@react-native-async-storage/async-storage
Asynchronous, persistent, key-value storage system for React Native.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| email-domain | unclaimed-email:krizzu.dev | AI (email-domain): Package is the canonical React Native async storage library under the react-native-async-storage GitHub org. The author's personal domain lapsing is a hygiene issue but does not represent a meaningful takeover risk for this well-established org-owned package. | ai | |
| provenance | no-provenance | AI (provenance): Package predates widespread provenance adoption; no provenance is expected for packages of this age and is not a risk signal here. | ai | |
| provenance | publisher-changed | AI (provenance): Package migrated to GitHub Actions CI/CD publishing with SLSA/Sigstore attestation — this is a security improvement, not a compromise signal. Stable for this package going forward. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): idb is a well-known, reputable IndexedDB wrapper library. Its addition in v3.x is consistent with adding web platform support. Not a suspicious dependency. | ai | |
| dependencies | unvetted-dep:merge-options | AI (dependencies): merge-options is a well-known, stable utility package; its use as a dependency in this React Native library is benign and consistent across versions. | ai | |
Versions (showing 78 of 78)
| Version | Deps | Published |
|---|---|---|
| 3.1.1 | 1 / 10 | |
| 3.1.0 | 1 / 10 | |
| 3.0.3 | 1 / 10 | |
| 3.0.2 | 1 / 10 | |
| 3.0.1 | 1 / 10 | |
| 3.0.0 | 1 / 10 | |
| 2.2.0 | 1 / 29 | |
| 2.1.2 | 1 / 29 | |
| 2.1.1 | 1 / 29 | |
| 2.1.0 | 1 / 33 | |
| 2.0.0 | 1 / 32 | |
| 1.24.0 | 1 / 32 | |
| 1.23.1 | 1 / 33 | |
| 1.23.0 | 1 / 33 | |
| 1.22.3 | 1 / 33 | |
| 1.22.2 | 1 / 33 | |
| 1.22.1 | 1 / 33 | |
| 1.22.0 | 1 / 33 | |
| 1.21.0 | 1 / 33 | |
| 1.20.0 | 1 / 33 | |
| 1.19.8 | 1 / 34 | |
| 1.19.7 | 1 / 34 | |
| 1.19.6 | 1 / 34 | |
| 1.19.5 | 1 / 34 | |
| 1.19.4 | 1 / 34 | |
| 1.19.3 | 1 / 35 | |
| 1.19.2 | 1 / 26 | |
| 1.19.1 | 1 / 26 | |
| 1.19.0 | 1 / 26 | |
| 1.18.2 | 1 / 27 | |
| 1.18.1 | 1 / 27 | |
| 1.18.0 | 1 / 27 | |
| 1.17.12 | 1 / 27 | |
| 1.17.11 | 1 / 27 | |
| 1.17.10 | 1 / 26 | |
| 1.17.9 | 1 / 26 | |
| 1.17.8 | 1 / 26 | |
| 1.17.7 | 1 / 26 | |
| 1.17.6 | 1 / 26 | |
| 1.17.5 | 1 / 26 | |
| 1.17.4 | 1 / 26 | |
| 1.17.3 | 1 / 26 | |
| 1.17.2 | 1 / 26 | |
| 1.17.1 | 1 / 26 | |
| 1.17.0 | 1 / 26 | |
| 1.16.3 | 1 / 26 | |
| 1.16.2 | 1 / 25 | |
| 1.16.1 | 1 / 25 | |
| 1.16.0 | 1 / 25 | |
| 1.15.17 | 1 / 26 | |
| 1.15.16 | 1 / 26 | |
| 1.15.15 | 1 / 26 | |
| 1.15.14 | 1 / 28 | |
| 1.15.13 | 1 / 28 | |
| 1.15.12 | 1 / 28 | |
| 1.15.11 | 1 / 26 | |
| 1.15.10 | 1 / 26 | |
| 1.15.9 | 1 / 26 | |
| 1.15.8 | 1 / 26 | |
| 1.15.7 | 1 / 26 | |
| 1.15.6 | 1 / 26 | |
| 1.15.5 | 1 / 28 | |
| 1.15.4 | 1 / 28 | |
| 1.15.3 | 1 / 28 | |
| 1.15.2 | 1 / 28 | |
| 1.15.1 | 1 / 28 | |
| 1.15.0 | 1 / 28 | |
| 1.14.1 | 1 / 28 | |
| 1.14.0 | 1 / 28 | |
| 1.13.4 | 1 / 28 | |
| 1.13.3 | 1 / 27 | |
| 1.13.2 | 1 / 25 | |
| 1.13.1 | 1 / 24 | |
| 1.13.0 | 1 / 23 | |
| 3.0.0-next.3 | 1 / 10 | |
| 3.0.0-next.2 | 1 / 10 | |
| 3.0.0-next.1 | 1 / 10 | |
| 3.0.0-next.0 | 1 / 10 | |
v3.1.1
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.1.0
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v3.0.3
1 finding
Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.
v1.23.1
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.23.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.3
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.2
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.1
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.22.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.21.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.20.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.8
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.7
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.6
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.5
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.4
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.3
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.2
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.1
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.19.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.2
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.1
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.11
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.10
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.9
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.8
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.7
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.6
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.5
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.4
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.3
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.2
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.1
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.17.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.3
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.2
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.1
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.16.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.17
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.16
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.15
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.14
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.13
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.12
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.11
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.10
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.9
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.8
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.7
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.6
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.5
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.4
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.3
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.2
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.1
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.15.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.14.1
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.14.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.4
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.3
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.2
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.1
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.13.0
2 findings
Maintainer email '[email protected]' uses domain 'krizzu.dev' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v3.0.0-next.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0-next.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0-next.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v3.0.0-next.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.