This release adds 1 notable feature for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Topics
+13 more
Summary
AI summaryDetect vulnerabilities and suspicious packages without the API.
Full changelog
aegis-cli v0.2.0
Supply-chain security CLI for npm / bun / yarn / pnpm.
Verifying releases
All artifacts are checksummed (checksums.txt) and the checksums file
is signed via cosign keyless OIDC. To verify:
cosign verify-blob \
--certificate-identity-regexp 'https://github.com/qwexvf/aegis-cli/.github/workflows/release.yml.*' \
--certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
--certificate checksums.txt.pem \
--signature checksums.txt.sig \
checksums.txt
sha256sum -c checksums.txt
SLSA build provenance is attached to every artifact and can be
verified with gh attestation verify <file> --owner qwexvf.
Changelog
Features
- abfa8237b462f936fa8c6e69f5eecf1174d00b5b: feat: detect vulnerabilities + suspicious packages without our API (#14) (@qwexvf)
Documentation
- 888d6931b94651a4ea15ad89a30134c30db5d0aa: docs: add commands / configuration / cookbook references (#12) (@qwexvf)
- 69a8a03cf531a5b2369437ee8b8948f4f132be10: docs: reposition CLI as local-first; mark API-dependent commands (#13) (@qwexvf)
- 9d02f78ee3105fa06e3092c5523c1eda551ae32d: docs: scrub monorepo-era paths from CI templates and design docs (#11) (@qwexvf)
Apache-2.0 — see LICENSE.
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About qwexvf/aegis-cli
All releases →Related context
Beta — feedback welcome: [email protected]