
pkg-defender v1.0.0


Released by github-actions on 04 Jul 05:18 (tag v1.0.0, commit e37e9fd)


Released July 4, 2026

What's Changed

Added

  • pkgd audit — Lock file scanner for threats and cooldown violations across 7 lock file formats
  • pkgd audit-logs — Audit event log queries with filtering and aggregate statistics
  • pkgd bypass — Create targeted bypass entries for cooldown and threat checks (development environments only)
  • pkgd completion — Shell tab-completion script generation for bash, zsh, fish, PowerShell, and Nushell
  • pkgd config — Full configuration management with 7 subcommands (view, list, options, set, set-secret, get, reset)
  • pkgd daemon — Background daemon with process management and system service installation
  • pkgd db — Database snapshot management with SHA256 verification and integrity checking
  • pkgd health — System diagnostic checks for config, database, feed sync, API tokens, and disk space
  • pkgd hooks — Shell function generation for intelligent, transparent package manager command wrapping
  • pkgd intel — Intelligence feed management with sync, search, and threat reporting
  • pkgd logs — Log viewer with tail-follow capability
  • pkgd reset — Complete tool state reset (threat database, config, logs, daemon state)
  • pkgd setup — Interactive first-run wizard with shell detection, config creation, and initial feed sync
  • pkgd status — Overview of feed health, active bypasses, and threat summary by severity
  • Registry adapters for 18+ ecosystems — npm, PyPI, Homebrew, Cargo, RubyGems, APT, DNF, YUM, Bun, Bundler, Composer, Conda, Pipenv, pnpm, Poetry, uv, Yarn, and Gem
  • Unified registry adapter protocol with batch operations, search, and dependency resolution
  • OSV.dev feed — Open Source Vulnerability database synchronization
  • GitHub Security Advisories (GHSA) — Curated security advisory feed
  • npm Advisory — npm-specific security advisory feed
  • OpenSSF Malicious Packages — Community-reported malicious package feed
  • Socket.dev — Real-time package risk assessment API
  • RSS feed ingestion — Configurable RSS security feed support
  • Social intelligence feeds — Mastodon, Reddit, and X/Twitter threat monitoring
  • Concurrent feed aggregator — Parallel sync across all intelligence sources
  • Lock file auditor — Scans package-lock.json, poetry.lock, requirements.txt, yarn.lock, pnpm-lock.yaml, uv.lock, and Pipfile.lock
  • Cooldown engine — Time-based package age enforcement with configurable windows and per-package overrides
  • Threat scorer — Confidence-weighted scoring with severity multipliers and recency decay
  • Pre-install checker — Real-time threat database querying before package installation
  • Background daemon with PID file management and heartbeat monitoring
  • Platform service generators — launchd (macOS), systemd (Linux), and Task Scheduler (Windows) support
  • TOML-based configuration with layered precedence (built-in defaults, overridden by the config file, overridden in turn by environment variables)
  • PKGD_ prefix environment variable overrides for all configuration settings
  • SQLite-powered threat database with WAL mode for concurrent access
  • Database snapshot downloads from GitHub Releases with cryptographic verification
  • Shell detection and completion script installation for bash, zsh, fish, PowerShell, and Nushell
  • Async HTTP client with connection pooling and automatic retry logic
  • Rich terminal output formatting with color-coded severity indicators
  • Structured logging with rotation, CI-friendly modes, and log level controls
  • XML external entity (XXE) protection via defusedxml for safe XML parsing
  • Zstandard decompression support for compressed RPM repodata
  • Docker multi-stage build (python:3.11-alpine, non-root user)
  • GitHub Action for CI/CD pipeline integration
  • Homebrew formula for macOS installation
  • Man page with full command reference
  • Pre-built binary distribution for macOS (arm64, amd64), Linux (amd64), and Windows (amd64)
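What a cooldown violation check over a lock file looks like in practice, as an added Python illustration that is not pkg-defender's own code: it walks the `packages` map of an npm lockfileVersion 3 package-lock.json and flags any installed version younger than the cooldown window, with per-package overrides taking precedence over the global window. The lock file, the publish timestamps (which a real audit would fetch from the registry) and the function names are all constructed for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed package-lock.json (lockfileVersion 3): two direct deps, one transitive.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/fresh-lib": {"version": "2.0.1"},
        "node_modules/fresh-lib/node_modules/minimist": {"version": "1.2.8"},
    },
})

# Constructed publish times; a real audit reads these from the registry's "time" map.
NOW = datetime(2026, 7, 4, tzinfo=timezone.utc)
SAMPLE_PUBLISHED = {
    ("left-pad", "1.3.0"): NOW - timedelta(days=900),
    ("fresh-lib", "2.0.1"): NOW - timedelta(hours=20),  # published less than a day ago
    ("minimist", "1.2.8"): NOW - timedelta(days=2),
}

def lock_packages(lock_text):
    """Yield (name, version) for every installed package in a v3 lock file."""
    for path, meta in json.loads(lock_text)["packages"].items():
        if path == "":  # root project entry, not a dependency
            continue
        # Nested installs look like a/node_modules/b; the name follows the last segment.
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta["version"]

def cooldown_violations(lock_text, published, now, window_days=3, overrides=None):
    """Return (name, version, age_hours) for packages younger than their cooldown.

    A per-package override (in days) replaces the global window; 0 exempts it.
    Packages with no known publish time are skipped here rather than guessed.
    """
    overrides = overrides or {}
    violations = []
    for name, version in lock_packages(lock_text):
        window = timedelta(days=overrides.get(name, window_days))
        when = published.get((name, version))
        if when is None:
            continue
        age = now - when
        if age < window:
            violations.append((name, version, round(age.total_seconds() / 3600, 1)))
    return violations
```

With the default 3-day window both fresh-lib and the transitive minimist are flagged; an override of one day for minimist clears it while fresh-lib stays flagged.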

📝 21 commits since snapshot-latest
| Commit | Description | Author |
| --- | --- | --- |
| e37e9fd | fix(release): use macos-15-intel runner and parallelize build-binaries | Division 7 |
| 13c94ac | fix(ci): align Trivy image-ref with actual Docker push tag | Division 7 |
| b46aa03 | chore(release): bump date in changelog for v1.0.0 release | Division 7 |
| 5b4463b | ci(homebrew): overhaul tap release pipeline with brew formula fixes, SHA cross-verification, auto-merge, and tap CI | Division 7 |
| 6d037d5 | chore(sha-mapping): modify action sha mapping script to output to scripts/data/ directory; minor docs improvements | Division 7 |
| c6604bc | chore(readme): minor improvements to root readme content and formatting | Division 7 |
| c193794 | fix(homebrew): update release.yml for fine-grained PAT and Homebrew 6.0 compatibility; update tap repo readme | Division 7 |
| 2218afb | feat(snapshot): GHSA auth fix, replace npm feed with ossf_malicious, update relevant docs | Division 7 |
| c43b9b8 | style(snapshot): polish snapshot release template body formatting | Division 7 |
| 3a2973b | feat: snapshot release body template, GHSA token auth fix, release badge v-filter | Division 7 |
| c221ff2 | refactor(formula): relocate Homebrew formula to homebrew-tap/ directory and update references | Division 7 |
| d12f42a | fix(test): snap test timestamp to mid-hour to prevent hour-boundary race on macOS CI | Division 7 |
| 31e2a89 | fix(windows): add encoding="utf-8" to 2 remaining read_text() calls in test_setup_wizard.py and test_cli_ux.py | Division 7 |
| 7bf6594 | fix(windows): resolve banner encoding, JSON output, temp paths, file locking, path separators, permission mocking, mock targets, and repr escaping | Division 7 |
| 3f494d6 | fix: resolve Windows os.replace for atomic writes, binary mode for TOML, UTF-8 encoding, SIGKILL guard, and logging shutdown before unlink | Division 7 |
| c8731bd | fix: resolve deterministic setup tests, cross-platform OSError tests, and absolute-path marker bug | Division 7 |
| a63c3df | fix: resolve additional constraints with Linux/Windows/macOS matrix — dependency constraints, test mocks, and platform guards | Division 7 |
| 96cd54e | fix(ci): resolve matrix failures, pin aiohttp<3.14, guard Windows-only imports, replace dateutil with stdlib | Division 7 |
| 9fd18ab | fix: Click 8.4 compat, dateutil removal, fcntl Windows guard | Division 7 |
| 71c56c3 | fix: replace StringIO with BytesIO for Click 8.4+ binary completion output | Division 7 |
| 6ca65e3 | fix(types): remove testing-use types-click type stubs targeting click 7.x | Division 7 |

Full changelog: https://github.com/divisionseven/pkg-defender/blob/main/CHANGELOG.md