What's new
Multi-format lockfile support — pnpm, Deno, and Bun
Every gate now runs against four lockfile formats through a normalized abstraction layer (codeartifact_shield.lockfiles) with auto-detection from filename/content and a --format / CAS_LOCKFILE_FORMAT override on every command. The README carries a full per-command support matrix (full / partial / unsupported, with footnotes).
pnpm — pnpm-lock.yaml lockfileVersion 6.0 and 9.0, parsed through a hardened YAML loader (anchors/aliases rejected outright, input size-capped, mapping-root enforced). v9 removed the per-entry requiresBuild flag, so cas scripts audits the project's onlyBuiltDependencies policy (pnpm-workspace.yaml / package.json#pnpm) against --allow and fails closed with install_script_policy_unknown when no policy is discoverable. Workspace importers feed cas drift (direct + transitive + orphan).
Deno — deno.lock versions 3, 4, and 5: npm, jsr, remote, and redirects sections. npm deps get full audit/cooldown/trust; jsr deps get cooldown via api.jsr.io publish times and are surfaced as unaudited_jsr in cas audit (OSV has no JSR ecosystem — opt into failing with --fail-on-unaudited-jsr); remote https:// modules are host-gated by cas registry, with cross-host redirects reported as MEDIUM redirect_cross_host. cas pin and cas drift gain deno.json / deno.jsonc imports modes.
Bun — bun.lock (text lockfile, lockfileVersion 0/1) parsed with a strict dependency-free JSONC reader, tolerant of the per-source tuple-shape variance in real Bun output. cas scripts audits trustedDependencies (the only packages Bun allows to run lifecycle scripts) against --allow. The legacy binary bun.lockb is rejected with a clean [HIGH] FAIL pointing at bun install --save-text-lockfile.
Format-aware validation and output
- Per-format structural/tampering validation before any gate runs: path-traversal keys, control chars, absolute paths, non-HTTPS
resolved/tarball/remote/redirect URLs, malformed hashes, YAML alias bombs. - Additive
lockfile_formatandformat_versionfields in every--jsonreport. cas driftfix hints are now format-appropriate (pnpm install --lockfile-only,deno install,bun install --save-text-lockfile, and the usual npm regen command).- Formats that don't record per-entry registry URLs (pnpm/deno-npm/bun default-registry entries) are reported as INFO
registry_impliedbycas registry— explicit tarball/git/custom-registry entries are still fully gated. cas sri patchremains npm/CodeArtifact-specific and errors cleanly on other formats with per-format guidance.- Directory commands (
drift,pin) error when multiple lockfiles are present, forcing--formatdisambiguation.
Compatibility
- npm gate code paths are unchanged — existing behavior and JSON output are byte-compatible (new JSON fields are additive).
- New pinned dependency:
PyYAML==6.0.2(plustypes-PyYAMLin dev extras). - Test suite: 309 → 466 tests, with real pnpm 8/9 and Bun 1.3 lockfile output used to ground the adapters, and tampered/malicious fixtures for every format.
Pinned install
pip install "git+https://github.com/TableCheck-Labs/codeartifact-shield.git@6d2847fc3cbf239231ba5b26b4ea7520bfae3502"Verification
The tag and all release assets are signed with GPG key 5DB8C8B8BF34C3F2942B3ACA91B08AFD32525ACA (DragonStuff).
# Verify the tag:
git tag -v v0.10.0
# Verify an asset:
gpg --verify codeartifact_shield-0.10.0-py3-none-any.whl.asc codeartifact_shield-0.10.0-py3-none-any.whl
# Or verify everything via the signed checksum manifest:
gpg --verify SHA256SUMS.asc SHA256SUMS && sha256sum -c SHA256SUMS| Asset | SHA-256 |
|---|---|
codeartifact_shield-0.10.0.tar.gz |
b4aeb0f38d5c30912bfb9d398e1a8e77ff5284ddd3f7b861f318837d2797326b |
codeartifact_shield-0.10.0-py3-none-any.whl |
27469bf44415cc672adc3b36e89e8f632c166adab7ed4a041870e1575522ec5c |