
v1.9.1


@juangaitanv juangaitanv released this 26 Jun 14:42
4629cf7

Highlights

🛡️ Install Gate (Beta) — vet dependencies before they hit disk. New in this release and under active refinement; flags and verdicts may change between releases. Prefix any pip / npm / yarn / pnpm / uv install with corgea to screen every package it would install — named and transitive — against Corgea's vulnerability API before anything lands. Known-vulnerable or malicious versions block the install (exit 1) and print the safe fixed-in version; a clean set runs the underlying command untouched. No token is needed for baseline public-CVE checks; corgea login upgrades to authenticated fail-closed enforcement. A recency gate (default 14 days, configurable) also blocks freshly published packages, to catch typosquats before advisory feeds catch up.

```sh
corgea npm install lodash@4.17.20   # blocks: known-vulnerable (CVE-2025-13465), exits 1
corgea pip install requests         # resolves, checks the verdict, then runs pip
```
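To make the verdict rules above concrete, here is an added, self-contained sketch of the decision logic an install gate applies to a would-install set: block on a known-vulnerable version and report the fixed-in version, block on a package newer than the recency window, and, in fail-closed mode, block when the advisory lookup is unavailable. This is illustrative code written for this page, not Corgea's implementation; the advisory feed, package names, dates and the `ADV-PLACEHOLDER-0001` id are constructed, and modelling "fail-closed" as "no answer means block" is an assumption about the enforcement mode, not a description of the real API.

```python
"""Simplified install-gate verdict logic (illustration only, not Corgea's code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Package:
    """One package the install would put on disk (named or transitive)."""
    name: str
    version: str
    published: date  # upload date of this exact version


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory record: affected versions and the first safe version."""
    advisory_id: str
    vulnerable: frozenset
    fixed_in: str


@dataclass
class Verdict:
    """Reasons to block; an empty list means the underlying install may run."""
    reasons: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        return bool(self.reasons)

    @property
    def exit_code(self) -> int:
        return 1 if self.blocked else 0


def screen(packages, feed, today, recency_days=14, fail_closed=False):
    """Screen the full would-install set and return a Verdict.

    feed: mapping package name -> list[Advisory], or None when the advisory
    lookup could not be completed. fail_closed=True models authenticated
    enforcement (assumption: an unavailable feed blocks); the baseline mode
    lets the install proceed when there is no answer.
    """
    verdict = Verdict()
    if feed is None:
        if fail_closed:
            verdict.reasons.append("advisory lookup unavailable; fail-closed mode blocks the install")
        return verdict
    cutoff = today - timedelta(days=recency_days)
    for pkg in packages:
        # Known-vulnerable versions: block and name the fixed-in version.
        for adv in feed.get(pkg.name, []):
            if pkg.version in adv.vulnerable:
                verdict.reasons.append(
                    f"{pkg.name}@{pkg.version}: known-vulnerable ({adv.advisory_id}), "
                    f"fixed in {adv.fixed_in}")
        # Recency gate: anything published inside the window is blocked,
        # advisory or not, because feeds lag behind fresh typosquats.
        if pkg.published > cutoff:
            verdict.reasons.append(
                f"{pkg.name}@{pkg.version}: published {pkg.published.isoformat()}, "
                f"newer than the {recency_days}-day recency gate")
    return verdict


# Constructed advisory feed with a placeholder advisory id.
FEED = {
    "example-lib": [Advisory("ADV-PLACEHOLDER-0001", frozenset({"1.0.0", "1.0.1"}), "1.0.2")],
}
TODAY = date(2025, 6, 26)  # constructed "now" so the run is deterministic


def demo_verdict():
    """Mixed would-install set: one vulnerable pin, one brand-new package, one clean."""
    would_install = [
        Package("example-lib", "1.0.1", date(2024, 1, 10)),
        Package("brand-new-helper", "0.0.1", date(2025, 6, 20)),
        Package("stable-lib", "2.3.4", date(2023, 5, 5)),
    ]
    return screen(would_install, FEED, TODAY)


def demo_clean():
    """A set with nothing to report runs the underlying command untouched."""
    return screen([Package("stable-lib", "2.3.4", date(2023, 5, 5))], FEED, TODAY)


def demo_feed_unavailable(fail_closed):
    """Same empty answer from the feed; only the enforcement mode differs."""
    return screen([Package("stable-lib", "2.3.4", date(2023, 5, 5))], None, TODAY,
                  fail_closed=fail_closed)


if __name__ == "__main__":
    v = demo_verdict()
    for reason in v.reasons:
        print("BLOCKED:", reason)
    raise SystemExit(v.exit_code)
```

The check runs over the whole resolved set, not just the named targets, which is the point of the "tree pass": a transitive dependency pulled in by a clean top-level package is screened with the same rules.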

What's Changed

Install Gate

  • Install gate, Phase 0: vuln-api contract + test harness by @juangaitanv in #110
  • Install gate, Phase 1: core gate — corgea pip|npm install <named targets> by @juangaitanv in #111
  • Install gate, Phase 2: gate the full would-install set (tree pass) by @juangaitanv in #112
  • Install gate, Phase 3: uv/yarn/pnpm wrappers + --json machine output by @juangaitanv in #114
  • Install gate, Phase 3: org guarantee — authenticated fail-closed mode by @juangaitanv in #115
  • Install gate: move recency gate from flags to a config toggle by @juangaitanv in #119

Scanning

  • Add --exclude flag to scan command for glob-based file exclusion by @Ibrahimrahhal in #86
  • Fix false "Project not found" errors by fetching scan issues by project_name instead of scan_id (COR-1493) by @Ibrahimrahhal in #117

Maintenance

Full Changelog: v1.9.0...v1.9.1