@react-three/drei — Greenflagged

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

gsimonegiuliozstephencorwindrcmdatdfka_rickcodyjasonbennett

Keywords

reactthreethreejsreact-three-fiber

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:three-stdlib	AI (dependencies): three-stdlib is a core Three.js ecosystem dependency, standard for @react-three/drei across all versions.	ai	2026/04/25
dependencies	unvetted-dep:troika-three-text	AI (dependencies): troika-three-text is a well-known 3D text rendering library, standard dependency for this package.	ai	2026/04/25
dependencies	unvetted-dep:three-mesh-bvh	AI (dependencies): three-mesh-bvh is a well-known Three.js BVH acceleration library, standard for this package.	ai	2026/04/25
dependencies	unvetted-dep:camera-controls	AI (dependencies): camera-controls is a standard Three.js camera control library, expected dependency for drei.	ai	2026/04/25
dependencies	unvetted-dep:maath	AI (dependencies): maath is a pmndrs math utility library, part of the same ecosystem as drei.	ai	2026/04/25
dependencies	unvetted-dep:meshline	AI (dependencies): meshline is a well-known Three.js line rendering library, standard for drei.	ai	2026/04/25
dependencies	unvetted-dep:detect-gpu	AI (dependencies): detect-gpu is a legitimate GPU detection library, appropriate for a 3D graphics helper.	ai	2026/04/25
dependencies	unvetted-dep:stats-gl	AI (dependencies): stats-gl is a WebGL performance stats library, standard utility for drei.	ai	2026/04/25
dependencies	unvetted-dep:stats.js	AI (dependencies): stats.js is a classic JS performance monitor, standard utility for drei.	ai	2026/04/25
dependencies	unvetted-dep:suspend-react	AI (dependencies): suspend-react is a pmndrs React Suspense utility, part of the same ecosystem.	ai	2026/04/25
dependencies	unvetted-dep:tunnel-rat	AI (dependencies): tunnel-rat is a pmndrs React portal utility, part of the same ecosystem.	ai	2026/04/25
dependencies	unvetted-dep:glsl-noise	AI (dependencies): glsl-noise is a well-known GLSL shader noise library, appropriate for a 3D graphics helper.	ai	2026/04/25
dependencies	unvetted-dep:@use-gesture/react	AI (dependencies): @use-gesture/react is a well-established gesture library from pmndrs ecosystem, standard for drei.	ai	2026/04/25
dependencies	unvetted-dep:@monogrid/gainmap-js	AI (dependencies): @monogrid/gainmap-js is a gainmap HDR image library, appropriate for Three.js texture handling in drei.	ai	2026/04/25
dependencies	unvetted-dep:@mediapipe/tasks-vision	AI (dependencies): @mediapipe/tasks-vision is Google's MediaPipe vision library, used for face/hand tracking features in drei.	ai	2026/04/25
phantom-deps	phantom-dep:cross-env	AI (phantom-deps): cross-env is a build/dev tool dependency; phantom detection is expected for build-time-only usage.	ai	2026/04/25
phantom-deps	phantom-dep:glsl-noise	AI (phantom-deps): glsl-noise is used as GLSL shader source, not a JS import; phantom detection is a false positive.	ai	2026/04/25
phantom-deps	phantom-dep:use-sync-external-store	AI (phantom-deps): use-sync-external-store may be used indirectly via zustand or other deps; phantom detection is expected.	ai	2026/04/25