Find and load configuration from a package.json property, rc file, TypeScript module, and more!
Installations
npm install cosmiconfig
Score
91.1
Supply Chain
99.5
Quality
78
Maintenance
100
Vulnerability
99.3
License
Releases
v9.0.0
Published on 28 Nov 2023
cosmiconfig: v8.3.6
Published on 13 Sept 2023
cosmiconfig: v8.3.5
Published on 08 Sept 2023
cosmiconfig: v8.3.4
Published on 04 Sept 2023
cosmiconfig: v8.3.3
Published on 03 Sept 2023
cosmiconfig: v8.3.2
Published on 02 Sept 2023
Developer
cosmiconfig
Developer Guide
Module System
CommonJS
Min. Node Version
>=14
Typescript Support
Yes
Node Version
18.17.1
NPM Version
9.6.7
Statistics
3,964 Stars
489 Commits
134 Forks
19 Watching
3 Branches
33 Contributors
Updated on 28 Nov 2024
Bundle Size
96.83 kB
Minified
34.30 kB
Minified + Gzipped
Languages
TypeScript (97.17%)
JavaScript (2.75%)
Shell (0.08%)
Total Downloads
Cumulative downloads
Total Downloads
10,210,868,123
Last day
-6.7%
11,584,521
Compared to previous day
Last week
1.9%
66,105,220
Compared to previous week
Last month
9.7%
275,147,710
Compared to previous month
Last year
15.6%
2,858,846,471
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Dependencies
4
Peer Dependencies
1
Dev Dependencies
21
cosmiconfig
Cosmiconfig searches for and loads configuration for your program.
It features smart defaults based on conventional expectations in the JavaScript ecosystem. But it's also flexible enough to search wherever you'd like to search, and load whatever you'd like to load.
By default, Cosmiconfig will check the current directory for the following:
- a
package.json
property - a JSON or YAML, extensionless "rc file"
- an "rc file" with the extensions
.json
,.yaml
,.yml
,.js
,.ts
,.mjs
, or.cjs
- any of the above two inside a
.config
subdirectory - a
.config.js
,.config.ts
,.config.mjs
, or.config.cjs
file
For example, if your module's name is "myapp", cosmiconfig will search up the directory tree for configuration in the following places:
- a
myapp
property inpackage.json
- a
.myapprc
file in JSON or YAML format - a
.myapprc.json
,.myapprc.yaml
,.myapprc.yml
,.myapprc.js
,.myapprc.ts
,.myapprc.mjs
, or.myapprc.cjs
file - a
myapprc
,myapprc.json
,myapprc.yaml
,myapprc.yml
,myapprc.js
,myapprc.ts
,myapprc.mjs
, ormyapprc.cjs
file inside a.config
subdirectory - a
myapp.config.js
,myapp.config.ts
,myapp.config.mjs
, ormyapp.config.cjs
file
Optionally, you can tell it to search up the directory tree using search strategies, checking each of these places in each directory, until it finds some acceptable configuration (or hits the home directory).
Table of contents
- Installation
- Usage for tooling developers
- Result
- Asynchronous API
- Synchronous API
- cosmiconfigOptions
- Loading JS modules
- Caching
- Differences from rc
- Usage for end users
- Contributing & Development
Installation
npm install cosmiconfig
Tested in Node 14+.
Usage for tooling developers
If you are an end user (i.e. a user of a tool that uses cosmiconfig, like prettier
or stylelint
),
you can skip down to the end user section.
Create a Cosmiconfig explorer, then either search
for or directly load
a configuration file.
1const { cosmiconfig, cosmiconfigSync } = require('cosmiconfig'); 2// ... 3const explorer = cosmiconfig(moduleName); 4 5// Search for a configuration by walking up directories. 6// See documentation for search, below. 7explorer.search() 8 .then((result) => { 9 // result.config is the parsed configuration object. 10 // result.filepath is the path to the config file that was found. 11 // result.isEmpty is true if there was nothing to parse in the config file. 12 }) 13 .catch((error) => { 14 // Do something constructive. 15 }); 16 17// Load a configuration directly when you know where it should be. 18// The result object is the same as for search. 19// See documentation for load, below. 20explorer.load(pathToConfig).then(/* ... */); 21 22// You can also search and load synchronously. 23const explorerSync = cosmiconfigSync(moduleName); 24 25const searchedFor = explorerSync.search(); 26const loaded = explorerSync.load(pathToConfig);
Result
The result object you get from search
or load
has the following properties:
- config: The parsed configuration object.
undefined
if the file is empty. - filepath: The path to the configuration file that was found.
- isEmpty:
true
if the configuration file is empty. This property will not be present if the configuration file is not empty.
Asynchronous API
cosmiconfig()
1const { cosmiconfig } = require('cosmiconfig'); 2const explorer = cosmiconfig(moduleName, /* optional */ cosmiconfigOptions)
Creates a cosmiconfig instance ("explorer") configured according to the arguments, and initializes its caches.
moduleName
Type: string
. Required.
Your module name. This is used to create the default searchPlaces
and packageProp
.
If your searchPlaces
value will include files, as it does by default (e.g. ${moduleName}rc
), your moduleName
must consist of characters allowed in filenames. That means you should not copy scoped package names, such as @my-org/my-package
, directly into moduleName
.
cosmiconfigOptions
are documented below.
You may not need them, and should first read about the functions you'll use.
explorer.search()
1explorer.search([searchFrom]).then(result => { /* ... */ })
Searches for a configuration file. Returns a Promise that resolves with a result or with null
, if no configuration file is found.
You can do the same thing synchronously with explorerSync.search()
.
Let's say your module name is goldengrahams
so you initialized with const explorer = cosmiconfig('goldengrahams');
.
Here's how your default search()
will work:
- Starting from
process.cwd()
(or some other directory defined by thesearchFrom
argument tosearch()
), look for configuration objects in the following places:- A
goldengrahams
property in apackage.json
file. - A
.goldengrahamsrc
file with JSON or YAML syntax. - A
.goldengrahamsrc.json
,.goldengrahamsrc.yaml
,.goldengrahamsrc.yml
,.goldengrahamsrc.js
,.goldengrahamsrc.ts
,.goldengrahamsrc.mjs
, or.goldengrahamsrc.cjs
file. (To learn more about how JS files are loaded, see "Loading JS modules".) - A
goldengrahamsrc
,goldengrahamsrc.json
,goldengrahamsrc.yaml
,goldengrahamsrc.yml
,goldengrahamsrc.js
,goldengrahamsrc.ts
,goldengrahamsrc.mjs
, orgoldengrahamsrc.cjs
file in the.config
subdirectory. - A
goldengrahams.config.js
,goldengrahams.config.ts
,goldengrahams.config.mjs
, orgoldengrahams.config.cjs
file. (To learn more about how JS files are loaded, see "Loading JS modules".)
- A
- If none of those searches reveal a configuration object, continue depending on the current search strategy:
- If it's
none
(which is the default if you don't specify astopDir
option), stop here and return/resolve withnull
. - If it's
global
(which is the default if you specify astopDir
option), move up one directory level and try again, recursing until arriving at the configuredstopDir
option, which defaults to the user's home directory.- After arriving at the
stopDir
, the global configuration directory (as defined byenv-paths
without prefix) is also checked, looking at the filesconfig
,config.json
,config.yaml
,config.yml
,config.js
,config.ts
,config.cjs
, andconfig.mjs
in the directory~/.config/goldengrahams/
(on Linux; seeenv-paths
documentation for other OSs).
- After arriving at the
- If it's
project
, check whether apackage.json
file is present in the current directory, and if not, move up one directory level and try again, recursing until there is one.
- If it's
- If at any point a parsable configuration is found, the
search()
Promise resolves with its result (or, withexplorerSync.search()
, the result is returned). - If no configuration object is found, the
search()
Promise resolves withnull
(or, withexplorerSync.search()
,null
is returned). - If a configuration object is found but is malformed (causing a parsing error), the
search()
Promise rejects with that error (so you should.catch()
it). (Or, withexplorerSync.search()
, the error is thrown.)
If you know exactly where your configuration file should be, you can use load()
, instead.
The search process is highly customizable.
Use the cosmiconfig options searchPlaces
and loaders
to precisely define where you want to look for configurations and how you want to load them.
searchFrom
Type: string
.
Default: process.cwd()
.
A filename.
search()
will start its search here.
If the value is a directory, that's where the search starts. If it's a file, the search starts in that file's directory.
explorer.load()
1explorer.load(loadPath).then(result => { /* ... */ })
Loads a configuration file. Returns a Promise that resolves with a result or rejects with an error (if the file does not exist or cannot be loaded).
Use load
if you already know where the configuration file is and you just need to load it.
1explorer.load('load/this/file.json'); // Tries to load load/this/file.json.
If you load a package.json
file, the result will be derived from whatever property is specified as your packageProp
.
package.yaml
will work as well if you specify these file names in your searchPlaces
.
You can do the same thing synchronously with explorerSync.load()
.
explorer.clearLoadCache()
Clears the cache used in load()
.
explorer.clearSearchCache()
Clears the cache used in search()
.
explorer.clearCaches()
Performs both clearLoadCache()
and clearSearchCache()
.
Synchronous API
cosmiconfigSync()
1const { cosmiconfigSync } = require('cosmiconfig'); 2const explorerSync = cosmiconfigSync(moduleName, /* optional */ cosmiconfigOptions)
Creates a synchronous cosmiconfig instance ("explorerSync") configured according to the arguments, and initializes its caches.
See cosmiconfig()
.
explorerSync.search()
1const result = explorerSync.search([searchFrom]);
Synchronous version of explorer.search()
.
Returns a result or null
.
explorerSync.load()
1const result = explorerSync.load(loadPath);
Synchronous version of explorer.load()
.
Returns a result.
explorerSync.clearLoadCache()
Clears the cache used in load()
.
explorerSync.clearSearchCache()
Clears the cache used in search()
.
explorerSync.clearCaches()
Performs both clearLoadCache()
and clearSearchCache()
.
cosmiconfigOptions
Type: Object
.
Possible options are documented below.
searchStrategy
Type: string
Default: global
if stopDir
is specified, none
otherwise.
The strategy that should be used to determine which directories to check for configuration files.
none
: Only checks in the current working directory.project
: Starts in the current working directory, traversing upwards until apackage.{json,yaml}
file is found.global
: Starts in the current working directory, traversing upwards until the configuredstopDir
(or the current user's home directory if none is given). Then, if no configuration is found, also look in the operating system's default configuration directory (according toenv-paths
without prefix), where a different set of file names is checked:
1[ 2 `config`, 3 `config.json`, 4 `config.yaml`, 5 `config.yml`, 6 `config.js`, 7 `config.ts`, 8 `config.cjs`, 9 `config.mjs` 10]
searchPlaces
Type: Array<string>
.
Default: See below.
An array of places that search()
will check in each directory as it moves up the directory tree.
Each place is relative to the directory being searched, and the places are checked in the specified order.
Default searchPlaces
:
For the asynchronous API, these are the default searchPlaces
:
1[ 2 'package.json', 3 `.${moduleName}rc`, 4 `.${moduleName}rc.json`, 5 `.${moduleName}rc.yaml`, 6 `.${moduleName}rc.yml`, 7 `.${moduleName}rc.js`, 8 `.${moduleName}rc.ts`, 9 `.${moduleName}rc.mjs`, 10 `.${moduleName}rc.cjs`, 11 `.config/${moduleName}rc`, 12 `.config/${moduleName}rc.json`, 13 `.config/${moduleName}rc.yaml`, 14 `.config/${moduleName}rc.yml`, 15 `.config/${moduleName}rc.js`, 16 `.config/${moduleName}rc.ts`, 17 `.config/${moduleName}rc.mjs`, 18 `.config/${moduleName}rc.cjs`, 19 `${moduleName}.config.js`, 20 `${moduleName}.config.ts`, 21 `${moduleName}.config.mjs`, 22 `${moduleName}.config.cjs`, 23];
For the synchronous API, the only difference is that .mjs
files are not included. See "Loading JS modules" for more information.
Create your own array to search more, fewer, or altogether different places.
Every item in searchPlaces
needs to have a loader in loaders
that corresponds to its extension.
(Common extensions are covered by default loaders.)
Read more about loaders
below.
package.json
is a special value: When it is included in searchPlaces
, Cosmiconfig will always parse it as JSON and load a property within it, not the whole file.
That property is defined with the packageProp
option, and defaults to your module name.
package.yaml
(used by pnpm) works the same way.
Examples, with a module named porgy
:
1// Disallow extensions on rc files: 2['package.json', '.porgyrc', 'porgy.config.js']
1// Limit the options dramatically: 2['package.json', '.porgyrc']
1// Maybe you want to look for a wide variety of JS flavors: 2[ 'porgy.config.js', 'porgy.config.mjs', 'porgy.config.ts', 'porgy.config.coffee'] 3// ^^ You will need to designate a custom loader to tell 4// Cosmiconfig how to handle `.coffee` files.
1// Look within a .config/ subdirectory of every searched directory: 2[ 3 'package.json', 4 '.porgyrc', 5 '.config/.porgyrc', 6 '.porgyrc.json', 7 '.config/.porgyrc.json' 8]
loaders
Type: Object
.
Default: See below.
An object that maps extensions to the loader functions responsible for loading and parsing files with those extensions.
Cosmiconfig exposes its default loaders on the named export defaultLoaders
and defaultLoadersSync
.
Default loaders
:
1const { defaultLoaders, defaultLoadersSync } = require('cosmiconfig'); 2 3console.log(Object.entries(defaultLoaders)); 4// [ 5// [ '.mjs', [Function: loadJs] ], 6// [ '.cjs', [Function: loadJs] ], 7// [ '.js', [Function: loadJs] ], 8// [ '.ts', [Function: loadTs] ], 9// [ '.json', [Function: loadJson] ], 10// [ '.yaml', [Function: loadYaml] ], 11// [ '.yml', [Function: loadYaml] ], 12// [ 'noExt', [Function: loadYaml] ] 13// ] 14 15console.log(Object.entries(defaultLoadersSync)); 16// [ 17// [ '.cjs', [Function: loadJsSync] ], 18// [ '.js', [Function: loadJsSync] ], 19// [ '.ts', [Function: loadTsSync] ], 20// [ '.json', [Function: loadJson] ], 21// [ '.yaml', [Function: loadYaml] ], 22// [ '.yml', [Function: loadYaml] ], 23// [ 'noExt', [Function: loadYaml] ] 24// ]
(YAML is a superset of JSON;Â which means YAML parsers can parse JSON;Â which is how extensionless files can be either YAML or JSON with only one parser.)
If you provide a loaders
object, your object will be merged with the defaults.
So you can override one or two without having to override them all.
Keys in loaders
are extensions (starting with a period), or noExt
to specify the loader for files without extensions, like .myapprc
.
Values in loaders
are a loader function (described below) whose values are loader functions.
The most common use case for custom loaders value is to load extensionless rc
files as strict JSON, instead of JSON or YAML (the default).
To accomplish that, provide the following loaders
value:
1{ 2 noExt: defaultLoaders['.json']; 3}
If you want to load files that are not handled by the loader functions Cosmiconfig exposes, you can write a custom loader function or use one from NPM if it exists.
Use cases for custom loader function:
- Allow configuration syntaxes that aren't handled by Cosmiconfig's defaults, like JSON5, INI, or XML.
- Parse JS files with Babel before deriving the configuration.
Custom loader functions have the following signature:
1// Sync 2type SyncLoader = (filepath: string, content: string) => Object | null 3 4// Async 5type AsyncLoader = (filepath: string, content: string) => Object | null | Promise<Object | null>
Cosmiconfig reads the file when it checks whether the file exists, so it will provide you with both the file's path and its content.
Do whatever you need to, and return either a configuration object or null
(or, for async-only loaders, a Promise that resolves with one of those).
null
indicates that no real configuration was found and the search should continue.
A few things to note:
- If you use a custom loader, be aware of whether it's sync or async: you cannot use async customer loaders with the sync API (
cosmiconfigSync()
). - Special JS syntax can also be handled by using a
require
hook, becausedefaultLoaders['.js']
just usesrequire
. Whether you use custom loaders or arequire
hook is up to you.
Examples:
1// Allow JSON5 syntax: 2cosmiconfig('foo', { 3 loaders: { 4 '.json': json5Loader 5 } 6}); 7 8// Allow a special configuration syntax of your own creation: 9cosmiconfig('foo', { 10 loaders: { 11 '.special': specialLoader 12 } 13}); 14 15// Allow many flavors of JS, using custom loaders: 16cosmiconfig('foo', { 17 loaders: { 18 '.coffee': coffeeScriptLoader 19 } 20}); 21 22// Allow many flavors of JS but rely on require hooks: 23cosmiconfig('foo', { 24 loaders: { 25 '.coffee': defaultLoaders['.js'] 26 } 27});
packageProp
Type: string | Array<string>
.
Default: `${moduleName}`
.
Name of the property in package.json
(or package.yaml
) to look for.
Use a period-delimited string or an array of strings to describe a path to nested properties.
For example, the value 'configs.myPackage'
or ['configs', 'myPackage']
will get you the "myPackage"
value in a package.json
like this:
1{ 2 "configs": { 3 "myPackage": {"option": "value"} 4 } 5}
If nested property names within the path include periods, you need to use an array of strings. For example, the value ['configs', 'foo.bar', 'baz']
will get you the "baz"
value in a package.json
like this:
1{ 2 "configs": { 3 "foo.bar": { 4 "baz": {"option": "value"} 5 } 6 } 7}
If a string includes period but corresponds to a top-level property name, it will not be interpreted as a period-delimited path. For example, the value 'one.two'
will get you the "three"
value in a package.json
like this:
1{ 2 "one.two": "three", 3 "one": { 4 "two": "four" 5 } 6}
stopDir
Type: string
.
Default: Absolute path to your home directory.
Directory where the search will stop.
cache
Type: boolean
.
Default: true
.
If false
, no caches will be used.
Read more about "Caching" below.
transform
Type: (Result) => Promise<Result> | Result
.
A function that transforms the parsed configuration. Receives the result.
If using search()
or load()
(which are async), the transform function can return the transformed result or return a Promise that resolves with the transformed result.
If using cosmiconfigSync
, search()
or load()
, the function must be synchronous and return the transformed result.
The reason you might use this option — instead of simply applying your transform function some other way — is that the transformed result will be cached. If your transformation involves additional filesystem I/O or other potentially slow processing, you can use this option to avoid repeating those steps every time a given configuration is searched or loaded.
ignoreEmptySearchPlaces
Type: boolean
.
Default: true
.
By default, if search()
encounters an empty file (containing nothing but whitespace) in one of the searchPlaces
, it will ignore the empty file and move on.
If you'd like to load empty configuration files, instead, set this option to false
.
Why might you want to load empty configuration files? If you want to throw an error, or if an empty configuration file means something to your program.
Loading JS modules
Your end users can provide JS configuration files as ECMAScript modules (ESM) under the following conditions:
- You (the cosmiconfig user) use cosmiconfig's asynchronous API.
- Your end user runs a version of Node that supports ESM (>=12.17.0, or earlier with the
--experimental-modules
flag). - Your end user provides an
.mjs
configuration file, or a.js
file whose nearest parentpackage.json
file contains"type": "module"
. (See Node's method for determining a file's module system.)
With cosmiconfig's asynchronous API, the default searchPlaces
include .js
, .ts
, .mjs
, and .cjs
files. Cosmiconfig loads all these file types with the dynamic import
function.
With the synchronous API, JS configuration files are always treated as CommonJS, and .mjs
files are ignored, because there is no synchronous API for the dynamic import
function.
Caching
As of v2, cosmiconfig uses caching to reduce the need for repetitious reading of the filesystem or expensive transforms. Every new cosmiconfig instance (created with cosmiconfig()
) has its own caches.
To avoid or work around caching, you can do the following:
- Set the
cosmiconfig
optioncache
tofalse
. - Use the cache-clearing methods
clearLoadCache()
,clearSearchCache()
, andclearCaches()
. - Create separate instances of cosmiconfig (separate "explorers").
Differences from rc
rc serves its focused purpose well. cosmiconfig differs in a few key ways — making it more useful for some projects, less useful for others:
- Looks for configuration in some different places: in a
package.json
property, an rc file, a.config.js
file, and rc files with extensions. - Built-in support for JSON, YAML, and CommonJS formats.
- Stops at the first configuration found, instead of finding all that can be found up the directory tree and merging them automatically.
- Options.
- Asynchronous by default (though can be run synchronously).
Usage for end users
When configuring a tool, you can use multiple file formats and put these in multiple places.
Usually, a tool would mention this in its own README file,
but by default, these are the following places, where {NAME}
represents the name of the tool:
package.json
.{NAME}rc
.{NAME}rc.json
.{NAME}rc.yaml
.{NAME}rc.yml
.{NAME}rc.js
.{NAME}rc.ts
.{NAME}rc.cjs
.config/{NAME}rc
.config/{NAME}rc.json
.config/{NAME}rc.yaml
.config/{NAME}rc.yml
.config/{NAME}rc.js
.config/{NAME}rc.ts
.config/{NAME}rc.mjs
.config/{NAME}rc.cjs
{NAME}.config.js
{NAME}.config.ts
{NAME}.config.mjs
{NAME}.config.cjs
The contents of these files are defined by the tool.
For example, you can configure prettier to enforce semicolons at the end of the line
using a file named .config/prettierrc.yml
:
1semi: true
Additionally, you have the option to put a property named after the tool in your package.json
file,
with the contents of that property being the same as the file contents. To use the same example as above:
1{ 2 "name": "your-project", 3 "dependencies": {}, 4 "prettier": { 5 "semi": true 6 } 7}
This has the advantage that you can put the configuration of all tools (at least the ones that use cosmiconfig) in one file.
You can also add a cosmiconfig
key within your package.json
file or create one of the following files
to configure cosmiconfig
itself:
.config/config.json
.config/config.yaml
.config/config.yml
.config/config.js
.config/config.ts
.config/config.cjs
The following properties are currently actively supported in these places:
1cosmiconfig: 2 # adds places where configuration files are being searched 3 searchPlaces: 4 - .config/{name}.yml 5 # to enforce a custom naming convention and format, don't merge the above with the tool-defined search places 6 # (`true` is the default setting) 7 mergeSearchPlaces: false
Note: technically, you can overwrite all options described in cosmiconfigOptions here, but everything not listed above should be used at your own risk, as it has not been tested explicitly. The only exceptions to this are the
loaders
property, which is explicitly not supported at this time, and thesearchStrategy
property, which is intentionally disallowed.
You can also add more root properties outside the cosmiconfig
property
to configure your tools, entirely eliminating the need to look for additional configuration files:
1cosmiconfig: 2 searchPlaces: [] 3 4prettier: 5 semi: true
Imports
Wherever you put your configuration (the package.json file, a root config file or a package-specific config file),
you can use the special $import
key to import another file as a base.
For example, you can import from an npm package (in this example, @foocorp/config
).
.prettierrc.base.yml
in said npm package could define some company-wide defaults:
1printWidth: 120 2semi: true 3tabWidth: 2
And then, the .prettierrc.yml
file in the project itself would just reference that file,
optionally overriding the defaults with project-specific settings:
1$import: node_modules/@foocorp/config/.prettierrc.base.yml 2# we want more space! 3printWidth: 200
It is possible to import multiple base files by specifying an array of paths, which will be processed in declaration order; that means that the last entry will win if there are conflicting properties.
It is also possible to import file formats other than the importing format as long as they are supported by the loaders specified by the developer of the tool you're configuring.
1$import: [first.yml, second.json, third.config.js]
Contributing & Development
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
And please do participate!
No vulnerabilities found.
Reason
no dangerous workflow patterns detected
Reason
GitHub workflow tokens follow principle of least privilege
Details
- Info: topLevel 'contents' permission set to 'read': .github/workflows/main.yml:15
- Info: no jobLevel write permissions found
Reason
no binaries found in the repo
Reason
0 existing vulnerabilities detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
Found 0/29 approved changesets -- score normalized to 0
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/cosmiconfig/cosmiconfig/main.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/cosmiconfig/cosmiconfig/main.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/cosmiconfig/cosmiconfig/main.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/main.yml:38
- Info: 0 out of 2 GitHub-owned GitHubAction dependencies pinned
- Info: 0 out of 1 third-party GitHubAction dependencies pinned
- Info: 0 out of 1 npmCommand dependencies pinned
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 3 are checked with a SAST tool
Score
4.8
/10
Last Scanned on 2024-11-25
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More