Supply-chain gates
pip install, composer install and brew upgrade run a package’s own code during installation — so a malicious
package executes the moment it lands, before any post-install audit can look. These gates move the check to before
the install.
Why this matters
Attackers exploit that install-time execution constantly — typosquats, hijacked maintainer accounts, and zero-day malicious releases that land and get downloaded for hours before any database flags them. OWASP ranks vulnerable and outdated components as A06 in its Top 10, and the most dangerous window is the first hours after a bad version ships — exactly when no advisory has indexed it yet, so a post-install audit can’t help.
Two May 2026 incidents make it concrete (as reported): in Laravel-Lang, attackers with stolen credentials pushed
malicious releases across roughly 700 versions in minutes, executing through Composer’s post-install hooks before
composer audit could flag them; in TrapDoor, 34+ packages across PyPI, npm and Crates.io auto-executed on
import to steal SSH keys and credentials — and every PyPI package was under 72 hours old when reported, so a
freshness hold alone would have blocked them, no CVE required.
The gates below run that check before the install — across the whole dependency tree, holding back releases too new to trust, and failing closed when something can’t be verified.
→ Full explainer: What is a software supply chain attack? — how it works, the attack types, the freshness window, and how to defend.
Further reading: OWASP — A06: Vulnerable & Outdated Components · TrapDoor (The Hacker News) · Laravel-Lang Packagist compromise (alert).
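The freshness hold and fail-closed rule described above, as an added example (not code from any of the tools listed on this page). It assumes the dependency tree is already resolved and that each release record carries PyPI-JSON-style `urls[].upload_time_iso_8601` fields; the package names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

HOLD = timedelta(days=3)  # the 3-day hold this page describes

def newest_upload(meta):
    """Newest file upload time in a release record, or None if it cannot be trusted."""
    stamps = []
    for f in meta.get("urls") or []:
        raw = f.get("upload_time_iso_8601")
        try:
            t = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except (AttributeError, ValueError):
            return None          # missing or malformed timestamp
        if t.tzinfo is None:
            return None          # no timezone: age is ambiguous
        stamps.append(t)
    # A release is treated as being as fresh as its newest file.
    return max(stamps) if stamps else None

def gate(tree, now):
    """Check every package in the resolved tree; return (allowed, reasons)."""
    reasons = []
    for name, meta in sorted(tree.items()):
        t = newest_upload(meta)
        if t is None:
            reasons.append(f"{name}: age unverifiable, blocked (fail closed)")
        elif now - t < HOLD:     # also catches timestamps in the future
            reasons.append(f"{name}: released {now - t} ago, inside hold")
    return (not reasons, reasons)

# Constructed sample: hypothetical package names, trimmed to the fields used.
NOW = datetime(2026, 5, 21, 12, 0, tzinfo=timezone.utc)
TREE = {
    "app-framework==2.1.0": {"urls": [{"upload_time_iso_8601": "2025-11-02T09:15:00.000000Z"}]},
    "helper-lib==0.4.1": {"urls": [
        {"upload_time_iso_8601": "2026-01-10T10:00:00.000000Z"},
        {"upload_time_iso_8601": "2026-05-20T23:30:00.000000Z"},  # file added later
    ]},
    "tiny-dep==1.0.0": {"urls": []},  # no files listed, so no age
}

if __name__ == "__main__":
    ok, why = gate(TREE, NOW)
    print("ALLOW" if ok else "BLOCK")
    for line in why:
        print(" -", line)
```

One young or unverifiable transitive dependency blocks the whole install, which is the point of checking the tree rather than only the top-level package.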
The tools
Several install from the 5bats Homebrew tap — add it once: brew tap sharkyger/tap.
pip-cve-gate
A drop-in pip wrapper (safe-pip) that resolves the full dependency tree and checks it against three feeds
(OSV.dev, the PyPI Advisory database, the OSSF malicious-packages list) with a 3-day freshness hold — before pip
runs anything.
pip install pip-cve-gate # or: brew install sharkyger/tap/pip-cve-gate
safe-pip install -r requirements.txt
github.com/sharkyger/pip-cve-gate · MIT
composer-cve-gate
Closes the gap Composer’s own policy leaves open: it gates at composer install from the lockfile (not just
update), checking five signals (OSV, GitHub Advisory, NVD, a Packagist freshness hold, OSSF malicious-packages),
plus a read-only safe-scan of vendor/. A DDEV add-on runs it inside the container for TYPO3/Drupal/Laravel.
composer require sharkyger/composer-cve-gate --dev
composer safe-install monolog/monolog
composer safe-scan
github.com/sharkyger/composer-cve-gate · MIT
homebrew-safe-upgrade
A security-first wrapper for brew install/upgrade. It checks every package and its dependencies against three
databases, holds back releases under 3 days old, verifies the download SHA against the formula, and fails closed
when a package’s age can’t be confirmed.
brew install sharkyger/tap/safe-upgrade
brew safe-upgrade
brew safe-install wget curl
github.com/sharkyger/homebrew-safe-upgrade · MIT
claude-code-cve-gate
A PreToolUse hook that intercepts every install Claude Code attempts (pip, npm, composer, cargo, go, gem, brew), resolves the dependency tree, and checks it against NVD, OSV and the GitHub Advisory database — with a freshness hold for pip/npm. Because an AI assistant installs with your credentials and file access, the install is your attack surface.
git clone https://github.com/sharkyger/claude-code-cve-gate.git
cd claude-code-cve-gate && bash install.sh
github.com/sharkyger/claude-code-cve-gate · MIT
mistral-code-cve-gate
The same pre-install gate for Mistral-powered coding tools, with an auditable JSON record of every check — built for EU data-sovereign, regulated workflows (NIS2, DORA, GDPR Art. 32). Shares its config with claude-code-cve-gate.
git clone https://github.com/sharkyger/mistral-code-cve-gate.git
cd mistral-code-cve-gate && bash install.sh
github.com/sharkyger/mistral-code-cve-gate · MIT
TrapDoor didn’t stop at packages — it also turned AI assistants into accomplices.
See AI-agent security for the other half of the defence.
