eslint-plugin-react-hooks
ESLint rules for React Hooks
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (babel/core, hermes-parser, zod, etc.) are all established packages supporting the React Compiler integration added in v6.0.0. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Major version (6.0.0) bundles React Compiler integration, explaining the 34.6x size increase. Legitimate feature addition, not payload injection. | ai | |
| source-diff | net-exec-file:cjs/eslint-plugin-react-hooks.production.js | AI (source-diff): Bundled CJS production build; 'crypto' is Node built-in, no actual network calls present. Pattern is a false positive on minified ESLint plugin bundle from official Meta/React repo. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): eslint-plugin-react-hooks is the official React ESLint plugin from Facebook/Meta. Version 0.0.0 is a known placeholder/canary pattern for this package, not a malicious indicator. | ai | |
| phantom-deps | phantom-dep:zod | AI (phantom-deps): Used in the bundled CJS production file; static analyzer cannot trace imports through the bundle. Legitimate runtime dependency. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): react-bot is Meta's official publishing bot for React packages; the transition from individual maintainers to react-bot is a documented organizational practice, not a hijack. | ai | |
| source-diff | obfuscated-file:cjs/eslint-plugin-react-hooks.production.js | AI (source-diff): File is a standard minified production CJS build artifact with MIT license header and readable logic; long lines are from minification, not obfuscation. Normal for React's build pipeline. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Used in the bundled CJS production file for compiler integration. Legitimate runtime dependency. | ai | |
| phantom-deps | phantom-dep:@babel/parser | AI (phantom-deps): Used in the bundled CJS production file for compiler integration. Legitimate runtime dependency. | ai | |
| phantom-deps | phantom-dep:hermes-parser | AI (phantom-deps): Used in the bundled CJS production file for Hermes JS parsing. Legitimate runtime dependency. | ai | |
| phantom-deps | phantom-dep:zod-validation-error | AI (phantom-deps): Used in the bundled CJS production file alongside zod for config validation. Legitimate runtime dependency. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-proposal-private-methods | AI (phantom-deps): Used in the bundled CJS production file for Babel transformation. Legitimate runtime dependency. | ai | |
| dependencies | unvetted-dep:zod-validation-error | AI (dependencies): zod-validation-error is a standard companion utility to zod; its inclusion alongside zod in this official React package is benign. | ai | |
| dependencies | unvetted-dep:zod | AI (dependencies): zod is a well-known, widely-adopted schema validation library; its use in eslint-plugin-react-hooks for React Compiler integration is legitimate and low-risk. | ai | |
| provenance | publisher-changed | AI (provenance): eps1lon is a known React core team member; publisher transition from gnoff to eps1lon is a legitimate React team change, not a compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): eps1lon and react-bot are legitimate React team accounts; addition reflects normal React team roster management. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of trueadm and lunaruan reflects normal React team roster changes; no evidence of malicious takeover. | ai | |
| provenance | no-provenance | AI (provenance): react-bot publishes official React packages without Sigstore provenance; this is consistent across their releases and not a risk signal. | ai | |
| dependencies | unvetted-dep:hermes-parser | AI (dependencies): hermes-parser is Meta's own JS parser, appropriate for a Meta-published React ESLint plugin. Not a risk signal for this package. | ai |
Versions (showing 100 of 272)
v7.1.0
4 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2026-04-16. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.1
4 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-10-24. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
4 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-10-08. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.1
4 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-10-03. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.1.0
4 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-10-01. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0
5 findingsAll previous maintainers (gaearon, threepointone, acdlite, brianvaughn, gnoff, trueadm, lunaruan) were replaced by new maintainers (react-bot). This is a strong signal of a potential package hijack and requires careful review.
This version was published by a different npm account than previous versions on 2025-04-21. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
2 findingsThis version was published by a different npm account than previous versions on 2025-02-28. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
2 findingsThis version was published by a different npm account than previous versions on 2024-12-05. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
2 findingsThis version was published by a different npm account than previous versions on 2024-10-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.2
2 findingsThis version was published by a different npm account than previous versions on 2024-04-26. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.1
2 findingsThis version was published by a different npm account than previous versions on 2024-04-25. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.5.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-04-26. This could indicate a legitimate maintainer transition or an account compromise.
v4.4.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-03-29. This could indicate a legitimate maintainer transition or an account compromise.
v4.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.8
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.7
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.6
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.5
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.4
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.3
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-05-01. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.5.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-03-19. This could indicate a legitimate maintainer transition or an account compromise.
v2.5.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2020-02-26. This could indicate a legitimate maintainer transition or an account compromise.
v2.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.3.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-11-14. This could indicate a legitimate maintainer transition or an account compromise.
v2.2.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-10-22. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.2
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-10-03. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.1
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-09-28. This could indicate a legitimate maintainer transition or an account compromise.
v2.1.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-09-27. This could indicate a legitimate maintainer transition or an account compromise.
v2.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.7.0
2 findings[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2019-08-08. This could indicate a legitimate maintainer transition or an account compromise.
v1.6.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.6.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.1.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.0.0
1 finding[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v7.1.1-canary-d1727fbf-20260417
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.1-canary-94643c3b-20260421
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-fef12a01-20260413
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-fd524fe0-20251121
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-fb2177c1-20251114
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-fa50caf5-20251107
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-f93b9fd4-20251217
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-f646e8ff-20251104
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-ed69815c-20260323
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-ed4bd540-20260202
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-ec9cc003-20251208
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-eb89912e-20251118
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-e8c63626-20260213
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-e33071c6-20260224
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-e0cc7202-20260227
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-dd048c3b-20251105
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-da9325b5-20260417
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-da641178-20260129
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-d763f313-20251210
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-d6cae440-20260106
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-d2908752-20260119
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-c9ddee7e-20251031
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-c80a0750-20260312
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-c137dd6f-20260204
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-c0d218f0-20260324
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-c0060cf2-20260224
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-bef88f7c-20260116
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-bcf97c75-20251215
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-bb8a76c6-20260115
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-bb533877-20260205
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-b546603b-20260121
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-b45bb335-20251211
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-b4546cd0-20260318
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-b4455a6e-20251027
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-b1533b03-20260203
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-b07aa7d6-20260209
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-b061b597-20251212
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-ab18f33d-20260220
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-98ce535f-20260226
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-9627b5a1-20260327
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-95ffd6cd-20260205
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-93fc5740-20251113
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-8c34556c-20260126
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-8b2e903a-20260320
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-8ac5f4eb-20251119
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-8a830737-20260113
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0-canary-88ee1f59-20251215
1 finding[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.