Shell Dep Version — 46 Hot

The old --no-cache flag is gone. In its place, you now have --cache-strategy:

Update your CI scripts accordingly.

Supply chain attacks on open-source binaries are rising. Version 46 Hot integrates with the OSV.dev API and GitHub Advisory Database. Before shell-dep links a binary into your environment, it checks:

If a CVE with severity >= 7.0 is found, shell-dep refuses to install and exits with a detailed error. You can override with --hot-allow-risky, but that’s strongly discouraged.

Previous versions of shell-dep relied on a cold filesystem cache. Every shell-dep ensure would hash the lockfile, check timestamps, and re-validate existing binaries. In large monorepos with 50+ dependencies, this could take 2–3 seconds.

Version 46 Hot introduces a daemon-less shared memory cache. The first time you run a command, it builds a hot manifest in /dev/shm (or a Windows equivalent). Subsequent runs are almost instantaneous.

Benchmark:

For CI pipelines running hundreds of jobs, this translates directly into dollars saved.