eslint-plugin-react-hooks
ESLint rules for React Hooks
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (babel/core, hermes-parser, zod, etc.) are all established packages supporting the React Compiler integration added in v6.0.0. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Major version (6.0.0) bundles React Compiler integration, explaining the 34.6x size increase. Legitimate feature addition, not payload injection. | ai | |
| source-diff | net-exec-file:cjs/eslint-plugin-react-hooks.production.js | AI (source-diff): Bundled CJS production build; 'crypto' is Node built-in, no actual network calls present. Pattern is a false positive on minified ESLint plugin bundle from official Meta/React repo. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): eslint-plugin-react-hooks is the official React ESLint plugin from Facebook/Meta. Version 0.0.0 is a known placeholder/canary pattern for this package, not a malicious indicator. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Used in the bundled CJS production file; static analyzer cannot trace imports through the bundle. Legitimate runtime dependency. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): react-bot is Meta's official publishing bot for React packages; the transition from individual maintainers to react-bot is a documented organizational practice, not a hijack. | ai | |
| source-diff | obfuscated-file:cjs/eslint-plugin-react-hooks.production.js | AI (source-diff): File is a standard minified production CJS build artifact with MIT license header and readable logic; long lines are from minification, not obfuscation. Normal for React's build pipeline. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Used in the bundled CJS production file for compiler integration. Legitimate runtime dependency. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): Used in the bundled CJS production file for compiler integration. Legitimate runtime dependency. | ai | |
| phantom-deps | phantom-dep:hermes-parser | AI (phantom-deps): Used in the bundled CJS production file for Hermes JS parsing. Legitimate runtime dependency. | ai | |
| phantom-deps | phantom-dep:zod-validation-error | AI (phantom-deps): Used in the bundled CJS production file alongside zod for config validation. Legitimate runtime dependency. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-private-methods | AI (phantom-deps): Used in the bundled CJS production file for Babel transformation. Legitimate runtime dependency. | ai | |
| dependencies | unvetted-dep:zod-validation-error | AI (dependencies): zod-validation-error is a standard companion utility to zod; its inclusion alongside zod in this official React package is benign. | ai | |
| dependencies | unvetted-dep:zod | AI (dependencies): zod is a well-known, widely-adopted schema validation library; its use in eslint-plugin-react-hooks for React Compiler integration is legitimate and low-risk. | ai | |
| provenance | publisher-changed | AI (provenance): eps1lon is a known React core team member; publisher transition from gnoff to eps1lon is a legitimate React team change, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): eps1lon and react-bot are legitimate React team accounts; addition reflects normal React team roster management. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of trueadm and lunaruan reflects normal React team roster changes; no evidence of malicious takeover. | ai | |
| provenance | no-provenance | AI (provenance): react-bot publishes official React packages without Sigstore provenance; this is consistent across their releases and not a risk signal. | ai | |
| dependencies | unvetted-dep:hermes-parser | AI (dependencies): hermes-parser is Meta's own JS parser, appropriate for a Meta-published React ESLint plugin. Not a risk signal for this package. | ai |
Versions (showing 53 of 53)
| Version | Deps | Published |
|---|---|---|
| 7.1.1 | 5 / 18 | |
| 7.1.0 | 5 / 18 | |
| 7.0.1 | 5 / 18 | |
| 7.0.0 | 5 / 18 | |
| 6.1.1 | 4 / 18 | |
| 6.1.0 | 6 / 18 | |
| 6.0.0 | 6 / 18 | |
| 5.2.0 | 0 / 16 | |
| 5.1.0 | 0 / 8 | |
| 5.0.0 | 0 / 8 | |
| 4.6.2 | 0 / 4 | |
| 4.6.1 | 0 / 4 | |
| 4.6.0 | 0 / 4 | |
| 4.5.0 | 0 / 4 | |
| 4.4.0 | 0 / 4 | |
| 4.3.0 | 0 / 4 | |
| 4.2.0 | 0 / 3 | |
| 4.1.2 | 0 / 3 | |
| 4.1.1 | 0 / 3 | |
| 4.1.0 | 0 / 1 | |
| 4.0.8 | 0 / 1 | |
| 4.0.7 | 0 / 1 | |
| 4.0.6 | 0 / 1 | |
| 4.0.5 | 0 / 1 | |
| 4.0.4 | 0 / 1 | |
| 4.0.3 | 0 / 1 | |
| 4.0.2 | 0 / 1 | |
| 4.0.1 | 0 / 1 | |
| 4.0.0 | 0 / 1 | |
| 3.0.0 | 0 / 0 | |
| 2.5.1 | 0 / 0 | |
| 2.5.0 | 0 / 0 | |
| 2.4.0 | 0 / 0 | |
| 2.3.0 | 0 / 0 | |
| 2.2.0 | 0 / 0 | |
| 2.1.2 | 0 / 0 | |
| 2.1.1 | 0 / 0 | |
| 2.1.0 | 0 / 0 | |
| 2.0.1 | 0 / 0 | |
| 2.0.0 | 0 / 0 | |
| 1.7.0 | 0 / 0 | |
| 1.6.1 | 0 / 0 | |
| 1.6.0 | 0 / 0 | |
| 1.5.1 | 0 / 0 | |
| 1.5.0 | 0 / 0 | |
| 1.4.0 | 0 / 0 | |
| 1.3.0 | 0 / 0 | |
| 1.2.0 | 0 / 0 | |
| 1.1.0 | 0 / 0 | |
| 1.0.2 | 0 / 0 | |
| 1.0.1 | 0 / 0 | |
| 1.0.0 | 0 / 0 | |
| 0.0.0 | 0 / 0 |
v7.1.0
4 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.1
4 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-10-24. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
4 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-10-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.1
4 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-10-03. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
4 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-10-01. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
5 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-04-21. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
2 findingsThis version was published by a different npm account than previous versions on 2025-02-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
2 findingsThis version was published by a different npm account than previous versions on 2024-12-05. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
2 findingsThis version was published by a different npm account than previous versions on 2024-10-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.2
2 findingsThis version was published by a different npm account than previous versions on 2024-04-26. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.1
2 findingsThis version was published by a different npm account than previous versions on 2024-04-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-26. This could indicate a legitimate maintainer transition or an account compromise.
v4.4.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-29. This could indicate a legitimate maintainer transition or an account compromise.
v4.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-05-01. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-03-19. This could indicate a legitimate maintainer transition or an account compromise.
v2.5.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-02-26. This could indicate a legitimate maintainer transition or an account compromise.
v2.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-11-14. This could indicate a legitimate maintainer transition or an account compromise.
v2.2.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-10-22. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-10-03. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-09-28. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-08-08. This could indicate a legitimate maintainer transition or an account compromise.
v1.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.