react-sizes
HOC (higher-order component) to easily map window sizes to props.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between the published tarball and the public source repository; the axios compromise (March 2026) relied on exactly this gap. Provenance only attests which workflow built the tarball from which commit, so it does not vouch for the contents of that commit: a package whose repository or CI is itself compromised still publishes with valid provenance.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | net-exec-file:dist/react-sizes.js | AI (source-diff): The flagged file is a standard Rollup UMD bundle produced by the documented build:umd script. The 'network' and 'dynamic execution' patterns are UMD boilerplate and environment detection, not malicious code. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase is explained by the addition of the UMD dist bundle (dist/react-sizes.js) which was not present in prior versions. This is an intentional build artifact addition. | ai | |
| provenance | missing-githead | AI (provenance): Established package with 22 versions and clean history; missing gitHead is a publish-environment metadata change, not a code integrity issue. No other risk signals present. | ai | |
| provenance | no-provenance | AI (provenance): Long-standing package predating Sigstore provenance; absence of attestation is expected for this maintainer's workflow. | ai | |
| email-domain | unclaimed-email:http://github.com/renatorib | AI (email-domain): The 'email' field contains a GitHub profile URL, not an email address. The analyzer is misidentifying a URL as an email domain — stable false positive for this package. | ai | |
| phantom-deps | phantom-dep:prop-types | AI (phantom-deps): prop-types is a legitimate runtime dependency for React component libraries; referenced in config/build files. Stable false positive for this package. | ai | |
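The metadata rules behind the provenance section and the accepted-risk rows above (no-provenance, missing-githead, source-size-tripled, and the email-domain rule that misread a profile URL), re-implemented as an added example. This is not the scanner's code and not part of react-sizes. It assumes the npm registry packument layout (versions[v].gitHead, versions[v].dist.attestations, versions[v].dist.unpackedSize, versions[v]._npmUser) and runs over a constructed packument so it works offline; resolving the collected domains against DNS is left to the caller.

```javascript
// Added example (not the scanner's code, not part of react-sizes).
// Re-implements four of the metadata rules from this page over an npm
// packument: no-provenance, missing-githead, source-size-tripled and the
// maintainer-contact check that the email-domain analyzer got wrong.
// Assumed registry layout: versions[v].gitHead, versions[v].dist.attestations,
// versions[v].dist.unpackedSize, versions[v]._npmUser.{name,email}.

// Numeric semver ordering so "previous version" means the prior release
// (1.0.10 sorts after 1.0.9, which plain string sorting gets wrong).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Domain of a contact field, or null when the field is not an email address.
// A profile URL such as http://github.com/user has no '@' and contains '/',
// so it is rejected here instead of being handed to a DNS lookup.
function emailDomain(field) {
  if (typeof field !== 'string') return null;
  const m = /^[^\s@/]+@([^\s@/]+\.[^\s@/]+)$/.exec(field.trim());
  return m ? m[1].toLowerCase() : null;
}

function analyzePackument(pkg) {
  const findings = [];
  const domainsToResolve = new Set();
  const versions = Object.keys(pkg.versions).sort(compareVersions);
  let prev = null;
  for (const v of versions) {
    const meta = pkg.versions[v];
    const dist = meta.dist || {};

    // no-provenance: a SLSA/Sigstore attestation shows up as dist.attestations.provenance
    if (!(dist.attestations && dist.attestations.provenance)) {
      findings.push({ version: v, rule: 'no-provenance' });
    }

    if (prev !== null) {
      const prevMeta = pkg.versions[prev];
      const prevDist = prevMeta.dist || {};

      // missing-githead: only a regression matters, i.e. the prior release had a gitHead
      if (prevMeta.gitHead && !meta.gitHead) {
        findings.push({ version: v, rule: 'missing-githead',
                        publishedBy: (meta._npmUser || {}).name });
      }

      // source-size-tripled: unpacked size grew 3x or more against the prior release
      if (prevDist.unpackedSize && dist.unpackedSize &&
          dist.unpackedSize >= 3 * prevDist.unpackedSize) {
        findings.push({ version: v, rule: 'source-size-tripled',
                        ratio: +(dist.unpackedSize / prevDist.unpackedSize).toFixed(2) });
      }
    }

    // email-domain: classify the contact field before any DNS work
    const contact = meta._npmUser && meta._npmUser.email;
    if (contact !== undefined) {
      const domain = emailDomain(contact);
      if (domain === null) {
        findings.push({ version: v, rule: 'contact-not-an-email', value: contact });
      } else {
        domainsToResolve.add(domain);
      }
    }
    prev = v;
  }
  return { findings, domainsToResolve: [...domainsToResolve].sort() };
}

// Constructed packument (not real registry data) exercising each rule once.
const SAMPLE_PACKUMENT = {
  name: 'example-hoc',
  versions: {
    '1.0.1': { version: '1.0.1', gitHead: 'a1b2c3d', dist: { unpackedSize: 12000 },
               _npmUser: { name: 'alice', email: 'alice@example.org' } },
    '1.0.2': { version: '1.0.2', dist: { unpackedSize: 40000 },
               _npmUser: { name: 'alice', email: 'http://github.com/alice' } },
    '1.0.10': { version: '1.0.10', gitHead: 'd4e5f6a',
                dist: { unpackedSize: 41000,
                        attestations: { url: 'https://registry.npmjs.org/-/npm/v1/attestations/example-hoc@1.0.10',
                                        provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } },
                _npmUser: { name: 'alice', email: 'alice@example.org' } },
  },
};

console.log(JSON.stringify(analyzePackument(SAMPLE_PACKUMENT), null, 2));
```

Run it with node; the same function can be pointed at a live packument fetched from https://registry.npmjs.org/<name>. The contact field is classified before any DNS lookup, which is what turns the "domain has no DNS records" finding shown further down this page into the correct "not an email address" result. For packages already installed, `npm audit signatures` performs the registry-side verification of signatures and provenance attestations.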
Versions (showing 20 of 20)
| Version | Deps | Published |
|---|---|---|
| 2.0.0 | 2 / 27 | |
| 1.0.4 | 2 / 25 | |
| 1.0.3 | 2 / 25 | |
| 1.0.2 | 2 / 25 | |
| 1.0.1 | 2 / 25 | |
| 1.0.0 | 2 / 25 | |
| 0.4.3 | 1 / 25 | |
| 0.4.2 | 1 / 25 | |
| 0.4.1 | 1 / 25 | |
| 0.3.3 | 3 / 17 | |
| 0.3.2 | 3 / 17 | |
| 0.3.1 | 3 / 17 | |
| 0.3.0 | 3 / 17 | |
| 0.2.0 | 3 / 17 | |
| 0.1.2 | 4 / 10 | |
| 0.1.1 | 5 / 11 | |
| 0.1.0 | 5 / 11 | |
| 0.0.4 | 4 / 11 | |
| 0.0.3 | 4 / 11 | |
| 0.0.2 | 4 / 11 | |
v2.0.0
2 findings
- Maintainer email 'http://github.com/renatorib' uses domain 'http://github.com/renatorib' which has no DNS records. An attacker could register this domain to hijack the maintainer identity. (Recorded as a false positive under Accepted risks: the field holds a GitHub profile URL, not an email address, so there is no domain to register.)
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 finding
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
2 findings
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: renatorib.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
3 findings
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware. (The Accepted risks table identifies the file as the Rollup UMD bundle dist/react-sizes.js produced by the documented build:umd script.)
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: renatorib.
v1.0.1
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.