This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
ReleasePort's take
Light signal
Release v0.15.0 adds maintainer-transfer detection via npm _npmUser and introduces an opt-in tarball-source-drift detector, while limiting drift checks to direct dependencies.
Why it matters: if you enable the new detectors, they will alert on changes in the publishing account of a dependency and on mismatches between a published tarball and its source repository; drift analysis is restricted to direct dependencies by default. Review your configuration before upgrading.
Summary
AI summary: Added maintainer-transfer and tarball-source-drift detectors, restricted drift to direct dependencies.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | Detects maintainer transfer via npm _npmUser field (source: llm_adapter@2026-05-21, confidence: high) | — |
| Feature | Medium | Adds opt-in tarball-source-drift detector via AEGIS_DRIFT=1 (source: llm_adapter@2026-05-21, confidence: high) | — |
| Feature | Medium | Restricts tarball-drift detector to direct dependencies by default (source: llm_adapter@2026-05-21, confidence: high) | — |
| Bugfix | Medium | Fixes scanner noise and pnpm v9 lockfile parser compatibility (source: llm_adapter@2026-05-21, confidence: high) | — |
| Bugfix | Medium | Fixes drift detector behavior on truncated GitHub tree (source: llm_adapter@2026-05-21, confidence: low) | — |
| Bugfix | Low | Skips drift detection on truncated GitHub tree (source: granite4.1:30b@2026-05-24-audit, confidence: low) | — |
Full changelog
aegis-cli v0.15.0
Supply-chain security CLI for npm / bun / yarn / pnpm.
Verifying releases
All artifacts are checksummed (checksums.txt) and the checksums file is signed via cosign keyless OIDC. To verify:

```sh
cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt
```

SLSA build provenance is attached to every artifact and can be verified with `gh attestation verify <file> --owner qwexvf`.
Added
- maintainer-transfer detector via npm _npmUser (#46) (a5bbc96)
- tarball-source-drift detector (opt-in via AEGIS_DRIFT=1) (#45) (e56cbe6)
Fixed
- scanner noise + pnpm v9 lockfile parser (#44) (79a3730)
- skip drift on truncated github tree (#48) (a58274e)
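The two detectors named in this changelog, and the truncated-tree fix under "Fixed", are illustrated below in plain Node.js as an added example; this is not aegis-cli's code and does not reproduce how the project implements them. It assumes the npm registry packument shape (`versions[v]._npmUser`, `time[v]`) and the GitHub git-tree API shape (`tree[].path`, `tree[].type`, `truncated`); the sample packument, tarball listing and tree are constructed, the `ignore` option and the "direct dependencies only" scoping are left to the caller.

```javascript
// Added example (not part of the aegis-cli release): maintainer-transfer and
// tarball-source-drift checks on constructed registry/GitHub-shaped inputs.

// Order published versions by their publish timestamp (packument `time` map).
function versionsByPublishTime(packument) {
  return Object.keys(packument.versions)
    .filter((v) => packument.time && packument.time[v])
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]));
}

// Maintainer transfer: the account recorded in `_npmUser` for a version differs
// from the account that published the preceding version. Versions without the
// field are skipped rather than treated as a change.
function detectMaintainerTransfer(packument) {
  const findings = [];
  const ordered = versionsByPublishTime(packument);
  for (let i = 1; i < ordered.length; i++) {
    const prev = packument.versions[ordered[i - 1]]._npmUser;
    const cur = packument.versions[ordered[i]]._npmUser;
    if (!prev || !cur) continue;
    if (prev.name !== cur.name) {
      findings.push({
        package: packument.name,
        from: ordered[i - 1],
        to: ordered[i],
        previousPublisher: prev.name,
        newPublisher: cur.name,
      });
    }
  }
  return findings;
}

// Tarball-source drift: files present in the published tarball that have no
// blob in the repository tree at the tagged commit. The GitHub tree API sets
// `truncated: true` when the listing is incomplete; comparing against a partial
// tree would report false drift, so the check is skipped in that case.
function detectTarballDrift(tarballPaths, gitTree, opts = {}) {
  if (gitTree.truncated) {
    return { status: 'skipped', reason: 'github tree truncated', drift: [] };
  }
  const ignore = opts.ignore || []; // e.g. build-output patterns; caller's choice
  const repoBlobs = new Set(
    gitTree.tree.filter((e) => e.type === 'blob').map((e) => e.path),
  );
  const drift = tarballPaths
    .map((p) => p.replace(/^package\//, '')) // npm tarballs prefix entries with "package/"
    .filter((p) => !repoBlobs.has(p) && !ignore.some((re) => re.test(p)));
  return { status: drift.length ? 'drift' : 'clean', drift };
}

// Constructed sample inputs (not real packages or repositories).
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  time: {
    '1.0.0': '2025-01-10T00:00:00Z',
    '1.1.0': '2025-03-02T00:00:00Z',
    '1.1.1': '2025-03-20T00:00:00Z',
  },
  versions: {
    '1.0.0': { _npmUser: { name: 'alice', email: 'alice@example.invalid' } },
    '1.1.0': { _npmUser: { name: 'alice', email: 'alice@example.invalid' } },
    '1.1.1': { _npmUser: { name: 'bob', email: 'bob@example.invalid' } },
  },
};
const SAMPLE_TARBALL = [
  'package/package.json',
  'package/index.js',
  'package/lib/core.js',
  'package/lib/extra.js', // not in the repo tree below
];
const SAMPLE_TREE = {
  truncated: false,
  tree: [
    { path: 'package.json', type: 'blob' },
    { path: 'index.js', type: 'blob' },
    { path: 'lib', type: 'tree' },
    { path: 'lib/core.js', type: 'blob' },
  ],
};
const TRUNCATED_TREE = { truncated: true, tree: [] };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(detectMaintainerTransfer(SAMPLE_PACKUMENT), null, 2));
  console.log(JSON.stringify(detectTarballDrift(SAMPLE_TARBALL, SAMPLE_TREE), null, 2));
  console.log(JSON.stringify(detectTarballDrift(SAMPLE_TARBALL, TRUNCATED_TREE), null, 2));
}
```

Running it reports one maintainer transfer (1.1.0 published by alice, 1.1.1 by bob), one drifted file (`lib/extra.js`), and a skipped result for the truncated tree; a real run would fetch the packument from the registry, the tarball listing from the `.tgz`, and the tree for the commit the tag resolves to.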
Build
- deps: bump actions/configure-pages from 5 to 6 (#37) (5d24aa2)
- deps: bump actions/setup-node from 4 to 6 (#40) (f179cf0)
- deps: bump actions/upload-pages-artifact from 3 to 5 (#39) (39a57b1)
- deps: bump googleapis/release-please-action from 4 to 5 (#41) (52ca641)
- deps: bump lodash from 4.17.20 to 4.18.1 in /examples/demo (#36) (3fa07f0)
- deps: bump lodash in /examples/reachability/cve-in-unused-dep (#31) (a734103)
- deps: bump minimist from 1.2.5 to 1.2.6 in /examples/demo (#34) (fceb14c)
- deps: bump mlugg/setup-zig from 1 to 2 (#38) (2db285e)
- deps: bump zod in /examples/reachability/cve-in-unused-dep (#32) (b8a49b3)
Apache-2.0 — see LICENSE.