expo-router — Greenflagged

Expo Router is a file-based router for React Native and web applications.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

idebrentvatneevanbaconexpoadminexponentbycedrickudochienalanhughestsapetaexpo-botphilplwschurman

Keywords

react-nativeexpo

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:@react-native-masked-view/masked-view	AI (dependencies): Well-known React Native UI library; stable dependency for this package.	ai	2026/04/23
dependencies	unvetted-dep:@expo/ui	AI (dependencies): Unvetted dependency is Expo's own package at same canary version; stable for this package.	ai	2026/04/23
phantom-deps	phantom-dep:@testing-library/user-event	AI (phantom-deps): Testing library extension loaded by convention; phantom status is expected for test infrastructure.	ai	2026/04/23
phantom-deps	phantom-dep:@testing-library/jest-dom	AI (phantom-deps): Testing library extension loaded by convention; phantom status is expected for test infrastructure.	ai	2026/04/23
phantom-deps	phantom-dep:@jest/globals	AI (phantom-deps): Testing framework package loaded by convention; phantom status is expected for test infrastructure.	ai	2026/04/23
phantom-deps	phantom-dep:debug	AI (phantom-deps): debug is a standard logging utility referenced in config; phantom status is expected for transitive dependencies.	ai	2026/04/23
provenance	missing-githead	AI (provenance): Canary releases from automated CI may lack gitHead; acceptable for pre-release versions.	ai	2026/04/23
publish-pattern	suspicious-version-number	AI (publish-pattern): Canary version format (7.0.0-canary-YYYYMMDD-hash) is standard for pre-release builds; not suspicious in this context.	ai	2026/04/23
dependencies	unvetted-peer-dep:expo	AI (dependencies): expo is the parent package in the same organization; peer dependency is expected and stable for this package.	ai	2026/04/22
dependencies	unvetted-peer-dep:@testing-library/react-native	AI (dependencies): Optional peer dependency for testing; standard for React Native packages.	ai	2026/04/22
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require in require-context-ponyfill.ts is an intentional webpack require.context() polyfill for testing utilities; stable false positive for this package.	ai	2026/04/22
phantom-deps	phantom-dep:url	AI (phantom-deps): url is a declared runtime dependency in package.json used in build/config files; not a security concern for this package.	ai	2026/04/22
dependencies	unvetted-dep:react-native-reanimated	AI (dependencies): react-native-reanimated is a standard React Native animation library; expected dependency for navigation routing.	ai	2026/04/22
phantom-deps	phantom-dep:react-native-screens	AI (phantom-deps): Platform-specific binary package; phantom dependency is expected and stable for this package.	ai	2026/04/22
phantom-deps	phantom-dep:react-native-reanimated	AI (phantom-deps): Platform-specific binary package; phantom dependency is expected and stable for this package.	ai	2026/04/22
dependencies	unvetted-dep:expo-splash-screen	AI (dependencies): Unvetted status is expected for Expo ecosystem packages; already marked as accepted risk.	ai	2026/04/22
phantom-deps	phantom-dep:react-helmet-async	AI (phantom-deps): react-helmet-async is a declared runtime dependency used in build/config files; not a security concern for this package.	ai	2026/04/22
dependencies	unvetted-dep:react-helmet-async	AI (dependencies): react-helmet-async is a well-known, widely-used React head management library; its use in expo-router for web head management is legitimate and expected.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Publisher change to expo-bot is consistent with Expo's CI/CD automation for canary releases; stable for this package.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): 14 new dependencies are all established packages supporting new UI features in this major version; expected and legitimate.	ai	2026/04/22
source-diff	large-new-source-files	AI (source-diff): 251 new files align with major version feature additions (tabs, drawer, split-view, toolbar); expected for v7.0.0.	ai	2026/04/22
maintainer-change	maintainer-removed	AI (maintainer-change): Maintainer removal is expected in Expo's monorepo structure; expo-bot is the canonical publisher for canary releases.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainer addition is normal for active projects; no compromise indicators present.	ai	2026/04/22
dependencies	unvetted-dep:@expo/server	AI (dependencies): @expo/server is from the Expo organization; unvetted status is expected for internal ecosystem packages.	ai	2026/04/22
dependencies	unvetted-dep:@radix-ui/react-tabs	AI (dependencies): Radix UI is a well-established, widely-used component library; unvetted status is a false positive for this ecosystem-standard dependency.	ai	2026/04/22
phantom-deps	phantom-dep:client-only	AI (phantom-deps): client-only is a legitimate marker package used in config; phantom-dep status is expected and benign.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Canary releases from CI/CD may not have provenance; acceptable for pre-release versions from trusted publishers.	ai	2026/04/21

Versions (showing 100 of 237)

Hide prereleases

Version	Deps	Published
56.2.8	28 / 22	2026-05-29
56.2.7	28 / 22	2026-05-26
56.2.6	28 / 22	2026-05-23
56.2.5	28 / 22	2026-05-21
56.2.4	28 / 22	2026-05-21
56.2.3	28 / 22	2026-05-20
56.2.2	29 / 22	2026-05-19
56.2.1	29 / 22	2026-05-15
56.2.0	29 / 22	2026-05-14
56.1.4	29 / 22	2026-05-13
56.1.3	29 / 22	2026-05-12
56.1.2	29 / 22	2026-05-11
56.1.1	29 / 22	2026-05-08
56.1.0	28 / 22	2026-05-07
56.0.4	29 / 21	2026-05-06
56.0.3	29 / 21	2026-05-06
56.0.2	29 / 21	2026-05-06
56.0.1	29 / 20	2026-05-05
56.0.0	29 / 20	2026-05-05
55.0.16	26 / 8	2026-05-21
55.0.15	26 / 8	2026-05-19
55.0.14	26 / 8	2026-05-05
55.0.13	26 / 8	2026-04-21
55.0.12	26 / 8	2026-04-10
55.0.11	26 / 8	2026-04-07
55.0.10	26 / 8	2026-04-02
55.0.9	26 / 8	2026-04-02
55.0.8	26 / 8	2026-03-27
55.0.7	26 / 8	2026-03-18
55.0.6	26 / 8	2026-03-17
55.0.5	26 / 8	2026-03-11
55.0.4	26 / 8	2026-03-05
55.0.3	26 / 8	2026-02-26
55.0.2	26 / 8	2026-02-25
55.0.1	27 / 8	2026-02-25
55.0.0	27 / 8	2026-02-25
6.0.24	23 / 9	2026-05-28
6.0.23	23 / 9	2026-01-31
6.0.22	23 / 9	2026-01-20
6.0.21	23 / 9	2025-12-18
6.0.20	23 / 9	2025-12-17
6.0.19	23 / 9	2025-12-12
6.0.18	23 / 9	2025-12-11
6.0.17	23 / 9	2025-12-05
6.0.16	23 / 9	2025-12-04
6.0.15	23 / 9	2025-11-17
6.0.14	23 / 9	2025-10-28
6.0.13	23 / 9	2025-10-20
6.0.12	23 / 9	2025-10-10
6.0.11	23 / 9	2025-10-09
6.0.10	23 / 9	2025-10-01
6.0.9	23 / 9	2025-10-01
6.0.8	23 / 9	2025-09-22
6.0.7	23 / 9	2025-09-18
6.0.6	23 / 9	2025-09-16
6.0.5	23 / 9	2025-09-16
6.0.4	23 / 9	2025-09-13
6.0.3	22 / 9	2025-09-12
6.0.2	22 / 9	2025-09-12
6.0.1	23 / 9	2025-09-11
6.0.0	23 / 9	2025-09-10
5.1.11	14 / 8	2026-01-31
5.1.10	14 / 8	2025-12-12
5.1.9	14 / 8	2025-12-11
5.1.8	14 / 8	2025-12-05
5.1.7	14 / 8	2025-09-22
5.1.6	14 / 8	2025-09-09
5.1.5	14 / 8	2025-08-22
5.1.4	14 / 8	2025-07-18
5.1.3	14 / 8	2025-07-03
5.1.2	14 / 8	2025-07-01
5.1.1	14 / 8	2025-06-26
5.1.0	14 / 8	2025-06-11
5.0.7	14 / 8	2025-05-13
5.0.6	14 / 8	2025-05-06
5.0.5	14 / 8	2025-05-02
5.0.4	14 / 8	2025-05-01
5.0.3	14 / 8	2025-04-28
5.0.2	14 / 8	2025-04-28
4.0.22	13 / 7	2025-12-16
4.0.21	13 / 7	2025-05-05
4.0.20	13 / 7	2025-04-02
4.0.19	13 / 7	2025-03-14
4.0.18	13 / 7	2025-03-11
4.0.17	13 / 7	2025-01-19
4.0.16	13 / 7	2025-01-08
4.0.15	13 / 7	2024-12-24
4.0.14	13 / 7	2024-12-19
4.0.13	13 / 7	2024-12-16
4.0.12	14 / 7	2024-12-10
4.0.11	13 / 7	2024-12-02
4.0.10	13 / 7	2024-11-29
4.0.9	13 / 7	2024-11-22
4.0.8	13 / 7	2024-11-22
4.0.7	13 / 7	2024-11-19
4.0.6	13 / 7	2024-11-15
4.0.5	13 / 7	2024-11-13
4.0.4	12 / 7	2024-11-13
4.0.3	12 / 7	2024-11-13
4.0.2	12 / 7	2024-11-11

Showing 100 of 237 Next page →