redbox-react
A redbox (rsod) component to display your errors.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | source-size-tripled | AI (source-diff): Size increase is entirely due to two 1.6MB webpack-compiled example bundles being added. No injected payload. | ai | |
| source-diff | net-exec-file:examples/babel-plugin-react-hot/dist/bundle.js | AI (source-diff): This is a webpack HMR bundle in an examples directory. The network calls and dynamic script injection are standard webpack hot-reload boilerplate, not malware. | ai | |
| source-diff | net-exec-file:examples/react-hot-loader-example/dist/bundle.js | AI (source-diff): Same as above — webpack HMR runtime in an examples directory. Standard hot-reload boilerplate, not malicious. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of keywordbrain is consistent with a legitimate ownership transfer to the actual project authors. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Transfer from keywordbrain to davidpfahler/mxlje is legitimate — author field and GitHub repo both reference David Pfahler as the actual project author. No code changes introduced. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change in 2016 aligns with legitimate authorship transfer; new publisher mxlje has a long, clean track record (35 approved, 0 rejected). | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are the documented authors of the project; no malicious signals in the package content. | ai | |
| email-domain | unclaimed-email:keywordbrain.com | AI (email-domain): Long-established package (10+ years, 34 versions, consistent publisher history). Unclaimed domain is a latent risk but no evidence of active compromise or takeover across the package's history. | ai | |
Versions (showing 34 of 34)
| Version | Deps | Published |
|---|---|---|
| 1.6.0 | 4 / 22 | |
| 1.5.0 | 4 / 22 | |
| 1.4.3 | 4 / 22 | |
| 1.4.2 | 4 / 22 | |
| 1.4.1 | 4 / 22 | |
| 1.4.0 | 4 / 22 | |
| 1.3.7 | 4 / 22 | |
| 1.3.6 | 3 / 16 | |
| 1.3.5 | 2 / 17 | |
| 1.3.4 | 2 / 16 | |
| 1.3.3 | 2 / 16 | |
| 1.3.2 | 2 / 15 | |
| 1.3.1 | 3 / 15 | |
| 1.3.0 | 3 / 15 | |
| 1.2.10 | 3 / 15 | |
| 1.2.9 | 3 / 15 | |
| 1.2.8 | 3 / 15 | |
| 1.2.7 | 3 / 15 | |
| 1.2.6 | 2 / 13 | |
| 1.2.5 | 2 / 13 | |
| 1.2.4 | 2 / 13 | |
| 1.2.3 | 2 / 12 | |
| 1.2.2 | 2 / 12 | |
| 1.2.1 | 2 / 12 | |
| 1.2.0 | 2 / 12 | |
| 1.1.1 | 2 / 11 | |
| 1.1.0 | 1 / 11 | |
| 1.0.6 | 1 / 11 | |
| 1.0.5 | 1 / 11 | |
| 1.0.4 | 1 / 11 | |
| 1.0.3 | 1 / 16 | |
| 1.0.2 | 1 / 16 | |
| 1.0.1 | 1 / 16 | |
| 1.0.0 | 1 / 16 | |
v1.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.3.0
3 findings:
- All previous maintainers (keywordbrain) were replaced by new maintainers (davidpfahler, mxlje). This is a strong signal of a potential package hijack and requires careful review.
- This version was published by a different npm account than previous versions on 2016-08-08. This could indicate a legitimate maintainer transition or an account compromise.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.10
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.9
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.8
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.3
2 findings:
- Maintainer email '[email protected]' uses domain 'keywordbrain.com' which has no DNS records. An attacker could register this domain to hijack the maintainer identity.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.2.0
3 findings:
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.
- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.0.0
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.