enhance: vp pm audit — supply chain signals beyond CVE databases #1271
Closed
Description
vp pm audit and vp pm audit --fix already pass through to the underlying package manager, covering known CVEs and automated fixes. The remaining gap is supply chain signals that CVE databases don't catch:
- Unexpected publish authors (first-time push from an account that never touched the package)
- New post-install scripts that weren't present in the prior version
- Version bumps with no changelog entry
These signals preceded several major incidents in 2025 — including the axios compromise on March 31st — and none of them would have been caught by a standard audit passthrough.
Suggested enhancement
Layer supply chain signal checks on top of the existing vp pm audit passthrough, backed by OSV/GitHub Advisory for CVEs plus registry metadata for behavioral signals:
- Flag packages where a new publisher account made the latest release
- Flag new or modified `postinstall`/`preinstall` scripts since the last installed version
- Warn on version bumps with no changelog when a changelog previously existed
- Optional auto-run on `vp dev`/`vp build` behind a config flag
- Output consistent with Vite+'s existing diagnostic style
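The three signal checks proposed above, as an added example that is not Vite+ code and not part of this issue. It takes a registry packument-shaped object (`dist-tags`, `versions[v].scripts`, `versions[v]._npmUser.name`, the field names used by the public npm registry; treat them as an assumption for any other registry), the currently installed version, and the text of the package's `CHANGELOG.md`, and returns the signals a layered `vp pm audit` could report. The package `example-lib`, its versions, publisher names and changelog are constructed sample data; the report format is a placeholder, not Vite+'s diagnostic style.

```javascript
// Added example (not Vite+ code): supply-chain signal checks layered over a
// package-manager audit. Input is a registry "packument"-shaped object with
// "dist-tags", versions[<v>].scripts and versions[<v>]._npmUser.name, as
// returned by the public npm registry (assumption for other registries).

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Signal 1: the latest release was published by an account that published
// none of the earlier versions of this package.
function newPublisherSignal(packument, latestVersion) {
  const latestUser = packument.versions[latestVersion]?._npmUser?.name;
  if (!latestUser) return null; // no publisher metadata: nothing to compare
  const priorPublishers = new Set();
  for (const [version, meta] of Object.entries(packument.versions)) {
    if (version !== latestVersion && meta._npmUser?.name) {
      priorPublishers.add(meta._npmUser.name);
    }
  }
  if (priorPublishers.has(latestUser)) return null;
  return {
    kind: 'new-publisher',
    message: `${latestVersion} was published by "${latestUser}", who published none of the ${priorPublishers.size} earlier release(s)`,
  };
}

// Signal 2: lifecycle scripts that appeared or changed between the installed
// version and the latest one. Only install-time hooks are compared.
function lifecycleScriptSignals(packument, installedVersion, latestVersion) {
  const before = packument.versions[installedVersion]?.scripts ?? {};
  const after = packument.versions[latestVersion]?.scripts ?? {};
  const signals = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!after[hook]) continue;
    if (!before[hook]) {
      signals.push({ kind: 'new-lifecycle-script', hook, message: `${hook} added in ${latestVersion}: ${after[hook]}` });
    } else if (before[hook] !== after[hook]) {
      signals.push({ kind: 'modified-lifecycle-script', hook, message: `${hook} changed: "${before[hook]}" -> "${after[hook]}"` });
    }
  }
  return signals;
}

// Collect the versions that have a heading in a Markdown changelog. Accepts
// "## 1.2.3", "## [1.2.3]", "## v1.2.3 (2025-01-01)" and similar forms.
function changelogVersions(markdown) {
  const versions = new Set();
  const heading = /^#{1,6}\s*\[?v?(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)\]?/;
  for (const line of markdown.split('\n')) {
    const m = heading.exec(line);
    if (m) versions.add(m[1]);
  }
  return versions;
}

// Signal 3: the installed version has a changelog entry but the latest does
// not. A package that never kept a changelog produces no signal.
function missingChangelogSignal(changelog, installedVersion, latestVersion) {
  const entries = changelogVersions(changelog);
  if (!entries.has(installedVersion) || entries.has(latestVersion)) return null;
  return { kind: 'missing-changelog', message: `${latestVersion} has no changelog entry, although ${installedVersion} had one` };
}

function auditSupplyChainSignals(name, packument, installedVersion, changelog) {
  const latestVersion = packument['dist-tags'].latest;
  const signals = [];
  const publisher = newPublisherSignal(packument, latestVersion);
  if (publisher) signals.push(publisher);
  signals.push(...lifecycleScriptSignals(packument, installedVersion, latestVersion));
  const missing = missingChangelogSignal(changelog, installedVersion, latestVersion);
  if (missing) signals.push(missing);
  return { name, installedVersion, latestVersion, signals };
}

// Placeholder report format; Vite+'s own diagnostic style is not reproduced.
function formatReport(report) {
  if (report.signals.length === 0) return `${report.name}: no supply-chain signals`;
  return [
    `${report.name} ${report.installedVersion} -> ${report.latestVersion}: ${report.signals.length} signal(s)`,
    ...report.signals.map((s) => `  [${s.kind}] ${s.message}`),
  ].join('\n');
}

// Constructed sample data (not a real package): two releases by one account,
// then a release from an unseen account that adds a postinstall hook and
// ships without a changelog entry.
const SAMPLE_PACKUMENT = {
  name: 'example-lib',
  'dist-tags': { latest: '1.5.0' },
  versions: {
    '1.4.0': { _npmUser: { name: 'maintainer-a' }, scripts: { test: 'vitest' } },
    '1.4.1': { _npmUser: { name: 'maintainer-a' }, scripts: { test: 'vitest' } },
    '1.5.0': { _npmUser: { name: 'unknown-account' }, scripts: { test: 'vitest', postinstall: 'node scripts/setup.js' } },
  },
};
const SAMPLE_CHANGELOG = '# Changelog\n\n## 1.4.1\n- fix: constructed entry\n\n## 1.4.0\n- feat: constructed entry\n';

console.log(formatReport(auditSupplyChainSignals('example-lib', SAMPLE_PACKUMENT, '1.4.1', SAMPLE_CHANGELOG)));
```

The checks are deliberately comparative: each one needs the installed version as a baseline, so a package that always had a `postinstall` hook or never kept a changelog yields nothing, and a first release with no prior publishers also yields nothing, which keeps the noise floor low when run automatically behind a config flag.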
Additional context