react-native-windows
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): Publisher change from rnbot to microsoft1es reflects Microsoft's internal CI/CD pipeline transition (1ES publishing); both accounts are Microsoft-controlled. Stable for this package. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): vmoroz (Vladimir Morozov) is a known Microsoft React Native Windows contributor; addition is a legitimate team change. | ai | |
| provenance | missing-githead | AI (provenance): Missing gitHead is consistent with the 1ES publishing pipeline change; not a malware indicator for this well-established Microsoft package. | ai | |
| phantom-deps | phantom-dep:jsc-android | AI (phantom-deps): jsc-android is a platform-specific binary dependency for Android JS engine; not directly imported but legitimately declared. | ai | |
| phantom-deps | phantom-dep:semver | AI (phantom-deps): semver referenced in config files; expected for version management in platform packages. | ai | |
| phantom-deps | phantom-dep:commander | AI (phantom-deps): commander referenced in CLI config; standard for command-line tools. | ai | |
| phantom-deps | phantom-dep:babel-jest | AI (phantom-deps): babel-jest referenced in config files; expected for Jest test configuration. | ai | |
| phantom-deps | phantom-dep:@babel/runtime | AI (phantom-deps): Framework-scoped package loaded by convention; standard for Babel-based projects. | ai | |
| phantom-deps | phantom-dep:hermes-compiler | AI (phantom-deps): Referenced in config files; expected for Hermes JavaScript engine support. | ai | |
| phantom-deps | phantom-dep:metro-source-map | AI (phantom-deps): Referenced in config files; expected for Metro bundler source map support. | ai | |
| phantom-deps | phantom-dep:event-target-shim | AI (phantom-deps): Referenced in config files; standard polyfill for React Native. | ai | |
| phantom-deps | phantom-dep:@react-native/assets | AI (phantom-deps): Platform-specific binary package loaded by convention; expected for React Native. | ai | |
| phantom-deps | phantom-dep:@react-native/codegen | AI (phantom-deps): Platform-specific binary package for code generation; expected for React Native. | ai | |
| phantom-deps | phantom-dep:@react-native-community/cli | AI (phantom-deps): Platform-specific CLI package loaded by convention; expected for React Native. | ai | |
| phantom-deps | phantom-dep:@react-native/gradle-plugin | AI (phantom-deps): Platform-specific binary package for Gradle; expected for React Native. | ai | |
| phantom-deps | phantom-dep:@react-native/new-app-screen | AI (phantom-deps): Platform-specific package loaded by convention; expected for React Native. | ai | |
| phantom-deps | phantom-dep:babel-plugin-syntax-hermes-parser | AI (phantom-deps): Referenced in config files; expected for Hermes parser support. | ai | |
| phantom-deps | phantom-dep:@react-native/community-cli-plugin | AI (phantom-deps): Platform-specific CLI plugin loaded by convention; expected for React Native. | ai | |
| phantom-deps | phantom-dep:@react-native-community/cli-platform-ios | AI (phantom-deps): Platform-specific binary package for iOS; expected for React Native. | ai | |
| phantom-deps | phantom-dep:@react-native-community/cli-platform-android | AI (phantom-deps): Platform-specific binary package for Android; expected for React Native. | ai | |
| phantom-deps | phantom-dep:flow-enums-runtime | AI (phantom-deps): Referenced in config files; expected for Flow type checking support. | ai | |
| phantom-deps | phantom-dep:ws | AI (phantom-deps): ws is referenced in config files for WebSocket support; standard for React Native platform packages. | ai | |
| phantom-deps | phantom-dep:yargs | AI (phantom-deps): yargs referenced in CLI config; expected for build/CLI tools in platform packages. | ai | |
| phantom-deps | phantom-dep:mkdirp | AI (phantom-deps): mkdirp referenced in config files; standard utility for build scripts. | ai | |
| semgrep | semgrep:eval-usage | AI (semgrep): eval() in loadBundleFromServer.js is the standard React Native Metro dev-server bundle loading pattern; intentional and stable across versions. | ai | |
| provenance | no-provenance | AI (provenance): microsoft1es has 3550 approved packages; lack of Sigstore provenance is not a meaningful risk signal for this well-established publisher. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in template.config.js reads app.json for app name — standard React Native template pattern, not arbitrary module loading. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): child_process in Scripts/cli.js is build/CLI tooling, not runtime library code. Expected for a framework package with build scripts. | ai | |
Versions (showing 72 of 72)
| Version | Deps | Published |
|---|---|---|
| 0.83.0 | 46 / 20 | |
| 0.82.8 | 46 / 20 | |
| 0.82.5 | 46 / 20 | |
| 0.82.3 | 46 / 20 | |
| 0.82.1 | 46 / 20 | |
| 0.82.0 | 46 / 20 | |
| 0.81.24 | 45 / 20 | |
| 0.81.22 | 45 / 20 | |
| 0.81.21 | 45 / 20 | |
| 0.81.20 | 45 / 20 | |
| 0.81.19 | 45 / 20 | |
| 0.81.18 | 45 / 20 | |
| 0.81.15 | 45 / 20 | |
| 0.81.13 | 45 / 20 | |
| 0.81.12 | 45 / 20 | |
| 0.81.11 | 45 / 20 | |
| 0.81.10 | 45 / 20 | |
| 0.81.9 | 45 / 20 | |
| 0.81.7 | 45 / 20 | |
| 0.81.6 | 45 / 20 | |
| 0.81.5 | 45 / 20 | |
| 0.81.4 | 45 / 20 | |
| 0.81.3 | 45 / 20 | |
| 0.81.2 | 45 / 20 | |
| 0.81.1 | 45 / 20 | |
| 0.81.0 | 45 / 20 | |
| 0.80.6 | 45 / 20 | |
| 0.80.5 | 45 / 20 | |
| 0.80.1 | 45 / 20 | |
| 0.80.0 | 45 / 20 | |
| 0.79.5 | 44 / 20 | |
| 0.79.4 | 44 / 20 | |
| 0.79.3 | 44 / 20 | |
| 0.79.2 | 44 / 20 | |
| 0.79.1 | 44 / 20 | |
| 0.79.0 | 44 / 20 | |
| 0.78.15 | 44 / 20 | |
| 0.78.14 | 44 / 20 | |
| 0.78.13 | 44 / 20 | |
| 0.78.12 | 44 / 20 | |
| 0.78.10 | 44 / 20 | |
| 0.78.9 | 44 / 20 | |
| 0.78.8 | 44 / 20 | |
| 0.78.7 | 44 / 20 | |
| 0.78.6 | 44 / 20 | |
| 0.78.5 | 45 / 20 | |
| 0.77.12 | 46 / 20 | |
| 0.77.11 | 46 / 20 | |
| 0.77.10 | 46 / 20 | |
| 0.77.9 | 46 / 20 | |
| 0.76.17 | 46 / 20 | |
| 0.76.16 | 46 / 20 | |
| 0.76.15 | 46 / 20 | |
| 0.76.14 | 46 / 20 | |
| 0.76.13 | 46 / 20 | |
| 0.76.12 | 46 / 20 | |
| 0.75.20 | 44 / 20 | |
| 0.75.19 | 44 / 20 | |
| 0.75.18 | 44 / 20 | |
| 0.75.17 | 44 / 20 | |
| 0.74.59 | 42 / 21 | |
| 0.74.58 | 42 / 21 | |
| 0.74.56 | 42 / 21 | |
| 0.74.55 | 42 / 21 | |
| 0.74.54 | 42 / 21 | |
| 0.74.53 | 42 / 21 | |
| 0.74.52 | 42 / 21 | |
| 0.74.48 | 42 / 21 | |
| 0.74.47 | 42 / 21 | |
| 0.74.46 | 42 / 21 | |
| 0.74.45 | 42 / 21 | |
| 0.74.44 | 42 / 21 | |
v0.83.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.82.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.82.5
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.82.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.82.1
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-18. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.82.0
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.24
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.22
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.21
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.81.9
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-21. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.7
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.6
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-12. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.5
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.4
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.3
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-01-27. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.2
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-01-14. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.1
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-01-07. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.81.0
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2025-12-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.80.6
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2025-12-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.80.5
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2025-12-12. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.80.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.80.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.79.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.79.4
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.79.3
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.79.2
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.79.1
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.79.0
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.78.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.8
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.7
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.78.6
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.78.5
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.77.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.77.11
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.77.10
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.77.9
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.76.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.76.16
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.76.15
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.76.14
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.76.13
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.76.12
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.75.20
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.75.19
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.75.18
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.75.17
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.74.59
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.58
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.56
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.74.55
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.74.54
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-20. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.53
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.52
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: microsoft1es.
This version was published by a different npm account than previous versions on 2026-03-19. This could indicate a legitimate maintainer transition or an account compromise.
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.48
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.47
1 finding: [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.74.46
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.74.45
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.74.44
1 finding: [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.