supply-chain-guard 5.2.32 → 5.2.33
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -0
- package/dist/cli.js +1 -1
- package/dist/reporter.js +4 -4
- package/package.json +5 -2
package/README.md
CHANGED
|
@@ -342,6 +342,17 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. The most impactful contri
|
|
|
342
342
|
|
|
343
343
|
## Changelog
|
|
344
344
|
|
|
345
|
+
### v5.2.33 (2026-06-14)
|
|
346
|
+
**Security: fix devDependency vulnerabilities (vitest, esbuild)**
|
|
347
|
+
|
|
348
|
+
Dependabot flagged three advisories in the dev/test toolchain. All are `devDependencies` and none ship in the published npm tarball (`files[]` is limited to `dist`, `action.yml`, `README.md`, `LICENSE`, `socket.yml`), so consumers of the package were never exposed - but a security tool should not carry known-vulnerable dev deps.
|
|
349
|
+
|
|
350
|
+
- **vitest** bumped from `^3.0.0` to `^3.2.6`, resolving CVE-2026-47429 (critical). Stays within the 3.x line to avoid the breaking changes of the Dependabot-proposed 4.x major bump; all 799 tests pass unchanged.
|
|
351
|
+
- **esbuild** forced to `^0.28.1` via an `overrides` entry, resolving GHSA-gv7w-rqvm-qjhr (high) and GHSA-g7r4-m6w7-qqqr (low). vitest 3.x's transitive vite otherwise pins an older esbuild; the override pulls the patched build without a vitest major upgrade.
|
|
352
|
+
- `npm audit` now reports 0 vulnerabilities. Supersedes Dependabot PR #25.
|
|
353
|
+
|
|
354
|
+
Also adds `.supply-chain-guard.yml` (committed separately) with documented accepted-risk suppressions for the project's own self-scan: `GHA_OIDC_WRITE_PERM` and `WORKFLOW_SECRET_TO_UPLOAD_PATH` are by-design tradeoffs for npm Trusted Publishing, `LOCKFILE_ORPHANED_DEPENDENCY` is informational. Self-scan result: 0/100 clean.
|
|
355
|
+
|
|
345
356
|
### v5.2.32 (2026-06-13)
|
|
346
357
|
**Threat-intel update: Arch Linux AUR mass-hijack npm dropper (atomic-lockfile)**
|
|
347
358
|
|
package/dist/cli.js
CHANGED
|
@@ -20,7 +20,7 @@ const program = new commander_1.Command();
|
|
|
20
20
|
program
|
|
21
21
|
.name("supply-chain-guard")
|
|
22
22
|
.description("Open-source supply-chain security scanner. Detects GlassWorm and similar malware campaigns in npm packages, PyPI packages, code repos, VS Code extensions, and project dependencies.")
|
|
23
|
-
.version("5.2.
|
|
23
|
+
.version("5.2.33");
|
|
24
24
|
// ── scan command ────────────────────────────────────────────────────
|
|
25
25
|
program
|
|
26
26
|
.command("scan")
|
package/dist/reporter.js
CHANGED
|
@@ -55,7 +55,7 @@ function formatJson(report) {
|
|
|
55
55
|
function formatText(report) {
|
|
56
56
|
const lines = [];
|
|
57
57
|
// ── layout constants ───────────────────────────────────────────────────────
|
|
58
|
-
const VERSION = "5.2.
|
|
58
|
+
const VERSION = "5.2.33";
|
|
59
59
|
const W = 76; // visible chars between "│ " and " │" (total line = 80)
|
|
60
60
|
// ── ANSI helpers ───────────────────────────────────────────────────────────
|
|
61
61
|
const stripAnsi = (s) => s.replace(/\x1b\[[0-9;]*m/g, "");
|
|
@@ -462,7 +462,7 @@ function formatSarif(report) {
|
|
|
462
462
|
tool: {
|
|
463
463
|
driver: {
|
|
464
464
|
name: "supply-chain-guard",
|
|
465
|
-
version: "5.2.
|
|
465
|
+
version: "5.2.33",
|
|
466
466
|
informationUri: "https://github.com/homeofe/supply-chain-guard",
|
|
467
467
|
rules,
|
|
468
468
|
},
|
|
@@ -524,7 +524,7 @@ function formatSbom(report) {
|
|
|
524
524
|
timestamp: report.timestamp,
|
|
525
525
|
tools: {
|
|
526
526
|
components: [
|
|
527
|
-
{ type: "application", name: "supply-chain-guard", version: "5.2.
|
|
527
|
+
{ type: "application", name: "supply-chain-guard", version: "5.2.33" },
|
|
528
528
|
],
|
|
529
529
|
},
|
|
530
530
|
component: {
|
|
@@ -676,7 +676,7 @@ footer{text-align:center;padding:24px;color:#94a3b8;font-size:13px}
|
|
|
676
676
|
` : ""}
|
|
677
677
|
|
|
678
678
|
<footer>
|
|
679
|
-
Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.
|
|
679
|
+
Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.33
|
|
680
680
|
</footer>
|
|
681
681
|
</div>
|
|
682
682
|
<script>
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "supply-chain-guard",
|
|
3
|
-
"version": "5.2.
|
|
3
|
+
"version": "5.2.33",
|
|
4
4
|
"description": "Open-source supply-chain security scanner for npm, PyPI, Cargo, Go, Docker, VS Code extensions, GitHub Actions, IaC and Solana C2. Detects GlassWorm, Shai-Hulud, PPE attacks, dependency confusion and 120+ malware indicators. Generates CycloneDX 1.6 SBOMs and verifies SLSA provenance.",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"types": "dist/index.d.ts",
|
|
@@ -61,6 +61,9 @@
|
|
|
61
61
|
"devDependencies": {
|
|
62
62
|
"@types/node": "^22.13.0",
|
|
63
63
|
"typescript": "^5.7.0",
|
|
64
|
-
"vitest": "^3.
|
|
64
|
+
"vitest": "^3.2.6"
|
|
65
|
+
},
|
|
66
|
+
"overrides": {
|
|
67
|
+
"esbuild": "^0.28.1"
|
|
65
68
|
}
|
|
66
69
|
}
|