Skip to content

v0.1.1 — hardening pass

Choose a tag to compare

View all tags
@sharkyger sharkyger released this 26 Apr 15:34
· 55 commits to main since this release
v0.1.1
This tag was signed with the committer’s verified signature.
sharkyger Sharky
GPG key ID: 57D49112BE969A80
Verified
Learn about vigilant mode.
916c0fe
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Internal correctness + defense-in-depth fixes following the v0.1.0 review. No flag/env-var surface change.

Highlights

  • brew list --versions parsing now uses awk '\$NF' so multi-keg installations compare against the newest installed version
  • INCOMING_DEPS is a proper bash array; pathological tap dep names with whitespace survive dedup + iteration
  • --min-age for tap-namespaced deps emits a [skip-dep-age] log line instead of relying on a homebrew-core lookup that doesn't apply
  • Dep names validated against ^[a-zA-Z0-9@._/-]+\$ before flowing into any URL or subprocess argument; same regex now also guards the main-package age check in both wrappers
  • Pre-install/upgrade warning split into distinct sections — known CVEs vs. --min-age holds — so two different risk signals are no longer conflated
  • In-code design note explains why transitive deps don't get the CVE-aware --min-age bypass that applies to the user-named package

See CHANGELOG.md for the full breakdown. PR: #25.

Notes

This release tag is GPG-signed — first signed tag on the repo.

Assets 2
Loading