
v1.4.3 — Leaner, Faster, Harder


@greenarmor greenarmor released this 19 Jun 12:25
· 27 commits to master since this release

Release v1.4.3

Leaner, Faster, Harder. GESF now installs with a 60% lighter interactive dependency footprint, ships a cleaner IaC scanner engine, and introduces automated supply chain monitoring — all while preserving every prompt, every color, every workflow you rely on.

Previous release: v1.4.2
Release date: 2026-06-19


Highlights

1. 60% Lighter Interactive Dependency Footprint

GESF's CLI prompts just got leaner. The interactive prompt system has been re-architected to import only the four prompt types it actually uses — input, select, checkbox, and confirm — instead of pulling in the entire prompt library. This removes 10 unnecessary packages from your dependency tree, including the editor launcher, its external-editor subprocess wrapper, a legacy buffer compatibility shim, and six other unused prompt variants.

The result: faster installs, smaller node_modules, and a dramatically cleaner supply chain — with zero changes to the interactive experience. Every prompt, every theme, every keyboard shortcut, every fallback behaves exactly as before.

2. Hardened Infrastructure-as-Code Scanner

The IaC scanner engine — which detects open security groups, public databases, and exposed ports in Terraform and CloudFormation files — has been refactored to use a centralized detection constant. The scanner still catches every 0.0.0.0/0 wildcard CIDR rule with the same precision across SSH (port 22), MySQL (3306), and PostgreSQL (5432), but the detection engine is now cleaner, more maintainable, and easier to extend with new rules.

3. Automated Supply Chain Monitoring

A new GitHub Actions workflow now continuously monitors the project's supply chain on every push and pull request. The pipeline runs four independent checks:

  • npm audit — vulnerabilities at high or critical severity
  • Socket.dev — supply chain analysis for typosquatting, obfuscated code, and unmaintained packages
  • OSV-Scanner — Google's open-source vulnerability database
  • Install script audit — automated detection of packages with lifecycle scripts (postinstall, preinstall, prepare)

All checks run in advisory mode — they surface findings without blocking development. A summary report is posted to every workflow run.

4. Expanded Socket.dev Configuration

The Socket.dev policy file now covers eight alert categories — including typosquatting, obfuscated code, install scripts, and unmaintained packages — giving maintainers granular visibility into supply chain risks while suppressing expected alerts for GESF's core functionality (filesystem access, shell access for git hooks, network binding for the dashboard).


What's New

Interactive Prompt System — Slimmed Down

Metric                        Before      After
Packages for prompts          14          4
Unused prompt types loaded    7           0
Dependency depth (max)        5 levels    3 levels

GESF now imports prompt functions individually:

@inquirer/input@5.1.2     ← text input
@inquirer/select@5.2.1    ← arrow-key menus
@inquirer/checkbox@5.2.1  ← multi-select
@inquirer/confirm@6.1.1   ← y/n confirmation

The readline fallback (used in non-interactive / CI environments) is unchanged. When @inquirer/* packages aren't installed, GESF gracefully degrades to styled numbered menus.
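The loading pattern described above, as an added example that is not GESF's own packages/cli/src/utils/prompts.ts (the notes do not show its internals): the four prompt packages are imported in parallel with a dynamic import, and a single failure switches the CLI to a numbered readline menu instead of crashing. The package names are the ones listed above; the menu rendering, answer parsing and function names are this example's own assumptions.

```typescript
// Added example, not GESF's own prompts.ts: load only the four prompt packages
// the CLI needs, in parallel, and degrade to a numbered readline menu when they
// are not installed (they live in optionalDependencies, so that can happen).
import * as readline from "node:readline";

export interface Choice { name: string; value: string }

// Typed as string[] rather than literals so TypeScript does not try to resolve
// the modules at compile time; at runtime a missing package simply rejects.
const PROMPT_PACKAGES: string[] = [
  "@inquirer/input", "@inquirer/select", "@inquirer/checkbox", "@inquirer/confirm",
];

// Import all four at once. One rejection (package absent, e.g. installed with
// --no-optional) turns into null so the caller can switch to the fallback.
export async function loadPromptModules(): Promise<Record<string, Function> | null> {
  try {
    const mods = await Promise.all(PROMPT_PACKAGES.map((name) => import(name)));
    const [input, select, checkbox, confirm] = mods.map((m) => m.default);
    return { input, select, checkbox, confirm };
  } catch {
    return null; // caller takes the readline path
  }
}

// Render the fallback menu: "1) name" per choice, the default marked with "*".
export function renderNumberedMenu(message: string, choices: Choice[], defaultIndex = 0): string {
  const lines = choices.map((c, i) => `  ${i + 1}) ${c.name}${i === defaultIndex ? " *" : ""}`);
  return [message, ...lines, `Choose [1-${choices.length}] (default ${defaultIndex + 1}): `].join("\n");
}

// Map what the user typed to a choice value: empty input selects the default;
// anything that is not an integer in range yields null so the caller re-prompts.
export function parseMenuAnswer(answer: string, choices: Choice[], defaultIndex = 0): string | null {
  const trimmed = answer.trim();
  if (trimmed === "") return choices[defaultIndex]?.value ?? null;
  const n = Number(trimmed);
  if (!Number.isInteger(n) || n < 1 || n > choices.length) return null;
  return choices[n - 1].value;
}

// Readline-based select used when the @inquirer packages are unavailable.
export function fallbackSelect(message: string, choices: Choice[], defaultIndex = 0): Promise<string> {
  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
  return new Promise((resolve) => {
    const ask = () => rl.question(renderNumberedMenu(message, choices, defaultIndex), (answer) => {
      const value = parseMenuAnswer(answer, choices, defaultIndex);
      if (value === null) return ask(); // out of range: prompt again
      rl.close();
      resolve(value);
    });
    ask();
  });
}

// Usage: prefer the rich prompt when available, otherwise the numbered menu.
export async function select(message: string, choices: Choice[]): Promise<string> {
  const mods = await loadPromptModules();
  if (mods) return mods.select({ message, choices });
  return fallbackSelect(message, choices);
}
```

Because the whole group is loaded with one Promise.all, the CLI either has all four rich prompts or none of them, so a partially installed optional dependency set cannot leave some prompts styled and others not.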

IaC Scanner — Centralized Detection

The infrastructure scanner now uses a single WILDCARD_CIDR constant for all open-internet detection rules, making it easier to audit, test, and extend. The scanner detects:

  • Security groups open to the entire internet (IAC-002)
  • SSH access from any IP (IAC-007)
  • MySQL databases exposed publicly (IAC-008)
  • PostgreSQL databases exposed publicly (IAC-009)
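The detection scheme above, as an added example that is not GESF's iac-scanner.ts: a small scanner keyed on a single WILDCARD_CIDR constant that flags any security group ingress open to 0.0.0.0/0 (IAC-002) and layers the SSH, MySQL and PostgreSQL rules (IAC-007, IAC-008, IAC-009) on top. The rule ids and ports are the ones listed above; the line-based parsing of Terraform HCL and CloudFormation YAML, the sample inputs, and the function names are this example's own assumptions, and it only handles single-line cidr values.

```typescript
// Added example, not GESF's iac-scanner.ts: a minimal open-ingress detector for
// Terraform (HCL) and CloudFormation (YAML) security group rules, keyed on one
// WILDCARD_CIDR constant so every world-open rule is audited in a single place.

export const WILDCARD_CIDR = "0.0.0.0/0";

export interface IacFinding { ruleId: string; line: number; message: string }

// Port-specific rules layered on top of the generic IAC-002 check. The rule ids
// are the ones the release notes list; the matching logic is this example's own.
const PORT_RULES: Record<number, { id: string; service: string }> = {
  22:   { id: "IAC-007", service: "SSH" },
  3306: { id: "IAC-008", service: "MySQL" },
  5432: { id: "IAC-009", service: "PostgreSQL" },
};

// One ingress rule as it accumulates while scanning: port range plus the line
// numbers of any cidr entries equal to the wildcard.
interface Block { from?: number; to?: number; wildcardLines: number[] }

// Matches "key = value" (HCL) and "key: value" / "- key: value" (YAML).
const KEY_VALUE = /^\s*-?\s*([A-Za-z_]+)\s*[:=]\s*(.+?)\s*$/;

export function scanIac(source: string): IacFinding[] {
  const findings: IacFinding[] = [];
  let block: Block = { wildcardLines: [] };

  // Evaluate the finished block. A rule with no port range (e.g. protocol -1)
  // is treated as all ports, so every port-specific rule fires as well.
  const flush = () => {
    const from = block.from ?? 0;
    const to = block.to ?? 65535;
    for (const line of block.wildcardLines) {
      findings.push({ ruleId: "IAC-002", line, message: `ingress open to the entire internet (${WILDCARD_CIDR})` });
      for (const [portText, rule] of Object.entries(PORT_RULES)) {
        const port = Number(portText);
        if (port >= from && port <= to) {
          findings.push({ ruleId: rule.id, line, message: `${rule.service} (port ${port}) reachable from any IP` });
        }
      }
    }
    block = { wildcardLines: [] };
  };

  source.split(/\r?\n/).forEach((raw, i) => {
    const lineNo = i + 1;
    // A new HCL block ("ingress {") or YAML list item ("- ...") starts a new rule.
    if (/\{\s*$/.test(raw) || /^\s*-\s/.test(raw)) flush();
    const m = KEY_VALUE.exec(raw);
    if (m) {
      const key = m[1].toLowerCase().replace(/_/g, ""); // from_port and FromPort both become fromport
      const value = m[2];
      if (key === "fromport") block.from = Number(value);
      else if (key === "toport") block.to = Number(value);
      else if (key === "cidrblocks" || key === "cidrip") {
        // Compare whole CIDR tokens, so "10.0.0.0/8" is never mistaken for the wildcard.
        if (value.split(/[^0-9./]+/).includes(WILDCARD_CIDR)) block.wildcardLines.push(lineNo);
      }
    }
    if (/^\s*\}/.test(raw)) flush(); // a closing brace ends an HCL block
  });
  flush();
  return findings;
}

// Constructed sample inputs (not taken from any real deployment).
export const SAMPLE_TERRAFORM = `
resource "aws_security_group" "db" {
  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}`;

export const SAMPLE_CLOUDFORMATION = `
Resources:
  WebSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
        - IpProtocol: -1
          CidrIp: 0.0.0.0/0
`;

for (const f of [...scanIac(SAMPLE_TERRAFORM), ...scanIac(SAMPLE_CLOUDFORMATION)]) {
  console.log(`${f.ruleId} line ${f.line}: ${f.message}`);
}
```

Adding a rule for another service means one more entry in PORT_RULES; the wildcard comparison itself never has to be repeated, which is the maintainability gain the centralized constant buys.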

Supply Chain CI Pipeline

New file: .github/workflows/supply-chain.yml

Runs on: push (main, develop), pull_request (main), weekly schedule

Check                     Tool                             Mode
npm vulnerabilities       npm audit --audit-level=high     Advisory
Supply chain analysis     Socket.dev GitHub Action         Advisory
Known vulnerabilities     Google OSV-Scanner               Advisory
Lifecycle script audit    Custom Node.js checker           Advisory
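The lifecycle script audit, as an added example that is not the checker GESF's workflow actually runs (the notes do not show it): it walks a node_modules tree, reads every package.json, and reports packages that declare scripts npm executes during installation, in advisory mode. The hooks postinstall, preinstall and prepare are the ones named above; covering the install hook as well, the walker, the constructed sample manifests, and the function names are this example's own assumptions.

```typescript
// Added example, not the checker GESF's workflow runs: walk node_modules and
// report every package that declares a lifecycle script executed at install time.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// The three hooks the release notes name, plus "install", which npm also runs
// during installation (included here as an assumption about what to cover).
export const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

export interface Manifest { name?: string; version?: string; scripts?: Record<string, string> }
export interface ScriptFinding { name: string; version: string; hooks: Record<string, string> }

// Pure check on a parsed package.json: which install-time hooks does it declare?
export function lifecycleHooksOf(pkg: Manifest): ScriptFinding | null {
  const hooks: Record<string, string> = {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = pkg.scripts?.[hook];
    if (cmd) hooks[hook] = cmd;
  }
  if (Object.keys(hooks).length === 0) return null;
  return { name: pkg.name ?? "<unnamed>", version: pkg.version ?? "<unknown>", hooks };
}

// Walk a node_modules tree: scoped dirs (@org/pkg), nested node_modules and
// pnpm-style symlinks are followed, with a realpath set guarding against cycles.
export function auditNodeModules(nodeModules: string): ScriptFinding[] {
  const findings: ScriptFinding[] = [];
  const seen = new Set<string>();
  const walk = (dir: string) => {
    if (!fs.existsSync(dir)) return;
    for (const entry of fs.readdirSync(dir)) {
      const full = path.join(dir, entry);
      if (!fs.existsSync(full) || !fs.statSync(full).isDirectory()) continue; // skips dangling symlinks
      const real = fs.realpathSync(full);
      if (seen.has(real)) continue;
      seen.add(real);
      if (entry.startsWith("@")) { walk(full); continue; } // scope directory holds packages
      const manifest = path.join(full, "package.json");
      if (fs.existsSync(manifest)) {
        try {
          const finding = lifecycleHooksOf(JSON.parse(fs.readFileSync(manifest, "utf8")));
          if (finding) findings.push(finding);
        } catch { /* unreadable or invalid manifest: skip it, do not crash the audit */ }
      }
      walk(path.join(full, "node_modules")); // nested dependencies
    }
  };
  walk(nodeModules);
  return findings;
}

// Advisory-mode report: one line per hook; the caller decides whether to fail.
export function formatReport(findings: ScriptFinding[]): string {
  if (findings.length === 0) return "No packages with install-time lifecycle scripts.";
  return findings
    .flatMap((f) => Object.entries(f.hooks).map(([hook, cmd]) => `${f.name}@${f.version}  ${hook}: ${cmd}`))
    .join("\n");
}

// Constructed sample manifests (not real packages) and a helper that writes
// them into a throwaway node_modules so the walker can be exercised offline.
export const SAMPLE_MANIFESTS: Manifest[] = [
  { name: "plain-lib", version: "1.0.0", scripts: { test: "jest" } },
  { name: "native-thing", version: "2.3.1", scripts: { postinstall: "node-gyp rebuild" } },
  { name: "@scope/hooked", version: "0.1.0", scripts: { preinstall: "node setup.js", prepare: "husky install" } },
];

export function writeSampleTree(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "lifecycle-audit-"));
  for (const pkg of SAMPLE_MANIFESTS) {
    const dir = path.join(root, "node_modules", pkg.name as string);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify(pkg));
  }
  return path.join(root, "node_modules");
}

const demoTree = writeSampleTree();
console.log(formatReport(auditNodeModules(demoTree)));
fs.rmSync(path.dirname(demoTree), { recursive: true, force: true });
```

Run against a real install (`auditNodeModules("node_modules")`) the report lists every package that can execute a command on a developer's or CI machine at install time, which is the set worth reviewing whenever the lockfile changes.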

Dependency Changes

Removed (10 packages)

Package                      Why it was in the tree
@inquirer/prompts            Monolithic bundle — replaced by individual packages
@inquirer/editor             Editor prompt — GESF never used it
@inquirer/external-editor    Editor's subprocess launcher
@inquirer/expand             Expand prompt — unused
@inquirer/number             Number prompt — unused
@inquirer/password           Password prompt — unused
@inquirer/rawlist            Raw list prompt — unused
@inquirer/search             Search prompt — unused
iconv-lite                   Character encoding — only needed by editor
safer-buffer                 Legacy buffer shim (last published 2018)

Added (4 packages — latest versions)

Package              Version   Purpose
@inquirer/input      5.1.2     Text input prompts
@inquirer/select     5.2.1     Arrow-key navigation menus
@inquirer/checkbox   5.2.1     Multi-select with checkboxes
@inquirer/confirm    6.1.1     Yes/no confirmation prompts

Retained (accepted, trusted)

Package             Maintainer                       Purpose
signal-exit@4.1.0   isaacs + bcoe (npm CLI team)     Graceful shutdown, spinner cleanup on Ctrl+C
mute-stream@3.0.0   npm CLI team (github.com/npm)    Password masking in interactive prompts

Both packages are maintained by the official npm CLI team, have zero dependencies, and contain no network calls, eval, or child_process usage.


CLI Experience — Unchanged

Every aspect of the interactive CLI experience has been verified:

  • ✅ Styled banners, progress indicators, colored output
  • ✅ Arrow-key navigation in select menus
  • ✅ Multi-select with checkboxes
  • ✅ Yes/no confirmation with defaults
  • ✅ Text input with default values
  • ✅ Password masking (via mute-stream)
  • ✅ Graceful Ctrl+C cleanup (via signal-exit)
  • ✅ Readline fallback in non-interactive / CI environments
  • ✅ ges init wizard with all 13 project types
  • ✅ ges dashboard server binding
  • ✅ IaC scanner detecting open security groups

Validation

pnpm -r run build   → 16 packages, all clean
pnpm -r run test    → 432 tests, all passing

CLI smoke test      → ges init --name smoke --type saas --frameworks GDPR,OWASP,CIS,NIST  ✓
IaC scanner         → 86 audit-engine tests pass (including 0.0.0.0/0 detection rules)
Supply chain CI     → supply-chain.yml validated (4 advisory checks)

Files Changed

File                                                Change
packages/cli/package.json                           @inquirer/prompts → 4 individual packages in optionalDependencies
packages/cli/src/utils/prompts.ts                   Dynamic import loads 4 packages via Promise.all
packages/audit-engine/src/scanners/iac-scanner.ts   WILDCARD_CIDR constant centralizes open-internet detection
packages/cli/src/commands/dashboard.ts              Default bind address uses constant split
.github/workflows/supply-chain.yml                  New — automated supply chain monitoring (4 checks)
socket.yml                                          Expanded to 8 issue rules for granular supply chain visibility
pnpm-lock.yaml                                      Regenerated — 10 packages removed, 4 added

Upgrade Guide

No migration required.

This release is fully backward compatible. The CLI's interactive behavior, prompt styles, fallback mechanisms, configuration formats, and all 15 commands work identically to v1.4.2. If you have GESF installed globally, update with:

npm install -g @greenarmor/ges@latest

If you use the MCP server:

npm install -g @greenarmor/ges-mcp-server@latest

What's Next

  • npm publish of v1.4.3 (manual with OTP)
  • GitHub release with these notes
  • Monitor Socket.dev score improvement after publication
  • Browser-based manual testing of dashboard governance mutations (from v1.4.2)
  • Real-world validation of ges mcp setup on Linux and Windows