yargs
yargs the modern, pirate-themed, successor to optimist.
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:string | AI (dependencies): The `string` package is a legitimate, widely-used utility library. This is a stable false positive for yargs across versions. | ai | |
| phantom-deps | phantom-dep:require-main-filename | AI (phantom-deps): require-main-filename is used for entry point detection; indirect usage through yargs' public API is stable. | ai | |
| phantom-deps | phantom-dep:lodash.assign | AI (phantom-deps): lodash.assign is used for object merging; indirect usage through yargs' public API is stable. | ai | |
| phantom-deps | phantom-dep:read-pkg-up | AI (phantom-deps): read-pkg-up is used for package.json discovery; indirect usage through yargs' public API is stable. | ai | |
| phantom-deps | phantom-dep:os-locale | AI (phantom-deps): os-locale is used for locale detection; indirect usage through yargs' public API is stable. | ai | |
| phantom-deps | phantom-dep:pkg-conf | AI (phantom-deps): pkg-conf is used for config file reading; indirect usage through yargs' public API is stable. | ai | |
| phantom-deps | phantom-dep:yargs-parser | AI (phantom-deps): yargs-parser is the core parsing engine; indirect usage is the documented design pattern. | ai | |
| phantom-deps | phantom-dep:y18n | AI (phantom-deps): y18n is yargs' i18n engine; indirect usage through yargs' public API is expected and stable. | ai | |
| provenance | missing-githead | AI (provenance): yargs transitioned to oss-bot automated publishing which doesn't set gitHead; this is a known workflow change for the yargs org. | ai | |
| semgrep | semgrep:env-bulk-read | AI (semgrep): yargs intentionally reads process.env to support envPrefix option mapping — this is a documented feature, not exfiltration. Stable across all versions of this package. | ai | |
| maintainer-change | maintainer-takeover | AI (maintainer-change): Legitimate transfer from chevex to bcoe/oss-bot (yargs org). bcoe is the well-known primary yargs maintainer; stable for this package. | ai | |
| dependencies | unvetted-dep:lodash.assign | AI (dependencies): lodash.assign is a canonical utility; appropriate for yargs. | ai | |
| dependencies | unvetted-dep:pkg-conf | AI (dependencies): pkg-conf is an established utility for reading package config; appropriate for yargs. | ai | |
| dependencies | unvetted-dep:read-pkg-up | AI (dependencies): read-pkg-up is a standard utility for reading package.json; stable for yargs. | ai | |
| phantom-deps | phantom-dep:camelcase | AI (phantom-deps): camelcase is referenced in config files as documented; stable for yargs. | ai | |
| dependencies | unvetted-dep:which-module | AI (dependencies): which-module is an established utility; stable dependency for yargs. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require is intentional for loading user-provided config extends in yargs; scoped to config paths, not arbitrary code injection. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): All 4 new deps (camelcase, decamelize, os-locale, read-pkg-up) are established utilities serving legitimate CLI functions; no suspicious patterns. | ai | |
| dependencies | unvetted-dep:window-size | AI (dependencies): window-size is a terminal utility; stable dependency for CLI tools like yargs. | ai | |
| source-diff | obfuscated-file:build/index.cjs | AI (source-diff): Rollup-bundled CJS output from TypeScript source; devDeps include rollup + rollup-plugin-terser. Standard build artifact. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Diff is against v3.x; v17.x is a full rewrite with bundled CJS output. Size increase is expected. | ai | |
| provenance | publisher-changed | AI (provenance): 2020 publisher change (bcoe → oss-bot) is a documented, legitimate project transition; stable for yargs. | ai | |
| source-diff | large-new-source-files | AI (source-diff): Diff is against v3.x; v17.x is a complete TypeScript rewrite. File count increase is expected. | ai | |
| maintainer-change | maintainer-added | AI (maintainer-change): New maintainer addition is normal for active open-source projects; no compromise indicators. | ai | |
| maintainer-change | maintainer-removed | AI (maintainer-change): Removal of prior maintainers alongside addition of new ones is consistent with documented governance transitions. | ai | |
| license | uncommon-license:MIT/X11 | AI (license): MIT/X11 is a well-known permissive license variant; no legal concern. Stable for this package. | ai | |
| dependencies | unvetted-dep:cliui | AI (dependencies): cliui is a long-standing, well-known dependency of yargs; stable false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): Provenance attestation is a best-practice recommendation, not a security blocker; yargs predates widespread Sigstore adoption. | ai | |
| dependencies | unvetted-dep:require-directory | AI (dependencies): require-directory is a long-standing, well-known dependency of yargs; stable false positive for this package. | ai | |
Versions (showing 78 of 178)
| Version | Deps | Published |
|---|---|---|
| 3.27.0 | 6 / 8 | |
| 3.26.0 | 6 / 8 | |
| 3.25.0 | 6 / 8 | |
| 3.24.0 | 6 / 6 | |
| 3.23.0 | 5 / 6 | |
| 3.22.2 | 6 / 6 | |
| 3.22.1 | 6 / 6 | |
| 3.22.0 | 6 / 6 | |
| 3.21.1 | 6 / 6 | |
| 3.21.0 | 6 / 6 | |
| 3.20.0 | 6 / 6 | |
| 3.19.0 | 5 / 6 | |
| 3.18.1 | 5 / 6 | |
| 3.18.0 | 5 / 6 | |
| 3.17.1 | 5 / 6 | |
| 3.16.1 | 5 / 6 | |
| 3.16.0 | 5 / 6 | |
| 3.15.0 | 4 / 6 | |
| 3.14.0 | 4 / 6 | |
| 3.13.0 | 4 / 6 | |
| 3.12.0 | 4 / 6 | |
| 3.11.0 | 4 / 6 | |
| 3.10.0 | 4 / 6 | |
| 3.9.1 | 4 / 6 | |
| 3.9.0 | 4 / 8 | |
| 3.8.0 | 4 / 8 | |
| 3.7.2 | 4 / 8 | |
| 3.7.1 | 4 / 7 | |
| 3.7.0 | 4 / 7 | |
| 3.6.0 | 4 / 7 | |
| 3.5.4 | 4 / 7 | |
| 3.5.3 | 4 / 7 | |
| 3.5.2 | 4 / 7 | |
| 3.5.1 | 4 / 7 | |
| 3.5.0 | 4 / 7 | |
| 3.4.5 | 4 / 7 | |
| 3.4.4 | 4 / 7 | |
| 3.2.1 | 3 / 7 | |
| 3.1.0 | 2 / 7 | |
| 3.0.4 | 2 / 7 | |
| 3.0.3 | 2 / 7 | |
| 3.0.2 | 2 / 7 | |
| 3.0.1 | 2 / 7 | |
| 3.0.0 | 0 / 5 | |
| 2.3.0 | 1 / 7 | |
| 2.1.1 | 0 / 5 | |
| 1.3.3 | 0 / 3 | |
| 1.3.2 | 0 / 3 | |
| 1.3.1 | 0 / 3 | |
| 1.3.0 | 1 / 3 | |
| 1.2.6 | 1 / 3 | |
| 1.2.5 | 1 / 3 | |
| 1.2.4 | 1 / 3 | |
| 1.2.3 | 1 / 3 | |
| 1.2.2 | 1 / 3 | |
| 1.2.1 | 1 / 3 | |
| 1.2.0 | 1 / 3 | |
| 1.1.3 | 1 / 3 | |
| 1.1.2 | 1 / 3 | |
| 1.1.1 | 1 / 3 | |
| 1.1.0 | 1 / 3 | |
| 1.0.15 | 1 / 2 | |
| 1.0.13 | 1 / 2 | |
| 1.0.12 | 1 / 2 | |
| 1.0.11 | 1 / 2 | |
| 1.0.10 | 1 / 2 | |
| 1.0.9 | 1 / 2 | |
| 1.0.8 | 1 / 2 | |
| 1.0.7 | 1 / 2 | |
| 1.0.6 | 1 / 2 | |
| 1.0.5 | 1 / 2 | |
| 1.0.4 | 1 / 2 | |
| 1.0.3 | 1 / 2 | |
| 1.0.1 | 1 / 2 | |
| 1.0.0 | 1 / 2 | |
| 18.0.0-candidate.7 | 6 / 22 | |
| 18.0.0-candidate.6 | 6 / 22 | |
| 18.0.0-candidate.5 | 6 / 22 | |
v18.0.0-candidate.7
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-25. This could indicate a legitimate maintainer transition or an account compromise.
v18.0.0-candidate.6
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-24. This could indicate a legitimate maintainer transition or an account compromise.
v18.0.0-candidate.5
2 findings
[Accepted risk] Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.
[Accepted risk] This version was published by a different npm account than previous versions on 2025-04-23. This could indicate a legitimate maintainer transition or an account compromise.