@inquirer/password — Greenflagged

Inquirer password prompt

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sboudriasmischah

Keywords

answeranswersaskbaseclicommandcommand-lineconfirmenquirergenerategeneratorhyperinputinquireinquirerinterfaceitermjavascriptmenunodenodejspromptpromptlypromptsquestionreadlinescaffoldscaffolderscaffoldingstdinstdoutterminalttyuiyeomanyozsh

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): Trusted long-standing maintainer (sboudrias) with 1280 approved packages; gitHead is actually present in package.json; likely a CI/CD environment change, not a supply chain concern.	ai	2026/04/27
source-diff	source-size-tripled	AI (source-diff): Size increase is due to the v2 rewrite adding dual ESM/CJS compiled output and inlining core logic previously delegated to @inquirer/input; no injected payload indicators.	ai	2026/04/24
publish-pattern	new-deps-added	AI (publish-pattern): ansi-escapes is a well-known, legitimate CLI utility package; its addition is consistent with a terminal password prompt's functionality and poses no security risk.	ai	2026/04/24
dependencies	unvetted-dep:ansi-escapes	AI (dependencies): ansi-escapes is a legitimate, well-known utility for CLI prompt libraries; appropriate dependency for this package.	ai	2026/04/23
dependencies	unvetted-dep:@inquirer/ansi	AI (dependencies): First-party dependency within the @inquirer monorepo, published by the same author (sboudrias).	ai	2026/04/21
typosquat	typosquat.levenshtein:passport	AI (typosquat): @inquirer/password is part of the official Inquirer.js monorepo; scoped namespace and clear purpose rule out brand impersonation.	ai	2026/04/21
dependencies	unvetted-dep:@inquirer/type	AI (dependencies): First-party dependency within the @inquirer monorepo, published by the same author (sboudrias).	ai	2026/04/21
dependencies	unvetted-dep:@inquirer/core	AI (dependencies): First-party dependency within the @inquirer monorepo, published by the same author (sboudrias).	ai	2026/04/21

Versions (showing 51 of 98)

View all versions

Version	Deps	Published
5.1.1	3 / 2	2026-05-29
5.1.0	3 / 2	2026-05-25
5.0.13	3 / 2	2026-05-10
5.0.12	3 / 2	2026-04-19
5.0.11	3 / 2	2026-04-06
5.0.10	3 / 2	2026-03-15
5.0.9	3 / 2	2026-03-15
5.0.8	3 / 3	2026-02-22
5.0.7	3 / 3	2026-02-16
5.0.6	3 / 3	2026-02-14
5.0.5	3 / 3	2026-02-14
5.0.4	3 / 3	2026-01-11
5.0.3	3 / 3	2025-12-13
5.0.2	3 / 3	2025-12-02
5.0.1	3 / 3	2025-11-17
5.0.0	3 / 3	2025-11-16
4.0.23	3 / 4	2025-11-12
4.0.22	3 / 4	2025-11-08
4.0.21	3 / 4	2025-10-13
4.0.20	3 / 4	2025-09-14
4.0.19	3 / 4	2025-09-14
4.0.18	3 / 4	2025-08-24
4.0.17	3 / 4	2025-07-20
4.0.16	3 / 4	2025-07-01
4.0.15	3 / 4	2025-05-25
4.0.14	3 / 4	2025-05-23
4.0.13	3 / 4	2025-05-10
4.0.12	3 / 4	2025-04-03
4.0.11	3 / 4	2025-03-15
4.0.10	3 / 4	2025-03-08
4.0.9	3 / 4	2025-02-15
4.0.8	3 / 4	2025-02-02
4.0.7	3 / 4	2025-01-28
4.0.6	3 / 4	2025-01-13
4.0.5	3 / 4	2025-01-11
4.0.4	3 / 4	2024-12-20
4.0.3	3 / 4	2024-12-07
4.0.2	3 / 4	2024-11-11
4.0.1	3 / 4	2024-10-25
4.0.0	3 / 4	2024-10-06
3.0.1	3 / 1	2024-09-16
3.0.0	3 / 1	2024-09-15
2.2.0	3 / 1	2024-09-02
2.1.22	3 / 1	2024-08-05
2.1.21	3 / 1	2024-08-04
2.1.20	3 / 1	2024-07-30
2.1.19	3 / 1	2024-07-29
2.1.18	3 / 1	2024-07-28
2.1.17	3 / 1	2024-07-21
2.1.16	3 / 1	2024-07-19
2.1.15	3 / 1	2024-07-16