yaml-boost MIT 3 versions

yaml-boost

npm Repository Homepage

Yaml Parser with additional functionality.

Versions

MIT

License

Install Scripts

Missing

Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

simlu

Keywords

yamlparserfilesmergeresolvevariables

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is a documented feature for loading YAML or JS files; conditional on file extension, not arbitrary code execution.	ai	2026/04/21
dependencies	unvetted-dep:lodash.set	AI (dependencies): lodash.set is a well-known utility with pinned version; already marked as accepted risk.	ai	2026/04/21

Versions (showing 3 of 3)

Version	Deps	Published
1.10.7	4 / 18	2021-03-09
1.9.22	4 / 18	2020-05-27
1.7.1	4 / 10	2018-06-02