GitHub - arnica/depsguard: Harden your package manager configs against supply chain attacks.

     _                                          _
  __| | ___ _ __  ___  __ _ _   _  __ _ _ __ __| |
 / _` |/ _ \ '_ \/ __|/ _` | | | |/ _` | '__/ _` |
| (_| |  __/ |_) \__ \ (_| | |_| | (_| | | | (_| |
 \__,_|\___| .__/|___/\__, |\__,_|\__,_|_|  \__,_|
           |_|        |___/

Guard your dependencies against supply chain attacks. Single static binary, zero Rust crate dependencies.

By [arnica]

Table of contents

• Overview
• Install
• Usage
• What gets checked
• Config file locations
• Urgent security fix
• Backups and restore
• How it works
• Troubleshooting
• Help & feedback
• See also
• License

Overview

DepsGuard looks for npm, pnpm, yarn, bun, and uv on your machine, reads their config files, compares them to recommended supply-chain settings, and can apply fixes interactively. It also scans for Renovate and Dependabot configs in your repos. It never runs package installs; it only edits config files you approve, and it writes backups before any change.

Key features

• Interactive TUI: scan, review, toggle fixes, apply
• scan subcommand for read-only reporting
• restore subcommand to pick a backup and roll back a file
• Cross-platform: Linux, macOS, Windows
• No bundled third-party Rust crates (stdlib + small amount of platform FFI for the terminal)

Tech stack

Install

Prebuilt binaries

Each GitHub Release includes archives for:

• Linux: x86_64 (glibc), x86_64 (musl), aarch64 (glibc)
• macOS: Intel and Apple Silicon
• Windows: x86_64 ZIP containing depsguard.exe

Download the archive for your platform, unpack it, and put the binary on your PATH.

Verify integrity using the matching .sha256 file next to each asset on the release page.

Install by platform

Linux (Debian/Ubuntu via APT)

sudo install -d -m 0755 /etc/apt/keyrings
curl -fsSL https://depsguard.com/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/depsguard.gpg
echo "deb [signed-by=/etc/apt/keyrings/depsguard.gpg] https://depsguard.com/apt stable main" | sudo tee /etc/apt/sources.list.d/depsguard.list >/dev/null
sudo apt update
sudo apt install depsguard

macOS (Intel / Apple Silicon)

# Homebrew tap
brew tap arnica/depsguard https://github.com/arnica/depsguard
brew install depsguard

Windows

# WinGet
winget install Arnica.DepsGuard

# Scoop
scoop bucket add depsguard https://github.com/arnica/depsguard
scoop install depsguard

Or download manually via PowerShell:

$zip = "$env:TEMP\\depsguard.zip"
Invoke-WebRequest -Uri "https://github.com/arnica/depsguard/releases/latest/download/depsguard-x86_64-pc-windows-msvc.zip" -OutFile $zip
Expand-Archive -LiteralPath $zip -DestinationPath "$env:TEMP\\depsguard" -Force
Copy-Item "$env:TEMP\\depsguard\\depsguard.exe" "$HOME\\AppData\\Local\\Microsoft\\WindowsApps\\depsguard.exe" -Force
depsguard.exe --help

crates.io

Requires a Rust toolchain with cargo.

Package managers (when published by your vendor)

If your organization ships DepsGuard via Homebrew, Scoop, or WinGet, use their instructions. Setting up or automating those channels (Homebrew core PRs, buckets, WinGet PRs, CI secrets) is maintainer documentation — see AGENTS.md under Release & distribution.

App stores / package managers

Build from source

git clone https://github.com/arnica/depsguard.git
cd depsguard
cargo build --release

The binary is target/release/depsguard (.exe on Windows). Rust 1.74+ is required.

Usage

depsguard              # interactive: scan, choose fixes, apply
depsguard scan         # report only; no writes
depsguard --no-search  # skip recursive file search, check local configs only
depsguard restore      # restore from a previous backup
depsguard --help       # CLI help

How to use

1. Install – pick your platform above.
2. Run depsguard to launch the interactive TUI. It scans your system and shows a table of findings. Press any key to continue to the fix selector. Repo-level config discovery starts from the current directory and searches downward. Use depsguard scan for a read-only report, or depsguard --no-search to skip the recursive file search and only check user-level configs.

   Note: some settings require a minimum version. If your version is too old you'll see: ℹ min-release-age – requires npm ≥ 11.10 (have 10.2.0). Upgrade with npm install -g npm@latest and re-run.

3. Navigate & select – use ↑ ↓ to move through the list (^u ^d to page). Press Space to toggle a fix on or off. Use quick-filter keys to bulk-select by file: a all, n .npmrc, u uv.toml, etc. – press once to select, again to deselect, a third time to clear the filter. Press f to show only currently selected fixes.
4. Preview – press d to see a diff of what will change before you commit to anything.
5. Apply – press Enter to apply the selected fixes. A timestamped backup is created before any file is written.
6. Rescan – DepsGuard automatically reruns the scan after applying, so you can verify everything is green.
7. Restore – run depsguard restore at any time to roll back from the backup list. Press q or Esc to quit.

What gets checked

Config file locations

User-level config files are read from their standard locations (including XDG-based paths where the tool supports them). Repo-level configs are discovered by searching downward from the current directory, skipping known large directories (node_modules, .git, target, Library, .cache, and others) so scans stay fast. Repo-level .npmrc, .yarnrc.yml, pnpm-workspace.yaml, Renovate configs, and Dependabot configs are all searched. pnpm settings can live in ~/.npmrc, the pnpm global config file (rc on pnpm <= 10, config.yaml on pnpm >= 11), or pnpm-workspace.yaml; DepsGuard checks all three locations independently. If multiple user-level uv or bun config files exist (for example both an XDG path and a home-directory path), DepsGuard scans each existing file separately instead of merging them. When ~/.npmrc is missing, DepsGuard uses pnpm's global config path so fixes can create the config file directly.

Urgent security fix

If the patched version is newer than your cooldown window, add a narrow exception, install the fix, and then remove the exception.

Prefer a package-specific exception over lowering the global cooldown. That keeps the delay in place for every other dependency.

Before you bypass the cooldown:

1. Check whether the CVE actually affects your usage.
2. Check whether a known-good older version is already available. A rollback may be safer.
3. Remove temporary exceptions after the upgrade.

Backups and restore

Before modifying a file, DepsGuard writes a backup to ~/.depsguard/backups/.

Run depsguard restore to list backups and restore one.

How it works

src/
  main.rs    CLI args, run loop
  term.rs    Raw mode + input (Unix termios / Windows console FFI)
  manager.rs Detection, scanning, recommendations
  fix.rs     Read/write .npmrc, TOML, YAML; backup/restore
  ui.rs      Banner, tables, selector

• Zero third-party crates — intentional for a small security-adjacent tool; see AGENTS.md if you change that policy.
• Colors use ANSI sequences; modern terminals on Windows (e.g. Windows Terminal) are supported.

Troubleshooting

Help & feedback

• Report a bug or request a feature
• Report a security vulnerability (see SECURITY.md)
• Development workflow for contributors lives in AGENTS.md.

See also

• Dependency Cooldowns (cooldowns.dev) — a reference guide and companion shell helper (cooldowns.sh) focused specifically on minimum-release-age cooldowns. Complements DepsGuard: it covers a broader set of ecosystems on the cooldown axis (pip, uv, npm, pnpm, Yarn, Bun, Deno, Cargo), while DepsGuard covers npm/pnpm/yarn/bun/uv plus Renovate/Dependabot and adds other hardening settings (ignore-scripts, block-exotic-subdeps, trust-policy, strict-dep-builds) with an interactive TUI, diff preview, and backup/restore.

License

MIT

Star History

Links: Repository · Documentation site