This release, kastelldev/kastell v1.9.1, includes 3 security fixes of interest to security teams reviewing exposed deployments.
Summary
AI summary: Fixed three supply-chain alerts on npm by moving `curl|bash` update commands out of `constants.ts` into adapter files, removing the `child_process` import from `deploy.ts`, and documenting a `globalThis["fetch"]` false positive.
Full changelog
Security
- Socket.dev alert fixes — Resolved 3 supply-chain alerts on npm:
  - `curl|bash` update commands moved from `constants.ts` into adapter files (eliminates obfuscated code alert)
  - `child_process` import removed from `deploy.ts`; uses `removeStaleHostKey()` utility instead
  - `globalThis["fetch"]` false positive documented in SOCKET_JUSTIFICATION.md
Full Changelog: https://github.com/kastelldev/kastell/compare/v1.9.0...v1.9.1
Security Fixes
- Moved `curl|bash` update commands from `constants.ts` into adapter files — eliminates obfuscated code alert (the commands were relocated, not removed, so this resolves the scanner finding rather than changing what the update path runs)
- Removed `child_process` import from `deploy.ts`; now uses `removeStaleHostKey()` utility — resolves unsafe execution alert
- Documented `globalThis["fetch"]` false positive in SOCKET_JUSTIFICATION.md — addresses spurious dependency‑scan alert
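The unsafe-execution alert above was triggered by the `child_process` import in `deploy.ts`, and the release notes only name the replacement utility, `removeStaleHostKey()`, without showing it. What follows is an added example, not kastell's own code, of what such a utility can look like when it edits `known_hosts` in-process instead of shelling out to `ssh-keygen -R host`. It removes both plain and OpenSSH-hashed (`|1|salt|hash`) entries. All function names, the default file path and the sample `known_hosts` content are assumptions made for the example.

```typescript
// Added example, not kastell's own code. The kind of utility that lets
// deploy.ts drop its child_process import: instead of
//   execSync(`ssh-keygen -R ${host}`)  // shell string built from a host value
// the stale host key is removed by rewriting known_hosts in-process, so no
// shell is spawned and an attacker-influenced host value cannot inject commands.
// All names, the default path and the sample file content are assumptions.
import { createHmac } from "node:crypto";
import { readFileSync, writeFileSync } from "node:fs";
import { homedir } from "node:os";
import { join } from "node:path";

// Build an OpenSSH hashed host field, |1|salt|HMAC-SHA1(salt, host),
// the form written when HashKnownHosts is enabled. Used here for sample data.
export function hashedHostField(host: string, salt: Buffer): string {
  const mac = createHmac("sha1", salt).update(host).digest("base64");
  return `|1|${salt.toString("base64")}|${mac}`;
}

// Does one known_hosts host field refer to `host`? Plain fields are
// comma-separated host/IP lists; hashed fields are verified with their salt.
// Pattern entries such as *.example.org are only matched literally here.
export function hostFieldMatches(field: string, host: string): boolean {
  if (field.startsWith("|1|")) {
    const parts = field.split("|"); // ["", "1", salt, digest]
    if (parts.length !== 4) return false;
    const salt = Buffer.from(parts[2], "base64");
    return createHmac("sha1", salt).update(host).digest("base64") === parts[3];
  }
  return field.split(",").includes(host);
}

// Return the known_hosts text with every key line for `host` removed,
// keeping comments, blank lines and lines that belong to other hosts.
export function stripHostKeys(content: string, host: string): { text: string; removed: number } {
  let removed = 0;
  const kept = content.split("\n").filter((line) => {
    const trimmed = line.trim();
    if (trimmed === "" || trimmed.startsWith("#")) return true;
    const fields = trimmed.split(/\s+/);
    // A line may start with a marker such as @cert-authority or @revoked.
    const hostField = fields[0].startsWith("@") ? fields[1] : fields[0];
    if (hostField !== undefined && hostFieldMatches(hostField, host)) {
      removed += 1;
      return false;
    }
    return true;
  });
  return { text: kept.join("\n"), removed };
}

// In-process replacement for `ssh-keygen -R host`: rewrites the user's
// known_hosts file and returns how many lines were removed (0 = untouched).
export function removeStaleHostKey(
  host: string,
  path: string = join(homedir(), ".ssh", "known_hosts"),
): number {
  const { text, removed } = stripHostKeys(readFileSync(path, "utf8"), host);
  if (removed > 0) writeFileSync(path, text);
  return removed;
}

// Constructed sample known_hosts content (the key material is not real).
export const SAMPLE_KNOWN_HOSTS = [
  "# constructed sample",
  "web.example.com,203.0.113.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE1",
  `${hashedHostField("db.internal", Buffer.from("constructed-salt-000"))} ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE2`,
  "@cert-authority *.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE3",
  "",
].join("\n");
```

`stripHostKeys` is the testable core; `removeStaleHostKey` only adds the file read and write around it, which is the part a scanner has no reason to flag. The hashed-entry branch matters in practice: hosts first seen by a client with `HashKnownHosts yes` are stored only in hashed form, and a plain string comparison would silently leave the stale key in place.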
About kastelldev/kastell
Server security auditing and hardening toolkit. 413 security checks across 29 categories (SSH, Firewall, Docker, TLS, HTTP Headers), CIS/PCI-DSS/HIPAA compliance mapping, 19-step production hardening, fleet management, and forensic evidence collection. Supports Hetzner, DigitalOcean, Vultr, and Linode. 13 MCP tools.