PKG-Defender: Supply Chain Attack Defense CLI — Stop malicious packages BEFORE they reach your machine or CI pipeline.

Project description

pkg-defender

PKG-Defender (PKGD)

Stop supply chain attacks before they reach your machine or CI pipeline

Highlights

The supply chain attack defense CLI — Cooldown gates, multi-source threat intelligence, command wrappers, CI/CD interception, and lock file dependency auditing for all major package managers.

  • Unified Command Wrapper: pkgd [OPTIONS] MANAGER SUBCOMMAND [PACKAGE...] [MANAGER_OPTIONS...]
    • Wrap any supported "dangerous" package manager command (pkgd pip install requests, pkgd npm install express, pkgd brew upgrade tree, etc.)
    • "Dangerous Commands" are defined as any package manager command that has the potential to put software on your machine (install, update, download, add, sync, etc.)
  • Auto-Detect Manager: automatically detects package manager from project files or system packages
  • Version Detection: get_installed_version() for all 18 package managers across 10 ecosystems enables version comparison
  • Fail-Closed Security: any failure blocks installation with warning and options for informed manual override
  • Alternative PM Coverage: python -m pip, pipx, yarn, pnpm and other alt manager calls all supported
  • Cooldown Gates: configurable time-since-release hold window with per-package, tracked and auditable overrides (ships with a default of 7 days)
  • Multi-source Threat Intelligence: OSV.dev, GHSA, Socket.dev, npm advisories, and more all synced and stored locally (with automatic staleness detection)
  • Social Intelligence Feeds: Mastodon, Reddit, RSS, X/Twitter - free sources shipped / B.Y.O.K. options available (informational only — non-blocking)
  • Lock File Auditing: all major formats: package-lock.json, poetry.lock, requirements.txt, yarn.lock, pnpm-lock.yaml, uv.lock, Pipfile.lock (currently supported formats)
  • Background Daemon: automated background intelligence feed sync with OS-native launchd / systemd / Task Scheduler
  • CI/CD Integration: --fail-on-threat exits on CRITICAL/HIGH for secure pipeline gating

Full Documentation Index →

Why It Exists

The overwhelming frequency of recent supply chain attacks has shown how quickly malicious packages can spread. The threat landscape has changed significantly. Four of the most significant open-source supply chain attacks ever recorded all happened within the last few months of writing:

  • TanStack Router (May 2026): A self-propagating worm compromised 42 @tanstack/* packages and spread to 160+ others across npm and PyPI. The malicious versions carried valid SLSA Build Level 3 provenance attestations, meaning the supply chain controls that the industry spent years building offered zero protection.
  • Axios (March 2026): A North Korea-linked threat actor compromised the lead maintainer's account of the most popular JavaScript HTTP client (~100M weekly downloads) and published a cross-platform RAT targeting macOS, Windows, and Linux. The poisoned versions were live for under 3 hours. Thousands of installs happened anyway.
  • LiteLLM (March 2026): Using tokens stolen via the Trivy compromise, attackers published backdoored releases of a widely-deployed AI gateway (~95M monthly downloads). The payload ran a three-stage attack: harvest SSH keys, AWS/GCP/Azure credentials, and Kubernetes secrets → move laterally across clusters → install a persistent systemd backdoor.
  • Trivy (March 2026): The world's most popular container security scanner was weaponized. Attackers spoofed maintainer commits, pushed a malicious release, and used Trivy's own CI/CD runner access to steal publishing tokens from every downstream project that scanned with it — kicking off a cascade of follow-on attacks.

These incidents succeed because fresh packages are often installed based on trust alone. PKG-Defender adds a practical and secure defense layer: local threat intelligence and dependency auditing combined with a configurable cooldown window to catch the latest threats before they land on your machine, your dependency tree, or your production pipelines.

Installation

From PyPI

# Recommended with uv
uv pip install pkg-defender

# Alternative with pip
pip install pkg-defender

From Homebrew (macOS/Linux)

brew tap divisionseven/pkg-defender
brew install pkg-defender

Tap Trust (Homebrew 6.0.0+)

As of Homebrew 6.0.0, brew's automatic trust evaluation requires explicit trust confirmation for taps. If needed, users may be prompted to run:

brew trust divisionseven/pkg-defender

[!Important] Homebrew installation is not yet available. The formula will be activated upon v1.0.0 release. SHA256 checksums will be updated per-release. Once published, this note will be removed and the above commands will work as shown.

[!Note] The tap formula is available at the homebrew-pkg-defender repository. View Tap →

From Binary (macOS/Linux/Windows)

Pre-built standalone binaries are attached to every GitHub Release:

  • macOS (arm64): pkgd-darwin-arm64
  • macOS (x86_64): pkgd-darwin-amd64
  • Linux (x86_64): pkgd-linux-amd64
  • Windows (x86_64): pkgd-windows-amd64.exe

Each binary has a matching .sha256 checksum file. Download, verify, and run:

# Example for macOS arm64
curl -LO https://github.com/divisionseven/pkg-defender/releases/latest/download/pkgd-darwin-arm64
curl -LO https://github.com/divisionseven/pkg-defender/releases/latest/download/pkgd-darwin-arm64.sha256
shasum -a 256 -c pkgd-darwin-arm64.sha256
chmod +x pkgd-darwin-arm64
./pkgd-darwin-arm64 --help

From Source

git clone https://github.com/divisionseven/pkg-defender
cd pkg-defender

# Using uv (recommended)
uv sync --dev

# Using pip
pip install -e ".[test,lint]"

Full installation guide →

Quick Start

# Simple setup wizard to configure settings,
# add optional secrets, sync intelligence feeds
pkgd setup

# Use the command wrapper pattern to intercept supported commands:
pkgd pip install requests
pkgd npm install express
pkgd brew install tree
# ...and so on

Complete quick start →

CI/CD Usage

pkg-defender is also designed for use in automated pipelines with non-interactive CI mode:

# Use --ci flag to skip all prompts
pkgd --ci pip install axios

# Or set the environment variable
export PKGD_CI=1
pkgd pip install axios

In CI pipelines:

# Quick audit with snapshots (faster)
pkgd db snapshot --download
pkgd audit --fail-on-threat -o json

# Or sync for most current data
pkgd intel sync
pkgd audit --fail-on-threat --output json

Environment setup:

| Variable | Description |
| --- | --- |
| PKGD_CI=1 | Enable non-interactive mode |
| PKGD_GITHUB_TOKEN | GHSA API token (higher rate limits); alternatively set feeds.ghsa_token in pkgd.toml |
| PKGD_FEEDS_SOCKET_API_KEY | Socket.dev API key (legacy: PKGD_TWITTER_API_KEY) |

GitHub Actions CI Integration Example Flow

┌─────────────────────────────────────────────────────────────────┐
│                      Example CI Pipeline                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│   divisionseven/pkg-defender-action@v1                          │
│         │                                                       │
│         ├──▶ Check Cache (GitHub Actions)                       │
│         │         │                                             │
│         │         ├──▶ HIT: Use cached DB (<6 hours old)        │
│         │         │                                             │
│         │         └──▶ MISS: Download fresh snapshot            │
│         │                   │                                   │
│         │                   └──▶ SHA256 Verify                  │
│         │                             │                         │
│         │                             ├──▶ FAIL: Rebuild        │
│         │                             │                         │
│         │                             └──▶ SUCCESS: Use DB      │
│         │                                                       │
│         ├──▶ Run pkgd audit                                     │
│         │         │                                             │
│         │         └──▶ Find vulnerabilities?                    │
│         │                   │                                   │
│         │                   ├──▶ YES: Create PR annotations     │
│         │                   │         │                         │
│         │                   │         └──▶ Exit 4 (fail-on)     │
│         │                   │                                   │
│         │                   └──▶ NO: Exit 0 (pass)              │
│         │                                                       │
│         └──▶ Done                                               │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
        │                                             ▲
        │           GitHub Snapshot Releases          │
        │      ┌───────────────────────────────┐      │
        └─────▶│  threats-latest.db.gz         │──────┘
               │  threats-latest.db.gz.sha256  │
               └───────────────────────────────┘
                                ▲
            Published           │
            Every 6 Hours       │
            (GitHub Actions)    │
                                │
                ┌───────────────┴──────────────┐
                │                              │
                │       build_snapshot.py      │
                │               │              │
                │      ┌────────┼────────┐     │
                │      │        │        │     │
                │     OSV     GHSA     OSSF    │
                │                              │
                │      (Tier 1 Feeds Only)     │
                │                              │
                ├──────────────────────────────┤
                │     PKG-Defender GitHub      │
                └──────────────────────────────┘

Full CI/CD guide →
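
The cache, verify and rebuild branches of the flow above, as an added Python example (not the action's own code). It assumes the .sha256 sidecar uses the shasum `<digest>  <filename>` layout; `parse_sidecar()` and `select_database()` are hypothetical names and the sample snapshot is constructed.

```python
import gzip
import hashlib
import hmac
import zlib

CACHE_MAX_AGE_HOURS = 6                  # page: cached DB is used when < 6 hours old
SNAPSHOT_NAME = "threats-latest.db.gz"   # page: snapshot release asset


def parse_sidecar(text, expected_name=SNAPSHOT_NAME):
    """Return the digest from a '<sha256>  <name>' sidecar, or None if malformed."""
    parts = text.split()
    if not parts:
        return None
    digest = parts[0].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        return None
    # A sidecar that names a different file must not vouch for this one.
    if len(parts) > 1 and parts[1].lstrip("*") != expected_name:
        return None
    return digest


def select_database(cache_age_hours, snapshot_gz, sidecar_text):
    """Follow the diagram: cache HIT, else verified snapshot, else rebuild."""
    if cache_age_hours is not None and 0 <= cache_age_hours < CACHE_MAX_AGE_HOURS:
        return "cache", None
    expected = parse_sidecar(sidecar_text or "")
    if expected is None or not snapshot_gz:
        return "rebuild", None
    # Hash the compressed bytes first; nothing is decompressed until they match.
    actual = hashlib.sha256(snapshot_gz).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "rebuild", None
    try:
        return "snapshot", gzip.decompress(snapshot_gz)
    except (OSError, EOFError, zlib.error):
        return "rebuild", None


# Constructed sample: a stand-in database body, its gzip, and a matching sidecar.
SAMPLE_DB = b"SQLite format 3\x00constructed-threat-rows"
SAMPLE_GZ = gzip.compress(SAMPLE_DB, mtime=0)
SAMPLE_SIDECAR = f"{hashlib.sha256(SAMPLE_GZ).hexdigest()}  {SNAPSHOT_NAME}\n"

if __name__ == "__main__":
    tampered = SAMPLE_GZ[:-1] + bytes([SAMPLE_GZ[-1] ^ 1])
    print(select_database(2.5, None, None)[0])
    print(select_database(None, SAMPLE_GZ, SAMPLE_SIDECAR)[0])
    print(select_database(9.0, tampered, SAMPLE_SIDECAR)[0])
```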

How It Works

  1. Intercept — Command wrappers (pkgd pip install, pkgd npm install) wrap package manager commands across 18 package managers in 10 ecosystems.
  2. Check — check_package() queries the local SQLite threat database (zero network I/O).
  3. Inform — social intelligence feeds add community-sourced early warnings (never blocks).
  4. Cooldown — Package age is checked against the configured window (default: 7 days).
  5. Decide — Threats scoring ≥ 0.3 are blocked; social feed findings are informational only.
  6. Sync — Background daemon periodically refreshes threat intelligence from 9 feeds.

Threat scoring concepts →
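
The decision order in steps 2 to 5, written out as an added Python example; this is not PKG-Defender's own code. `CooldownPolicy`, `Verdict`, `decide()`, the reason codes and the override precedence (package, then ecosystem, then default) are assumptions made for illustration; the 0.3 threshold, the 7-day default and the cooldown-exempt managers (apt, yum, dnf) come from this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

BLOCK_THRESHOLD = 0.3                 # page: threats scoring >= 0.3 are blocked
AUDIT_TIER = {"apt", "yum", "dnf"}    # page: cooldown check is skipped for these


@dataclass
class CooldownPolicy:
    """Mirrors the [cooldown] keys shown in the page's pkgd.toml."""
    default_days: int = 7
    enabled: bool = True
    per_ecosystem: dict = field(default_factory=dict)
    overrides: dict = field(default_factory=dict)

    def window(self, ecosystem, package):
        # Assumed precedence: package override, then ecosystem, then default.
        days = self.overrides.get(
            package, self.per_ecosystem.get(ecosystem, self.default_days))
        return timedelta(days=days)


@dataclass
class Verdict:
    allowed: bool
    reason: str                       # hypothetical reason codes
    notes: list = field(default_factory=list)


def decide(package, ecosystem, manager, published_at, threat_score,
           social_hits, policy, now):
    """Apply Check, Inform, Cooldown and Decide to one package version."""
    notes = [f"social: {hit}" for hit in social_hits]  # informational, never blocks
    # Fail closed: a lookup that produced no score is treated as a block.
    if threat_score is None:
        return Verdict(False, "lookup-failed", notes)
    if threat_score >= BLOCK_THRESHOLD:
        return Verdict(False, "threat", notes)
    if not policy.enabled or manager in AUDIT_TIER:
        notes.append("cooldown not evaluated")
        return Verdict(True, "ok", notes)
    # Fail closed again: without a publish timestamp the age cannot be shown.
    if published_at is None:
        return Verdict(False, "no-timestamp", notes)
    window = policy.window(ecosystem, package)
    if now - published_at < window:
        notes.append(f"eligible at {(published_at + window).isoformat()}")
        return Verdict(False, "cooldown", notes)
    return Verdict(True, "ok", notes)


if __name__ == "__main__":
    now = datetime(2026, 7, 3, tzinfo=timezone.utc)   # constructed clock
    policy = CooldownPolicy(overrides={"react": 14})
    # Constructed case: a clean package published two days ago is still held.
    print(decide("express", "npm", "npm", now - timedelta(days=2),
                 0.0, [], policy, now))
```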

Threat Intelligence

pkg-defender syncs from 9 feeds: 6 structured (OSV.dev, GHSA, npm advisory, OSSF Malicious Package List, RSS, Homebrew) and 3 social (Mastodon, Reddit, X/Twitter). Socket.dev is also available as a point-query source (not bulk sync). Structured feeds can block installs; social feeds are informational only. Feeds sync on configurable intervals with staleness detection.

Full threat feed guide →

Auditing

Scan 7 lock file formats for known threats and cooldown-pending packages. Output in rich terminal, JSON, or CSV. Use --fail-on-threat for CI/CD pipeline gating (exits 4 on CRITICAL/HIGH only).

Auditing guide →

Tab Completion

Automatic tab completion for pkgd commands in bash, zsh, and fish. Generated via pkgd completion generate.

[!Note] PowerShell and Nushell are accepted as CLI arguments for consistency with other shell commands, but Click's built-in completion only supports bash, zsh, and fish natively. Custom completion scripts for PowerShell/Nushell will be added in a future release if demand is proven.

# Bash (one of):
pkgd completion generate bash > /etc/bash_completion.d/pkgd  # system-wide
pkgd completion generate bash > ~/.local/share/bash-completion/completions/pkgd  # user

# Zsh
pkgd completion generate zsh > ~/.zsh/completions/_pkgd

# Fish
pkgd completion generate fish | source

Restart your shell after installation to enable completion.

Tab completion guide →

Configuration

Config Loading Order

Configuration is loaded in this order (later sources override earlier):

  1. Built-In Defaults
  2. System Config (/etc/pkgd/pkgd.toml) — loaded first, can be overridden
  3. User Config (~/.config/pkg-defender/pkgd.toml, platform equivalent) — overrides system
  4. Project Config (./pkgd.toml or nearest parent) — highest file priority
  5. PKGD_CONFIG_PATH environment variable — only consulted if config_path param is None
  6. PKGD_* environment variable overrides — highest priority, always applied

Config TOML File

Default global config file with all values — automatically generated during pkgd setup for effortless customization. Generated at project-level with cd path/to/project && pkgd setup --init

[cooldown]

# Minimum age in days before a new package version is allowed.
# Default: 7
default_days = 7

# Whether cooldown checking is active. Set false to disable entirely.
# Default: True
enabled = true

# If True, audit exits non-zero when threats are found during cooldown enforcement.
# If False, audit exits zero even with threats (weakened security posture).
# Default: True
strict_mode = true

# If True, a reason must be provided when bypassing the cooldown.
# Default: True
bypass_require_reason = true

# Number of days to retain bypass audit log entries.
# Note: Displayed in config listings only — no auto-prune enforcement code.
# Default: 90
bypass_log_retention_days = 90

[cooldown.overrides]
# Per-package cooldown days override (package name → days).
# Package names must be quoted to avoid TOML parsing errors.
# Examples:
#   "react" = 14
#   "@babel/core" = 21
#   "some-package" = 7

[cooldown.per_ecosystem]
# Per-ecosystem cooldown window overrides (ecosystem → days).
# Examples:
#   npm = 7
#   pypi = 14

# …continued

Full configuration reference →

Command Reference

| Base Command Group | Description |
| --- | --- |
| pkgd audit | Scan lock files for threats and cooldown-pending packages |
| pkgd status | Show recent threats, bypasses, and feed state |
| pkgd bypass | Create bypass for a blocked package |
| pkgd health | Check system health |
| pkgd reset | Reset all data (database, config, feeds) |
| pkgd setup | Interactive first-run setup wizard |
| pkgd audit-logs | Query and manage audit event logs |
| pkgd logs | View and manage pkg-defender logs |
| pkgd completion | Generate shell completion scripts |
| pkgd hooks | Generate shell functions for wrapped manager commands |
| pkgd intel sync | Sync all threat intelligence feeds |
| pkgd intel search | Search local threat database |
| pkgd intel report | Threat intelligence dashboard |
| pkgd config view | Display current configuration |
| pkgd config list | List all configuration values with sources |
| pkgd config set | Set a config value (dot notation) |
| pkgd config set-secret | Set a secret configuration value with hidden input |
| pkgd config get | Get a specific configuration value |
| pkgd config reset | Reset to defaults |
| pkgd config options | List all configurable options with descriptions |
| pkgd daemon | Background daemon for periodic sync |
| pkgd db snapshot | Download/verify database snapshots |
| pkgd db verify | Verify local database integrity and report summary |

Global Flags

These flags apply to every pkgd command:

| Flag(s) | Description |
| --- | --- |
| --version, -V | Show version information |
| --help | Show help message and exit |
| --config, -c | Path to configuration file (default: platform-dependent) |
| --quiet, -q | Suppress all non-error output |
| --verbose, -v | Increase verbosity (-v=INFO, -vv=DEBUG) |
| --no-verbose | Disable verbose output (overrides PKGD_OUTPUT_VERBOSE) |
| --debug, -d | Show full tracebacks for unexpected errors |
| --no-color | Disable colored terminal output |
| --ascii | Force ASCII-only output (useful on Windows or CI) |
| --yes, -y | Auto-confirm all prompts |
| --force, -f | Force operations (skip confirmations, overwrite files) |
| --dry-run, -n | Show what would happen without making changes |
| --ci, --non-interactive | Run in non-interactive CI/CD mode (reads PKGD_CI) |
| --explain | Show detailed explanation of why packages were blocked |
| --json | Output results as JSON |

Command-Specific Flags

| Command | Flag(s) | Description |
| --- | --- | --- |
| pkgd audit | --deep, -d | Perform deep scan (include cooldown status checks) |
| pkgd audit | --fail-on-threat, -f | Exit with code 4 if CRITICAL or HIGH threats detected (CI/CD) |
| pkgd audit | --since | Only flag threats seen within duration (e.g., 7d, 24h) |
| pkgd audit | --output, -o | Output format: rich, json, csv (default: rich) |
| pkgd status | --feeds | Show per-feed health status |
| pkgd health | --output, -o | Output format: rich, json (default: rich) |
| pkgd setup | --init, -i | Create pkgd.toml with defaults |
| pkgd setup | --shell, -s | Override auto-detected shell |
| pkgd bypass | --manager, -m | Package manager (default: npm) |
| pkgd bypass | --reason | Reason for bypass (required) |
| pkgd bypass | --expires | Bypass expiry duration (e.g., 24h, 7d, 30m) |
| pkgd intel sync | --exclude-feed | Exclude a specific feed (repeatable) |
| pkgd logs view | --lines, -n | Number of lines to show (default: 100) |
| pkgd db snapshot | --download, -d | Download latest threat intelligence snapshot |
| pkgd db snapshot | --verify, -v | Verify local database integrity |
| pkgd reset | --teardown, -t | Full teardown (remove database and config) |
| pkgd audit-logs query | --ecosystem | Filter audit log entries by ecosystem |
| pkgd audit-logs query | --verdict | Filter by verdict (PASS, PARTIAL_PASS, FAIL, BLOCKED, WARN, ERROR) |

Environment Variables

| Variable | Affects | Description |
| --- | --- | --- |
| PKGD_DRY_RUN | --dry-run default | When set to 1, enables dry-run mode by default |
| PKGD_OUTPUT_VERBOSE | --no-verbose | Override verbose output at the environment level |
| PKGD_CI | --ci mode | When set to 1, forces CI mode (non-interactive) |
| PKGD_CONFIG_PATH | Config loading | Path to configuration file (alternative to --config) |

Full CLI reference →

Supported Ecosystems

Ecosystem Coverage Tier Key:

The ecosystem's package publication timestamp source/availability (for use in cooldown calculation) determines the tier assignment:

  • FULL: Threat check runs, cooldown check runs, verified publish timestamps available
  • PARTIAL: Threat check runs, cooldown check runs, proxied publish timestamps available
  • AUDIT: Threat check runs, cooldown check is SKIPPED (no reliable registry publish timestamp source available)

FULL and PARTIAL are functionally identical in terms of what checks run. The difference is in the quality of the timestamp source:

  • FULL means the timestamps are cryptographically verified/authoritative (PyPI native API, npm registry, etc.)
  • PARTIAL means they're proxied/approximate but still usable for cooldown (GitHub Releases/Tags API, Libraries.io, etc.)

| Ecosystem | Manager | Registry Adapter | Coverage Tier | Lock File | Wrapper |
| --- | --- | --- | --- | --- | --- |
| npm | npm, yarn, pnpm, bun | Yes | FULL / PARTIAL | package-lock.json, yarn.lock, pnpm-lock.yaml | Yes |
| PyPI | pip, pipx, poetry, pipenv, uv | Yes | FULL / PARTIAL | requirements.txt, poetry.lock, Pipfile.lock, uv.lock | Yes |
| Cargo | cargo | Yes | FULL | | Yes |
| RubyGems | gem, bundler | Yes | FULL / PARTIAL | | Yes |
| Packagist | composer | Yes | FULL | | Yes |
| Homebrew | brew | Yes | PARTIAL | | Yes |
| APT | apt | Yes | AUDIT | | Yes |
| Yum | yum | Yes | AUDIT | | Yes |
| DNF | dnf | Yes | AUDIT | | Yes |
| Conda | conda | Yes | FULL | | Yes |

Full ecosystem guide →

Dependencies

[!NOTE] Each dependency below includes a pre-crafted audit link: a Google-dorking search query scoped to supply chain attacks, compromises, and security advisories for that package, filtered to the past year.

This is intentional. PKG-Defender exists because developers install packages on trust alone; we think that habit should stop, including with tools like ours. Before installing PKG-Defender in a sensitive environment, we encourage you to click through and do a 30-second check on each of our dependencies. That's exactly the kind of scrutiny this project was built to promote.

| PyPI Link | Purpose | Audit Link |
| --- | --- | --- |
| aiohttp | Async HTTP for feed sync and registry lookups | AUDIT ME → |
| click | CLI framework | AUDIT ME → |
| defusedxml | Safe XML parsing for RPM repodata | AUDIT ME → |
| feedparser | Atom/RSS feed parsing | AUDIT ME → |
| packaging | Python version spec parsing | AUDIT ME → |
| platformdirs | Platform-appropriate config/data directories | AUDIT ME → |
| pyyaml | YAML parsing for pnpm-lock.yaml lock files | AUDIT ME → |
| rich | Terminal output formatting | AUDIT ME → |
| tomlkit | TOML config file read/write (setup wizard) | AUDIT ME → |
| zstandard | Zstandard decompression for RPM repodata | AUDIT ME → |

See current dependency list →

Contributing

Makefile

For common development tasks, you can use the Makefile:

| Command | Description |
| --- | --- |
| make install | Install all dependencies |
| make lint | Check code style |
| make typecheck | Type checking |
| make test | Run tests |
| make check | Run lint, typecheck, and tests |
| make build | Build the package |
| make clean | Clean build artifacts |

Direct

Use uv directly:

uv run pytest
uv build
# continued...

See CONTRIBUTING.md →

Support & Community

PKG-Defender Sponsors

GitHub Sponsors BuyMeACoffee

[!Note] PKG-Defender is free and open-source software, built and maintained independently. If the tool provides value to your workflow or organization, consider supporting its continued development, and starring the project so that others can find it.

Your support helps fund ongoing maintenance, feature development, and infrastructure costs — keeping the project available to everyone at no cost. Thank you.

Join the Conversation

GitHub Issues GitHub Discussions

Security

[!Important] While PKG-Defender aims to provide practical defense against supply chain threats, no tool can ever guarantee complete protection. Threats may evolve faster than intelligence feeds, and sophisticated attacks may evade public detection. This tool is intended to be used as one layer of a broader security strategy — not as a silver bullet.

PKG-Defender is in active development and we strive to continually evolve in response to the modern threat landscape.

See SECURITY.md →

See DISCLAIMER.md →

Security Model Limitations (v1)

PKG-Defender is a practical defense layer, not a guarantee. Understanding its architectural boundaries helps you calibrate expectations and deploy it where it adds the most value for you and your organization.

Shell Functions Protect Interactive CLI Use Only

PKG-Defender protects interactive pip install, npm install, and similar CLI commands by wrapping package manager invocations via shell functions, or via direct invocation. If you do not directly wrap manager commands in non-interactive environments (pkgd [OPTIONS] MANAGER SUBCOMMAND [PACKAGE...] [MANAGER_OPTIONS...]), your configured shell functions will not protect:

  • Dockerfiles / container builds — RUN pip install inside a Dockerfile does not pass through pkgd shell functions.
  • CI/CD scripts — Unless explicitly configured to use pkgd <manager> instead of the bare manager command.
  • Automated / headless installs — Scripts, Makefiles, or system package operations that call the package manager directly.

After clearing a command, os.execvp() replaces the pkgd process with the real package manager, leaving zero runtime overhead.
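
A check for the gap described above: it scans a Dockerfile, CI script or Makefile for bare install-type commands that never pass through pkgd. This is an added example, not part of PKG-Defender; the function names, the alias map, the apt update exclusion and the sample inputs are assumptions, and the verb list is limited to the ones this page names.

```python
import re
import shlex

# The 18 managers named in the page's Supported Ecosystems table.
MANAGERS = {
    "npm", "yarn", "pnpm", "bun", "pip", "pipx", "poetry", "pipenv", "uv",
    "cargo", "gem", "bundler", "composer", "brew", "apt", "yum", "dnf", "conda",
}
ALIASES = {"pip3": "pip", "apt-get": "apt", "bundle": "bundler"}  # assumed aliases
# Verbs the page calls "dangerous", plus upgrade from its brew example.
DANGEROUS = {"install", "update", "upgrade", "download", "add", "sync"}
NOT_INSTALLING = {("apt", "update")}  # assumption: index refresh only

_PREFIX = re.compile(r"^\s*(?:-\s+)?(?:run:\s*|RUN\s+)?")  # YAML "- run:", Dockerfile RUN
_SPLIT = re.compile(r"&&|\|\||;|\|")  # naive split: does not honour quoting
_ENV = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")
_PYTHON = re.compile(r"^python(\d+(\.\d+)?)?$")


def _logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations folded."""
    buf, start = [], None
    for number, raw in enumerate(text.splitlines(), 1):
        start = start or number
        buf.append(raw.rstrip().removesuffix("\\"))
        if not raw.rstrip().endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def _classify(tokens):
    """Return (manager, verb) for a bare install-type command, else None."""
    while tokens and (_ENV.match(tokens[0]) or tokens[0] == "sudo"):
        tokens = tokens[1:]
    if not tokens or tokens[0] == "pkgd":  # wrapped commands are fine
        return None
    head = tokens[0].rsplit("/", 1)[-1]
    if _PYTHON.match(head) and tokens[1:3] == ["-m", "pip"]:
        manager, rest = "pip", tokens[3:]
    else:
        manager, rest = ALIASES.get(head, head), tokens[1:]
    words = [t for t in rest if not t.startswith("-")]
    if manager == "uv" and words[:1] == ["pip"]:
        words = words[1:]
    if manager in MANAGERS and words and words[0] in DANGEROUS:
        if (manager, words[0]) not in NOT_INSTALLING:
            return manager, words[0]
    return None


def find_unwrapped(text):
    """List (line, manager, verb) for commands that never pass through pkgd."""
    findings = []
    for number, line in _logical_lines(text):
        if line.lstrip().startswith("#"):
            continue
        for segment in _SPLIT.split(_PREFIX.sub("", line, count=1)):
            try:
                tokens = shlex.split(segment, comments=True)
            except ValueError:  # unbalanced quote inside a fragment
                tokens = segment.split()
            hit = _classify(tokens)
            if hit:
                findings.append((number, *hit))
    return findings


# Constructed sample inputs.
SAMPLE_DOCKERFILE = """\
FROM python:3.13-slim
# pip install inside a comment is ignored
RUN apt-get update && \\
    apt-get install -y curl
RUN python -m pip install --no-cache-dir requests
RUN pkgd --ci pip install flask
"""
SAMPLE_WORKFLOW = """\
steps:
  - run: PKGD_CI=1 pkgd npm install express
  - run: |
      uv pip install -r requirements.txt
      sudo npm install -g typescript; echo "npm install done"
"""

if __name__ == "__main__":
    for number, manager, verb in find_unwrapped(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{number}: bare {manager} {verb} bypasses the pkgd wrapper")
```

Run as a pre-merge check, a non-empty result means at least one install path in the file is outside PKG-Defender's gate.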

No Transitive Dependency Resolution

pkgd audit currently inspects top-level packages only. Transitive dependency scanning is planned for a future release.

Post-Execution Audit Gap

PKG-Defender records its pre-install assessment in the audit log — the verdict, config state, and threat analysis at decision time. However, because os.execvp() replaces the process, pkgd cannot verify whether the install actually succeeded or whether the package manager encountered an error. To confirm outcomes, cross-reference pkgd's audit log (pkgd audit-logs) with your package manager's actual installed state.

AUDIT-Tier Managers Have No Cooldown Protection

Package managers on the AUDIT coverage tier (apt, yum, dnf) receive threat-detection-only protection — the threat database IS queried, but cooldown verification is skipped (these ecosystems lack reliable publish timestamps).

Scoring Threshold Is a Tunable Heuristic

The block threshold (0.3 in checker.py) is a starting value chosen through reasoned defaults, not empirical validation against real-world attack data. It may produce false positives (blocking legitimate packages) or false negatives (allowing malicious packages whose threat signals don't reach the threshold). Users deploying in sensitive environments should test and adjust this value.

Pre-Existing Attacks

PKG-Defender cannot protect against attacks that are already in motion at install time. The tool assesses threat signals from intelligence feeds, not runtime behavior.

Signal-Based Cooldown

The v1 release provides signal-based cooldown escalation where threat severity can dynamically extend cooldown windows. Verified advisories trigger an immediate block, and Tier 3 social signals extend the cooldown window. However, users cannot configure per-signal thresholds or escalation policies directly; the behavior is hard-coded in the step_check_cooldown() pipeline.

License

PKG-Defender is distributed under Apache-2.0 →

Acknowledgements

PKG-Defender would not be possible without the following external projects, services, data sources, libraries, and tools. Thank you for your contributions.

Threat Intelligence Data Sources

Package Registries

  • npm — npm registry (npm, Inc.)
  • PyPI — Python Package Index (Python Software Foundation)
  • RubyGems — Ruby gem server
  • crates.io — Rust package registry
  • Packagist — PHP/Composer package repository
  • Homebrew — macOS/Linux package manager (formulae.brew.sh)
  • Anaconda — Python/R data science distribution (Anaconda Inc.)
  • conda-forge — Community-led conda package channel

Timestamp Resolution Services

Social & Community Data Sources

Security Blog RSS Feeds

Security intelligence aggregated from blog RSS feeds:

  • Socket.dev blog, Snyk blog, OpenSSF blog, GitHub Security blog, GitGuardian blog, Sonatype blog

Runtime Dependencies

PKG-Defender's runtime dependencies are listed in the Dependencies table above with full transparency audit links.

  • aiohttp — Async HTTP for feed sync and registry lookups
  • click — CLI framework
  • defusedxml — Safe XML parsing for RPM repodata
  • feedparser — Atom/RSS feed parsing
  • packaging — Python version spec parsing
  • platformdirs — Platform-appropriate config/data directories
  • PyYAML — YAML parsing for pnpm-lock.yaml lock files
  • rich — Terminal output formatting
  • tomlkit — TOML config file read/write (setup wizard)
  • zstandard — Zstandard decompression for RPM repodata

Development & Build Tools

CI/CD & Infrastructure

  • GitHub Actions — CI/CD and snapshot automation
  • Codecov — Code coverage reporting
  • shields.io — Badge generation service
  • Trivy — Container image vulnerability scanner (Aqua Security)
  • Docker — Container runtime and image distribution

Community Standards

ASCII Art & Branding

  • artty — ASCII art generation for the PKG-Defender logo banner (used offline in development for asset generation)

Last updated: 2026-07-03


Project details


Download files

Source Distribution

pkg_defender-1.0.0.tar.gz (2.0 MB view details)

Uploaded Source

Built Distribution

pkg_defender-1.0.0-py3-none-any.whl (395.7 kB view details)

Uploaded Python 3

File details

Details for the file pkg_defender-1.0.0.tar.gz.

File metadata

  • Download URL: pkg_defender-1.0.0.tar.gz
  • Upload date:
  • Size: 2.0 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for pkg_defender-1.0.0.tar.gz
Algorithm Hash digest
SHA256 f6fd5d7cff291418d7c94e0cac35d2b45c30db3a254837dd775efd8a4a3793d1
MD5 e5e71737ce475964d5b0a9b86008318c
BLAKE2b-256 70e26f1c9c6e2deb6c9ce810b5d2d80f1cbfe946d71ddb4b0e4883b47ad8f4c1

Provenance

The following attestation bundles were made for pkg_defender-1.0.0.tar.gz:

Publisher: release.yml on divisionseven/pkg-defender

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pkg_defender-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: pkg_defender-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 395.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for pkg_defender-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a9f22fec0b90cc9c0537ca81a5502972bb192f17c356de941d4c95ca48244120
MD5 e259e70321c860b4840885dad8f37e08
BLAKE2b-256 e35d119eb9f3d643f83cd60dc5b1acab338512003a520aaa17084484d88425fd

Provenance

The following attestation bundles were made for pkg_defender-1.0.0-py3-none-any.whl:

Publisher: release.yml on divisionseven/pkg-defender

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
