← Home

next

npm Repository Homepage

The React Framework

5
Versions
MIT
License
No
Install Scripts
Verified
Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

matt.strakavercel-release-botzeit-bot

Keywords

reactframeworknextjswebservernodefront-endbackendclivercel

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
provenance publisher-changed AI (provenance): CI migration from vercel-release-bot to GitHub Actions; SLSA provenance confirms legitimate publish pipeline. ai
phantom-deps phantom-dep:styled-jsx AI (phantom-deps): styled-jsx is bundled into Next.js dist output via the build pipeline; direct source imports are not expected. This is a stable false positive for this package. ai
phantom-deps phantom-dep:baseline-browser-mapping AI (phantom-deps): baseline-browser-mapping is used by Next.js build tooling and bundled into dist; not directly imported in source. Stable false positive for this package. ai

Versions (showing 5 of 5)

Version Deps Published
16.2.6 6 / 221
16.2.5 6 / 221
16.2.4 6 / 221
16.2.3 6 / 221
15.5.15 5 / 221

v16.2.6

2 findings
HIGH Publisher changed: vercel-release-bot → GitHub Actions (on 2026-05-07) provenance

This version was published by a different npm account than previous versions on 2026-05-07. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v16.2.5

2 findings
HIGH Publisher changed: vercel-release-bot → GitHub Actions (on 2026-05-06) provenance

This version was published by a different npm account than previous versions on 2026-05-06. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v16.2.3

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v15.5.15

1 finding
INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.