supply-chain-guard 5.2.34 → 5.2.35

package/README.md

@@ -342,6 +342,16 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. The most impactful contri
 
 ## Changelog
 
+### v5.2.35 (2026-06-21)
+**Security: fix vite devDependency vulnerabilities**
+
+Two new advisories in the transitive vite dependency (via vitest), both `devDependencies` that do not ship in the published npm tarball (`files[]` is `dist`, `action.yml`, `README.md`, `LICENSE`, `socket.yml`), so package consumers were never exposed.
+
+- **vite** forced from 7.3.2 to `^7.3.5` via the existing `overrides` block, resolving GHSA-fx2h-pf6j-xcff (high) and GHSA-v6wh-96g9-6wx3 (medium). Patch-level bump within 7.x; all 803 tests pass unchanged.
+- `npm audit` reports 0 vulnerabilities.
+
+Also documents the GitHub Action distribution model in `CLAUDE.md`: `uses: homeofe/supply-chain-guard@v5` now resolves to a floating `v5` branch (kept current by a new `update-major-branch` CI job via fast-forward push), and the GitHub Marketplace publishing limitation (web-UI only, not automatable).
+
 ### v5.2.34 (2026-06-21)
 **Threat-intel update: Mastra npm scope takeover (Sapphire Sleet) + NastyC2 + crypto-javascript worm**
 

package/dist/cli.js

@@ -20,7 +20,7 @@ const program = new commander_1.Command();
 program
     .name("supply-chain-guard")
     .description("Open-source supply-chain security scanner. Detects GlassWorm and similar malware campaigns in npm packages, PyPI packages, code repos, VS Code extensions, and project dependencies.")
-    .version("5.2.34");
+    .version("5.2.35");
 // ── scan command ────────────────────────────────────────────────────
 program
     .command("scan")

package/dist/reporter.js

@@ -55,7 +55,7 @@ function formatJson(report) {
 function formatText(report) {
     const lines = [];
     // ── layout constants ───────────────────────────────────────────────────────
-    const VERSION = "5.2.34";
+    const VERSION = "5.2.35";
     const W = 76; // visible chars between "│ " and " │" (total line = 80)
     // ── ANSI helpers ───────────────────────────────────────────────────────────
     const stripAnsi = (s) => s.replace(/\x1b\[[0-9;]*m/g, "");
@@ -462,7 +462,7 @@ function formatSarif(report) {
                 tool: {
                     driver: {
                         name: "supply-chain-guard",
-                        version: "5.2.34",
+                        version: "5.2.35",
                         informationUri: "https://github.com/homeofe/supply-chain-guard",
                         rules,
                     },
@@ -524,7 +524,7 @@ function formatSbom(report) {
             timestamp: report.timestamp,
             tools: {
                 components: [
-                    { type: "application", name: "supply-chain-guard", version: "5.2.34" },
+                    { type: "application", name: "supply-chain-guard", version: "5.2.35" },
                 ],
             },
             component: {
@@ -676,7 +676,7 @@ footer{text-align:center;padding:24px;color:#94a3b8;font-size:13px}
   ` : ""}
 
   <footer>
-    Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.34
+    Generated by <a href="https://github.com/homeofe/supply-chain-guard">supply-chain-guard</a> v5.2.35
   </footer>
 </div>
 <script>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "supply-chain-guard",
-  "version": "5.2.34",
+  "version": "5.2.35",
   "description": "Open-source supply-chain security scanner for npm, PyPI, Cargo, Go, Docker, VS Code extensions, GitHub Actions, IaC and Solana C2. Detects GlassWorm, Shai-Hulud, PPE attacks, dependency confusion and 120+ malware indicators. Generates CycloneDX 1.6 SBOMs and verifies SLSA provenance.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -64,6 +64,7 @@
     "vitest": "^3.2.6"
   },
   "overrides": {
-    "esbuild": "^0.28.1"
+    "esbuild": "^0.28.1",
+    "vite": "^7.3.5"
   }
 }