Public package evidence

npm:react@19.0.0

Public evidence pages summarize static registry, advisory, and retained artifact signals. They do not execute package code.

LookupCompare

npm:react@19.0.0

Compared against 19.0.0-rc-1c9b1387-20241204.

low
Findings
0
Release time
2024-12-05T18:10:21.804Z
Integrity
sha512-V8AVnmPIICiWpGfm6GLzCR/W5FXLchHop40W4nXBmdlEceh16rCN8O8LNWm5bh5XUX91fh7KpA+W0TgMKmgTpQ==
Recommendation
No action recommended from current static metadata.
Correlation: No blocking static, advisory, artifact, retained, or behavior findings were correlated.
Safe version guidance
Review or pin to baseline version 19.0.0-rc-1c9b1387-20241204.
This is the release-over-release comparison baseline, not a reviewed safe version. Use it as a rollback candidate only after confirming it is acceptable for the project.
baseline
Package artifact
What changed

No added manifest scripts or dependencies were identified for this version.

Why it matters

Current static evidence did not produce a suspicious finding. That is not proof the package is safe.

What to do next

No action recommended from current static metadata.

Evidence

Public evidence is static metadata, OSV context, and capped artifact diffing when available. No package code was executed for this page.

No suspicious static evidence
This does not prove the package is safe. It means current static metadata, OSV context, and artifact checks did not flag this version.

Package identity

Registry identity and chain-of-custody fields used for this page.

Ecosystem
npm
Package
react
Version
19.0.0
Registry URL
https://www.npmjs.com/package/react
Description
React is a JavaScript library for building user interfaces.
Maintainers
gnoff <jcs.gnoff@gmail.com>, fb <opensource+npm@fb.com>, sophiebits <npm@sophiebits.com>, react-bot <react-core@meta.com>
Authors
None
Dist tags
beta: 19.0.0-beta-26f2496093-20240514, rc: 19.0.0-rc.1, next: 19.3.0-canary-d5736f09-20260507, backport: 19.1.8, latest: 19.2.7, experimental: 0.0.0-experimental-52912a14-20260625, canary: 19.3.0-canary-52912a14-20260625
Project URLs
Homepage: https://react.dev/ / Repository: git+https://github.com/facebook/react.git
Artifact file
react-19.0.0.tgz
Artifact type
tgz
Artifact URL
https://registry.npmjs.org/react/-/react-19.0.0.tgz
Yanked/deprecated
no
Release time
2024-12-05T18:10:21.804Z
Previous version
19.0.0-rc-1c9b1387-20241204
Comparison
19.0.0-rc-1c9b1387-20241204
Artifact host
registry.npmjs.org
Registry integrity
sha512-V8AVnmPIICiWpGfm6GLzCR/W5FXLchHop40W4nXBmdlEceh16rCN8O8LNWm5bh5XUX91fh7KpA+W0TgMKmgTpQ==
Registry shasum
6e1969251b9f108870aa4bff37a0ce9ddfaaabdd
Computed SHA-256
2178ec02d41c09f60b5a7dc21844787afd0a41f268faa6ea9ac7a06ccf64eca6
Artifact size
30.4 KB
Digest status
verified
Evidence sources
artifact_static_diff
Confidence labels
static-diff
Advisory profile
None

Confidence limits

What the evidence can prove, what it cannot prove, and which gates still apply.

Evidence sources
artifact_static_diff
Confidence labels
static-diff
Correlation factors
0
Static artifact evidence
Official registry artifacts were inspected under static caps. This can support customer findings, but it does not prove runtime behavior because package code was not executed.
strength

Manifest diff

Registry manifest changes compared with the selected baseline.

Manifest source
npm package json
Scripts in version
0
Dependencies in version
0
Optional dependencies
0
PyPI requires_dist entries
0
Project URLs
2
Changed manifest entries
0
Registry metadata fields
Name
react
metadata
Version
19.0.0
metadata
Description
React is a JavaScript library for building user interfaces.
metadata
Homepage
https://react.dev/
metadata
Repository
git+https://github.com/facebook/react.git
metadata
No registry manifest changes
The registry manifest did not add scripts or dependencies relative to the selected baseline.

Artifact forensics

Official registry artifacts only. Package code was not executed.

Analyzer
artifact-static-forensics-v2
Candidate artifact
19.0.0 / verified / sha256 2178ec02d41c09f6... / 30.4 KB
Candidate URL host
registry.npmjs.org
Candidate fetched
2026-06-26T10:23:03.973Z
Baseline artifact
19.0.0-rc-1c9b1387-20241204 / verified / sha256 dfdd2a1956ecfe25... / 30.5 KB
Baseline URL host
registry.npmjs.org
Files
27 current / 27 baseline
Diff
0 added / 5 changed / 0 deleted
Inventory rows
27 capped rows / 5 changed
Content mix
26 text / 1 opaque
Payload labels
0 native / 0 archives / 0 high entropy
Manifest and config files
1 retained / 1 changed
Manifest content diffs
1 summarized
Inventory status
0 added / 5 changed / 0 deleted
Unchanged baseline
22 unchanged rows retained
Top file types
text 26 / opaque_binary 1
Largest files
cjs/react.development.js 54.6 KB / cjs/react.react-server.development.js 39.6 KB
1 manifest/config rows retained. npm manifest 1
package.json
npm manifest / changed / 1.2 KB / inspectable text
sha256 9000ced5f7bfae34... / baseline 9ea3631d90c29c81...
changed
Parsed manifest diffs are static evidence only. They explain package release changes without executing package code.
package.json
npm manifest / changed / 1 package.json fields changed.
changed version -> 19.0.0 (baseline 19.0.0-rc-1c9b1387-20241204)
changed
cjs/react.development.js
changed text / 54.6 KB / inspectable text / entropy 4.50
sha256 0c81ce0e95e381e0... / baseline acd40ea2d7a7759a...
changed
cjs/react.react-server.development.js
changed text / 39.6 KB / inspectable text / entropy 4.50
sha256 ba4a600311a573d8... / baseline ddb8ce10ec604fdf...
changed
cjs/react.production.js
changed text / 16.5 KB / inspectable text / entropy 4.86
sha256 9d5546ae8149c2fc... / baseline 5381b8862de2f3cb...
changed
cjs/react.react-server.production.js
changed text / 12.9 KB / inspectable text / entropy 4.84
sha256 d4631a40a68004d3... / baseline 58434510a8906be4...
changed
package.json
changed text / 1.2 KB / inspectable text / entropy 4.61
sha256 9000ced5f7bfae34... / baseline 9ea3631d90c29c81...
changed
Package code was not installed, imported, or executed. Only official registry artifacts with trusted HTTPS origins were fetched. Artifact bytes were capped at 10 MiB compressed and 64 MiB expanded. File inventory is capped at 250 rows for response size. Full inventory is capped for browser review; use this panel as static package evidence, not proof of runtime behavior.