redux — Greenflagged

Predictable state container for JavaScript apps

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

gaearontimdorracdlitephryneasacemarkeeskimojo

Keywords

reduxreducerstatepredictablefunctionalimmutablehotlivereplayfluxelm

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	publisher-changed	AI (provenance): timdorr is a known long-standing Redux core maintainer; publisher rotation between acemarke and timdorr is expected for this package.	ai	2026/04/24
source-diff	net-exec-file:es/redux.mjs	AI (source-diff): Function('return this') is a standard global-this polyfill from symbol-observable; no actual network calls. False positive on minified build output.	ai	2026/04/24
source-diff	obfuscated-file:es/redux.mjs	AI (source-diff): Minified rollup+terser build output of redux source; recognizable API surface (createStore, compose, etc.). Standard for this package's ES module bundle.	ai	2026/04/24
phantom-deps	phantom-dep:loose-envify	AI (phantom-deps): loose-envify is used as a browserify transform declared in package.json, not a direct import.	ai	2026/04/24
source-diff	large-new-source-files	AI (source-diff): Major version migrated build tooling (Babel→tsup/TypeScript), producing new dist file structure. Expected for this package.	ai	2026/04/24
source-diff	obfuscated-file:dist/redux.browser.mjs	AI (source-diff): Standard minified browser bundle produced by tsup; content is clearly Redux source code with Redux error codes and API surface.	ai	2026/04/24
provenance	missing-githead	AI (provenance): Redux is a cornerstone package; missing gitHead reflects a publish-environment change, not a security concern.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Redux predates Sigstore adoption; lack of provenance is expected for legacy publish workflows.	ai	2026/04/23
bogus-package	bogus-package	AI (bogus-package): gaearon (Dan Abramov) is Redux's creator, not spam. README heuristic is a false positive for this major ecosystem package.	ai	2026/04/23

Versions (showing 51 of 68)

View all versions

Version	Deps	Published
5.0.1	0 / 20	2023-12-23
5.0.0	0 / 20	2023-12-04
4.2.1	1 / 38	2023-01-28
4.2.0	1 / 38	2022-04-18
4.1.2	1 / 38	2021-10-28
4.1.1	1 / 38	2021-08-03
4.1.0	1 / 38	2021-04-24
4.0.5	2 / 33	2019-12-24
4.0.4	2 / 33	2019-07-10
4.0.3	2 / 33	2019-07-09
4.0.2	2 / 33	2019-07-09
4.0.1	2 / 30	2018-10-13
4.0.0	2 / 27	2018-04-17
3.7.2	4 / 45	2017-07-13
3.7.1	4 / 45	2017-06-26
3.7.0	4 / 45	2017-06-17
3.6.0	4 / 41	2016-09-04
3.5.2	4 / 39	2016-04-24
3.5.1	4 / 39	2016-04-20
3.5.0	4 / 39	2016-04-20
3.4.0	3 / 38	2016-04-08
3.3.1	3 / 36	2016-02-06
3.3.0	2 / 36	2016-02-05
3.2.1	2 / 36	2016-02-02
3.2.0	2 / 14	2016-02-01
3.1.7	1 / 14	2016-01-31
3.1.6	1 / 13	2016-01-31
3.1.5	1 / 13	2016-01-30
3.1.4	1 / 13	2016-01-29
3.1.3	1 / 13	2016-01-29
3.1.2	1 / 13	2016-01-28
3.1.1	0 / 13	2016-01-28
3.1.0	0 / 13	2016-01-28
3.0.6	0 / 13	2016-01-25
3.0.5	0 / 13	2015-12-12
3.0.4	0 / 13	2015-10-23
3.0.3	0 / 13	2015-10-20
3.0.2	0 / 14	2015-09-26
3.0.1	0 / 14	2015-09-25
3.0.0	0 / 15	2015-09-12
2.0.0	0 / 15	2015-09-01
1.0.1	0 / 15	2015-08-15
1.0.0	2 / 15	2015-08-14
0.12.0	1 / 17	2015-06-19
0.11.1	4 / 16	2015-06-16
0.11.0	4 / 16	2015-06-14
0.10.1	4 / 16	2015-06-13
0.10.0	4 / 16	2015-06-13
0.9.0	5 / 10	2015-06-09
0.8.1	5 / 10	2015-06-06
0.8.0	5 / 10	2015-06-06

v5.0.0

2 findings

HIGH New obfuscated file: dist/redux.browser.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.1

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: acemarke.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.2.0

2 findings

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Missing gitHead — previous versions had it provenance

[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: acemarke.

v4.1.2

2 findings

HIGH Publisher changed: timdorr → acemarke (on 2021-10-28) provenance

This version was published by a different npm account than previous versions on 2021-10-28. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.1

2 findings

HIGH Publisher changed: acemarke → timdorr (on 2021-08-03) provenance

This version was published by a different npm account than previous versions on 2021-08-03. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.1.0

2 findings

HIGH Publisher changed: timdorr → acemarke (on 2021-04-24) provenance

This version was published by a different npm account than previous versions on 2021-04-24. This could indicate a legitimate maintainer transition or an account compromise.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.5

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.4

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.3

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.2

3 findings

HIGH New obfuscated file: es/redux.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: es/redux.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.1

3 findings

HIGH New obfuscated file: es/redux.mjs source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New file with network + code execution: es/redux.mjs source-diff

Newly added file contains both network calls and dynamic code execution. This is a hallmark of dropper/loader malware.

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v4.0.0

1 finding

INFO No provenance attestation provenance

[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.