aislop v0.7.0. Config inheritance, public score badge, security floor
Three additions that make aislop easier to adopt at scale. Teams with multiple repos or monorepos can share a base config and override per-package. Any project — open source or internal — can display a live score badge. And aislop now ships with no known vulnerable transitive dependencies.
v0.7.0 is a focused minor release. No new scan engines, no new CLI commands. Three additions that remove friction for teams running aislop across more than one repo.
1. Config inheritance with extends:
Before v0.7.0, every repo needed its own complete .aislop/config.yml. For a team running aislop across ten repos, that meant ten copies of the same thresholds and weights — and ten places to update when the standard changed.
extends: fixes this. A project config can point to a parent and declare only the keys that differ:
The merge rules are deliberate: nested objects deep-merge key-by-key so you only need to state what changes, and arrays replace wholesale so an explicit rule list in a child isn't accidentally extended by the parent. Multiple parents are supported via an array — later entries win. Cycles and inheritance chains longer than five levels are rejected at load time with a clear error.
The practical shape for most teams is one base.yml in the repo root or a shared config package, with per-project files that override ci.failBelow or tweak weights for specific contexts. The full spec is in docs/configuration.md.
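The merge rules described above, as an added JavaScript sketch (not aislop's own code). It resolves configs from an in-memory map rather than files; the rules key, the weight names and the choice to count the child as the first of the five levels are assumptions.

```javascript
// Added sketch of the merge rules above; not aislop's own implementation.
// Configs live in an in-memory map (constructed) instead of being read from disk.
const MAX_DEPTH = 5; // assumption: the child itself counts as level one

const isPlainObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Objects deep-merge key by key; arrays and scalars from `over` replace wholesale.
function merge(base, over) {
  if (!isPlainObject(base) || !isPlainObject(over)) return over;
  const out = { ...base };
  for (const [k, v] of Object.entries(over)) {
    if (k === "__proto__") continue; // never let a config file set a prototype
    out[k] = Object.hasOwn(base, k) ? merge(base[k], v) : v;
  }
  return out;
}

// Resolve `name` against its parents; `chain` is the path of configs in progress.
function resolve(configs, name, chain = []) {
  if (chain.includes(name)) throw new Error(`extends cycle: ${[...chain, name].join(" -> ")}`);
  if (chain.length >= MAX_DEPTH) throw new Error(`extends chain deeper than ${MAX_DEPTH} levels`);
  if (!Object.hasOwn(configs, name)) throw new Error(`unknown config: ${name}`);
  const { extends: parents = [], ...own } = configs[name];
  let result = {};
  // Later parents win over earlier ones; the child's own keys win over all parents.
  for (const p of [].concat(parents)) {
    result = merge(result, resolve(configs, p, [...chain, name]));
  }
  return merge(result, own);
}

// Constructed sample: only ci.failBelow and weights are key names from the post.
const configs = {
  base: { ci: { failBelow: 70 }, weights: { security: 2, style: 1 }, rules: ["a", "b"] },
  strict: { ci: { failBelow: 85 } },
  app: { extends: ["base", "strict"], weights: { style: 0.5 }, rules: ["c"] },
};

console.log(JSON.stringify(resolve(configs, "app")));
```

The resolved app config keeps weights.security from base, takes ci.failBelow from the later parent, and carries only its own rule list.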
2. Public score badge
Any project can put a live aislop score in its README. Here's ours:
The SVG is shields-compatible and edge-cached on Cloudflare. The colour bands match the standard thresholds: green at 85 and above, amber between 70 and 84, red below 70, grey if the repo hasn't been scanned publicly yet.
It's free for any project. The badge reflects the last scan aislop recorded for that owner/repo combination — no separate setup step beyond running a scan. The full URL spec and edge-cache details are at badges.scanaislop.com.
3. Security: postcss floor
aislop's own scan flagged a security/vulnerable-dependency finding on this repo — a transitive postcss below 8.5.10. No direct dependency used it, so a pnpm.overrides entry is the right fix over pulling in a runtime dep we don't need. The lock now resolves to 8.5.13.
This is also a demonstration of the tool catching its own issues. aislop scans itself on every release. When it finds something, we fix it before shipping.
Install
Full changelog on GitHub. Star the repo to get the next release in your feed.