react-native-svg — Greenflagged

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures No source commit

Maintainers

swm-botbrentvatnejake7

Keywords

react-componentreact-nativeiosandroidwindowsSVGARTVMLgradient

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): Transition to GitHub Actions CI/CD publishing with SLSA provenance; legitimate for this package.	ai	2026/05/12
provenance	missing-githead	AI (provenance): Consistent with CI/CD publish migration; SLSA provenance compensates.	ai	2026/05/12

Versions (showing 10 of 10)

Version	Deps	Published
15.15.5	2 / 42	2026-05-11
15.15.4	3 / 43	2026-03-18
15.15.3	3 / 43	2026-02-09
15.15.2	3 / 43	2026-02-03
15.15.1	3 / 43	2025-12-01
15.15.0	3 / 43	2025-11-12
15.14.0	3 / 43	2025-10-08
15.13.0	3 / 43	2025-09-09
15.12.1	3 / 43	2025-07-31
15.12.0	3 / 43	2025-05-12

v15.15.5

3 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: GitHub Actions.

HIGH Publisher changed: jake7 → GitHub Actions (on 2026-05-11) provenance

This version was published by a different npm account than previous versions on 2026-05-11. This could indicate a legitimate maintainer transition or an account compromise.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.