This release adds four features (CycloneDX 1.6 SBOM output, registry license extraction, snapshot rescan, retract-range and SARIF-merge support) and three bug fixes to the workflow-scanning heuristics; engineering teams evaluating rollout should note the changes to license and rescan output.
✓ No known CVEs patched in this version
ReleasePort's take
aegis-cli v0.18.0 adds the --cdx-version flag for CycloneDX 1.6 SBOM output, extracts package licenses from registries, and introduces aegis snapshot rescan for retroactive OSV re-scans.
Why it matters: license extraction changes what the generated SBOM contains and snapshot rescan changes how vulnerability findings are produced, so exercise both in a non-production pipeline before rolling v0.18.0 out.
Summary
Add --cdx-version flag for CycloneDX 1.6, extract package licenses from registries, and introduce aegis snapshot rescan.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Medium | --cdx-version flag added for CycloneDX 1.6 support | — |
| Feature | Medium | Extracts package licenses from registries | — |
| Feature | Medium | aegis snapshot rescan for retroactive OSV re-scan | — |
| Feature | Medium | Retract range support, SARIF merge, and --suggest docs added | — |
| Bugfix | Medium | Added eval(atob()) pattern to suspicious run: checks in actions | — |
| Bugfix | Medium | Extended nonStandardRuntimePattern to cover deno run heuristics | — |
| Bugfix | Medium | Fixed block-form retract parsing, PyPI URL encoding, and eval hint issues | — |
Full changelog
aegis-cli v0.18.0
Supply-chain security CLI for npm / bun / yarn / pnpm.
Verifying releases
All artifacts are checksummed (checksums.txt) and the checksums file is signed via cosign keyless OIDC. To verify:
cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  checksums.txt
sha256sum -c checksums.txt
The trailing .* in the identity regexp accepts a signature produced from any ref of that workflow. For a stricter check of a tag-triggered release, pass the exact identity instead, e.g. --certificate-identity 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml@refs/tags/v0.18.0' (this assumes release.yml ran on the tag push; a run triggered from a branch carries that branch ref in its certificate). sha256sum -c expects every file listed in checksums.txt to be present in the working directory; if you downloaded only some artifacts, add --ignore-missing so the absent ones are skipped rather than reported as errors.
SLSA build provenance is attached to every artifact and can be verified with gh attestation verify <file> --owner qwexvf.
Changelog
Features
- 47445279508272603e7e62e7b466327e4c24c8e5: feat(sbom): --cdx-version flag, CycloneDX 1.6 support (@qwexvf)
- 5ac63021dfd27e8b55cc7e48e848606b8741de4a: feat(sbom): extract package licenses from registries (@qwexvf)
- 60c256cc28b2c23bf145fca6962b019bf09aa96a: feat: aegis snapshot rescan — retroactive OSV re-scan (@qwexvf)
- 88ff837fc17d3b6baed8fceffa960fc7e35b417b: feat: retract range support, SARIF merge, docs --suggest (@qwexvf)
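aegis snapshot rescan re-checks a previously recorded dependency set against current OSV data. As an added example, not aegis-cli's own code, the block below shows the mechanics: build an OSV querybatch request from a saved snapshot, align the positional results with the packages, and report vulnerabilities that the snapshot did not record or whose OSV record changed after the snapshot was taken. The snapshot layout, the knownVulns field, the package names and the EXAMPLE-* identifiers are constructed placeholders; only the OSV request and response shape is the real API.

```javascript
// Added example (not aegis-cli code): retroactive re-scan of a saved snapshot against OSV.
// Real OSV endpoint; the snapshot layout and all package data below are constructed.
const OSV_QUERYBATCH_URL = 'https://api.osv.dev/v1/querybatch';

// Constructed snapshot of what an earlier scan resolved, plus the vuln IDs it saw then.
const SNAPSHOT = {
  takenAt: '2026-05-01T00:00:00Z',
  ecosystem: 'npm',
  packages: [
    { name: 'example-util', version: '1.3.0' },
    { name: 'example-lib', version: '2.4.1' },
  ],
  knownVulns: { 'example-lib@2.4.1': ['EXAMPLE-OLD-1'] },
};

// OSV querybatch body: one query per package; results come back in the same order.
function buildQueryBatch(snapshot) {
  return {
    queries: snapshot.packages.map((p) => ({
      package: { name: p.name, ecosystem: snapshot.ecosystem },
      version: p.version,
    })),
  };
}

// Compare a querybatch response with the snapshot. Returns:
//   newVulns: IDs OSV reports now that the snapshot did not record
//   updated:  already-known IDs whose OSV record was modified after takenAt
function diffRescan(snapshot, response) {
  const results = Array.isArray(response.results) ? response.results : [];
  if (results.length !== snapshot.packages.length) {
    // A short response would silently misalign packages with results; fail closed.
    throw new Error(`OSV returned ${results.length} results for ${snapshot.packages.length} queries`);
  }
  const newVulns = [];
  const updated = [];
  snapshot.packages.forEach((p, i) => {
    const key = `${p.name}@${p.version}`;
    const known = new Set(snapshot.knownVulns[key] || []);
    for (const v of results[i].vulns || []) {
      const entry = { package: key, id: v.id, modified: v.modified };
      if (!known.has(v.id)) newVulns.push(entry);
      else if (v.modified > snapshot.takenAt) updated.push(entry); // ISO-8601 UTC strings sort lexically
    }
  });
  return { newVulns, updated };
}

// Constructed response in OSV's querybatch shape: {} for a clean package, vulns[] otherwise.
const SAMPLE_RESPONSE = {
  results: [
    {},
    {
      vulns: [
        { id: 'EXAMPLE-OLD-1', modified: '2026-05-10T00:00:00Z' },
        { id: 'EXAMPLE-NEW-2', modified: '2026-05-18T00:00:00Z' },
      ],
    },
  ],
};

// Live variant: POST the batch and diff the real answer (needs network and Node 18+ fetch).
async function rescanLive(snapshot, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(OSV_QUERYBATCH_URL, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(buildQueryBatch(snapshot)),
  });
  if (!res.ok) throw new Error(`OSV querybatch failed: HTTP ${res.status}`);
  return diffRescan(snapshot, await res.json());
}

console.log(JSON.stringify(diffRescan(SNAPSHOT, SAMPLE_RESPONSE), null, 2));
```

The length check matters more than it looks: querybatch results are matched to queries by position only, so a truncated or partial response would attribute findings to the wrong package if it were not rejected outright.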
Bug fixes
- 7c2f6fd6924abe91b674bdde4d81eb8faa10bf42: fix(actions): add eval(atob()) pattern to suspicious run checks (@qwexvf)
- 899c1d2d041ec21af20a833887c3f3cfd606128b: fix(heuristics): extend nonStandardRuntimePattern to cover deno run (@qwexvf)
- 8e4037c5ceae3d86870fcdf29e122cc6e8f35c9c: fix: block-form retract parsing, pypi url encoding, eval hint (@qwexvf)
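The two heuristics fixes above concern patterns in the run: scripts of GitHub Actions steps. The following is an added example written for this page, not code from aegis-cli: a small scanner that flags eval(atob(...)), remote-script-to-shell pipes, and launches of runtimes such as deno run from a step. The pattern names, the patterns beyond the two the changelog names, and the SAMPLE_STEPS input are assumptions constructed for illustration.

```javascript
// Added example (not aegis-cli code): heuristic checks over GitHub Actions `run:` steps.
// Pattern names and the list itself are my own assumptions, not the project's identifiers.

const SUSPICIOUS_RUN_PATTERNS = [
  // eval of a base64-decoded string: the classic way to hide a payload in inline JS
  { id: 'eval-atob', re: /\beval\s*\(\s*atob\s*\(/, why: 'eval() of a base64-decoded payload' },
  // remote script piped straight into a shell (optionally via sudo)
  { id: 'curl-pipe-shell', re: /\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|k|da)?sh\b/, why: 'remote script piped into a shell' },
  // base64 -d ... | sh
  { id: 'base64-pipe-shell', re: /\bbase64\s+(-d|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z|k|da)?sh\b/, why: 'base64-decoded text piped into a shell' },
];

// Runtimes other than the project's package manager being launched from a step.
// Assumption: covers `deno run` (the case the changelog names) plus inline-code runners.
const NON_STANDARD_RUNTIME = /(^|[\s;&|(])(deno\s+run|node\s+-e|python3?\s+-c)\b/;

// Join shell line continuations and collapse whitespace so a split command still matches.
function normalizeRun(run) {
  return run.replace(/\\\r?\n/g, ' ').replace(/\s+/g, ' ').trim();
}

// Scan already-parsed steps ([{ name, run }] or [{ name, uses }]) and return one finding
// per matched heuristic: { step, name, id, why }.
function scanSteps(steps) {
  const findings = [];
  steps.forEach((step, index) => {
    if (typeof step.run !== 'string') return; // `uses:` steps carry no inline script
    const script = normalizeRun(step.run);
    for (const p of SUSPICIOUS_RUN_PATTERNS) {
      if (p.re.test(script)) findings.push({ step: index, name: step.name, id: p.id, why: p.why });
    }
    const m = NON_STANDARD_RUNTIME.exec(script);
    if (m) findings.push({ step: index, name: step.name, id: 'non-standard-runtime', why: `launches ${m[2]}` });
  });
  return findings;
}

// Constructed workflow steps; the base64 in step 1 decodes to the harmless console.log(1).
const SAMPLE_STEPS = [
  { name: 'Install', run: 'npm ci' },
  { name: 'Build', run: 'node -e "eval(atob(\'Y29uc29sZS5sb2coMSk=\'))"' },
  { name: 'Lint', run: 'deno run --allow-net https://example.invalid/lint.ts' },
  { name: 'Bootstrap', run: 'curl -fsSL https://example.invalid/setup.sh \\\n  | bash' },
];

console.table(scanSteps(SAMPLE_STEPS));
```

Two details are worth keeping when adapting this: normalising the script first, so a backslash-continued curl | bash is not missed, and requiring a word boundary after sh, so curl ... | shasum does not trip the pipe-to-shell check.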
Other
- 293dee20699ef772c7ddad661c56c1fc4794bdff: chore: remove bloated router_init.js fixture (585 KB) (@qwexvf)
- 3916f6000c158c2fe1f2530744d582a6f25cc2bf: ci(sbom): validate CycloneDX 1.5 output against schema (@qwexvf)
Apache-2.0 — see LICENSE.