expo-device
A universal module that gets physical information about the device running the application
19
Versions
MIT
License
No
Install Scripts
Missing
Provenance
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
idebrentvatneevanbaconexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurmansimekfsonccheevermarklawlorkadikramansjchmielafiber-godjonsamptcdavisesamelsonquinlanjcharliecruzanbbarthecmczernekaleqsiogabrieldonadellukmccallprincefleaswallowchristopherwalterszdziedzickeith-kurakradoslawkrzemien
Keywords
react-nativeexpoexpo-device
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | missing-githead | AI (provenance): Canary builds from Expo embed the commit hash in the version string itself; missing gitHead in the package metadata is expected for this release pipeline and not a meaningful risk signal. | ai | |
| source-diff | source-size-tripled | AI (source-diff): expo-device is an official Expo SDK module that regularly expands device model databases and platform support; size increases are expected and benign for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): expo-modules-core is a first-party Expo package and its addition reflects a standard SDK architectural migration; not a malicious dependency injection. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Expo uses date-stamped canary version strings (e.g., X.Y.Z-canary-YYYYMMDD-hash) as part of their standard release process; this pattern is not indicative of malicious activity for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of szymon20000 is consistent with the same internal Expo team reorganization; no malicious signal. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from tsapeta to brentvatne reflects an internal Expo team transition; brentvatne is a well-known Expo core maintainer with a strong track record. Stable for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are all recognized Expo team members added as part of a routine org-level maintainer list update. Not indicative of a takeover. | ai | |
| dependencies | unvetted-dep:ua-parser-js | AI (dependencies): ua-parser-js ^0.7.33 is a legitimate dependency for web UA parsing; constraint is well past the 2021 supply-chain incident (0.7.29). Standard usage in Expo SDK. | ai | |
| provenance | no-provenance | AI (provenance): Expo monorepo packages historically lack Sigstore provenance; repo URL and authorship are consistent with the official Expo SDK. | ai |
Versions (showing 19 of 119)
| Version | Deps | Published |
|---|---|---|
| 8.0.11-canary-20260113-4879b86 | 1 / 2 | |
| 8.0.11-canary-20260113-0ce2b9c | 1 / 2 | |
| 8.0.11-canary-20260105-6b962e6 | 1 / 2 | |
| 8.0.11-canary-20251230-fc48ddc | 1 / 2 | |
| 8.0.11-canary-20251223-b83b31e | 1 / 2 | |
| 8.0.11-canary-20251216-6e1f9a7 | 1 / 2 | |
| 8.0.11-canary-20251216-3f01dbf | 1 / 2 | |
| 8.0.11-canary-20251212-acb11f2 | 1 / 2 | |
| 8.0.11-canary-20251211-7da85ea | 1 / 2 | |
| 8.0.11-canary-20251210-1f163e3 | 1 / 2 | |
| 8.0.11-canary-20251206-615dec1 | 1 / 2 | |
| 8.0.11-canary-20251205-a1dedc6 | 1 / 2 | |
| 8.0.11-canary-20251205-756eb7a | 1 / 2 | |
| 8.0.10-canary-20251127-587bc53 | 1 / 2 | |
| 8.0.10-canary-20251120-e46b3cc | 1 / 2 | |
| 8.0.10-canary-20251119-961a032 | 1 / 2 | |
| 8.0.10-canary-20251118-8f7ee64 | 1 / 2 | |
| 8.0.10-canary-20251118-4ca99d5 | 1 / 2 | |
| 8.0.10-canary-20251031-b135dff | 1 / 2 |