kief.dev

Changelog

All notable changes to Vekt. Follows Keep a Changelog conventions.

1.0.0

2026-05-30
added

New CLI commands: ci, ignore, audit

97da6b5
  • `vekt ci` -- CI/CD mode with `--fail-on` severity threshold (malicious/high/medium/low) and SARIF v2.1.0 output
  • `vekt ignore` -- Manage `.vektignore` rules: `add`, `list`, `remove` with wildcard patterns and expiry dates
  • `vekt audit` -- Pre-install package scanning: check packages before installing (`vekt audit express@4.18.2`, `vekt audit pypi:requests`)
  • Ecosystem prefix support for audit: npm, pypi, cargo, go, ruby, composer, nuget, pub, hex, hackage
  • Auto-latest version resolution when no version specified in audit
changed

CLI UI overhaul

97da6b5
  • Polished terminal output with box-drawing characters and unicode severity badges
  • Branded header/footer with version and timing info
  • Clean column alignment for scan results
  • Severity badges: [MALICIOUS] [VULN] [HOLDER] with color coding
  • All commands (scan, check, list, ci, ignore, audit) share the new visual style
added

92 unit tests and 5-platform binaries

97da6b5
  • Full test coverage for all 22 lockfile parsers with fixture data
  • OSV client, threat classification, and security-holder detection tests
  • Edge case tests: empty files, malformed input, deduplication, version stripping
  • Cross-platform release binaries: Linux x86_64, Linux aarch64, macOS x86_64, macOS aarch64 (Apple Silicon), Windows x86_64
  • Branded install script with mandatory checksum verification
added

LSP and browser extension improvements

97da6b5
  • LSP: Fixed-version code actions -- suggests update to patched version from OSV data
  • LSP: pubspec.yaml (Flutter/Dart) and mix.exs (Elixir) manifest parser support
  • Browser extension: Complete UI with trust scores, maintainer data, typosquat detection
  • Browser extension: Options page with malicious-only filter and cache controls
  • Browser extension: Popup with scan statistics and API key management
security

Security hardening

97da6b5
  • XSS prevention in browser extension content script (escaped vuln IDs and URL scheme allowlist)
  • Symlink-safe .vektignore writes prevent arbitrary file overwrite
  • SARIF output uses relative paths to prevent local directory leakage
  • Install script mandatory checksum verification (no silent degradation)
  • URL-encoded package names in registry API queries prevent URL injection

0.2.0

2026-04-06 breaking
added

Cloud authorize/report flow

8708496
  • New `vekt auth ` command to store your API key locally at `~/.config/vekt/config.toml`
  • `vekt auth --status` shows current auth state; `vekt auth --logout` removes stored key
  • Global `--api-key` flag and `VEKT_API_KEY` environment variable for CI/CD
  • CLI calls `/api/vekt/authorize` before scanning to validate key and decrement quota
  • Scan telemetry reported to `/api/vekt/report` after scanning -- no lockfile content is ever uploaded
  • Graceful degradation: if authorization fails, scanning continues locally without quota tracking
  • Config file written with `0600` permissions on Unix systems
  • `vekt auth --status` shows only last 4 characters of key as fingerprint
security

Server-side hardening

8708496
  • File upload scan endpoint (`POST /api/vekt/scan`) retired with HTTP 410 Gone
  • One-time scan tokens bind `request_id` to API key -- prevents fabricated telemetry reports
  • Report endpoint validates inputs: allowlisted lockfile types, range-checked numerics
  • Nginx `client_max_body_size 4k` scoped to `/api/vekt/` routes
  • Bot protection exempts `/api/` routes so SDK clients (python-requests, httpx) work correctly
  • Stripe SDK migrated to v8: Billing Meter Events API, Invoice.parent.subscription_details
deprecated

Upload scan endpoint retired

8708496
  • `POST /api/vekt/scan` now returns `410 Gone` with migration instructions
  • Use the CLI for scanning: `curl -fsSL https://kief.dev/vekt/install.sh | sh`
  • Authenticate with `vekt auth `, then scan with `vekt scan .`

0.1.2

2026-03-30
added

Chrome extension approved

b3c560c
  • Browser extension published on the [Chrome Web Store](https://chromewebstore.google.com/detail/fkhdbbbhignkhicjadpjpapkepcmpdjb)
  • Trust badge on npm, PyPI, crates.io, and 6 more registries
  • Full trust panel: OpenSSF Scorecard, maintainer profiles with GitHub stars, vulnerability count, provenance status
  • Maintainer profiles link to GitHub with star counts

0.1.1

2026-03-28
added

Browser extension enrichment pipeline

8682542
  • Full enrichment pipeline in extension panel: OpenSSF Scorecard, download stats, version timeline
  • Fixed bottom overlay bar design with traffic light indicators
  • npm publish date uses `time[version]` instead of `modified` for accuracy

0.1.0

2026-03-28
added

Initial release

16c8ce7
  • Rust CLI scanning 22 lockfile formats across 12 package ecosystems
  • Real-time threat intelligence from OSV.dev with batched queries
  • Three threat levels: MALICIOUS, VULN, HOLDER (security placeholder)
  • Parallel lockfile parsing with deduplication across lockfiles
  • JSON output (`--json`) for CI/CD integration
  • Quiet mode (`--quiet`) suppresses output on clean scans
  • Exit code conventions: 0 = clean, 1 = findings, 2 = error
  • LSP server (`vekt-lsp`) for IDE integration
  • Cargo workspace with `vekt-core`, `vekt-cli`, and `vekt-lsp` crates
Download binaries · Quickstart guide · CLI reference