@safedep/pmg 0.17.3 → 0.18.0
- package/README.md +23 -10
- package/package.json +6 -6
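--- a/package/README.md
+++ b/package/README.md
@@ -67,16 +67,16 @@ PMG takes a defense in depth approach. Zero config, works across Zsh, Bash, and
 
 PMG is the only free, open-source, install-time package firewall that covers developers and AI agents alike and ships with sandboxing and cooldown out of the box.
 
-| Capability | PMG | Socket
-| --------------------------------------- | --- |
-| OSS / built in public | ✓ | ✗
-| No account or API key | ✓ | ✓
-| Install-time malicious package blocking | ✓ | ✓
-| Dependency cooldown policy | ✓ | ✗
-| Runtime sandboxing
-| Protects AI coding agents transparently | ✓ | ✗
-| Local audit logs | ✓ | ✗
-| Known-CVE remediation PRs | ✗ | ✗
+| Capability | PMG | Socket | safe-chain | Snyk | Dependabot |
+| --------------------------------------- | --- | ------ | ---------- | ---- | ---------- |
+| OSS / built in public | ✓ | ✗ | ✓ | ✗ | ✗ |
+| No account or API key | ✓ | ✓ | ✓ | ✗ | ✗ |
+| Install-time malicious package blocking | ✓ | ✓ | ✓ | ✗ | ✗ |
+| Dependency cooldown policy | ✓ | ✗ | ✓ | ✗ | ✗ |
+| Runtime sandboxing | ✓ | ✗ | ✗ | ✗ | ✗ |
+| Protects AI coding agents transparently | ✓ | ✗ | ✗ | ✗ | ✗ |
+| Local audit logs | ✓ | ✗ | ✗ | ✗ | ✗ |
+| Known-CVE remediation PRs | ✗ | ✗ | ✗ | ✓ | ✓ |
 
 ## Quick Start
 
@@ -105,6 +105,18 @@ Validate your installation and verify protection is working:
 pmg setup doctor
 ```
 
+> **Optional:** PMG inspects HTTPS traffic with an on-the-fly CA that it injects into package
+> managers per run. To persist a single CA across runs and trust it in your OS trust store
+> (needed for tools that ignore CA environment variables, such as Go on macOS and Windows),
+> install it once:
+>
+> ```bash
+> pmg setup cert install # user scope, no sudo
+> pmg setup cert status # check trust state and expiry
+> ```
+>
+> See [Certificate Authority](docs/cert.md) for scopes, rotation, and removal.
+
 ### 3. Use
 
 See PMG blocking threats.
@@ -248,6 +260,7 @@ PMG builds are reproducible and signed.
 - [Trusted Packages Configuration](docs/trusted-packages.md)
 - [Dependency Cooldown](docs/dependency-cooldown.md)
 - [Proxy Mode Architecture](docs/proxy-mode.md)
+- [Certificate Authority](docs/cert.md)
 - [Sandboxing](docs/sandbox.md)
 
 ## Support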
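--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@safedep/pmg",
-"version": "0.
+"version": "0.18.0",
 "description": "PMG - Package Manager Guard: protect developers from malicious packages",
 "license": "Apache-2.0",
 "keywords": [
@@ -32,11 +32,11 @@
 "dist/**"
 ],
 "optionalDependencies": {
-"@safedep/pmg-linux-
-"@safedep/pmg-
-"@safedep/pmg-darwin-
-"@safedep/pmg-
-"@safedep/pmg-
+"@safedep/pmg-linux-x64": "0.18.0",
+"@safedep/pmg-darwin-arm64": "0.18.0",
+"@safedep/pmg-darwin-x64": "0.18.0",
+"@safedep/pmg-linux-arm64": "0.18.0",
+"@safedep/pmg-win32-x64": "0.18.0"
 },
 "devDependencies": {
 "@types/node": "25.9.1",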