eslint-plugin-react-hooks

ESLint rules for React Hooks

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

react-bot

Keywords

eslinteslint-plugineslintpluginreact

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
publish-pattern	new-deps-added	AI (publish-pattern): New deps (babel/core, hermes-parser, zod, etc.) are all established packages supporting the React Compiler integration added in v6.0.0.	ai	2026/04/22
source-diff	source-size-tripled	AI (source-diff): Major version (6.0.0) bundles React Compiler integration, explaining the 34.6x size increase. Legitimate feature addition, not payload injection.	ai	2026/04/22
source-diff	net-exec-file:cjs/eslint-plugin-react-hooks.production.js	AI (source-diff): Bundled CJS production build; 'crypto' is Node built-in, no actual network calls present. Pattern is a false positive on minified ESLint plugin bundle from official Meta/React repo.	ai	2026/04/22
npm-metadata	suspicious-initial-version	AI (npm-metadata): eslint-plugin-react-hooks is the official React ESLint plugin from Facebook/Meta. Version 0.0.0 is a known placeholder/canary pattern for this package, not a malicious indicator.	ai	2026/04/22
phantom-deps	phantom-dep:zod	AI (phantom-deps): Used in the bundled CJS production file; static analyzer cannot trace imports through the bundle. Legitimate runtime dependency.	ai	2026/04/22
maintainer-change	maintainer-takeover	AI (maintainer-change): react-bot is Meta's official publishing bot for React packages; the transition from individual maintainers to react-bot is a documented organizational practice, not a hijack.	ai	2026/04/22
source-diff	obfuscated-file:cjs/eslint-plugin-react-hooks.production.js	AI (source-diff): File is a standard minified production CJS build artifact with MIT license header and readable logic; long lines are from minification, not obfuscation. Normal for React's build pipeline.	ai	2026/04/22
phantom-deps	phantom-dep:@babel/core	AI (phantom-deps): Used in the bundled CJS production file for compiler integration. Legitimate runtime dependency.	ai	2026/04/22
phantom-deps	phantom-dep:@babel/parser	AI (phantom-deps): Used in the bundled CJS production file for compiler integration. Legitimate runtime dependency.	ai	2026/04/22
phantom-deps	phantom-dep:hermes-parser	AI (phantom-deps): Used in the bundled CJS production file for Hermes JS parsing. Legitimate runtime dependency.	ai	2026/04/22
phantom-deps	phantom-dep:zod-validation-error	AI (phantom-deps): Used in the bundled CJS production file alongside zod for config validation. Legitimate runtime dependency.	ai	2026/04/22
phantom-deps	phantom-dep:@babel/plugin-proposal-private-methods	AI (phantom-deps): Used in the bundled CJS production file for Babel transformation. Legitimate runtime dependency.	ai	2026/04/22
dependencies	unvetted-dep:zod-validation-error	AI (dependencies): zod-validation-error is a standard companion utility to zod; its inclusion alongside zod in this official React package is benign.	ai	2026/04/22
dependencies	unvetted-dep:zod	AI (dependencies): zod is a well-known, widely-adopted schema validation library; its use in eslint-plugin-react-hooks for React Compiler integration is legitimate and low-risk.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): eps1lon is a known React core team member; publisher transition from gnoff to eps1lon is a legitimate React team change, not a compromise.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): eps1lon and react-bot are legitimate React team accounts; addition reflects normal React team roster management.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of trueadm and lunaruan reflects normal React team roster changes; no evidence of malicious takeover.	ai	2026/04/22
provenance	no-provenance	AI (provenance): react-bot publishes official React packages without Sigstore provenance; this is consistent across their releases and not a risk signal.	ai	2026/04/21
dependencies	unvetted-dep:hermes-parser	AI (dependencies): hermes-parser is Meta's own JS parser, appropriate for a Meta-published React ESLint plugin. Not a risk signal for this package.	ai	2026/04/21

Versions (showing 100 of 272)

Hide prereleases

Version	Deps	Published
7.1.0-canary-87ae75b3-20260128	5 / 18	2026-01-28
7.1.0-canary-80cb7a99-20251211	5 / 18	2025-12-11
7.1.0-canary-80b1cab3-20260331	5 / 18	2026-04-01
7.1.0-canary-7dc903cd-20251203	5 / 18	2025-12-03
7.1.0-canary-77319e2a-20260416	5 / 18	2026-04-16
7.1.0-canary-74568e86-20260328	5 / 18	2026-03-30
7.1.0-canary-705268dc-20260409	5 / 18	2026-04-09
7.1.0-canary-6a0ab4d2-20260121	5 / 18	2026-01-22
7.1.0-canary-67f7d47a-20251103	5 / 18	2025-11-04
7.1.0-canary-66ae640b-20251204	5 / 18	2025-12-04
7.1.0-canary-65eec428-20251218	5 / 18	2025-12-18
7.1.0-canary-65db1000-20260206	5 / 18	2026-02-06
7.1.0-canary-6066c782-20260212	5 / 18	2026-02-12
7.1.0-canary-5e9eedb5-20260312	5 / 18	2026-03-12
7.1.0-canary-5aec1b2a-20260110	5 / 18	2026-01-12
7.1.0-canary-5a2205ba-20251105	5 / 18	2025-11-06
7.1.0-canary-56824423-20260414	5 / 18	2026-04-14
7.1.0-canary-561ee24d-20251101	5 / 18	2025-11-01
7.1.0-canary-55480b4d-20251208	5 / 18	2025-12-09
7.1.0-canary-52684925-20251110	5 / 18	2025-11-10
7.1.0-canary-4f931700-20251029	5 / 18	2025-10-29
7.1.0-canary-4cc5b7a9-20260303	5 / 18	2026-03-03
7.1.0-canary-4a3d993e-20260114	5 / 18	2026-01-14
7.1.0-canary-4842fbea-20260217	5 / 18	2026-02-18
7.1.0-canary-47d1ad14-20260216	5 / 18	2026-02-17
7.1.0-canary-46103596-20260305	5 / 18	2026-03-06
7.1.0-canary-41b3e9a6-20260119	5 / 18	2026-01-19
7.1.0-canary-40b4a5bf-20251120	5 / 18	2025-11-21
7.1.0-canary-408b38ef-20251023	5 / 18	2025-10-24
7.1.0-canary-404b38c7-20260408	5 / 18	2026-04-08
7.1.0-canary-3f0b9e61-20260317	5 / 18	2026-03-17
7.1.0-canary-3e319a94-20260126	5 / 18	2026-01-26
7.1.0-canary-3e1abcc8-20260113	5 / 18	2026-01-14
7.1.0-canary-3e00319b-20260203	5 / 18	2026-02-03
7.1.0-canary-3cb2c420-20260324	5 / 18	2026-03-25
7.1.0-canary-3bc2d414-20260304	5 / 18	2026-03-04
7.1.0-canary-3a2bee26-20260218	5 / 18	2026-02-19
7.1.0-canary-3a0ab8a7-20251029	5 / 18	2025-10-30
7.1.0-canary-37bcdcde-20251211	5 / 18	2025-12-11
7.1.0-canary-378973b3-20251205	5 / 18	2025-12-05
7.1.0-canary-2dd9b7cf-20260208	5 / 18	2026-02-08
7.1.0-canary-2ba30655-20260219	5 / 18	2026-02-20
7.1.0-canary-272441a9-20260209	5 / 18	2026-02-09
7.1.0-canary-257b033f-20251113	5 / 18	2025-11-14
7.1.0-canary-24d8716e-20260123	5 / 18	2026-01-23
7.1.0-canary-230772f9-20260128	5 / 18	2026-01-29
7.1.0-canary-1ea46df8-20251111	5 / 18	2025-11-12
7.1.0-canary-1b45e243-20260402	5 / 18	2026-04-03
7.1.0-canary-10680271-20260126	5 / 18	2026-01-26
7.1.0-canary-100fc4a8-20251110	5 / 18	2025-11-11
7.1.0-canary-09f05694-20251201	5 / 18	2025-12-02
7.1.0-canary-0972e239-20251118	5 / 18	2025-11-18
7.1.0-canary-093b3246-20251113	5 / 18	2025-11-13
7.1.0-canary-044d56f3-20260330	5 / 18	2026-03-31
7.1.0-canary-03ca38e6-20260213	5 / 18	2026-02-13
7.1.0-canary-00f063c3-20260415	5 / 18	2026-04-15
7.0.0-canary-f6a48828-20251019	5 / 18	2025-10-20
7.0.0-canary-ead92181-20251010	5 / 18	2025-10-12
7.0.0-canary-d7215b49-20251013	5 / 18	2025-10-13
7.0.0-canary-93f85932-20251016	5 / 18	2025-10-16
7.0.0-canary-71b3a03c-20251021	5 / 18	2025-10-21
7.0.0-canary-6160773f-20251023	5 / 18	2025-10-23
7.0.0-canary-5f2b5718-20251014	5 / 18	2025-10-14
7.0.0-canary-58bdc0bb-20251019	5 / 18	2025-10-19
7.0.0-canary-56e84692-20251014	5 / 18	2025-10-14
7.0.0-canary-4b3e662e-20251008	5 / 18	2025-10-08
7.0.0-canary-2bcbf254-20251020	5 / 18	2025-10-20
7.0.0-canary-1873ad79-20251015	5 / 18	2025-10-15
7.0.0-canary-1324e1bb-20251016	5 / 18	2025-10-17
7.0.0-canary-06fcc8f3-20251009	5 / 18	2025-10-10
0.0.0-experimental-fef12a01-20260413	5 / 18	2026-04-13
0.0.0-experimental-fd524fe0-20251121	5 / 18	2025-11-24
0.0.0-experimental-fb2177c1-20251114	5 / 18	2025-11-15
0.0.0-experimental-fa50caf5-20251107	5 / 18	2025-11-07
0.0.0-experimental-f93b9fd4-20251217	5 / 18	2025-12-17
0.0.0-experimental-f646e8ff-20251104	5 / 18	2025-11-04
0.0.0-experimental-ed4bd540-20260202	5 / 18	2026-02-02
0.0.0-experimental-ec9cc003-20251208	5 / 18	2025-12-08
0.0.0-experimental-eb89912e-20251118	5 / 18	2025-11-19
0.0.0-experimental-e8c63626-20260213	5 / 18	2026-02-16
0.0.0-experimental-e33071c6-20260224	5 / 18	2026-02-25
0.0.0-experimental-e0cc7202-20260227	5 / 18	2026-02-27
0.0.0-experimental-dd048c3b-20251105	5 / 18	2025-11-05
0.0.0-experimental-da9325b5-20260417	5 / 18	2026-04-17
0.0.0-experimental-da641178-20260129	5 / 18	2026-01-30
0.0.0-experimental-d763f313-20251210	5 / 18	2025-12-10
0.0.0-experimental-d6cae440-20260106	5 / 18	2026-01-07
0.0.0-experimental-d2908752-20260119	5 / 18	2026-01-20
0.0.0-experimental-d1727fbf-20260417	5 / 18	2026-04-17
0.0.0-experimental-c9ddee7e-20251031	5 / 18	2025-10-31
0.0.0-experimental-c80a0750-20260312	5 / 18	2026-03-13
0.0.0-experimental-c137dd6f-20260204	5 / 18	2026-02-04
0.0.0-experimental-c0d218f0-20260324	5 / 18	2026-03-24
0.0.0-experimental-c0060cf2-20260224	5 / 18	2026-02-24
0.0.0-experimental-bef88f7c-20260116	5 / 18	2026-01-16
0.0.0-experimental-bcf97c75-20251215	5 / 18	2025-12-15
0.0.0-experimental-bb8a76c6-20260115	5 / 18	2026-01-15
0.0.0-experimental-bb533877-20260205	5 / 18	2026-02-05
0.0.0-experimental-b546603b-20260121	5 / 18	2026-01-21
0.0.0-experimental-b45bb335-20251211	5 / 18	2025-12-11

Showing 100 of 272 Next page →