i. what it is

Stop trusting dependencies you never audited.

PackGuard is a local-first CLI and dashboard that governs package versions across every repo you own: offset policy, supply-chain intel (CVE · malware · typosquat) and a live dependency graph. One Rust binary, no cloud.

Works with npm (npm · pnpm · yarn) and PyPI (poetry · uv · pip). Cargo + Go modules next.

[Graph preview: contamination chain · 48 nodes · 47 edges · 1 chain]
ii. what you get
01 · Offset policy, not lockstep

Enforce "latest - N" with conservative defaults. Rust workspace, npm monorepo, pip-compile — all driven by one .packguard.yml.
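The "latest - N" rule above, worked through as an added example. This is not PackGuard's own code and does not use its .packguard.yml schema; it assumes plain semver version strings as a registry returns them, a stability filter that drops prereleases, and the reading that a pin sitting closer to latest than the offset allows is what the policy rejects.

```python
"""Resolve an offset ("latest - N") version policy against a registry's release list.

Added example, not PackGuard's own code. It assumes plain semver strings such as
a registry returns; the stability filter and the "N releases behind latest"
reading of the policy are assumptions for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


@dataclass(frozen=True)
class Version:
    major: int
    minor: int
    patch: int
    pre: str | None = None  # prerelease tag such as "rc.1"; None for a final release

    @classmethod
    def parse(cls, s: str) -> "Version":
        m = SEMVER.match(s.strip())
        if not m:
            raise ValueError(f"not a semver string: {s!r}")
        return cls(int(m[1]), int(m[2]), int(m[3]), m[4])

    def sort_key(self):
        # A final release outranks any prerelease of the same triple. Comparing
        # prerelease tags as plain strings is a simplification of the semver rules.
        return (self.major, self.minor, self.patch, self.pre is None, self.pre or "")

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}.{self.patch}"
        return f"{base}-{self.pre}" if self.pre else base


def eligible_versions(published: list[str], stable_only: bool = True) -> list[Version]:
    """Parse, optionally drop prereleases, and order newest first."""
    versions = [Version.parse(v) for v in published]
    if stable_only:
        versions = [v for v in versions if v.pre is None]
    return sorted(versions, key=Version.sort_key, reverse=True)


def resolve_offset(published: list[str], offset: int = 1, stable_only: bool = True) -> str:
    """Return the version the policy targets: `offset` releases behind the newest.

    offset=0 is lockstep with latest; offset=1 (the conservative default assumed
    here) lets the newest release bake before it is adopted. When fewer releases
    exist than the offset asks for, the oldest eligible one is the target.
    """
    if offset < 0:
        raise ValueError("offset must be >= 0")
    versions = eligible_versions(published, stable_only)
    if not versions:
        raise ValueError("no eligible versions")
    return str(versions[min(offset, len(versions) - 1)])


def releases_behind(pinned: str, published: list[str], stable_only: bool = True) -> int:
    """How many eligible releases are newer than the pinned version."""
    pin = Version.parse(pinned).sort_key()
    return sum(1 for v in eligible_versions(published, stable_only) if v.sort_key() > pin)


def within_offset(pinned: str, published: list[str], offset: int = 1) -> bool:
    """True when the pin is at least `offset` releases behind latest, i.e. it has
    not jumped ahead of the policy target (the reading assumed in this demo)."""
    return releases_behind(pinned, published) >= offset


if __name__ == "__main__":
    # Constructed release list for the demo.
    releases = ["1.2.0", "1.3.0", "1.4.0-rc.1", "1.4.0", "1.5.0", "1.6.0-beta.1"]
    print("target (offset 1):", resolve_offset(releases))
    for pin in ("1.5.0", "1.4.0", "1.3.0"):
        print(pin, "within policy:", within_offset(pin, releases))
```

With the constructed list, offset 1 resolves to 1.4.0 because 1.6.0-beta.1 is filtered out as a prerelease and 1.5.0 is the newest stable release; a pin of 1.5.0 is flagged, 1.4.0 and 1.3.0 pass. Setting `stable_only=False` moves the target up one notch, which is the knob a stability rule would control.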

02 · Supply-chain intel included

OSV + GitHub Advisory + OSV-MAL + typosquat heuristic + optional Socket.dev — one sync, local SQLite, usable offline.

03 · Graph with contamination chains

Trace any CVE from your workspace root to the vulnerable leaf. Transitive edges harvested from real lockfiles, not estimates.

04 · From findings to next steps

Every CVE, malware hit, or policy violation becomes a prioritized action with a copyable fix command (pnpm · uv · poetry — auto-detected). Dismiss a finding in the UI and the CI gate respects the dismissal.

05 · Dashboard-first onboarding

Dark mode with a 3-state toggle, a tree view workspace selector built from your lockfile hierarchy, and an Add-workspace modal for the first scan. Monorepo navigation and onboarding without ever leaving the browser.

06 · 100% local, air-gap ready

One static Rust binary. No SaaS, no telemetry, no daemon. Bring your own intel dump and run on a disconnected build host.

iii. the dashboard

One binary. One dashboard. Every workspace.

PackGuard ships a single Rust binary that embeds the dashboard, the REST API, and every CLI command. Run packguard ui locally and the UI opens in your browser against the same SQLite store the CLI writes to.

01 · Overview at a glance

Health score, tracked packages, CVE matches, and supply-chain signals. Every number is scoped to the active workspace.

[Screenshot: PackGuard dashboard Overview — health score, packages tracked, CVE matches, malware & typosquat donuts.]
02 · Trace a CVE to its root

The graph view runs a BFS from the vulnerable leaf and lights up every contamination chain. Same algorithm as packguard graph --contaminated-by.

[Screenshot: Graph view highlighting a contamination chain from a textlint root down to a vulnerable lodash version.]
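The chain-tracing described here and in the "Graph with contamination chains" feature above (root to vulnerable leaf, BFS from the leaf), as an added example rather than PackGuard's own implementation. The edges, package versions and graph shape are constructed for the demo; "app" stands in for the workspace root and a lodash version plays the vulnerable leaf, echoing the screenshot.

```python
"""Contamination chains: every path from a workspace root to a vulnerable package,
found by walking a dependency graph in reverse from the vulnerable leaf.

Added example, not PackGuard's own implementation. The edges, package versions
and dependency shapes below are constructed for the demo.
"""
from __future__ import annotations

from collections import defaultdict, deque

# Constructed lockfile-style edges, dependent -> dependency.
# "app" is the workspace root; "lodash@4.17.15" plays the vulnerable leaf.
EDGES = [
    ("app", "textlint@13.4.1"),
    ("app", "express@4.18.2"),
    ("textlint@13.4.1", "lodash@4.17.15"),
    ("textlint@13.4.1", "glob@7.2.3"),
    ("express@4.18.2", "lodash@4.17.15"),
    ("express@4.18.2", "body-parser@1.20.1"),
    ("glob@7.2.3", "minimatch@3.1.2"),
]

Edge = tuple[str, str]


def workspace_roots(edges: list[Edge]) -> set[str]:
    """Nodes nothing depends on: the workspace roots of the graph."""
    dependents = {a for a, _ in edges}
    dependencies = {b for _, b in edges}
    return dependents - dependencies


def contaminated_by(edges: list[Edge], vulnerable: str) -> set[str]:
    """BFS upward from the vulnerable leaf over reversed edges.

    Returns every package whose resolved tree includes `vulnerable`, the leaf
    itself included. The visited set makes cycles in the lockfile harmless.
    """
    rev: dict[str, set[str]] = defaultdict(set)
    for dependent, dependency in edges:
        rev[dependency].add(dependent)
    seen = {vulnerable}
    queue = deque([vulnerable])
    while queue:
        node = queue.popleft()
        for dependent in rev[node]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def contamination_chains(edges: list[Edge], vulnerable: str,
                         roots: set[str] | None = None) -> list[list[str]]:
    """All paths root -> ... -> vulnerable, as lists of package ids.

    The walk is restricted to contaminated nodes, so it never enters a subtree
    that cannot reach the leaf; the `dep not in path` guard stops cycles.
    """
    contaminated = contaminated_by(edges, vulnerable)
    fwd: dict[str, set[str]] = defaultdict(set)
    for dependent, dependency in edges:
        if dependent in contaminated and dependency in contaminated:
            fwd[dependent].add(dependency)
    chains: list[list[str]] = []

    def walk(node: str, path: list[str]) -> None:
        if node == vulnerable:
            chains.append(path)
            return
        for dep in sorted(fwd[node]):
            if dep not in path:
                walk(dep, path + [dep])

    for root in sorted(roots if roots is not None else workspace_roots(edges)):
        if root in contaminated:
            walk(root, [root])
    return chains


def render(chains: list[list[str]]) -> list[str]:
    """One printable line per chain, root first."""
    return [" -> ".join(chain) for chain in chains]


if __name__ == "__main__":
    for line in render(contamination_chains(EDGES, "lodash@4.17.15")):
        print(line)
```

The BFS answers "which packages are contaminated" in one pass, which is all a CI gate needs; the chain enumeration on top of it is what the graph view lights up, and confining that walk to the contaminated set keeps it from exploring the unaffected parts of a large lockfile.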
03 · Per-workspace policy

Monorepo-ready: each workspace has its own .packguard.yml with its own offset, stability, and block rules. Edit in the UI or on disk.

[Screenshot: Policies editor — CodeMirror YAML with dry-run preview vs current policy.]
iv. 30 seconds in

Install in thirty seconds.

Four channels, one binary. Pick whichever you already have on your path.

# Homebrew — macOS recommended
brew tap Tmauc/packguard
brew install packguard

# install.sh — SHA256-verified, no sudo
curl -fsSL https://raw.githubusercontent.com/Tmauc/packguard/main/install.sh | sh

# Docker — ~46 MB, multi-arch
docker run --rm -v "$PWD":/workspace ghcr.io/tmauc/packguard:latest scan /workspace

# Cargo — from source, any platform
cargo install packguard-cli --features ui-embed