nopt — Greenflagged

Option parsing for Node, supporting types, shorthands, etc. Used by npm.

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

saquibkhannpm-cli-opsreggiowlstronaut

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
provenance	missing-githead	AI (provenance): nopt is an official npm org package; missing gitHead reflects a publish environment change, not a security concern. Stable false positive for this package.	ai	2026/04/23
provenance	publisher-changed	AI (provenance): Publisher changed to GitHub Actions as part of npm CLI team's standard automated publishing pipeline. SLSA provenance attestation confirms integrity.	ai	2026/04/21
maintainer-change	maintainer-takeover	AI (maintainer-change): New maintainers are the npm CLI team at GitHub (gar, npm-cli-ops, etc.). Package is officially owned by GitHub Inc./npm org. SLSA provenance confirms legitimate CI/CD publishing.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers are known npm CLI team members at GitHub. Legitimate organizational ownership transfer.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Previous maintainers removed as part of npm CLI team taking ownership. Consistent with GitHub/npm organizational transition.	ai	2026/04/21
publish-pattern	dormant-publish	AI (publish-pattern): Dormancy followed by major version bump (5→9) reflects npm team modernization effort, not account takeover. SLSA provenance confirms legitimate publish.	ai	2026/04/21
typosquat	typosquat.levenshtein:got	AI (typosquat): nopt is a completely different category of package from 'got'; the 2-edit Levenshtein distance is coincidental and not indicative of squatting.	ai	2026/04/21
provenance	no-provenance	AI (provenance): nopt is a legacy package predating Sigstore provenance; absence is expected and not a risk signal for this well-known, trusted package.	ai	2026/04/21
typosquat	typosquat.levenshtein:nuxt	AI (typosquat): nopt is a well-established npm option-parsing library predating 'nuxt'; the name similarity is purely coincidental and not a typosquat.	ai	2026/04/21
typosquat	typosquat.levenshtein:next	AI (typosquat): nopt is a well-established npm option-parsing library predating 'next'; the name similarity is purely coincidental and not a typosquat.	ai	2026/04/21

Versions (showing 38 of 38)

Version	Deps	Published
10.0.0	1 / 2	2026-05-15
9.0.0	1 / 3	2025-10-22
8.1.0	1 / 3	2025-01-21
8.0.0	1 / 3	2024-09-04
7.2.1	1 / 3	2024-05-04
7.2.0	1 / 3	2023-06-15
7.1.0	1 / 3	2023-03-21
7.0.0	1 / 3	2022-11-02
6.0.0	1 / 3	2022-07-20
5.0.0	1 / 1	2020-08-17
4.0.3	2 / 1	2020-03-08
4.0.2	2 / 1	2020-03-08
4.0.1	2 / 1	2016-12-14
4.0.0	2 / 1	2016-12-13
3.0.6	1 / 1	2015-11-12
3.0.5	1 / 1	2015-11-12
3.0.4	1 / 1	2015-09-10
3.0.3	1 / 1	2015-06-23
3.0.2	1 / 1	2015-05-19
3.0.1	1 / 1	2014-07-01
3.0.0	1 / 1	2014-06-06
2.2.1	1 / 1	2014-04-28
2.2.0	1 / 1	2014-02-16
2.1.2	1 / 0	2013-07-17
2.1.1	1 / 0	2013-01-18
2.1.0	1 / 0	2013-01-17
2.0.0	1 / 0	2012-07-23
1.0.10	1 / 0	2011-10-05
1.0.9	1 / 0	2011-09-22
1.0.8	1 / 0	2011-09-15
1.0.7	1 / 0	2011-09-08
1.0.6	1 / 0	2011-07-06
1.0.5	1 / 0	2011-04-29
1.0.4	1 / 0	2011-03-31
1.0.3	1 / 0	2011-03-31
1.0.2	1 / 0	2011-03-31
1.0.1	1 / 0	2011-03-30
1.0.0	1 / 0	2011-03-30

v10.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v8.1.0

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: isaacs → npm-cli-ops (on 2025-01-21) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2025-01-21. This could indicate a legitimate maintainer transition or an account compromise.

v8.0.0

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: isaacs → npm-cli-ops (on 2024-09-04) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2024-09-04. This could indicate a legitimate maintainer transition or an account compromise.

v7.2.1

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

INFO Publisher changed: isaacs → npm-cli-ops (on 2024-05-04) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2024-05-04. This could indicate a legitimate maintainer transition or an account compromise.

v7.2.0

2 findings

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v0.2). This is the strongest supply chain integrity signal.

INFO Publisher changed: gar → npm-cli-ops (on 2023-06-15) provenance

[Accepted risk] This version was published by a different npm account than previous versions on 2023-06-15. This could indicate a legitimate maintainer transition or an account compromise.

v7.1.0

2 findings

HIGH Missing gitHead — previous versions had it provenance

This version has no gitHead field linking it to a source commit, but previous versions did. This suggests the publish environment changed. Published by: gar.