react-scripts
Configuration and scripts for Create React App.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance (on npm, a Sigstore-signed attestation published alongside the tarball) there is no cryptographic link between this tarball and the public source: nothing ties the bytes on the registry to a commit, a repository or a CI build, so anyone holding a publish token can upload a tarball built anywhere. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| phantom-deps | phantom-dep:postcss-normalize | AI (phantom-deps): react-scripts loads postcss plugins via config files by design; phantom dep pattern is expected for this build toolchain. | ai | |
| phantom-deps | phantom-dep:postcss-preset-env | AI (phantom-deps): react-scripts loads postcss plugins via config files by design; phantom dep pattern is expected for this build toolchain. | ai | |
| phantom-deps | phantom-dep:postcss-flexbugs-fixes | AI (phantom-deps): react-scripts loads postcss plugins via config files by design; phantom dep pattern is expected for this build toolchain. | ai | |
| phantom-deps | phantom-dep:babel-plugin-named-asset-import | AI (phantom-deps): react-scripts loads babel plugins by convention through config; phantom dep pattern is expected for this build toolchain. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): react-scripts follows long release cycles between major versions; dormancy between v4 and v5 is consistent with CRA's documented release history, not account takeover. | ai | |
| dependencies | unvetted-dep:html-webpack-plugin | AI (dependencies): html-webpack-plugin is a standard webpack plugin for HTML generation; its inclusion in a build toolchain like react-scripts is entirely expected. | ai | |
| dependencies | unvetted-dep:prompts | AI (dependencies): prompts is a well-known CLI library used in react-scripts' eject.js to confirm the eject operation; its use is documented and benign for this package. | ai | |
| dependencies | unvetted-dep:babel-loader | AI (dependencies): babel-loader is a well-known, legitimate webpack Babel loader. Pinning to 8.1.0 is expected for react-scripts' deterministic build environment. | ai | |
| dependencies | unvetted-dep:@babel/core | AI (dependencies): Babel core is a fundamental build dependency of react-scripts; unvetted flag is a false positive. | ai | |
| dependencies | unvetted-dep:browserslist | AI (dependencies): browserslist is a standard browser targeting dependency; unvetted flag is a false positive. | ai | |
| dependencies | unvetted-dep:dotenv | AI (dependencies): dotenv is a standard env config dependency; unvetted flag is a false positive. | ai | |
| phantom-deps | phantom-dep:postcss | AI (phantom-deps): postcss is loaded via webpack config string references — standard build tool pattern for react-scripts. | ai | |
| phantom-deps | phantom-dep:tailwindcss | AI (phantom-deps): tailwindcss is referenced in config files as an optional PostCSS plugin; standard build tool pattern. | ai | |
| phantom-deps | phantom-dep:browserslist | AI (phantom-deps): browserslist is referenced in config files; standard build tool pattern for react-scripts. | ai | |
| provenance | no-provenance | AI (provenance): react-scripts predates Sigstore provenance adoption; absence is expected for this established package. | ai | |
| dependencies | unvetted-dep:jest | AI (dependencies): jest is a core, well-known test runner dependency of react-scripts; unvetted flag is a false positive. | ai | |
| dependencies | unvetted-dep:webpack | AI (dependencies): webpack is a core, well-known build tool dependency of react-scripts; unvetted flag is a false positive for this package. | ai | |
| dependencies | unvetted-dep:eslint | AI (dependencies): eslint is a core, well-known linting dependency of react-scripts; unvetted flag is a false positive. | ai | |
| dependencies | unvetted-dep:postcss | AI (dependencies): postcss is a standard CSS processing dependency for react-scripts; unvetted flag is a false positive. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react | AI (phantom-deps): Loaded via eslint config by name; standard CRA pattern. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-import | AI (phantom-deps): Loaded via eslint config by name; standard CRA pattern. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-flowtype | AI (phantom-deps): Loaded via eslint config by name; standard CRA pattern. | ai | |
| phantom-deps | phantom-dep:jest-watch-typeahead | AI (phantom-deps): Loaded via jest config by name; standard CRA pattern. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jsx-a11y | AI (phantom-deps): Loaded via eslint config by name; standard CRA pattern. | ai | |
| phantom-deps | phantom-dep:babel-eslint | AI (phantom-deps): Loaded via eslint config by name; standard CRA pattern. | ai | |
| phantom-deps | phantom-dep:jest-resolve | AI (phantom-deps): Loaded via jest config; standard CRA pattern for jest internals. | ai | |
| phantom-deps | phantom-dep:@svgr/webpack | AI (phantom-deps): Loaded via webpack config by name; standard CRA pattern. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-jest | AI (phantom-deps): Loaded via eslint config by name; standard CRA pattern. | ai | |
| phantom-deps | phantom-dep:fsevents | AI (phantom-deps): Optional dependency for file watching on macOS; declared in optionalDependencies and referenced in config. | ai | |
| phantom-deps | phantom-dep:@babel/core | AI (phantom-deps): Framework-scoped build tool loaded by convention; standard for build configuration packages. | ai | |
| phantom-deps | phantom-dep:sass-loader | AI (phantom-deps): Build tool referenced in webpack config; expected for build configuration packages. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/parser | AI (phantom-deps): Loaded via eslint config by name; standard CRA pattern for TypeScript support. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-react-hooks | AI (phantom-deps): Loaded via eslint config by name; standard CRA pattern. | ai | |
| phantom-deps | phantom-dep:eslint-plugin-testing-library | AI (phantom-deps): Loaded via eslint config by name; standard CRA pattern. | ai | |
| phantom-deps | phantom-dep:@typescript-eslint/eslint-plugin | AI (phantom-deps): Loaded via eslint config by name; standard CRA pattern for TypeScript support. | ai | |
| phantom-deps | phantom-dep:identity-obj-proxy | AI (phantom-deps): Loaded via jest config by name; standard CRA pattern for CSS module mocking. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Conditional TypeScript resolution at build time; legitimate build tool behavior. | ai | |
| bogus-package | bogus-package | AI (bogus-package): Spam-publisher flags for 'fb' and 'gaearon' are false positives — these are Facebook's official npm org and Dan Abramov (React core team). Package is the official CRA toolchain. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): Filters process.env for REACT_APP_ prefixed variables; standard build configuration practice. | ai | |
| semgrep | semgrep:child-process-import | AI (semgrep): Used in documented eject script; expected for build configuration tool. | ai | |
Versions (showing 5 of 5)
| Version | Deps | Published |
|---|---|---|
| 5.0.1 | 48 / 2 | |
| 5.0.0 | 48 / 2 | |
| 4.0.3 | 59 / 2 | |
| 4.0.2 | 59 / 2 | |
| 4.0.0 | 58 / 2 | |
v5.0.1
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.3
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.2
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 finding [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.