@inquirer/checkbox — Greenflagged

Inquirer checkbox prompt

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sboudriasmischah

Keywords

answeranswersaskbaseclicommandcommand-lineconfirmenquirergenerategeneratorhyperinputinquireinquirerinterfaceitermjavascriptmenunodenodejspromptpromptlypromptsquestionreadlinescaffoldscaffolderscaffoldingstdinstdoutterminalttyuiyeomanyozsh

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:figures	AI (dependencies): figures is a well-known terminal symbols package, its use in a CLI prompt component like @inquirer/checkbox is expected and benign.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): Dependency swap from picocolors to yoctocolors-cjs is routine maintenance; both are legitimate color utilities with no malicious indicators.	ai	2026/04/23
dependencies	unvetted-dep:@inquirer/ansi	AI (dependencies): First-party sibling package in the @inquirer/ namespace, maintained by the same publisher (sboudrias). Not a third-party unknown.	ai	2026/04/23
dependencies	unvetted-dep:@inquirer/core	AI (dependencies): First-party sibling package in the @inquirer/ namespace, maintained by the same publisher (sboudrias). Not a third-party unknown.	ai	2026/04/23
dependencies	unvetted-dep:@inquirer/type	AI (dependencies): First-party sibling package in the @inquirer/ namespace, maintained by the same publisher (sboudrias). Not a third-party unknown.	ai	2026/04/23
dependencies	unvetted-dep:@inquirer/figures	AI (dependencies): First-party sibling package in the @inquirer/ namespace, maintained by the same publisher (sboudrias). Not a third-party unknown.	ai	2026/04/23
dependencies	unvetted-dep:ansi-escapes	AI (dependencies): ansi-escapes is a standard, widely-used ANSI escape code library; transitive dependency through established @inquirer packages.	ai	2026/04/23
provenance	no-provenance	AI (provenance): Provenance is a best-practice recommendation; absence is not a security blocker for an established, trusted publisher.	ai	2026/04/21

Versions (showing 51 of 89)

View all versions

Version	Deps	Published
5.2.1	4 / 2	2026-05-29
5.2.0	4 / 2	2026-05-25
5.1.5	4 / 2	2026-05-10
5.1.4	4 / 2	2026-04-19
5.1.3	4 / 2	2026-04-06
5.1.2	4 / 2	2026-03-15
5.1.1	4 / 2	2026-03-15
5.1.0	4 / 3	2026-02-22
5.0.7	4 / 3	2026-02-16
5.0.6	4 / 3	2026-02-14
5.0.5	4 / 3	2026-02-14
5.0.4	4 / 3	2026-01-11
5.0.3	4 / 3	2025-12-13
5.0.2	4 / 3	2025-12-02
5.0.1	4 / 3	2025-11-17
5.0.0	4 / 3	2025-11-16
4.3.2	5 / 4	2025-11-12
4.3.1	5 / 4	2025-11-08
4.3.0	5 / 4	2025-10-13
4.2.4	5 / 4	2025-09-14
4.1.5	5 / 4	2025-04-03
4.1.4	5 / 4	2025-03-15
4.1.3	5 / 4	2025-03-08
4.1.2	5 / 4	2025-02-15
4.1.1	5 / 4	2025-02-02
4.1.0	5 / 4	2025-02-02
4.0.7	5 / 4	2025-01-28
4.0.6	5 / 4	2025-01-13
4.0.5	5 / 4	2025-01-11
4.0.4	5 / 4	2024-12-20
4.0.3	5 / 4	2024-12-07
4.0.2	5 / 4	2024-11-11
4.0.1	5 / 4	2024-10-25
4.0.0	5 / 4	2024-10-06
3.0.1	5 / 1	2024-09-16
3.0.0	5 / 1	2024-09-15
2.5.0	5 / 1	2024-09-02
2.4.7	5 / 1	2024-08-05
2.4.6	5 / 1	2024-08-04
2.4.5	5 / 1	2024-07-30
2.4.4	5 / 1	2024-07-29
2.4.3	5 / 1	2024-07-28
2.4.2	5 / 1	2024-07-21
2.4.1	5 / 1	2024-07-19
2.4.0	5 / 1	2024-07-17
2.3.11	5 / 1	2024-07-16
2.3.10	5 / 1	2024-07-04
2.3.9	5 / 1	2024-07-03
2.3.8	5 / 1	2024-06-30
2.3.7	5 / 1	2024-06-26
2.3.6	5 / 1	2024-06-19