v10.2.0 — npm distribution channel
[10.2.0] - 2026-04-21
Caspian is now installable from three registries: VS Code Marketplace, Open VSX, and npm. The same rule engine reaches every developer — IDE, CLI, CI — through the channel most natural for their workflow.
Added
- npm distribution. Same package, same name (`caspian-security`), same source tree. `npm install -g caspian-security` / `npx caspian-security caspian-scan ./` / `npm install --save-dev caspian-security`. No more "clone the repo first" friction for non-GitHub CI pipelines (GitLab, CircleCI, Jenkins, Drone, BuildKite all work out of the box).
- Three `bin` commands — `caspian-scan` (main SARIF scanner), `caspian-git-history-scan` (secret scanner for git log), `caspian-check-updates` (dependency audit). All three reuse the CLI shebang that's already present in source.
- `files` field scoped tightly — only `out/`, LICENSE, README, CHANGELOG, SECURITY, THREAT_MODEL, and the icon ship to npm. No source tree, no tests, no `.vsix` artefacts.
- `npm run publish:npm` script (runs `npm run compile` first, then `npm publish --access public`). Matches the existing `publish:vscode` + `publish:openvsx` pattern, so all three registries publish from the same compiled bits.
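Added example, not Caspian's own code: a small manifest audit that checks the three properties the entries above describe (a tight `files` allowlist, `bin` commands that resolve to shipped paths, and a `publish:npm` script that compiles before publishing). The manifest below is constructed from the changelog; the paths under `out/` and the icon filename are placeholders, not the project's real layout.

```javascript
// Constructed manifest modelled on the 10.2.0 notes. The bin targets and
// icon name are assumed placeholders; only the names and the allowlist
// entries come from the changelog.
const manifest = {
  name: 'caspian-security',
  main: 'out/extension.js',
  bin: {
    'caspian-scan': 'out/cli/scan.js',
    'caspian-git-history-scan': 'out/cli/git-history-scan.js',
    'caspian-check-updates': 'out/cli/check-updates.js',
  },
  files: ['out/', 'LICENSE', 'README.md', 'CHANGELOG.md', 'SECURITY.md',
          'THREAT_MODEL.md', 'icon.png'],
  scripts: {
    compile: 'tsc -p ./',
    'publish:npm': 'npm run compile && npm publish --access public',
  },
};

// Normalise a manifest path: drop a leading "./", collapse repeated slashes.
function normalisePath(p) {
  return p.replace(/^\.\//, '').replace(/\/+/g, '/');
}

// True when `file` is covered by the `files` allowlist, either as an exact
// entry or as something inside a listed directory (trailing slash optional).
function isShipped(files, file) {
  const target = normalisePath(file);
  return files.some(entry => {
    const dir = normalisePath(entry).replace(/\/$/, '');
    return target === dir || target.startsWith(dir + '/');
  });
}

// Returns the problems found; an empty array means the published surface
// matches what the release notes promise.
function auditPublishSurface(m) {
  const problems = [];
  const files = Array.isArray(m.files) ? m.files : [];
  if (files.length === 0) problems.push('no files allowlist: the whole tree would ship');
  const leaky = ['src', 'test', '.vsix'];            // things that must not ship
  for (const entry of files) {
    if (leaky.some(l => entry.includes(l))) problems.push(`files allowlist ships ${entry}`);
  }
  for (const [cmd, target] of Object.entries(m.bin || {})) {
    if (!isShipped(files, target)) problems.push(`bin ${cmd} -> ${target} is not in files`);
  }
  const pub = (m.scripts || {})['publish:npm'] || '';
  if (!/^npm run compile\s*&&\s*npm publish\b/.test(pub)) problems.push('publish:npm does not compile first');
  if (!/--access public\b/.test(pub)) problems.push('publish:npm lacks --access public');
  return problems;
}
```

Run it in CI before `npm run publish:npm` to catch a `files` entry or `bin` target that drifts away from what is meant to ship.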
Changed
- BUILD.md publishing section — rewritten around a three-registry table. Each channel gets its own auth / publish walkthrough. Documents that `require('caspian-security')` isn't supported (the `main` field points at the VS Code extension entry, which needs `vscode`); use the bin commands instead.
- README.md — new "Install" section near the top covers VS Code / Open VSX / npm / GitHub Actions side by side. Overview copy updated to reflect the current scope (295+ rules, IaC + code, taint tracking, per-invocation consent default).
Notes
- Same rule engine, same SARIF, same baseline format across all three channels. The extension's diagnostics, the CLI's SARIF output, and the Action's uploaded results are indistinguishable once you've stripped the UI chrome.
- Publishing to npm requires a maintainer `npm login` + OTP. The script is in place; actually pushing to the registry is a one-time action the owner runs when ready.