react-native-web
React Native for Web
Versions: 51
License: MIT
Install Scripts: No
Provenance: Missing
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
necolas
Keywords
react, react-component, react-native, web
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:@react-native/normalize-color | AI (dependencies): @react-native/normalize-color is the official React Native color normalization package maintained by Meta; its use in react-native-web is expected and legitimate. | ai | |
| phantom-deps | phantom-dep:lodash.debounce | AI (phantom-deps): Phantom deps in build-heavy projects are normal; lodash.debounce is referenced in config files, not source imports. | ai | |
| phantom-deps | phantom-dep:react-textarea-autosize | AI (phantom-deps): Declared dependency referenced in config/example files but not directly imported in source; consistent with optional/conditional usage in this library. Not a security concern. | ai | |
| phantom-deps | phantom-dep:inline-style-prefixer | AI (phantom-deps): Phantom deps in build-heavy projects are normal; inline-style-prefixer is referenced in config files, not source imports. | ai | |
| dependencies | unvetted-dep:react-art | AI (dependencies): react-art is a legitimate React core team package used for SVG/canvas rendering; its inclusion in react-native-web is expected and appropriate across all versions. | ai | |
| dependencies | unvetted-dep:react-tappable | AI (dependencies): react-tappable is a legitimate React touch event library appropriate for react-native-web's touch interaction needs; stable false positive for this package. | ai | |
| provenance | missing-githead | AI (provenance): react-native-web is a well-established package by a trusted publisher; missing gitHead is consistent with a changed build environment during a major version bump, not a supply chain compromise. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All new dependencies (debounce, prop-types, deep-assign, etc.) are well-known React ecosystem utilities; addition is consistent with legitimate refactoring from lodash to smaller focused packages. | ai | |
| source-diff | obfuscated-file:dist/components/TextInput/index.js | AI (source-diff): Babel-transpiled/minified build output from the prepublish script. Standard webpack/babel patterns, not obfuscation. Stable for this package's dist/ build artifacts. | ai | |
| dependencies | unvetted-dep:inline-style-prefix-all | AI (dependencies): Established CSS prefix utility; legitimate dependency for web styling in react-native-web. | ai | |
| dependencies | unvetted-dep:react-timer-mixin | AI (dependencies): Established React utility package; legitimate dependency for react-native-web. | ai | |
| source-diff | obfuscated-file:dist/apis/StyleSheet/StyleSheetValidation.js | AI (source-diff): Standard Babel-compiled output; content is clearly StyleSheet validation logic, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/module.js | AI (source-diff): dist/ files are standard Babel-compiled CommonJS output for react-native-web; minification is expected build artifact, not obfuscation. | ai | |
| source-diff | obfuscated-file:dist/apis/AsyncStorage/index.js | AI (source-diff): Standard Babel-compiled output; content is clearly AsyncStorage implementation using localStorage, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/apis/AppRegistry/AppContainer.js | AI (source-diff): Standard Babel-compiled React component output; no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/apis/AppRegistry/index.js | AI (source-diff): Standard Babel-compiled output; content is clearly AppRegistry implementation, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/apis/StyleSheet/StyleRegistry.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/apis/UIManager/index.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/components/ActivityIndicator/index.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/components/Image/index.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/components/KeyboardAvoidingView/index.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/components/ListView/ListViewDataSource.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/components/ListView/index.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/components/ProgressBar/index.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/components/RefreshControl/index.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/components/ScrollView/ScrollViewBase.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| source-diff | obfuscated-file:dist/apis/NetInfo/index.js | AI (source-diff): Standard Babel-compiled output; content is clearly NetInfo using navigator.connection API, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/apis/PanResponder/index.js | AI (source-diff): Standard Babel-compiled output; content is clearly PanResponder gesture handling, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/apis/StyleSheet/StyleManager.js | AI (source-diff): Standard Babel-compiled output; content is clearly CSS StyleManager implementation, no malicious patterns. | ai | |
| source-diff | obfuscated-file:dist/apis/StyleSheet/createReactDOMStyle.js | AI (source-diff): Standard Babel-compiled output for react-native-web dist/; expected build artifact. | ai | |
| phantom-deps | phantom-dep:react-tappable | AI (phantom-deps): Phantom deps in build-heavy projects are normal; react-tappable is referenced in config files, not source imports. | ai | |
| phantom-deps | phantom-dep:react-swipeable | AI (phantom-deps): react-swipeable is a legitimate swipe gesture library used in the example app; phantom-dep finding is expected for example/optional deps in this package. | ai | |
| source-diff | large-new-source-files | AI (source-diff): react-native-web is a large UI framework; new source files reflect legitimate feature additions (e.g., Animated API), not injected code. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase reflects legitimate feature development (Animated API, new components) by a trusted publisher with a clean track record. | ai | |
| source-diff | net-exec-file:dist/ReactNative.js | AI (source-diff): UMD bundle includes React Native APIs (NetInfo etc.) and webpack module loader. Not malware — standard build artifact for react-native-web. | ai | |
| source-diff | obfuscated-file:dist/ReactNative.js | AI (source-diff): Minified UMD bundle is expected build output for this package; webpack/browserify minification is legitimate, not malware obfuscation. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Early version (0.0.6) of a well-established library by a trusted publisher; minor metadata gaps are expected and not indicative of spam or malicious intent. | ai | |
| npm-metadata | no-description | AI (npm-metadata): Empty description is expected for this seed/placeholder version; subsequent versions have proper descriptions. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): Version 0.0.0 is the legitimate initial placeholder published by necolas over 10 years ago; the package has 359 subsequent versions and a clean history. | ai | |
| provenance | no-provenance | AI (provenance): Package predates Sigstore provenance by many years; absence of attestation is expected and not a risk signal for this publisher. | ai | |
Versions (showing 51 of 274)
| Version | Deps | Published |
|---|---|---|
| 0.21.2 | 8 / 0 | |
| 0.21.1 | 8 / 0 | |
| 0.21.0 | 8 / 0 | |
| 0.20.0 | 8 / 0 | |
| 0.19.13 | 8 / 0 | |
| 0.19.12 | 8 / 0 | |
| 0.19.11 | 8 / 0 | |
| 0.19.10 | 8 / 0 | |
| 0.19.9 | 8 / 0 | |
| 0.19.8 | 8 / 0 | |
| 0.19.7 | 8 / 0 | |
| 0.19.6 | 8 / 0 | |
| 0.19.5 | 8 / 0 | |
| 0.19.4 | 8 / 0 | |
| 0.19.3 | 8 / 0 | |
| 0.19.2 | 8 / 0 | |
| 0.19.1 | 6 / 0 | |
| 0.19.0 | 6 / 0 | |
| 0.18.12 | 7 / 0 | |
| 0.18.11 | 7 / 0 | |
| 0.18.10 | 7 / 0 | |
| 0.18.9 | 7 / 0 | |
| 0.18.8 | 7 / 0 | |
| 0.18.7 | 7 / 0 | |
| 0.18.6 | 7 / 0 | |
| 0.18.5 | 7 / 0 | |
| 0.18.4 | 8 / 0 | |
| 0.18.3 | 7 / 0 | |
| 0.18.2 | 7 / 0 | |
| 0.18.1 | 7 / 0 | |
| 0.18.0 | 7 / 0 | |
| 0.17.7 | 7 / 0 | |
| 0.17.6 | 7 / 0 | |
| 0.17.5 | 7 / 0 | |
| 0.17.4 | 7 / 0 | |
| 0.17.3 | 7 / 0 | |
| 0.17.2 | 7 / 0 | |
| 0.17.1 | 7 / 0 | |
| 0.17.0 | 7 / 0 | |
| 0.16.5 | 7 / 0 | |
| 0.16.4 | 7 / 0 | |
| 0.16.3 | 9 / 0 | |
| 0.16.2 | 9 / 0 | |
| 0.16.1 | 9 / 0 | |
| 0.16.0 | 9 / 0 | |
| 0.15.7 | 9 / 0 | |
| 0.15.6 | 9 / 0 | |
| 0.15.5 | 9 / 0 | |
| 0.15.4 | 9 / 0 | |
| 0.15.3 | 9 / 0 | |
| 0.15.2 | 9 / 0 | |