conf — Greenflagged

Simple config handling for your app or module

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sindresorhus

Keywords

configstoreappstorageconfconfigurationsettingspreferencesjsondatapersistpersistentsaveloadreadwritecache

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
source-diff	source-size-dropped	AI (source-diff): Size reduction reflects refactoring to use external dependencies (dot-prop, env-paths, mkdirp, pkg-up) rather than bundled code; normal pattern.	ai	2026/04/23
dependencies	unvetted-dep:onetime	AI (dependencies): onetime is a well-known sindresorhus utility package with wide ecosystem adoption; same trusted publisher as conf itself. Stable false positive for this package.	ai	2026/04/23
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is guarded by null-check; safely reads package.json for project name metadata.	ai	2026/04/23
maintainer-change	maintainer-added	AI (maintainer-change): sindresorhus has been the sole maintainer of conf for years; this finding is an artifact of the old baseline version.	ai	2026/04/23
maintainer-change	maintainer-removed	AI (maintainer-change): jfd was the original early publisher; removal is expected given sindresorhus has maintained this package for years.	ai	2026/04/23
maintainer-change	maintainer-takeover	AI (maintainer-change): Legitimate transfer to sindresorhus, a prominent trusted maintainer; documented in public GitHub history.	ai	2026/04/23
publish-pattern	new-deps-added	AI (publish-pattern): All new deps are well-known legitimate packages consistent with conf's config-handling purpose (schema validation, atomic writes, path resolution). Publisher sindresorhus has exceptional track record.	ai	2026/04/23
dependencies	unvetted-dep:debounce-fn	AI (dependencies): debounce-fn is a stable utility dependency; no security concern for conf's use case.	ai	2026/04/23
dependencies	unvetted-dep:env-paths	AI (dependencies): env-paths is a standard XDG/platform paths utility; legitimate dependency for config storage paths.	ai	2026/04/23
dependencies	unvetted-dep:atomically	AI (dependencies): atomically provides atomic file writes; essential for reliable config persistence without corruption.	ai	2026/04/23
provenance	no-provenance	AI (provenance): sindresorhus is a highly trusted publisher; lack of provenance attestation is not a meaningful risk signal for this author.	ai	2026/04/21
typosquat	typosquat.levenshtein:cors	AI (typosquat): conf and cors are semantically unrelated packages; false positive from edit distance heuristic.	ai	2026/04/21

Versions (showing 30 of 30)

Version	Deps	Published
9.0.0	10 / 16	2021-01-22
7.0.1	10 / 16	2020-07-03
6.0.0	9 / 7	2019-09-09
5.0.0	7 / 7	2019-06-20
4.1.0	7 / 7	2019-06-01
4.0.2	7 / 7	2019-04-28
4.0.1	7 / 7	2019-04-11
4.0.0	7 / 7	2019-04-02
3.0.0	5 / 7	2019-03-04
2.2.0	5 / 5	2019-01-18
2.1.0	5 / 5	2018-11-12
2.0.0	5 / 5	2018-05-27
1.4.0	5 / 5	2018-01-04
1.3.1	5 / 5	2017-09-25
1.3.0	5 / 5	2017-09-17
1.2.0	5 / 5	2017-09-04
1.1.2	4 / 5	2017-06-07
1.1.1	4 / 5	2017-05-12
1.1.0	5 / 5	2017-05-10
1.0.0	4 / 5	2017-04-30
0.12.0	4 / 4	2017-01-17
0.11.2	4 / 4	2016-07-21
0.11.1	4 / 4	2016-07-12
0.11.0	4 / 4	2016-06-24
0.10.0	4 / 3	2016-06-21
0.8.4	0 / 0	2011-08-23
0.8.3	0 / 0	2011-06-08
0.8.2	0 / 0	2011-05-30
0.8.1	0 / 0	2011-04-27
0.8.0	0 / 0	2011-02-27

v9.0.0

2 findings

HIGH Complete maintainer takeover detected maintainer-change

All previous maintainers (jfd) were replaced by new maintainers (sindresorhus). This is a strong signal of a potential package hijack and requires careful review.