
v0.2.0 — arch-aware bottle-SHA + self-healing updater


@sharkyger sharkyger released this 03 Jun 21:40
· 19 commits to main since this release
v0.2.0
2b31610

Security-first wrapper around brew upgrade / brew install — checks every package against NIST NVD, OSV.dev, and the GitHub Advisory Database before the upgrade proceeds. Fail-closed by design: if a check cannot complete or fails, the package is not installed.

Highlights since v0.1.1

  • Arch-aware bottle-SHA resolver — fixes a false positive that hit every Intel (x86_64) host: the SHA check compared the locally downloaded Intel bottle against the canonical SHA of the arm64 bottle, so every bottle was flagged [BLOCKED] SHA mismatch. The resolver now derives the bottle tag from the host's real architecture and OS and never crosses architectures. Confirmed fixed on real Intel hardware.
  • SHA verification is on by default for brew safe-install / safe-upgrade: the local bottle's SHA-256 is compared with the canonical SHA published at formulae.brew.sh. A mismatch blocks the install and cannot be overridden by --yes. Opt out with --no-verify-sha.
  • --min-age freshness hold, 3 days by default — holds back formulae whose current version was published within the last N days (the window in which a worm-style supply-chain compromise is most likely to be discovered and pulled), with a CVE-aware bypass so that versions fixing a known CVE still reach you. --min-age 0 disables the hold.
  • Curated cask → NVD keyword map (cask_nvd_map.py) for better cask CVE coverage.
  • Self-healing brew safe-update — updates itself first, then re-runs, so a single brew safe-update always pulls the full current file set (no more "run it twice", and no more "bottle SHA resolver not found" from a half-updated install).
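The two checks above (arch-aware bottle-SHA verification and the --min-age hold) combine into a single fail-closed gate. The following is an added example of that gate, written for this page; it is not homebrew-safe-upgrade's own code. It assumes the formulae.brew.sh JSON layout bottle.stable.files.<tag>.sha256, the Homebrew tag convention (bare macOS codename for Intel, arm64_<codename> for Apple Silicon, <arch>_linux for Linux, all for arch-independent bottles), an assumed ordered list of macOS codenames for same-architecture fallback, and constructed sample bottles and formula data. The function names (bottle_tag, candidate_tags, canonical_sha, freshness_verdict, gate) are hypothetical.

```python
"""Added example: a fail-closed install gate with an arch-aware bottle-SHA
resolver and a --min-age freshness hold (not the project's own code)."""
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed: Homebrew macOS tag codenames, oldest first (used only for fallback).
MACOS_CODENAMES = ["big_sur", "monterey", "ventura", "sonoma", "sequoia"]
ARCH_ALIASES = {"x86_64": "x86_64", "amd64": "x86_64", "arm64": "arm64", "aarch64": "arm64"}


def bottle_tag(machine, system, codename=None):
    """Map (platform.machine(), platform.system(), macOS codename) to the bottle
    tag: "sonoma" for Intel macOS, "arm64_sonoma" for Apple Silicon,
    "<arch>_linux" for Linux. Unknown hosts raise instead of guessing."""
    arch = ARCH_ALIASES.get(machine)
    if arch is None:
        raise ValueError(f"unsupported machine {machine!r}")
    if system == "Darwin":
        if codename not in MACOS_CODENAMES:
            raise ValueError(f"unknown macOS codename {codename!r}")
        return codename if arch == "x86_64" else f"arm64_{codename}"
    if system == "Linux":
        return f"{arch}_linux"
    raise ValueError(f"unsupported OS {system!r}")


def candidate_tags(tag):
    """Tags to try, most specific first. On macOS fall back to older releases of
    the *same* architecture (assumed mirror of Homebrew's fallback), then "all".
    An Intel tag never yields an arm64 tag, and vice versa."""
    prefix, codename = ("arm64_", tag[6:]) if tag.startswith("arm64_") else ("", tag)
    tags = [tag]
    if codename in MACOS_CODENAMES:
        older = MACOS_CODENAMES[:MACOS_CODENAMES.index(codename)]
        tags += [prefix + c for c in reversed(older)]
    tags.append("all")
    return tags


def canonical_sha(formula, tag):
    """Canonical SHA-256 for the host's bottle from formulae.brew.sh JSON
    (bottle.stable.files.<tag>.sha256). (None, None) means no usable bottle."""
    files = formula.get("bottle", {}).get("stable", {}).get("files", {})
    for t in candidate_tags(tag):
        if t in files:
            return files[t]["sha256"], t
    return None, None


def freshness_verdict(published, now, min_age_days, fixes_cve):
    """--min-age hold: HOLD a version younger than min_age_days unless it fixes a
    known CVE; min_age_days <= 0 disables the hold."""
    if min_age_days <= 0 or now - published >= timedelta(days=min_age_days):
        return "OK"
    return "OK" if fixes_cve else "HOLD"


def gate(formula, host, local_bottle, published, now, min_age_days=3,
         fixes_cve=False, verify_sha=True):
    """Return "BLOCKED", "HOLD" or "OK". No --yes parameter exists on purpose:
    a SHA mismatch (or an unresolvable host) is never overridable."""
    if verify_sha:
        try:
            tag = bottle_tag(*host)
        except ValueError:
            return "BLOCKED"  # fail closed on an unrecognised host
        expected, _ = canonical_sha(formula, tag)
        if expected is None:
            return "BLOCKED"  # no bottle for this arch/OS: do not guess
        if hashlib.sha256(local_bottle).hexdigest() != expected:
            return "BLOCKED"
    return freshness_verdict(published, now, min_age_days, fixes_cve)


# Constructed sample data: not real bottle contents and not a real formula.
INTEL_BOTTLE = b"constructed intel x86_64 bottle tarball"
ARM_BOTTLE = b"constructed apple silicon bottle tarball"
INTEL_SHA = hashlib.sha256(INTEL_BOTTLE).hexdigest()
SAMPLE_FORMULA = {
    "name": "example",
    "bottle": {"stable": {"files": {
        "arm64_sonoma": {"sha256": hashlib.sha256(ARM_BOTTLE).hexdigest()},
        "sonoma": {"sha256": INTEL_SHA},
    }}},
}
NOW = datetime(2025, 6, 3, 21, 40, tzinfo=timezone.utc)
YESTERDAY = NOW - timedelta(days=1)
LAST_MONTH = NOW - timedelta(days=30)
INTEL_HOST = ("x86_64", "Darwin", "sonoma")
ARM_HOST = ("arm64", "Darwin", "sonoma")

if __name__ == "__main__":
    print("intel, intel bottle :", gate(SAMPLE_FORMULA, INTEL_HOST, INTEL_BOTTLE, LAST_MONTH, NOW))
    print("arm64, intel bottle :", gate(SAMPLE_FORMULA, ARM_HOST, INTEL_BOTTLE, LAST_MONTH, NOW))
    print("intel, 1 day old    :", gate(SAMPLE_FORMULA, INTEL_HOST, INTEL_BOTTLE, YESTERDAY, NOW))
    print("intel, 1 day, CVE   :", gate(SAMPLE_FORMULA, INTEL_HOST, INTEL_BOTTLE, YESTERDAY, NOW, fixes_cve=True))
```

The v0.1.1 bug corresponds to calling canonical_sha with the arm64 tag on an Intel host: the Intel bottle then never matches and every install is BLOCKED. Resolving the tag from the real host and only ever falling back within the same architecture removes that failure mode while keeping the check fail-closed, and the CVE bypass deliberately applies only to the freshness hold, never to a SHA mismatch.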

Full details in CHANGELOG.md.

Install

curl -fsSL https://raw.githubusercontent.com/sharkyger/homebrew-safe-upgrade/main/install.sh | bash

If you would rather not pipe a script straight into bash, download install.sh first and read it before running it.