metro — Greenflagged

🚇 The JavaScript bundler for React Native.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

fbmetro-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@babel/core	AI (phantom-deps): Framework-scoped dep loaded by convention in Metro's transform pipeline.	ai	2026/04/28
phantom-deps	phantom-dep:metro-transform-worker	AI (phantom-deps): Sibling monorepo package loaded dynamically by worker path; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:metro-babel-transformer	AI (phantom-deps): Sibling monorepo package loaded by convention; stable false positive.	ai	2026/04/28
phantom-deps	phantom-dep:source-map	AI (phantom-deps): source-map is a declared runtime dep used transitively via config; stable false positive for this package.	ai	2026/04/28
semgrep	semgrep:env-spread	AI (semgrep): Passing process.env to jest-worker child processes is standard build-tool behavior for Metro.	ai	2026/04/28
phantom-deps	phantom-dep:hermes-parser	AI (phantom-deps): hermes-parser is a declared runtime dep used via config/plugin loading; stable false positive for this package.	ai	2026/04/28
semgrep	semgrep:dynamic-require	AI (semgrep): Loads user-configured asset plugins by design; documented extension point in Metro.	ai	2026/04/28
semgrep	semgrep:hex-decode	AI (semgrep): Buffer.from(sha1, 'hex') constructs a cache key from a SHA1 hash — not a malicious payload.	ai	2026/04/28

Versions (showing 17 of 17)

Version	Deps	Published
0.84.4	39 / 17	2026-04-30
0.84.2	40 / 17	2026-02-27
0.84.1	40 / 17	2026-02-25
0.84.0	40 / 16	2026-02-20
0.83.7	39 / 17	2026-04-29
0.83.6	40 / 17	2026-04-13
0.83.5	40 / 17	2026-03-01
0.83.4	40 / 16	2026-02-20
0.83.3	40 / 14	2025-10-01
0.83.2	40 / 14	2025-09-18
0.83.1	40 / 14	2025-07-24
0.83.0	40 / 14	2025-07-13
0.82.5	40 / 14	2025-07-06
0.82.4	40 / 14	2025-05-21
0.82.3	40 / 14	2025-05-06
0.82.2	40 / 13	2025-04-29
0.81.5	40 / 14	2025-05-06

v0.84.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.84.2

2 findings

HIGH env-spread: src/DeltaBundler/WorkerFarm.js:66 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/facebook/metro/blob/01b4ad617f940c01df1616d10562affb879ac25d/src/DeltaBundler/WorkerFarm.js#L66 64 | } 65 | _makeFarm(absoluteWorkerPath, exposedMethods, numWorkers) { > 66 | const env = { 67 | ...process.env, 68 | FORCE_COLOR: 1,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.84.1

2 findings

HIGH env-spread: src/DeltaBundler/WorkerFarm.js:66 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/facebook/metro/blob/1d59131ebf39a5724d722fe7ea8507bf67abb946/src/DeltaBundler/WorkerFarm.js#L66 64 | } 65 | _makeFarm(absoluteWorkerPath, exposedMethods, numWorkers) { > 66 | const env = { 67 | ...process.env, 68 | FORCE_COLOR: 1,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.84.0

2 findings

HIGH env-spread: src/DeltaBundler/WorkerFarm.js:66 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/facebook/metro/blob/61815654746ec99e1361e52309bc345b476af170/src/DeltaBundler/WorkerFarm.js#L66 64 | } 65 | _makeFarm(absoluteWorkerPath, exposedMethods, numWorkers) { > 66 | const env = { 67 | ...process.env, 68 | FORCE_COLOR: 1,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.83.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.83.6

2 findings

HIGH env-spread: src/DeltaBundler/WorkerFarm.js:66 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/facebook/metro/blob/3eecb5a80c6d862affb69b858a7027bdf4fcb579/src/DeltaBundler/WorkerFarm.js#L66 64 | } 65 | _makeFarm(absoluteWorkerPath, exposedMethods, numWorkers) { > 66 | const env = { 67 | ...process.env, 68 | FORCE_COLOR: 1,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.83.5

2 findings

HIGH env-spread: src/DeltaBundler/WorkerFarm.js:66 semgrep

Spreading entire process.env into an object — may capture all secrets Source: https://github.com/facebook/metro/blob/5a62201b5685763561f64db9bc6cfcffddbd2671/src/DeltaBundler/WorkerFarm.js#L66 64 | } 65 | _makeFarm(absoluteWorkerPath, exposedMethods, numWorkers) { > 66 | const env = { 67 | ...process.env, 68 | FORCE_COLOR: 1,

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.83.4

2 findings

HIGH env-spread: src/DeltaBundler/WorkerFarm.js:66 semgrep

Spreading entire process.env into an object — may capture all secrets Source: ssh://[email protected]/facebook/metro/blob/c3318e4b720b9767d34f96ab22741404e6f3cba3/src/DeltaBundler/WorkerFarm.js#L66 64 | } 65 | _makeFarm(absoluteWorkerPath, exposedMethods, numWorkers) { > 66 | const env = { 67 | ...process.env, 68 | FORCE_COLOR: 1,