cosmiconfig
Find and load configuration from a package.json property, rc file, TypeScript module, and more!
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:json-parse-helpfulerror | AI (dependencies): json-parse-helpfulerror is a well-known benign JSON error-formatting utility; its use as a replacement for parse-json in cosmiconfig is a legitimate, low-risk dependency swap. | ai | |
| dependencies | unvetted-dep:bluebird | AI (dependencies): bluebird is a well-known, widely-used Promise library with no malicious history; its use here is a routine dependency for async operations. | ai | |
| phantom-deps | phantom-dep:parse-json | AI (phantom-deps): parse-json is legitimately declared and used for JSON config parsing; expected pattern. | ai | |
| phantom-deps | phantom-dep:graceful-fs | AI (phantom-deps): graceful-fs is legitimately declared and used for file operations; expected pattern. | ai | |
| phantom-deps | phantom-dep:lodash | AI (phantom-deps): lodash is legitimately declared and used in config parsing; normal for config loaders. | ai | |
| phantom-deps | phantom-dep:js-yaml | AI (phantom-deps): js-yaml is legitimately declared and used for YAML config parsing; expected pattern. | ai | |
| phantom-deps | phantom-dep:require-from-string | AI (phantom-deps): require-from-string is legitimately declared and used for dynamic module loading; expected pattern. | ai | |
| provenance | publisher-changed | AI (provenance): Legitimate maintainer transition from davidtheclark to d-fischer; new author listed in package.json with GitHub funding link. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainer d-fischer has clean track record; appears to be intentional package handoff. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of previous maintainers is consistent with documented transition to new maintainer. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (env-paths, js-yaml) are established packages appropriate for config loading; no suspicious patterns. | ai | |
| phantom-deps | phantom-dep:@types/parse-json | AI (phantom-deps): The @types/parse-json dep is used for TypeScript type re-exports, not direct JS imports; phantom-dep finding is a stable false positive for this package. | ai | |
| dependencies | unvetted-dep:@types/parse-json | AI (dependencies): cosmiconfig intentionally ships @types/parse-json as a runtime dep to re-export TypeScript types; it is a harmless DefinitelyTyped package, not a security risk. | ai | |
| provenance | no-provenance | AI (provenance): cosmiconfig v7.0.0 predates Sigstore npm provenance; no provenance is expected for this era of the package. | ai | |
| dependencies | unvetted-dep:env-paths | AI (dependencies): env-paths is a standard cross-platform utility; appropriate dependency for configuration package. | ai | |
Versions (showing 51 of 53)
| Version | Deps | Published |
|---|---|---|
| 9.0.1 | 4 / 21 | |
| 9.0.0 | 4 / 21 | |
| 8.3.6 | 4 / 24 | |
| 8.3.5 | 4 / 24 | |
| 8.3.4 | 4 / 24 | |
| 8.3.3 | 4 / 24 | |
| 8.3.2 | 4 / 24 | |
| 8.3.1 | 4 / 24 | |
| 8.3.0 | 4 / 24 | |
| 8.2.0 | 4 / 28 | |
| 8.1.3 | 4 / 28 | |
| 8.1.2 | 4 / 28 | |
| 8.1.1 | 4 / 28 | |
| 8.1.0 | 4 / 27 | |
| 8.0.0 | 4 / 27 | |
| 7.1.0 | 5 / 25 | |
| 7.0.1 | 5 / 25 | |
| 7.0.0 | 5 / 25 | |
| 6.0.0 | 5 / 25 | |
| 5.2.1 | 4 / 18 | |
| 5.2.0 | 4 / 18 | |
| 5.1.0 | 5 / 18 | |
| 5.0.7 | 4 / 18 | |
| 5.0.6 | 3 / 18 | |
| 5.0.5 | 3 / 18 | |
| 5.0.4 | 3 / 18 | |
| 5.0.3 | 3 / 18 | |
| 5.0.2 | 3 / 18 | |
| 5.0.1 | 3 / 18 | |
| 4.0.0 | 4 / 13 | |
| 3.1.0 | 4 / 13 | |
| 3.0.1 | 4 / 13 | |
| 3.0.0 | 4 / 13 | |
| 2.2.2 | 7 / 10 | |
| 2.2.1 | 7 / 10 | |
| 2.2.0 | 8 / 10 | |
| 2.1.3 | 7 / 10 | |
| 2.1.2 | 7 / 10 | |
| 2.1.1 | 6 / 9 | |
| 2.1.0 | 7 / 9 | |
| 2.0.2 | 6 / 8 | |
| 2.0.1 | 6 / 8 | |
| 2.0.0 | 6 / 8 | |
| 1.1.0 | 8 / 4 | |
| 1.0.2 | 8 / 3 | |
| 1.0.1 | 8 / 3 | |
| 1.0.0 | 8 / 3 | |
| 0.5.0 | 8 / 3 | |
| 0.4.1 | 7 / 3 | |
| 0.4.0 | 8 / 3 | |
| 0.3.0 | 7 / 3 | |
v9.0.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.1.0 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2022-11-12. This could indicate a legitimate maintainer transition or an account compromise.
v7.0.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v7.0.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v6.0.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.2.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.1.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.7 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.6 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-08-09. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.5 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.4 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.3 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-05-15. This could indicate a legitimate maintainer transition or an account compromise.
v5.0.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v5.0.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v4.0.0 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2018-01-16. This could indicate a legitimate maintainer transition or an account compromise.
v3.1.0 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-10-02. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.1 (2 findings)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2017-09-17. This could indicate a legitimate maintainer transition or an account compromise.
v3.0.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.2.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.3 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.1.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v2.0.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
v1.1.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.2 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v1.0.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.5.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.1 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.4.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.3.0 (1 finding)
[Accepted risk] Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.