@safedep/pmg 0.17.0 → 0.17.2

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -1,66 +1,282 @@
 <div align="center">
-  <img src="https://raw.githubusercontent.com/safedep/pmg/main/docs/assets/pmg-banner.png" alt="PMG banner">
+    <h1>Package Manager Guard (PMG)</h1>
 </div>
 
-# Package Manager Guard (PMG)
+<p align="center">
+    <strong>Block malicious npm and pip packages before they install.</strong><br>
+    Defense in depth for the package managers you already use.
+</p>
 
-PMG intercepts package installs and checks them for malware before code executes. Install it once, and your usual package manager workflows can stay the same.
+<div align="center">
+  <img src="./docs/demo/pmg-intro.gif" width="800" alt="pmg in action">
+</div>
+
+<br>
+
+<div align="center">
+
+[![Docs](https://img.shields.io/badge/Docs-docs.safedep.io-2b9246?style=flat-square)](https://docs.safedep.io/pmg/quickstart)
+[![Website](https://img.shields.io/badge/Website-safedep.io-3b82f6?style=flat-square)](https://safedep.io)
+[![Discord](https://img.shields.io/discord/1090352019379851304?style=flat-square)](https://discord.gg/kAGEj25dCn)
+[![Featured in tl;dr sec](https://img.shields.io/badge/Featured%20in-tl%3Bdr%20sec-FF6B35?style=flat-square)](https://tldrsec.com/p/tldr-sec-316)
 
-This package is the npm distribution of PMG. The main project README at [`github.com/safedep/pmg`](https://github.com/safedep/pmg) is the source of truth for full documentation.
+[![Go Report Card](https://goreportcard.com/badge/github.com/safedep/pmg)](https://goreportcard.com/report/github.com/safedep/pmg)
+![License](https://img.shields.io/github/license/safedep/pmg)
+![Release](https://img.shields.io/github/v/release/safedep/pmg)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/safedep/pmg/badge)](https://api.securityscorecards.dev/projects/github.com/safedep/pmg)
+[![CodeQL](https://github.com/safedep/pmg/actions/workflows/codeql.yml/badge.svg?branch=main)](https://github.com/safedep/pmg/actions/workflows/codeql.yml)
+
+</div>
 
 ## Why PMG?
 
-- Protects developers and AI coding agents from malicious packages
-- Wraps tools like `npm`, `pnpm`, `yarn`, `pip`, `poetry`, and `uv`
-- Adds sandboxing and install-time security checks with minimal workflow changes
+Developers and AI coding agents install packages every day. Each `npm install` or `pip install` executes thousands of lines of code that nobody reviews.
+
+Recent compromises in popular ecosystems:
+
+- [**Mini Shai-Hulud**](https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/) - 300+ popular packages compromised
+- [**litellm 1.82.8**](https://safedep.io/malicious-litellm-1-82-8-analysis/) - a popular AI proxy library compromised to exfiltrate credentials
+- [**telnyx 4.87.2**](https://safedep.io/malicious-telnyx-pypi-compromise/) - a legitimate telecom SDK hijacked on PyPI
+- [**pino-sdk-v2**](https://safedep.io/malicious-npm-package-pino-sdk-v2-env-exfiltration/) - a typosquat package disguised as the popular pino logger
+
+**PMG is free, open source (Apache 2.0), and requires no account or API key.** It intercepts every package install and checks it against [SafeDep's free community API](https://safedep.io) for known malware **before** code executes. Install it once, and it covers every `npm install`, `pip install`, and `poetry add` after that.
+
+## How PMG Works
+
+PMG takes a defense in depth approach. Zero config, works across Zsh, Bash, and Fish, and each install passes through the enabled protection layers before code runs, plus an audit trail after.
+
+<div align="center">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="./docs/assets/how-pmg-works-dark.svg">
+    <img alt="PMG defense in depth: install command intercepted by PMG, passed through Layer 1 Threat Intel, Layer 2 Cooldown, Layer 3 Sandbox, then run with an audit log entry" src="./docs/assets/how-pmg-works-light.svg" width="820">
+  </picture>
+</div>
+
+<details>
+<summary><strong>Layer details</strong></summary>
+
+- **Transparent Interception** - PMG wraps `npm`, `pip`, and other package managers. Developers and AI agents use the same commands. No workflow changes.
+- **Layer 1: Threat Intelligence** - PMG checks every package against [SafeDep's real-time threat intelligence](https://safedep.io) before install. Known-malicious packages are blocked. No key, no login required.
+- **Layer 2: Policy (Dependency Cooldown)** - PMG blocks package versions published inside a configurable cooldown window, so recently compromised versions are skipped during the window.
+- **Layer 3: Opt-in Sandbox** - When sandboxing is enabled and configured, PMG runs installs inside OS-native sandboxes (macOS Seatbelt, Linux Landlock by default, or Bubblewrap fallback) so install scripts have restricted system access even if a threat slips past the first two layers.
+- **Audit Logging** - PMG logs every install (what, when, from where) for a verifiable audit trail.
+
+</details>
+
+## How PMG Compares
+
+PMG is the only free, open-source, install-time package firewall that covers developers and AI agents alike and ships with sandboxing and cooldown out of the box.
+
+| Capability                              | PMG | Socket  | Snyk | Dependabot |
+| --------------------------------------- | --- | ------- | ---- | ---------- |
+| OSS / built in public                   | ✓   | ✗       | ✗    | ✗          |
+| No account or API key                   | ✓   | ✓       | ✗    | ✗          |
+| Install-time malicious package blocking | ✓   | ✓       | ✗    | ✗          |
+| Dependency cooldown policy              | ✓   | ✗       | ✗    | ✗          |
+| Runtime sandboxing                         | ✓   | ✗       | ✗    | ✗          |
+| Protects AI coding agents transparently | ✓   | ✗       | ✗    | ✗          |
+| Local audit logs                        | ✓   | ✗       | ✗    | ✗          |
+| Known-CVE remediation PRs               | ✗   | ✗       | ✓    | ✓          |
+
+## Quick Start
 
-## Install
+### 1. Install
 
 ```bash
-npm install -g @safedep/pmg
+curl -fsSL https://raw.githubusercontent.com/safedep/pmg/main/install.sh | sh
 ```
 
-You can also install PMG with Homebrew:
+> See [Installation](#installation) for Homebrew, npm, and other install methods.
+
+### 2. Setup
+
+Wire PMG into your shell so it intercepts package managers.
 
 ```bash
-brew install safedep/tap/pmg
+pmg setup install
+# Restart your terminal to apply changes
 ```
 
-## Quick Start
+> **Tip:** Re-run `pmg setup install` after upgrading PMG to pick up new configuration options.
 
-Set up PMG so your normal package manager commands are protected automatically:
+Validate your installation and verify protection is working:
 
 ```bash
-pmg setup install
+pmg setup doctor
 ```
 
-After setup, restart your terminal and keep using your tools as usual:
+### 3. Use
+
+See PMG blocking threats.
+
+```bash
+npm install --no-cache --prefer-online safedep-test-pkg@0.1.3
+```
+
+> **Note:** `safedep-test-pkg` is a benign test package flagged as malicious in SafeDep's database for
+> testing and verification purposes.
+
+Continue using your package managers as usual, or let your AI coding agent run them. PMG sits in the path, blocking malicious packages.
 
 ```bash
 npm install express
-pnpm add react
+# or
 pip install requests
 ```
 
-If you prefer, you can also run package manager commands through PMG directly:
+## Supported Package Managers
+
+PMG supports the tools you already use:
+
+| Ecosystem   | Tools    | Command Example     |
+| ----------- | -------- | ------------------- |
+| **Node.js** | `npm`    | `npm install <pkg>` |
+|             | `pnpm`   | `pnpm add <pkg>`    |
+|             | `yarn`   | `yarn add <pkg>`    |
+|             | `bun`    | `bun add <pkg>`     |
+|             | `npx`    | `npx <pkg>`         |
+|             | `pnpx`   | `pnpx <pkg>`        |
+| **Python**  | `pip`    | `pip install <pkg>` |
+|             | `poetry` | `poetry add <pkg>`  |
+|             | `uv`     | `uv add <pkg>`      |
+
+## Installation
+
+<details>
+<summary><strong>Install Script (MacOS/Linux)</strong></summary>
+
+Downloads the latest release from GitHub, verifies its SHA-256 checksum, and installs to `$HOME/.local/bin` (if on `PATH`) or `/usr/local/bin`.
+
+```bash
+curl -fsSL https://raw.githubusercontent.com/safedep/pmg/main/install.sh | sh
+```
+
+</details>
+
+<details>
+<summary><strong>Homebrew (MacOS/Linux)</strong></summary>
+
+```bash
+brew tap safedep/tap
+brew install safedep/tap/pmg
+```
+
+</details>
+
+<details>
+<summary><strong>NPM (Cross-Platform)</strong></summary>
+
+```bash
+npm install -g @safedep/pmg
+```
+
+> **Note:** NPM-based installs can be fragile when Node.js is managed by version managers like [`mise`](https://mise.jdx.dev/) or [`asdf`](https://asdf-vm.com/). The global `npm` bin path changes with the active Node version, so switching versions can leave `pmg` unavailable on `PATH` (or pointing to an old install). For these setups, prefer the install script or Homebrew.
+
+</details>
+
+<details>
+<summary><strong>Go (Build from Source)</strong></summary>
+
+```bash
+# Ensure $(go env GOPATH)/bin is in your $PATH
+go install github.com/safedep/pmg@latest
+```
+
+</details>
+
+<details>
+<summary><strong>Binary Download</strong></summary>
+
+Download the latest binary for your platform from the [Releases Page](https://github.com/safedep/pmg/releases).
+</details>
+
+## GitHub Actions
+
+Protect CI workflows with one step. PMG analyzes every `npm install`,
+`pip install`, etc. in the job.
+
+```yaml
+# Consider pinning third-party Actions to a full commit SHA
+- uses: actions/setup-node@v6
+  with:
+    node-version: 24
+- uses: safedep/pmg@v1
+- run: npm ci
+```
+
+By default you get malware blocking and dependency cooldown. Sandbox isolation
+is opt-in via the `sandbox` input. Tune behavior via inputs (`paranoid`,
+`sandbox`, `cooldown-days`, ...) or point
+`config-file` at a YAML in the repo. See
+[docs/github-action.md](docs/github-action.md) for the full reference.
+
+## Uninstallation
+
+Remove shell integration:
+
+```bash
+pmg setup remove
+```
+
+To also remove the PMG configuration file:
 
 ```bash
-pmg npm install express
-pmg pnpm add react
-pmg pip install requests
+pmg setup remove --config-file
 ```
 
-## Platform Support
+Then uninstall PMG itself:
+
+```bash
+# Homebrew
+brew uninstall safedep/tap/pmg
+
+# NPM
+npm uninstall -g @safedep/pmg
+```
+
+## Trust and Security
+
+PMG builds are reproducible and signed.
+
+- **Attestations**: GitHub and npm attestations guarantee artifact integrity.
+- **Verification**: You can cryptographically prove the binary matches the source code.
+- See [Trusting PMG](docs/trust.md) for verification steps.
+
+## User Guide
+
+- [Configuration](docs/config.md)
+- [Trusted Packages Configuration](docs/trusted-packages.md)
+- [Dependency Cooldown](docs/dependency-cooldown.md)
+- [Proxy Mode Architecture](docs/proxy-mode.md)
+- [Sandboxing](docs/sandbox.md)
+
+## Support
+
+If PMG saved you from a bad package, [star this repo](https://github.com/safedep/pmg). It helps others find it.
+
+## Star History
+
+<a href="https://star-history.com/#safedep/pmg&Date">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=safedep/pmg&type=Date&theme=dark" />
+    <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=safedep/pmg&type=Date" />
+    <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=safedep/pmg&type=Date" />
+  </picture>
+</a>
+
+## Contributing
+
+Contributions welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) for build and test instructions.
 
-- macOS
-- Linux
-- Windows
+Thank you to all contributors ❤️
 
-Requires Node.js 14 or higher.
+<a href="https://github.com/safedep/pmg/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=safedep/pmg" alt="Contributors to PMG" />
+</a>
 
-## Learn More
+## Telemetry
 
-For complete documentation, installation options, troubleshooting, and project updates, see:
+PMG collects anonymous usage data. To disable, either:
 
-- [Main README](https://github.com/safedep/pmg)
-- [Quickstart Docs](https://docs.safedep.io/pmg/quickstart)
+- Set `disable_telemetry: true` in your PMG config file, or
+- Export `PMG_DISABLE_TELEMETRY=true`.

package/dist/bin.cjs

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+let e=require("node:module"),t=require("node:path"),n=require("node:fs"),r=require("node:child_process");const i=(0,e.createRequire)(require("url").pathToFileURL(__filename).href);function a(){return`@safedep/pmg-${process.platform}-${process.arch}`}function o(e){let r=(0,t.dirname)(i.resolve(`${e}/package.json`)),a=process.platform===`win32`?`pmg.exe`:`pmg`,o=(0,t.join)(r,`bin`,a);if(!(0,n.existsSync)(o))throw Error(`Binary not found at ${o}. The platform package "${e}" is installed but does not contain bin/${a}.`);return o}function s(){let e=a(),t;try{t=o(e)}catch(t){let n=t instanceof Error?t.message:String(t);console.error([`Failed to locate the platform binary.`,`Host: ${process.platform}/${process.arch}`,`Expected platform package: ${e}`,n,``,`Common causes:`,`- optionalDependencies were omitted during install`,`- this platform/arch is not published yet`,`- the platform package was published without the binary in bin/`].join(`
+`)),process.exit(1)}let n=(0,r.spawn)(t,process.argv.slice(2),{stdio:`inherit`});n.on(`exit`,(e,t)=>{if(t){process.kill(process.pid,t);return}process.exit(e??1)}),n.on(`error`,e=>{console.error(`Failed to spawn the binary: ${e}`),process.exit(1)})}s();

package/package.json

@@ -1,58 +1,50 @@
 {
   "name": "@safedep/pmg",
-  "description": "PMG protects developers from getting compromised by malicious packages",
-  "main": "bin/pmg.js",
-  "bin": {
-    "pmg": "bin/pmg.js"
-  },
-  "scripts": {
-    "preinstall": "echo \"Installing PMG binary for your platform...\"",
-    "postinstall": "node install.js"
-  },
+  "version": "0.17.2",
+  "description": "PMG - Package Manager Guard: protect developers from malicious packages",
+  "license": "Apache-2.0",
   "keywords": [
     "security",
-    "package-manager",
-    "malicious-packages",
-    "npm",
-    "cli",
-    "vulnerability",
-    "dependency-security",
-    "safedep"
+    "supply-chain",
+    "packages",
+    "safedep",
+    "pmg"
   ],
-  "author": "SafeDep <devops@safedep.io>",
-  "license": "Apache-2.0",
-  "homepage": "https://github.com/safedep/pmg#readme",
+  "engines": {
+    "node": ">=18"
+  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/safedep/pmg.git"
   },
+  "homepage": "https://safedep.io",
   "bugs": {
     "url": "https://github.com/safedep/pmg/issues"
   },
-  "engines": {
-    "node": ">=14"
+  "publishConfig": {
+    "access": "public"
+  },
+  "type": "module",
+  "bin": {
+    "pmg": "dist/bin.cjs"
   },
-  "os": [
-    "darwin",
-    "linux",
-    "win32"
-  ],
-  "cpu": [
-    "x64",
-    "arm64",
-    "ia32"
-  ],
   "files": [
-    "bin/pmg.js",
-    "install.js",
-    "config.js",
-    "test.js",
-    "README.md",
-    ".npmignore"
+    "dist/**"
   ],
-  "publishConfig": {
-    "access": "public"
+  "optionalDependencies": {
+    "@safedep/pmg-linux-x64": "0.17.2",
+    "@safedep/pmg-linux-arm64": "0.17.2",
+    "@safedep/pmg-win32-x64": "0.17.2",
+    "@safedep/pmg-darwin-arm64": "0.17.2",
+    "@safedep/pmg-darwin-x64": "0.17.2"
   },
-  "dependencies": {},
-  "version": "0.17.0"
-}
+  "devDependencies": {
+    "@types/node": "25.9.1",
+    "tsdown": "0.22.0",
+    "typescript": "6.0.3"
+  },
+  "scripts": {
+    "build": "tsdown",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  }
+}

package/.npmignore

@@ -1,17 +0,0 @@
-# Exclude the actual binary (but keep the wrapper script)
-bin/pmg
-bin/pmg.exe
-
-# Exclude temp files and directories
-temp/
-.temp/
-
-# Exclude development files
-node_modules/
-.git/
-.gitignore
-*.log
-.DS_Store
-
-# Keep only the wrapper script in bin/
-!bin/pmg.js

package/bin/pmg.js

@@ -1,76 +0,0 @@
-#!/usr/bin/env node
-
-const fs = require("fs");
-const path = require("path");
-const { spawn } = require("child_process");
-const { ORG_NAME, PACKAGE_NAME, BINARY_NAME } = require("../config");
-
-const BINARY_NAME_WITH_EXT =
-  process.platform === "win32" ? `${BINARY_NAME}.exe` : BINARY_NAME;
-const BINARY_PATH = path.join(__dirname, BINARY_NAME_WITH_EXT);
-
-function main() {
-  // Check if binary exists
-  if (!fs.existsSync(BINARY_PATH)) {
-    console.error(`❌ ${BINARY_NAME_WITH_EXT} binary not found`);
-    console.error(
-      `Try reinstalling: npm install -g ${ORG_NAME}/${PACKAGE_NAME}`,
-    );
-    process.exit(1);
-  }
-
-  // Verify binary is executable
-  try {
-    fs.accessSync(BINARY_PATH, fs.constants.F_OK | fs.constants.X_OK);
-  } catch (error) {
-    console.error(`❌ ${BINARY_NAME_WITH_EXT} is not executable`);
-    console.error(
-      `Try reinstalling: npm install -g ${ORG_NAME}/${PACKAGE_NAME}`,
-    );
-    process.exit(1);
-  }
-
-  // Pass all arguments to the binary
-  const args = process.argv.slice(2);
-
-  // Spawn the binary with inherited stdio for proper terminal interaction
-  const child = spawn(BINARY_PATH, args, {
-    stdio: "inherit",
-    windowsHide: false,
-  });
-
-  // Handle process termination
-  child.on("error", (error) => {
-    console.error(
-      `❌ Failed to execute ${BINARY_NAME_WITH_EXT}: ${error.message}`,
-    );
-    console.error(
-      `Try reinstalling: npm install -g ${ORG_NAME}/${PACKAGE_NAME}`,
-    );
-    process.exit(1);
-  });
-
-  // Exit with the same code as the child process
-  child.on("exit", (code, signal) => {
-    if (signal) {
-      process.kill(process.pid, signal);
-    } else {
-      process.exit(code || 0);
-    }
-  });
-
-  // Handle termination signals
-  process.on("SIGTERM", () => {
-    child.kill("SIGTERM");
-  });
-
-  process.on("SIGINT", () => {
-    child.kill("SIGINT");
-  });
-}
-
-if (require.main === module) {
-  main();
-}
-
-module.exports = { main };

package/config.js

@@ -1,34 +0,0 @@
-// Configuration for npm binary wrapper
-
-const ORG_NAME = "@safedep";
-const PACKAGE_NAME = "pmg";
-const BINARY_NAME = "pmg";
-
-// GitHub repository information for releases
-const REPO_OWNER = "safedep";
-const REPO_NAME = "pmg";
-
-// GitHub releases base URL (constructed from repo info)
-const GITHUB_RELEASES_BASE = `https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download`;
-
-// Platform-specific binary filename patterns (GoReleaser format)
-const BINARY_PATTERNS = {
-  "darwin-x64": `${BINARY_NAME}_Darwin_all.tar.gz`,
-  "darwin-arm64": `${BINARY_NAME}_Darwin_all.tar.gz`,
-  "linux-x64": `${BINARY_NAME}_Linux_x86_64.tar.gz`,
-  "linux-arm64": `${BINARY_NAME}_Linux_arm64.tar.gz`,
-  "linux-ia32": `${BINARY_NAME}_Linux_i386.tar.gz`,
-  "win32-x64": `${BINARY_NAME}_Windows_x86_64.zip`,
-  "win32-arm64": `${BINARY_NAME}_Windows_arm64.zip`,
-  "win32-ia32": `${BINARY_NAME}_Windows_i386.zip`,
-};
-
-module.exports = {
-  ORG_NAME,
-  PACKAGE_NAME,
-  BINARY_NAME,
-  REPO_OWNER,
-  REPO_NAME,
-  GITHUB_RELEASES_BASE,
-  BINARY_PATTERNS,
-};

package/install.js

@@ -1,243 +0,0 @@
-#!/usr/bin/env node
-
-const fs = require("fs");
-const path = require("path");
-const os = require("os");
-const https = require("https");
-const crypto = require("crypto");
-const { execSync } = require("child_process");
-const {
-  BINARY_NAME,
-  REPO_OWNER,
-  REPO_NAME,
-  GITHUB_RELEASES_BASE,
-  BINARY_PATTERNS,
-} = require("./config");
-
-// Read version from package.json with strict validation
-function getValidatedVersion() {
-  try {
-    const packageJson = JSON.parse(
-      fs.readFileSync(path.join(__dirname, "package.json"), "utf8"),
-    );
-
-    const version = packageJson.version;
-
-    // Strict validation: must be valid semver (x.y.z)
-    if (!/^\d+\.\d+\.\d+$/.test(version)) {
-      throw new Error(`Invalid version format: ${version}`);
-    }
-
-    return `v${version}`;
-  } catch (error) {
-    throw new Error(`Failed to read valid version: ${error.message}`);
-  }
-}
-
-const RELEASE_VERSION = getValidatedVersion();
-const BASE_URL = `${GITHUB_RELEASES_BASE}/${RELEASE_VERSION}`;
-
-// Platform-specific binary URLs (constructed from config)
-const BINARY_URLS = {};
-Object.keys(BINARY_PATTERNS).forEach((platform) => {
-  BINARY_URLS[platform] = `${BASE_URL}/${BINARY_PATTERNS[platform]}`;
-});
-
-const CHECKSUMS_URL = `${BASE_URL}/checksums.txt`;
-
-function getPlatformKey() {
-  const platform = process.platform;
-  const arch = process.arch;
-  return `${platform}-${arch}`;
-}
-
-function downloadFile(url, dest, maxRedirects = 5) {
-  return new Promise((resolve, reject) => {
-    if (maxRedirects < 0) {
-      reject(new Error("Too many redirects"));
-      return;
-    }
-
-    const file = fs.createWriteStream(dest);
-
-    https
-      .get(url, (response) => {
-        if (response.statusCode === 302 || response.statusCode === 301) {
-          file.close();
-          fs.unlink(dest, () => {});
-          return downloadFile(response.headers.location, dest, maxRedirects - 1)
-            .then(resolve)
-            .catch(reject);
-        }
-
-        if (response.statusCode !== 200) {
-          file.close();
-          fs.unlink(dest, () => {});
-          reject(new Error(`Download failed: ${response.statusCode}`));
-          return;
-        }
-
-        response.pipe(file);
-
-        file.on("finish", () => {
-          file.close();
-          resolve();
-        });
-
-        file.on("error", (err) => {
-          fs.unlink(dest, () => {});
-          reject(err);
-        });
-      })
-      .on("error", reject);
-  });
-}
-
-function calculateChecksum(filePath) {
-  const fileBuffer = fs.readFileSync(filePath);
-  const hashSum = crypto.createHash("sha256");
-  hashSum.update(fileBuffer);
-  return hashSum.digest("hex");
-}
-
-function validateChecksum(filePath, expectedChecksum) {
-  const actualChecksum = calculateChecksum(filePath);
-  return actualChecksum === expectedChecksum;
-}
-
-function extractArchive(archivePath, extractDir) {
-  const isZip = archivePath.endsWith(".zip");
-
-  if (isZip) {
-    if (process.platform === "win32") {
-      execSync(
-        `powershell -NoProfile -Command "Expand-Archive -Force -Path '${archivePath}' -DestinationPath '${extractDir}'"`,
-        { stdio: "pipe" },
-      );
-    } else {
-      execSync(`unzip -o "${archivePath}" -d "${extractDir}"`, {
-        stdio: "pipe",
-      });
-    }
-  } else {
-    execSync(`tar -xzf "${archivePath}" -C "${extractDir}"`, { stdio: "pipe" });
-  }
-}
-
-async function install() {
-  let tempWorkspace;
-
-  try {
-    console.log("📦 Installing PMG binary...");
-
-    // Get platform-specific URL
-    const platformKey = getPlatformKey();
-    const binaryUrl = BINARY_URLS[platformKey];
-
-    if (!binaryUrl) {
-      throw new Error(`Unsupported platform: ${platformKey}`);
-    }
-
-    console.log(`🔍 Platform: ${platformKey}`);
-    console.log(`📡 Version: ${RELEASE_VERSION}`);
-
-    // Create directories
-    const binDir = path.join(__dirname, "bin");
-    tempWorkspace = fs.mkdtempSync(path.join(os.tmpdir(), "pmg-install-"));
-
-    fs.mkdirSync(binDir, { recursive: true });
-
-    // Download binary archive
-    const archiveFilename = path.basename(binaryUrl);
-    const archivePath = path.join(tempWorkspace, archiveFilename);
-
-    console.log(`⬇️  Downloading binary...`);
-    await downloadFile(binaryUrl, archivePath);
-
-    // Download checksums
-    const checksumsPath = path.join(tempWorkspace, "checksums.txt");
-    console.log(`⬇️  Downloading checksums...`);
-    await downloadFile(CHECKSUMS_URL, checksumsPath);
-
-    // Parse checksums file
-    const checksumsContent = fs.readFileSync(checksumsPath, "utf8");
-    const checksumLines = checksumsContent.split("\n");
-
-    let expectedChecksum = null;
-    for (const line of checksumLines) {
-      if (line.includes(archiveFilename)) {
-        expectedChecksum = line.split(/\s+/)[0];
-        break;
-      }
-    }
-
-    if (!expectedChecksum) {
-      throw new Error(`Checksum not found for ${archiveFilename}`);
-    }
-
-    // Validate checksum
-    console.log(`🔐 Validating checksum...`);
-    if (!validateChecksum(archivePath, expectedChecksum)) {
-      throw new Error(
-        "Checksum validation failed - binary may be corrupted or tampered",
-      );
-    }
-
-    console.log(`✅ Checksum validated`);
-
-    // Extract archive
-    console.log(`📂 Extracting binary...`);
-    extractArchive(archivePath, tempWorkspace);
-
-    // Find and move binary
-    const binaryName =
-      process.platform === "win32" ? `${BINARY_NAME}.exe` : BINARY_NAME;
-    const extractedBinaryPath = path.join(tempWorkspace, binaryName);
-    const finalBinaryPath = path.join(binDir, binaryName);
-
-    if (!fs.existsSync(extractedBinaryPath)) {
-      throw new Error(
-        `Binary not found at expected location: ${extractedBinaryPath}`,
-      );
-    }
-
-    // Move binary to final location (handle cross-device links)
-    try {
-      fs.renameSync(extractedBinaryPath, finalBinaryPath);
-    } catch (error) {
-      if (error.code === "EXDEV") {
-        // Cross-device link not permitted, copy and delete instead
-        fs.copyFileSync(extractedBinaryPath, finalBinaryPath);
-        fs.unlinkSync(extractedBinaryPath);
-      } else {
-        throw error;
-      }
-    }
-
-    // Make executable on Unix systems
-    if (process.platform !== "win32") {
-      fs.chmodSync(finalBinaryPath, "755");
-    }
-
-    // Clean up
-    fs.rmSync(tempWorkspace, { recursive: true, force: true });
-
-    console.log("✅ PMG binary installed successfully!");
-  } catch (error) {
-    console.error("❌ Installation failed:", error.message);
-
-    // Clean up on failure
-    try {
-      if (tempWorkspace && fs.existsSync(tempWorkspace)) {
-        fs.rmSync(tempWorkspace, { recursive: true, force: true });
-      }
-    } catch (cleanupError) {
-      console.warn("⚠️  Failed to clean up:", cleanupError.message);
-    }
-
-    process.exit(1);
-  }
-}
-
-// Run installation
-install();