preact — Greenflagged

Fast 3kb React-compatible Virtual DOM library.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

preactjsdevelopitmarvinhagemeisterdrewiggjdecroockrschristian

Keywords

preactreactuiuser interfacevirtual domvdomcomponentsdom difffront-endframework

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall only prints a donation message via console.log; no network/fs/exec calls. Benign for preact.	ai	2026/04/24
typosquat	typosquat.levenshtein:react	AI (typosquat): Preact is a well-established, legitimate alternative to React (16.6M downloads, 10+ years old). Not a typosquat.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Both jdecroock and marvinhagemeister are known Preact core team members; publisher rotation is expected for this package.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Preact predates Sigstore provenance; absence is expected and not a risk signal for this established package.	ai	2026/04/24
source-diff	obfuscated-file:compat/dist/compat.module.js	AI (source-diff): Standard minified distribution bundle for Preact's compat layer; not obfuscated.	ai	2026/04/23
source-diff	obfuscated-file:dist/preact.module.js	AI (source-diff): Standard bundled distribution file for Preact core; not obfuscated.	ai	2026/04/23
source-diff	obfuscated-file:debug/dist/debug.module.js	AI (source-diff): Standard minified distribution bundle for Preact's debug module; not obfuscated.	ai	2026/04/23
source-diff	obfuscated-file:hooks/dist/hooks.module.js	AI (source-diff): Standard minified distribution bundle for Preact's hooks module; not obfuscated.	ai	2026/04/23
source-diff	obfuscated-file:dist/preact.min.module.js	AI (source-diff): Standard minified distribution bundle for Preact core; not obfuscated.	ai	2026/04/23

Versions (showing 51 of 219)

Show 1 prerelease View all versions

Version	Deps	Published
10.29.2	0 / 37	2026-05-17
10.29.1	0 / 37	2026-04-03
10.29.0	0 / 37	2026-03-10
10.28.4	0 / 37	2026-02-19
10.28.3	0 / 37	2026-01-31
10.28.2	0 / 37	2026-01-06
10.27.3	0 / 37	2026-01-06
10.26.10	0 / 37	2026-01-06
10.26.4	0 / 41	2025-02-28
10.26.3	0 / 41	2025-02-27
10.26.2	0 / 46	2025-02-18
10.26.1	0 / 46	2025-02-18
10.26.0	0 / 46	2025-02-16
10.25.4	0 / 46	2024-12-28
10.25.3	0 / 46	2024-12-18
10.25.2	0 / 46	2024-12-12
10.25.1	0 / 50	2024-12-02
10.25.0	0 / 50	2024-11-22
10.24.3	0 / 50	2024-10-14
10.24.2	0 / 50	2024-10-04
10.24.1	0 / 50	2024-09-24
10.24.0	0 / 50	2024-09-14
10.23.2	0 / 50	2024-08-12
10.23.1	0 / 50	2024-07-25
10.23.0	0 / 50	2024-07-23
10.22.1	0 / 50	2024-07-01
10.22.0	0 / 53	2024-05-15
10.21.0	0 / 52	2024-04-30
10.20.2	0 / 52	2024-04-09
10.20.1	0 / 52	2024-03-23
10.20.0	0 / 52	2024-03-20
10.19.7	0 / 52	2024-03-18
10.19.6	0 / 52	2024-02-22
10.19.5	0 / 52	2024-02-16
10.19.4	0 / 52	2024-02-08
10.19.3	0 / 52	2023-12-08
10.19.2	0 / 52	2023-11-14
10.19.1	0 / 52	2023-11-11
10.19.0	0 / 52	2023-11-11
10.18.2	0 / 52	2023-11-03
10.18.1	0 / 52	2023-10-01
10.18.0	0 / 52	2023-09-28
10.17.1	0 / 52	2023-08-19
10.17.0	0 / 52	2023-08-14
10.16.0	0 / 52	2023-07-09
10.15.1	0 / 52	2023-05-27
10.15.0	0 / 52	2023-05-21
10.14.1	0 / 52	2023-05-16
10.14.0	0 / 52	2023-05-14
10.13.2	0 / 52	2023-03-27
10.13.1	0 / 52	2023-03-09

v10.29.2

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: jdecroock → GitHub Actions (on 2026-05-17) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-17. This could indicate a legitimate maintainer transition or an account compromise.

v10.29.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.29.0

6 findings

HIGH New obfuscated file: compat/dist/compat.module.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: debug/dist/debug.module.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: hooks/dist/hooks.module.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/preact.min.module.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/preact.module.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.28.4