react-native-screens — Greenflagged

Native navigation primitives for your React Native app.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

kkafarswm-bot

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:react-native-gradle-plugin	AI (dependencies): react-native-gradle-plugin is a platform-specific Android build tool dependency; its use in react-native-screens is expected and benign for this package.	ai	2026/04/23
phantom-deps	phantom-dep:react-native-gradle-plugin	AI (phantom-deps): Declared but not directly imported because it is a platform-specific binary package for Android Gradle builds; this pattern is stable for react-native-screens.	ai	2026/04/23
source-diff	large-new-source-files	AI (source-diff): v3.28.0 added Reanimated integration (evidenced by reanimated/index paths in package.json), naturally producing many new source files. No obfuscation or malicious patterns indicated.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): New maintainer tboba has clean history (115 approved, 0 rejected); legitimate transition for mature package.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Provenance attestation is not yet standard practice on npm; absence is not a security signal for established packages.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): react-freeze is a legitimate Software Mansion library intentionally added to react-native-screens for React 18 concurrent feature support; not a supply chain risk.	ai	2026/04/23
provenance	missing-githead	AI (provenance): Package transitioned to GitHub Actions CI publishing; missing gitHead is explained by the changed publish environment. SLSA provenance attestation provides stronger integrity assurance.	ai	2026/04/23
publish-pattern	suspicious-version-number	AI (publish-pattern): react-native-screens uses this nightly versioning pattern (date + commit hash suffix) for automated nightly CI builds; not a malware indicator for this package.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): Publisher transition from kacperkapusciak to tboba is legitimate; new publisher has strong track record.	ai	2026/04/22
install-scripts	install-script:postinstall	AI (install-scripts): Postinstall runs git submodule update and yarn install—standard monorepo setup, not arbitrary code execution.	ai	2026/04/22
dependencies	unvetted-dep:react-freeze	AI (dependencies): react-freeze is a legitimate React Native ecosystem package; its use in react-native-screens for subtree freezing is expected and stable across versions.	ai	2026/04/22

Versions (showing 100 of 117)

Show 340 prereleases

Version	Deps	Published
4.25.2	2 / 42	2026-05-21
4.25.1	2 / 42	2026-05-18
4.25.0	2 / 42	2026-05-11
4.24.0	2 / 41	2026-02-23
4.23.0	2 / 41	2026-02-06
4.22.0	2 / 41	2026-02-03
4.21.0	2 / 41	2026-02-02
4.20.0	2 / 41	2026-01-19
4.19.0	2 / 41	2025-12-15
4.18.0	2 / 41	2025-10-22
4.17.1	2 / 41	2025-10-15
4.17.0	2 / 41	2025-10-15
4.16.0	3 / 41	2025-09-04
4.15.4	3 / 41	2025-08-28
4.15.3	3 / 41	2025-08-26
4.15.2	3 / 41	2025-08-22
4.15.1	3 / 41	2025-08-21
4.15.0	3 / 41	2025-08-20
4.14.1	3 / 41	2025-08-14
4.14.0	3 / 41	2025-08-13
4.13.1	3 / 42	2025-07-17
4.13.0	3 / 42	2025-07-17
4.12.0	3 / 42	2025-07-16
4.11.1	3 / 42	2025-05-28
4.11.0	3 / 42	2025-05-27
4.10.0	2 / 40	2025-03-27
4.9.2	2 / 40	2025-03-12
4.9.1	2 / 40	2025-02-25
4.9.0	2 / 40	2025-02-21
4.8.0	2 / 40	2025-02-19
4.7.0	2 / 40	2025-02-18
4.6.0	2 / 40	2025-01-31
4.5.0	2 / 39	2025-01-10
4.4.0	2 / 40	2024-12-20
4.3.0	2 / 40	2024-11-21
4.2.0	2 / 40	2024-11-19
4.1.0	2 / 40	2024-11-14
4.0.0	2 / 40	2024-11-06
3.37.0	2 / 40	2025-03-07
3.36.0	2 / 40	2025-02-26
3.35.0	2 / 40	2024-10-25
3.34.1	2 / 40	2024-10-24
3.34.0	2 / 40	2024-08-05
3.33.0	2 / 40	2024-07-31
3.32.0	2 / 40	2024-06-18
3.31.1	2 / 40	2024-04-23
3.31.0	2 / 40	2024-04-23
3.30.1	2 / 40	2024-03-25
3.30.0	2 / 40	2024-03-25
3.29.0	2 / 39	2023-12-07
3.28.0	2 / 39	2023-12-07
3.27.0	2 / 39	2023-10-23
3.26.0	2 / 39	2023-10-17
3.25.0	2 / 41	2023-08-31
3.24.0	2 / 41	2023-08-04
3.23.0	2 / 41	2023-07-26
3.22.1	2 / 41	2023-07-06
3.22.0	2 / 41	2023-06-22
3.21.1	2 / 41	2023-06-19
3.21.0	2 / 41	2023-06-14
3.20.0	2 / 44	2023-02-13
3.19.0	2 / 44	2023-01-17
3.18.2	2 / 41	2022-10-14
3.18.1	2 / 41	2022-10-11
3.18.0	2 / 41	2022-10-04
3.17.0	2 / 41	2022-08-25
3.16.0	2 / 41	2022-08-19
3.15.0	2 / 41	2022-07-08
3.14.1	2 / 41	2022-07-04
3.14.0	2 / 41	2022-06-30
3.13.1	2 / 41	2022-03-03
3.13.0	2 / 41	2022-02-28
3.12.0	3 / 41	2022-02-17
3.11.1	2 / 41	2022-02-11
3.11.0	2 / 41	2022-02-09
3.10.2	2 / 41	2022-01-17
3.10.1	2 / 41	2021-12-07
3.10.0	2 / 41	2021-12-02
3.9.0	2 / 40	2021-10-29
3.8.0	1 / 40	2021-09-28
3.7.2	1 / 40	2021-09-14
3.7.1	1 / 40	2021-09-13
3.7.0	1 / 40	2021-09-09
3.6.0	1 / 39	2021-08-23
3.5.0	1 / 39	2021-08-03
3.4.0	1 / 37	2021-06-17
3.3.0	0 / 37	2021-05-24
3.2.0	0 / 37	2021-05-10
3.1.1	0 / 37	2021-04-14
3.1.0	0 / 37	2021-04-07
3.0.0	0 / 37	2021-03-30
2.18.1	0 / 37	2021-03-02
2.18.0	0 / 36	2021-02-25
2.17.1	0 / 36	2021-01-26
2.17.0	0 / 36	2021-01-25
2.16.1	0 / 36	2020-12-10
2.16.0	0 / 36	2020-12-10
2.15.2	0 / 36	2021-01-20
2.15.1	0 / 36	2021-01-19
2.15.0	0 / 36	2020-11-16

Showing 100 of 117 Next page →

v4.25.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.25.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.