v1.9.1

Highlights

🛡️ Install Gate (Beta) — vet dependencies before they hit disk. New in this release and under active refinement; flags and verdicts may change between releases. Prefix any pip / npm / yarn / pnpm / uv install with corgea to screen every package it would install — named and transitive — against Corgea's vulnerability API before anything lands. Known-vulnerable or malicious versions block the install (exit 1) and print the safe fixed in version; a clean set runs the underlying command untouched. No token needed for baseline public-CVE checks; corgea login upgrades to authenticated fail-closed enforcement. A recency gate (default 14 days, configurable) also blocks freshly published packages to catch typosquats before advisory feeds catch up.

corgea npm install lodash@4.17.20   # blocks: known-vulnerable (CVE-2025-13465), exits 1
corgea pip install requests         # resolves, checks the verdict, then runs pip

What's Changed

Install Gate

• Install gate, Phase 0: vuln-api contract + test harness by @juangaitanv in #110
• Install gate, Phase 1: core gate — corgea pip|npm install <named targets> by @juangaitanv in #111
• Install gate, Phase 2: gate the full would-install set (tree pass) by @juangaitanv in #112
• Install gate, Phase 3: uv/yarn/pnpm wrappers + --json machine output by @juangaitanv in #114
• Install gate, Phase 3: org guarantee — authenticated fail-closed mode by @juangaitanv in #115
• Install gate: move recency gate from flags to a config toggle by @juangaitanv in #119

Scanning

• Add --exclude flag to scan command for glob-based file exclusion by @Ibrahimrahhal in #86
• Fix false "Project not found" errors by fetching scan issues by project_name instead of scan_id (COR-1493) by @Ibrahimrahhal in #117

Maintenance

• CI: bump actions/checkout v4 → v6 across workflows by @juangaitanv in #116

Full Changelog: v1.9.0...v1.9.1

v1.9.0

What's Changed

• Add ./harness quality contract + CI coverage gate by @juangaitanv in #92
• Fix flaky Linux wheel CI maturin download by @juangaitanv in #97
• Add corgea deps offline inventory (scan/graph/explain/diff/sbom/policy) by @juangaitanv in #93
• Add corgea skill install command by @Ibrahimrahhal in #95

Full Changelog: 1.8.8...v1.9.0

1.8.8

What's Changed

• Bump openssl from 0.10.73 to 0.10.78 by @dependabot[bot] in #87
• Bump openssl from 0.10.78 to 0.10.79 by @dependabot[bot] in #88
• Bump openssl from 0.10.79 to 0.10.80 by @dependabot[bot] in #90
• Retry on network error by @yhoztak in #94

Full Changelog: v1.8.7...1.8.8

v1.8.7

What's Changed

• Supporting JWT token by @Ibrahimrahhal in #83
• Bump version from 1.8.6 to 1.8.7 by @Ibrahimrahhal in #84

Full Changelog: v1.8.6...v1.8.7

v1.8.6

What's Changed

• Adding skill file by @Ibrahimrahhal in #79
• Print response in debug mode by @Ibrahimrahhal in #80
• Fail on offset mistach when uploading a report by @Ibrahimrahhal in #81
• Supporting cookies by @Ibrahimrahhal in #82

Full Changelog: v1.8.4...v1.8.6

v1.8.5

• Add more debugging to scan upload #80

Full Changelog: v1.8.4...v1.8.5

v1.8.4

What's Changed

• Fix npm package by @abronte in #77

Full Changelog: v1.8.3...v1.8.4

v1.8.3

What's Changed

• Linux musl binary by @abronte in #76

Full Changelog: v1.8.2...v1.8.3

v1.8.2

What's Changed

• Supporting project name param by @Ibrahimrahhal in #74

Full Changelog: v1.8.1...v1.8.2

v1.8.1

What's Changed

• Fix OAuth callback race in corgea login by @asadeddin in #73

Full Changelog: v1.8.0...v1.8.1