expo-router
Expo Router is a file-based router for React Native and web applications.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@react-native-masked-view/masked-view | AI (dependencies): Well-known React Native UI library; stable dependency for this package. | ai | |
| dependencies | unvetted-dep:@expo/ui | AI (dependencies): Unvetted dependency is Expo's own package at same canary version; stable for this package. | ai | |
| phantom-deps | phantom-dep:@testing-library/user-event | AI (phantom-deps): Testing library extension loaded by convention; phantom status is expected for test infrastructure. | ai | |
| phantom-deps | phantom-dep:@testing-library/jest-dom | AI (phantom-deps): Testing library extension loaded by convention; phantom status is expected for test infrastructure. | ai | |
| phantom-deps | phantom-dep:@jest/globals | AI (phantom-deps): Testing framework package loaded by convention; phantom status is expected for test infrastructure. | ai | |
| phantom-deps | phantom-dep:debug | AI (phantom-deps): debug is a standard logging utility referenced in config; phantom status is expected for transitive dependencies. | ai | |
| provenance | missing-githead | AI (provenance): Canary releases from automated CI may lack gitHead; acceptable for pre-release versions. | ai | |
| publish-pattern | suspicious-version-number | AI (publish-pattern): Canary version format (7.0.0-canary-YYYYMMDD-hash) is standard for pre-release builds; not suspicious in this context. | ai | |
| dependencies | unvetted-peer-dep:expo | AI (dependencies): expo is the parent package in the same organization; peer dependency is expected and stable for this package. | ai | |
| dependencies | unvetted-peer-dep:@testing-library/react-native | AI (dependencies): Optional peer dependency for testing; standard for React Native packages. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in require-context-ponyfill.ts is an intentional webpack require.context() polyfill for testing utilities; stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:url | AI (phantom-deps): url is a declared runtime dependency in package.json used in build/config files; not a security concern for this package. | ai | |
| dependencies | unvetted-dep:react-native-reanimated | AI (dependencies): react-native-reanimated is a standard React Native animation library; expected dependency for navigation routing. | ai | |
| phantom-deps | phantom-dep:react-native-screens | AI (phantom-deps): Platform-specific binary package; phantom dependency is expected and stable for this package. | ai | |
| phantom-deps | phantom-dep:react-native-reanimated | AI (phantom-deps): Platform-specific binary package; phantom dependency is expected and stable for this package. | ai | |
| dependencies | unvetted-dep:expo-splash-screen | AI (dependencies): Unvetted status is expected for Expo ecosystem packages; already marked as accepted risk. | ai | |
| phantom-deps | phantom-dep:react-helmet-async | AI (phantom-deps): react-helmet-async is a declared runtime dependency used in build/config files; not a security concern for this package. | ai | |
| dependencies | unvetted-dep:react-helmet-async | AI (dependencies): react-helmet-async is a well-known, widely-used React head management library; its use in expo-router for web head management is legitimate and expected. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change to expo-bot is consistent with Expo's CI/CD automation for canary releases; stable for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): 14 new dependencies are all established packages supporting new UI features in this major version; expected and legitimate. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 251 new files align with major version feature additions (tabs, drawer, split-view, toolbar); expected for v7.0.0. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Maintainer removal is expected in Expo's monorepo structure; expo-bot is the canonical publisher for canary releases. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainer addition is normal for active projects; no compromise indicators present. | ai | |
| dependencies | unvetted-dep:@expo/server | AI (dependencies): @expo/server is from the Expo organization; unvetted status is expected for internal ecosystem packages. | ai | |
| dependencies | unvetted-dep:@radix-ui/react-tabs | AI (dependencies): Radix UI is a well-established, widely-used component library; unvetted status is a false positive for this ecosystem-standard dependency. | ai | |
| phantom-deps | phantom-dep:client-only | AI (phantom-deps): client-only is a legitimate marker package used in config; phantom-dep status is expected and benign. | ai | |
| provenance | no-provenance | AI (provenance): Canary releases from CI/CD may not have provenance; acceptable for pre-release versions from trusted publishers. | ai | |
Versions (showing 51 of 226)
| Version | Deps | Published |
|---|---|---|
| 56.2.8 | 28 / 22 | |
| 56.2.7 | 28 / 22 | |
| 56.2.6 | 28 / 22 | |
| 56.2.5 | 28 / 22 | |
| 56.2.4 | 28 / 22 | |
| 56.2.3 | 28 / 22 | |
| 56.2.2 | 29 / 22 | |
| 56.2.1 | 29 / 22 | |
| 56.2.0 | 29 / 22 | |
| 56.1.4 | 29 / 22 | |
| 56.1.3 | 29 / 22 | |
| 56.1.2 | 29 / 22 | |
| 56.1.1 | 29 / 22 | |
| 56.1.0 | 28 / 22 | |
| 56.0.4 | 29 / 21 | |
| 56.0.3 | 29 / 21 | |
| 56.0.2 | 29 / 21 | |
| 56.0.1 | 29 / 20 | |
| 56.0.0 | 29 / 20 | |
| 55.0.16 | 26 / 8 | |
| 55.0.15 | 26 / 8 | |
| 55.0.14 | 26 / 8 | |
| 55.0.13 | 26 / 8 | |
| 55.0.12 | 26 / 8 | |
| 55.0.11 | 26 / 8 | |
| 55.0.10 | 26 / 8 | |
| 55.0.9 | 26 / 8 | |
| 55.0.8 | 26 / 8 | |
| 55.0.7 | 26 / 8 | |
| 55.0.6 | 26 / 8 | |
| 55.0.5 | 26 / 8 | |
| 55.0.4 | 26 / 8 | |
| 55.0.3 | 26 / 8 | |
| 55.0.2 | 26 / 8 | |
| 55.0.1 | 27 / 8 | |
| 55.0.0 | 27 / 8 | |
| 6.0.24 | 23 / 9 | |
| 6.0.23 | 23 / 9 | |
| 6.0.22 | 23 / 9 | |
| 6.0.21 | 23 / 9 | |
| 6.0.20 | 23 / 9 | |
| 6.0.19 | 23 / 9 | |
| 6.0.18 | 23 / 9 | |
| 6.0.17 | 23 / 9 | |
| 6.0.16 | 23 / 9 | |
| 6.0.15 | 23 / 9 | |
| 6.0.14 | 23 / 9 | |
| 6.0.13 | 23 / 9 | |
| 6.0.12 | 23 / 9 | |
| 6.0.11 | 23 / 9 | |
| 6.0.10 | 23 / 9 | |
v56.2.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.2.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.2.6
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Info] This version was published by a different npm account (alanhughes) than the most recent previously approved version (brentvatne) on 2026-05-23, but alanhughes is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.
v56.2.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-21. This could indicate a legitimate maintainer transition or an account compromise.
v56.2.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.2.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.2.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.2.1
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-15. This could indicate a legitimate maintainer transition or an account compromise.
v56.2.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-14. This could indicate a legitimate maintainer transition or an account compromise.
v56.1.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.1.3
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-12. This could indicate a legitimate maintainer transition or an account compromise.
v56.1.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v56.0.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.16
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.15
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.9
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.8
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.7
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.6
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-11. This could indicate a legitimate maintainer transition or an account compromise.
v55.0.4
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-03-05. This could indicate a legitimate maintainer transition or an account compromise.
v55.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v55.0.0
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-02-25. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.24
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.23
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2026-01-31. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.22
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.21
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.20
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-17. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.19
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.18
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-11. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.16
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-12-04. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.15
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-11-17. This could indicate a legitimate maintainer transition or an account compromise.
v6.0.14
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.13
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.12
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.11
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.10
1 finding
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.