react-hot-loader — Greenflagged

Tweak React components in real time.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

gaearonmontogeekneozirokasheycalescewkwiatek

Keywords

reactjavascriptwebpackhmrlivereloadliveedithotloaderreload

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:redbox-react	AI (phantom-deps): redbox-react is used as a configurable error overlay; referenced in config rather than direct import is expected.	ai	2026/04/24
source-diff	source-size-tripled	AI (source-diff): Major version bump (1.x → 3.x) with a complete rewrite; 28KB total is modest and expected.	ai	2026/04/24
maintainer-change	maintainer-added	AI (maintainer-change): Known collaborators added to a multi-maintainer project; consistent with react-hot-loader's public contributor history.	ai	2026/04/24
provenance	publisher-changed	AI (provenance): Legitimate maintainer transition for react-hot-loader; neoziro is a well-established publisher with strong track record (537 approved, 0 rejected).	ai	2026/04/24
provenance	no-provenance	AI (provenance): Established package with 180 versions and strong ecosystem trust; lack of provenance attestation is a hygiene issue, not a security risk for this package.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): source-map is a canonical, trusted Mozilla-maintained package; its addition to a hot-reloading dev tool is entirely expected and benign.	ai	2026/04/24
phantom-deps	phantom-dep:@types/react	AI (phantom-deps): @types/react is a TypeScript types package loaded by convention, not direct import. Stable false positive for this package.	ai	2026/04/24
phantom-deps	phantom-dep:global	AI (phantom-deps): `global` is a declared runtime dependency used indirectly; phantom-dep finding is a false positive for this package.	ai	2026/04/24
dependencies	unvetted-dep:fast-levenshtein	AI (dependencies): fast-levenshtein is a well-known, widely-used string distance library with no security concerns. Stable false positive for this package.	ai	2026/04/24
bogus-package	bogus-package	AI (bogus-package): gaearon is Dan Abramov, a legitimate React core team member and creator of this package. The spam flag is a false positive. README off-topic content is standard OSS sponsorship/collective links.	ai	2026/04/23
publish-pattern	dormant-publish	AI (publish-pattern): react-hot-loader is a mature, stable package largely superseded by React Fast Refresh. Long dormancy followed by a minor maintenance release is expected for this package's lifecycle stage.	ai	2026/04/23
semgrep	semgrep:eval-usage	AI (semgrep): eval() is used solely as a CSP detection probe (try/catch pattern to check if eval is allowed). This is a documented, benign pattern in hot-reloading tools.	ai	2026/04/23

Versions (showing 51 of 118)

View all versions

Version	Deps	Published
4.13.1	8 / 46	2022-11-13
4.13.0	8 / 46	2020-09-22
4.12.21	8 / 45	2020-04-30
4.12.20	8 / 45	2020-03-14
4.12.19	8 / 45	2020-01-22
4.12.18	8 / 45	2019-11-16
4.12.17	8 / 45	2019-11-12
4.12.16	9 / 44	2019-11-06
4.12.15	8 / 45	2019-10-08
4.12.14	8 / 45	2019-09-23
4.12.13	8 / 45	2019-09-12
4.12.12	8 / 45	2019-08-27
4.12.11	8 / 45	2019-08-12
4.12.10	8 / 44	2019-07-27
4.12.9	8 / 44	2019-07-23
4.12.8	8 / 44	2019-07-18
4.12.7	8 / 44	2019-07-16
4.12.6	8 / 44	2019-07-10
4.12.5	8 / 44	2019-07-07
4.12.4	8 / 44	2019-07-06
4.12.3	9 / 44	2019-07-04
4.12.2	9 / 44	2019-07-03
4.12.1	9 / 44	2019-07-03
4.12.0	9 / 44	2019-06-30
4.11.2	9 / 44	2019-06-30
4.11.1	9 / 44	2019-06-15
4.11.0	9 / 44	2019-06-10
4.10.0	9 / 44	2019-06-02
4.9.0	9 / 44	2019-06-02
4.8.8	9 / 44	2019-05-23
4.8.7	9 / 44	2019-05-20
4.8.6	9 / 44	2019-05-18
4.8.5	9 / 44	2019-05-16
4.8.4	9 / 43	2019-04-15
4.8.3	9 / 43	2019-04-05
4.8.2	9 / 43	2019-03-30
4.8.0	9 / 43	2019-03-07
4.7.2	9 / 43	2019-03-04
4.7.1	9 / 43	2019-02-20
4.7.0	9 / 43	2019-02-18
4.6.5	9 / 43	2019-01-31
4.6.4	9 / 43	2019-01-31
4.6.3	9 / 43	2018-12-19
4.6.2	9 / 43	2018-12-18
4.6.1	9 / 43	2018-12-17
4.6.0	9 / 43	2018-12-13
4.5.3	9 / 42	2018-12-07
4.5.2	9 / 42	2018-12-06
4.5.1	9 / 42	2018-11-21
4.5.0	8 / 42	2018-11-20
4.4.0	7 / 42	2018-11-10