Skip to content

v0.18.0

Choose a tag to compare

View all tags
@github-actions github-actions released this 13 May 06:20
· 100 commits to main since this release
v0.18.0
8e4037c
This commit was signed with the committer’s verified signature.
qwexvf Maruchan
GPG key ID: 50AA29109D975AE8
Verified
Learn about vigilant mode.

aegis-cli v0.18.0

Supply-chain security CLI for npm / bun / yarn / pnpm.

Verifying releases

All artifacts are checksummed (checksums.txt) and the checksums file
is signed via cosign keyless OIDC. To verify:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature   checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt

SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf.

Changelog

Features

  • 4744527: feat(sbom): --cdx-version flag, CycloneDX 1.6 support (@qwexvf)
  • 5ac6302: feat(sbom): extract package licenses from registries (@qwexvf)
  • 60c256c: feat: aegis snapshot rescan — retroactive OSV re-scan (@qwexvf)
  • 88ff837: feat: retract range support, SARIF merge, docs --suggest (@qwexvf)

Bug fixes

  • 7c2f6fd: fix(actions): add eval(atob()) pattern to suspicious run checks (@qwexvf)
  • 899c1d2: fix(heuristics): extend nonStandardRuntimePattern to cover deno run (@qwexvf)
  • 8e4037c: fix: block-form retract parsing, pypi url encoding, eval hint (@qwexvf)

Other

  • 293dee2: chore: remove bloated router_init.js fixture (585 KB) (@qwexvf)
  • 3916f60: ci(sbom): validate CycloneDX 1.5 output against schema (@qwexvf)

Apache-2.0 — see LICENSE.

Contributors

qwexvf
Assets 12
Loading