
Dev #11

Merged
akosidencio merged 2 commits into main from dev on Apr 4, 2026

Conversation

@akosidencio
Contributor

No description provided.

….3.0)

Introduces  — a drop-in wrapper for npm/yarn/pnpm/bun
that monitors node_modules/ in real time during install and halts if a postinstall
script exhibits dropper behaviour (create binary → execute → delete), as seen in
the 2025 axios-ecosystem supply-chain attack.

- New command: watch-install <pm> [args...] with --no-fail flag
- Detects phantom files (EphemeralFile) and executable drops (ExecutableDrop)
- Configured via [supply_chain] in .greengate.toml: block_phantom_scripts,
  enforce_sandbox, allow_postinstall allowlist (warns but does not fail)
- 250ms polling loop, zero new dependencies
- 17 unit tests (WatchState logic, package_from_path, is_executable)
- 11 integration tests covering phantom, exec-drop, allowlist, config, --no-fail
- Docs: new watch-install command reference, roadmap (sandbox-install as Feature 2),
  updated README, getting-started, use-cases, ci-integration, VitePress sidebar
@akosidencio akosidencio merged commit ed93a45 into main Apr 4, 2026
7 checks passed
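The dropper sequence the commit message describes (create binary, execute, delete) reduced to a polling state machine, as an added example. This is not the project's code: the names `WatchState`, `package_from_path`, `is_executable`, `EphemeralFile` and `ExecutableDrop` are borrowed from the commit message, but the implementations, the `.greengate.toml`-style allowlist handling, the `@acme/installer` package and the simulated install are all assumptions constructed here. Directory polling cannot observe the "execute" step itself, so the detector flags a new executable-looking file (exec bit or native-binary magic) and, separately, any file that disappears between polls.

```python
"""Polling detector for postinstall dropper behaviour under node_modules/.

Added example, not the project's implementation. Two snapshot diffs drive it:
  ExecutableDrop  - a file that was not in the previous poll and looks runnable
  EphemeralFile   - a file from the previous poll that has vanished
Packages on the allowlist produce "warn" findings that do not halt the install.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

POLL_INTERVAL_S = 0.25  # assumed polling period; a file living shorter than this can be missed

# Header bytes of native executables: ELF, Mach-O (64-bit LE), Mach-O fat, PE.
BINARY_MAGICS = (b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"MZ")


@dataclass(frozen=True)
class FileInfo:
    executable: bool  # any execute bit set on a regular file
    binary: bool      # first bytes match a native-executable magic


def package_from_path(root: str, path: str) -> str:
    """Map a path under node_modules/ to its package name, keeping @scope/name together."""
    parts = Path(os.path.relpath(path, root)).parts
    if parts and parts[0].startswith("@") and len(parts) > 1:
        return f"{parts[0]}/{parts[1]}"
    return parts[0] if parts else ""


def is_executable(path: str) -> bool:
    mode = os.stat(path).st_mode
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def has_binary_magic(path: str) -> bool:
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError:
        return False
    return any(head.startswith(m) for m in BINARY_MAGICS)


def snapshot(root: str) -> dict:
    """One poll: every regular file under root with its executable/binary flags."""
    seen = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                seen[p] = FileInfo(is_executable(p), has_binary_magic(p))
            except FileNotFoundError:
                continue  # vanished between walk and stat; the next tick reports it as phantom
    return seen


@dataclass
class WatchState:
    root: str
    allow_postinstall: frozenset = frozenset()  # package names that only warn
    previous: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)  # (kind, package, relpath, severity)

    def tick(self, current: dict) -> None:
        """Diff a fresh snapshot against the previous one; call every POLL_INTERVAL_S."""
        for p, info in current.items():
            if p not in self.previous and (info.executable or info.binary):
                self._record("ExecutableDrop", p)
        for p in self.previous:
            if p not in current:
                self._record("EphemeralFile", p)
        self.previous = current

    def _record(self, kind: str, p: str) -> None:
        pkg = package_from_path(self.root, p)
        severity = "warn" if pkg in self.allow_postinstall else "fail"
        self.findings.append((kind, pkg, os.path.relpath(p, self.root), severity))

    def should_halt(self) -> bool:
        return any(f[3] == "fail" for f in self.findings)


def simulate_dropper(allow: frozenset = frozenset()) -> WatchState:
    """Constructed scenario: a scoped package drops an ELF helper, then removes it."""
    with tempfile.TemporaryDirectory() as root:
        state = WatchState(root, allow)
        pkg = Path(root, "@acme", "installer")
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text('{"name": "@acme/installer"}')
        state.tick(snapshot(root))  # baseline poll: only plain files present

        dropped = pkg / ".cache" / "helper"
        dropped.parent.mkdir()
        dropped.write_bytes(b"\x7fELF" + b"\0" * 60)  # fake ELF header, constructed
        dropped.chmod(0o755)
        state.tick(snapshot(root))  # second poll sees the executable appear

        dropped.unlink()
        state.tick(snapshot(root))  # third poll sees it gone: phantom file
        return state


if __name__ == "__main__":
    for finding in simulate_dropper().findings:
        print(finding)
```

In a real wrapper the loop would run `state.tick(snapshot(root))` every 250 ms for as long as the package-manager child process is alive and terminate it once `should_halt()` flips to true; with the package on the allowlist the same findings are recorded at "warn" severity and the install continues.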