This release adds 1 notable feature for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+13 more
ReleasePort's take
Light signalRelease v0.15.1 provides separate tarball artifacts for each supported package manager.
Why it matters: FYI: distribution now includes distinct archives per package manager; no action required.
Summary
AI summaryRelease artifacts are now provided as separate tarballs for each package manager.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Bugfix | Medium |
Release archives split per package manager, shipping all pm tarballs Release archives split per package manager, shipping all pm tarballs Source: llm_adapter@2026-05-21 Confidence: high |
— |
Full changelog
aegis-cli v0.15.1
Supply-chain security CLI for npm / bun / yarn / pnpm.
Verifying releases
All artifacts are checksummed (checksums.txt) and the checksums file
is signed via cosign keyless OIDC. To verify:
cosign verify-blob \
--certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt
sha256sum -c checksums.txt
SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf.
Fixed
Apache-2.0 — see LICENSE.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About qwexvf/aegis-cli
All releases →Related context
Beta — feedback welcome: [email protected]