
Releases: divisionseven/pkg-defender

pkg-defender v1.0.1


@github-actions github-actions released this 04 Jul 05:59
v1.0.1
f52b885

pkg-defender v1.0.1

Released July 4, 2026


What's Changed

Fixed

  • Fix release pipeline: binary artifacts for non-Windows platforms were not published in v1.0.0 due to a GitHub Actions artifact-naming collision
  • Fix the smoke-test schema mismatch

📝 1 commit since v1.0.0
Commit Description Author
f52b885 fix(release): fix binary artifacts for non-Windows platforms publish error in v1.0.0 due to artifact-naming collision; smoke test schema mismatch. Division 7

Full changelog: https://github.com/divisionseven/pkg-defender/blob/main/CHANGELOG.md

pkg-defender v1.0.0


@github-actions github-actions released this 04 Jul 05:18
v1.0.0
e37e9fd

pkg-defender v1.0.0

Released July 4, 2026


What's Changed

Added

  • pkgd audit — Lock file scanner for threats and cooldown violations across 7 lock file formats
  • pkgd audit-logs — Audit event log queries with filtering and aggregate statistics
  • pkgd bypass — Create targeted bypass entries for cooldown and threat checks (development environments only)
  • pkgd completion — Shell tab-completion script generation for bash, zsh, fish, PowerShell, and Nushell
  • pkgd config — Full configuration management with 7 subcommands (view, list, options, set, set-secret, get, reset)
  • pkgd daemon — Background daemon with process management and system service installation
  • pkgd db — Database snapshot management with SHA-256 verification and integrity checking
  • pkgd health — System diagnostic checks for config, database, feed sync, API tokens, and disk space
  • pkgd hooks — Shell function generation that transparently wraps package manager commands so the pre-install check runs before each install
  • pkgd intel — Intelligence feed management with sync, search, and threat reporting
  • pkgd logs — Log viewer with tail-follow capability
  • pkgd reset — Complete tool state reset (threat database, config, logs, daemon state)
  • pkgd setup — Interactive first-run wizard with shell detection, config creation, and initial feed sync
  • pkgd status — Overview of feed health, active bypasses, and threat summary by severity
  • Registry adapters for 18 package managers and registries — npm, PyPI, Homebrew, Cargo, RubyGems, APT, DNF, YUM, Bun, Bundler, Composer, Conda, Pipenv, pnpm, Poetry, uv, Yarn, and Gem
  • Unified registry adapter protocol with batch operations, search, and dependency resolution
  • OSV.dev feed — Open Source Vulnerability database synchronization
  • GitHub Security Advisories (GHSA) — Curated security advisory feed
  • npm Advisory — npm-specific security advisory feed
  • OpenSSF Malicious Packages — Community-reported malicious package feed
  • Socket.dev — Real-time package risk assessment API
  • RSS feed ingestion — Configurable RSS security feed support
  • Social intelligence feeds — Mastodon, Reddit, and X/Twitter threat monitoring
  • Concurrent feed aggregator — Parallel sync across all intelligence sources
  • Lock file auditor — Scans package-lock.json, poetry.lock, requirements.txt, yarn.lock, pnpm-lock.yaml, uv.lock, and Pipfile.lock
  • Cooldown engine — Time-based package age enforcement with configurable windows and per-package overrides
  • Threat scorer — Confidence-weighted scoring with severity multipliers and recency decay
  • Pre-install checker — Real-time threat database querying before package installation
  • Background daemon with PID file management and heartbeat monitoring
  • Platform service generators — launchd (macOS), systemd (Linux), and Task Scheduler (Windows) support
  • TOML-based configuration with layered precedence (defaults → config file → environment variables)
  • PKGD_ prefix environment variable overrides for all configuration settings
  • SQLite-powered threat database with WAL mode for concurrent access
  • Database snapshot downloads from GitHub Releases with SHA-256 checksum verification
  • Shell detection and completion script installation for bash, zsh, fish, PowerShell, and Nushell
  • Async HTTP client with connection pooling and automatic retry logic
  • Rich terminal output formatting with color-coded severity indicators
  • Structured logging with rotation, CI-friendly modes, and log level controls
  • XML external entity (XXE) protection via defusedxml for safe XML parsing
  • Zstandard decompression support for compressed RPM repodata
  • Docker multi-stage build (python:3.11-alpine, non-root user)
  • GitHub Action for CI/CD pipeline integration
  • Homebrew formula for macOS installation
  • Man page with full command reference
  • Pre-built binary distribution for macOS (arm64, amd64), Linux (amd64), and Windows (amd64)
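The cooldown engine and pre-install checker above get one line each, so here is an added worked example of the decision such a check has to make. It is illustration code written for this page, not pkg-defender's own implementation: the policy shape (a default window plus per-package overrides) follows the release notes, while the function names, the 7-day default, the fail-closed handling of undated or future-dated versions, and the sample npm registry document are all assumptions made for the example. It reads the registry's time map (which real npm packuments do expose, keyed by version) against a fixed clock so it runs offline:

```python
"""Cooldown decision over npm registry metadata (added illustration, not pkgd code)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample of an npm registry "packument". Real packuments carry a
# "time" map of ISO-8601 publish timestamps keyed by version (plus the
# non-version keys "created" and "modified"), which is what a cooldown needs.
SAMPLE_PACKUMENT = json.dumps({
    "name": "left-pad-ish",
    "dist-tags": {"latest": "2.0.1"},
    "time": {
        "created": "2025-01-10T12:00:00.000Z",
        "modified": "2026-07-03T22:15:00.000Z",
        "1.4.0": "2025-01-10T12:00:00.000Z",
        "2.0.0": "2026-06-01T09:30:00.000Z",
        "2.0.1": "2026-07-03T22:15:00.000Z",  # pushed hours before "now"
        "2.0.2": "2026-07-05T00:00:00.000Z",  # dated after "now": skew or forged
    },
})
PACKUMENT = json.loads(SAMPLE_PACKUMENT)
# Fixed clock so the example is deterministic and runs offline.
NOW = datetime(2026, 7, 4, 6, 0, tzinfo=timezone.utc)
NON_VERSION_KEYS = {"created", "modified"}


@dataclass(frozen=True)
class CooldownPolicy:
    default_window: timedelta = timedelta(days=7)  # assumed default for the example
    overrides: dict[str, timedelta] = field(default_factory=dict)  # per package; 0 disables

    def window_for(self, package: str) -> timedelta:
        return self.overrides.get(package, self.default_window)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def publish_time(packument: dict, version: str) -> datetime | None:
    raw = packument.get("time", {}).get(version)
    if version in NON_VERSION_KEYS or not isinstance(raw, str):
        return None
    # npm writes a trailing "Z"; older fromisoformat() only understands "+00:00".
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def check_cooldown(packument: dict, version: str, policy: CooldownPolicy, now: datetime) -> Decision:
    name = packument.get("name", "<unknown>")
    window = policy.window_for(name)
    if window <= timedelta(0):
        return Decision(True, f"{name}@{version}: cooldown disabled by override")
    published = publish_time(packument, version)
    if published is None:
        # Fail closed: an undated version is treated as brand new, otherwise
        # stripping the timestamp from the metadata would be a bypass.
        return Decision(False, f"{name}@{version}: no publish timestamp, treating as new")
    age = now - published
    if age < timedelta(0):
        # Clock skew or manipulated metadata; a future date must never count as "old".
        return Decision(False, f"{name}@{version}: publish time is after the local clock")
    if age < window:
        return Decision(False, f"{name}@{version}: published {age} ago, window is {window}")
    return Decision(True, f"{name}@{version}: published {age} ago, cooldown satisfied")


def newest_cleared_version(packument: dict, policy: CooldownPolicy, now: datetime) -> str | None:
    """Most recently published version that passes the cooldown, or None."""
    cleared = []
    for version, raw in packument.get("time", {}).items():
        if version in NON_VERSION_KEYS or not isinstance(raw, str):
            continue
        if check_cooldown(packument, version, policy, now).allowed:
            cleared.append((publish_time(packument, version), version))
    return max(cleared)[1] if cleared else None


DEFAULT_POLICY = CooldownPolicy()
ONE_DAY_POLICY = CooldownPolicy(overrides={"left-pad-ish": timedelta(days=1)})
DISABLED_POLICY = CooldownPolicy(overrides={"left-pad-ish": timedelta(0)})

if __name__ == "__main__":
    for v in ("2.0.0", "2.0.1", "2.0.2", "2.1.0"):
        d = check_cooldown(PACKUMENT, v, DEFAULT_POLICY, NOW)
        print("ALLOW" if d.allowed else "BLOCK", d.reason)
    print("install candidate:", newest_cleared_version(PACKUMENT, DEFAULT_POLICY, NOW))
```

Two edge cases matter more than the happy path: a version with no timestamp and a version dated in the future are both refused, because a cooldown that defaults to allow is trivially bypassed by missing or forged metadata. Choosing the newest cleared version by publish time rather than by semver is a simplification for the example; a real adapter would order by version and consult the threat database as well.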

📝 21 commits since snapshot-latest
Commit Description Author
e37e9fd fix(release): use macos-15-intel runner and parallelize build-binaries Division 7
13c94ac fix(ci): align Trivy image-ref with actual Docker push tag Division 7
b46aa03 chore(release): bump date in changelog for v1.0.0 release Division 7
5b4463b ci(homebrew): overhaul tap release pipeline with brew formula fixes, SHA cross-verification, auto-merge, and tap CI Division 7
6d037d5 chore(sha-mapping): modify action sha mapping script to output to scripts/data/ directory; minor docs improvements Division 7
c6604bc chore(readme): minor improvements to root readme content and formatting Division 7
c193794 fix(homebrew): update release.yml for fine-grained PAT and Homebrew 6.0 compatibility; update tap repo readme Division 7
2218afb feat(snapshot): GHSA auth fix, replace npm feed with ossf_malicious, update relevant docs Division 7
c43b9b8 style(snapshot): polish snapshot release template body formatting Division 7
3a2973b feat: snapshot release body template, GHSA token auth fix, release badge v-filter Division 7
c221ff2 refactor(formula): relocate Homebrew formula to homebrew-tap/ directory and update references Division 7
d12f42a fix(test): snap test timestamp to mid-hour to prevent hour-boundary race on macOS CI Division 7
31e2a89 fix(windows): add encoding="utf-8" to 2 remaining read_text() calls in test_setup_wizard.py and test_cli_ux.py Division 7
7bf6594 fix(windows): resolve banner encoding, JSON output, temp paths, file locking, path separators, permission mocking, mock targets, and repr escaping Division 7
3f494d6 fix: resolve Windows os.replace for atomic writes, binary mode for TOML, UTF-8 encoding, SIGKILL guard, and logging shutdown before unlink Division 7
c8731bd fix: resolve deterministic setup tests, cross-platform OSError tests, and absolute-path marker bug Division 7
a63c3df fix: resolve additional constraints with Linux/Windows/macOS matrix — dependency constraints, test mocks, and platform guards Division 7
96cd54e fix(ci): resolve matrix failures, pin aiohttp<3.14, guard Windows-only imports, replace dateutil with stdlib Division 7
9fd18ab fix: Click 8.4 compat, dateutil removal, fcntl Windows guard Division 7
71c56c3 fix: replace StringIO with BytesIO for Click 8.4+ binary completion output Division 7
6ca65e3 fix(types): remove testing-use types-click type stubs targeting click 7.x Division 7

Full changelog: https://github.com/divisionseven/pkg-defender/blob/main/CHANGELOG.md

Threat Intelligence Snapshot — 2026-07-04 13:37 UTC


@github-actions github-actions released this 04 Jul 13:37
78f45bb

Threat Intelligence Snapshot — Latest

Build Time: 2026-07-04 13:37 UTC

PKG-Defender (PKGD) v1.0.1

What Is This?

This "snapshot" is a pre-built, machine-readable threat intelligence database for the open-source package ecosystem, published every 6 hours under the snapshot-latest tag. It aggregates known-malicious packages and security advisories from multiple data sources, curated automatically by the PKG-Defender project. On each scheduled run the previous snapshot release is deleted and replaced, so the snapshot-latest tag always resolves to the newest build. Note that this makes snapshot-latest a moving target: a pipeline that fetches it by tag gets different bytes on different days, so record the SHA-256 checksum published below (or let pkgd verify it) rather than trusting the tag alone, and re-download when you want fresher data, since a cached local copy can still be stale.

Why this matters: Malicious package attacks (typosquatting, dependency confusion, protestware, credential theft) are on the rise. Fresh threat intelligence is critical for effective detection. This snapshot updates every 6 hours, ensuring your security tooling has the latest data — not last week's.

Who should use this: Security engineers, DevOps teams, platform maintainers, and anyone running automated package risk analysis. Download and use it with the pkgd CLI, integrate it into your CI/CD pipelines, or consume the raw database directly.

Latest Snapshot — General Stats

Metric                    Value
Total known threats       317,516 (the per-ecosystem and per-source counts below both sum to this figure)
Ecosystems covered        12 (11 named ecosystems plus an "unknown" bucket)
Compressed database size  32.4 MB
SHA-256 checksum          fd74e02e61cb5232ce7b00a853959643b5231e3ac403558999c5671f1d73056b

Latest Snapshot — Ecosystem Breakdown

Ecosystem    Threats
npm          256,366
pypi          23,460
go            10,598
maven          8,921
packagist      6,726
nuget          4,710
cargo          2,618
rubygems       2,348
composer       1,736
swift             31
pub                1
unknown            1

Latest Snapshot — Data Sources

Source           Records
osv              271,168
ossf_malicious    31,183
ghsa              15,165

How to Use a Snapshot

Download the Latest Snapshot

pkgd db snapshot --download

This pulls the latest threats-latest.db.gz and its checksum, verifies integrity, and makes the database available for local queries.

Show the Latest Snapshot's Metadata

pkgd db snapshot --latest

Shows metadata for the most recent snapshot — build time, threat count, checksum, and file size — without downloading.

Verify a Snapshot

pkgd db snapshot --verify

Checks the SHA-256 hash of your local database against the published checksum to confirm it hasn't been corrupted or altered since download. Because the checksum is published in the same release as the archive, a match proves only that your bytes are the ones the workflow published; it is a checksum, not a signature, so it cannot detect a compromised release. If you need reproducibility, record the checksum shown above when you review a snapshot and compare against that pinned value rather than against whatever the tag currently serves.


Learn More

  • CLI Reference: Snapshot CLI Documentation (pkgd db)
  • CI/CD Guide: Integrating Threat Snapshots Into Pipelines
  • Getting Started: PKG-Defender Quickstart
  • Architecture: Snapshot System Design
  • Report an Issue: File a Bug or Feature Request

This release was automatically generated by the PKG-Defender Snapshot workflow (.github/workflows/snapshot.yml). For questions or feedback, please open an issue.

Thank you for supporting PKG-Defender.

— Division 7