expo-module-scripts
A private package for various tasks for Expo module packages like compiling and testing
Supply chain provenance
Status for the latest visible version.
Without a SLSA provenance attestation there is no cryptographic link between the published tarball and the public source repository; the axios compromise (March 2026) relied on exactly this gap. Note what provenance does and does not prove: it ties the tarball to a named CI workflow building a specific commit, so a tarball published from a maintainer's laptop or a stolen token cannot carry a valid attestation, but it says nothing about whether that commit itself is benign.
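The two registry-level signals this report raises, a release without a provenance attestation and a release published by a different npm account than the one before it, can both be read from the package's registry document (the packument returned by `https://registry.npmjs.org/<name>`). The script below is an added example, not code from this report or from the expo-module-scripts project; the packument it runs on is a constructed sample with illustrative versions, dates and account names, and the field names it reads (`time`, `versions[v]._npmUser`, `versions[v].dist.attestations`) are the ones the public npm registry emits.

```javascript
// Added example (not expo-module-scripts code): audit a package's release history
// for missing Sigstore/SLSA provenance and for publisher changes between releases.

const samplePackument = {
  // Constructed sample in registry packument shape; names, dates and accounts are illustrative.
  name: "example-pkg",
  time: {
    created: "2025-01-01T00:00:00.000Z",
    modified: "2025-03-01T00:00:00.000Z",
    "1.0.0": "2025-01-01T00:00:00.000Z",
    "1.1.0": "2025-02-01T00:00:00.000Z",
    "1.2.0": "2025-03-01T00:00:00.000Z",
  },
  versions: {
    "1.0.0": { _npmUser: { name: "alice" }, dist: { integrity: "sha512-AAAA" } },
    "1.1.0": { _npmUser: { name: "bob" }, dist: { integrity: "sha512-BBBB" } },
    "1.2.0": {
      _npmUser: { name: "bob" },
      dist: {
        integrity: "sha512-CCCC",
        // Only releases built and published through a provenance-enabled CI workflow carry this.
        attestations: {
          url: "https://registry.npmjs.org/-/npm/v1/attestations/example-pkg@1.2.0",
          provenance: { predicateType: "https://slsa.dev/provenance/v1" },
        },
      },
    },
  },
};

function releaseOrder(packument) {
  // Order by registry publish time, not by semver: the publisher-changed check
  // compares each release with the one actually published before it, which matters
  // when an old major line (e.g. 5.x) is still released alongside a new one.
  return Object.keys(packument.versions)
    .filter((v) => packument.time && packument.time[v])
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

function hasProvenance(versionDoc) {
  const att = versionDoc.dist && versionDoc.dist.attestations;
  return Boolean(att && att.provenance);
}

function auditVersions(packument) {
  const findings = [];
  let previousPublisher = null;
  for (const version of releaseOrder(packument)) {
    const doc = packument.versions[version];
    const publisher = doc._npmUser ? doc._npmUser.name : null;
    if (!hasProvenance(doc)) {
      findings.push({ version, rule: "no-provenance" });
    }
    if (previousPublisher !== null && publisher !== previousPublisher) {
      findings.push({
        version,
        rule: "publisher-changed",
        from: previousPublisher,
        to: publisher,
        on: packument.time[version].slice(0, 10),
      });
    }
    previousPublisher = publisher;
  }
  return findings;
}

console.log(JSON.stringify(auditVersions(samplePackument), null, 2));
```

A `publisher-changed` finding is only a prompt to look: the report above resolves each one by checking whether the new account is a known member of the publishing organisation, which is a human judgement the script cannot make. To run the same checks against a live package, fetch the packument with `curl https://registry.npmjs.org/expo-module-scripts` and pass the parsed JSON to `auditVersions`, or use `npm view expo-module-scripts dist.attestations` for the latest version; for packages already installed in a project, `npm audit signatures` verifies the registry signatures and provenance attestations of every resolved dependency.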
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:@react-native/jest-preset | AI (phantom-deps): Jest preset deps are loaded by convention, not directly imported; stable false positive for this tooling package. | ai | |
| phantom-deps | phantom-dep:eslint-config-universe | AI (phantom-deps): Build tool package; eslint-config-universe is referenced in eslint config files, not directly imported. Stable pattern for this package. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best practice but not a security requirement. Established package with clear repo and consistent history. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): krystofwoldrich is a known Expo org contributor; maintainer additions within the Expo team are routine and not a risk signal for this package. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers are Expo org members; team rotation within a large org is expected and not indicative of a takeover. | ai | |
| phantom-deps | phantom-dep:@types/jest | AI (phantom-deps): Type definitions consumed by TypeScript config; not directly imported. | ai | |
| phantom-deps | phantom-dep:@tsconfig/node18 | AI (phantom-deps): Extended by tsconfig.json; not a direct import. | ai | |
| phantom-deps | phantom-dep:@babel/preset-env | AI (phantom-deps): Babel preset loaded by babel config convention. | ai | |
| phantom-deps | phantom-dep:babel-preset-expo | AI (phantom-deps): Babel preset loaded by babel config convention. | ai | |
| phantom-deps | phantom-dep:@expo/npm-proofread | AI (phantom-deps): CLI tool referenced in config/scripts; not directly imported. | ai | |
| provenance | publisher-changed | AI (provenance): Both alanhughes and brentvatne are known Expo team members; brentvatne is Expo co-founder. Legitimate team publishing rotation. | ai | |
| phantom-deps | phantom-dep:@testing-library/react-native | AI (phantom-deps): Test framework dependency loaded by jest preset convention. | ai | |
| phantom-deps | phantom-dep:babel-plugin-dynamic-import-node | AI (phantom-deps): Babel plugin loaded by babel config convention. | ai | |
| phantom-deps | phantom-dep:@babel/plugin-transform-export-namespace-from | AI (phantom-deps): Babel plugin loaded by babel config convention. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require.resolve for ESLint config resolution — standard pattern for tooling that resolves from specific paths. | ai | |
| dependencies | unvetted-dep:jest-snapshot-prettier | AI (dependencies): npm alias for prettier@^2; standard pattern to pin major version for jest snapshots. | ai | |
| phantom-deps | phantom-dep:@babel/preset-typescript | AI (phantom-deps): Babel preset loaded by babel config convention. | ai | |
| phantom-deps | phantom-dep:glob | AI (phantom-deps): Build/test tooling package; deps consumed via config files, not direct imports. Normal for this package type. | ai | |
| phantom-deps | phantom-dep:ts-jest | AI (phantom-deps): Jest preset config dependency; consumed by jest config, not direct import. | ai | |
| phantom-deps | phantom-dep:@babel/cli | AI (phantom-deps): CLI tool invoked by expo-module bin scripts; not a direct import. | ai | |
| phantom-deps | phantom-dep:typescript | AI (phantom-deps): Used via tsconfig and build scripts; standard for tooling package. | ai |
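Most rows in the table above are `phantom-dep` findings with the same explanation: the dependency is declared in package.json but never `require`d or `import`ed, because a Babel preset, ESLint config, tsconfig `extends` or Jest preset loads it by name. The script below is an added example of how such a rule can be implemented and how the convention-loaded cases can be separated from the genuinely unreferenced ones; it is not the scanner's code nor expo-module-scripts code, and the project files it inspects are a constructed sample. It distinguishes three outcomes for each declared dependency: imported from source, referenced by name from a config file, or not referenced anywhere (which is where a reviewer still has to supply a reason, as with `typescript` in the table, whose use is through the `tsc` binary rather than its package name).

```javascript
// Added example (not scanner or expo-module-scripts code): classify declared
// dependencies as imported, config-referenced, or unreferenced.

const sampleProject = {
  // Constructed sample: path -> file contents.
  "package.json": JSON.stringify({
    scripts: { build: "tsc -p ." },
    dependencies: {
      glob: "^10.0.0",
      "left-pad": "^1.3.0",
      "@babel/preset-env": "^7.0.0",
      "@tsconfig/node18": "^18.2.0",
      typescript: "^5.0.0",
    },
  }),
  "src/index.js": [
    "const { globSync } = require('glob');",
    "const pad = require('left-pad/lib/index.js');",
    "import fs from 'node:fs';",
    "import { helper } from './helper';",
  ].join("\n"),
  "babel.config.js": "module.exports = { presets: ['@babel/preset-env'] };",
  "tsconfig.json": JSON.stringify({ extends: "@tsconfig/node18/tsconfig.json" }),
};

const SOURCE_RE = /\.(?:[cm]?[jt]sx?)$/;
// Files whose string literals name packages that a tool loads by convention.
const CONFIG_RE = /(?:^|\/)(?:[^/]*\.config\.[cm]?js|\.babelrc|\.eslintrc[^/]*|tsconfig[^/]*\.json|jest-preset\.js|package\.json)$/;

function packageName(specifier) {
  // Reduce an import specifier to the package that provides it; relative paths,
  // absolute paths and node: builtins are not packages.
  if (specifier.startsWith(".") || specifier.startsWith("/") || specifier.startsWith("node:")) return null;
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

function importedPackages(source) {
  const found = new Set();
  const patterns = [
    /\b(?:require|import)\(\s*['"]([^'"]+)['"]\s*\)/g,          // require('x'), import('x')
    /\bimport\s+(?:[^'";]*?\s+from\s+)?['"]([^'"]+)['"]/g,       // import a from 'x', import 'x'
  ];
  for (const re of patterns) {
    for (const m of source.matchAll(re)) {
      const name = packageName(m[1]);
      if (name) found.add(name);
    }
  }
  return found;
}

function referenceRegex(name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  // The name must stand alone: delimited by quotes, whitespace or line edges,
  // optionally followed by a subpath such as "@tsconfig/node18/tsconfig.json".
  return new RegExp("(?:^|[\\s\"'`])" + escaped + "(?:$|[\\s\"'`/])", "m");
}

function configText(path, content) {
  // In package.json only the scripts block counts; the dependency map itself
  // mentions every declared name and would make everything look referenced.
  if (path.endsWith("package.json")) {
    return Object.values(JSON.parse(content).scripts || {}).join("\n");
  }
  return content;
}

function classifyDeclaredDeps(files) {
  const pkg = JSON.parse(files["package.json"]);
  const declared = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) }).sort();
  const imported = new Set();
  for (const [path, content] of Object.entries(files)) {
    if (SOURCE_RE.test(path) && !CONFIG_RE.test(path)) {
      for (const name of importedPackages(content)) imported.add(name);
    }
  }
  const result = { imported: [], configReferenced: [], unreferenced: [] };
  for (const name of declared) {
    if (imported.has(name)) {
      result.imported.push(name);
      continue;
    }
    const refs = Object.entries(files)
      .filter(([path]) => CONFIG_RE.test(path))
      .filter(([path, content]) => referenceRegex(name).test(configText(path, content)))
      .map(([path]) => path);
    if (refs.length > 0) result.configReferenced.push({ name, files: refs });
    else result.unreferenced.push(name);
  }
  return result;
}

console.log(JSON.stringify(classifyDeclaredDeps(sampleProject), null, 2));
```

On the sample, `glob` and `left-pad` are imported, `@babel/preset-env` and `@tsconfig/node18` are config-referenced (by babel.config.js and tsconfig.json respectively), and `typescript` is left unreferenced because `tsc` in the build script is a binary name, not the package name. That last bucket is the one a reviewer has to explain by hand, which is what the `phantom-dep:typescript` acceptance above does; name-based matching cannot see `bin` invocations, and widening the regex to catch them would also start matching unrelated words.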
Versions (showing 40 of 40)
| Version | Deps | Published |
|---|---|---|
| 56.0.2 | 17 / 2 | |
| 55.0.1 | 20 / 1 | |
| 5.0.8 | 19 / 1 | |
| 5.0.7 | 19 / 1 | |
| 5.0.4 | 19 / 1 | |
| 5.0.0 | 19 / 1 | |
| 4.1.8 | 19 / 0 | |
| 4.1.7 | 19 / 0 | |
| 4.1.5 | 19 / 0 | |
| 4.1.3 | 19 / 0 | |
| 4.0.3 | 19 / 0 | |
| 3.5.0 | 19 / 0 | |
| 3.4.2 | 18 / 0 | |
| 3.4.1 | 18 / 0 | |
| 3.4.0 | 18 / 0 | |
| 3.3.0 | 14 / 0 | |
| 3.2.0 | 14 / 0 | |
| 3.1.1 | 14 / 0 | |
| 3.1.0 | 14 / 0 | |
| 3.0.12 | 14 / 0 | |
| 3.0.11 | 14 / 0 | |
| 3.0.10 | 14 / 0 | |
| 3.0.9 | 14 / 0 | |
| 3.0.8 | 14 / 0 | |
| 3.0.7 | 14 / 0 | |
| 3.0.6 | 14 / 0 | |
| 3.0.5 | 14 / 0 | |
| 3.0.4 | 14 / 0 | |
| 3.0.3 | 14 / 0 | |
| 3.0.2 | 14 / 0 | |
| 3.0.1 | 15 / 0 | |
| 3.0.0 | 15 / 0 | |
| 2.1.1 | 15 / 0 | |
| 2.1.0 | 15 / 0 | |
| 2.0.0 | 14 / 0 | |
| 1.2.0 | 12 / 0 | |
| 1.1.1 | 10 / 0 | |
| 1.1.0 | 10 / 0 | |
| 1.0.1 | 9 / 0 | |
| 1.0.0 | 9 / 0 |
v56.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.1
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.8
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-04. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.7
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-10. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-26. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.0
2 findings
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-13. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.8
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-26. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.7
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-05-08. This could indicate a legitimate maintainer transition or an account compromise.
v4.1.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.1.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.