
v0.3.0 - Critical Security Fixes


@ProduktEntdecker ProduktEntdecker released this 06 Jan 21:23

Security - Critical Fixes from Security Audit

BREAKING: Fail-closed behavior on network errors

  • Previously: a network error was reported as "no vulnerabilities", so an outage or blocked network path let the install through (DANGEROUS)
  • Now: a network error denies the install with a clear message stating that the check could not be completed

Parser bypass fixes:

  • Commands invoked by full path are now detected (/usr/bin/npm, ~/.nvm/.../npm)
  • npx -p <pkg> and --package=<pkg> flags now scanned
  • npm link, yarn link, bun link commands now detected
  • eval "npm install ..." with quoted strings now parsed
  • 16 additional command wrappers added (caffeinate, watch, xargs, proxychains, etc.)
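As an added illustration of the bypass classes listed above (example code written for these notes, not patchpilot's own parser): a small scanner that tokenises a shell line with quote handling, strips wrapper programs and path prefixes, re-parses the string given to eval, and reports the package specs an install, add, link or npx invocation would fetch. The wrapper and subcommand lists are a constructed sample, not the project's full list, and the function names are this example's own.

```javascript
// Added example, not patchpilot's code. Extracts the packages a shell command
// would install, covering full-path binaries, wrapper programs, eval with a
// quoted string, npx -p / --package=, and the link subcommands.

// Package managers recognised regardless of how they are invoked.
const PACKAGE_MANAGERS = new Set(["npm", "npx", "yarn", "pnpm", "bun"]);

// Wrapper programs that run the command given in their arguments
// (a constructed sample of the kind the release notes mention).
const WRAPPERS = new Set(["sudo", "env", "time", "nohup", "nice", "caffeinate",
  "watch", "xargs", "proxychains"]);

// Subcommands that fetch code from a registry or link a local package.
const INSTALL_SUBCOMMANDS = new Set(["install", "i", "add", "link", "ci", "exec"]);

// Split a command line into tokens, honouring single and double quotes so that
// eval "npm install foo" yields the inner command as a single token.
function tokenize(line) {
  const tokens = [];
  let cur = "";
  let quote = null;
  let inToken = false;
  for (const ch of line) {
    if (quote) {
      if (ch === quote) quote = null;
      else cur += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch; inToken = true;
    } else if (/\s/.test(ch)) {
      if (inToken) { tokens.push(cur); cur = ""; inToken = false; }
    } else {
      cur += ch; inToken = true;
    }
  }
  if (inToken) tokens.push(cur);
  return tokens;
}

// Reduce "/usr/bin/npm" or "~/.nvm/versions/node/v20/bin/npm" to "npm".
function basename(token) {
  return token.slice(token.lastIndexOf("/") + 1);
}

// Packages a single simple command would fetch; [] if it is not a package
// manager invocation. Arguments piped in via xargs are not resolved here.
function extractPackages(tokens) {
  let i = 0;
  while (i < tokens.length) {
    const tok = tokens[i];
    // Skip environment assignments such as FOO=bar before the program name.
    if (/^[A-Za-z_]\w*=/.test(tok)) { i++; continue; }
    const name = basename(tok);
    if (WRAPPERS.has(name)) {
      // Skip the wrapper and its leading flags: "sudo -E", "watch -n 5".
      i++;
      while (i < tokens.length && tokens[i].startsWith("-")) i++;
      continue;
    }
    if (name === "eval" && tokens[i + 1]) {
      // eval "npm install x": re-parse the quoted string as a command.
      return extractPackages(tokenize(tokens.slice(i + 1).join(" ")));
    }
    break;
  }
  if (i >= tokens.length) return [];
  const pm = basename(tokens[i]);
  if (!PACKAGE_MANAGERS.has(pm)) return [];
  const args = tokens.slice(i + 1);
  const pkgs = [];

  if (pm === "npx") {
    // With -p/--package the positional is a binary to run; without them the
    // first positional is itself the package that gets downloaded.
    let explicit = false;
    for (let j = 0; j < args.length; j++) {
      const a = args[j];
      if (a === "-p" || a === "--package") {
        if (args[j + 1]) { pkgs.push(args[++j]); explicit = true; }
      } else if (a.startsWith("--package=")) {
        pkgs.push(a.slice("--package=".length)); explicit = true;
      } else if (!a.startsWith("-")) {
        if (!explicit) pkgs.push(a);
        break;
      }
    }
    return pkgs;
  }

  if (args.length === 0 || !INSTALL_SUBCOMMANDS.has(args[0])) return [];
  // "npm link" with no argument links the cwd; with arguments it installs them.
  for (const a of args.slice(1)) if (!a.startsWith("-")) pkgs.push(a);
  return pkgs;
}

// Split on shell separators and scan each simple command.
function scanCommandLine(line) {
  const found = [];
  for (const part of line.split(/\s*(?:&&|\|\||;|\|)\s*/)) {
    found.push(...extractPackages(tokenize(part)));
  }
  return found;
}
```

scanCommandLine returns the specs a fail-closed hook would then look up; a command whose arguments it cannot resolve (for example an install list piped through xargs) yields an empty result here, which is exactly the case a production scanner must treat as "unknown" rather than "clean".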

Changes

  • OSV API calls now run in parallel: one round of requests instead of n sequential ones, so latency is O(1) instead of O(n)
  • Reduced per-request timeout from 8s to 4s
  • Removed all uses of the any type for better type safety
  • Added CheckResult type to distinguish success vs error
  • 20 new security tests (87 total)
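The fail-closed change and the new success-versus-error result type belong together, so here is one added example (written for these notes, not patchpilot's code) that shows both: a CheckResult that keeps "lookup failed" distinct from "lookup found nothing", a per-request timeout, parallel lookups, and the old fail-open decision beside the new fail-closed one. The lookup function is a constructed stand-in for the OSV API call, and all names here are this example's own.

```javascript
// Added example, not patchpilot's code. CheckResult separates a successful
// query (with its findings) from a failed one, and the decision functions
// show why collapsing the two is unsafe.

// CheckResult: { ok: true, vulns: string[] } | { ok: false, error: string }
function success(vulns) { return { ok: true, vulns }; }
function failure(error) { return { ok: false, error }; }

// Query one package. `lookup(pkg)` is a constructed stand-in for the OSV
// call: it resolves to an array of advisory ids or rejects on a network error.
// A hung request is converted into a failure after timeoutMs.
async function checkPackage(pkg, lookup, timeoutMs) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`timeout after ${timeoutMs}ms`)), timeoutMs);
  });
  try {
    const vulns = await Promise.race([lookup(pkg), timeout]);
    return success(vulns);
  } catch (err) {
    return failure(err.message);
  } finally {
    clearTimeout(timer);
  }
}

// Fail-open (the pre-0.3.0 behaviour described above): a failed lookup
// contributes no findings, so an outage or a blocked network path is
// indistinguishable from a clean result and the install is allowed.
function decideFailOpen(results) {
  const vulns = results.flatMap((r) => (r.ok ? r.vulns : []));
  return { allow: vulns.length === 0, vulns, errors: [] };
}

// Fail-closed: any failed lookup denies the install and reports the error,
// so the caller can tell "clean" from "could not check".
function decideFailClosed(results) {
  const errors = results.filter((r) => !r.ok).map((r) => r.error);
  const vulns = results.filter((r) => r.ok).flatMap((r) => r.vulns);
  return { allow: errors.length === 0 && vulns.length === 0, vulns, errors };
}

// Query every package concurrently: total wait is one round trip, not n.
// The 4000 ms default mirrors the per-request timeout in these notes.
async function scan(packages, lookup, { timeoutMs = 4000, failClosed = true } = {}) {
  const results = await Promise.all(packages.map((p) => checkPackage(p, lookup, timeoutMs)));
  return failClosed ? decideFailClosed(results) : decideFailOpen(results);
}
```

Because each result carries its own error, a denial message can say which lookups failed and why; a boolean "vulnerable or not" could never distinguish a timeout from an empty advisory list.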

Installation (Alpha Testers)

From npm tarball

npm install -g https://github.com/ProduktEntdecker/patchpilot-cli/releases/download/v0.3.0/patchpilot-0.3.0.tgz

From GitHub directly

npm install -g github:ProduktEntdecker/patchpilot-cli#v0.3.0

Setup Claude Code Hook

Add to ~/.claude/settings.json:

{
  "hooks": {
    "PreToolUse": [{
      "matcher": "Bash",
      "hooks": [{
        "type": "command",
        "command": "patchpilot",
        "timeout": 10
      }]
    }]
  }
}