Description
`vp pm audit` and `vp pm audit --fix` already pass through to the underlying package manager, covering known CVEs and automated fixes. The remaining gap is supply chain signals that CVE databases don't catch:
- Unexpected publish authors (first-time push from an account that never touched the package)
- New post-install scripts that weren't present in the prior version
- Version bumps with no changelog entry
These signals preceded several major incidents in 2025 — including the axios compromise on March 31st — and none of them would have been caught by a standard audit passthrough.
Suggested enhancement
Layer supply chain signal checks on top of the existing `vp pm audit` passthrough, backed by OSV/GitHub Advisory for CVEs plus registry metadata for behavioral signals:
- Flag packages where a new publisher account made the latest release
- Flag new or modified `postinstall`/`preinstall` scripts since the last installed version
- Warn on version bumps with no changelog when a changelog previously existed
- Optional auto-run on `vp dev`/`vp build` behind a config flag
- Output consistent with Vite+'s existing diagnostic style
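As an added illustration (not Vite+ code), here is one way the three behavioral signals above could be derived from two registry version records plus each version's changelog text; the package name, publisher accounts, scripts and changelog contents are constructed, and the `changelog` field is an assumption (the registry itself does not carry it, it would come from the tarball).

```javascript
// Added example, not Vite+ code. `prev` and `next` mimic npm packument version
// entries (`version`, `_npmUser`, `scripts`); `changelog` is assumed to be the
// CHANGELOG.md text read from the tarball, or null when the file is absent.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];

function supplyChainSignals(prev, next, priorPublishers) {
  const signals = [];

  // Signal 1: the latest release was pushed by an account with no prior
  // releases of this package.
  const publisher = next._npmUser?.name;
  if (publisher && !priorPublishers.has(publisher)) {
    signals.push({ type: "new-publisher", detail: `${publisher} has not published this package before` });
  }

  // Signal 2: a lifecycle script was added or changed since the installed version.
  for (const hook of LIFECYCLE_HOOKS) {
    const before = prev.scripts?.[hook];
    const after = next.scripts?.[hook];
    if (after !== undefined && after !== before) {
      signals.push({ type: "lifecycle-script", detail: `${hook} ${before === undefined ? "added" : "changed"}: ${after}` });
    }
  }

  // Signal 3: the package used to ship a changelog, but the new version has
  // no changelog at all or no entry mentioning its own version string.
  const hadChangelog = typeof prev.changelog === "string";
  const hasEntry = typeof next.changelog === "string" && next.changelog.includes(next.version);
  if (hadChangelog && !hasEntry) {
    signals.push({ type: "changelog-stale", detail: `no changelog entry for ${next.version} (${prev.version} had one)` });
  }
  return signals;
}

// Constructed sample: hypothetical package "example-lib" bumped from 1.4.2 to 1.4.3
// by a new account, gaining a postinstall hook and shipping an unchanged changelog.
const SAMPLE_PREV = { version: "1.4.2", _npmUser: { name: "maintainer-a" }, scripts: { build: "tsc" }, changelog: "## 1.4.2\n- fix parser\n" };
const SAMPLE_NEXT = { version: "1.4.3", _npmUser: { name: "fresh-account" }, scripts: { build: "tsc", postinstall: "node setup.js" }, changelog: "## 1.4.2\n- fix parser\n" };

function checkSample() {
  return supplyChainSignals(SAMPLE_PREV, SAMPLE_NEXT, new Set(["maintainer-a"]));
}

for (const s of checkSample()) console.log(`[supply-chain] ${s.type}: ${s.detail}`);
```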
Additional context