eslint-plugin-react
React specific linting rules for ESLint
51
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
ljharbyannickcr
Keywords
eslinteslint-plugineslintpluginreact
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| maintainer-change | maintainer-added | AI (maintainer-change): ljharb is a highly reputable npm publisher (918 approved packages, 4617 days history). This is a documented legitimate maintainer transition for eslint-plugin-react. | ai | |
| source-diff | large-new-source-files | AI (source-diff): eslint-plugin-react regularly adds new lint rule files across versions; 22 new source files is consistent with normal feature development for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All 6 new deps (resolve, object.values, array-includes, object.entries, object.fromentries, string.prototype.matchall) are well-known legitimate utility packages, many maintained by ljharb himself. | ai | |
| provenance | publisher-changed | AI (provenance): ljharb is a well-known, highly reputable npm publisher who legitimately took over stewardship of eslint-plugin-react from yannickcr. This is a documented, benign maintainer transition. | ai | |
| dependencies | unvetted-dep:object.hasown | AI (dependencies): object.hasown is a standard ljharb-ecosystem polyfill; its use here is legitimate and consistent across versions of this package. | ai | |
| dependencies | unvetted-dep:array.prototype.toreversed | AI (dependencies): Polyfill dependency; consistent with package's design pattern of using array/string prototype polyfills. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used to detect the installed React version via resolve.sync — a standard, safe pattern for ESLint plugins. Stable for this package. | ai |
Versions (showing 51 of 205)
| Version | Deps | Published |
|---|---|---|
| 7.37.5 | 18 / 31 | |
| 7.37.4 | 18 / 31 | |
| 7.37.3 | 18 / 31 | |
| 7.37.2 | 18 / 31 | |
| 7.37.1 | 18 / 31 | |
| 7.37.0 | 18 / 31 | |
| 7.36.1 | 18 / 31 | |
| 7.36.0 | 18 / 31 | |
| 7.35.2 | 18 / 30 | |
| 7.35.1 | 18 / 30 | |
| 7.35.0 | 18 / 31 | |
| 7.34.4 | 19 / 31 | |
| 7.34.3 | 18 / 31 | |
| 7.34.2 | 18 / 31 | |
| 7.34.1 | 18 / 31 | |
| 7.34.0 | 18 / 31 | |
| 7.33.2 | 16 / 30 | |
| 7.33.1 | 15 / 30 | |
| 7.33.0 | 15 / 30 | |
| 7.32.2 | 15 / 29 | |
| 7.32.1 | 15 / 29 | |
| 7.32.0 | 15 / 29 | |
| 7.31.11 | 15 / 29 | |
| 7.31.10 | 14 / 29 | |
| 7.31.9 | 14 / 29 | |
| 7.31.8 | 14 / 29 | |
| 7.31.7 | 14 / 29 | |
| 7.31.6 | 14 / 29 | |
| 7.31.5 | 14 / 29 | |
| 7.31.4 | 14 / 29 | |
| 7.31.3 | 14 / 29 | |
| 7.31.2 | 14 / 29 | |
| 7.31.1 | 14 / 30 | |
| 7.31.0 | 14 / 30 | |
| 7.30.2 | 14 / 30 | |
| 7.30.1 | 14 / 28 | |
| 7.30.0 | 14 / 28 | |
| 7.29.4 | 14 / 27 | |
| 7.29.3 | 14 / 27 | |
| 7.29.2 | 14 / 27 | |
| 7.29.1 | 14 / 27 | |
| 7.29.0 | 14 / 27 | |
| 7.28.0 | 14 / 27 | |
| 7.27.1 | 14 / 27 | |
| 7.27.0 | 14 / 27 | |
| 7.26.1 | 14 / 20 | |
| 7.26.0 | 14 / 20 | |
| 7.25.3 | 13 / 20 | |
| 7.25.2 | 13 / 20 | |
| 7.25.1 | 13 / 20 | |
| 7.25.0 | 13 / 20 |
v7.37.5
1 finding
LOW
No provenance attestation
provenance
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.