figgy-pudding

Delicious, festive, cascading config/opts definitions

Versions: 13
License: ISC
Install Scripts: No
Provenance: Missing

Supply chain provenance

Status for the latest visible version.

No SLSA provenance | npm registry signatures | gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

adam_baldwin, claudiahdz, darcyclarke, isaacs, ruyadorno

Keywords

config, options, yummy

Accepted risks

Findings the reviewer chose to accept rather than block on.

| Source | Rule | Reason | Accepted by | When |
| --- | --- | --- | --- | --- |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Maintainer change reflects npm CLI team reorganization (~2020); all new maintainers are known npm Inc./GitHub employees. | ai | |
| provenance | publisher-changed | AI (provenance): Publisher change from zkat to isaacs is a known npm team transition, not account compromise. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainers are all recognized npm Inc./GitHub staff (isaacs, darcyclarke, claudiahdz, ruyadorno, adam_baldwin). | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removed maintainers (iarna, zkat) left npm Inc.; removal is expected organizational change. | ai | |
| publish-pattern | dormant-publish | AI (publish-pattern): Package is effectively archived/maintenance-mode; infrequent publishes are expected for stable utility. | ai | |

Versions (showing 13 of 13)

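| Version | Deps | Published |
| --- | --- | --- |
| 3.5.1 | 0 / 5 | |
| 3.5.0 | 0 / 5 | |
| 3.4.1 | 0 / 5 | |
| 3.4.0 | 0 / 5 | |
| 3.3.0 | 0 / 5 | |
| 3.2.1 | 0 / 5 | |
| 3.2.0 | 0 / 5 | |
| 3.1.0 | 0 / 5 | |
| 3.0.0 | 0 / 5 | |
| 2.0.1 | 0 / 5 | |
| 2.0.0 | 0 / 5 | |
| 1.0.0 | 0 / 3 | |
| 0.0.1 | 0 / 3 | |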

v3.5.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.5.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.4.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.3.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.2.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.1.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.0

1 finding
LOW: No provenance attestation [provenance]

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.