BETA: squirrelscan is currently in beta

Releases

Release history and changelogs

All releases up to v0.1 will be in the stable channel.

Release History

v0.0.42 - Jun 11, 2026 - Latest

Release Notes

Big quality-of-life release: a new fully-offline mode, much faster rendered audits, honest per-audit credit accounting, and a pile of fixes for auditing very large sites.

New: --offline

  • squirrel audit <url> --offline runs a completely local audit — no cloud analysis, no publishing, no telemetry, no update checks, and no probing of third-party links. The only thing squirrel talks to is the site you're auditing. Results land in the local database as usual, so squirrel report, history, and all export formats work exactly the same. --offline can't be combined with --publish or --render (both need cloud access), and the CLI says so instead of guessing.
  • Clearer logged-out messaging — audits without an account now print "not signed in — run 'squirrel auth login' to enable cloud features" instead of a confusing "offline — 0 credits".

Performance

  • Rendered audits are ~2.3× faster — cloud browser-render jobs now run concurrently (new [cloud].render_concurrency setting, default 4, max 8) instead of effectively one at a time. A 100-page rendered audit that previously timed out now finishes comfortably.
  • Mega-site sitemaps no longer stall audits — sites with giant sitemap indexes (TechCrunch's lists 400k+ URLs across 2000+ child sitemaps) used to grind a 100-page audit past 15 minutes just ingesting sitemap entries. Sitemap ingestion is now capped relative to your page budget with round-robin sampling across child sitemaps; the same audit completes in ~3 minutes.
  • Rules phase up to 2× faster — the HTTP→HTTPS redirect checks ran serially with long delays between probes; they now run in a small concurrent pool while keeping the politeness stagger.

Credits & Reporting

  • The "Cloud credits used" line now tells the whole truth — browser rendering, bulk dead-link checks, and report publishing are included alongside AI analysis, so the CLI total matches your ledger. The dashboard shows the same per-audit figure in the audit and report lists.
  • Rendered pages no longer report fake TTFB — render queue + browser time was being counted as server response time, flagging perfectly fast sites with "Very slow server response (15000ms)". Rendered fetches now skip the TTFB check instead of lying about it.

Publishing & Dashboard

  • Published audits now populate the dashboard Issues page — CLI-published reports previously showed issue counts but an empty Issues tab.
  • Publishing very large sites no longer fails validation — oversized sitemap entry lists, extremely long rule-item identifiers, and huge robots.txt files (looking at you, nytimes.com) are trimmed to server limits instead of rejecting the whole report.
  • Website screenshots capture on the first published audit — new websites created by --publish now get their screenshot immediately, and the dashboard refreshes automatically while the first capture is in flight instead of showing a permanent placeholder.
  • Dead-link cloud checks work again — a server-side query bug made every bulk dead-link call fail (you were never charged; the CLI silently fell back to slower local checks). Cloud-cached link checking is back.
  • Dashboard "Run New Audit" now shows you the CLI command to copy instead of failing — audits run from the CLI and publish to the dashboard.


v0.0.41 - Jun 10, 2026

Release Notes

cloud-powered audits 🐿️☁️

The big one: audits can now call squirrelscan cloud for checks that are impossible to run locally. Log in (squirrel auth login) and these run automatically alongside the local rules — logged-out audits stay 100% local, free, and unlimited, forever.

New cloud rules

  • ai/site-type, ai/page-type-match, ai/llm-parsability (upgraded), eeat/authority-signals — AI analysis of how parsers and LLMs see your pages
  • adblock/blocked-links, adblock/element-hiding, adblock/privacy-blocked — find resources and markup that EasyList/EasyPrivacy ad blockers will nuke
  • links/dead-links — bulk external dead-link checking against a shared cloud cache (way faster than hammering every URL yourself)
  • gaps/keywords, gaps/content — competitor keyword & content gap analysis (opt-in)

Cloud browser rendering

  • New --render flag (or [cloud] rendering = "browser" in squirrel.toml) crawls JS-heavy sites with a real headless browser instead of plain HTTP.

Credits & spend controls

  • New squirrel credits command — balance, plan, and per-feature pricing.
  • Audit start now shows who you're logged in as and your credit balance (offline — 0 credits when logged out).
  • Spend guardrails in [cloud] config: max_credits_per_audit (default 200), confirm_threshold (default 50, prompts before spending), enabled master switch. End-of-run summary shows exactly what was spent.
  • Published reports record the credits an audit used; it shows in the dashboard report view.

Pricing

  • Free accounts now get 500 credits every month — no card required.
  • Starter ($19/mo) now includes 5,000 credits/month (up from 2,000).
  • Credit packs are gone; paid plans can top up any amount from $10 (100 credits per $1, never expire).

Fixes

  • content/broken-html now emits stable item ids, so publishing reports for sites with malformed HTML no longer fails validation.

Local audits never cost credits. Run squirrel self update to grab this release.

v0.0.40 - Jun 10, 2026

Release Notes

Bug-fix release focused on false positives, publish reliability, and binary compatibility. Huge thanks to @AnkitClassicVision, @MoriNo23, @wildfiremedia, and @v2lightingintl for the detailed reports that drove this release.

Audit Rule Fixes

  • E-E-A-T rules now understand @graph JSON-LD (#21, thanks @AnkitClassicVision) — author bylines, content dates, and LocalBusiness data nested in Yoast-style @graph wrappers (most WordPress sites) are now detected. Previously these rules reported "no author / no dates" on fully-marked-up sites.
  • Contact, About, Privacy, and Terms pages are always crawled first (#21) — large sitemaps no longer crowd them out of the page budget, fixing false "No Contact page found" / "No Privacy Policy found" warnings.
  • Leaked-secrets rule no longer flags public client-side keys — Stripe publishable keys, Google Maps/Firebase browser keys, GTM/GA tag IDs, OAuth client IDs, Sentry DSNs, Mapbox public tokens, and Supabase anon keys are now reported as informational (public by design) instead of errors. Real secrets (e.g. sk_live_…, AWS keys, private key blocks) still fail.
  • Fixed a11y/duplicate-id-aria rule error (#21) — "CSS is not defined" no longer crashes the rule.
  • Issue severity now reflects what actually happened — a rule whose checks all came back as warnings reports as a warning, not an error.
  • mailto:?subject=… share links are no longer flagged invalid (#17, thanks @wildfiremedia) — address-less mailto links are a legitimate email-share pattern.
  • Shopify's native hCaptcha is now detected (#24, thanks @v2lightingintl) — the form-captcha rule recognizes the captcha-bootstrap inline loader and CDN script.
  • social/og-image-size now names the image (#18, thanks @wildfiremedia) — warnings include the og:image URL instead of just the page.
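
The public-versus-secret split in the leaked-secrets bullet above, as an added example (not squirrelscan's code). The patterns follow the vendors' documented key formats; the names `RULES`, `scan`, `jwtRole` and `redact`, the Supabase `service_role` case, and every sample value are assumptions constructed for illustration.

```javascript
// Added example, not squirrelscan's implementation. Rule names, severities
// and patterns are assumptions; all sample values below are constructed.
const RULES = [
  // Real secrets: must never ship in client-side code -> "error".
  { kind: "private-key-block", severity: "error", re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/g },
  { kind: "stripe-secret-key", severity: "error", re: /(?<![0-9A-Za-z_])[sr]k_(?:live|test)_[0-9A-Za-z]{16,}/g },
  { kind: "aws-access-key-id", severity: "error", re: /\bAKIA[0-9A-Z]{16}\b/g },
  // Public by design: expected in browser code -> "info".
  { kind: "stripe-publishable-key", severity: "info", re: /(?<![0-9A-Za-z_])pk_(?:live|test)_[0-9A-Za-z]{16,}/g },
  { kind: "google-browser-key", severity: "info", re: /\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])/g },
  { kind: "gtm-container-id", severity: "info", re: /\bGTM-[A-Z0-9]{4,10}\b/g },
];
const JWT_RE = /\beyJ[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+\.[0-9A-Za-z_-]+/g;

// Supabase keys are JWTs; the "role" claim separates the public anon key
// from the privileged service_role key. Returns null for anything else.
function jwtRole(token) {
  try {
    const body = Buffer.from(token.split(".")[1], "base64url").toString("utf8");
    const payload = JSON.parse(body);
    return typeof payload.role === "string" ? payload.role : null;
  } catch {
    return null; // not valid base64url/JSON, so not a JWT we can classify
  }
}

// Never echo a full credential into a report: keep a short prefix only.
const redact = (s) => `${s.slice(0, 8)}...(${s.length} chars)`;

function scan(text) {
  const findings = [];
  for (const { kind, severity, re } of RULES) {
    for (const m of text.matchAll(re)) {
      findings.push({ kind, severity, sample: redact(m[0]) });
    }
  }
  for (const m of text.matchAll(JWT_RE)) {
    const role = jwtRole(m[0]);
    if (role === "anon") {
      findings.push({ kind: "supabase-anon-key", severity: "info", sample: redact(m[0]) });
    } else if (role === "service_role") {
      findings.push({ kind: "supabase-service-role-key", severity: "error", sample: redact(m[0]) });
    }
  }
  return findings;
}

// Constructed sample input: page source containing obviously fake keys.
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const fakeJwt = (role) => `${b64u({ alg: "HS256", typ: "JWT" })}.${b64u({ role })}.c2ln`;
const SAMPLE = [
  `Stripe("pk_test_${"A".repeat(24)}")`,
  `const key = "sk_live_${"0".repeat(24)}";`,
  `maps?key=AIza${"B".repeat(35)}`,
  `gtm.js?id=GTM-ABC1234`,
  `aws_key = "AKIA${"X".repeat(16)}"`,
  `createClient(url, "${fakeJwt("anon")}")`,
  `createClient(url, "${fakeJwt("service_role")}")`,
  "-----BEGIN RSA PRIVATE KEY-----",
].join("\n");

for (const f of scan(SAMPLE)) console.log(f.severity.padEnd(5), f.kind, f.sample);
```

Ordering matters only for reporting here; in a real rule the "error" patterns should be evaluated independently of the "info" ones so that a public key on the same line never masks a secret.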

Publishing & Crawling

  • Fixed "Invalid report format" publish failures — relative links like href="index.html" no longer resolve to bogus hosts, duplicate source-page lists are deduplicated, and validation errors from the server now show the exact field and reason.
  • Publish no longer hangs forever — the upload has a 30s timeout and retries transient connection failures.
  • Crawler watchdog (#13) — a wedged crawl batch can no longer hang an audit indefinitely; the crawl finishes with partial results instead.

Compatibility & Updates

  • Linux/Windows x64 binaries now run on older CPUs (#22, thanks @MoriNo23) — built without AVX requirements, fixing "Illegal instruction" crashes on pre-2013 hardware (e.g. Sandy Bridge).
  • Self-update fixes (#14, thanks @wildfiremedia) — draft releases are never offered as updates, and answering "y" to an update prompt that can't proceed now explains why instead of silently doing nothing.

v0.0.39 - Jun 9, 2026

Release Notes

Fixed: squirrel auth login (important)

Login was broken for everyone — sessions always reported as expired due to a timestamp comparison bug in the API. This release fixes the full flow end to end:

  • squirrel auth login works again — complete sign-in via browser and the CLI picks up your token reliably
  • After signing in with Google you now land back on the CLI auth page instead of being redirected away mid-handshake
  • Re-running a used login link now gives a clear "session already used — run squirrel auth login again" message instead of hanging
  • The expiry date shown by squirrel auth status now matches your actual token

If you're signed out or your login previously failed, just run squirrel auth login.

Published reports now link to your website projects

  • squirrel audit <url> -p and squirrel report -p now automatically create (or find) the matching website project in squirrelscan cloud
  • Published reports appear in the website's audit history with health score, issue counts, and report link
  • Reports that exceed the 5 MB publish limit now get a clear error instead of a generic failure

Other Improvements

  • Leaner, faster CLI: removed the experimental built-in agent — squirrel is now a focused deterministic scanner built to pair with Claude Code, Cursor, and your own agents
  • Dependency refresh across the board

v0.0.38 - Feb 12, 2026

Release Notes

This release focuses on report generation and published reports, with a new, more concise HTML format based on feedback.

Published report URLs now return text, LLM format, Markdown, etc. based on request header negotiation.

See an example report and the different formats you can request:

Improvements

  • Redesigned HTML reports: Rules now collapse by default with a scannable summary line showing name, severity, and affected page count
  • Report package — Report generation logic (HTML, Markdown, text, XML, JSON, LLM formats)
  • Fixed report grouping — Meta title, meta description, OG tags, and button name checks now group correctly across pages instead of creating one row per unique value
  • API content negotiation — Report endpoint now supports Accept: text/plain, Accept: application/xml, and Accept: text/x-llm headers for alternative output formats
  • The --publish flag is now available on the audit subcommand, along with --visibility:

# Publish a public report
squirrel audit example.com --publish

# Publish a private report
squirrel audit example.com --publish --visibility private

Fixes

  • Smaller published reports: Publish payload reduced by ~60% by trimming bulk data
  • Fixed long URL overflow: Report links no longer break layout when URLs are very long
  • Accessibility fix: Fixed duplicate ID detection for IDs containing special characters
  • Shell completions updated: Added completions for new --publish and --visibility flags in bash, zsh, and fish

v0.0.36 - Feb 11, 2026

Release Notes

Lots of performance and resilience improvements in crawling and analysis, especially for larger crawls on larger websites. The llm output format is further optimized.

Improvements

  • WAF Challenge Page Detection: Audit now detects bot-protection interstitial pages (Cloudflare, Imperva, PerimeterX, etc.) and excludes them from page-level scoring to prevent false positives. A new crawl/waf-challenge-pages warning surfaces when challenge pages are detected.

  • SQLite Lock Handling: Improved error messages and warnings when database lock conflicts occur from parallel CLI commands. Added 15-second busy timeout to reduce lock failures.

  • Smarter Audit Selection:

    • analyze command now selects the latest completed crawl instead of potentially picking a still-running one
    • report command blocks incomplete or non-analyzed audits with clear error messages
    • Latest audit lookup now matches apex/www domain aliases (e.g., example.com matches www.example.com)
  • LLM Report Output Improvements:

    • Affected pages are now sampled breadth-first (shallower paths first) and capped at 5 per issue
    • Evidence item lists capped to prevent oversized reports
    • Object metadata now serializes properly instead of showing [object Object]
  • Documentation: Added warning about avoiding parallel crawl, audit, analyze, or report commands against the same workspace database

v0.0.35 - Feb 10, 2026

Release Notes

New Audit Rules

1 new rule added to help catch user-facing issues:

Links

  • Tel/Mailto Mismatch Detection — Warns when the displayed phone number or email doesn't match the href value (e.g., <a href="tel:+1555111">+1555222</a>), preventing users from contacting the wrong number/address (thanks @wildfiremedia via https://github.com/squirrelscan/squirrelscan/issues/11)

Other Improvements

  • Reduced false positives for empty anchor text — Now checks aria-label, aria-labelledby, title, SVG titles, and role="img" before flagging links as empty
  • Image dimension warnings now show HTML snippets — Easier to identify which <img> tags are missing width/height
  • Fixed 0% rounding bug in E-E-A-T rules — Author byline and content date checks now correctly report "No pages have..." instead of "0% of pages"
  • Privacy policy check is now site-scoped — Scans all crawled pages for a privacy link instead of just one page
  • Improved console output formatting — Report sections now display with cleaner box-drawing borders
  • Reserved command protection — Added agent to reserved names to prevent CLI conflicts

v0.0.34 - Feb 9, 2026

Release Notes

New Audit Rules

1 new rule added to help optimize your site's performance:

Performance

Other Improvements

v0.0.33 - Feb 8, 2026

Release Notes

New Audit Rules

Two new crawl rules to help ensure Googlebot can fully index your content:

  • crawl/html-size - Warns when HTML documents approach or exceed Googlebot's 2MB truncation limit
  • crawl/pdf-size - Checks linked PDFs against Googlebot's 64MB limit via HEAD requests

Other Improvements

  • Query string support in paths - URL output now includes query strings (e.g., /search?q=test instead of just /search)
  • Improved console output - Category breakdown now shows visual progress bars with pass/warn/fail counts per category
  • HTML report polish - Redesigned score card with circular progress ring, human-friendly dates, colored category counts, docs links for each rule, and improved typography. See example published report
  • Better category sorting - Report categories now sort by priority rather than issue count
  • Updated thin content guidance - Word count rule solution text updated to reflect Google's June 2025 core update deindexing behavior

v0.0.32 - Feb 6, 2026

Release Notes

Fixed

  • Failed connection handling
  • Better console error handling and returns
  • Logging and tracing
  • Other bug fixes

Added

  • More settings can be adjusted from the command line conf option
  • More settings in squirrel settings.json exposed

v0.0.31 - Feb 6, 2026

Release Notes

New Audit Rules

This release adds 6 new accessibility and performance rules for expanded coverage, reaching near-100% coverage of Lighthouse tests.

Accessibility (5 new rules)

  • a11y/aria-dialog-name - Ensures dialog elements have accessible names for screen readers
  • a11y/aria-text - Validates that role="text" elements don't contain focusable descendants
  • a11y/duplicate-id-active - Detects duplicate IDs on focusable elements that break keyboard navigation
  • a11y/th-has-data-cells - Checks that table headers have associated data cells
  • Expanded a11y/button-name to separately report input button accessibility

Performance (1 new rule)

  • perf/critical-request-chains - Identifies render-blocking CSS, synchronous scripts, and CSS @import chains that delay page rendering

Other Improvements

  • Auto-update reminders - Periodic reminder when auto-updates are disabled (every 7 days)

v0.0.30 - Feb 4, 2026

Release Notes

Improved Audit Rules

Accessibility Enhancements

  • aria-required-parent: Now checks both explicit ARIA roles and implicit HTML element roles (e.g., <li> outside <ul>)
  • color-contrast: Extended detection to include CSS class patterns (Tailwind, Bootstrap), <style> block analysis, and framework-agnostic low-contrast patterns
  • link-text: Improved accessible name computation following ARIA spec, better detection of icon-only links and SVG accessibility
  • skip-link: Now recognizes multiple WCAG 2.4.1 bypass mechanisms including <main> landmarks and heading navigation
  • zoom-disabled: Aligned with Lighthouse threshold (maximum-scale < 5), added minimum-scale detection

Performance Improvements

  • source-maps: Now detects SourceMap HTTP headers, resolves relative URLs, and checks fetched script content for sourceMappingURL references
  • js-libraries: Enhanced detection with inline code pattern matching, HTML runtime markers, and CVE references for vulnerabilities
  • total-byte-weight: Aggregates resources across all crawled pages with deduplication, provides detailed breakdowns by resource type
  • unminified-css/unminified-js: Improved analysis with potential savings estimates, better minification heuristics
  • doctype: Handles BOM characters and XML declarations, validates doctype position

Crawl & Core

  • redirect-chain: Now specifically flags entry URL redirects and provides chain visualization
  • viewport: Handles both single and double quote attribute syntax

v0.0.29 - Feb 4, 2026

Release Notes

New Audit Rules

This release significantly expands rule coverage with improved detection across accessibility, performance, and security categories.

Accessibility Enhancements

  • Color Contrast: Now performs actual WCAG 2.1 contrast ratio calculations (4.5:1 for normal text, 3:1 for large text) instead of pattern matching
  • Link Text Detection: Expanded generic link text patterns from 12 to 50+ terms including action words, CTAs, and navigation patterns
  • Redundant Alt Text: Added 20+ new patterns covering technical diagrams, file references, and lazy placeholder text
  • ARIA Role Mappings: Added implicit ARIA role detection for 40+ HTML elements (lists, tables, forms, landmarks)

Performance Enhancements

  • JS Library Detection: Expanded from 12 to 35+ libraries including:
    • Frameworks: Svelte, Next.js, Nuxt
    • State management: Redux, MobX, Zustand
    • Visualization: Chart.js, Highcharts, ApexCharts
    • Animation: Framer Motion, Anime.js, Lottie
    • Legacy libraries with vulnerability tracking: Prototype.js, YUI
  • Total Byte Weight: Now tracks external JavaScript file sizes for more accurate page weight reporting

Security Enhancements

  • CSP Detection: Upgraded severity from info to warning, now validates specific directives (script-src, frame-ancestors, object-src) and detects weak values
  • Leaked Secrets: Reduced false positives by filtering code identifiers (camelCase, snake_case function names) and requiring assignment context
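
A sketch of the kind of check the CSP Detection bullet above describes, added here as an example and not taken from squirrelscan. Which values the tool itself treats as weak is not stated on this page; the `BROAD` set, the issue codes and both sample headers are assumptions, and the parsing and fallback behaviour follow the CSP specification.

```javascript
// Added example, not squirrelscan's implementation. Audits the three
// directives named above; the notion of "weak" used here is an assumption.
const BROAD = new Set(["*", "http:", "https:", "data:"]);

// Parse a Content-Security-Policy header value into directive -> sources.
// Per the CSP spec, directive names are case-insensitive and a repeated
// directive is ignored: only the first occurrence takes effect.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function auditCsp(header) {
  const csp = parseCsp(header);
  const issues = [];
  // script-src and object-src fall back to default-src; frame-ancestors does not.
  const effective = (name) => csp.get(name) ?? csp.get("default-src");

  const script = effective("script-src");
  if (!script) {
    issues.push("script-src:missing");
  } else {
    const src = script.map((s) => s.toLowerCase());
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    const hasNonceOrHash = src.some((s) => /^'(?:nonce-|sha(?:256|384|512)-)/.test(s));
    // With 'strict-dynamic', host and scheme sources are ignored as well.
    const strictDynamic = src.includes("'strict-dynamic'");
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) issues.push("script-src:unsafe-inline");
    if (src.includes("'unsafe-eval'")) issues.push("script-src:unsafe-eval");
    for (const s of src) {
      if (BROAD.has(s) && !strictDynamic) issues.push(`script-src:broad-source:${s}`);
    }
  }

  const object = effective("object-src");
  if (!object) {
    issues.push("object-src:missing");
  } else {
    for (const s of object) {
      if (BROAD.has(s.toLowerCase())) issues.push(`object-src:broad-source:${s}`);
    }
  }

  const ancestors = csp.get("frame-ancestors"); // no default-src fallback
  if (!ancestors) {
    issues.push("frame-ancestors:missing");
  } else {
    for (const s of ancestors) {
      if (BROAD.has(s.toLowerCase())) issues.push(`frame-ancestors:broad-source:${s}`);
    }
  }
  return issues;
}

// Constructed sample headers.
const WEAK = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; SCRIPT-SRC 'none'";
const STRONG = "script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; object-src 'none'; frame-ancestors 'self'";

console.log(auditCsp(WEAK));
console.log(auditCsp(STRONG));
```

The second header shows why a plain substring match for 'unsafe-inline' produces false positives: it is the standard backwards-compatible form of a nonce-based policy.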

Other Improvements

  • Improved accuracy of AWS secret key detection patterns
  • Fixed false positive detection in security scans for array elements vs assigned values

v0.0.28 - Feb 3, 2026

Release Notes

New Features

Diff Reports

We added an issue fingerprinting system and a new diff/reporting mode to squirrel report so agents can track regressions and improvements between audits. Diff mode compares a baseline audit to a current audit and outputs added, removed, and changed issues with stable fingerprints, making it easier to see what actually changed across runs. It supports the existing output formats (console, text, json, llm, markdown), and treats status shifts (warn ↔ fail) as a change rather than a new/removal, so trend analysis is consistent.

New flags include --diff <audit-id|domain>, --regression-since <audit-id|domain>, and --allow-cross-site (for comparing different base URLs when needed). The JSON/LLM outputs include structured diff summaries plus baseline/current metadata, so automation and agent workflows can reliably parse and act on regressions.

Compare audit reports to track changes over time:

# Compare current report against a baseline
squirrel report --diff <audit-id>

# Compare latest report against a baseline for regression tracking
squirrel report --regression-since <audit-id-or-domain>

# Allow comparison across different base URLs
squirrel report --diff <audit-id> --allow-cross-site

Diff reports show:

  • Added - New issues not in baseline
  • Removed - Issues fixed since baseline
  • Changed - Issues with status changes (regressions/improvements)

Output formats: console, text, json, markdown, llm

XML Output Format

Export audit reports in XML format:

squirrel audit https://example.com --format xml
squirrel audit https://example.com --format xml --output report.xml

Other Improvements

  • Streamlined publish output - --publish flag now outputs just the URL for easier scripting and CI integration
  • Improved URL pattern matching - --exclude and --include patterns now match against pathname instead of full URL, making patterns more intuitive (e.g., /blog/* works as expected)
  • Better shell completions - Added completions for new --diff, --regression-since, and --allow-cross-site flags

v0.0.27 - Feb 2, 2026

Release Notes

Bug Fixes

  • JSON-LD validation fix: Fixed schema/json-ld-valid rule always reporting failure due to accessing wrong field (#3) - thanks @Fede654
  • Schema deserialization fix: Fixed cached audit results losing schema getter methods, causing rules to fail on subsequent runs (#4) - thanks @Fede654
  • Multi-type schema preservation: Schemas with multiple @type values (e.g., ["LocalBusiness", "Organization"]) are now preserved as arrays instead of being normalized to a single type (#5) - thanks @Fede654
  • Schema.org @context inheritance: Child items within @graph structures now properly inherit the parent's @context, fixing false "Missing @context" validation errors (#2) - thanks @bberenberg

Improvements

  • Expanded LocalBusiness detection: Extended support from ~15 types to the full Schema.org LocalBusiness hierarchy (140+ subtypes including all Restaurant, Store, MedicalBusiness, and other specialized business types) (#7) - thanks @Fede654
  • Multilingual E-E-A-T page detection: About, Contact, Privacy, Terms, and Editorial policy page detection now supports URLs in 10+ languages (English, Spanish, French, German, Portuguese, Italian, Dutch, Polish, Russian, Japanese) (#6) - thanks @Fede654