@react-native-windows/telemetry
Telemetry library for the react-native-windows CLI
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): microsoft-oss-releases is a known Microsoft automation account. | ai | |
| provenance | missing-githead | AI (provenance): Microsoft monorepo publish tooling change; publisher is trusted microsoft1es. | ai | |
| phantom-deps | phantom-dep:minimatch | AI (phantom-deps): minimatch used indirectly via config; stable false positive. | ai | |
| phantom-deps | phantom-dep:@azure/core-auth | AI (phantom-deps): @azure/core-auth is a Microsoft Azure SDK package used as a peer/transitive dep by applicationinsights; not being directly imported is expected for this type of auth abstraction. | ai | |
| dependencies | unvetted-dep:applicationinsights | AI (dependencies): applicationinsights is Microsoft's official Azure Application Insights Node.js SDK — a legitimate and expected dependency for a telemetry package in the react-native-windows ecosystem. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process is used in basePropUtils.js for CI environment detection alongside os and ci-info — standard telemetry/environment-probing behavior for this package. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in projectUtils.js loads package.json from a project root to read the project name — a common, legitimate pattern in React Native build tooling. | ai |
Versions (showing 18 of 18)
| Version | Deps | Published |
|---|---|---|
| 0.83.0 | 10 / 17 | |
| 0.82.1 | 10 / 17 | |
| 0.82.0 | 10 / 17 | |
| 0.81.2 | 9 / 17 | |
| 0.81.1 | 9 / 17 | |
| 0.81.0 | 9 / 17 | |
| 0.80.1 | 9 / 17 | |
| 0.80.0 | 9 / 17 | |
| 0.79.2 | 9 / 17 | |
| 0.79.1 | 9 / 17 | |
| 0.79.0 | 10 / 17 | |
| 0.78.2 | 9 / 17 | |
| 0.78.1 | 10 / 17 | |
| 0.77.2 | 9 / 17 | |
| 0.76.4 | 9 / 17 | |
| 0.75.5 | 9 / 17 | |
| 0.75.4 | 10 / 17 | |
| 0.74.3 | 9 / 17 |
v0.83.0
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.82.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.82.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.2
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.1
2 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.0
3 findingsThis version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2025-12-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.80.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.80.0
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.79.2
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.79.1
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.79.0
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.1
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.77.2
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.76.4
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.75.5
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.75.4
1 findingPackage was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.74.3
1 findingPackage was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.