惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Blog — PlanetScale
Blog — PlanetScale
SecWiki News
SecWiki News
Google DeepMind News
Google DeepMind News
WordPress大学
WordPress大学
小众软件
小众软件
C
CERT Recently Published Vulnerability Notes
Jina AI
Jina AI
N
Netflix TechBlog - Medium
GbyAI
GbyAI
IT之家
IT之家
Apple Machine Learning Research
Apple Machine Learning Research
AWS News Blog
AWS News Blog
G
GRAHAM CLULEY
L
Lohrmann on Cybersecurity
C
Cybersecurity and Infrastructure Security Agency CISA
I
Intezer
T
Tor Project blog
P
Palo Alto Networks Blog
P
Privacy & Cybersecurity Law Blog
P
Privacy International News Feed
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Proofpoint News Feed
T
Tailwind CSS Blog
C
Check Point Blog
Cloudbric
Cloudbric
Y
Y Combinator Blog
The Last Watchdog
The Last Watchdog
Forbes - Security
Forbes - Security
Last Week in AI
Last Week in AI
S
Security Affairs
博客园 - Franky
F
Fortinet All Blogs
量子位
M
MIT News - Artificial intelligence
C
Cisco Blogs
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
S
Secure Thoughts
V
Visual Studio Blog
AI
AI
美团技术团队
B
Blog RSS Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - 三生石上(FineUI控件)
阮一峰的网络日志
阮一峰的网络日志
Engineering at Meta
Engineering at Meta
人人都是产品经理
人人都是产品经理
Microsoft Security Blog
Microsoft Security Blog
T
Threatpost
Cyberwarzone
Cyberwarzone

Hacker News: Show HN

PurrrrrFocus: Pomodoro Timer App - App Store Workflow Engine — Multi-Step Orchestration for Bun RapidPhoto: Pro Photo Editor App - App Store GitHub - DheerG/swarms: Achieve extraordinary results with claude code across a variety of tasks SPICE simulation → oscilloscope → verification with Claude Code — Lucas Gerads Show HN: VCoding – A 5 MB native Windows IDE with no dynamic dependencies Show HN: LLMs don't hallucinate because they're bad at math, it's the format GitHub - Agent-FM/agentfm-core: AgentFM is a peer-to-peer network that turns everyday computers into a decentralized AI supercomputer. AgentFM lets you run massive AI workloads directly across a global mesh of idle CPUs and GPUs. Show HN: Tracking Top US Science Olympiad Alumni over Last 25 Years GitHub - Potarix/agent-hub: One place to talk to all your agents Show HN: Runtime security for AI agents(injection,tool abuse, data exfiltration) GitHub - dubeyKartikay/lazyspotify: Terminal Spotify client for macOS and Linux GitHub - the-banana-tool/king-louie: Easy to use GUI Personal AI Assistant. Win/Linux/Mac. Show HN I made my vacation rental bookable by AI agents–no Airbnb, 0% commission GitHub - basteez/jsf-autoreload: maven plugin to enable hot reload on jsf projects uvm32/hosts/host-gdbstub at main · ringtailsoftware/uvm32 GitHub - labsai/EDDI: Config-driven engine that turns JSON into production-grade AI agents. Multi-agent orchestration, 12+ LLM providers, MCP/A2A protocols, RAG, persistent memory, and enterprise compliance (EU AI Act, GDPR, HIPAA). Built on Quarkus. GitHub - glitchnsec/fortyone-oss: AI Executive Assistant Platform Quickstart | Alien GitHub - muxshed/shed: One stream in, or many. Every destination, simultaneously. No cloud middleman, no per-channel fees, no limits. GitHub - ocrbase-hq/ocrbase: 📄 PDF/IMG ->.MD/JSON Document OCR API for PaddleOCR and GLMOCR. Self-hostable. GitHub - impactjo/home-memory: MCP server that lets your AI assistant remember everything about your home. GitHub - Sets88/dbcls: DbCls is a powerful terminal database client that supports various databases GitHub - neptun2000/heor-agent-mcp GitHub - SeanFDZ/macmind: Single-layer transformer in HyperTalk for the classic Macintosh RollQuation: Math Puzzles - Apps on Google Play GitHub - dropbox/witchcraft Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis GitHub - opentalon/opentalon: OpenTalon is an open-source platform built from the ground up in Go as a robust alternative to OpenClaw LinkedIn™ 职位抓取工具 - Chrome 应用商店 GitHub - EdoardoBambini/Agent-Armor-Iaga: AI agents are getting tool access — shell, file system, databases, APIs, secrets. But **nobody is governing what they actually do with it**. Frameworks like LangChain, CrewAI, AutoGen, and Claude Code give agents the power to execute. Agent Armor gives you the power to control, audit, and approve every single action before it happens. HN Vibes — Week 15, Apr 7–13 2026 GitHub - chojs23/ec: Easy terminal-native 3-way git mergetool vim-like workflow GitHub - SethPyle376/hiraeth: Local AWS emulator focused on fast integration testing, with SQS support, SQLite-backed state, and a debug-friendly web UI. GitHub - JakOb-dotcom/cloud-sandbox-security-analysis: Technical analysis and Proof of Concept (PoC) regarding environment variable exfiltration in containerized cloud sandboxes via side-channel data leaks. Springboards - Flint Alpha Show HN: A simpler coding agent harness GitHub - audiodude/sudomake-friends GitHub - 256thFission/mini-mythos: OSS clone of Anthropic’s Mythos harness to locate C/C++ memory vulnerabilities Show HN: OpenParallax: OS-level privilege separation for AI agent execution Hacker News Sorted - Chrome 应用商店 Show HN: How to Install Docker on Ubuntu 24.04 LTS: Complete 2026 Guide GitHub - himanshudongre/smriti GitHub - sverrirsig/claude-control: macOS desktop dashboard for monitoring and managing multiple Claude Code sessions GitHub - ory/dockertest: Write better integration tests! Dockertest helps you boot up ephermal docker images for your Go tests with minimal work. Chiral - Chrome 应用商店 Show HN: Two Claudes collaborating through shared memory on a $100 mini-PC GitHub - pmichaillat/latex-cv: Minimalist LaTeX template for academic CVs GitHub - oguzbilgic/posse: A web UI for Anthropic Managed Agents. GitHub - sshiraz/depsly: Dependency risk analysis tool for npm packages ABI Add safari/agent-harness — Safari browser automation via safari-mcp by achiya-automation · Pull Request #212 · HKUDS/CLI-Anything GitHub - Halfblood-Prince/trustcheck: Verify PyPI package attestations and improve Python supply-chain security GitHub - oguzbilgic/kern-ai: Agents that do the work and show it. GitHub - bruits/satteri: High-performance Markdown and MDX processing for the JavaScript ecosystem GitHub - tylergibbs1/feedstock: High-performance web crawler and scraper for TypeScript, powered by Bun and Playwright GitHub - Grimm67123/grimmbot: The self-improving sandboxed and open-source AI agent. With persistent memory and scheduling. GitHub - whitevanillaskies/whitebloom: Local whiteboard that blooms. GitHub - hwdsl2/docker-whisper: Docker image for a self-hosted Whisper speech-to-text server with speaker diarization and OpenAI-compatible transcription and translation APIs. Powered by faster-whisper. Supports all Whisper models, NVIDIA GPU (CUDA) acceleration, JSON/SRT/VTT output, SSE streaming, offline mode, and multi-arch (amd64, arm64). GitHub - yisding/reviewwiggum GitHub - MarwanAlsoltany/serrors: Structured errors for Go: sentinel hierarchies, typed data, custom formatting, and slog integration. GitHub - soatok/age-php GitHub - Luthiraa/markitme GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits GitHub - tombedor/excalicharts GitHub - wh1le/excalidraw-edit: Open and edit .excalidraw files from the terminal. Offline, auto-saves to disk. MalExt Sentry - Malicious Extension Scanner - Chrome 应用商店 GitHub - syi0808/asciianimesvg: Generate animated ASCII art SVGs from text. CLI, Rust library, WASM, and web editor. GitHub - zaina-ml/ml_forge: A visual-based graph node editor for training computer vision models. GitHub - anakin87/llm-rl-environments-lil-course: 🌱 A little course on Reinforcement Learning Environments for evaluating and training Language Models GitHub - takaakit/superpowers-uml: Superpowers-UML modifies Superpowers to ensure a software development workflow in which AI agents design through UML modeling. AdriByte Studio - Sviluppo Web e Soluzioni Digitali GitHub - chouligi/angel-copilot: Your personalized Angel Investment Advisor Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 GitHub - agenteractai/lodmem: Level Of Detail Context Management for Agents GitHub - ostefani/subnetlens: A fast, concurrent network scanner with a TUI and plain-text CLI, built in Go. It discovers live hosts on your network, scans their open ports, resolves hostnames, and fingerprints operating systems—delivered. Cyber Pulse: Agentic Intel - Apps on Google Play Whisper API: Self-Hostable Speech to Text Transcription The Agent-Web Protocol Stack: A Research Thesis GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Show HN: Provepy – A Python decorator that proves your code using Lean and LLMs Show HN: Pardonned.com – A searchable database of US Pardons GitHub - patrickdappollonio/dux: Dux is a terminal UI that lets you run multiple AI coding agents side by side, each in its own git worktree, with full companion terminals, macros, commit generation, and a command palette that knows more tricks than you do. kMC Crystal Simulator Show HN: HyperFlow – A self-improving agent framework built on LangGraph GitHub - stef41/vibescore: 🎵 Grade your vibe-coded project. One command, instant letter grade across security, quality, dependencies, and testing. GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. imgur.com GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. GitHub - nowork-studio/toprank: Open-source Claude Code skills for SEO, SEM, Google Ads GitHub - tacomanator/sash: Lightweight macOS menu bar app for reliably cycling through windows of the current application. Appents | Social Media Management for Product-First Teams GitHub - pnhoang/youtube-spam-blocker: Automatically detects and hides spam messages in YouTube Live chat. Set rate limits, keyword filters, and block repeat offenders. GitHub - decisionnode/DecisionNode: CLI + Local MCP - A shared structured memory store across Claude Code, Cursor, Windsurf, Antigravity, and every MCP client. Semantically queryable. GitHub - AvaCodeSolutions/django-email-learning: An open source Django app for creating email-based learning platforms with IMAP integration and React frontend components. The $100K Gap in Kubernetes Security Tooling Function Calling Harness: From 6.75% to 100%
GitHub - arnica/depsguard: Harden your package manager configs against supply chain attacks.
eranation · 2026-06-02 · via Hacker News: Show HN

CI Security Audit crates.io License: MIT MSRV

     _                                          _
  __| | ___ _ __  ___  __ _ _   _  __ _ _ __ __| |
 / _` |/ _ \ '_ \/ __|/ _` | | | |/ _` | '__/ _` |
| (_| |  __/ |_) \__ \ (_| | |_| | (_| | | | (_| |
 \__,_|\___| .__/|___/\__, |\__,_|\__,_|_|  \__,_|
           |_|        |___/

Guard your dependencies against supply chain attacks. Single static binary, zero Rust crate dependencies.

By [arnica]

Table of contents

  • Overview
  • Install
  • Usage
  • What gets checked
  • Config file locations
  • Urgent security fix
  • Backups and restore
  • How it works
  • Troubleshooting
  • Help & feedback
  • See also
  • License

Overview

DepsGuard looks for npm, pnpm, yarn, bun, uv, pip, poetry, and aube on your machine, reads their config files, compares them to recommended supply-chain settings, and can apply fixes interactively. It also scans for Renovate and Dependabot configs in your repos. It never runs package installs; it only edits config files you approve, and it writes backups before any change.

Key features

  • Interactive TUI: scan, review, toggle fixes, apply
  • scan subcommand for read-only reporting
  • restore subcommand to pick a backup and roll back a file
  • Cross-platform: Linux, macOS, Windows
  • No bundled third-party Rust crates (stdlib + small amount of platform FFI for the terminal)

Tech stack

Area Details
Language Rust (MSRV 1.74, see Cargo.toml)
CLI / TUI src/main.rs, src/ui.rs, src/term.rs
Config logic src/manager.rs, src/fix.rs
Website Static site under docs/ (separate from the binary)

Install

Prebuilt binaries

Each GitHub Release includes archives for:

  • Linux: x86_64 (glibc), x86_64 (musl), aarch64 (glibc)
  • macOS: Intel and Apple Silicon
  • Windows: x86_64 ZIP containing depsguard.exe

Download the archive for your platform, unpack it, and put the binary on your PATH.

Verify integrity using the matching .sha256 file next to each asset on the release page.

Install by platform

Linux (Debian/Ubuntu via APT)

sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://depsguard.com/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/depsguard.gpg
echo "deb [arch=amd64,arm64 signed-by=/etc/apt/keyrings/depsguard.gpg] https://depsguard.com/apt stable main" | sudo tee /etc/apt/sources.list.d/depsguard.list >/dev/null
sudo apt update
sudo apt install depsguard

macOS (Intel / Apple Silicon)

# Homebrew tap
brew tap arnica/depsguard https://github.com/arnica/depsguard
brew install depsguard

Windows

# WinGet
winget install Arnica.DepsGuard

# Scoop
scoop bucket add depsguard https://github.com/arnica/depsguard
scoop install depsguard

Or download manually via PowerShell:

$zip = "$env:TEMP\\depsguard.zip"
Invoke-WebRequest -Uri "https://github.com/arnica/depsguard/releases/latest/download/depsguard-x86_64-pc-windows-msvc.zip" -OutFile $zip
Expand-Archive -LiteralPath $zip -DestinationPath "$env:TEMP\\depsguard" -Force
Copy-Item "$env:TEMP\\depsguard\\depsguard.exe" "$HOME\\AppData\\Local\\Microsoft\\WindowsApps\\depsguard.exe" -Force
depsguard.exe --help

crates.io

Requires a Rust toolchain with cargo.

Package managers (when published by your vendor)

If your organization ships DepsGuard via Homebrew, Scoop, or WinGet, use their instructions. Setting up or automating those channels (Homebrew core PRs, buckets, WinGet PRs, CI secrets) is maintainer documentation — see AGENTS.md under Release & distribution.

App stores / package managers

Channel Linux macOS Windows Install command
APT (custom repo) yes no no sudo apt install depsguard (after repo setup above)
crates.io yes yes yes cargo install depsguard
Homebrew (custom tap) yes yes no brew tap arnica/depsguard https://github.com/arnica/depsguard ; brew install depsguard
Scoop (custom bucket) no no yes scoop bucket add depsguard https://github.com/arnica/depsguard ; scoop install depsguard
WinGet no no yes winget install Arnica.DepsGuard

Build from source

git clone https://github.com/arnica/depsguard.git
cd depsguard
cargo build --release

The binary is target/release/depsguard (.exe on Windows). Rust 1.74+ is required.

Usage

depsguard              # interactive: scan, choose fixes, apply
depsguard scan         # report only; no writes
depsguard --no-search  # skip recursive file search, check local configs only
depsguard restore      # restore from a previous backup
depsguard --help       # CLI help

How to use

  1. Install – pick your platform above.
  2. Run depsguard to launch the interactive TUI. It scans your system and shows a table of findings. Press any key to continue to the fix selector. Repo-level config discovery starts from the current directory and searches downward. Use depsguard scan for a read-only report, or depsguard --no-search to skip the recursive file search and only check user-level configs.

    Note: some settings require a minimum version. If your version is too old you'll see: ℹ min-release-age – requires npm ≥ 11.10 (have 10.2.0). Upgrade with npm install -g npm@latest and re-run.

  3. Navigate & select – use to move through the list (^u ^d to page). Press Space to toggle a fix on or off. Use quick-filter keys to bulk-select by file: a all, n .npmrc, u uv.toml, etc. – press once to select, again to deselect, a third time to clear the filter. Press f to show only currently selected fixes.
  4. Preview – press d to see a diff of what will change before you commit to anything.
  5. Apply – press Enter to apply the selected fixes. A timestamped backup is created before any file is written.
  6. Rescan – DepsGuard automatically reruns the scan after applying, so you can verify everything is green.
  7. Restore – run depsguard restore at any time to roll back from the backup list. Press q or Esc to quit.

What gets checked

Manager Config Setting Target Why
npm ~/.npmrc min-release-age 7 (days) Delay brand-new releases (requires npm >= 11.10)
npm/pnpm ~/.npmrc ignore-scripts true Reduce install-script risk
pnpm ~/.npmrc minimum-release-age 10080 (minutes) Delay new versions by 7 days (requires pnpm >= 10.16)
pnpm global rc (pnpm <= 10) minimum-release-age 10080 (minutes) Delay new versions by 7 days (requires pnpm >= 10.16)
pnpm global rc (pnpm <= 10) block-exotic-subdeps true Block untrusted transitive deps (requires pnpm >= 10.26)
pnpm global rc (pnpm <= 10) trust-policy no-downgrade Block provenance downgrades (requires pnpm >= 10.21)
pnpm global rc (pnpm <= 10) strict-dep-builds true Fail on unreviewed build scripts (requires pnpm >= 10.3)
pnpm global rc (pnpm <= 10) ignore-scripts true Block malicious install scripts
pnpm global config.yaml (pnpm >= 11) minimumReleaseAge 10080 (minutes) Delay new versions by 7 days
pnpm global config.yaml (pnpm >= 11) blockExoticSubdeps true Block untrusted transitive deps
yarn .yarnrc.yml npmMinimalAgeGate 7d Delay new versions by 7 days (requires yarn >= 4.10)
pnpm pnpm-workspace.yaml minimumReleaseAge 10080 (minutes) Delay new versions by 7 days (requires pnpm >= 10.16)
pnpm pnpm-workspace.yaml strictDepBuilds true Fail on unreviewed build scripts (requires pnpm >= 10.3)
pnpm pnpm-workspace.yaml trustPolicy no-downgrade Block provenance downgrades (requires pnpm >= 10.21)
pnpm pnpm-workspace.yaml blockExoticSubdeps true Block untrusted transitive deps (requires pnpm >= 10.26)
bun ~/.bunfig.toml install.minimumReleaseAge 604800 (seconds) ~7 day delay
aube ~/.npmrc minimumReleaseAge 10080 (minutes) Delay new versions by 7 days
uv uv.toml exclude-newer 7 days Delay new publishes (requires uv >= 0.9.17)
pip pip.conf ([install]) uploaded-prior-to P7D (7 days) Delay new publishes (requires pip >= 26.1)
poetry config.toml ([solver]) min-release-age 7 (days) Delay new publishes (requires poetry >= 2.4)
renovate renovate.json etc. minimumReleaseAge 7 days Delay dependency update PRs by 7 days
dependabot .github/dependabot.yml cooldown.default-days 7 Delay dependency update PRs by 7 days

Config file locations

Manager Linux macOS Windows
npm/pnpm/aube ~/.npmrc ~/.npmrc %USERPROFILE%\.npmrc
pnpm global $XDG_CONFIG_HOME/pnpm/rc or ~/.config/pnpm/rc $XDG_CONFIG_HOME/pnpm/rc or ~/Library/Preferences/pnpm/rc %LOCALAPPDATA%\pnpm\config\rc
yarn ~/.yarnrc.yml ~/.yarnrc.yml %USERPROFILE%\.yarnrc.yml
pnpm pnpm-workspace.yaml pnpm-workspace.yaml pnpm-workspace.yaml
bun $XDG_CONFIG_HOME/.bunfig.toml or ~/.bunfig.toml $XDG_CONFIG_HOME/.bunfig.toml or ~/.bunfig.toml %USERPROFILE%\.bunfig.toml
uv $XDG_CONFIG_HOME/uv/uv.toml or ~/.config/uv/uv.toml $XDG_CONFIG_HOME/uv/uv.toml or ~/.config/uv/uv.toml %APPDATA%\uv\uv.toml
pip $XDG_CONFIG_HOME/pip/pip.conf or ~/.config/pip/pip.conf ~/Library/Application Support/pip/pip.conf or ~/.config/pip/pip.conf (or $XDG_CONFIG_HOME/pip/pip.conf when set) %APPDATA%\pip\pip.ini
poetry $XDG_CONFIG_HOME/pypoetry/config.toml or ~/.config/pypoetry/config.toml $XDG_CONFIG_HOME/pypoetry/config.toml (when set) or ~/Library/Application Support/pypoetry/config.toml %APPDATA%\pypoetry\config.toml
renovate renovate.json, .renovaterc, .github/renovate.json, etc. (same) (same)
dependabot .github/dependabot.yml (same) (same)

User-level config files are read from their standard locations (including XDG-based paths where the tool supports them). Repo-level configs are discovered by searching downward from the current directory, skipping known large directories (node_modules, .git, target, Library, .cache, and others) so scans stay fast. Repo-level .npmrc, .yarnrc.yml, pnpm-workspace.yaml, Renovate configs, and Dependabot configs are all searched. pnpm settings can live in ~/.npmrc, the pnpm global config file (rc on pnpm <= 10, config.yaml on pnpm >= 11), or pnpm-workspace.yaml; DepsGuard checks all three locations independently. For pip, uv, and poetry, DepsGuard resolves the single effective user-level config and reports just that file, rather than flagging shadowed files separately. pip and poetry merge their config files by precedence (the highest-precedence file that sets the cooldown wins, or the preferred location if none do); uv reads a single user file ($XDG_CONFIG_HOME/uv/uv.toml when XDG_CONFIG_HOME is set, otherwise ~/.config/uv/uv.toml) rather than merging both. For bun, if multiple user-level config files exist (for example both an XDG path and a home-directory path), DepsGuard scans each existing file separately. When ~/.npmrc is missing, DepsGuard uses pnpm's global config path so fixes can create the config file directly. aube reads the same ~/.npmrc as npm/pnpm (minimumReleaseAge, in minutes) and is also checked on discovered repo-level .npmrc files; pip and poetry are scanned at their user-level config (pip.conf / pypoetry/config.toml).

Urgent security fix

If the patched version is newer than your cooldown window, add a narrow exception, install the fix, and then remove the exception.

Prefer a package-specific exception over lowering the global cooldown. That keeps the delay in place for every other dependency.

Manager How to bypass the cooldown
npm npm install <pkg>@<ver> --min-release-age=0
pnpm Add an entry to minimumReleaseAgeExclude in pnpm-workspace.yaml, run pnpm add <pkg>@<ver>, then remove the entry. Excluding by package name works on pnpm 10.16+; pinning a specific version (<pkg>@<ver>) additionally requires pnpm 10.19+. pnpm has no documented CLI override for minimumReleaseAge.
yarn Add <pkg> (or a glob) to npmPreapprovedPackages in .yarnrc.yml, or run YARN_NPM_MINIMAL_AGE_GATE=0s yarn up <pkg>@<ver> for one command. npmPreapprovedPackages exempts matches from all Yarn package gates, not only the age gate.
bun Add <pkg> to install.minimumReleaseAgeExcludes in a repo-level bunfig.toml or user-level ~/.bunfig.toml, or run bun add <pkg>@<ver> --minimum-release-age 0.
aube Add <pkg> to minimumReleaseAgeExclude in .npmrc, or set AUBE_MINIMUM_RELEASE_AGE=0 (or npm_config_minimum_release_age=0) for a single install.
uv Add "<pkg>" = false to exclude-newer-package in uv.toml or pyproject.toml, run uv add <pkg>==<ver>, then remove the entry. exclude-newer-package is a separate per-package override of the global exclude-newer cutoff. uv's CLI accepts --exclude-newer-package PACKAGE=DATE but not PACKAGE=false.
pip Run pip install <pkg>==<ver> --uploaded-prior-to=P0D for one install. P0D disables the cooldown only for that command; pip has no per-package exclusion in config.
poetry Add <pkg> to solver.min-release-age-exclude (comma-separated) in poetry.toml/config.toml, run poetry add <pkg>@<ver>, then remove the entry. solver.min-release-age-exclude-source exempts every package from a named index instead.
Renovate Security updates already bypass minimumReleaseAge. For a version update, add a packageRules entry with matchPackageNames: ["<pkg>"] and minimumReleaseAge: null.
Dependabot Security updates already bypass cooldown. For a version update, add <pkg> to cooldown.exclude.

Before you bypass the cooldown:

  1. Check whether the CVE actually affects your usage.
  2. Check whether a known-good older version is already available. A rollback may be safer.
  3. Remove temporary exceptions after the upgrade.

Backups and restore

Before modifying a file, DepsGuard writes a backup to ~/.depsguard/backups/.

Run depsguard restore to list backups and restore one.

How it works

src/
  main.rs    CLI args, run loop
  term.rs    Raw mode + input (Unix termios / Windows console FFI)
  manager.rs Detection, scanning, recommendations
  fix.rs     Read/write .npmrc, TOML, YAML; backup/restore
  ui.rs      Banner, tables, selector
  • Zero third-party crates — intentional for a small security-adjacent tool; see AGENTS.md if you change that policy.
  • Colors use ANSI sequences; modern terminals on Windows (e.g. Windows Terminal) are supported.

Troubleshooting

Symptom What to try
depsguard: command not found Ensure the install directory is on PATH, or use the full path to the binary.
Permission errors writing config DepsGuard only edits files in your user profile; run as a normal user, not elevated unless those files are owned by admin.
Keys not working on Windows Use Windows Terminal or another VT-capable terminal; legacy cmd.exe may not handle all keys.
pnpm workspaces missing Ensure pnpm-workspace.yaml lives under your home directory tree; very unusual layouts may not be discovered.
cargo install fails Install Rust via rustup and use Rust ≥ 1.74.

Help & feedback

See also

  • Dependency Cooldowns (cooldowns.dev) — a reference guide and companion shell helper (cooldowns.sh) focused specifically on minimum-release-age cooldowns. Complements DepsGuard: it covers a broader set of ecosystems on the cooldown axis (pip, uv, npm, pnpm, Yarn, Bun, Deno, Cargo), while DepsGuard covers npm/pnpm/yarn/bun/aube/uv/pip/poetry plus Renovate/Dependabot and adds other hardening settings (ignore-scripts, block-exotic-subdeps, trust-policy, strict-dep-builds) with an interactive TUI, diff preview, and backup/restore.

Python ecosystem note: DepsGuard scans the package managers that expose a release-age cooldown as a persistent config settinguv (exclude-newer), pip (uploaded-prior-to, pip ≥ 26.1), and poetry (solver.min-release-age, poetry ≥ 2.4). pdm and conda currently offer release-age only via one-off CLI flags / unreleased proposals (nothing to scan in a config file), and pixi's exclude-newer is project-scoped (no user-level config); these may be added later. pipenv and hatch have no cooldown setting yet.

License

MIT

Star History

Star History Chart

Links: Repository · Documentation site