expo-module-scripts — Greenflagged

A private package for various tasks for Expo module packages like compiling and testing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

idebrentvatneevanbaconexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurman

Keywords

babel-presetjest-presetexpo

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@react-native/jest-preset	AI (phantom-deps): Jest preset deps are loaded by convention, not directly imported; stable false positive for this tooling package.	ai	2026/05/21
phantom-deps	phantom-dep:eslint-config-universe	AI (phantom-deps): Build tool package; eslint-config-universe is referenced in eslint config files, not directly imported. Stable pattern for this package.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Provenance attestation is a best practice but not a security requirement. Established package with clear repo and consistent history.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): krystofwoldrich is a known Expo org contributor; maintainer additions within the Expo team are routine and not a risk signal for this package.	ai	2026/04/24
maintainer-change	maintainer-removed	AI (maintainer-change): Removed maintainers are Expo org members; team rotation within a large org is expected and not indicative of a takeover.	ai	2026/04/24
phantom-deps	phantom-dep:@types/jest	AI (phantom-deps): Type definitions consumed by TypeScript config; not directly imported.	ai	2026/04/23
phantom-deps	phantom-dep:@tsconfig/node18	AI (phantom-deps): Extended by tsconfig.json; not a direct import.	ai	2026/04/23
phantom-deps	phantom-dep:@babel/preset-env	AI (phantom-deps): Babel preset loaded by babel config convention.	ai	2026/04/23
phantom-deps	phantom-dep:babel-preset-expo	AI (phantom-deps): Babel preset loaded by babel config convention.	ai	2026/04/23
phantom-deps	phantom-dep:@expo/npm-proofread	AI (phantom-deps): CLI tool referenced in config/scripts; not directly imported.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): Both alanhughes and brentvatne are known Expo team members; brentvatne is Expo co-founder. Legitimate team publishing rotation.	ai	2026/04/23
phantom-deps	phantom-dep:@testing-library/react-native	AI (phantom-deps): Test framework dependency loaded by jest preset convention.	ai	2026/04/23
phantom-deps	phantom-dep:babel-plugin-dynamic-import-node	AI (phantom-deps): Babel plugin loaded by babel config convention.	ai	2026/04/23
phantom-deps	phantom-dep:@babel/plugin-transform-export-namespace-from	AI (phantom-deps): Babel plugin loaded by babel config convention.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require.resolve for ESLint config resolution — standard pattern for tooling that resolves from specific paths.	ai	2026/04/23
dependencies	unvetted-dep:jest-snapshot-prettier	AI (dependencies): npm alias for prettier@^2; standard pattern to pin major version for jest snapshots.	ai	2026/04/23
phantom-deps	phantom-dep:@babel/preset-typescript	AI (phantom-deps): Babel preset loaded by babel config convention.	ai	2026/04/23
phantom-deps	phantom-dep:glob	AI (phantom-deps): Build/test tooling package; deps consumed via config files, not direct imports. Normal for this package type.	ai	2026/04/23
phantom-deps	phantom-dep:ts-jest	AI (phantom-deps): Jest preset config dependency; consumed by jest config, not direct import.	ai	2026/04/23
phantom-deps	phantom-dep:@babel/cli	AI (phantom-deps): CLI tool invoked by expo-module bin scripts; not a direct import.	ai	2026/04/23
phantom-deps	phantom-dep:typescript	AI (phantom-deps): Used via tsconfig and build scripts; standard for tooling package.	ai	2026/04/23

Versions (showing 64 of 64)

Hide prereleases

Version	Deps	Published
56.0.2	17 / 2	2026-05-06
55.0.1	20 / 1	2026-01-22
5.0.8	19 / 1	2025-12-04
5.0.7	19 / 1	2025-09-10
5.0.4	19 / 1	2025-08-26
5.0.0	19 / 1	2025-08-13
4.1.8	19 / 0	2025-06-26
4.1.7	19 / 0	2025-05-08
4.1.5	19 / 0	2025-04-25
4.1.3	19 / 0	2025-04-22
4.0.3	19 / 0	2025-01-10
3.5.0	19 / 0	2024-04-18
3.4.2	18 / 0	2024-04-15
3.4.1	18 / 0	2024-02-01
3.4.0	18 / 0	2023-12-12
3.3.0	14 / 0	2023-11-14
3.2.0	14 / 0	2023-10-17
3.1.1	14 / 0	2023-09-18
3.1.0	14 / 0	2023-09-04
3.0.12	14 / 0	2023-07-26
3.0.11	14 / 0	2023-07-04
3.0.10	14 / 0	2023-06-22
3.0.9	14 / 0	2023-06-02
3.0.8	14 / 0	2023-05-08
3.0.7	14 / 0	2023-02-09
3.0.6	14 / 0	2023-02-03
3.0.5	14 / 0	2022-12-30
3.0.4	14 / 0	2022-11-22
3.0.3	14 / 0	2022-11-02
3.0.2	14 / 0	2022-10-30
3.0.1	15 / 0	2022-10-28
3.0.0	15 / 0	2022-10-25
2.1.1	15 / 0	2022-08-22
2.1.0	15 / 0	2022-08-04
2.0.0	14 / 0	2021-04-15
1.2.0	12 / 0	2020-01-27
1.1.1	10 / 0	2019-09-19
1.1.0	10 / 0	2019-09-06
1.0.1	9 / 0	2019-07-26
1.0.0	9 / 0	2019-03-13
5.1.0-canary-20260121-a63c0dd	20 / 1	2026-01-21
5.1.0-canary-20260120-bb71700	20 / 1	2026-01-20
5.1.0-canary-20260119-70f7c28	20 / 1	2026-01-19
5.1.0-canary-20260114-d8e19f5	20 / 1	2026-01-14
5.1.0-canary-20260113-4879b86	20 / 1	2026-01-13
5.1.0-canary-20260113-0ce2b9c	20 / 1	2026-01-13
5.1.0-canary-20260105-6b962e6	20 / 1	2026-01-05
5.1.0-canary-20251230-fc48ddc	20 / 1	2025-12-30
5.1.0-canary-20251223-b83b31e	20 / 1	2025-12-23
5.1.0-canary-20251216-6e1f9a7	20 / 1	2025-12-16
5.1.0-canary-20251216-3f01dbf	20 / 1	2025-12-16
5.1.0-canary-20251212-acb11f2	20 / 1	2025-12-12
5.1.0-canary-20251211-7da85ea	20 / 1	2025-12-11
5.1.0-canary-20251210-1f163e3	20 / 1	2025-12-10
5.1.0-canary-20251206-615dec1	20 / 1	2025-12-06
5.1.0-canary-20251205-a1dedc6	20 / 1	2025-12-05
5.1.0-canary-20251205-756eb7a	20 / 1	2025-12-05
5.1.0-canary-20251127-587bc53	20 / 1	2025-11-27
5.1.0-canary-20251120-e46b3cc	19 / 1	2025-11-20
5.1.0-canary-20251119-961a032	19 / 1	2025-11-19
5.1.0-canary-20251118-8f7ee64	19 / 1	2025-11-18
5.1.0-canary-20251118-4ca99d5	19 / 1	2025-11-18
5.0.9-canary-20260119-17896bf	19 / 1	2026-01-19
5.0.8-canary-20251031-b135dff	19 / 1	2025-10-31

v56.0.2

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v55.0.1

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: expo-bot → alanhughes (on 2026-01-22) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-22. This could indicate a legitimate maintainer transition or an account compromise.

v5.0.8

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: expo-bot → kudochien (on 2025-12-04) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-04. This could indicate a legitimate maintainer transition or an account compromise.

v5.0.7

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: alanhughes → brentvatne (on 2025-09-10) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-09-10. This could indicate a legitimate maintainer transition or an account compromise.

v5.0.4

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: brentvatne → alanhughes (on 2025-08-26) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-26. This could indicate a legitimate maintainer transition or an account compromise.

v5.0.0

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: lukmccall → brentvatne (on 2025-08-13) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-08-13. This could indicate a legitimate maintainer transition or an account compromise.

v4.1.8

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: brentvatne → gabrieldonadel (on 2025-06-26) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-06-26. This could indicate a legitimate maintainer transition or an account compromise.

v4.1.7

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: brentvatne → gabrieldonadel (on 2025-05-08) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-05-08. This could indicate a legitimate maintainer transition or an account compromise.

v4.1.5

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.