react-native-worklets

The React Native multithreading library

Versions: 100
License: MIT
Install Scripts: No
Provenance: Verified

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation; npm registry signatures; No source commit

Maintainers

tjzel, swm-bot

Keywords

react-native, react, native, worklets

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source | Rule | Reason | Accepted by | When
semgrep | semgrep:eval-usage | AI (semgrep): eval() is the core mechanism of the worklets runtime — it evaluates serialized worklet functions on background threads. This is the intentional, documented design of the library, not a supply-chain risk. | ai |
semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require in validate-react-native-version.js loads a local package.json via __dirname-relative path for version validation. Benign build/validation script pattern. | ai |
phantom-deps | phantom-dep:@babel/plugin-transform-classes | AI (phantom-deps): Babel transform plugins are loaded by convention through the Babel plugin system, not via direct imports. Standard pattern for Babel-based tooling. | ai |
phantom-deps | phantom-dep:@babel/plugin-transform-unicode-regex | AI (phantom-deps): Babel transform plugins are loaded by convention through the Babel plugin system, not via direct imports. Standard pattern for Babel-based tooling. | ai |
phantom-deps | phantom-dep:@babel/plugin-transform-class-properties | AI (phantom-deps): Babel transform plugins are loaded by convention through the Babel plugin system, not via direct imports. Standard pattern for Babel-based tooling. | ai |

Versions (showing 100 of 182)

Version Deps Published
0.9.1 11 / 18
0.9.0 11 / 18
0.8.3 11 / 20
0.8.2 11 / 20
0.7.4 11 / 18
0.7.3 11 / 18
0.7.2 11 / 18
0.7.1 11 / 18
0.7.0 11 / 18
0.6.1 11 / 18
0.6.0 11 / 18
0.5.2 11 / 18
0.5.1 11 / 18
0.5.0 11 / 18
0.4.2 10 / 18
0.4.1 10 / 18
0.4.0 10 / 18
0.3.0 10 / 18
0.2.0 0 / 16
0.1.0 0 / 16
0.9.0-nightly-20260409-b9828e8a3 11 / 20
0.9.0-nightly-20260331-651c56393 11 / 20
0.9.0-nightly-20260330-941d1eb01 11 / 20
0.9.0-nightly-20260329-941d1eb01 11 / 20
0.9.0-nightly-20260328-941d1eb01 11 / 20
0.9.0-nightly-20260327-941d1eb01 11 / 20
0.9.0-nightly-20260326-dedf4f649 11 / 20
0.9.0-nightly-20260325-414e8adaf 11 / 20
0.9.0-nightly-20260324-681a4faed 11 / 20
0.9.0-nightly-20260323-ba9c5502a 11 / 20
0.9.0-nightly-20260322-50710c225 11 / 20
0.9.0-nightly-20260321-50710c225 11 / 20
0.9.0-nightly-20260320-548038843 11 / 20
0.8.0-rc.0 12 / 19
0.8.0-nightly-20260319-405a07d0a 12 / 19
0.8.0-nightly-20260318-d2b8286a6 12 / 19
0.8.0-nightly-20260317-108689c96 12 / 19
0.8.0-nightly-20260316-3d4fe2138 12 / 19
0.8.0-nightly-20260315-eaaab308b 12 / 19
0.8.0-nightly-20260314-eaaab308b 12 / 19
0.8.0-nightly-20260313-eaaab308b 12 / 19
0.8.0-nightly-20260312-26326bd14 12 / 19
0.8.0-nightly-20260311-a11a9af87 12 / 19
0.8.0-nightly-20260310-b1c2d6f9a 12 / 18
0.8.0-nightly-20260309-df271a90c 12 / 18
0.8.0-nightly-20260308-a76d9645b 12 / 18
0.8.0-nightly-20260307-a76d9645b 12 / 18
0.8.0-nightly-20260306-a76d9645b 12 / 18
0.8.0-nightly-20260305-d209b5fe1 12 / 18
0.8.0-nightly-20260304-d209b5fe1 12 / 18
0.8.0-nightly-20260303-df30fd94e 12 / 18
0.8.0-nightly-20260302-326fb25d5 12 / 18
0.8.0-nightly-20260301-d82a03d6a 12 / 18
0.8.0-nightly-20260228-d82a03d6a 12 / 18
0.8.0-nightly-20260227-d82a03d6a 12 / 18
0.8.0-nightly-20260226-abb846956 12 / 18
0.8.0-nightly-20260225-6b6087770 12 / 18
0.8.0-nightly-20260224-a83e03175 12 / 18
0.8.0-nightly-20260223-5033f2a08 12 / 18
0.8.0-nightly-20260222-098e81296 12 / 18
0.8.0-nightly-20260221-098e81296 12 / 18
0.8.0-nightly-20260220-cfa662238 12 / 18
0.8.0-nightly-20260219-7092236eb 12 / 18
0.8.0-nightly-20260218-5935af984 12 / 18
0.8.0-nightly-20260217-358eda585 12 / 18
0.8.0-nightly-20260216-358eda585 12 / 18
0.8.0-nightly-20260215-df89d775e 12 / 18
0.8.0-nightly-20260214-df89d775e 12 / 18
0.8.0-nightly-20260213-df89d775e 12 / 18
0.8.0-nightly-20260212-327369883 12 / 18
0.8.0-nightly-20260211-96ab3f00d 12 / 18
0.8.0-nightly-20260210-7a1a46673 12 / 18
0.8.0-nightly-20260209-45da97dbe 12 / 18
0.8.0-nightly-20260208-eef90ec7a 12 / 18
0.8.0-nightly-20260207-eef90ec7a 12 / 18
0.8.0-nightly-20260206-eef90ec7a 12 / 18
0.8.0-nightly-20260205-eef90ec7a 12 / 18
0.8.0-nightly-20260204-eef90ec7a 12 / 18
0.8.0-nightly-20260203-f46b2f3dd 12 / 18
0.8.0-nightly-20260202-5cd6eb50e 12 / 18
0.8.0-nightly-20260201-5cd6eb50e 12 / 18
0.8.0-nightly-20260131-5cd6eb50e 12 / 18
0.8.0-nightly-20260130-5cd6eb50e 12 / 18
0.8.0-nightly-20260129-3ae820e3e 12 / 18
0.8.0-nightly-20260128-58003c818 12 / 18
0.8.0-nightly-20260127-ba16138d2 12 / 18
0.8.0-nightly-20260126-ab4831559 12 / 18
0.8.0-nightly-20260125-f9658a1e7 12 / 18
0.8.0-nightly-20260124-f9658a1e7 12 / 18
0.8.0-nightly-20260123-07da3bf8c 12 / 18
0.8.0-nightly-20260122-45349f895 12 / 18
0.8.0-nightly-20260121-29ed9b2c6 12 / 18
0.8.0-nightly-20260120-239b6b343 12 / 18
0.8.0-nightly-20260119-239b6b343 12 / 18
0.8.0-nightly-20260118-48cb21806 11 / 18
0.8.0-nightly-20260117-48cb21806 11 / 18
0.8.0-nightly-20260116-48cb21806 11 / 18
0.8.0-nightly-20260115-fe95700c7 11 / 18
0.8.0-nightly-20260114-fe95700c7 11 / 18
0.8.0-nightly-20260113-b15297a39 11 / 18

v0.9.1

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.9.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.8.3

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.8.2

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.7.4

2 findings
HIGH: Provenance attestation missing — previous versions had it [provenance]

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

HIGH: Publisher changed: GitHub Actions → tjzel (on 2026-02-16) [provenance]

This version was published by a different npm account than previous versions on 2026-02-16. This could indicate a legitimate maintainer transition or an account compromise.

v0.7.3

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.2

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.7.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.6.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.2

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.5.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.2

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.4.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.3.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v0.2.0

1 finding
INFO: Has SLSA provenance attestation [provenance]

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v0.1.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.