redux-devtools-inspector
Redux DevTools Diff Monitor
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| source-diff | large-new-source-files | AI (source-diff): New source files reflect monorepo restructuring; no obfuscated or suspicious code patterns indicated. | ai | |
| provenance | missing-githead | AI (provenance): Missing gitHead is consistent with the monorepo migration and changed publish environment; not a malware indicator for this package. | ai | |
| source-diff | source-size-dropped | AI (source-diff): Size drop reflects removal of bundled demo/build artifacts during monorepo migration, not code replacement with a stub. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition to methuselah96 as part of Redux DevTools monorepo migration to the official reduxjs GitHub org. Publisher has 347 approved / 0 rejected packages. | ai | |
| phantom-deps | phantom-dep:react-themeable | AI (phantom-deps): react-themeable is legitimately declared in dependencies; used as a peer dependency for theming support. | ai | |
| phantom-deps | phantom-dep:css-loader | AI (phantom-deps): css-loader is legitimately declared in dependencies and used in webpack build config; common pattern for UI libraries. | ai | |
| phantom-deps | phantom-dep:style-loader | AI (phantom-deps): style-loader is legitimately declared in dependencies and used in webpack build config; common pattern for UI libraries. | ai | |
| phantom-deps | phantom-dep:@alexkuz/react-json-tree | AI (phantom-deps): Declared in dependencies and authored by the same publisher; used as a component library for JSON rendering. | ai | |
| phantom-deps | phantom-dep:babel-runtime | AI (phantom-deps): babel-runtime is a legacy Babel 6 runtime dependency declared for transform-runtime; not directly imported in source is expected for this usage pattern. | ai | |
| phantom-deps | phantom-dep:@types/dragula | AI (phantom-deps): @types/* packages are consumed by TypeScript compiler, not directly imported in source. False positive for this TypeScript package. | ai | |
| phantom-deps | phantom-dep:@types/prop-types | AI (phantom-deps): @types/* packages are consumed by TypeScript compiler, not directly imported in source. False positive for this TypeScript package. | ai | |
Versions (showing 40 of 40)
| Version | Deps | Published |
|---|---|---|
| 0.14.0 | 14 / 26 | |
| 0.13.1 | 14 / 33 | |
| 0.13.0 | 16 / 33 | |
| 0.12.1 | 16 / 33 | |
| 0.12.0 | 16 / 33 | |
| 0.11.3 | 13 / 43 | |
| 0.11.2 | 14 / 40 | |
| 0.11.0 | 14 / 40 | |
| 0.10.0 | 14 / 39 | |
| 0.9.4 | 14 / 39 | |
| 0.9.3 | 14 / 39 | |
| 0.9.2 | 14 / 39 | |
| 0.9.1 | 14 / 39 | |
| 0.9.0 | 14 / 39 | |
| 0.8.0 | 14 / 38 | |
| 0.7.1 | 14 / 38 | |
| 0.7.0 | 14 / 38 | |
| 0.6.1 | 14 / 37 | |
| 0.6.0 | 14 / 37 | |
| 0.5.3 | 14 / 37 | |
| 0.5.2 | 14 / 37 | |
| 0.5.1 | 14 / 37 | |
| 0.5.0 | 14 / 37 | |
| 0.4.1 | 14 / 37 | |
| 0.4.0 | 14 / 37 | |
| 0.3.5 | 13 / 33 | |
| 0.3.4 | 13 / 33 | |
| 0.3.3 | 13 / 33 | |
| 0.3.2 | 13 / 33 | |
| 0.3.1 | 13 / 33 | |
| 0.2.2 | 12 / 33 | |
| 0.2.1 | 11 / 33 | |
| 0.2.0 | 10 / 34 | |
| 0.1.7 | 10 / 33 | |
| 0.1.6 | 10 / 33 | |
| 0.1.5 | 9 / 32 | |
| 0.1.4 | 11 / 32 | |
| 0.1.3 | 10 / 32 | |
| 0.1.2 | 10 / 32 | |
| 0.1.1 | 9 / 32 | |
v0.14.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.13.0
2 findings: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: methuselah96.
v0.12.1
2 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: methuselah96.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.12.0
3 findings: This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: methuselah96.
This version was published by a different npm account than previous versions on 2020-07-31. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.11.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.10.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.9.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.8.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.7.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.6.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.5.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.4.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.3.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.1
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.2.0
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.7
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.6
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.5
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.4
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.3
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.2
1 finding: Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v0.1.1
1 finding: Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.