preact
Fast 3kb React-compatible Virtual DOM library.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| install-scripts | install-script:postinstall | AI (install-scripts): Postinstall only prints a donation message via console.log; no network/fs/exec calls. Benign for preact. | ai | |
| typosquat | typosquat.levenshtein:react | AI (typosquat): Preact is a well-established, legitimate alternative to React (16.6M downloads, 10+ years old). Not a typosquat. | ai | |
| provenance | publisher-changed | AI (provenance): Both jdecroock and marvinhagemeister are known Preact core team members; publisher rotation is expected for this package. | ai | |
| provenance | no-provenance | AI (provenance): Preact predates Sigstore provenance; absence is expected and not a risk signal for this established package. | ai | |
| source-diff | obfuscated-file:compat/dist/compat.module.js | AI (source-diff): Standard minified distribution bundle for Preact's compat layer; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/preact.module.js | AI (source-diff): Standard bundled distribution file for Preact core; not obfuscated. | ai | |
| source-diff | obfuscated-file:debug/dist/debug.module.js | AI (source-diff): Standard minified distribution bundle for Preact's debug module; not obfuscated. | ai | |
| source-diff | obfuscated-file:hooks/dist/hooks.module.js | AI (source-diff): Standard minified distribution bundle for Preact's hooks module; not obfuscated. | ai | |
| source-diff | obfuscated-file:dist/preact.min.module.js | AI (source-diff): Standard minified distribution bundle for Preact core; not obfuscated. | ai | |
Versions (showing 100 of 220)
| Version | Deps | Published |
|---|---|---|
| 10.4.4 | 0 / 45 | |
| 10.4.3 | 0 / 45 | |
| 10.4.2 | 0 / 45 | |
| 10.4.1 | 0 / 45 | |
| 10.4.0 | 0 / 45 | |
| 10.3.4 | 0 / 46 | |
| 10.3.3 | 0 / 46 | |
| 10.3.2 | 0 / 46 | |
| 10.3.1 | 0 / 46 | |
| 10.3.0 | 0 / 46 | |
| 10.2.1 | 0 / 45 | |
| 10.2.0 | 0 / 45 | |
| 10.1.1 | 0 / 45 | |
| 10.1.0 | 0 / 44 | |
| 10.0.5 | 0 / 44 | |
| 10.0.4 | 0 / 41 | |
| 10.0.3 | 0 / 41 | |
| 10.0.2 | 0 / 41 | |
| 10.0.1 | 0 / 41 | |
| 10.0.0 | 0 / 41 | |
| 8.5.3 | 0 / 48 | |
| 8.5.2 | 0 / 48 | |
| 8.5.1 | 0 / 48 | |
| 8.5.0 | 0 / 48 | |
| 8.4.2 | 0 / 48 | |
| 8.4.1 | 0 / 48 | |
| 8.4.0 | 0 / 48 | |
| 8.3.1 | 0 / 48 | |
| 8.3.0 | 0 / 48 | |
| 8.2.9 | 0 / 47 | |
| 8.2.8 | 0 / 47 | |
| 8.2.7 | 0 / 46 | |
| 8.2.6 | 0 / 46 | |
| 8.2.5 | 0 / 45 | |
| 8.2.4 | 0 / 45 | |
| 8.2.3 | 0 / 45 | |
| 8.2.2 | 0 / 45 | |
| 8.2.1 | 0 / 45 | |
| 8.2.0 | 0 / 45 | |
| 8.1.0 | 0 / 42 | |
| 8.0.1 | 0 / 42 | |
| 8.0.0 | 0 / 42 | |
| 7.2.1 | 0 / 41 | |
| 7.2.0 | 0 / 41 | |
| 7.1.0 | 0 / 41 | |
| 7.0.3 | 0 / 39 | |
| 7.0.2 | 0 / 39 | |
| 7.0.1 | 0 / 39 | |
| 6.4.0 | 0 / 38 | |
| 6.3.0 | 0 / 37 | |
| 6.2.1 | 0 / 37 | |
| 6.2.0 | 0 / 37 | |
| 6.1.0 | 0 / 37 | |
| 6.0.2 | 0 / 37 | |
| 6.0.1 | 0 / 37 | |
| 6.0.0 | 0 / 36 | |
| 5.7.0 | 0 / 36 | |
| 5.6.0 | 0 / 36 | |
| 5.5.0 | 0 / 35 | |
| 5.4.1 | 0 / 35 | |
| 5.4.0 | 0 / 35 | |
| 5.3.2 | 0 / 35 | |
| 5.3.1 | 0 / 35 | |
| 5.3.0 | 0 / 35 | |
| 4.8.0 | 0 / 32 | |
| 4.7.2 | 0 / 30 | |
| 4.7.1 | 0 / 30 | |
| 4.7.0 | 0 / 30 | |
| 4.6.3 | 0 / 30 | |
| 4.6.2 | 0 / 30 | |
| 4.6.1 | 0 / 30 | |
| 4.6.0 | 0 / 30 | |
| 4.5.1 | 0 / 30 | |
| 4.5.0 | 0 / 30 | |
| 4.4.0 | 0 / 30 | |
| 4.3.2 | 0 / 30 | |
| 4.3.1 | 0 / 30 | |
| 4.3.0 | 0 / 30 | |
| 4.2.0 | 0 / 30 | |
| 4.1.3 | 0 / 29 | |
| 4.1.2 | 0 / 29 | |
| 4.1.1 | 0 / 29 | |
| 4.1.0 | 0 / 29 | |
| 4.0.1 | 0 / 29 | |
| 4.0.0 | 0 / 29 | |
| 3.4.0 | 0 / 29 | |
| 3.3.0 | 0 / 29 | |
| 3.2.0 | 0 / 29 | |
| 3.1.0 | 0 / 29 | |
| 3.0.2 | 0 / 29 | |
| 3.0.1 | 0 / 29 | |
| 3.0.0 | 0 / 28 | |
| 2.8.3 | 0 / 28 | |
| 2.8.2 | 0 / 28 | |
| 2.8.1 | 0 / 28 | |
| 2.8.0 | 0 / 28 | |
| 2.7.3 | 0 / 28 | |
| 2.7.2 | 0 / 28 | |
| 2.7.1 | 0 / 28 | |
| 2.7.0 | 0 / 28 | |
v10.4.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.4.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.4.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.4.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.4.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.3.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.3.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.3.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.3.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.3.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.2.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.2.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.1.1
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.1.0
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.5
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.4
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.3
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.2
1 finding
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.1
2 findings
Script: node -e "console.log('\u001b[35m\u001b[1mLove Preact? You can now donate to our open collective:\u001b[22m\u001b[39m\n > \u001b[34mhttps://opencollective.com/preact/donate\u001b[0m')"
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v10.0.0
2 findings
Script: node -e "console.log('\u001b[35m\u001b[1mLove Preact? You can now donate to our open collective:\u001b[22m\u001b[39m\n > \u001b[34mhttps://opencollective.com/preact/donate\u001b[0m')"
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.