← Home

yargs

npm Repository Homepage

yargs the modern, pirate-themed, successor to optimist.

51
Versions
MIT
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bcoeoss-bot

Keywords

argumentargsoptionparserparsingclicommand

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
dependencies unvetted-dep:string AI (dependencies): The `string` package is a legitimate, widely-used utility library. This is a stable false positive for yargs across versions. ai
phantom-deps phantom-dep:require-main-filename AI (phantom-deps): require-main-filename is used for entry point detection; indirect usage through yargs' public API is stable. ai
phantom-deps phantom-dep:lodash.assign AI (phantom-deps): lodash.assign is used for object merging; indirect usage through yargs' public API is stable. ai
phantom-deps phantom-dep:read-pkg-up AI (phantom-deps): read-pkg-up is used for package.json discovery; indirect usage through yargs' public API is stable. ai
phantom-deps phantom-dep:os-locale AI (phantom-deps): os-locale is used for locale detection; indirect usage through yargs' public API is stable. ai
phantom-deps phantom-dep:pkg-conf AI (phantom-deps): pkg-conf is used for config file reading; indirect usage through yargs' public API is stable. ai
phantom-deps phantom-dep:yargs-parser AI (phantom-deps): yargs-parser is the core parsing engine; indirect usage is the documented design pattern. ai
phantom-deps phantom-dep:y18n AI (phantom-deps): y18n is yargs' i18n engine; indirect usage through yargs' public API is expected and stable. ai
provenance missing-githead AI (provenance): yargs transitioned to oss-bot automated publishing which doesn't set gitHead; this is a known workflow change for the yargs org. ai
semgrep semgrep:env-bulk-read AI (semgrep): yargs intentionally reads process.env to support envPrefix option mapping — this is a documented feature, not exfiltration. Stable across all versions of this package. ai
maintainer-change maintainer-takeover AI (maintainer-change): Legitimate transfer from chevex to bcoe/oss-bot (yargs org). bcoe is the well-known primary yargs maintainer; stable for this package. ai
dependencies unvetted-dep:lodash.assign AI (dependencies): lodash.assign is a canonical utility; appropriate for yargs. ai
dependencies unvetted-dep:pkg-conf AI (dependencies): pkg-conf is an established utility for reading package config; appropriate for yargs. ai
dependencies unvetted-dep:read-pkg-up AI (dependencies): read-pkg-up is a standard utility for reading package.json; stable for yargs. ai
phantom-deps phantom-dep:camelcase AI (phantom-deps): camelcase is referenced in config files as documented; stable for yargs. ai
dependencies unvetted-dep:which-module AI (dependencies): which-module is an established utility; stable dependency for yargs. ai
semgrep semgrep:dynamic-require AI (semgrep): Dynamic require is intentional for loading user-provided config extends in yargs; scoped to config paths, not arbitrary code injection. ai
publish-pattern new-deps-added AI (publish-pattern): All 4 new deps (camelcase, decamelize, os-locale, read-pkg-up) are established utilities serving legitimate CLI functions; no suspicious patterns. ai
dependencies unvetted-dep:window-size AI (dependencies): window-size is a terminal utility; stable dependency for CLI tools like yargs. ai
source-diff obfuscated-file:build/index.cjs AI (source-diff): Rollup-bundled CJS output from TypeScript source; devDeps include rollup + rollup-plugin-terser. Standard build artifact. ai
source-diff source-size-tripled AI (source-diff): Diff is against v3.x; v17.x is a full rewrite with bundled CJS output. Size increase is expected. ai
provenance publisher-changed AI (provenance): 2020 publisher change (bcoe → oss-bot) is a documented, legitimate project transition; stable for yargs. ai
source-diff large-new-source-files AI (source-diff): Diff is against v3.x; v17.x is a complete TypeScript rewrite. File count increase is expected. ai
maintainer-change maintainer-added AI (maintainer-change): New maintainer addition is normal for active open-source projects; no compromise indicators. ai
maintainer-change maintainer-removed AI (maintainer-change): Removal of prior maintainers alongside addition of new ones is consistent with documented governance transitions. ai
license uncommon-license:MIT/X11 AI (license): MIT/X11 is a well-known permissive license variant; no legal concern. Stable for this package. ai
dependencies unvetted-dep:cliui AI (dependencies): cliui is a long-standing, well-known dependency of yargs; stable false positive for this package. ai
provenance no-provenance AI (provenance): Provenance attestation is a best-practice recommendation, not a security blocker; yargs predates widespread Sigstore adoption. ai
dependencies unvetted-dep:require-directory AI (dependencies): require-directory is a long-standing, well-known dependency of yargs; stable false positive for this package. ai

Versions (showing 51 of 175)

Show 3 prereleases View all versions
Version Deps Published
18.0.0 6 / 22
17.7.2 7 / 22
17.7.1 7 / 22
17.7.0 7 / 22
17.6.2 7 / 22
17.6.1 7 / 22
17.6.0 7 / 22
17.5.1 7 / 22
17.5.0 7 / 22
17.4.1 7 / 22
17.4.0 7 / 22
17.3.1 7 / 22
17.3.0 7 / 22
17.2.1 7 / 22
17.2.0 7 / 22
17.1.1 7 / 22
17.1.0 7 / 22
17.0.1 7 / 22
17.0.0 7 / 22
16.2.0 7 / 21
16.1.1 7 / 21
16.1.0 7 / 21
16.0.3 7 / 26
16.0.2 7 / 26
16.0.1 7 / 26
16.0.0 7 / 26
15.4.1 11 / 24
15.4.0 11 / 23
15.3.1 11 / 13
15.3.0 11 / 12
15.2.0 11 / 13
15.1.0 11 / 13
15.0.2 11 / 13
15.0.1 11 / 13
15.0.0 11 / 14
14.2.3 11 / 14
14.2.2 11 / 14
14.2.1 11 / 14
14.2.0 11 / 14
14.1.0 11 / 14
14.0.0 11 / 14
13.3.2 10 / 14
13.3.0 10 / 14
13.2.4 11 / 14
13.2.2 11 / 14
13.2.1 11 / 14
13.2.0 11 / 14
13.1.0 11 / 14
12.0.5 12 / 14
12.0.4 12 / 14
12.0.2 12 / 14