Releases: divisionseven/pkg-defender
pkg-defender v1.0.1
Released July 4, 2026
What's Changed
Fixed
- Fix release pipeline: binary artifacts for non-Windows platforms were not published in v1.0.0 due to a GitHub Actions artifact-naming collision
- Fix smoke-test schema mismatch
📝 1 commit since v1.0.0
| Commit | Description | Author |
|---|---|---|
| f52b885 | fix(release): fix binary artifacts for non-Windows platforms publish error in v1.0.0 due to artifact-naming collision; smoke test schema mismatch. | Division 7 |
Full changelog: https://github.com/divisionseven/pkg-defender/blob/main/CHANGELOG.md
pkg-defender v1.0.0
Released July 4, 2026
What's Changed
Added
- `pkgd audit` — Lock file scanner for threats and cooldown violations across 7 lock file formats
- `pkgd audit-logs` — Audit event log queries with filtering and aggregate statistics
- `pkgd bypass` — Create targeted bypass entries for cooldown and threat checks (development environments only)
- `pkgd completion` — Shell tab-completion script generation for bash, zsh, fish, PowerShell, and Nushell
- `pkgd config` — Full configuration management with 7 subcommands (view, list, options, set, set-secret, get, reset)
- `pkgd daemon` — Background daemon with process management and system service installation
- `pkgd db` — Database snapshot management with SHA-256 verification and integrity checking
- `pkgd health` — System diagnostic checks for config, database, feed sync, API tokens, and disk space
- `pkgd hooks` — Shell function generation for intelligent, transparent package manager command wrapping
- `pkgd intel` — Intelligence feed management with sync, search, and threat reporting
- `pkgd logs` — Log viewer with tail-follow capability
- `pkgd reset` — Complete tool state reset (threat database, config, logs, daemon state)
- `pkgd setup` — Interactive first-run wizard with shell detection, config creation, and initial feed sync
- `pkgd status` — Overview of feed health, active bypasses, and threat summary by severity
- Registry adapters for 18+ ecosystems — npm, PyPI, Homebrew, Cargo, RubyGems, APT, DNF, YUM, Bun, Bundler, Composer, Conda, Pipenv, pnpm, Poetry, uv, Yarn, and Gem
- Unified registry adapter protocol with batch operations, search, and dependency resolution
- OSV.dev feed — Open Source Vulnerability database synchronization
- GitHub Security Advisories (GHSA) — Curated security advisory feed
- npm Advisory — npm-specific security advisory feed
- OpenSSF Malicious Packages — Community-reported malicious package feed
- Socket.dev — Real-time package risk assessment API
- RSS feed ingestion — Configurable RSS security feed support
- Social intelligence feeds — Mastodon, Reddit, and X/Twitter threat monitoring
- Concurrent feed aggregator — Parallel sync across all intelligence sources
- Lock file auditor — Scans package-lock.json, poetry.lock, requirements.txt, yarn.lock, pnpm-lock.yaml, uv.lock, and Pipfile.lock
- Cooldown engine — Time-based package age enforcement with configurable windows and per-package overrides
- Threat scorer — Confidence-weighted scoring with severity multipliers and recency decay
- Pre-install checker — Real-time threat database querying before package installation
- Background daemon with PID file management and heartbeat monitoring
- Platform service generators — launchd (macOS), systemd (Linux), and Task Scheduler (Windows) support
- TOML-based configuration with layered precedence: built-in defaults, then the config file, then environment variables, each layer overriding the one before it
- `PKGD_`-prefixed environment variable overrides for every configuration setting
- SQLite-powered threat database with WAL mode for concurrent access
- Database snapshot downloads from GitHub Releases with cryptographic verification
- Shell detection and completion script installation for bash, zsh, fish, PowerShell, and Nushell
- Async HTTP client with connection pooling and automatic retry logic
- Rich terminal output formatting with color-coded severity indicators
- Structured logging with rotation, CI-friendly modes, and log level controls
- XML external entity (XXE) protection via defusedxml for safe XML parsing
- Zstandard decompression support for compressed RPM repodata
- Docker multi-stage build (python:3.11-alpine, non-root user)
- GitHub Action for CI/CD pipeline integration
- Homebrew formula for macOS installation
- Man page with full command reference
- Pre-built binary distribution for macOS (arm64, amd64), Linux (amd64), and Windows (amd64)
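The lock file auditor, cooldown engine and threat scorer listed above, as an added example that is not pkg-defender's own code: it parses a constructed package-lock.json (lockfileVersion 3 layout), matches each installed package against a constructed in-memory threat table, flags packages published inside the cooldown window (with a per-package override), and ranks hits with an illustrative confidence × severity-multiplier × recency-decay score. The threat record layout, the publish dates and the scoring formula are assumptions for the demo, not the project's real database schema or algorithm.

```python
"""Added example (not pkg-defender's own code): audit an npm lockfile against a
threat list, enforce a release-age cooldown, and score the hits.

Assumptions: the threat table, publish dates and scoring formula below are
constructed for the demo and do not reflect the project's real schema.
"""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 7, 4, 13, 37, tzinfo=timezone.utc)

# Constructed package-lock.json (lockfileVersion 3: "packages" keyed by install path).
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/colorz": {"version": "0.0.2"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@scope/fresh-lib": {"version": "2.0.0"},
    },
})

# Constructed threat records: (ecosystem, name, version or None for all, severity, confidence, published).
THREATS = [
    ("npm", "colorz", "0.0.2", "critical", 0.95, NOW - timedelta(days=2)),
    ("npm", "colorz", None, "high", 0.6, NOW - timedelta(days=400)),
    ("npm", "lodash", "4.17.20", "medium", 0.9, NOW - timedelta(days=1500)),
]

# Constructed publish timestamps, standing in for what a registry adapter would fetch.
PUBLISHED = {
    ("left-pad", "1.3.0"): NOW - timedelta(days=2000),
    ("colorz", "0.0.2"): NOW - timedelta(days=1),
    ("lodash", "4.17.21"): NOW - timedelta(days=1800),
    ("@scope/fresh-lib", "2.0.0"): NOW - timedelta(hours=6),
}

SEVERITY_MULT = {"low": 1.0, "medium": 2.0, "high": 3.0, "critical": 4.0}


def parse_package_lock(text):
    """Yield (name, version) for every installed package in a v2/v3 package-lock.json."""
    doc = json.loads(text)
    for path, meta in doc.get("packages", {}).items():
        if not path:                                  # "" is the root project itself
            continue
        # Keep only the segment after the last node_modules/ so nested deps and
        # scoped packages (@scope/name) both resolve to their registry name.
        name = path.split("node_modules/")[-1]
        yield name, meta["version"]


def threat_score(severity, confidence, published, now=NOW, half_life_days=365.0):
    """Illustrative score: confidence * severity multiplier * exponential recency decay."""
    age_days = max((now - published).total_seconds() / 86400.0, 0.0)
    decay = 0.5 ** (age_days / half_life_days)        # halves every half_life_days
    return round(confidence * SEVERITY_MULT[severity] * decay, 3)


def audit(lock_text, threats=THREATS, published=PUBLISHED, cooldown_days=7, overrides=None):
    """Return (threat hits sorted by score, cooldown violations) for one npm lockfile."""
    overrides = overrides or {}                       # per-package cooldown window overrides
    hits, cooldown = [], []
    for name, version in parse_package_lock(lock_text):
        for eco, tname, tver, sev, conf, tpub in threats:
            if eco == "npm" and tname == name and tver in (None, version):
                hits.append((name, version, sev, threat_score(sev, conf, tpub)))
        window = overrides.get(name, cooldown_days)
        pub = published.get((name, version))
        if pub is not None and NOW - pub < timedelta(days=window):
            cooldown.append((name, version, round((NOW - pub).total_seconds() / 86400, 2)))
    hits.sort(key=lambda h: h[3], reverse=True)
    return hits, cooldown


if __name__ == "__main__":
    found, fresh = audit(LOCKFILE)
    for name, ver, sev, score in found:
        print(f"THREAT   {name}@{ver}  {sev:<8} score={score}")
    for name, ver, age in fresh:
        print(f"COOLDOWN {name}@{ver}  published {age} days ago")
```

On the constructed input, `lodash@4.17.21` is not reported because the only lodash record is pinned to 4.17.20, while `colorz@0.0.2` is reported twice (one version-specific critical record and one all-versions high record) and also fails the 7-day cooldown together with `@scope/fresh-lib`; passing `overrides={"@scope/fresh-lib": 0}` clears the latter, which is the shape of a targeted bypass.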
📝 21 commits since snapshot-latest
| Commit | Description | Author |
|---|---|---|
| e37e9fd | fix(release): use macos-15-intel runner and parallelize build-binaries | Division 7 |
| 13c94ac | fix(ci): align Trivy image-ref with actual Docker push tag | Division 7 |
| b46aa03 | chore(release): bump date in changelog for v1.0.0 release | Division 7 |
| 5b4463b | ci(homebrew): overhaul tap release pipeline with brew formula fixes, SHA cross-verification, auto-merge, and tap CI | Division 7 |
| 6d037d5 | chore(sha-mapping): modify action sha mapping script to output to scripts/data/ directory; minor docs improvements | Division 7 |
| c6604bc | chore(readme): minor improvements to root readme content and formatting | Division 7 |
| c193794 | fix(homebrew): update release.yml for fine-grained PAT and Homebrew 6.0 compatibility; update tap repo readme | Division 7 |
| 2218afb | feat(snapshot): GHSA auth fix, replace npm feed with ossf_malicious, update relevant docs | Division 7 |
| c43b9b8 | style(snapshot): polish snapshot release template body formatting | Division 7 |
| 3a2973b | feat: snapshot release body template, GHSA token auth fix, release badge v-filter | Division 7 |
| c221ff2 | refactor(formula): relocate Homebrew formula to homebrew-tap/ directory and update references | Division 7 |
| d12f42a | fix(test): snap test timestamp to mid-hour to prevent hour-boundary race on macOS CI | Division 7 |
| 31e2a89 | fix(windows): add encoding="utf-8" to 2 remaining read_text() calls in test_setup_wizard.py and test_cli_ux.py | Division 7 |
| 7bf6594 | fix(windows): resolve banner encoding, JSON output, temp paths, file locking, path separators, permission mocking, mock targets, and repr escaping | Division 7 |
| 3f494d6 | fix: resolve Windows os.replace for atomic writes, binary mode for TOML, UTF-8 encoding, SIGKILL guard, and logging shutdown before unlink | Division 7 |
| c8731bd | fix: resolve deterministic setup tests, cross-platform OSError tests, and absolute-path marker bug | Division 7 |
| a63c3df | fix: resolve additional constraints with Linux/Windows/macOS matrix — dependency constraints, test mocks, and platform guards | Division 7 |
| 96cd54e | fix(ci): resolve matrix failures, pin aiohttp<3.14, guard Windows-only imports, replace dateutil with stdlib | Division 7 |
| 9fd18ab | fix: Click 8.4 compat, dateutil removal, fcntl Windows guard | Division 7 |
| 71c56c3 | fix: replace StringIO with BytesIO for Click 8.4+ binary completion output | Division 7 |
| 6ca65e3 | fix(types): remove testing-use types-click type stubs targeting click 7.x | Division 7 |
Full changelog: https://github.com/divisionseven/pkg-defender/blob/main/CHANGELOG.md
Threat Intelligence Snapshot — 2026-07-04 13:37 UTC
Threat Intelligence Snapshot — Latest
Build Time: 2026-07-04 13:37 UTC
PKG-Defender (PKGD) v1.0.1
What Is This?
This "snapshot" is a pre-built, machine-readable threat intelligence database for the open-source package ecosystem, published fresh every 6 hours under the snapshot-latest tag. It aggregates known-malicious packages from multiple data sources, curated automatically by the PKG-Defender project. On each scheduled run the previous snapshot release is deleted and replaced, so the snapshot-latest tag always resolves to the most recent build rather than to stale data. Because the tag moves, it is not a stable identifier: record the published SHA-256 checksum (listed below) if you need to pin or reproduce a particular snapshot.
Why this matters: Malicious package attacks (typosquatting, dependency confusion, protestware, credential theft) are on the rise. Fresh threat intelligence is critical for effective detection. This snapshot updates every 6 hours, ensuring your security tooling has the latest data — not last week's.
Who should use this: Security engineers, DevOps teams, platform maintainers, and anyone running automated package risk analysis. Download and use it with pkgd CLI, integrate it into your CI/CD pipelines, or consume the raw database directly.
Latest Snapshot — General Stats
| Metric | Value |
|---|---|
| Total known threats | 317,516 |
| Ecosystems covered | 12 |
| Compressed database size | 32.4 MB |
| SHA-256 checksum | fd74e02e61cb5232ce7b00a853959643b5231e3ac403558999c5671f1d73056b |
Latest Snapshot — Ecosystem Breakdown
| Ecosystem | Threats |
|---|---|
| npm | 256,366 |
| pypi | 23,460 |
| go | 10,598 |
| maven | 8,921 |
| packagist | 6,726 |
| nuget | 4,710 |
| cargo | 2,618 |
| rubygems | 2,348 |
| composer | 1,736 |
| swift | 31 |
| pub | 1 |
| unknown | 1 |
Latest Snapshot — Data Sources
| Source | Records |
|---|---|
| osv | 271,168 |
| ossf_malicious | 31,183 |
| ghsa | 15,165 |
How to Use a Snapshot
Download the Latest Snapshot
```shell
pkgd db snapshot --download
```

This pulls the latest threats-latest.db.gz and its checksum, verifies integrity, and makes the database available for local queries.
Inspect the Latest Snapshot

```shell
pkgd db snapshot --latest
```

Shows metadata for the most recent snapshot (build time, threat count, checksum, and file size) without downloading it.
Verify a Snapshot
```shell
pkgd db snapshot --verify
```

Checks the SHA-256 hash of your local database against the published checksum to confirm it hasn't been tampered with or corrupted.
Learn More
| Resource | Link |
|---|---|
| CLI Reference | Snapshot CLI Documentation (pkgd db) |
| CI/CD Guide | Integrating Threat Snapshots Into Pipelines |
| Getting Started | PKG-Defender Quickstart |
| Architecture | Snapshot System Design |
| Report an Issue | File a Bug or Feature Request |
This release was automatically generated by the PKG-Defender Snapshot workflow (.github/workflows/snapshot.yml). For questions or feedback, please open an issue.
Thank you for supporting PKG-Defender.
— Division 7