@react-native-windows/codegen
Generators for react-native-codegen targeting react-native-windows
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Missing gitHead is a side effect of the CI/CD pipeline change between Microsoft automation accounts; no malicious signal for this package. | ai | |
| provenance | publisher-changed | AI (provenance): Both rnbot and microsoft1es are Microsoft-affiliated automation accounts for react-native-windows publishing; this transition is a legitimate internal change, not a takeover. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy is an artifact of version series tracking; microsoft1es has a strong track record and the package content is unchanged from prior approved versions. | ai | |
| phantom-deps | phantom-dep:mustache | AI (phantom-deps): mustache is declared in package.json dependencies and used in the compiled output; phantom-dep false positive for TypeScript-compiled packages. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic requires are used to resolve known peer dependency paths (react-native, @react-native/codegen) at runtime — standard pattern for a codegen tool, not arbitrary module loading. | ai | |
| phantom-deps | phantom-dep:minimatch | AI (phantom-deps): minimatch is declared in package.json dependencies and used in the compiled output; phantom-dep false positive for TypeScript-compiled packages. | ai | |
| dependencies | unvetted-dep:@react-native-windows/fs | AI (dependencies): First-party sibling package from the same microsoft/react-native-windows monorepo, published by the same microsoft1es account at the same version. | ai | |
| phantom-deps | phantom-dep:chalk | AI (phantom-deps): chalk is declared in package.json dependencies and used in the compiled output; phantom-dep false positive for TypeScript-compiled packages. | ai | |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 0.83.0 | 7 / 15 | |
| 0.82.1 | 7 / 15 | |
| 0.82.0 | 7 / 15 | |
| 0.81.5 | 6 / 15 | |
| 0.81.4 | 6 / 15 | |
| 0.81.3 | 6 / 15 | |
| 0.81.2 | 6 / 15 | |
| 0.81.1 | 6 / 15 | |
| 0.81.0 | 6 / 15 | |
| 0.80.2 | 6 / 15 | |
| 0.80.1 | 6 / 15 | |
| 0.80.0 | 6 / 15 | |
| 0.79.1 | 6 / 15 | |
| 0.79.0 | 6 / 15 | |
| 0.78.3 | 6 / 15 | |
| 0.78.2 | 6 / 15 | |
| 0.75.7 | 6 / 15 | |
| 0.74.9 | 6 / 15 | |
v0.83.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.82.1
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.82.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.5
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.81.4
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.81.3
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-07. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.81.2
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.81.1
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-01-27. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.81.0
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2025-12-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.80.2
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2025-12-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.80.1
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2025-12-12. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.80.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.79.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.79.0
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.78.3
1 finding: Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.
v0.78.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.75.7
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.74.9
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting that the maintainer enable provenance via CI/CD.