Show HN: DepsGuard – One command to harden NPM/pnpm/yarn/bun/uv configs

Original link: https://github.com/arnica/depsguard

**DepsGuard** is a security tool designed to protect the software supply chain by hardening the configuration of dependency management tools. It scans the configuration files of npm, pnpm, yarn, bun, uv, and also Renovate and Dependabot, and recommends security best practices such as setting a "minimum release age" cooldown, disabling install scripts, and blocking untrusted sub-dependencies.

**Main features:**

  • **Interactive TUI:** a visual diff preview lets you scan, review, and toggle fixes before applying any change.
  • **Safety first:** it never runs package installs. It only modifies configuration files you approve and automatically creates timestamped backups so changes are easy to roll back.
  • **Zero-dependency binary:** written in Rust with no third-party crates, keeping the footprint tiny and the attack surface small.
  • **Cross-platform:** runs on Linux, macOS, and Windows, installed through several package managers (APT, Homebrew, WinGet, Scoop) or as a standalone binary.

Whether it is checking local user settings or recursively scanning repository configs, DepsGuard offers a simple way to defend against malicious dependency updates and supply chain attacks without tedious manual configuration.

**DepsGuard** is a new open-source tool designed to simplify supply chain security by automatically configuring package managers (npm, pnpm, yarn, bun, and uv). Although security experts often recommend a "cooldown period" (minimum release age) and disabling install scripts to mitigate supply chain attacks, manually updating these settings across different files, formats, and time units is tedious. DepsGuard solves this with a single Rust binary that scans your configuration, shows a summary of the current settings, and lets you apply the recommended hardening practices with one command.

Main features include:

  • **One-command hardening**: standardizes settings such as `min-release-age` and `ignore-scripts` across all supported package managers.
  • **Safety features**: provides a diff preview, creates timestamped backups, and includes a `restore` command.
  • **Visibility**: offers a read-only scan mode for auditing your current security posture.
  • **Lightweight**: no runtime dependencies, MIT licensed, and cross-platform.

While DepsGuard is no substitute for full software composition analysis (SCA) or vulnerability scanning, it provides a proactive, "set it and forget it" defense against common, time-sensitive supply chain attacks. You can install it via `cargo`, `brew`, or other standard package managers.

Original README


     _                                          _
  __| | ___ _ __  ___  __ _ _   _  __ _ _ __ __| |
 / _` |/ _ \ '_ \/ __|/ _` | | | |/ _` | '__/ _` |
| (_| |  __/ |_) \__ \ (_| | |_| | (_| | | | (_| |
 \__,_|\___| .__/|___/\__, |\__,_|\__,_|_|  \__,_|
           |_|        |___/

Guard your dependencies against supply chain attacks. Single static binary, zero Rust crate dependencies.

By [arnica]

DepsGuard looks for npm, pnpm, yarn, bun, and uv on your machine, reads their config files, compares them to recommended supply-chain settings, and can apply fixes interactively. It also scans for Renovate and Dependabot configs in your repos. It never runs package installs; it only edits config files you approve, and it writes backups before any change.

  • Interactive TUI: scan, review, toggle fixes, apply
  • scan subcommand for read-only reporting
  • restore subcommand to pick a backup and roll back a file
  • Cross-platform: Linux, macOS, Windows
  • No bundled third-party Rust crates (stdlib + small amount of platform FFI for the terminal)
| Area | Details |
|---|---|
| Language | Rust (MSRV 1.74, see Cargo.toml) |
| CLI / TUI | src/main.rs, src/ui.rs, src/term.rs |
| Config logic | src/manager.rs, src/fix.rs |
| Website | Static site under docs/ (separate from the binary) |

Each GitHub Release includes archives for:

  • Linux: x86_64 (glibc), x86_64 (musl), aarch64 (glibc)
  • macOS: Intel and Apple Silicon
  • Windows: x86_64 ZIP containing depsguard.exe

Download the archive for your platform, unpack it, and put the binary on your PATH.

Verify integrity using the matching .sha256 file next to each asset on the release page.

Linux (Debian/Ubuntu via APT)

```sh
sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://depsguard.com/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/depsguard.gpg
echo "deb [signed-by=/etc/apt/keyrings/depsguard.gpg] https://depsguard.com/apt stable main" | sudo tee /etc/apt/sources.list.d/depsguard.list >/dev/null
sudo apt update
sudo apt install depsguard
```

macOS (Intel / Apple Silicon)

```sh
# Homebrew tap
brew tap arnica/depsguard https://github.com/arnica/depsguard
brew install depsguard
```

Windows

```powershell
# WinGet
winget install Arnica.DepsGuard

# Scoop
scoop bucket add depsguard https://github.com/arnica/depsguard
scoop install depsguard
```

Or download manually via PowerShell:

```powershell
$zip = "$env:TEMP\depsguard.zip"
Invoke-WebRequest -Uri "https://github.com/arnica/depsguard/releases/latest/download/depsguard-x86_64-pc-windows-msvc.zip" -OutFile $zip
Expand-Archive -LiteralPath $zip -DestinationPath "$env:TEMP\depsguard" -Force
Copy-Item "$env:TEMP\depsguard\depsguard.exe" "$HOME\AppData\Local\Microsoft\WindowsApps\depsguard.exe" -Force
depsguard.exe --help
```

Installing from crates.io (see the channel table below) requires a Rust toolchain with cargo.

Package managers (when published by your vendor)

If your organization ships DepsGuard via Homebrew, Scoop, or WinGet, use their instructions. Setting up or automating those channels (Homebrew core PRs, buckets, WinGet PRs, CI secrets) is maintainer documentation — see AGENTS.md under Release & distribution.

App stores / package managers

| Channel | Linux | macOS | Windows | Install command |
|---|---|---|---|---|
| APT (custom repo) | yes | no | no | sudo apt install depsguard (after repo setup above) |
| crates.io | yes | yes | yes | cargo install depsguard |
| Homebrew (custom tap) | yes | yes | no | brew tap arnica/depsguard https://github.com/arnica/depsguard ; brew install depsguard |
| Scoop (custom bucket) | no | no | yes | scoop bucket add depsguard https://github.com/arnica/depsguard ; scoop install depsguard |
| WinGet | no | no | yes | winget install Arnica.DepsGuard |
Build from source

```sh
git clone https://github.com/arnica/depsguard.git
cd depsguard
cargo build --release
```

The binary is target/release/depsguard (.exe on Windows). Rust 1.74+ is required.

```sh
depsguard              # interactive: scan, choose fixes, apply
depsguard scan         # report only; no writes
depsguard --no-search  # skip recursive file search, check local configs only
depsguard restore      # restore from a previous backup
depsguard --help       # CLI help
```

  1. Install – pick your platform above.
  2. Run depsguard to launch the interactive TUI. It scans your system and shows a table of findings. Press any key to continue to the fix selector. Repo-level config discovery starts from the current directory and searches downward. Use depsguard scan for a read-only report, or depsguard --no-search to skip the recursive file search and only check user-level configs.

    Note: some settings require a minimum version. If your version is too old you'll see: ℹ min-release-age – requires npm ≥ 11.10 (have 10.2.0). Upgrade with npm install -g npm@latest and re-run.

  3. Navigate & select – use to move through the list (^u ^d to page). Press Space to toggle a fix on or off. Use quick-filter keys to bulk-select by file: a all, n .npmrc, u uv.toml, etc. – press once to select, again to deselect, a third time to clear the filter. Press f to show only currently selected fixes.
  4. Preview – press d to see a diff of what will change before you commit to anything.
  5. Apply – press Enter to apply the selected fixes. A timestamped backup is created before any file is written.
  6. Rescan – DepsGuard automatically reruns the scan after applying, so you can verify everything is green.
  7. Restore – run depsguard restore at any time to roll back from the backup list. Press q or Esc to quit.
| Manager | Config | Setting | Target | Why |
|---|---|---|---|---|
| npm | ~/.npmrc | min-release-age | 7 (days) | Delay brand-new releases (requires npm >= 11.10) |
| npm/pnpm | ~/.npmrc | ignore-scripts | true | Reduce install-script risk |
| pnpm | ~/.npmrc | minimum-release-age | 10080 (minutes) | Delay new versions by 7 days (requires pnpm >= 10.16) |
| pnpm | global rc (pnpm <= 10) | minimum-release-age | 10080 (minutes) | Delay new versions by 7 days (requires pnpm >= 10.16) |
| pnpm | global rc (pnpm <= 10) | block-exotic-subdeps | true | Block untrusted transitive deps (requires pnpm >= 10.26) |
| pnpm | global rc (pnpm <= 10) | trust-policy | no-downgrade | Block provenance downgrades (requires pnpm >= 10.21) |
| pnpm | global rc (pnpm <= 10) | strict-dep-builds | true | Fail on unreviewed build scripts (requires pnpm >= 10.3) |
| pnpm | global rc (pnpm <= 10) | ignore-scripts | true | Block malicious install scripts |
| pnpm | global config.yaml (pnpm >= 11) | minimumReleaseAge | 10080 (minutes) | Delay new versions by 7 days |
| pnpm | global config.yaml (pnpm >= 11) | blockExoticSubdeps | true | Block untrusted transitive deps |
| yarn | .yarnrc.yml | npmMinimalAgeGate | 7d | Delay new versions by 7 days (requires yarn >= 4.10) |
| pnpm | pnpm-workspace.yaml | minimumReleaseAge | 10080 (minutes) | Delay new versions by 7 days (requires pnpm >= 10.16) |
| pnpm | pnpm-workspace.yaml | strictDepBuilds | true | Fail on unreviewed build scripts (requires pnpm >= 10.3) |
| pnpm | pnpm-workspace.yaml | trustPolicy | no-downgrade | Block provenance downgrades (requires pnpm >= 10.21) |
| pnpm | pnpm-workspace.yaml | blockExoticSubdeps | true | Block untrusted transitive deps (requires pnpm >= 10.26) |
| bun | ~/.bunfig.toml | install.minimumReleaseAge | 604800 (seconds) | ~7 day delay |
| uv | uv.toml | exclude-newer | 7 days | Delay new publishes (requires uv >= 0.9.17) |
| renovate | renovate.json etc. | minimumReleaseAge | 7 days | Delay dependency update PRs by 7 days |
| dependabot | .github/dependabot.yml | cooldown.default-days | 7 | Delay dependency update PRs by 7 days |

| Manager | Linux | macOS | Windows |
|---|---|---|---|
| npm/pnpm | ~/.npmrc | ~/.npmrc | %USERPROFILE%\.npmrc |
| pnpm global | $XDG_CONFIG_HOME/pnpm/rc or ~/.config/pnpm/rc | $XDG_CONFIG_HOME/pnpm/rc or ~/Library/Preferences/pnpm/rc | %LOCALAPPDATA%\pnpm\config\rc |
| yarn | ~/.yarnrc.yml | ~/.yarnrc.yml | %USERPROFILE%\.yarnrc.yml |
| pnpm | pnpm-workspace.yaml | pnpm-workspace.yaml | pnpm-workspace.yaml |
| bun | $XDG_CONFIG_HOME/.bunfig.toml or ~/.bunfig.toml | $XDG_CONFIG_HOME/.bunfig.toml or ~/.bunfig.toml | %USERPROFILE%\.bunfig.toml |
| uv | $XDG_CONFIG_HOME/uv/uv.toml or ~/.config/uv/uv.toml | $XDG_CONFIG_HOME/uv/uv.toml or ~/.config/uv/uv.toml | %APPDATA%\uv\uv.toml |
| renovate | renovate.json, .renovaterc, .github/renovate.json, etc. | (same) | (same) |
| dependabot | .github/dependabot.yml | (same) | (same) |

User-level config files are read from their standard locations (including XDG-based paths where the tool supports them). Repo-level configs are discovered by searching downward from the current directory, skipping known large directories (node_modules, .git, target, Library, .cache, and others) so scans stay fast. Repo-level .npmrc, .yarnrc.yml, pnpm-workspace.yaml, Renovate configs, and Dependabot configs are all searched. pnpm settings can live in ~/.npmrc, the pnpm global config file (rc on pnpm <= 10, config.yaml on pnpm >= 11), or pnpm-workspace.yaml; DepsGuard checks all three locations independently. If multiple user-level uv or bun config files exist (for example both an XDG path and a home-directory path), DepsGuard scans each existing file separately instead of merging them. When ~/.npmrc is missing, DepsGuard uses pnpm's global config path so fixes can create the config file directly.
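As an added illustration of the settings and unit differences described above (example code, not DepsGuard's own source), here is a stdlib-only Rust sketch that parses an .npmrc, audits it against the npm/pnpm targets (min-release-age of 7 days, ignore-scripts=true), and normalizes each manager's native cooldown unit (npm days, pnpm minutes, bun seconds, yarn durations such as 7d) to days so values from different files can be compared. The function names and the 7-day threshold are this example's own assumptions.

```rust
// Added example (not DepsGuard's own code): stdlib-only .npmrc audit plus a
// cooldown-unit normaliser for the managers listed in the table above.
use std::collections::HashMap;

/// Parse the INI-style `key=value` lines of an .npmrc; `;` and `#` start comments.
pub fn parse_npmrc(text: &str) -> HashMap<String, String> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with(';') && !l.starts_with('#'))
        .filter_map(|l| l.split_once('='))
        .map(|(k, v)| (k.trim().to_string(), v.trim().to_string()))
        .collect()
}

/// Convert a cooldown value to days. `unit` is the manager's native unit:
/// "days" (npm, uv), "minutes" (pnpm), "seconds" (bun) or "duration" (yarn, e.g. "7d").
pub fn cooldown_days(value: &str, unit: &str) -> Option<f64> {
    match unit {
        "days" => value.parse::<f64>().ok(),
        "minutes" => value.parse::<f64>().ok().map(|m| m / 1440.0),
        "seconds" => value.parse::<f64>().ok().map(|s| s / 86_400.0),
        "duration" => {
            // Split "7d" into the number and its one-letter suffix; empty input yields None.
            let (num, suffix) = value.split_at(value.len().checked_sub(1)?);
            let n: f64 = num.parse().ok()?;
            match suffix {
                "d" => Some(n),
                "h" => Some(n / 24.0),
                "m" => Some(n / 1440.0),
                "s" => Some(n / 86_400.0),
                _ => None,
            }
        }
        _ => None,
    }
}

/// Report which recommended npm/pnpm settings in an .npmrc are missing or weaker than the
/// assumed 7-day target. An empty result means the file already meets the targets.
pub fn audit_npmrc(text: &str) -> Vec<String> {
    let cfg = parse_npmrc(text);
    let mut findings = Vec::new();
    match cfg.get("min-release-age").and_then(|v| cooldown_days(v, "days")) {
        Some(d) if d >= 7.0 => {}
        Some(d) => findings.push(format!("min-release-age is {d} days; target is 7")),
        None => findings.push("min-release-age not set; target is 7 days".to_string()),
    }
    if cfg.get("ignore-scripts").map(String::as_str) != Some("true") {
        findings.push("ignore-scripts is not true".to_string());
    }
    findings
}
```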

If the patched version is newer than your cooldown window, add a narrow exception, install the fix, and then remove the exception.

Prefer a package-specific exception over lowering the global cooldown. That keeps the delay in place for every other dependency.

| Manager | How to bypass the cooldown |
|---|---|
| npm | npm install <pkg>@<ver> --min-release-age=0 |
| pnpm | Add an entry to minimumReleaseAgeExclude in pnpm-workspace.yaml, run pnpm add <pkg>@<ver>, then remove the entry. Excluding by package name works on pnpm 10.16+; pinning a specific version (<pkg>@<ver>) additionally requires pnpm 10.19+. pnpm has no documented CLI override for minimumReleaseAge. |
| yarn | Add <pkg> (or a glob) to npmPreapprovedPackages in .yarnrc.yml, or run YARN_NPM_MINIMAL_AGE_GATE=0s yarn up <pkg>@<ver> for one command. npmPreapprovedPackages exempts matches from all Yarn package gates, not only the age gate. |
| bun | Add <pkg> to install.minimumReleaseAgeExcludes in a repo-level bunfig.toml or user-level ~/.bunfig.toml, or run bun add <pkg>@<ver> --minimum-release-age 0. |
| uv | Add "<pkg>" = false to exclude-newer-package in uv.toml or pyproject.toml, run uv add <pkg>==<ver>, then remove the entry. exclude-newer-package is a separate per-package override of the global exclude-newer cutoff. uv's CLI accepts --exclude-newer-package PACKAGE=DATE but not PACKAGE=false. |
| Renovate | Security updates already bypass minimumReleaseAge. For a version update, add a packageRules entry with matchPackageNames: ["<pkg>"] and minimumReleaseAge: null. |
| Dependabot | Security updates already bypass cooldown. For a version update, add <pkg> to cooldown.exclude. |

Before you bypass the cooldown:

  1. Check whether the CVE actually affects your usage.
  2. Check whether a known-good older version is already available. A rollback may be safer.
  3. Remove temporary exceptions after the upgrade.

Before modifying a file, DepsGuard writes a backup to ~/.depsguard/backups/.

Run depsguard restore to list backups and restore one.

```text
src/
  main.rs    CLI args, run loop
  term.rs    Raw mode + input (Unix termios / Windows console FFI)
  manager.rs Detection, scanning, recommendations
  fix.rs     Read/write .npmrc, TOML, YAML; backup/restore
  ui.rs      Banner, tables, selector
```

  • Zero third-party crates — intentional for a small security-adjacent tool; see AGENTS.md if you change that policy.
  • Colors use ANSI sequences; modern terminals on Windows (e.g. Windows Terminal) are supported.
| Symptom | What to try |
|---|---|
| depsguard: command not found | Ensure the install directory is on PATH, or use the full path to the binary. |
| Permission errors writing config | DepsGuard only edits files in your user profile; run as a normal user, not elevated unless those files are owned by admin. |
| Keys not working on Windows | Use Windows Terminal or another VT-capable terminal; legacy cmd.exe may not handle all keys. |
| pnpm workspaces missing | Ensure pnpm-workspace.yaml lives under your home directory tree; very unusual layouts may not be discovered. |
| cargo install fails | Install Rust via rustup and use Rust ≥ 1.74. |

  • Dependency Cooldowns (cooldowns.dev) — a reference guide and companion shell helper (cooldowns.sh) focused specifically on minimum-release-age cooldowns. Complements DepsGuard: it covers a broader set of ecosystems on the cooldown axis (pip, uv, npm, pnpm, Yarn, Bun, Deno, Cargo), while DepsGuard covers npm/pnpm/yarn/bun/uv plus Renovate/Dependabot and adds other hardening settings (ignore-scripts, block-exotic-subdeps, trust-policy, strict-dep-builds) with an interactive TUI, diff preview, and backup/restore.

MIT
