← Home

eslint-plugin-react

npm Repository Homepage

React specific linting rules for ESLint

100
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ljharbyannickcr

Keywords

eslinteslint-plugineslintpluginreact

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
maintainer-change maintainer-added AI (maintainer-change): ljharb is a highly reputable npm publisher (918 approved packages, 4617 days history). This is a documented legitimate maintainer transition for eslint-plugin-react. ai
source-diff large-new-source-files AI (source-diff): eslint-plugin-react regularly adds new lint rule files across versions; 22 new source files is consistent with normal feature development for this package. ai
publish-pattern new-deps-added AI (publish-pattern): All 6 new deps (resolve, object.values, array-includes, object.entries, object.fromentries, string.prototype.matchall) are well-known legitimate utility packages, many maintained by ljharb himself. ai
provenance publisher-changed AI (provenance): ljharb is a well-known, highly reputable npm publisher who legitimately took over stewardship of eslint-plugin-react from yannickcr. This is a documented, benign maintainer transition. ai
dependencies unvetted-dep:object.hasown AI (dependencies): object.hasown is a standard ljharb-ecosystem polyfill; its use here is legitimate and consistent across versions of this package. ai
dependencies unvetted-dep:array.prototype.toreversed AI (dependencies): Polyfill dependency; consistent with package's design pattern of using array/string prototype polyfills. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require is used to detect the installed React version via resolve.sync — a standard, safe pattern for ESLint plugins. Stable for this package. ai

Versions (showing 100 of 205)

Version Deps Published
7.37.5 18 / 31
7.37.4 18 / 31
7.37.3 18 / 31
7.37.2 18 / 31
7.37.1 18 / 31
7.37.0 18 / 31
7.36.1 18 / 31
7.36.0 18 / 31
7.35.2 18 / 30
7.35.1 18 / 30
7.35.0 18 / 31
7.34.4 19 / 31
7.34.3 18 / 31
7.34.2 18 / 31
7.34.1 18 / 31
7.34.0 18 / 31
7.33.2 16 / 30
7.33.1 15 / 30
7.33.0 15 / 30
7.32.2 15 / 29
7.32.1 15 / 29
7.32.0 15 / 29
7.31.11 15 / 29
7.31.10 14 / 29
7.31.9 14 / 29
7.31.8 14 / 29
7.31.7 14 / 29
7.31.6 14 / 29
7.31.5 14 / 29
7.31.4 14 / 29
7.31.3 14 / 29
7.31.2 14 / 29
7.31.1 14 / 30
7.31.0 14 / 30
7.30.2 14 / 30
7.30.1 14 / 28
7.30.0 14 / 28
7.29.4 14 / 27
7.29.3 14 / 27
7.29.2 14 / 27
7.29.1 14 / 27
7.29.0 14 / 27
7.28.0 14 / 27
7.27.1 14 / 27
7.27.0 14 / 27
7.26.1 14 / 20
7.26.0 14 / 20
7.25.3 13 / 20
7.25.2 13 / 20
7.25.1 13 / 20
7.25.0 13 / 20
7.24.0 12 / 18
7.23.2 12 / 18
7.23.1 12 / 19
7.23.0 12 / 19
7.22.0 11 / 19
7.21.5 11 / 19
7.21.4 11 / 19
7.21.3 11 / 19
7.21.2 11 / 18
7.21.1 11 / 18
7.21.0 11 / 18
7.20.6 11 / 18
7.20.5 11 / 18
7.20.4 11 / 18
7.20.3 11 / 18
7.20.2 11 / 18
7.20.1 11 / 18
7.20.0 11 / 17
7.19.0 12 / 15
7.18.3 10 / 15
7.18.2 10 / 15
7.18.1 10 / 15
7.18.0 9 / 14
7.17.0 10 / 13
7.16.0 9 / 13
7.15.1 9 / 13
7.15.0 9 / 13
7.14.3 9 / 13
7.14.2 9 / 13
7.14.1 9 / 13
7.14.0 9 / 13
7.13.0 7 / 8
7.12.4 7 / 8
7.12.3 7 / 7
7.12.2 7 / 7
7.12.1 7 / 7
7.12.0 7 / 7
7.11.1 5 / 5
7.11.0 5 / 5
7.10.0 4 / 5
7.9.1 4 / 5
7.9.0 5 / 5
7.8.2 4 / 5
7.8.1 4 / 5
7.8.0 4 / 5
7.7.0 4 / 5
7.6.1 4 / 5
7.6.0 4 / 5
7.5.1 4 / 5
Showing 100 of 205 Next page →

v7.37.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v7.9.0

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.