@npmcli/config
Configuration management for the npm cli
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance nothing cryptographically binds this tarball to a source commit and a build workflow; the registry only records that someone holding publish rights uploaded it. The axios compromise (March 2026) relied on exactly this gap.
Maintainers
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:mkdirp-infer-owner | AI (dependencies): mkdirp-infer-owner is an isaacs-authored utility used throughout the npm CLI toolchain; legitimate dependency for this package. | ai | |
| npm-metadata | suspicious-initial-version | AI (npm-metadata): 0.0.0 is isaacs/npm's standard bootstrapping version for official npm CLI packages; not indicative of malicious intent for this well-established package. | ai | |
| provenance | no-provenance | AI (provenance): Official npm CLI workspace package; lack of Sigstore provenance is not a risk signal here. | ai | |
| provenance | publisher-changed | AI (provenance): Both owlstronaut and gar are known npm CLI team members; routine maintainer rotation within the npm org. | ai | |
| provenance | missing-githead | AI (provenance): Reflects publish environment change; no material code changes. Normal for npm org packages. | ai | |
| semgrep | semgrep:base64-decode | AI (semgrep): Base64 encode/decode of npm registry credentials is standard auth handling for this config module. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Loads npm's own package.json via a controlled internal path, not arbitrary user input. | ai | |
| semgrep | semgrep:npmrc-access | AI (semgrep): This package IS npm's config manager; accessing .npmrc is its core purpose. Stable false positive. | ai | |
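The three provenance rules accepted above (no-provenance, publisher-changed, missing-githead), and the provenance note at the top of the page, can all be reproduced from the registry's own metadata. The block below is an added example, not code from this page, from the npm CLI, or from the scanner that produced these findings. It assumes the public registry packument format (the JSON returned by GET https://registry.npmjs.org/<name>: `versions[v].gitHead`, `versions[v]._npmUser.name`, `versions[v].dist.attestations`, `time[v]`); `SAMPLE_PACKUMENT` is constructed data, not the real document for @npmcli/config.

```javascript
// Added example: reproduces the report's no-provenance, missing-githead and
// publisher-changed checks over a registry packument. Not code from the page,
// the npm CLI or the scanner. Field names assume the public registry format;
// SAMPLE_PACKUMENT is constructed sample data, not @npmcli/config's.

// Publish order comes from the `time` map; `created` and `modified` are not versions.
function publishOrder(packument) {
  return Object.entries(packument.time || {})
    .filter(([key]) => key !== 'created' && key !== 'modified' && packument.versions[key])
    .sort((a, b) => Date.parse(a[1]) - Date.parse(b[1]))
    .map(([version]) => version);
}

// A provenance attestation carries a SLSA predicateType; without it nothing
// binds the tarball to a source commit and build workflow.
function hasProvenance(manifest) {
  const att = manifest.dist && manifest.dist.attestations;
  return Boolean(att && att.provenance && att.provenance.predicateType);
}

function provenanceFindings(packument) {
  const findings = [];
  let prevPublisher = null;
  let seenGitHead = false;
  for (const version of publishOrder(packument)) {
    const m = packument.versions[version];
    const publisher = m._npmUser ? m._npmUser.name : null;
    const date = String(packument.time[version]).slice(0, 10);

    if (!hasProvenance(m)) {
      findings.push({ version, rule: 'no-provenance',
        detail: 'Package was published without Sigstore provenance.' });
    }
    // Earlier versions carried a gitHead and this one does not: npm only records
    // gitHead when publishing from a git checkout, so the publish environment changed.
    if (seenGitHead && !m.gitHead) {
      findings.push({ version, rule: 'missing-githead',
        detail: `No gitHead field linking it to a source commit, but previous versions had one. Published by: ${publisher}.` });
    }
    if (prevPublisher && publisher && publisher !== prevPublisher) {
      findings.push({ version, rule: 'publisher-changed',
        detail: `Published by ${publisher} on ${date}; previous versions were published by ${prevPublisher}.` });
    }
    if (m.gitHead) seenGitHead = true;
    if (publisher) prevPublisher = publisher;
  }
  return findings;
}

// Constructed sample packument: three versions, fictitious publishers and hashes.
const SAMPLE_PACKUMENT = {
  name: '@example/pkg',
  time: {
    created: '2025-01-01T00:00:00.000Z',
    modified: '2025-03-01T00:00:00.000Z',
    '1.0.0': '2025-01-01T00:00:00.000Z',
    '1.1.0': '2025-02-01T00:00:00.000Z',
    '1.2.0': '2025-03-01T00:00:00.000Z',
  },
  versions: {
    '1.0.0': {
      version: '1.0.0',
      gitHead: '0123456789abcdef0123456789abcdef01234567',
      _npmUser: { name: 'alice', email: 'alice@example.invalid' },
      dist: {
        tarball: 'https://registry.npmjs.org/@example/pkg/-/pkg-1.0.0.tgz',
        attestations: {
          url: 'https://registry.npmjs.org/-/npm/v1/attestations/@example%2fpkg@1.0.0',
          provenance: { predicateType: 'https://slsa.dev/provenance/v1' },
        },
      },
    },
    '1.1.0': {
      version: '1.1.0',
      gitHead: '89abcdef0123456789abcdef0123456789abcdef',
      _npmUser: { name: 'alice', email: 'alice@example.invalid' },
      dist: { tarball: 'https://registry.npmjs.org/@example/pkg/-/pkg-1.1.0.tgz' },
    },
    '1.2.0': {
      version: '1.2.0', // gitHead absent: published outside a git checkout
      _npmUser: { name: 'bob', email: 'bob@example.invalid' },
      dist: { tarball: 'https://registry.npmjs.org/@example/pkg/-/pkg-1.2.0.tgz' },
    },
  },
};

for (const f of provenanceFindings(SAMPLE_PACKUMENT)) {
  console.log(`${f.version}\t${f.rule}\t${f.detail}`);
}
```

Against a real package, fetch `https://registry.npmjs.org/<name>`, parse it and pass the object to `provenanceFindings`. These checks only look at metadata presence; `npm audit signatures` is what actually verifies the registry signatures and provenance attestations against Sigstore.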
Versions (showing 51 of 93)
| Version | Deps (runtime / dev) | Published |
|---|---|---|
| 10.10.0 | 8 / 4 | |
| 10.9.1 | 8 / 4 | |
| 10.9.0 | 8 / 4 | |
| 10.8.0 | 8 / 4 | |
| 10.7.1 | 8 / 4 | |
| 10.7.0 | 8 / 4 | |
| 10.6.0 | 8 / 4 | |
| 10.5.0 | 8 / 4 | |
| 10.4.5 | 8 / 4 | |
| 10.4.4 | 8 / 4 | |
| 10.4.3 | 8 / 4 | |
| 10.4.2 | 8 / 4 | |
| 10.4.1 | 8 / 4 | |
| 10.4.0 | 8 / 4 | |
| 10.3.1 | 8 / 4 | |
| 10.3.0 | 8 / 4 | |
| 10.2.0 | 8 / 4 | |
| 10.1.0 | 8 / 4 | |
| 10.0.1 | 8 / 4 | |
| 10.0.0 | 8 / 4 | |
| 9.0.0 | 8 / 4 | |
| 8.3.4 | 8 / 4 | |
| 8.3.3 | 8 / 4 | |
| 8.3.2 | 8 / 4 | |
| 8.3.1 | 8 / 4 | |
| 8.3.0 | 8 / 4 | |
| 8.2.2 | 8 / 4 | |
| 8.2.1 | 8 / 4 | |
| 8.2.0 | 8 / 4 | |
| 8.1.0 | 8 / 4 | |
| 8.0.3 | 8 / 4 | |
| 8.0.2 | 8 / 4 | |
| 8.0.1 | 8 / 4 | |
| 8.0.0 | 8 / 4 | |
| 7.2.0 | 8 / 4 | |
| 7.1.0 | 8 / 4 | |
| 7.0.1 | 8 / 4 | |
| 7.0.0 | 8 / 4 | |
| 6.4.1 | 8 / 4 | |
| 6.4.0 | 8 / 4 | |
| 6.3.0 | 8 / 4 | |
| 6.2.1 | 8 / 4 | |
| 6.2.0 | 7 / 3 | |
| 6.1.7 | 7 / 3 | |
| 6.1.6 | 7 / 3 | |
| 6.1.5 | 7 / 3 | |
| 6.1.4 | 7 / 3 | |
| 6.1.3 | 7 / 3 | |
| 6.1.2 | 7 / 3 | |
| 6.1.1 | 7 / 3 | |
| 6.1.0 | 7 / 3 | |
v10.10.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.9.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.9.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.8.0
2 findings:
- Accessing .npmrc can expose npm auth tokens. Source: https://github.com/npm/cli/blob/b657fa797d0526c7720833c4f3583cd0ec0add76/lib/definitions/definitions.js#L2347 (flagged line marked `>`):

  ```js
    2345 | }),
    2346 | userconfig: new Definition('userconfig', {
  > 2347 |   default: '~/.npmrc',
    2348 |   type: path,
    2349 |   description: `
  ```

- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
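The `.npmrc` finding above, together with the accepted semgrep rules `npmrc-access` and `base64-decode` listed earlier, comes down to the credential keys npm keeps in that file. The block below is an added example, not code from this page or from npm: it parses an `.npmrc`, flags the registry-scoped keys npm treats as credentials (`_authToken`, `_auth`, `_password`), decodes the legacy base64 `_auth` pair to show that the encoding hides nothing, and produces a redacted copy that is safe to attach to a bug report. The parser covers only the `key=value` subset of npm's ini format, and `SAMPLE_NPMRC` is constructed with placeholder values.

```javascript
// Added example, not code from the page or from npm. It shows why reading
// ~/.npmrc is sensitive: the file holds registry credentials in well-known
// keys. Key names are npm's documented auth settings; the parser below covers
// only the `key=value` subset of npm's ini format. SAMPLE_NPMRC is constructed
// data with placeholder values, not a real credential.

const CREDENTIAL_KEYS = new Set(['_authToken', '_auth', '_password']);

// Minimal .npmrc reader: `key=value` per line, `;` or `#` starts a comment.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Registry-scoped keys look like `//host/path/:_authToken`; split scope from name.
function splitScopedKey(key) {
  const colon = key.lastIndexOf(':');
  if (key.startsWith('//') && colon > 0) {
    return { registry: key.slice(0, colon), name: key.slice(colon + 1) };
  }
  return { registry: null, name: key };
}

// List every credential the file would hand to npm, with what kind it is.
function auditNpmrc(text) {
  const findings = [];
  for (const { key, value } of parseNpmrc(text)) {
    const { registry, name } = splitScopedKey(key);
    if (!CREDENTIAL_KEYS.has(name)) continue;
    let note;
    if (name === '_auth') {
      // Legacy `_auth` is base64("user:password"): decoding it is just reading
      // the password, which is why a base64-decode rule fires on this code path.
      const decoded = Buffer.from(value, 'base64').toString('utf8');
      const user = decoded.includes(':') ? decoded.slice(0, decoded.indexOf(':')) : '?';
      note = `legacy basic-auth pair for user "${user}"`;
    } else if (name === '_authToken') {
      note = value.startsWith('npm_') ? 'npm-issued token (npm_ prefix)' : 'bearer token';
    } else {
      note = 'plaintext password';
    }
    if (registry === null) note += '; unscoped, not tied to a single registry';
    findings.push({ registry: registry || '(unscoped)', key: name, note });
  }
  return findings;
}

// Copy of the file with credential values blanked, safe to paste into a bug report.
function redactNpmrc(text) {
  return text.split(/\r?\n/).map((line) => {
    const eq = line.indexOf('=');
    if (eq < 0) return line;
    const { name } = splitScopedKey(line.slice(0, eq).trim());
    return CREDENTIAL_KEYS.has(name) ? `${line.slice(0, eq + 1)}<redacted>` : line;
  }).join('\n');
}

// Constructed sample: placeholder token, base64("alice:hunter2"), fake host.
const SAMPLE_NPMRC = [
  '; constructed sample, no real credentials',
  'registry=https://registry.npmjs.org/',
  '//registry.npmjs.org/:_authToken=npm_EXAMPLE0000000000000000000000000000',
  '//npm.example.invalid/:_auth=YWxpY2U6aHVudGVyMg==',
  '//npm.example.invalid/:email=alice@example.invalid',
  '_password=plaintext-example',
].join('\n');

for (const f of auditNpmrc(SAMPLE_NPMRC)) {
  console.log(`${f.registry}\t${f.key}\t${f.note}`);
}
console.log(redactNpmrc(SAMPLE_NPMRC));
```

The point of `auditNpmrc` is the inventory: any code path that reads the user config (which, as the accepted-risk note says, is this package's job) has every one of these values in memory, so the question to ask of a dependency is not whether it opens `.npmrc` but where those values go afterwards.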
v10.7.1
3 findings:
- This version was published by a different npm account than previous versions on 2026-02-19. This could indicate a legitimate maintainer transition or an account compromise.
- Accessing .npmrc can expose npm auth tokens. Source: https://github.com/npm/cli/blob/f52180d2ae1bdb8b0edde0314239f1c3b7cd0c37/lib/definitions/definitions.js#L2333 (flagged line marked `>`):

  ```js
    2331 | }),
    2332 | userconfig: new Definition('userconfig', {
  > 2333 |   default: '~/.npmrc',
    2334 |   type: path,
    2335 |   description: `
  ```

- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.7.0
3 findings:
- This version was published by a different npm account than previous versions on 2026-02-11. This could indicate a legitimate maintainer transition or an account compromise.
- Accessing .npmrc can expose npm auth tokens. Source: https://github.com/npm/cli/blob/4fb69e314d4d648150ef76dea600593451ba14ad/lib/definitions/definitions.js#L2333 (flagged line marked `>`):

  ```js
    2331 | }),
    2332 | userconfig: new Definition('userconfig', {
  > 2333 |   default: '~/.npmrc',
    2334 |   type: path,
    2335 |   description: `
  ```

- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.6.0
4 findings:
- This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- This version was published by a different npm account than previous versions on 2026-02-04. This could indicate a legitimate maintainer transition or an account compromise.
- Accessing .npmrc can expose npm auth tokens (flagged line marked `>`):

  ```js
    2308 | }),
    2309 | userconfig: new Definition('userconfig', {
  > 2310 |   default: '~/.npmrc',
    2311 |   type: path,
    2312 |   description: `
  ```

- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.5.0
2 findings:
- Accessing .npmrc can expose npm auth tokens. Source: https://github.com/npm/cli/blob/bda624ecf485588206f73e0efb19b5de04628207/lib/definitions/definitions.js#L2296 (flagged line marked `>`):

  ```js
    2294 | }),
    2295 | userconfig: new Definition('userconfig', {
  > 2296 |   default: '~/.npmrc',
    2297 |   type: path,
    2298 |   description: `
  ```

- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.4.5
2 findings:
- Accessing .npmrc can expose npm auth tokens. Source: https://github.com/npm/cli/blob/3b718e41f4c978c2a604d6e53eb98838fc7b0c8b/lib/definitions/definitions.js#L2296 (flagged line marked `>`):

  ```js
    2294 | }),
    2295 | userconfig: new Definition('userconfig', {
  > 2296 |   default: '~/.npmrc',
    2297 |   type: path,
    2298 |   description: `
  ```

- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.4.4
2 findings:
- Accessing .npmrc can expose npm auth tokens. Source: https://github.com/npm/cli/blob/61f0471c45029e83dbeecffc8a3d7272f4a00828/lib/definitions/definitions.js#L2301 (flagged line marked `>`):

  ```js
    2299 | }),
    2300 | userconfig: new Definition('userconfig', {
  > 2301 |   default: '~/.npmrc',
    2302 |   type: path,
    2303 |   description: `
  ```

- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.4.3
2 findings:
- Accessing .npmrc can expose npm auth tokens. Source: https://github.com/npm/cli/blob/7b6cc82eaa5aeb904a5f5d2e24df139e5e704356/lib/definitions/definitions.js#L2301 (flagged line marked `>`):

  ```js
    2299 | }),
    2300 | userconfig: new Definition('userconfig', {
  > 2301 |   default: '~/.npmrc',
    2302 |   type: path,
    2303 |   description: `
  ```

- Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.4.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.4.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.4.0
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-09-03. This could indicate a legitimate maintainer transition or an account compromise.
v10.3.1
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-07-24. This could indicate a legitimate maintainer transition or an account compromise.
v10.3.0
3 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-05-15. This could indicate a legitimate maintainer transition or an account compromise.
v10.2.0
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2025-04-08. This could indicate a legitimate maintainer transition or an account compromise.
v10.1.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v10.0.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v9.0.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.4
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.3
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.3.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v8.2.2
3 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- [Accepted risk] This version was published by a different npm account than previous versions on 2024-04-10. This could indicate a legitimate maintainer transition or an account compromise.
v8.2.1
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2024-04-03. This could indicate a legitimate maintainer transition or an account compromise.
v8.2.0
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v8.1.0
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v8.0.3
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v8.0.2
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v8.0.1
3 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- [Accepted risk] This version was published by a different npm account than previous versions on 2023-10-18. This could indicate a legitimate maintainer transition or an account compromise.
v8.0.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.2.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.4.1
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v6.4.0
3 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- [Accepted risk] This version was published by a different npm account than previous versions on 2023-10-06. This could indicate a legitimate maintainer transition or an account compromise.
v6.3.0
3 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- [Accepted risk] This version was published by a different npm account than previous versions on 2023-09-18. This could indicate a legitimate maintainer transition or an account compromise.
v6.2.1
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
v6.2.0
3 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: lukekarrys.
- [Accepted risk] This version was published by a different npm account than previous versions on 2023-05-31. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.7
3 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- [Accepted risk] This version was published by a different npm account than previous versions on 2023-05-18. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.6
3 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- [Accepted risk] This version was published by a different npm account than previous versions on 2023-04-19. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.5
3 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.
- [Accepted risk] This version was published by a different npm account than previous versions on 2023-03-30. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.4
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2023-03-15. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.3
2 findings:
- [Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
- [Accepted risk] This version was published by a different npm account than previous versions on 2023-02-07. This could indicate a legitimate maintainer transition or an account compromise.
v6.1.2
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.1
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v6.1.0
1 finding:
- [Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.