@oclif/config
base config object and standard interfaces for oclif components
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| publish-pattern | new-deps-added | AI (publish-pattern): The added dependency is 'debug', one of the most trusted npm packages. This is a benign addition for a CLI config library. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): anycli-bot is an oclif project automation account; adding bot maintainers is standard practice for this org and generalizes across versions. | ai | |
| provenance | missing-githead | AI (provenance): Established oclif package with long history; missing gitHead reflects a publish environment change, not a compromise signal for this well-known package. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Dormancy followed by a minor housekeeping release (moving conventional-changelog-cli to devDeps) is consistent with legitimate maintenance, not account takeover. | ai | |
| provenance | publisher-changed | AI (provenance): dickeyxxx is the original author (Jeff Dickey @jdxcode) returning to maintain their own package; the publisher change from rasphilco back to dickeyxxx is a legitimate transition. | ai | |
| phantom-deps | phantom-dep:conventional-changelog-cli | AI (phantom-deps): conventional-changelog-cli is used only in the 'version' npm lifecycle script for changelog generation; it's a misplaced devDependency, not a malicious phantom dep. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is used for plugin/manifest loading in oclif's CLI framework — this is the intended design pattern, not a security risk. | ai | |
| phantom-deps | phantom-dep:tslib | AI (phantom-deps): tslib is a standard TypeScript runtime helper; its use as an implicit dependency is expected and benign for TypeScript-compiled packages. | ai | |
Versions (showing 51 of 131)
| Version | Deps | Published |
|---|---|---|
| 1.18.17 | 6 / 18 | |
| 1.18.16 | 6 / 18 | |
| 1.18.15 | 6 / 18 | |
| 1.18.14 | 6 / 18 | |
| 1.18.13 | 6 / 18 | |
| 1.18.12 | 6 / 18 | |
| 1.18.11 | 6 / 18 | |
| 1.18.10 | 6 / 18 | |
| 1.18.9 | 6 / 18 | |
| 1.18.8 | 6 / 18 | |
| 1.18.7 | 6 / 18 | |
| 1.18.6 | 6 / 18 | |
| 1.18.5 | 6 / 18 | |
| 1.18.4 | 6 / 18 | |
| 1.18.3 | 6 / 18 | |
| 1.18.2 | 6 / 18 | |
| 1.18.1 | 6 / 18 | |
| 1.18.0 | 7 / 19 | |
| 1.17.1 | 6 / 18 | |
| 1.17.0 | 6 / 18 | |
| 1.16.0 | 6 / 18 | |
| 1.15.1 | 4 / 19 | |
| 1.15.0 | 4 / 19 | |
| 1.14.0 | 4 / 19 | |
| 1.13.3 | 3 / 19 | |
| 1.13.2 | 3 / 19 | |
| 1.13.1 | 3 / 19 | |
| 1.13.0 | 2 / 20 | |
| 1.12.12 | 2 / 20 | |
| 1.12.11 | 2 / 21 | |
| 1.12.10 | 2 / 21 | |
| 1.12.9 | 2 / 21 | |
| 1.12.8 | 2 / 21 | |
| 1.12.6 | 2 / 21 | |
| 1.12.4 | 2 / 21 | |
| 1.12.2 | 2 / 21 | |
| 1.12.0 | 2 / 19 | |
| 1.10.4 | 2 / 19 | |
| 1.10.3 | 2 / 19 | |
| 1.10.2 | 2 / 19 | |
| 1.10.0 | 3 / 18 | |
| 1.9.0 | 2 / 18 | |
| 1.8.8 | 2 / 18 | |
| 1.8.7 | 2 / 18 | |
| 1.8.6 | 2 / 18 | |
| 1.8.5 | 2 / 18 | |
| 1.8.4 | 2 / 18 | |
| 1.8.3 | 2 / 18 | |
| 1.8.2 | 2 / 18 | |
| 1.8.1 | 2 / 18 | |
| 1.8.0 | 2 / 18 | |
v1.18.15
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.14
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.13
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.12
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.11
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.10
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.9
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.2
1 finding
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.18.1
2 findings
This version was published by a different npm account than previous versions on 2021-11-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.18.0
2 findings
This version was published by a different npm account than previous versions on 2021-11-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.1
2 findings
This version was published by a different npm account than previous versions on 2021-11-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.17.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.16.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: chadian.
This version was published by a different npm account than previous versions on 2020-06-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.15.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: chadian.
This version was published by a different npm account than previous versions on 2020-04-14. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.14.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.2
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.1
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.13.0
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.12
2 findings
This version was published by a different npm account than previous versions on 2019-03-29. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.11
2 findings
This version was published by a different npm account than previous versions on 2019-03-20. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.10
2 findings
This version was published by a different npm account than previous versions on 2019-03-13. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.9
2 findings
This version was published by a different npm account than previous versions on 2019-02-28. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.8
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
This version was published by a different npm account than previous versions on 2019-02-19. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.6
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
This version was published by a different npm account than previous versions on 2019-02-11. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.4
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
This version was published by a different npm account than previous versions on 2019-01-31. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
This version was published by a different npm account than previous versions on 2019-01-30. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.12.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
This version was published by a different npm account than previous versions on 2019-01-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.4
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.3
2 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: rasphilco.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.2
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
This version was published by a different npm account than previous versions on 2018-12-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.10.0
3 findings
This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: dickeyxxx.
This version was published by a different npm account than previous versions on 2018-12-18. This could indicate a legitimate maintainer transition or an account compromise.
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.9.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.8
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.7
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.6
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.5
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.4
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.3
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.2
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.1
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.8.0
1 finding
Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.