Zift

v4.3.1

4.3.1

Zift

🚀 Zift v2.0.0: The Intelligent Security Gate

We are thrilled to announce the official release of Zift v2.0.0. This version transforms Zift from a static scanner into a Deterministic Pre-install Behavioral Security Gate, featuring advanced taint tracking, extreme performance, and universal ecosystem support.

🧠 Engine Intelligence

• Intra-file Taint Tracking: Detects sensitive data exfiltration (e.g., process.env) through function parameters and complex expressions.
• New Sinks: Monitoring for child_process.exec, dns.resolve, fetch, axios, and more.
• Dynamic Require Detection: Flags suspicious require(variable) patterns common in malicious loaders.
• Encoder Multipliers: Detection of Buffer.from, btoa, and atob now intelligently weights security scores.

⚡ Performance & Scale

• Parallel Engine: Concurrent file scanning with a worker-limited promise pool.
• Versioned AST Cache: 16x speedup on rescans with safe rule-invalidation tied to the package version.
• .ziftignore Support: Fine-grained control over the scan scope using standard ignore syntax.

🛡️ Supply-Chain Hardening

• Universal Lockfile Auditor: Safety scans for npm, pnpm, and bun lockfiles to catch untrusted Git/HTTP dependencies.
• Typosquat Interception: Active warning during zift install for packages mimicking popular npm modules.
• Lifecycle Risk Summary: Automatic visibility into preinstall and postinstall script risks.

🧪 Stability Certified

Zift v2.0.0 has passed a rigorous stability audit covering:

• ✅ Cache integrity (content-hash based invalidation)
• ✅ Concurrency safety (stateless parallel core)
• ✅ False-positive regression testing (React/Express/ESLint baseline)

🔦 Transparency: Known Blind Spots

Zift v2 focus on high-precision, deterministic patterns. It currently does not cover:

• Cross-file taint tracking
• Runtime-only memory payload decryption
• Post-install code generation

---

Get Started: npx @7nsane/zift .
Full Documentation: README.md