Skip to content

CHANGELOG.md

Latest commit

 

History

History
90 lines (68 loc) · 3.39 KB

CHANGELOG.md

File metadata and controls

90 lines (68 loc) · 3.39 KB

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[0.3.1] - 2026-04-19

Fixed

False positives on npx <tool> and other unversioned package references

When a package was referenced without a version (e.g. npx vite, npx playwright install chromium), PatchPilot queried OSV without a version field. OSV returns vulnerabilities across all versions ever published in that case, surfacing patched CVEs as active threats.

Real-world impact before the fix:

  • vite@latest reported with 5 HIGH vulnerabilities — vite@8.0.8 (current latest) has 0
  • playwright@latest reported with 1 HIGH — playwright@1.59.1 has 0

Fix: when no version is specified, resolve latest from the npm or PyPI registry first, then query OSV with that concrete version. On registry failure (404, timeout, network error), falls back to the previous unversioned query — preserves fail-closed behavior for unknown packages.

The resolved version now appears in the hook output (vite@8.0.8 instead of misleading vite@latest).

Closes #19, #21.

[0.3.0] - 2024-01-06

Security - Critical Fixes from Security Audit

BREAKING: Fail-closed behavior on network errors

  • Previously: Network errors returned "no vulnerabilities" (DANGEROUS)
  • Now: Network errors deny the install with clear message

Parser bypass fixes:

  • Full path commands now detected (/usr/bin/npm, ~/.nvm/.../npm)
  • npx -p <pkg> and --package=<pkg> flags now scanned (not just the executable)
  • npm link, yarn link, bun link commands now detected
  • eval "npm install ..." with quoted strings now parsed
  • 16 additional command wrappers added (caffeinate, watch, xargs, proxychains, etc.)

Changed

  • OSV API calls now run in parallel (O(1) instead of O(n) for multiple packages)
  • Reduced per-request timeout from 8s to 4s to fit within hook budget
  • Removed any type usage for better type safety
  • Added CheckResult type to distinguish success vs error

Added

  • 20 new security tests for bypass prevention
  • Total test count: 87

[0.2.0] - 2024-01-06

Added

  • Shell-aware command parsing using shell-quote library
  • Support for command wrappers: env, sudo, exec, nohup, timeout, etc.
  • Support for alternative package managers:
    • npm ecosystem: pnpm, yarn, bun
    • Python ecosystem: pipx, poetry, uv, python -m pip
    • Homebrew: brew reinstall, brew upgrade
  • Detection of npx, bunx, and npm exec execution (not just installs)
  • Nested shell command detection (bash -c "npm install...")
  • Command chaining detection (&&, ||, ;, |)
  • Environment variable prefix handling (NODE_ENV=prod npm install)
  • Honest messaging for Homebrew (no vulnerability database available)
  • 67 comprehensive tests for parser

Security

  • Fixed bypass via command wrappers (env, sudo, exec)
  • Fixed bypass via alternative package managers
  • Fixed bypass via npx/bunx execution
  • Fixed bypass via command chaining
  • Fixed bypass via nested shell commands

[0.1.0] - 2024-01-05

Added

  • Initial release
  • Basic npm, pip, brew install detection
  • OSV (Open Source Vulnerabilities) database integration
  • Claude Code PreToolUse hook integration
  • Decision engine for vulnerability severity assessment