react-native-macos
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:jsc-android | AI (phantom-deps): jsc-android is a platform-specific peer dep referenced in config; stable false positive for this package. | ai | |
| semgrep | semgrep:child-process-exec | AI (semgrep): exec() in runMacOS.js opens macOS apps by bundle ID — standard CLI toolchain behavior for a React Native macOS build tool. | ai | |
| semgrep | semgrep:child-process-spawn | AI (semgrep): spawn() in runMacOS.js invokes xcpretty for Xcode build output — expected behavior for a macOS build CLI tool. | ai | |
| phantom-deps | phantom-dep:@react-native/virtualized-lists | AI (phantom-deps): react-native-macos uses its own fork (@react-native-macos/virtualized-lists); declaring the upstream as a dep is a known compatibility pattern for this package. | ai | |
| provenance | no-provenance | AI (provenance): Microsoft's react-native-macos is a well-established package with 54 approved-dep edges and automated publishing; lack of Sigstore provenance is not a disqualifier here. | ai | |
| phantom-deps | phantom-dep:babel-jest | AI (phantom-deps): babel-jest is referenced in jest config files; phantom-dep detection is a false positive for config-file-only references in large frameworks. | ai | |
| phantom-deps | phantom-dep:flow-enums-runtime | AI (phantom-deps): flow-enums-runtime is a Flow type system runtime dependency referenced in config; expected for this package. | ai | |
| semgrep | semgrep:env-spread | AI (semgrep): Spreading process.env in runMacOS.js CLI tool is standard practice for passing developer environment to child processes. Not credential exfiltration. | ai | |
| phantom-deps | phantom-dep:babel-plugin-syntax-hermes-parser | AI (phantom-deps): Referenced in Babel config files; phantom-dep detection is a false positive for config-file-only references. | ai | |
| phantom-deps | phantom-dep:@react-native/gradle-plugin | AI (phantom-deps): Platform-specific binary package for Android/Gradle builds; not directly imported in JS but legitimately declared. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in loadBundleFromServer.js is React Native's intentional dev-mode hot reload mechanism, explicitly marked with eslint-disable and well-documented. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process usage in a CLI tool (cli.js) is expected for spawning build tools, packagers, and simulators. Standard for React Native CLI. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in cli.js delegates to @react-native-community/cli after resolving its path — standard CLI delegation pattern for React Native. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is a legitimate declared dependency used in config/platform-specific contexts in this large framework package. | ai | |
Versions (showing 36 of 36)
| Version | Deps | Published |
|---|---|---|
| 0.81.7 | 34 / 0 | |
| 0.81.6 | 34 / 0 | |
| 0.81.5 | 34 / 0 | |
| 0.81.4 | 34 / 0 | |
| 0.81.3 | 34 / 0 | |
| 0.81.2 | 34 / 0 | |
| 0.81.1 | 34 / 0 | |
| 0.81.0 | 34 / 0 | |
| 0.79.4 | 37 / 0 | |
| 0.79.1 | 37 / 0 | |
| 0.79.0 | 37 / 0 | |
| 0.78.6 | 36 / 0 | |
| 0.78.5 | 36 / 0 | |
| 0.78.4 | 36 / 0 | |
| 0.77.7 | 37 / 0 | |
| 0.77.6 | 37 / 0 | |
| 0.77.5 | 37 / 0 | |
| 0.77.4 | 37 / 0 | |
| 0.76.12 | 38 / 0 | |
| 0.76.11 | 38 / 0 | |
| 0.76.10 | 38 / 0 | |
| 0.75.34 | 39 / 0 | |
| 0.75.33 | 39 / 0 | |
| 0.75.32 | 39 / 0 | |
| 0.75.31 | 39 / 0 | |
| 0.75.30 | 39 / 0 | |
| 0.75.29 | 39 / 0 | |
| 0.75.28 | 39 / 0 | |
| 0.74.37 | 39 / 0 | |
| 0.74.36 | 39 / 0 | |
| 0.74.35 | 39 / 0 | |
| 0.74.34 | 39 / 0 | |
| 0.74.33 | 39 / 0 | |
| 0.74.32 | 39 / 0 | |
| 0.74.31 | 39 / 0 | |
| 0.74.30 | 39 / 0 | |
v0.81.7
3 findings:
Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/microsoft/react-native-macos/blob/49b7a9053319230e1afb5112b5d60523527f0040/local-cli/runMacOS/runMacOS.js#L314

```js
  312 | if (packager) {
  313 |   return {
> 314 |     env: {
  315 |       ...process.env,
  316 |       RCT_TERMINAL: terminal,
```

Spreading entire process.env into an object — may capture all secrets
Source: https://github.com/microsoft/react-native-macos/blob/49b7a9053319230e1afb5112b5d60523527f0040/local-cli/runMacOS/runMacOS.js#L323

```js
  321 |
  322 | return {
> 323 |   env: {
  324 |     ...process.env,
  325 |     RCT_TERMINAL: terminal,
```

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.6
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.3
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.79.4
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.79.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.79.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.78.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.78.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.77.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.77.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.77.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.77.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.76.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.76.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.76.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.75.34
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.75.33
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.75.32
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.75.31
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.75.30
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.75.29
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.75.28
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.37
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.36
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.35
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.34
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.33
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.32
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.74.31
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.74.30
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.