pkg-defender v1.0.0
Released July 4, 2026
What's Changed
Added
- `pkgd audit` — Lock file scanner for threats and cooldown violations across 7 lock file formats
- `pkgd audit-logs` — Audit event log queries with filtering and aggregate statistics
- `pkgd bypass` — Create targeted bypass entries for cooldown and threat checks (development environments only)
- `pkgd completion` — Shell tab-completion script generation for bash, zsh, fish, PowerShell, and Nushell
- `pkgd config` — Full configuration management with 7 subcommands (view, list, options, set, set-secret, get, reset)
- `pkgd daemon` — Background daemon with process management and system service installation
- `pkgd db` — Database snapshot management with SHA256 verification and integrity checking
- `pkgd health` — System diagnostic checks for config, database, feed sync, API tokens, and disk space
- `pkgd hooks` — Shell function generation for intelligent, transparent package manager command wrapping
- `pkgd intel` — Intelligence feed management with sync, search, and threat reporting
- `pkgd logs` — Log viewer with tail-follow capability
- `pkgd reset` — Complete tool state reset (threat database, config, logs, daemon state)
- `pkgd setup` — Interactive first-run wizard with shell detection, config creation, and initial feed sync
- `pkgd status` — Overview of feed health, active bypasses, and threat summary by severity
- Registry adapters for 18+ ecosystems — npm, PyPI, Homebrew, Cargo, RubyGems, APT, DNF, YUM, Bun, Bundler, Composer, Conda, Pipenv, pnpm, Poetry, uv, Yarn, and Gem
- Unified registry adapter protocol with batch operations, search, and dependency resolution
- OSV.dev feed — Open Source Vulnerability database synchronization
- GitHub Security Advisories (GHSA) — Curated security advisory feed
- npm Advisory — npm-specific security advisory feed
- OpenSSF Malicious Packages — Community-reported malicious package feed
- Socket.dev — Real-time package risk assessment API
- RSS feed ingestion — Configurable RSS security feed support
- Social intelligence feeds — Mastodon, Reddit, and X/Twitter threat monitoring
- Concurrent feed aggregator — Parallel sync across all intelligence sources
- Lock file auditor — Scans package-lock.json, poetry.lock, requirements.txt, yarn.lock, pnpm-lock.yaml, uv.lock, and Pipfile.lock
- Cooldown engine — Time-based package age enforcement with configurable windows and per-package overrides
- Threat scorer — Confidence-weighted scoring with severity multipliers and recency decay
- Pre-install checker — Real-time threat database querying before package installation
- Background daemon with PID file management and heartbeat monitoring
- Platform service generators — launchd (macOS), systemd (Linux), and Task Scheduler (Windows) support
- TOML-based configuration with layered precedence (built-in defaults, then the config file, then environment variables)
- PKGD_ prefix environment variable overrides for all configuration settings
- SQLite-powered threat database with WAL mode for concurrent access
- Database snapshot downloads from GitHub Releases with cryptographic verification
- Shell detection and completion script installation for bash, zsh, fish, PowerShell, and Nushell
- Async HTTP client with connection pooling and automatic retry logic
- Rich terminal output formatting with color-coded severity indicators
- Structured logging with rotation, CI-friendly modes, and log level controls
- XML external entity (XXE) protection via defusedxml for safe XML parsing
- Zstandard decompression support for compressed RPM repodata
- Docker multi-stage build (python:3.11-alpine, non-root user)
- GitHub Action for CI/CD pipeline integration
- Homebrew formula for macOS installation
- Man page with full command reference
- Pre-built binary distribution for macOS (arm64, amd64), Linux (amd64), and Windows (amd64)
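As an illustration of the cooldown check that the lock file auditor and cooldown engine perform (an added example, not pkg-defender's own code): it parses a constructed package-lock.json, compares each pinned version's publish time against a default window with per-package overrides, and fails closed when a publish time is unknown. The sample lock file, the `PUBLISHED_AT` timestamps and the function names are assumptions made for this example only.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed package-lock.json (lockfileVersion 3); not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/fresh-lib": {"version": "2.0.1"},
        "node_modules/@acme/internal-tool": {"version": "0.9.0"},
    },
})

# Constructed publish timestamps. A real tool would take these from the registry
# or its threat database; this lookup table is an assumption for the example only.
PUBLISHED_AT = {
    ("left-pad", "1.3.0"): datetime(2024, 1, 1, tzinfo=timezone.utc),
    ("fresh-lib", "2.0.1"): datetime(2026, 7, 2, tzinfo=timezone.utc),
    ("@acme/internal-tool", "0.9.0"): datetime(2026, 7, 3, tzinfo=timezone.utc),
}

def parse_package_lock(text):
    """Yield (name, version) for every dependency in a v2/v3 package-lock.json."""
    for path, entry in json.loads(text).get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not a dependency
        # Name is what follows the last "node_modules/" (handles nesting and @scope/pkg).
        yield path.split("node_modules/")[-1], entry["version"]

def cooldown_violations(lock_text, now, default_days=7, overrides=None,
                        published=PUBLISHED_AT):
    """Return [(name, version, age_days)] for packages newer than their window.

    overrides maps a package name to its own window in days (0 exempts it).
    A version with no known publish time fails closed and is reported with
    age_days=None, since an unknown age cannot satisfy a cooldown.
    """
    overrides = overrides or {}
    violations = []
    for name, version in parse_package_lock(lock_text):
        window = timedelta(days=overrides.get(name, default_days))
        ts = published.get((name, version))
        if ts is None:
            violations.append((name, version, None))
        elif now - ts < window:
            violations.append((name, version, (now - ts).days))
    return violations
```

Run against the sample on 2026-07-04 with a 7-day window, `fresh-lib` (2 days old) and `@acme/internal-tool` (1 day old) are reported; an override of 0 for the internal package exempts it.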
📝 21 commits since snapshot-latest
| Commit | Description | Author |
|---|---|---|
| e37e9fd | fix(release): use macos-15-intel runner and parallelize build-binaries | Division 7 |
| 13c94ac | fix(ci): align Trivy image-ref with actual Docker push tag | Division 7 |
| b46aa03 | chore(release): bump date in changelog for v1.0.0 release | Division 7 |
| 5b4463b | ci(homebrew): overhaul tap release pipeline with brew formula fixes, SHA cross-verification, auto-merge, and tap CI | Division 7 |
| 6d037d5 | chore(sha-mapping): modify action sha mapping script to output to scripts/data/ directory; minor docs improvements | Division 7 |
| c6604bc | chore(readme): minor improvements to root readme content and formatting | Division 7 |
| c193794 | fix(homebrew): update release.yml for fine-grained PAT and Homebrew 6.0 compatibility; update tap repo readme | Division 7 |
| 2218afb | feat(snapshot): GHSA auth fix, replace npm feed with ossf_malicious, update relevant docs | Division 7 |
| c43b9b8 | style(snapshot): polish snapshot release template body formatting | Division 7 |
| 3a2973b | feat: snapshot release body template, GHSA token auth fix, release badge v-filter | Division 7 |
| c221ff2 | refactor(formula): relocate Homebrew formula to homebrew-tap/ directory and update references | Division 7 |
| d12f42a | fix(test): snap test timestamp to mid-hour to prevent hour-boundary race on macOS CI | Division 7 |
| 31e2a89 | fix(windows): add encoding="utf-8" to 2 remaining read_text() calls in test_setup_wizard.py and test_cli_ux.py | Division 7 |
| 7bf6594 | fix(windows): resolve banner encoding, JSON output, temp paths, file locking, path separators, permission mocking, mock targets, and repr escaping | Division 7 |
| 3f494d6 | fix: resolve Windows os.replace for atomic writes, binary mode for TOML, UTF-8 encoding, SIGKILL guard, and logging shutdown before unlink | Division 7 |
| c8731bd | fix: resolve deterministic setup tests, cross-platform OSError tests, and absolute-path marker bug | Division 7 |
| a63c3df | fix: resolve additional constraints with Linux/Windows/macOS matrix — dependency constraints, test mocks, and platform guards | Division 7 |
| 96cd54e | fix(ci): resolve matrix failures, pin aiohttp<3.14, guard Windows-only imports, replace dateutil with stdlib | Division 7 |
| 9fd18ab | fix: Click 8.4 compat, dateutil removal, fcntl Windows guard | Division 7 |
| 71c56c3 | fix: replace StringIO with BytesIO for Click 8.4+ binary completion output | Division 7 |
| 6ca65e3 | fix(types): remove testing-use types-click type stubs targeting click 7.x | Division 7 |
Full changelog: https://github.com/divisionseven/pkg-defender/blob/main/CHANGELOG.md