| 0.1.12 | 10 / 11 | |
| 0.1.11 | 10 / 11 | |
| 0.1.10 | 9 / 10 | |
| 0.1.9 | 10 / 11 | |
| 0.1.8 | 10 / 11 | |
| 0.1.7 | 9 / 11 | |
| 0.1.6 | 9 / 11 | |
| 0.1.5 | 9 / 11 | |
| 0.1.4 | 9 / 11 | |
| 0.1.3 | 9 / 11 | |
| 0.1.2 | 9 / 11 | |
| 0.1.1 | 9 / 11 | |
| 0.1.0 | 9 / 11 |
v0.6.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: brentvatne.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
3 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: brentvatne.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-06-23. This could indicate a legitimate maintainer transition or an account compromise.
v0.4.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: evanbacon.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-02-03. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2021-01-26. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-12-15. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-11-26. This could indicate a legitimate maintainer transition or an account compromise.
v0.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-09-28. This could indicate a legitimate maintainer transition or an account compromise.
v0.2.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-09-28. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.19
2 findingsThis version was published by a different npm account than previous versions on 2020-09-22. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.18
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-09-21. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.17
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.16
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-09-17. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.15
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-09-08. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.14
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-08-04. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.13
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-07-30. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.12
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-06-15. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.11
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-06-08. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.10
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-06-02. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.9
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-05-27. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.8
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-05-26. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-05-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.3
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-05-11. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-05-08. This could indicate a legitimate maintainer transition or an account compromise.
v0.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.