{"id":48448307,"url":"https://github.com/arnica/depsguard","last_synced_at":"2026-04-12T22:58:24.547Z","repository":{"id":349585985,"uuid":"1198037858","full_name":"arnica/depsguard","owner":"arnica","description":"Harden your package manager configs against supply chain attacks.","archived":false,"fork":false,"pushed_at":"2026-04-06T18:29:50.000Z","size":1232,"stargazers_count":17,"open_issues_count":2,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-06T19:09:33.154Z","etag":null,"topics":["dependencies","npm","pnpm","software-supply-chain-security","uv"],"latest_commit_sha":null,"homepage":"http://depsguard.com/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arnica.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":"arnica"}},"created_at":"2026-04-01T04:25:48.000Z","updated_at":"2026-04-06T18:29:58.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/arnica/depsguard","commit_stats":null,"previous_names":["arnica/depsguard"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/arnica/depsguard","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arnica%2Fdepsguard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arnica%2Fdepsguard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arnica%2Fdepsguard/
releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arnica%2Fdepsguard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arnica","download_url":"https://codeload.github.com/arnica/depsguard/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arnica%2Fdepsguard/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31526666,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T16:28:08.000Z","status":"ssl_error","status_checked_at":"2026-04-07T16:28:06.951Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependencies","npm","pnpm","software-supply-chain-security","uv"],"created_at":"2026-04-06T19:00:38.884Z","updated_at":"2026-04-10T06:03:14.309Z","avatar_url":"https://github.com/arnica.png","language":"Rust","funding_links":["https://github.com/sponsors/arnica"],"categories":["Dependency intelligence"],"sub_categories":[],"readme":"# depsguard\n\n[![CI](https://github.com/arnica/depsguard/actions/workflows/ci.yml/badge.svg)](https://github.com/arnica/depsguard/actions/workflows/ci.yml)\n[![Security 
Audit](https://github.com/arnica/depsguard/actions/workflows/audit.yml/badge.svg)](https://github.com/arnica/depsguard/actions/workflows/audit.yml)\n[![crates.io](https://img.shields.io/crates/v/depsguard.svg)](https://crates.io/crates/depsguard)\n[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)\n[![MSRV](https://img.shields.io/badge/MSRV-1.74-orange.svg)](https://blog.rust-lang.org/2023/11/16/Rust-1.74.0.html)\n\n```text\n     _                                          _\n  __| | ___ _ __  ___  __ _ _   _  __ _ _ __ __| |\n / _` |/ _ \\ '_ \\/ __|/ _` | | | |/ _` | '__/ _` |\n| (_| |  __/ |_) \\__ \\ (_| | |_| | (_| | | | (_| |\n \\__,_|\\___| .__/|___/\\__, |\\__,_|\\__,_|_|  \\__,_|\n           |_|        |___/\n```\n\nGuard your dependencies against supply chain attacks. **Single static binary, zero Rust crate dependencies.**\n\nBy **[[arnica](https://arnica.io)]**\n\n## Table of contents\n\n- [Overview](#overview)\n- [Install](#install)\n- [Usage](#usage)\n- [What gets checked](#what-gets-checked)\n- [Config file locations](#config-file-locations)\n- [Backups and restore](#backups-and-restore)\n- [How it works](#how-it-works)\n- [Troubleshooting](#troubleshooting)\n- [Help \u0026 feedback](#help--feedback)\n- [License](#license)\n\n## Overview\n\nDepsGuard looks for **npm**, **pnpm**, **yarn**, **bun**, and **uv** on your machine, reads their config files, compares them to recommended supply-chain settings, and can **apply fixes interactively**. It also scans for **Renovate** and **Dependabot** configs in your repos. 
It never runs package installs; it only edits config files you approve, and it writes **backups** before any change.\n\n### Key features\n\n- Interactive TUI: scan, review, toggle fixes, apply\n- `scan` subcommand for read-only reporting\n- `restore` subcommand to pick a backup and roll back a file\n- Cross-platform: Linux, macOS, Windows\n- No bundled third-party Rust crates (stdlib + small amount of platform FFI for the terminal)\n\n### Tech stack\n\n| Area | Details |\n|------|---------|\n| Language | Rust (MSRV **1.74**, see `Cargo.toml`) |\n| CLI / TUI | `src/main.rs`, `src/ui.rs`, `src/term.rs` |\n| Config logic | `src/manager.rs`, `src/fix.rs` |\n| Website | Static site under `docs/` (separate from the binary) |\n\n## Install\n\n### Prebuilt binaries\n\nEach [GitHub Release](https://github.com/arnica/depsguard/releases) includes archives for:\n\n- Linux: `x86_64` (glibc), `x86_64` (musl), `aarch64` (glibc)\n- macOS: Intel and Apple Silicon\n- Windows: `x86_64` ZIP containing `depsguard.exe`\n\nDownload the archive for your platform, unpack it, and put the binary on your `PATH`.\n\nVerify integrity using the matching `.sha256` file next to each asset on the release page.\n\n### Install by platform\n\n#### Linux (Debian/Ubuntu via APT)\n\n```bash\nsudo install -d -m 0755 /etc/apt/keyrings\ncurl -fsSL https://depsguard.com/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/depsguard.gpg\necho \"deb [signed-by=/etc/apt/keyrings/depsguard.gpg] https://depsguard.com/apt stable main\" | sudo tee /etc/apt/sources.list.d/depsguard.list \u003e/dev/null\nsudo apt update\nsudo apt install depsguard\n```\n\n#### macOS (Intel / Apple Silicon)\n\n```bash\n# Homebrew tap\nbrew tap arnica/depsguard https://github.com/arnica/depsguard\nbrew install depsguard\n```\n\n#### Windows\n\n```powershell\n# WinGet\nwinget install Arnica.DepsGuard\n\n# Scoop\nscoop bucket add depsguard https://github.com/arnica/depsguard\nscoop install depsguard\n```\n\nOr download manually via 
PowerShell:\n\n```powershell\n$zip = \"$env:TEMP\\\\depsguard.zip\"\nInvoke-WebRequest -Uri \"https://github.com/arnica/depsguard/releases/latest/download/depsguard-x86_64-pc-windows-msvc.zip\" -OutFile $zip\nExpand-Archive -LiteralPath $zip -DestinationPath \"$env:TEMP\\\\depsguard\" -Force\nCopy-Item \"$env:TEMP\\\\depsguard\\\\depsguard.exe\" \"$HOME\\\\AppData\\\\Local\\\\Microsoft\\\\WindowsApps\\\\depsguard.exe\" -Force\ndepsguard.exe --help\n```\n\n### crates.io\n\n```bash\ncargo install depsguard\n```\n\nRequires a [Rust toolchain](https://rustup.rs/) with `cargo`.\n\n### Package managers (when published by your vendor)\n\nIf your organization ships DepsGuard via Homebrew, Scoop, or WinGet, use their instructions. **Setting up or automating those channels** (Homebrew core PRs, buckets, WinGet PRs, CI secrets) is maintainer documentation — see [`AGENTS.md`](AGENTS.md) under *Release \u0026 distribution*.\n\n#### App stores / package managers\n\n| Channel | Linux | macOS | Windows | Install command |\n|---------|-------|-------|---------|-----------------|\n| APT (custom repo) | yes | no | no | `sudo apt install depsguard` (after repo setup above) |\n| crates.io | yes | yes | yes | `cargo install depsguard` |\n| Homebrew (custom tap) | yes | yes | no | `brew tap arnica/depsguard https://github.com/arnica/depsguard ; brew install depsguard` |\n| Scoop (custom bucket) | no | no | yes | `scoop bucket add depsguard https://github.com/arnica/depsguard ; scoop install depsguard` |\n| WinGet | no | no | yes | `winget install Arnica.DepsGuard` |\n\n### Build from source\n\n```bash\ngit clone https://github.com/arnica/depsguard.git\ncd depsguard\ncargo build --release\n```\n\nThe binary is `target/release/depsguard` (`.exe` on Windows). 
Rust **1.74+** is required.\n\n## Usage\n\n```bash\ndepsguard              # interactive: scan, choose fixes, apply\ndepsguard scan         # report only; no writes\ndepsguard --no-search  # skip recursive file search, check local configs only\ndepsguard restore      # restore from a previous backup\ndepsguard --help       # CLI help\n```\n\n### How to use\n\n1. **Install** – pick your platform [above](#install).\n2. **Run** `depsguard` to launch the interactive TUI. It scans your system and shows a table of findings. Press any key to continue to the fix selector. Repo-level config discovery starts from the current directory and searches downward. Use `depsguard scan` for a read-only report, or `depsguard --no-search` to skip the recursive file search and only check user-level configs.\n   \u003e **Note:** some settings require a minimum version. If your version is too old you'll see:\n   \u003e `ℹ min-release-age – requires npm ≥ 11.10 (have 10.2.0)`.\n   \u003e Upgrade with `npm install -g npm@latest` and re-run.\n3. **Navigate \u0026 select** – use `↑` `↓` to move through the list (`^u` `^d` to page). Press `Space` to toggle a fix on or off. Use quick-filter keys to bulk-select by file: `a` all, `n` .npmrc, `u` uv.toml, etc. – press once to select, again to deselect, a third time to clear the filter. Press `f` to show only currently selected fixes.\n4. **Preview** – press `d` to see a diff of what will change before you commit to anything.\n5. **Apply** – press `Enter` to apply the selected fixes. A timestamped backup is created before any file is written.\n6. **Rescan** – DepsGuard automatically reruns the scan after applying, so you can verify everything is green.\n7. **Restore** – run `depsguard restore` at any time to roll back from the backup list. 
Press `q` or `Esc` to quit.\n\n## What gets checked\n\n| Manager | Config | Setting | Target | Why |\n|---------|--------|---------|--------|-----|\n| npm | `~/.npmrc` | `min-release-age` | `7` (days) | Delay brand-new releases (requires npm \u003e= 11.10) |\n| npm/pnpm | `~/.npmrc` | `ignore-scripts` | `true` | Reduce install-script risk |\n| pnpm | `~/.npmrc` | `minimum-release-age` | `10080` (minutes) | Delay new versions by 7 days (requires pnpm \u003e= 10.16) |\n| pnpm | global `rc` (pnpm \u003c= 10) | `minimum-release-age` | `10080` (minutes) | Delay new versions by 7 days (requires pnpm \u003e= 10.16) |\n| pnpm | global `rc` (pnpm \u003c= 10) | `block-exotic-subdeps` | `true` | Block untrusted transitive deps (requires pnpm \u003e= 10.26) |\n| pnpm | global `rc` (pnpm \u003c= 10) | `trust-policy` | `no-downgrade` | Block provenance downgrades (requires pnpm \u003e= 10.21) |\n| pnpm | global `rc` (pnpm \u003c= 10) | `strict-dep-builds` | `true` | Fail on unreviewed build scripts (requires pnpm \u003e= 10.3) |\n| pnpm | global `rc` (pnpm \u003c= 10) | `ignore-scripts` | `true` | Block malicious install scripts |\n| pnpm | global `config.yaml` (pnpm \u003e= 11) | `minimumReleaseAge` | `10080` (minutes) | Delay new versions by 7 days |\n| pnpm | global `config.yaml` (pnpm \u003e= 11) | `blockExoticSubdeps` | `true` | Block untrusted transitive deps |\n| yarn | `.yarnrc.yml` | `npmMinimalAgeGate` | `7d` | Delay new versions by 7 days (requires yarn \u003e= 4.10) |\n| pnpm | `pnpm-workspace.yaml` | `minimumReleaseAge` | `10080` (minutes) | Delay new versions by 7 days (requires pnpm \u003e= 10.16) |\n| pnpm | `pnpm-workspace.yaml` | `strictDepBuilds` | `true` | Fail on unreviewed build scripts (requires pnpm \u003e= 10.3) |\n| pnpm | `pnpm-workspace.yaml` | `trustPolicy` | `no-downgrade` | Block provenance downgrades (requires pnpm \u003e= 10.21) |\n| pnpm | `pnpm-workspace.yaml` | `blockExoticSubdeps` | `true` | Block untrusted transitive deps (requires pnpm 
\u003e= 10.26) |\n| bun | `~/.bunfig.toml` | `install.minimumReleaseAge` | `604800` (seconds) | ~7 day delay |\n| uv | `uv.toml` | `exclude-newer` | `7 days` | Delay new publishes |\n| renovate | `renovate.json` etc. | `minimumReleaseAge` | `7 days` | Delay dependency update PRs by 7 days |\n| dependabot | `.github/dependabot.yml` | `cooldown.default-days` | `7` | Delay dependency update PRs by 7 days |\n\n## Config file locations\n\n| Manager | Linux | macOS | Windows |\n|---------|-------|-------|---------|\n| npm/pnpm | `~/.npmrc` | `~/.npmrc` | `%USERPROFILE%\\.npmrc` |\n| pnpm global | `$XDG_CONFIG_HOME/pnpm/rc` or `~/.config/pnpm/rc` | `$XDG_CONFIG_HOME/pnpm/rc` or `~/Library/Preferences/pnpm/rc` | `%LOCALAPPDATA%\\pnpm\\config\\rc` |\n| yarn | `~/.yarnrc.yml` | `~/.yarnrc.yml` | `%USERPROFILE%\\.yarnrc.yml` |\n| pnpm | `pnpm-workspace.yaml` | `pnpm-workspace.yaml` | `pnpm-workspace.yaml` |\n| bun | `$XDG_CONFIG_HOME/.bunfig.toml` or `~/.bunfig.toml` | `$XDG_CONFIG_HOME/.bunfig.toml` or `~/.bunfig.toml` | `%USERPROFILE%\\.bunfig.toml` |\n| uv | `$XDG_CONFIG_HOME/uv/uv.toml` or `~/.config/uv/uv.toml` | `$XDG_CONFIG_HOME/uv/uv.toml` or `~/.config/uv/uv.toml` | `%APPDATA%\\uv\\uv.toml` |\n| renovate | `renovate.json`, `.renovaterc`, `.github/renovate.json`, etc. | (same) | (same) |\n| dependabot | `.github/dependabot.yml` | (same) | (same) |\n\nUser-level config files are read from their standard locations (including XDG-based paths where the tool supports them). Repo-level configs are discovered by searching downward from the current directory, skipping known large directories (`node_modules`, `.git`, `target`, `Library`, `.cache`, and others) so scans stay fast. Repo-level `.npmrc`, `.yarnrc.yml`, `pnpm-workspace.yaml`, Renovate configs, and Dependabot configs are all searched. 
pnpm settings can live in `~/.npmrc`, the pnpm global config file (`rc` on pnpm \u003c= 10, `config.yaml` on pnpm \u003e= 11), or `pnpm-workspace.yaml`; DepsGuard checks all three locations independently. If multiple user-level uv or bun config files exist (for example both an XDG path and a home-directory path), DepsGuard scans each existing file separately instead of merging them. When `~/.npmrc` is missing, DepsGuard uses pnpm's global config path so fixes can create the config file directly.\n\n## Backups and restore\n\nBefore modifying a file, DepsGuard writes a backup to `~/.depsguard/backups/`.\n\nRun `depsguard restore` to list backups and restore one.\n\n## How it works\n\n```\nsrc/\n  main.rs    CLI args, run loop\n  term.rs    Raw mode + input (Unix termios / Windows console FFI)\n  manager.rs Detection, scanning, recommendations\n  fix.rs     Read/write .npmrc, TOML, YAML; backup/restore\n  ui.rs      Banner, tables, selector\n```\n\n- **Zero third-party crates** — intentional for a small security-adjacent tool; see `AGENTS.md` if you change that policy.\n- **Colors** use ANSI sequences; modern terminals on Windows (e.g. Windows Terminal) are supported.\n\n## Troubleshooting\n\n| Symptom | What to try |\n|---------|-------------|\n| `depsguard: command not found` | Ensure the install directory is on `PATH`, or use the full path to the binary. |\n| Permission errors writing config | DepsGuard only edits user-level config files and the repo-level configs it discovered under the current directory; run it as the user who owns those files, not elevated, unless the files are owned by an administrator. |\n| Keys not working on Windows | Use **Windows Terminal** or another VT-capable terminal; legacy `cmd.exe` may not handle all keys. |\n| pnpm workspaces missing | Repo-level discovery starts from the current directory and searches downward, skipping `node_modules`, `.git`, `target` and similar directories, so run `depsguard` from the workspace root or a directory above it; very unusual layouts may still not be discovered. |\n| `cargo install` fails | Install Rust via [rustup](https://rustup.rs/) and use Rust **≥ 1.74**. 
|\n\n## Help \u0026 feedback\n\n- [Report a bug or request a feature](https://github.com/arnica/depsguard/issues)\n- [Report a security vulnerability](https://github.com/arnica/depsguard/security/advisories/new) (see [`SECURITY.md`](SECURITY.md))\n- Development workflow for contributors lives in [`AGENTS.md`](AGENTS.md).\n\n## License\n\nMIT\n\n---\n\n**Links:** [Repository](https://github.com/arnica/depsguard) · [Documentation site](https://depsguard.com)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farnica%2Fdepsguard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farnica%2Fdepsguard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farnica%2Fdepsguard/lists"}
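The `~/.npmrc` rows of the *What gets checked* table, modelled as an added Rust example (this is not depsguard's own `manager.rs`/`fix.rs` code): it parses an `.npmrc`, gates `min-release-age` on the installed npm version the way the TUI's `ℹ min-release-age – requires npm ≥ 11.10 (have 10.2.0)` note does, and rewrites the file with the hardened values while keeping comments and ordering intact. The keys, target values and the npm ≥ 11.10 threshold are the README's; the function names, the `Recommendation` table and the sample `.npmrc` contents are assumptions for illustration.

```rust
// Added example, not depsguard's own code: a minimal model of the README's
// ~/.npmrc rows with the version gate the TUI reports. Keys, targets and the
// npm >= 11.10 threshold come from the README; names and the sample are assumed.
use std::collections::BTreeMap;

/// A recommended key, its hardened value, and the minimum npm (major, minor) that understands it.
struct Recommendation {
    key: &'static str,
    target: &'static str,
    min_version: Option<(u32, u32)>,
}
/// The ~/.npmrc rows from the "What gets checked" table.
const NPMRC_RECOMMENDATIONS: &[Recommendation] = &[
    Recommendation { key: "min-release-age", target: "7", min_version: Some((11, 10)) },
    Recommendation { key: "ignore-scripts", target: "true", min_version: None },
];
/// Constructed sample ~/.npmrc for the demo, not a real user's file.
const SAMPLE_NPMRC: &str =
    "# registry settings\nregistry=https://registry.npmjs.org/\nignore-scripts=false\n";

/// Parse ini-style `key=value` lines, skipping blanks and `#`/`;` comments.
/// A repeated key keeps its last value (ini last-one-wins).
fn parse_npmrc(text: &str) -> BTreeMap<String, String> {
    let mut out = BTreeMap::new();
    for line in text.lines().map(str::trim) {
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') {
            continue;
        }
        if let Some((k, v)) = line.split_once('=') {
            out.insert(k.trim().to_string(), v.trim().to_string());
        }
    }
    out
}

/// "11.10.0" or "v11.10" -> (11, 10); the patch level never matters here.
fn parse_version(s: &str) -> Option<(u32, u32)> {
    let mut parts = s.trim().trim_start_matches('v').split('.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next().unwrap_or("0").parse().ok()?;
    Some((major, minor))
}

#[derive(Debug, PartialEq)]
enum Finding {
    Ok(&'static str),
    /// key, value currently in the file (None if absent), hardened target
    Fix(&'static str, Option<String>, &'static str),
    /// key, minimum (major, minor) the installed npm does not reach
    Unsupported(&'static str, (u32, u32)),
}

/// Compare parsed settings against the recommendations, gating on npm version. An
/// unparsable version counts as too old: report it rather than write a key npm may not honour.
fn check_npmrc(settings: &BTreeMap<String, String>, npm_version: &str) -> Vec<Finding> {
    let have = parse_version(npm_version);
    NPMRC_RECOMMENDATIONS.iter().map(|r| {
        if let Some(min) = r.min_version {
            if have.map_or(true, |v| v < min) {
                return Finding::Unsupported(r.key, min);
            }
        }
        match settings.get(r.key) {
            Some(v) if v == r.target => Finding::Ok(r.key),
            other => Finding::Fix(r.key, other.cloned(), r.target),
        }
    }).collect()
}

/// Hardened file text: rewrite an existing key's line in place so comments and
/// ordering survive, and append the keys the file lacks.
fn apply_fixes(text: &str, findings: &[Finding]) -> String {
    let fixes: Vec<(&str, &str)> = findings.iter().filter_map(|f| match f {
        Finding::Fix(k, _, t) => Some((*k, *t)),
        _ => None,
    }).collect();
    let mut lines: Vec<String> = Vec::new();
    let mut done: Vec<&str> = Vec::new();
    for line in text.lines() {
        let trimmed = line.trim_start();
        let is_comment = trimmed.starts_with('#') || trimmed.starts_with(';');
        let key = if is_comment { None } else { trimmed.split_once('=').map(|(k, _)| k.trim()) };
        match key.and_then(|k| fixes.iter().find(|(fk, _)| *fk == k)) {
            Some((k, t)) => { lines.push(format!("{k}={t}")); done.push(*k); }
            None => lines.push(line.to_string()),
        }
    }
    for (k, t) in &fixes {
        if !done.contains(k) { lines.push(format!("{k}={t}")); }
    }
    lines.join("\n") + "\n"
}

fn main() {
    let settings = parse_npmrc(SAMPLE_NPMRC);
    for ver in ["10.2.0", "11.10.0"] {
        let findings = check_npmrc(&settings, ver);
        println!("npm {ver}: {findings:?}");
        print!("{}", apply_fixes(SAMPLE_NPMRC, &findings));
    }
}
```

Run it with `cargo run`: for npm 10.2.0 it reports `min-release-age` as unsupported and only flips `ignore-scripts`; for npm 11.10.0 it also appends `min-release-age=7`. The gate is the security-relevant part: a setting the installed manager does not understand gives no protection, so the check reports the version gap instead of silently writing a key, which matches the note the TUI prints.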