Shai-Hulud 2.0 Detector
Version updated for https://github.com/gensecaihq/Shai-Hulud-2.0-Detector to version v1.0.2.
- This action is used across all versions by 23 repositories.
Release notes
Shai-Hulud 2.0 Detector v1.0.2
This release includes important bug fixes and a major feature enhancement for version matching accuracy.
What’s New
Semver Version Matching (#11)
The detector now uses proper semver version range matching when checking for compromised packages. This significantly reduces false positives by accurately matching only the specific vulnerable versions.
Before: Packages were matched by name only, potentially flagging safe versions.
After: Uses semver to match exact versions, ranges, and patterns defined in the compromised packages database.
```js
// Example: kill-port@2.0.1 is now correctly identified as SAFE
// Only kill-port@2.0.2 and @2.0.3 are flagged as compromised
```
Bug Fix: Correct totalDependencies Count (#10)
Fixed an issue where totalDependencies was being overwritten in each scan loop instead of accumulated. The scan summary now correctly reports the total number of unique dependencies scanned.
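To show the two changes above side by side (version-aware matching instead of name-only matching, and accumulating `totalDependencies` with `+=` across scan loops), here is an added example; it is not the detector's own code. The compromised-package database is constructed for the example (only the `kill-port` 2.0.2/2.0.3 entries come from the release notes; `example-lib` is hypothetical), and `satisfies()` is a minimal stand-in for the `semver` library's `satisfies()` that covers exact versions and simple comparator ranges so the block runs without that dependency.

```javascript
// Constructed database of compromised packages, keyed by package name.
// kill-port 2.0.2 / 2.0.3 are the versions the release notes cite as flagged;
// the "example-lib" range entry is hypothetical.
const COMPROMISED = {
  "kill-port": ["2.0.2", "2.0.3"],
  "example-lib": [">=1.4.0 <1.4.3"],
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release/build suffixes ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Minimal stand-in for semver.satisfies(): exact versions and comparator sets
// (">=", "<=", ">", "<", "=") separated by spaces, alternatives joined by "||".
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  return range.split("||").some((set) =>
    set.trim().split(/\s+/).every((comp) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comp);
      const target = parseVersion(m[2]);
      if (!target) return false;
      const c = compareVersions(v, target);
      switch (m[1] || "=") {
        case ">=": return c >= 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case "<": return c < 0;
        default: return c === 0;
      }
    })
  );
}

// Pre-v1.0.2 behaviour: any version of a listed package is flagged.
function isAffectedByNameOnly(name) {
  return Object.prototype.hasOwnProperty.call(COMPROMISED, name);
}

// v1.0.2 behaviour: only versions inside the listed ranges are flagged.
function isAffected(name, version) {
  const ranges = COMPROMISED[name];
  return Boolean(ranges) && ranges.some((r) => satisfies(version, r));
}

// Scan several dependency lists (one per lockfile) in a loop. The total is
// accumulated with "+=" across iterations; the pre-v1.0.2 bug used "=" here,
// so the summary only ever reflected the last lockfile scanned.
function scanAll(lockfiles) {
  const summary = { totalDependencies: 0, compromised: [] };
  const seen = new Set(); // de-duplicate name@version across lockfiles
  for (const deps of lockfiles) {
    let uniqueHere = 0;
    for (const { name, version } of deps) {
      const key = `${name}@${version}`;
      if (seen.has(key)) continue;
      seen.add(key);
      uniqueHere += 1;
      if (isAffected(name, version)) summary.compromised.push(key);
    }
    summary.totalDependencies += uniqueHere; // the #10 fix: "+=" not "="
  }
  return summary;
}

// Constructed sample input: two lockfiles' worth of dependencies.
const SAMPLE_LOCKFILES = [
  [{ name: "kill-port", version: "2.0.1" }, { name: "lodash", version: "4.17.21" }],
  [{ name: "kill-port", version: "2.0.3" }, { name: "example-lib", version: "1.4.2" }],
];

console.log(scanAll(SAMPLE_LOCKFILES));
// → { totalDependencies: 4, compromised: [ 'kill-port@2.0.3', 'example-lib@1.4.2' ] }
```

With name-only matching, `kill-port@2.0.1` in the first lockfile would have been reported as compromised; with version matching it is not, while `kill-port@2.0.3` still is. The real action delegates range evaluation to the `semver` package, which also handles caret/tilde ranges and pre-release tags that this stand-in does not.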
Contributors
Special thanks to @albe (Alexander Berl) for both contributions!
Technical Details
| Change | Description |
|---|---|
| isAffected(name, version) | Now accepts version parameter for semver matching |
| satisfies() / intersects() | Uses semver library for accurate version comparison |
| totalDependencies | Now uses += instead of = for correct accumulation |
| New dependency | Added semver package for version matching |
Upgrade Guide
Simply update your workflow to use the latest version:
```yaml
# Use the latest v1.x (recommended)
- uses: gensecaihq/Shai-Hulud-2.0-Detector@v1
# Or pin to this specific version
- uses: gensecaihq/Shai-Hulud-2.0-Detector@v1.0.2
```
Links
Full Changelog: https://github.com/gensecaihq/Shai-Hulud-2.0-Detector/compare/v1.0.1...v1.0.2