v0.10.1 — leaner default install
Fixed
A default install no longer pulls sigstore and the MCP SDK. They were declared as optionalDependencies, which npm installs by default (skipped only when installation fails) — so a plain npm install safeinstall-cli pulled ~130 packages, dragging eval/network/shell/URL capability signals through the transitive tree and contradicting the "3 runtime dependencies, loads on demand" promise.
They are now peerDependencies marked optional in peerDependenciesMeta. A fresh consumer install now pulls only the three real runtime dependencies (npm-package-arg, semver, yaml) — verified: ~130 packages down to a handful.
The lazy-import paths are unchanged: enabling provenance.mode or running safeinstall mcp without the package still prints a clear install hint. A release-metadata test guards against regressing these back into installed dependencies.
No API or behavior change — a supply-chain tool should carry the smallest supply chain it can.
Full changelog: https://github.com/Mickdownunder/SafeInstall/blob/main/CHANGELOG.md