yargs — Greenflagged

yargs the modern, pirate-themed, successor to optimist.

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures gitHead linked

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

bcoeoss-bot

Keywords

argumentargsoptionparserparsingclicommand

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
dependencies	unvetted-dep:string	AI (dependencies): The `string` package is a legitimate, widely-used utility library. This is a stable false positive for yargs across versions.	ai	2026/04/21
phantom-deps	phantom-dep:require-main-filename	AI (phantom-deps): require-main-filename is used for entry point detection; indirect usage through yargs' public API is stable.	ai	2026/04/21
phantom-deps	phantom-dep:lodash.assign	AI (phantom-deps): lodash.assign is used for object merging; indirect usage through yargs' public API is stable.	ai	2026/04/21
phantom-deps	phantom-dep:read-pkg-up	AI (phantom-deps): read-pkg-up is used for package.json discovery; indirect usage through yargs' public API is stable.	ai	2026/04/21
phantom-deps	phantom-dep:os-locale	AI (phantom-deps): os-locale is used for locale detection; indirect usage through yargs' public API is stable.	ai	2026/04/21
phantom-deps	phantom-dep:pkg-conf	AI (phantom-deps): pkg-conf is used for config file reading; indirect usage through yargs' public API is stable.	ai	2026/04/21
phantom-deps	phantom-dep:yargs-parser	AI (phantom-deps): yargs-parser is the core parsing engine; indirect usage is the documented design pattern.	ai	2026/04/21
phantom-deps	phantom-dep:y18n	AI (phantom-deps): y18n is yargs' i18n engine; indirect usage through yargs' public API is expected and stable.	ai	2026/04/21
provenance	missing-githead	AI (provenance): yargs transitioned to oss-bot automated publishing which doesn't set gitHead; this is a known workflow change for the yargs org.	ai	2026/04/21
semgrep	semgrep:env-bulk-read	AI (semgrep): yargs intentionally reads process.env to support envPrefix option mapping — this is a documented feature, not exfiltration. Stable across all versions of this package.	ai	2026/04/21
maintainer-change	maintainer-takeover	AI (maintainer-change): Legitimate transfer from chevex to bcoe/oss-bot (yargs org). bcoe is the well-known primary yargs maintainer; stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:lodash.assign	AI (dependencies): lodash.assign is a canonical utility; appropriate for yargs.	ai	2026/04/21
dependencies	unvetted-dep:pkg-conf	AI (dependencies): pkg-conf is an established utility for reading package config; appropriate for yargs.	ai	2026/04/21
dependencies	unvetted-dep:read-pkg-up	AI (dependencies): read-pkg-up is a standard utility for reading package.json; stable for yargs.	ai	2026/04/21
phantom-deps	phantom-dep:camelcase	AI (phantom-deps): camelcase is referenced in config files as documented; stable for yargs.	ai	2026/04/21
dependencies	unvetted-dep:which-module	AI (dependencies): which-module is an established utility; stable dependency for yargs.	ai	2026/04/21
semgrep	semgrep:dynamic-require	AI (semgrep): Dynamic require is intentional for loading user-provided config extends in yargs; scoped to config paths, not arbitrary code injection.	ai	2026/04/21
publish-pattern	new-deps-added	AI (publish-pattern): All 4 new deps (camelcase, decamelize, os-locale, read-pkg-up) are established utilities serving legitimate CLI functions; no suspicious patterns.	ai	2026/04/21
dependencies	unvetted-dep:window-size	AI (dependencies): window-size is a terminal utility; stable dependency for CLI tools like yargs.	ai	2026/04/21
source-diff	obfuscated-file:build/index.cjs	AI (source-diff): Rollup-bundled CJS output from TypeScript source; devDeps include rollup + rollup-plugin-terser. Standard build artifact.	ai	2026/04/21
source-diff	source-size-tripled	AI (source-diff): Diff is against v3.x; v17.x is a full rewrite with bundled CJS output. Size increase is expected.	ai	2026/04/21
provenance	publisher-changed	AI (provenance): 2020 publisher change (bcoe → oss-bot) is a documented, legitimate project transition; stable for yargs.	ai	2026/04/21
source-diff	large-new-source-files	AI (source-diff): Diff is against v3.x; v17.x is a complete TypeScript rewrite. File count increase is expected.	ai	2026/04/21
maintainer-change	maintainer-added	AI (maintainer-change): New maintainer addition is normal for active open-source projects; no compromise indicators.	ai	2026/04/21
maintainer-change	maintainer-removed	AI (maintainer-change): Removal of prior maintainers alongside addition of new ones is consistent with documented governance transitions.	ai	2026/04/21
license	uncommon-license:MIT/X11	AI (license): MIT/X11 is a well-known permissive license variant; no legal concern. Stable for this package.	ai	2026/04/21
dependencies	unvetted-dep:cliui	AI (dependencies): cliui is a long-standing, well-known dependency of yargs; stable false positive for this package.	ai	2026/04/21
provenance	no-provenance	AI (provenance): Provenance attestation is a best-practice recommendation, not a security blocker; yargs predates widespread Sigstore adoption.	ai	2026/04/21
dependencies	unvetted-dep:require-directory	AI (dependencies): require-directory is a long-standing, well-known dependency of yargs; stable false positive for this package.	ai	2026/04/21

Versions (showing 100 of 178)

Hide prereleases

Version	Deps	Published
18.0.0	6 / 22	2025-05-27
17.7.2	7 / 22	2023-04-27
17.7.1	7 / 22	2023-02-21
17.7.0	7 / 22	2023-02-16
17.6.2	7 / 22	2022-11-03
17.6.1	7 / 22	2022-11-02
17.6.0	7 / 22	2022-10-01
17.5.1	7 / 22	2022-05-16
17.5.0	7 / 22	2022-05-11
17.4.1	7 / 22	2022-04-09
17.4.0	7 / 22	2022-03-19
17.3.1	7 / 22	2021-12-23
17.3.0	7 / 22	2021-11-30
17.2.1	7 / 22	2021-09-25
17.2.0	7 / 22	2021-09-23
17.1.1	7 / 22	2021-08-13
17.1.0	7 / 22	2021-08-04
17.0.1	7 / 22	2021-05-03
17.0.0	7 / 22	2021-05-02
16.2.0	7 / 21	2020-12-05
16.1.1	7 / 21	2020-11-15
16.1.0	7 / 21	2020-10-16
16.0.3	7 / 26	2020-09-10
16.0.2	7 / 26	2020-09-09
16.0.1	7 / 26	2020-09-09
16.0.0	7 / 26	2020-09-09
15.4.1	11 / 24	2020-07-10
15.4.0	11 / 23	2020-07-02
15.3.1	11 / 13	2020-03-16
15.3.0	11 / 12	2020-03-08
15.2.0	11 / 13	2020-03-01
15.1.0	11 / 13	2020-01-02
15.0.2	11 / 13	2019-11-19
15.0.1	11 / 13	2019-11-16
15.0.0	11 / 14	2019-11-10
14.2.3	11 / 14	2020-03-13
14.2.2	11 / 14	2019-11-19
14.2.1	11 / 14	2019-10-30
14.2.0	11 / 14	2019-10-07
14.1.0	11 / 14	2019-09-06
14.0.0	11 / 14	2019-07-30
13.3.2	10 / 14	2020-03-13
13.3.0	10 / 14	2019-06-10
13.2.4	11 / 14	2019-05-13
13.2.2	11 / 14	2019-03-06
13.2.1	11 / 14	2019-02-18
13.2.0	11 / 14	2019-02-15
13.1.0	11 / 14	2019-02-12
12.0.5	12 / 14	2018-11-19
12.0.4	12 / 14	2018-11-10
12.0.2	12 / 14	2018-09-04
12.0.1	12 / 14	2018-06-29
12.0.0	12 / 14	2018-06-26
11.1.1	12 / 14	2019-10-07
11.1.0	12 / 14	2018-03-04
11.0.0	12 / 14	2018-01-22
10.1.2	12 / 14	2018-01-17
10.1.1	12 / 14	2018-01-09
10.1.0	12 / 14	2018-01-01
10.0.3	12 / 14	2017-10-21
10.0.2	12 / 14	2017-10-21
10.0.1	12 / 14	2017-10-19
10.0.0	12 / 14	2017-10-18
9.0.1	13 / 14	2017-09-17
9.0.0	13 / 14	2017-09-03
8.0.2	13 / 14	2017-06-12
8.0.1	13 / 14	2017-05-02
8.0.0	13 / 14	2017-05-01
7.1.2	13 / 13	2021-04-25
7.1.1	13 / 13	2020-05-22
7.1.0	13 / 13	2017-04-13
7.0.2	13 / 13	2017-03-10
7.0.1	13 / 13	2017-03-03
7.0.0	13 / 13	2017-02-26
6.6.0	13 / 13	2016-12-30
6.5.0	14 / 13	2016-12-01
6.4.0	14 / 13	2016-11-14
6.3.0	14 / 13	2016-10-21
6.2.0	14 / 13	2016-10-17
6.1.1	14 / 13	2016-10-15
6.0.0	13 / 13	2016-09-30
5.0.0	14 / 13	2016-08-16
4.8.1	14 / 13	2016-07-17
4.8.0	13 / 13	2016-07-10
4.7.1	13 / 13	2016-05-15
4.7.0	12 / 13	2016-05-05
4.6.0	12 / 13	2016-04-12
4.5.0	12 / 13	2016-04-05
4.4.0	12 / 12	2016-04-04
4.3.2	12 / 12	2016-03-20
4.3.1	12 / 12	2016-03-12
4.3.0	12 / 12	2016-03-12
4.2.0	12 / 12	2016-02-23
4.1.0	11 / 12	2016-02-15
4.0.0	11 / 12	2016-02-14
3.32.0	7 / 10	2016-01-15
3.31.0	7 / 10	2015-12-03
3.30.0	6 / 10	2015-11-14
3.29.0	6 / 10	2015-10-21
3.28.0	6 / 9	2015-10-16

Showing 100 of 178 Next page →