Highlights
🛡️ Install Gate (Beta) — vet dependencies before they hit disk. New in this release and under active refinement; flags and verdicts may change between releases. Prefix any pip / npm / yarn / pnpm / uv install with corgea to screen every package it would install — named and transitive — against Corgea's vulnerability API before anything lands. Known-vulnerable or malicious versions block the install (exit 1) and print the version the issue is fixed in; a clean set runs the underlying command untouched. No token is needed for baseline public-CVE checks; corgea login upgrades to authenticated fail-closed enforcement. A recency gate (default 14 days, configurable) also blocks freshly published packages, to catch typosquats before advisory feeds catch up.
```shell
corgea npm install lodash@4.17.20   # blocks: known-vulnerable (CVE-2025-13465), exits 1
corgea pip install requests         # resolves, checks the verdict, then runs pip
```

What's Changed
Install Gate
- Install gate, Phase 0: vuln-api contract + test harness by @juangaitanv in #110
- Install gate, Phase 1: core gate — `corgea pip|npm install <named targets>` by @juangaitanv in #111
- Install gate, Phase 2: gate the full would-install set (tree pass) by @juangaitanv in #112
- Install gate, Phase 3: uv/yarn/pnpm wrappers + `--json` machine output by @juangaitanv in #114
- Install gate, Phase 3: org guarantee — authenticated fail-closed mode by @juangaitanv in #115
- Install gate: move recency gate from flags to a config toggle by @juangaitanv in #119
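To make the gate's decision rules concrete (the tree pass over the would-install set, the fixed-in version in the block message, the recency gate, and fail-closed versus baseline behaviour when the advisory feed is unreachable), here is an added illustrative model in Python. It is not Corgea's code and does not call its vulnerability API: the advisory entries, dependency graph, publish dates and package names are constructed for the example, version comparison is simplified to dotted integers, and the assumption that unauthenticated baseline mode fails open when the feed is unreachable is the author's reading of the release notes, not documented behaviour.

```python
"""Toy install gate: constructed data, not Corgea's implementation."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first vulnerable version (inclusive)
    fixed_in: str     # first safe version (exclusive upper bound)
    ident: str        # constructed identifier, not a real CVE


@dataclass
class Verdict:
    exit_code: int                 # 1 blocks the install, 0 lets it run
    blocked: list                  # (package, version, reason)


def vkey(version: str) -> tuple:
    """Simplified version ordering: dotted integers only (assumption)."""
    return tuple(int(p) for p in version.split("."))


# Constructed advisory feed (stand-in for the vulnerability API response).
ADVISORIES = [
    Advisory("widget", "4.0.0", "4.17.21", "ADV-CONSTRUCTED-1"),
    Advisory("parserlib", "0.0.0", "2.1.0", "ADV-CONSTRUCTED-2"),
]

# Constructed resolver output: (package, version) -> pinned dependencies.
DEP_GRAPH = {
    ("app", "1.0.0"): [("widget", "4.17.20"), ("parserlib", "2.1.0")],
    ("widget", "4.17.20"): [],
    ("widget", "4.17.21"): [],
    ("parserlib", "2.1.0"): [],
    ("newcomer", "0.1.0"): [],
}

# Constructed registry publish dates used by the recency gate.
PUBLISHED = {
    ("app", "1.0.0"): date(2024, 3, 1),
    ("widget", "4.17.20"): date(2021, 4, 1),
    ("widget", "4.17.21"): date(2021, 5, 1),
    ("parserlib", "2.1.0"): date(2023, 9, 1),
    ("newcomer", "0.1.0"): date(2025, 12, 1),
}


def resolve_tree(targets):
    """Tree pass: named targets plus everything they pull in transitively."""
    seen, stack = [], list(targets)
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.append(node)
        stack.extend(DEP_GRAPH.get(node, []))
    return seen


def find_advisory(package, version):
    for adv in ADVISORIES:
        if adv.package == package and vkey(adv.introduced) <= vkey(version) < vkey(adv.fixed_in):
            return adv
    return None


def gate(targets, today, recency_days=14, feed_available=True, authenticated=False):
    """Decide whether the underlying install may run."""
    if not feed_available:
        if authenticated:
            # Authenticated mode: no verdict means no install (fail closed).
            return Verdict(1, [("<feed>", "", "advisory feed unreachable; failing closed")])
        return Verdict(0, [])  # baseline mode fails open (assumption, see lead-in)
    blocked = []
    for package, version in resolve_tree(targets):
        adv = find_advisory(package, version)
        if adv is not None:
            blocked.append((package, version, f"{adv.ident}; fixed in {adv.fixed_in}"))
            continue
        published = PUBLISHED.get((package, version))
        if published is not None and (today - published).days < recency_days:
            blocked.append((package, version,
                            f"published {(today - published).days} days ago (< {recency_days})"))
    return Verdict(1 if blocked else 0, blocked)


if __name__ == "__main__":
    verdict = gate([("app", "1.0.0")], today=date(2026, 1, 15))
    for package, version, reason in verdict.blocked:
        print(f"BLOCK {package}=={version}: {reason}")
    raise SystemExit(verdict.exit_code)
```

The named target `app` is clean on its own; the block comes from the transitive pin `widget==4.17.20`, which is why the tree pass matters. Lowering `recency_days` (the page's config toggle) is what lets a package published nine days ago through.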
Scanning
- Add `--exclude` flag to scan command for glob-based file exclusion by @Ibrahimrahhal in #86
- Fix false "Project not found" errors by fetching scan issues by `project_name` instead of `scan_id` (COR-1493) by @Ibrahimrahhal in #117
Maintenance
- CI: bump `actions/checkout` v4 → v6 across workflows by @juangaitanv in #116
Full Changelog: v1.9.0...v1.9.1