Releases: d-kimuson/npm-fw
v0.0.4
Changes
Features
- `npm-fw cache-clean` command — clears the advisory cache from disk and from the running daemon's in-memory state. If the daemon is running, it reloads afterward so subsequent requests re-fetch fresh advisory data.
Fixes
- Advisory checks now correctly consider the package version's semver range. Previously, advisories flagged against a package could incorrectly apply to versions outside the affected range, potentially blocking non-vulnerable versions. Now only advisories whose `vulnerable_versions` range actually covers the requested version are reported.
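The range check described in this fix, as an added example (not npm-fw's own code): a minimal matcher that reports an advisory only when its `vulnerable_versions` range covers the requested version. The advisory ids and ranges are constructed, the function names are hypothetical, and it assumes npm-style range syntax with plain x.y.z versions; anything it cannot parse is treated as affected, which is this example's choice.

```javascript
// Added example, not npm-fw source. Assumes npm-style ranges: comparators
// separated by spaces (AND), comparator sets separated by "||" (OR).
function parseVersion(v) {
  // Plain x.y.z only; prerelease/build tags throw and are handled by the caller.
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function satisfiesComparator(version, comparator) {
  if (comparator === "*") return true;
  const m = /^(<=|>=|<|>|=)?(.*)$/.exec(comparator); // empty operand throws below
  const c = compare(version, parseVersion(m[2]));
  switch (m[1] || "=") {
    case "<": return c < 0;
    case "<=": return c <= 0;
    case ">": return c > 0;
    case ">=": return c >= 0;
    default: return c === 0;
  }
}

function inRange(version, range) {
  const v = parseVersion(version);
  const normalized = range.replace(/([<>=]+)\s+/g, "$1"); // "<= 1.5.0" -> "<=1.5.0"
  return normalized.split("||").some((set) =>
    set.trim().split(/\s+/).every((cmp) => satisfiesComparator(v, cmp)));
}

function applicableAdvisories(version, advisories) { // keep only covering advisories
  return advisories.filter((adv) => {
    try { return inRange(version, adv.vulnerable_versions); }
    catch { return true; } // fail closed: unparseable input counts as affected
  });
}

// Constructed sample advisories (hypothetical ids, not real advisory data).
const sampleAdvisories = [
  { id: "EXAMPLE-1", vulnerable_versions: ">=1.0.0 <1.2.3" },
  { id: "EXAMPLE-2", vulnerable_versions: "<0.9.0 || >=2.0.0 <2.1.0" },
  { id: "EXAMPLE-3", vulnerable_versions: "<= 1.5.0" },
];
```

Matching on package name alone would report all three advisories for every version; with the range check, version 1.2.3 is flagged only by EXAMPLE-3.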
v0.0.3
Changes
Fixes
- Advisory cache now correctly stores results for packages with no vulnerabilities, avoiding redundant API requests for safe packages.
v0.0.2
Highlights
- npm-fw now supports yarn (Berry and v1) and pnpm v11, in addition to npm
- Advisory cache is persisted to disk and survives daemon restarts
- New `config` commands let you persistently configure the minimum advisory severity
- New `clean` command tears down the daemon and removes all registry overrides in one step
Changes
Features
- yarn support — npm-fw now intercepts yarn Berry and yarn v1 by setting `YARN_NPM_REGISTRY_SERVER`/`YARN_REGISTRY` and writing `npmRegistryServer` to `~/.yarnrc.yml`
- pnpm v11 support — npm-fw sets `pnpm_config_registry` for pnpm v11, which no longer reads the legacy `npm_config_*` environment variables
- clean command — `npm-fw clean` stops the daemon and removes registry overrides from `.npmrc` and `.yarnrc.yml`, providing a one-command teardown
- persistent advisory cache — advisory data is now stored on disk and loaded automatically on startup, so the firewall can immediately recognize known vulnerabilities after a restart
- user config — `npm-fw config list` shows current configuration, and `npm-fw config set minSeverity <level>` persistently changes the minimum advisory severity. The setting is stored in `daemon.json` and read on daemon startup.
v0.0.1
Highlights
npm-fw is now available as @kimuson/npm-fw. This first release provides an npm registry proxy with an advisory-based firewall, plus CLI tools for setup, diagnostics, and daemon management.
Changes
Features
- npm registry proxy with advisory-based firewall — npm-fw acts as a local proxy for the npm registry, blocking packages with known security advisories. Advisory lookups use a 12-hour TTL cache to stay responsive while keeping results fresh.
- CLI commands for daily operations — `doctor` checks the health of your npm-fw setup, `setup-standalone` configures npm to route through the proxy, and `daemon-start` keeps the proxy running in the background.
- Flexible CLI passthrough — Options and arguments the CLI doesn't recognize are passed through to npm, so you can mix npm-fw subcommands with standard npm flags naturally.