
expo-server

Server API for Expo Router projects

Versions: 27
License: MIT
Install scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

SLSA provenance: No
npm registry signatures
gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

ide, brentvatne, evanbacon, expoadmin, exponent, bycedric, kudochien, alanhughes, tsapeta, expo-bot, philpl, wschurman

Keywords

expo

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
provenance | missing-githead | AI (provenance): expo-bot is Expo's automated publishing account; canary releases from this pipeline consistently lack gitHead without indicating compromise. | ai |
maintainer-change | maintainer-removed | AI (maintainer-change): Expo team reorganization and transition to expo-bot automation accounts for maintainer list changes; not indicative of a takeover for this official Expo package. | ai |
publish-pattern | suspicious-version-number | AI (publish-pattern): Canary version naming with date and commit hash suffix is standard Expo pre-release practice, not a malicious pattern. | ai |
npm-metadata | suspicious-initial-version | AI (npm-metadata): Version 0.0.0 is a known placeholder pattern used by the trusted publisher evanbacon; package has 62 versions and 1139 days of history — not a throwaway. | ai |
bogus-package | bogus-package | AI (bogus-package): Structural signals reflect a namespace placeholder from a highly trusted publisher (evanbacon, 1372 approved packages). No malicious content present. | ai |
provenance | publisher-changed | AI (provenance): expo-bot is the established automated publishing account for the Expo ecosystem; the transition from human maintainer brentvatne to expo-bot is a known, legitimate pattern. | ai |

Versions (showing 27 of 27)

Version Deps Published
56.0.4 0 / 5
56.0.3 0 / 5
56.0.2 0 / 5
56.0.1 0 / 5
56.0.0 0 / 5
55.0.11 0 / 4
55.0.10 0 / 4
55.0.9 0 / 4
55.0.8 0 / 4
55.0.7 0 / 4
55.0.6 0 / 4
55.0.5 0 / 4
55.0.4 0 / 4
55.0.3 0 / 4
55.0.2 0 / 4
55.0.1 0 / 4
55.0.0 0 / 4
1.0.7 0 / 3
1.0.6 0 / 3
1.0.5 0 / 3
1.0.4 0 / 3
1.0.3 0 / 3
1.0.2 0 / 3
1.0.1 0 / 3
1.0.0 0 / 3
0.0.1 0 / 3
0.0.0 0 / 0

v56.0.4

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v56.0.3

2 findings
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO: Publisher changed: brentvatne → alanhughes (on 2026-05-19) (source: provenance)

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.

v56.0.2

2 findings
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO: Publisher changed: alanhughes → brentvatne (on 2026-05-14) (source: provenance)

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-14. This could indicate a legitimate maintainer transition or an account compromise.

v56.0.1

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v56.0.0

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v55.0.11

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v55.0.10

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v55.0.9

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.7

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v1.0.6

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.0

1 finding
LOW: No provenance attestation (source: provenance)

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.