Skip to content

v0.10.0: pnpm, Deno, and Bun lockfile support

Latest

Choose a tag to compare

@DragonStuff DragonStuff released this 07 Jul 05:48
v0.10.0

What's new

Multi-format lockfile support — pnpm, Deno, and Bun

Every gate now runs against four lockfile formats through a normalized abstraction layer (codeartifact_shield.lockfiles) with auto-detection from filename/content and a --format / CAS_LOCKFILE_FORMAT override on every command. The README carries a full per-command support matrix (full / partial / unsupported, with footnotes).

pnpmpnpm-lock.yaml lockfileVersion 6.0 and 9.0, parsed through a hardened YAML loader (anchors/aliases rejected outright, input size-capped, mapping-root enforced). v9 removed the per-entry requiresBuild flag, so cas scripts audits the project's onlyBuiltDependencies policy (pnpm-workspace.yaml / package.json#pnpm) against --allow and fails closed with install_script_policy_unknown when no policy is discoverable. Workspace importers feed cas drift (direct + transitive + orphan).

Denodeno.lock versions 3, 4, and 5: npm, jsr, remote, and redirects sections. npm deps get full audit/cooldown/trust; jsr deps get cooldown via api.jsr.io publish times and are surfaced as unaudited_jsr in cas audit (OSV has no JSR ecosystem — opt into failing with --fail-on-unaudited-jsr); remote https:// modules are host-gated by cas registry, with cross-host redirects reported as MEDIUM redirect_cross_host. cas pin and cas drift gain deno.json / deno.jsonc imports modes.

Bunbun.lock (text lockfile, lockfileVersion 0/1) parsed with a strict dependency-free JSONC reader, tolerant of the per-source tuple-shape variance in real Bun output. cas scripts audits trustedDependencies (the only packages Bun allows to run lifecycle scripts) against --allow. The legacy binary bun.lockb is rejected with a clean [HIGH] FAIL pointing at bun install --save-text-lockfile.

Format-aware validation and output

  • Per-format structural/tampering validation before any gate runs: path-traversal keys, control chars, absolute paths, non-HTTPS resolved/tarball/remote/redirect URLs, malformed hashes, YAML alias bombs.
  • Additive lockfile_format and format_version fields in every --json report.
  • cas drift fix hints are now format-appropriate (pnpm install --lockfile-only, deno install, bun install --save-text-lockfile, and the usual npm regen command).
  • Formats that don't record per-entry registry URLs (pnpm/deno-npm/bun default-registry entries) are reported as INFO registry_implied by cas registry — explicit tarball/git/custom-registry entries are still fully gated.
  • cas sri patch remains npm/CodeArtifact-specific and errors cleanly on other formats with per-format guidance.
  • Directory commands (drift, pin) error when multiple lockfiles are present, forcing --format disambiguation.

Compatibility

  • npm gate code paths are unchanged — existing behavior and JSON output are byte-compatible (new JSON fields are additive).
  • New pinned dependency: PyYAML==6.0.2 (plus types-PyYAML in dev extras).
  • Test suite: 309 → 466 tests, with real pnpm 8/9 and Bun 1.3 lockfile output used to ground the adapters, and tampered/malicious fixtures for every format.

Pinned install

pip install "git+https://github.com/TableCheck-Labs/codeartifact-shield.git@6d2847fc3cbf239231ba5b26b4ea7520bfae3502"

Verification

The tag and all release assets are signed with GPG key 5DB8C8B8BF34C3F2942B3ACA91B08AFD32525ACA (DragonStuff).

# Verify the tag:
git tag -v v0.10.0

# Verify an asset:
gpg --verify codeartifact_shield-0.10.0-py3-none-any.whl.asc codeartifact_shield-0.10.0-py3-none-any.whl

# Or verify everything via the signed checksum manifest:
gpg --verify SHA256SUMS.asc SHA256SUMS && sha256sum -c SHA256SUMS
Asset SHA-256
codeartifact_shield-0.10.0.tar.gz b4aeb0f38d5c30912bfb9d398e1a8e77ff5284ddd3f7b861f318837d2797326b
codeartifact_shield-0.10.0-py3-none-any.whl 27469bf44415cc672adc3b36e89e8f632c166adab7ed4a041870e1575522ec5c