react-timer-mixin — Greenflagged

TimerMixin provides timer functions for executing code in the future that are safely cleaned up when the component unmounts

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

awearysophiebitstadeuzagallo

Keywords

reacttimermixin

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): spicyj and sophiebits are both npm accounts for Sophie Alpert (React core team); this is a documented account rename, not a hostile takeover.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): sophiebits is Sophie Alpert's renamed npm account; addition reflects a legitimate account transition, not a new unknown party.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): spicyj removal is the other side of Sophie Alpert's account rename to sophiebits; no actual change in control.	ai	2026/04/23
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy followed by 2018 publish aligns with Sophie Alpert's npm account rename; no code changes introduced, consistent with routine maintenance.	ai	2026/04/23

Versions (showing 5 of 5)

Version	Deps	Published
0.13.4	0 / 2	2018-07-17
0.13.3	0 / 2	2015-09-09
0.13.2	0 / 2	2015-07-03
0.13.1	0 / 2	2015-03-23
0.13.0	0 / 1	2015-03-20

v0.13.4

2 findings

HIGH Publisher changed: spicyj → sophiebits (on 2018-07-17) provenance

This version was published by a different npm account than previous versions on 2018-07-17. This could indicate a legitimate maintainer transition or an account compromise.