argv — Greenflagged

CLI Argument Parser

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

codenothing

Keywords

cliargvoptions

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
typosquat	typosquat.levenshtein:yargs	AI (typosquat): 'argv' is a legitimate CLI argument parser predating yargs; the name describes its function (process.argv), not an attempt to impersonate yargs.	ai	2026/04/24
typosquat	typosquat.levenshtein:ajv	AI (typosquat): 'argv' is a CLI argument parser with no semantic or functional relationship to ajv; the Levenshtein match is purely coincidental.	ai	2026/04/24
provenance	no-provenance	AI (provenance): Package is ~14 years old; provenance attestation did not exist when it was published. No expectation of Sigstore provenance for packages of this age.	ai	2026/04/24

Versions (showing 3 of 3)

Version	Deps	Published
0.0.3	0 / 2	2023-01-29
0.0.2	0 / 2	2013-05-19
0.0.1	0 / 1	2012-07-08

v0.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.2

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v0.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.