@expo/server
Server API for Expo Router projects
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source: the registry only attests that some account uploaded it. The axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): expo-bot automated canary releases for @expo/server consistently lack gitHead; this reflects the CI publish pipeline, not a supply chain compromise. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Canary versioning (canary-YYYYMMDD-hash) is standard practice for the Expo ecosystem; not indicative of malicious intent. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): Maintainer additions in a monorepo package are routine; new maintainers appear Expo-affiliated with no compromise indicators. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): undici is the official Node.js HTTP client maintained by the Node.js core team; its addition is a legitimate and low-risk dependency choice for a server-side package. | ai | |
| dependencies | unvetted-dep:@remix-run/node | AI (dependencies): @remix-run/node is a legitimate, well-known Remix framework dependency used intentionally by @expo/server for server-side request/response handling in Expo Router projects. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 76 new files are the result of adding a parallel MJS build alongside the existing CJS build; expected for this refactor. | ai | |
| provenance | publisher-changed | AI (provenance): gabrieldonadel is a known Expo team member with strong track record (5665 approved packages); publisher rotation within the Expo org is expected and not a risk signal. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removals paired with additions suggest routine team rotation, not takeover, in an established Expo package. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase explained by dual CJS/MJS build output added in this version; structural refactor, not injected payload. | ai | |
| dependencies | unvetted-dep:undici | AI (dependencies): Undici is a widely-used, well-maintained HTTP client; its addition here is a legitimate dependency refactoring, not a supply-chain attack vector. | ai | |
| typosquat | typosquat.levenshtein:semver | AI (typosquat): Scoped @expo package from official Expo org; Levenshtein match to 'semver' is coincidental, not typosquatting. | ai | |
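The typosquat rule in the table above compares the package name against popular registry names by Levenshtein distance; for @expo/server the unscoped part, "server", is one substitution away from "semver", which is why it fired, and the accepted-risk reason rests on the name living under the official @expo scope. The following is an added example, not the scanner's code, of such a check with that scope awareness built in. The popular-name list and the trusted-scope list are constructed for illustration; a real scanner would take them from download rankings and a maintained allowlist.

```javascript
// Added example, not the scanner's code. Both lists are constructed for
// illustration; a real scanner would use download-ranked registry names.
const POPULAR_NAMES = ["semver", "express", "lodash", "react"];
const TRUSTED_SCOPES = new Set(["@expo", "@types"]);

// Classic single-row Levenshtein distance (insert, delete, substitute cost 1).
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Split "@scope/name" into its parts; unscoped names get scope null.
function splitName(name) {
  const m = /^(@[^/]+)\/(.+)$/.exec(name);
  return m ? { scope: m[1], base: m[2] } : { scope: null, base: name };
}

// Compare only the unscoped part against popular names, as the rule on this
// page did ("server" vs "semver"), then downgrade matches inside a trusted scope.
// An unscoped exact match is the popular package itself, not a squat; a scoped
// exact match (e.g. "@foo/semver") is still reported.
function typosquatFindings(name, maxDistance = 1) {
  const { scope, base } = splitName(name);
  const trusted = scope !== null && TRUSTED_SCOPES.has(scope);
  const findings = [];
  for (const popular of POPULAR_NAMES) {
    if (scope === null && base === popular) continue;
    const d = levenshtein(base.toLowerCase(), popular);
    if (d > maxDistance) continue;
    findings.push({
      rule: `typosquat.levenshtein:${popular}`,
      distance: d,
      severity: trusted ? "low" : "high",
      reason: trusted
        ? `${name} is published under trusted scope ${scope}; near-match to ${popular} is coincidental`
        : `${base} is ${d} edit(s) from ${popular} and not under a trusted scope`,
    });
  }
  return findings;
}

// Usage: typosquatFindings("@expo/server") reports one low-severity match on
// "semver"; typosquatFindings("sember") reports the same match as high severity.
```

The scope check is what turns a raw string-distance hit into a useful signal: the same one-edit match that is harmless under a scope the reviewer trusts is exactly the pattern to block on for an unscoped upload, so the scope must be part of the rule rather than something a reviewer has to remember to apply by hand.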
Versions (showing 36 of 36)
| Version | Deps | Published |
|---|---|---|
| 0.7.5 | 2 / 4 | |
| 0.7.4 | 2 / 4 | |
| 0.7.3 | 2 / 4 | |
| 0.7.2 | 2 / 4 | |
| 0.7.1 | 2 / 4 | |
| 0.7.0 | 2 / 4 | |
| 0.6.3 | 4 / 2 | |
| 0.6.2 | 4 / 2 | |
| 0.6.1 | 4 / 2 | |
| 0.6.0 | 4 / 2 | |
| 0.5.3 | 4 / 2 | |
| 0.5.2 | 4 / 2 | |
| 0.5.1 | 4 / 2 | |
| 0.5.0 | 4 / 2 | |
| 0.4.4 | 4 / 2 | |
| 0.4.3 | 4 / 2 | |
| 0.4.2 | 4 / 2 | |
| 0.4.1 | 4 / 2 | |
| 0.4.0 | 4 / 2 | |
| 0.3.1 | 4 / 2 | |
| 0.3.0 | 4 / 2 | |
| 0.2.0 | 4 / 2 | |
| 0.1.0 | 4 / 1 | |
| 0.7.5-canary-20250919-7a31b96 | 2 / 4 | |
| 0.7.5-canary-20250912-b5ce2a8 | 2 / 4 | |
| 0.7.3-canary-20250830-81bb199 | 2 / 4 | |
| 0.7.3-canary-20250826-f475166 | 2 / 4 | |
| 0.6.4-canary-20250729-d8899ae | 4 / 2 | |
| 0.6.4-canary-20250722-599a28f | 4 / 2 | |
| 0.6.4-canary-20250713-8f814f8 | 4 / 2 | |
| 0.6.4-canary-20250709-136b77f | 4 / 2 | |
| 0.6.4-canary-20250701-6a945c5 | 4 / 2 | |
| 0.6.4-canary-20250630-547cd82 | 4 / 2 | |
| 0.6.3-canary-20250613-b29d676 | 4 / 2 | |
| 0.6.3-canary-20250612-338ef55 | 4 / 2 | |
| 0.6.3-canary-20250611-f0afe80 | 4 / 2 |
v0.6.3
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-18. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.5-canary-20250919-7a31b96
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: expo-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-19. This could indicate a legitimate maintainer transition or an account compromise.
v0.7.5-canary-20250912-b5ce2a8
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: expo-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.7.3-canary-20250830-81bb199
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: expo-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-30. This could indicate a legitimate maintainer transition or an account compromise.
v0.7.3-canary-20250826-f475166
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: expo-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-26. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.4-canary-20250729-d8899ae
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: expo-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-29. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.4-canary-20250722-599a28f
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: expo-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-22. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.4-canary-20250713-8f814f8
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: expo-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-13. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.4-canary-20250709-136b77f
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: expo-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-09. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.4-canary-20250701-6a945c5
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: expo-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-07-01. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.4-canary-20250630-547cd82
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: expo-bot.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-30. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.3-canary-20250613-b29d676
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-13. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.3-canary-20250612-338ef55
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gabrieldonadel.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-12. This could indicate a legitimate maintainer transition or an account compromise.
v0.6.3-canary-20250611-f0afe80
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gabrieldonadel.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-11. This could indicate a legitimate maintainer transition or an account compromise.
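The per-version findings above come from three fields of the registry's package document: gitHead (the commit the publisher's npm client recorded), dist.attestations (present only when a version was published with npm provenance) and _npmUser (the publishing account). The following added example, which is not the scanner's or Expo's code, reproduces those three checks over a constructed package document for a fictitious @example/server whose publish pattern mirrors this page: two releases by one account, a publisher change, a CI bot publishing a canary without gitHead, and finally a bot release with a provenance attestation that passes every check. Field names follow the public npm registry document format; every value in the sample is made up.

```javascript
// Added example, not the scanner's or Expo's code. The package document below
// is constructed for a fictitious @example/server; the field names (gitHead,
// _npmUser, dist.attestations, time) follow the public npm registry format.
const SAMPLE_PACKUMENT = {
  name: "@example/server",
  time: {
    created: "2025-05-20T10:00:00.000Z",
    modified: "2025-08-01T10:00:00.000Z",
    "0.6.1": "2025-05-20T10:00:00.000Z",
    "0.6.2": "2025-06-01T10:00:00.000Z",
    "0.6.3": "2025-06-18T10:00:00.000Z",
    "0.6.4-canary-20250630-abcdef0": "2025-06-30T10:00:00.000Z",
    "0.7.0": "2025-08-01T10:00:00.000Z",
  },
  versions: {
    "0.6.1": { gitHead: "1111111", _npmUser: { name: "maintainer-a" }, dist: {} },
    "0.6.2": { gitHead: "2222222", _npmUser: { name: "maintainer-a" }, dist: {} },
    // publisher rotates to a second human account
    "0.6.3": { gitHead: "3333333", _npmUser: { name: "maintainer-b" }, dist: {} },
    // CI bot publishes a canary with neither gitHead nor attestation
    "0.6.4-canary-20250630-abcdef0": { _npmUser: { name: "ci-bot" }, dist: {} },
    // same bot, now publishing with provenance: clean on all three checks
    "0.7.0": {
      gitHead: "7777777",
      _npmUser: { name: "ci-bot" },
      dist: {
        attestations: {
          url: "https://registry.example/-/npm/v1/attestations/@example%2fserver@0.7.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

// Versions in publish order; "time" also holds created/modified, so only keys
// that are real versions are sorted.
function orderedVersions(packument) {
  const t = packument.time || {};
  return Object.keys(packument.versions).sort(
    (a, b) => Date.parse(t[a] || 0) - Date.parse(t[b] || 0)
  );
}

// The three checks behind the findings on this page. Each finding carries the
// version, a rule id and a human-readable message.
function analyzeProvenance(packument) {
  const findings = [];
  let prevPublisher = null;
  let seenGitHead = false;
  for (const v of orderedVersions(packument)) {
    const meta = packument.versions[v];
    const publisher = meta._npmUser ? meta._npmUser.name : "unknown";
    const date = (packument.time[v] || "").slice(0, 10);

    // 1. gitHead disappeared: the publish environment changed.
    if (!meta.gitHead && seenGitHead) {
      findings.push({ version: v, rule: "missing-githead",
        message: `no gitHead, but earlier versions had one (published by ${publisher})` });
    }
    if (meta.gitHead) seenGitHead = true;

    // 2. No Sigstore provenance attestation on the tarball.
    const att = meta.dist && meta.dist.attestations;
    if (!(att && att.provenance)) {
      findings.push({ version: v, rule: "no-provenance",
        message: "published without Sigstore provenance attestation" });
    }

    // 3. Publishing account differs from the previous version's.
    if (prevPublisher !== null && publisher !== prevPublisher) {
      findings.push({ version: v, rule: "publisher-changed",
        message: `publisher changed from ${prevPublisher} to ${publisher} on ${date}` });
    }
    prevPublisher = publisher;
  }
  return findings;
}

// Counts per version, matching the "N findings" headings on this page.
function findingsByVersion(findings) {
  const counts = {};
  for (const f of findings) counts[f.version] = (counts[f.version] || 0) + 1;
  return counts;
}

// Usage: findingsByVersion(analyzeProvenance(SAMPLE_PACKUMENT)) gives 1, 1, 2 and
// 3 findings for the first four versions and none for the attested 0.7.0.
```

For a real package the same fields can be read with `npm view <pkg>@<version> gitHead` and `npm view <pkg>@<version> dist.attestations`, and `npm audit signatures` checks registry signatures and provenance attestations for everything in a lockfile. Note what the publisher-changed check does and does not tell you: it fires on routine bot and team rotation as readily as on a stolen token, which is why this page records those hits as accepted risks after review rather than as blocks, while a version whose gitHead and attestation are both absent after earlier versions had them is the one worth pausing on.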