Dependency cooldowns for every repo. One command.
depshield is a repo-first CLI for checking whether dependency managers delay freshly published package releases
before they reach local installs and CI. v0.1 is a read-only proof: it scans a repository, reports native cooldown
coverage, and returns CI-friendly exit codes without network requests.
Commands:

```text
depshield scan
depshield check
```

Example run against the bundled sample repository:

```text
$ depshield scan --dir examples/npm-protected --no-color
depshield v0.1.0
Policy: default
Minimum age: 7 days

Manager    Source    Cooldown    Status
────────────────────────────────────────────────────────────
npm        .npmrc    7 days      protected
pnpm       -         -           not_found
yarn       -         -           not_found
bun        -         -           not_found
uv         -         -           not_found
pip        -         -           not_found
go         -         -           not_found
cargo      -         -           not_found
composer   -         -           not_found
deno       -         -           not_found

Summary: 1 protected, 0 partial, 0 unprotected, 0 unsupported, 9 not found, 0 errors
```
Install:

```shell
go install github.com/depshield/depshield/cmd/depshield@latest
```

For local development:

```shell
go run ./cmd/depshield scan
go test ./...
```

Usage:

```shell
depshield scan --dir . --format human
depshield scan --dir . --format json
depshield check --dir .
depshield version
```

`scan` exits 0 after a completed scan, 2 for usage errors, and 3 for runtime errors. `check` exits 1 when
native cooldown policy is violated, 2 for usage errors, and 3 for runtime errors.
| Manager | Read-only check | Native cooldown key | Auto-fix |
|---|---|---|---|
| npm | yes | `.npmrc` `min-release-age` | no |
| pnpm | yes | `pnpm-workspace.yaml` `minimumReleaseAge` | no |
| Yarn Berry | yes | `.yarnrc.yml` `npmMinimalAgeGate` | no |
| Bun | yes | `bunfig.toml` `[install].minimumReleaseAge` | no |
| uv | yes | `pyproject.toml` `[tool.uv].exclude-newer` | no |
| pip | advisory | `--uploaded-prior-to` is absolute-date only | no |
| Go modules | advisory | no native rolling cooldown | no |
| Cargo | advisory | no native rolling cooldown | no |
| Composer | advisory | no native rolling cooldown | no |
| Deno | advisory | no v0.1 native policy | no |
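The table above lists the config keys a read-only scan looks for, and the usage section gives the exit-code contract for `check`. The following is an added example, not depshield's own code, showing how such a scan can work for two of the managers: it reads `.npmrc` (`min-release-age`, expressed in days) and `pnpm-workspace.yaml` (`minimumReleaseAge`, expressed in minutes), normalises both to days, classifies each against the 7-day policy minimum, and maps the results to the `check` exit code. The status rules (key missing from an existing file means `unprotected`, a value below the minimum means `partial`, a missing file means `not_found`, and only `partial`/`unprotected` make `check` fail) and the flat line-based key lookup are assumptions of this example, not documented depshield behaviour.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Status values follow the categories used in the scan summary.
type Status string

const (
	Protected   Status = "protected"
	Partial     Status = "partial"
	Unprotected Status = "unprotected"
	NotFound    Status = "not_found"
)

// Result is one row of a read-only scan.
type Result struct {
	Manager  string
	Source   string
	Cooldown string
	Status   Status
}

// lookupKey returns the value of the first "key=value" / "key = value" / "key: value"
// line whose key matches. It handles flat .npmrc files and top-level YAML keys;
// it is deliberately not a full INI or YAML parser (assumption of this example).
func lookupKey(body, key string) (string, bool) {
	for _, raw := range strings.Split(body, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue // blank line or comment
		}
		sep := strings.IndexAny(line, "=:")
		if sep < 0 || strings.TrimSpace(line[:sep]) != key {
			continue
		}
		return strings.TrimSpace(line[sep+1:]), true
	}
	return "", false
}

// npmDays: npm's min-release-age is already in days.
func npmDays(v string) (float64, error) { return strconv.ParseFloat(v, 64) }

// pnpmDays: pnpm's minimumReleaseAge is in minutes, so convert to days.
func pnpmDays(v string) (float64, error) {
	m, err := strconv.ParseFloat(v, 64)
	return m / 1440, err
}

// classify compares a manager's configured cooldown (converted to days by toDays)
// against the policy minimum and produces a scan row.
func classify(manager, source, body, key string, toDays func(string) (float64, error), minDays float64) Result {
	r := Result{Manager: manager, Source: source, Cooldown: "-"}
	val, ok := lookupKey(body, key)
	if !ok {
		r.Status = Unprotected // config file exists but sets no cooldown
		return r
	}
	days, err := toDays(val)
	if err != nil || days <= 0 {
		r.Status = Unprotected // unparsable or zero cooldown gives no protection
		return r
	}
	r.Cooldown = fmt.Sprintf("%g days", days)
	if days >= minDays {
		r.Status = Protected
	} else {
		r.Status = Partial // a cooldown exists but is shorter than policy
	}
	return r
}

// scanDir probes the known config files in dir without any network access.
func scanDir(dir string, minDays float64) []Result {
	var out []Result
	probe := func(manager, file, key string, toDays func(string) (float64, error)) {
		body, err := os.ReadFile(filepath.Join(dir, file))
		if err != nil {
			out = append(out, Result{Manager: manager, Source: "-", Cooldown: "-", Status: NotFound})
			return
		}
		out = append(out, classify(manager, file, string(body), key, toDays, minDays))
	}
	probe("npm", ".npmrc", "min-release-age", npmDays)
	probe("pnpm", "pnpm-workspace.yaml", "minimumReleaseAge", pnpmDays)
	return out
}

// checkExitCode returns 1 when any manager violates policy, else 0 (assumed rule:
// not_found is "nothing to violate", partial and unprotected are violations).
func checkExitCode(results []Result) int {
	for _, r := range results {
		if r.Status == Partial || r.Status == Unprotected {
			return 1
		}
	}
	return 0
}

func main() {
	dir := "."
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	results := scanDir(dir, 7)
	for _, r := range results {
		fmt.Printf("%-8s %-22s %-10s %s\n", r.Manager, r.Source, r.Cooldown, r.Status)
	}
	os.Exit(checkExitCode(results))
}
```

Run it as `go run main.go path/to/repo`; a repo whose `.npmrc` sets `min-release-age=3` is reported as `partial` and the process exits 1, which is what a CI gate needs to fail the job.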
Dependency cooldowns reduce the chance that a newly published malicious release is installed before maintainers, registries, vulnerability scanners, or the wider community have had time to detect it.
depshield is not a vulnerability scanner, malware scanner, SaaS agent, or registry proxy. It makes no network
requests in `scan` or in the v0.1 `check`, and it does not edit package-manager configs in v0.1.
Cooldowns can delay security fixes. Use them together with Dependabot, Renovate, OSV, npm audit, pip-audit, or the
scanner already used by your team.
v0.1 can be run directly after building from source, for example from a GitHub Actions workflow:

```yaml
name: depshield
on:
  pull_request:
  push:
    branches:
      - main
jobs:
  depshield:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "1.23"
      - run: go run ./cmd/depshield check --format json
```

Roadmap:

- v0.2: `.depshield.yml`, `init`, `fix --project`, diff preview, generated GitHub workflow, markdown output.
- v0.3: lockfile freshness analyzer, registry cache, SARIF, GitHub annotations, Action beta.
- v1.0: signed releases, checksums, SBOM, SLSA provenance, Homebrew, npm launcher, install script.
License: MIT