update-notifier — Greenflagged

Update notifications for your CLI app

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

sindresorhussboudriaseddiemongeaddyosmanimischahzckrsulisesgasconmshimaruyadorno

Keywords

npmupdateupdaternotifynotifiercheckcheckerclimodulepackageversion

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is used to load the consuming package's package.json for version checking — core functionality of an update notifier, not arbitrary module loading.	ai	2026/04/22
maintainer-change	maintainer-added	AI (maintainer-change): New maintainers (ulisesgascon, mshima, ruyadorno) are well-known Node.js core collaborators; addition is consistent with legitimate open-source governance transition.	ai	2026/04/22
provenance	publisher-changed	AI (provenance): Transfer from sboudrias to sindresorhus is legitimate; sindresorhus is the documented author and a highly trusted npm publisher. This is a stable, expected transition for this package.	ai	2026/04/22
phantom-deps	phantom-dep:import-lazy	AI (phantom-deps): import-lazy is a declared runtime dep used for lazy-loading; static import analysis misses its usage pattern. Stable false positive for this package.	ai	2026/04/22
publish-pattern	new-deps-added	AI (publish-pattern): is-in-ci replaces is-ci/has-yarn/is-yarn-global as a consolidation; it is a sindresorhus package consistent with this ecosystem. Not a supply-chain risk.	ai	2026/04/22
dependencies	unvetted-dep:semver-diff	AI (dependencies): semver-diff is a standard utility for comparing semver versions, core to update-notifier's functionality.	ai	2026/04/21
dependencies	unvetted-dep:has-yarn	AI (dependencies): has-yarn is a small utility to detect yarn usage, appropriate for update-notifier to suggest the correct install command.	ai	2026/04/21
dependencies	unvetted-dep:is-ci	AI (dependencies): is-ci is a well-known utility for detecting CI environments, appropriate for update-notifier's use case of suppressing notifications in CI.	ai	2026/04/21
dependencies	unvetted-dep:is-yarn-global	AI (dependencies): is-yarn-global detects yarn global installs, used by update-notifier to tailor upgrade instructions.	ai	2026/04/21
publish-pattern	dormant-publish	AI (publish-pattern): sindresorhus is the canonical maintainer; dormancy reflects infrequent but legitimate maintenance, not account takeover. Changes are consistent with modernization.	ai	2026/04/21
bogus-package	bogus-package	AI (bogus-package): Inflated semver reflects migration of an established project to npm; co-maintainer mass-production signal does not apply to this well-known sindresorhus/yeoman package.	ai	2026/04/21
dependencies	unvetted-dep:pupa	AI (dependencies): pupa is a long-standing sindresorhus utility for string interpolation; stable, low-risk dependency for this package.	ai	2026/04/21
phantom-deps	phantom-dep:is-yarn-global	AI (phantom-deps): Lazily required via import-lazy; used to detect global yarn installs.	ai	2026/04/21
phantom-deps	phantom-dep:latest-version	AI (phantom-deps): Lazily required via import-lazy; core dep for fetching latest npm version.	ai	2026/04/21
phantom-deps	phantom-dep:has-yarn	AI (phantom-deps): Lazily required via import-lazy; used to detect yarn usage.	ai	2026/04/21
semgrep	semgrep:child-process-import	AI (semgrep): child_process.fork is used to spawn a background update-check process, which is the canonical implementation pattern for non-blocking update notifiers.	ai	2026/04/21
phantom-deps	phantom-dep:pupa	AI (phantom-deps): Package uses import-lazy for lazy requires; static analysis cannot detect the require calls. All deps are legitimately used.	ai	2026/04/21
phantom-deps	phantom-dep:boxen	AI (phantom-deps): Lazily required via import-lazy; legitimate dep for rendering the update notification box.	ai	2026/04/21
phantom-deps	phantom-dep:chalk	AI (phantom-deps): Lazily required via import-lazy; legitimate dep for terminal coloring.	ai	2026/04/21
phantom-deps	phantom-dep:is-ci	AI (phantom-deps): Lazily required via import-lazy; used to suppress notifications in CI environments.	ai	2026/04/21
phantom-deps	phantom-dep:is-npm	AI (phantom-deps): Lazily required via import-lazy; legitimate dep.	ai	2026/04/21
phantom-deps	phantom-dep:semver	AI (phantom-deps): Lazily required via import-lazy; used for version comparison.	ai	2026/04/21
phantom-deps	phantom-dep:is-installed-globally	AI (phantom-deps): Lazily required via import-lazy; legitimate dep.	ai	2026/04/21
phantom-deps	phantom-dep:configstore	AI (phantom-deps): Lazily required via import-lazy; used to cache version check results.	ai	2026/04/21
phantom-deps	phantom-dep:semver-diff	AI (phantom-deps): Lazily required via import-lazy; used to compute version difference type.	ai	2026/04/21
phantom-deps	phantom-dep:xdg-basedir	AI (phantom-deps): Lazily required via import-lazy; legitimate dep.	ai	2026/04/21
semgrep	semgrep:silent-process-exec	AI (semgrep): Detached background process is update-notifier's documented design for checking updates without blocking the main app.	ai	2026/04/21
semgrep	semgrep:silent-process-exec-var	AI (semgrep): Detached background process is update-notifier's documented design for checking updates without blocking the main app.	ai	2026/04/21