@expo/log-box
Error overlay for universal Expo apps.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): expo-bot is Expo's official automated publishing account used for canary releases; transition from individual maintainer to bot account is expected and documented in Expo's release process. | ai | |
| dependencies | unvetted-peer-dep:expo | AI (dependencies): Core Expo peer dependency; expected and appropriate for this package's purpose. | ai | |
| dependencies | unvetted-peer-dep:@expo/dom-webview | AI (dependencies): Same-org peer dependency; appropriate for Expo error overlay component. | ai | |
| dependencies | unvetted-peer-dep:react-native | AI (dependencies): Standard peer dependency for React Native packages; expected and appropriate. | ai | |
| dependencies | unvetted-dep:@expo/dom-webview | AI (dependencies): Same-org dependency in Expo ecosystem; unvetted status is expected for internal org packages. | ai | |
| provenance | no-provenance | AI (provenance): Expo canary releases from this publisher consistently lack Sigstore provenance; publisher has strong track record (2009 approved). Stable for this package. | ai | |
| provenance | missing-githead | AI (provenance): Expo canary releases are published from a different CI pipeline than stable releases; missing gitHead is expected for this package's canary build process. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Canary version strings (e.g. X.Y.Z-canary-YYYYMMDD-hash) are a standard Expo release pattern across their monorepo packages. | ai | |
| phantom-deps | phantom-dep:@expo/dom-webview | AI (phantom-deps): Phantom dependency is properly declared; same-org scope makes this a stable pattern. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require loads Expo metro config transformer path; legitimate build tooling pattern, not a security risk. | ai | |
Versions (showing 26 of 26)
| Version | Deps | Published |
|---|---|---|
| 56.0.12 | 3 / 14 | |
| 56.0.11 | 3 / 14 | |
| 56.0.10 | 3 / 14 | |
| 56.0.9 | 3 / 14 | |
| 56.0.8 | 3 / 14 | |
| 56.0.7 | 3 / 14 | |
| 56.0.6 | 3 / 14 | |
| 56.0.5 | 3 / 14 | |
| 56.0.4 | 3 / 14 | |
| 56.0.3 | 3 / 14 | |
| 56.0.2 | 3 / 13 | |
| 56.0.1 | 3 / 12 | |
| 56.0.0 | 3 / 12 | |
| 55.0.12 | 3 / 10 | |
| 55.0.11 | 3 / 10 | |
| 55.0.10 | 3 / 10 | |
| 55.0.9 | 3 / 10 | |
| 55.0.8 | 3 / 10 | |
| 55.0.7 | 3 / 10 | |
| 55.0.6 | 3 / 10 | |
| 55.0.5 | 3 / 10 | |
| 55.0.4 | 3 / 10 | |
| 55.0.3 | 3 / 10 | |
| 55.0.2 | 3 / 10 | |
| 55.0.1 | 3 / 10 | |
| 55.0.0 | 3 / 10 | |
v56.0.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.10
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.
v56.0.9
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-14. This could indicate a legitimate maintainer transition or an account compromise.
v56.0.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.