ahooks — Greenflagged

react hooks library

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

awmleerliuyibtaowengfan576679268straw94

Keywords

ahooksumi hooksreact hooks

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): @types/js-cookie is a pure TypeScript type definitions package for js-cookie, which was already a dependency. Adding types alongside an existing dep is benign and routine.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): The awmleer→taoweng transition is a documented maintainer handoff within the Alibaba/ahooks team; taoweng has a long, clean track record on npm.	ai	2026/04/24
dependencies	unvetted-dep:ahooks-v3-count	AI (dependencies): ahooks-v3-count is the ahooks team's own telemetry/adoption-counting package; its presence is a known, intentional pattern for this library.	ai	2026/04/24
phantom-deps	phantom-dep:ahooks-v3-count	AI (phantom-deps): Declared but not directly imported; consistent with indirect/config-level usage by the ahooks telemetry mechanism.	ai	2026/04/24
semgrep	semgrep:api-obfuscation-reflect	AI (semgrep): Reflect.get() inside a Proxy handler is idiomatic JS for reactive proxy implementation (useReactive hook). Not obfuscation; pattern is stable across versions of this package.	ai	2026/04/23
phantom-deps	phantom-dep:@types/js-cookie	AI (phantom-deps): @types/js-cookie is intentionally bundled as a runtime dep for type definitions. Minor packaging quirk, not a security issue; stable for this package.	ai	2026/04/23

Versions (showing 51 of 98)

View all versions

Version	Deps	Published
3.9.7	10 / 0	2026-03-23
3.9.6	10 / 0	2025-10-27
3.9.5	10 / 1	2025-08-31
3.9.4	9 / 1	2025-08-22
3.9.3	9 / 1	2025-08-18
3.9.2	9 / 0	2025-08-18
3.9.1	9 / 0	2025-08-17
3.9.0	9 / 13	2025-06-28
3.8.5	9 / 9	2025-05-19
3.8.4	9 / 9	2024-12-05
3.8.3	9 / 9	2024-12-05
3.8.2	9 / 9	2024-12-04
3.8.1	9 / 9	2024-08-11
3.8.0	9 / 9	2024-05-23
3.7.11	9 / 9	2024-04-01
3.7.10	8 / 9	2024-02-01
3.7.9	8 / 9	2024-01-28
3.7.8	10 / 10	2023-06-25
3.7.7	10 / 10	2023-04-30
3.7.6	10 / 10	2023-03-24
3.7.5	9 / 9	2023-02-28
3.7.4	9 / 9	2022-12-26
3.7.3	8 / 9	2022-12-19
3.7.2	8 / 9	2022-10-18
3.7.1	8 / 9	2022-09-08
3.7.0	8 / 9	2022-08-04
3.6.2	8 / 9	2022-07-28
3.5.2	8 / 9	2022-07-03
3.5.1	8 / 9	2022-06-29
3.5.0	8 / 9	2022-06-16
3.4.1	8 / 9	2022-06-02
3.4.0	8 / 9	2022-05-24
3.3.13	8 / 9	2022-05-21
3.3.12	8 / 9	2022-05-16
3.3.11	8 / 9	2022-05-15
3.3.10	8 / 9	2022-04-27
3.3.9	8 / 9	2022-04-27
3.3.8	8 / 9	2022-04-15
3.3.0	8 / 9	2022-03-30
3.2.0	8 / 9	2022-03-28
3.1.14	8 / 9	2022-03-23
3.1.13	8 / 9	2022-03-04
3.1.12	8 / 9	2022-03-04
3.1.11	8 / 9	2022-03-03
3.1.10	8 / 9	2022-02-25
3.1.9	8 / 9	2022-01-26
3.1.8	7 / 10	2022-01-21
3.1.7	7 / 10	2022-01-19
3.1.6	7 / 10	2022-01-17
3.1.5	7 / 10	2022-01-07
3.1.4	7 / 10	2022-01-04

v3.9.7

2 findings

HIGH Publisher changed: taoweng → liuyib (on 2026-03-23) provenance

This version was published by a different npm account than previous versions on 2026-03-23. This could indicate a legitimate maintainer transition or an account compromise.

LOW No provenance attestation provenance