react-select
A Select control built with and for ReactJS
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| provenance | publisher-changed | AI (provenance): gwyneplaine is a known react-select maintainer transitioning from a release bot account. Publisher has 35 approved packages and long history on npm. | ai | |
| source-diff | obfuscated-file:dist/index-fe3694ff.cjs.dev.js | AI (source-diff): This is a standard bundled CJS dist artifact for react-select. Long lines are from bundling, not obfuscation. Imports are all legitimate declared dependencies. | ai | |
| source-diff | obfuscated-file:dist/index-9b01df15.cjs.dev.js | AI (source-diff): react-select uses Preconstruct to generate CJS/ESM dist bundles; long-line dist files are standard build artifacts, not obfuscation. Stable pattern across all versions. | ai | |
| source-diff | obfuscated-file:dist/index-d1cb43f3.cjs.dev.js | AI (source-diff): react-select ships Preconstruct-generated CJS/ESM bundles with long lines; the sample shows readable React component code, not obfuscation. This pattern is stable across all versions. | ai | |
| source-diff | obfuscated-file:dist/index-5b950e59.cjs.dev.js | AI (source-diff): react-select ships compiled/bundled dist files via preconstruct/rollup; long lines are standard build output (excluded-keys arrays, etc.), not obfuscation. Stable pattern for this package. | ai | |
| source-diff | obfuscated-file:dist/index-0ebaecc9.cjs.dev.js | AI (source-diff): react-select ships bundled dist files via Preconstruct; long lines are standard bundler output, not obfuscation. Code sample confirms readable React component code. | ai | |
| source-diff | obfuscated-file:dist/index-d0712905.cjs.dev.js | AI (source-diff): react-select ships Preconstruct-generated dist files with long lines; the sample shows readable transpiled React code, not obfuscation. This pattern is stable across versions. | ai | |
| source-diff | obfuscated-file:dist/index-25743a6b.cjs.dev.js | AI (source-diff): react-select uses Preconstruct to generate CJS/ESM dist bundles; long-line dist files are expected build artifacts, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/index-7bd038ed.cjs.dev.js | AI (source-diff): react-select ships compiled dist bundles; long lines are from Babel-compiled output, not obfuscation. Sample shows clean, readable library code with standard imports and comments. | ai | |
| source-diff | obfuscated-file:dist/index-a0eec3a7.cjs.dev.js | AI (source-diff): react-select ships Preconstruct-generated CJS bundles with long lines; this is standard build output, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/index-9d5f35ff.cjs.dev.js | AI (source-diff): react-select ships pre-built dist files via Preconstruct; long lines in CJS dev bundles are standard bundler output, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/index-5a5a8b2f.cjs.dev.js | AI (source-diff): This is a standard preconstruct build artifact for react-select. Long lines are from bundled dist output, not obfuscation. Pattern is consistent across all react-select releases. | ai | |
| source-diff | obfuscated-file:dist/index-2fe3dc33.cjs.dev.js | AI (source-diff): react-select ships bundled CJS/ESM dist files via preconstruct; long lines are normal build artifacts, not obfuscation. Sample shows readable React component code. | ai | |
| source-diff | obfuscated-file:dist/index-0ceaa597.cjs.dev.js | AI (source-diff): react-select ships Rollup/Preconstruct-generated CJS/ESM bundles with long lines; these are standard build artifacts, not obfuscation. Stable false positive for this package. | ai | |
| source-diff | obfuscated-file:dist/index-b678006b.cjs.dev.js | AI (source-diff): react-select ships bundled CJS/ESM build artifacts via @preconstruct/cli. Long lines are from bundled output, not obfuscation. Sample code is clearly readable React component logic. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): mitchellhamilton stepping down is a known transition; emmatown (same ecosystem) took over. No takeover indicators. | ai | |
| source-diff | large-new-source-files | AI (source-diff): react-select ships multiple dist variants (cjs.dev, cjs.prod, esm) per entrypoint. Large numbers of new dist files are expected across version bumps with build tooling changes. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): emmatown is a known maintainer in the Emotion/Preconstruct ecosystem; this is a legitimate maintainer transition for react-select. | ai | |
| source-diff | obfuscated-file:dist/index-0d5b3c94.cjs.dev.js | AI (source-diff): react-select ships bundled CJS/ESM dist files via Preconstruct; long lines are standard build output, not obfuscation. This pattern is stable across all versions of this package. | ai | |
| source-diff | obfuscated-file:dist/index-e1df3c50.cjs.dev.js | AI (source-diff): react-select ships Preconstruct-generated CJS/ESM dist bundles; long lines in dist files are normal bundled output, not obfuscation. Stable pattern for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): @floating-ui/dom and use-isomorphic-layout-effect are well-known legitimate packages appropriate for a dropdown/select component. No malicious signal. | ai | |
| source-diff | obfuscated-file:dist/index-b950ee42.cjs.dev.js | AI (source-diff): This is a standard preconstruct CJS dev build artifact for react-select. Long lines are from bundled/concatenated output, not obfuscation. The sample shows normal readable JS with Babel runtime helpers. | ai | |
| source-diff | obfuscated-file:dist/index-42b266b1.cjs.dev.js | AI (source-diff): This is a standard bundler output (Preconstruct) for react-select. Long lines are due to bundled/minified build artifacts, not obfuscation. Code is readable and benign in the sample. | ai | |
| phantom-deps | phantom-dep:@types/react-transition-group | AI (phantom-deps): TypeScript types package loaded by convention; phantom detection is a stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@emotion/cache | AI (dependencies): @emotion/cache is a well-known CSS-in-JS library dependency; its use in react-select for styling is expected and legitimate. | ai | |
| phantom-deps | phantom-dep:prop-types | AI (phantom-deps): prop-types is a common React ecosystem package; phantom detection here is a stable false positive for this package. | ai | |
| dependencies | unvetted-dep:react-transition-group | AI (dependencies): react-transition-group is a well-known React animation library; its use in react-select's animated entrypoint is expected and legitimate. | ai | |
| dependencies | unvetted-dep:@floating-ui/dom | AI (dependencies): @floating-ui/dom is a standard positioning library; its use in react-select for dropdown positioning is expected and legitimate. | ai | |
Versions (showing 45 of 45)
| Version | Deps | Published |
|---|---|---|
| 5.10.2 | 9 / 6 | |
| 5.10.1 | 9 / 6 | |
| 5.10.0 | 9 / 6 | |
| 5.9.0 | 9 / 6 | |
| 5.8.3 | 9 / 6 | |
| 5.8.2 | 9 / 6 | |
| 5.8.1 | 9 / 6 | |
| 5.8.0 | 9 / 6 | |
| 5.7.7 | 9 / 6 | |
| 5.7.6 | 9 / 6 | |
| 5.7.5 | 9 / 6 | |
| 5.7.4 | 9 / 6 | |
| 5.7.3 | 9 / 6 | |
| 5.7.2 | 9 / 6 | |
| 5.7.1 | 9 / 6 | |
| 5.7.0 | 9 / 6 | |
| 5.6.1 | 9 / 6 | |
| 5.6.0 | 9 / 6 | |
| 5.5.9 | 9 / 6 | |
| 5.5.8 | 9 / 6 | |
| 5.5.7 | 9 / 6 | |
| 5.5.6 | 9 / 6 | |
| 5.5.5 | 9 / 6 | |
| 5.5.4 | 9 / 6 | |
| 5.5.3 | 9 / 6 | |
| 5.5.2 | 9 / 6 | |
| 5.5.1 | 9 / 6 | |
| 5.5.0 | 9 / 6 | |
| 5.4.0 | 7 / 6 | |
| 5.3.2 | 7 / 6 | |
| 5.3.1 | 7 / 6 | |
| 5.3.0 | 7 / 6 | |
| 5.2.2 | 7 / 6 | |
| 5.2.1 | 7 / 6 | |
| 5.2.0 | 7 / 6 | |
| 5.1.0 | 7 / 6 | |
| 5.0.0 | 7 / 6 | |
| 4.3.1 | 7 / 5 | |
| 4.3.0 | 7 / 5 | |
| 4.2.1 | 7 / 5 | |
| 4.2.0 | 7 / 5 | |
| 4.1.0 | 7 / 5 | |
| 4.0.2 | 8 / 5 | |
| 4.0.1 | 8 / 5 | |
| 4.0.0 | 8 / 5 | |
v5.10.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.10.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.9.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.3
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.8.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v5.8.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.7
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.6
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.5
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.4
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.3
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.2
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.7.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.6.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.9
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.8
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.7
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.6
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.5
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.4
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.3
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.2
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.5.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.4.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.2
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.3.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.2
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.3.1
3 findings: This version was published by a different npm account than previous versions on 2021-05-11. This could indicate a legitimate maintainer transition or an account compromise.
Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.3.0
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.1
2 findings: Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.2.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.1.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.2
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v4.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.