qwexvf/aegis-cli

v0.12.1 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 28d CLI & Terminal

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

ast-analysis cli cve dependency-scanner security go

+13 more

lockfile malware-detection npm-security osv python-security sbom sca shai-hulud supply-chain-attack supply-chain-security tree-sitter typosquatting vulnerability-scanning

Summary

AI summary

Fixed domain parsing integer overflow by clamping at 1e9.

Full changelog

aegis-cli v0.12.1

Supply-chain security CLI for npm / bun / yarn / pnpm.

Verifying releases

All artifacts are checksummed (checksums.txt) and the checksums file
is signed via cosign keyless OIDC. To verify:

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature   checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt

SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf.

Fixed

domain: clamp parseInt at 1e9 to prevent silent int overflow (f7f9393)

Apache-2.0 — see LICENSE.

Security Fixes

Prevented silent integer overflow in domain parsing by clamping parseInt at 1e9

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track qwexvf/aegis-cli

Get notified when new releases ship.

About qwexvf/aegis-cli

All releases →