preact — Greenflagged

Fast 3kb React-compatible Virtual DOM library.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

preactjsdevelopitmarvinhagemeisterdrewiggjdecroockrschristian

Keywords

preactreactuiuser interfacevirtual domvdomcomponentsdom difffront-endframework

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall only prints a donation message via console.log; no network/fs/exec calls. Benign for preact.	ai	2026/04/24
typosquat	typosquat.levenshtein:react	AI (typosquat): Preact is a well-established, legitimate alternative to React (16.6M downloads, 10+ years old). Not a typosquat.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Both jdecroock and marvinhagemeister are known Preact core team members; publisher rotation is expected for this package.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Preact predates Sigstore provenance; absence is expected and not a risk signal for this established package.	ai	2026/04/24
source-diff	obfuscated-file:compat/dist/compat.module.js	AI (source-diff): Standard minified distribution bundle for Preact's compat layer; not obfuscated.	ai	2026/04/23
source-diff	obfuscated-file:dist/preact.module.js	AI (source-diff): Standard bundled distribution file for Preact core; not obfuscated.	ai	2026/04/23
source-diff	obfuscated-file:debug/dist/debug.module.js	AI (source-diff): Standard minified distribution bundle for Preact's debug module; not obfuscated.	ai	2026/04/23
source-diff	obfuscated-file:hooks/dist/hooks.module.js	AI (source-diff): Standard minified distribution bundle for Preact's hooks module; not obfuscated.	ai	2026/04/23
source-diff	obfuscated-file:dist/preact.min.module.js	AI (source-diff): Standard minified distribution bundle for Preact core; not obfuscated.	ai	2026/04/23

Versions (showing 100 of 220)

Hide prereleases

Version	Deps	Published
10.29.2	0 / 37	2026-05-17
10.29.1	0 / 37	2026-04-03
10.29.0	0 / 37	2026-03-10
10.28.4	0 / 37	2026-02-19
10.28.3	0 / 37	2026-01-31
10.28.2	0 / 37	2026-01-06
10.27.3	0 / 37	2026-01-06
10.26.10	0 / 37	2026-01-06
10.26.4	0 / 41	2025-02-28
10.26.3	0 / 41	2025-02-27
10.26.2	0 / 46	2025-02-18
10.26.1	0 / 46	2025-02-18
10.26.0	0 / 46	2025-02-16
10.25.4	0 / 46	2024-12-28
10.25.3	0 / 46	2024-12-18
10.25.2	0 / 46	2024-12-12
10.25.1	0 / 50	2024-12-02
10.25.0	0 / 50	2024-11-22
10.24.3	0 / 50	2024-10-14
10.24.2	0 / 50	2024-10-04
10.24.1	0 / 50	2024-09-24
10.24.0	0 / 50	2024-09-14
10.23.2	0 / 50	2024-08-12
10.23.1	0 / 50	2024-07-25
10.23.0	0 / 50	2024-07-23
10.22.1	0 / 50	2024-07-01
10.22.0	0 / 53	2024-05-15
10.21.0	0 / 52	2024-04-30
10.20.2	0 / 52	2024-04-09
10.20.1	0 / 52	2024-03-23
10.20.0	0 / 52	2024-03-20
10.19.7	0 / 52	2024-03-18
10.19.6	0 / 52	2024-02-22
10.19.5	0 / 52	2024-02-16
10.19.4	0 / 52	2024-02-08
10.19.3	0 / 52	2023-12-08
10.19.2	0 / 52	2023-11-14
10.19.1	0 / 52	2023-11-11
10.19.0	0 / 52	2023-11-11
10.18.2	0 / 52	2023-11-03
10.18.1	0 / 52	2023-10-01
10.18.0	0 / 52	2023-09-28
10.17.1	0 / 52	2023-08-19
10.17.0	0 / 52	2023-08-14
10.16.0	0 / 52	2023-07-09
10.15.1	0 / 52	2023-05-27
10.15.0	0 / 52	2023-05-21
10.14.1	0 / 52	2023-05-16
10.14.0	0 / 52	2023-05-14
10.13.2	0 / 52	2023-03-27
10.13.1	0 / 52	2023-03-09
10.13.0	0 / 52	2023-02-24
10.12.1	0 / 52	2023-02-09
10.12.0	0 / 52	2023-02-06
10.11.3	0 / 52	2022-11-14
10.11.2	0 / 52	2022-10-15
10.11.1	0 / 52	2022-10-04
10.11.0	0 / 52	2022-09-12
10.10.6	0 / 51	2022-08-19
10.10.5	0 / 51	2022-08-19
10.10.4	0 / 51	2022-08-18
10.10.3	0 / 51	2022-08-16
10.10.2	0 / 51	2022-08-10
10.10.1	0 / 51	2022-08-05
10.10.0	0 / 51	2022-07-13
10.9.0	0 / 51	2022-07-06
10.8.2	0 / 51	2022-06-22
10.8.1	0 / 51	2022-06-16
10.8.0	0 / 51	2022-06-14
10.7.3	0 / 51	2022-06-01
10.7.2	0 / 51	2022-05-06
10.7.1	0 / 51	2022-04-05
10.7.0	0 / 51	2022-03-29
10.6.6	0 / 52	2022-02-14
10.6.5	0 / 52	2022-01-27
10.6.4	0 / 48	2021-12-09
10.6.3	0 / 48	2021-12-08
10.6.2	0 / 48	2021-11-29
10.6.1	0 / 48	2021-11-25
10.6.0	0 / 48	2021-11-23
10.5.15	0 / 48	2021-10-12
10.5.14	0 / 48	2021-07-01
10.5.13	0 / 48	2021-03-14
10.5.12	0 / 48	2021-01-26
10.5.11	0 / 48	2021-01-20
10.5.10	0 / 48	2021-01-14
10.5.9	0 / 49	2021-01-03
10.5.8	0 / 47	2020-12-30
10.5.7	0 / 47	2020-11-12
10.5.6	0 / 47	2020-11-12
10.5.5	0 / 46	2020-10-18
10.5.4	0 / 46	2020-10-05
10.5.3	0 / 46	2020-09-28
10.5.2	0 / 45	2020-09-23
10.5.1	0 / 45	2020-09-23
10.5.0	0 / 45	2020-09-23
10.4.8	0 / 45	2020-08-26
10.4.7	0 / 45	2020-08-05
10.4.6	0 / 45	2020-07-14
10.4.5	0 / 45	2020-06-30

Showing 100 of 220 Next page →

v10.29.2

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: jdecroock → GitHub Actions (on 2026-05-17) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2026-05-17. This could indicate a legitimate maintainer transition or an account compromise.

v10.29.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.29.0

6 findings

HIGH New obfuscated file: compat/dist/compat.module.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: debug/dist/debug.module.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: hooks/dist/hooks.module.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/preact.min.module.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: dist/preact.module.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v10.28.4