arnica / depsguard

Public

Harden your package manager configs against supply chain attacks.

100% credibility
Found Apr 08, 2026 at 19 stars.
AI Analysis
Rust
AI Summary

DepsGuard scans package manager configurations for security risks like new release delays and script blocking, offering interactive fixes with backups.

How It Works

1
🔍 Discover protection from risky updates

You hear about a simple tool that checks and secures your project setups against sneaky attacks from new software releases.

2
📥 Get the tool

Download the ready-to-run program for your computer with a quick click—no complicated setup needed.

3
🚀 Run the checker

Launch it and let it quietly scan your current project safety settings across your folders.

4
⚠️ Spot the weak spots

A clear list pops up showing exactly what's unsafe, like rushed new releases or risky scripts, making risks easy to understand.

5
Pick and apply fixes

Toggle what to improve, preview changes safely, and hit go—it updates everything while saving backups just in case.

6
🔄 Check it's all good

It rescans automatically to confirm your setups are now hardened and protected.

🛡️ Projects fully guarded

Rest easy knowing your work is shielded from supply chain tricks, with easy restores if needed.

AI-Generated Review

What is depsguard?

Depsguard scans your npm, pnpm, yarn, bun, and uv configs—plus Renovate and Dependabot setups—for weak security settings, then interactively applies fixes like delaying new releases by 7 days or blocking install scripts. Built as a single static Rust binary with zero external crates, it runs on Linux, macOS, and Windows, editing only approved files while creating timestamped backups. Use the TUI for review-and-apply, `scan` for reports, or `restore` to roll back.
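The two fixes named above, a release delay and script blocking, as a small checker. This is an added example, not depsguard's own code; it assumes npm's `ignore-scripts` key in `.npmrc` and pnpm's `minimumReleaseAge` (in minutes) in `pnpm-workspace.yaml`, and reads config text from strings rather than walking the filesystem:

```rust
// Added example, not depsguard's own code: a checker for two settings the review
// names, npm's `ignore-scripts` and pnpm's `minimumReleaseAge`. Config text is
// passed in as strings (constructed samples in main) so it runs offline, no crates.

#[derive(Debug, PartialEq)]
pub struct Finding { pub file: &'static str, pub issue: String, pub fix: String }

/// Parse an INI-style .npmrc into key/value pairs, skipping blanks and comments.
fn npmrc_pairs(text: &str) -> Vec<(String, String)> {
    text.lines().map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#') && !l.starts_with(';'))
        .filter_map(|l| l.split_once('='))
        .map(|(k, v)| (k.trim().to_string(), v.trim().to_string()))
        .collect()
}

/// Lifecycle scripts run arbitrary code at install time. As in npm, the last
/// `ignore-scripts` entry wins; anything other than `true` is reported.
pub fn check_npmrc(text: &str) -> Vec<Finding> {
    let pairs = npmrc_pairs(text);
    let last = pairs.iter().rev().find(|(k, _)| k == "ignore-scripts");
    match last.map(|(_, v)| v.as_str()) {
        Some("true") => Vec::new(),
        _ => vec![Finding { file: ".npmrc", issue: "install scripts are allowed".into(),
                            fix: "ignore-scripts=true".into() }],
    }
}

/// pnpm's `minimumReleaseAge` is in minutes; require it to cover `min_days` days so a
/// version published moments ago (e.g. from a hijacked account) is not installed.
pub fn check_pnpm_workspace(text: &str, min_days: u64) -> Vec<Finding> {
    let required = min_days * 24 * 60;
    let age = text.lines()
        .find_map(|l| l.trim().strip_prefix("minimumReleaseAge:"))
        .and_then(|v| v.trim().parse::<u64>().ok());
    match age {
        Some(a) if a >= required => Vec::new(),
        _ => vec![Finding { file: "pnpm-workspace.yaml",
            issue: format!("minimumReleaseAge {:?} is below {} minutes", age, required),
            fix: format!("minimumReleaseAge: {}", required) }],
    }
}

fn main() {
    // Constructed samples: scripts left enabled, and a one-hour delay instead of 7 days.
    let mut found = check_npmrc("registry=https://registry.npmjs.org/\n");
    found.extend(check_pnpm_workspace("packages:\n  - 'apps/*'\nminimumReleaseAge: 60\n", 7));
    for f in &found { println!("{}: {} (fix: {})", f.file, f.issue, f.fix); }
}
```

A real tool would also back up each file before writing the suggested fix, as depsguard does with its timestamped backups.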

Why is it gaining traction?

It stands out by hunting repo-level configs (like `.github/dependabot.yml`) via a recursive search from the home directory, skipping node_modules and .git for speed, and handling version-specific features without running installs. Cross-platform installs via APT on Debian, Homebrew, Scoop on Windows, or cargo make it dead simple. The zero-dependency design minimizes the tool's own attack surface, which matters for something meant to harden supply chain security.

Who should use this?

Node.js and full-stack devs managing multiple package managers, especially teams hardening GitHub Actions workflows against supply chain attacks. Security-conscious ops folks on Linux or Windows wanting quick configs for pnpm workspaces and Dependabot cooldowns. Ideal for auditing package manager configs before CI runs.

Verdict

Grab it if supply chain hygiene is a priority—solid for a 19-star early project with clear docs and MIT license. The 1.0% credibility score reflects low adoption, but prebuilt binaries and backups make it low-risk to try; just verify checksums first.

