Releases

Release focuses on report generation and published reports. New HTML format that is more concise based on feedback.

The published report urls will now return text, llm format, markdown etc. based on request header negotiation.

See an example report and the different formats you can request:

Improvements

• Redesigned HTML reports: Rules now collapse by default with a scannable summary line showing name, severity, and affected page count
• Report package — Report generation logic (HTML, Markdown, text, XML, JSON, LLM formats)
• Fixed report grouping — Meta title, meta description, OG tags, and button name checks now group correctly across pages instead of creating one row per unique value
• API content negotiation — Report endpoint now supports Accept: text/plain, Accept: application/xml, and Accept: text/x-llm headers for alternative output formats
• --publish flag now on audit subcommand along with --visibility

# Publish a public report
squirrel audit example.com --publish

# Publish a private report
squirrel audit example.com --publish --visibility private

Fixes

• Smaller published reports: Publish payload reduced by ~60% by trimming bulk data
• Fixed long URL overflow: Report links no longer break layout when URLs are very long
• Accessibility fix: Fixed duplicate ID detection for IDs containing special characters
• Shell completions updated: Added completions for new --publish and --visibility flags in bash, zsh, and fish

Lots of performance improvements and resilience in crawling and analysis - especially with larger crawls on larger websites. llm output format further optimized.

Improvements

• WAF Challenge Page Detection: Audit now detects bot-protection interstitial pages (Cloudflare, Imperva, PerimeterX, etc.) and excludes them from page-level scoring to prevent false positives. A new crawl/waf-challenge-pages warning surfaces when challenge pages are detected.

• SQLite Lock Handling: Improved error messages and warnings when database lock conflicts occur from parallel CLI commands. Added 15-second busy timeout to reduce lock failures.

• Smarter Audit Selection:

  • analyze command now selects the latest completed crawl instead of potentially picking a still-running one
  • report command blocks incomplete or non-analyzed audits with clear error messages
  • Latest audit lookup now matches apex/www domain aliases (e.g., example.com matches www.example.com)

• LLM Report Output Improvements:

  • Affected pages are now sampled breadth-first (shallower paths first) and capped at 5 per issue
  • Evidence item lists capped to prevent oversized reports
  • Object metadata now serializes properly instead of showing [object Object]

• Documentation: Added warning about avoiding parallel crawl, audit, analyze, or report commands against the same workspace database

New Audit Rules

1 new rule added to help catch user-facing issues:

Links

• Tel/Mailto Mismatch Detection — Warns when the displayed phone number or email doesn't match the href value (e.g., <a href="tel:+1555111">+1555222</a>), preventing users from contacting the wrong number/address (thanks @wildfiremedia via https://github.com/squirrelscan/squirrelscan/issues/11)

View all rules →

Other Improvements

• Reduced false positives for empty anchor text — Now checks aria-label, aria-labelledby, title, SVG titles, and role="img" before flagging links as empty
• Image dimension warnings now show HTML snippets — Easier to identify which <img> tags are missing width/height
• Fixed 0% rounding bug in E-E-A-T rules — Author byline and content date checks now correctly report "No pages have..." instead of "0% of pages"
• Privacy policy check is now site-scoped — Scans all crawled pages for a privacy link instead of just one page
• Improved console output formatting — Report sections now display with cleaner box-drawing borders
• Reserved command protection — Added agent to reserved names to prevent CLI conflicts

New Audit Rules

1 new rule added to help optimize your site's performance:

Performance

• https://docs.squirrelscan.com/rules/perf/js-file-size - Detects oversized JavaScript files that block the main thread and delay interactivity

Other Improvements

• Overhauled asset size rules - Image, CSS, and PDF size checks now use tiered warn/error thresholds instead of single limits:
  • Images: warn at 200KB, error at 1MB (https://docs.squirrelscan.com/rules/images/image-file-size)
  • CSS: warn at 150KB, error at 500KB (https://docs.squirrelscan.com/rules/perf/css-file-size)
  • JavaScript: warn at 250KB, error at 1MB (https://docs.squirrelscan.com/rules/perf/js-file-size)
  • PDFs: warn at 30MB, error at 60MB (https://docs.squirrelscan.com/rules/crawl/pdf-size)
• Fixed React SSR compatibility - Rules now correctly detect attributes like charset, tabindex, nomodule, colspan, and rowspan regardless of casing — handles React's camelCase SSR output like charSet, tabIndex (https://docs.squirrelscan.com/rules/core/charset). Thanks to https://github.com/EnkiYouTube-ui for reporting https://github.com/squirrelscan/squirrelscan/issues/8!
• Updated Googlebot limits - PDF truncation limit corrected to 60MB (was 64MB) (https://docs.squirrelscan.com/rules/crawl/pdf-size)

New Audit Rules

Two new crawl rules to help ensure Googlebot can fully index your content:

• crawl/html-size - Warns when HTML documents approach or exceed Googlebot's 2MB truncation limit
• crawl/pdf-size - Checks linked PDFs against Googlebot's 64MB limit via HEAD requests

View all rules →

Other Improvements

• Query string support in paths - URL output now includes query strings (e.g., /search?q=test instead of just /search)
• Improved console output - Category breakdown now shows visual progress bars with pass/warn/fail counts per category
• HTML report polish - Redesigned score card with circular progress ring, human-friendly dates, colored category counts, docs links for each rule, and improved typography. See example published report
• Better category sorting - Report categories now sort by priority rather than issue count
• Updated thin content guidance - Word count rule solution text updated to reflect Google's June 2025 core update deindexing behavior

Fixed

• Failed connection handling
• Better console error handling and returns
• Logging and tracing
• Other bug fixes

Added

• More settings can be adjusted from the command line conf option
• More settings in squirrel settings.json exposed

New Audit Rules

This release adds 6 new accessibility and performance rules for expanded coverage. Near-100% coverage of lighthouse tests.

Accessibility (5 new rules)

• a11y/aria-dialog-name - Ensures dialog elements have accessible names for screen readers
• a11y/aria-text - Validates that role="text" elements don't contain focusable descendants
• a11y/duplicate-id-active - Detects duplicate IDs on focusable elements that break keyboard navigation
• a11y/th-has-data-cells - Checks that table headers have associated data cells
• Expanded a11y/button-name to separately report input button accessibility

Performance (1 new rule)

• perf/critical-request-chains - Identifies render-blocking CSS, synchronous scripts, and CSS @import chains that delay page rendering

View all rules →

Other Improvements

• Auto-update reminders - Periodic reminder when auto-updates are disabled (every 7 days)

Improved Audit Rules

Accessibility Enhancements

• aria-required-parent: Now checks both explicit ARIA roles and implicit HTML element roles (e.g., <li> outside <ul>)
• color-contrast: Extended detection to include CSS class patterns (Tailwind, Bootstrap), <style> block analysis, and framework-agnostic low-contrast patterns
• link-text: Improved accessible name computation following ARIA spec, better detection of icon-only links and SVG accessibility
• skip-link: Now recognizes multiple WCAG 2.4.1 bypass mechanisms including <main> landmarks and heading navigation
• zoom-disabled: Aligned with Lighthouse threshold (maximum-scale < 5), added minimum-scale detection

Performance Improvements

• source-maps: Now detects SourceMap HTTP headers, resolves relative URLs, and checks fetched script content for sourceMappingURL references
• js-libraries: Enhanced detection with inline code pattern matching, HTML runtime markers, and CVE references for vulnerabilities
• total-byte-weight: Aggregates resources across all crawled pages with deduplication, provides detailed breakdowns by resource type
• unminified-css/unminified-js: Improved analysis with potential savings estimates, better minification heuristics
• doctype: Handles BOM characters and XML declarations, validates doctype position

Crawl & Core

• redirect-chain: Now specifically flags entry URL redirects and provides chain visualization
• viewport: Handles both single and double quote attribute syntax

New Audit Rules

This release significantly expands rule coverage with improved detection across accessibility, performance, and security categories.

Accessibility Enhancements

• Color Contrast: Now performs actual WCAG 2.1 contrast ratio calculations (4.5:1 for normal text, 3:1 for large text) instead of pattern matching
• Link Text Detection: Expanded generic link text patterns from 12 to 50+ terms including action words, CTAs, and navigation patterns
• Redundant Alt Text: Added 20+ new patterns covering technical diagrams, file references, and lazy placeholder text
• ARIA Role Mappings: Added implicit ARIA role detection for 40+ HTML elements (lists, tables, forms, landmarks)

Performance Enhancements

• JS Library Detection: Expanded from 12 to 35+ libraries including:
  • Frameworks: Svelte, Next.js, Nuxt
  • State management: Redux, MobX, Zustand
  • Visualization: Chart.js, Highcharts, ApexCharts
  • Animation: Framer Motion, Anime.js, Lottie
  • Legacy libraries with vulnerability tracking: Prototype.js, YUI
• Total Byte Weight: Now tracks external JavaScript file sizes for more accurate page weight reporting

Security Enhancements

• CSP Detection: Upgraded severity from info to warning, now validates specific directives (script-src, frame-ancestors, object-src) and detects weak values
• Leaked Secrets: Reduced false positives by filtering code identifiers (camelCase, snake_case function names) and requiring assignment context

View all rules →

Other Improvements

• Improved accuracy of AWS secret key detection patterns
• Fixed false positive detection in security scans for array elements vs assigned values

New Features

Diff Reports

We added an issue fingerprinting system and a new diff/reporting mode to squirrel report so agents can track regressions and improvements between audits. Diff mode compares a baseline audit to a current audit and outputs added, removed, and changed issues with stable fingerprints, making it easier to see what actually changed across runs. It supports the existing output formats (console, text, json, llm, markdown), and treats status shifts (warn ↔ fail) as a change rather than a new/removal, so trend analysis is consistent.

New flags include --diff <audit-id|domain>, --regression-since <audit-id|domain>, and --allow-cross-site (for comparing different base URLs when needed). The JSON/LLM outputs include structured diff summaries plus baseline/current metadata, so automation and agent workflows can reliably parse and act on regressions.

Compare audit reports to track changes over time:

# Compare current report against a baseline
squirrel report --diff <audit-id>

# Compare latest report against a baseline for regression tracking
squirrel report --regression-since <audit-id-or-domain>

# Allow comparison across different base URLs
squirrel report --diff <audit-id> --allow-cross-site

Diff reports show:

• Added - New issues not in baseline
• Removed - Issues fixed since baseline
• Changed - Issues with status changes (regressions/improvements)

Output formats: console, text, json, markdown, llm

XML Output Format

Export audit reports in XML format:

squirrel audit https://example.com --format xml
squirrel audit https://example.com --format xml --output report.xml

Other Improvements

• Streamlined publish output - --publish flag now outputs just the URL for easier scripting and CI integration
• Improved URL pattern matching - --exclude and --include patterns now match against pathname instead of full URL, making patterns more intuitive (e.g., /blog/* works as expected)
• Better shell completions - Added completions for new --diff, --regression-since, and --allow-cross-site flags

Bug Fixes

• JSON-LD validation fix: Fixed schema/json-ld-valid rule always reporting failure due to accessing wrong field (#3) - thanks @Fede654
• Schema deserialization fix: Fixed cached audit results losing schema getter methods, causing rules to fail on subsequent runs (#4) - thanks @Fede654
• Multi-type schema preservation: Schemas with multiple @type values (e.g., ["LocalBusiness", "Organization"]) are now preserved as arrays instead of being normalized to a single type (#5) - thanks @Fede654
• Schema.org @context inheritance: Child items within @graph structures now properly inherit the parent's @context, fixing false "Missing @context" validation errors (#2)
• thanks @bberenberg

Improvements

• Expanded LocalBusiness detection: Extended support from ~15 types to the full Schema.org LocalBusiness hierarchy (140+ subtypes including all Restaurant, Store, MedicalBusiness, and other specialized business types) (#7) - thanks @Fede654
• Multilingual E-E-A-T page detection: About, Contact, Privacy, Terms, and Editorial policy page detection now supports URLs in 10+ languages (English, Spanish, French, German, Portuguese, Italian, Dutch, Polish, Russian, Japanese) (#6) - thanks @Fede654

New Audit Rules

62 new audit rules added across multiple categories, bringing comprehensive coverage for accessibility, performance, and security best practices.

Accessibility (48 new rules)

ARIA validation and naming:

• aria-valid-attr / aria-valid-attr-value - Validates ARIA attribute names and values
• aria-roles - Checks for valid ARIA role values
• aria-required-attr / aria-required-parent / aria-required-children - Ensures proper ARIA structure
• aria-hidden-body / aria-hidden-focus - Prevents hiding content from assistive technology incorrectly
• aria-command-name / aria-input-field-name / aria-toggle-field-name - Ensures interactive elements have accessible names

Element accessibility:

• button-name - Checks all buttons have accessible names
• empty-heading - Detects headings without content
• frame-title - Ensures iframes have title attributes
• select-name - Validates select elements have labels

Structure and navigation:

• definition-list / dlitem / list-structure / listitem - Validates list markup
• landmark-one-main - Ensures exactly one main landmark
• tabindex - Checks for appropriate tabindex values
• duplicate-id-aria - Prevents duplicate IDs in ARIA references

Language and content:

• html-lang-valid / valid-lang / html-xml-lang-mismatch - Validates language attributes
• meta-refresh - Detects problematic auto-refresh
• link-in-text-block - Ensures links are visually distinguishable
• paste-inputs - Detects inputs that block pasting (accessibility anti-pattern)

Performance (14 new rules)

• doctype / charset - Validates HTML5 document structure
• compression - Checks for Gzip/Brotli compression
• cache-headers - Analyzes Cache-Control configuration
• http2 - Checks HTTP/2 protocol support
• total-byte-weight - Monitors total page weight
• unminified-css / unminified-js - Detects unminified assets
• duplicate-js - Finds duplicate JavaScript libraries
• legacy-js - Detects ES5 polyfills and legacy code
• js-libraries - Identifies libraries and known vulnerabilities
• source-maps - Checks for exposed source maps
• animated-content - Suggests converting GIFs to video
• images/offscreen-lazy / images/optimized / images/responsive-size - Image optimization checks

Security (1 new rule)

• third-party-cookies - Detects third-party tracking resources

📖 Full rule documentation: https://docs.squirrelscan.com/rules

New Commands

squirrel auth - Authentication

Authenticate with your squirrelscan account for publishing reports and accessing :

squirrel auth login           # Opens browser for OAuth login
squirrel auth status          # Check authentication status
squirrel auth logout          # Sign out and revoke token

squirrel report --publish - Report Publishing

Publish audit reports to share with your team:

squirrel report --publish                        # Publish with default visibility
squirrel report --publish --visibility unlisted  # Unlisted report
squirrel report --publish --visibility private   # Private report

Published reports are available at reports.squirrelscan.com and can be managed from your dashboard.

Other Improvements

• squirrel report --list now shows published report status and URLs
• Added crawlId to JSON report output for tracking
• Shell completions updated with new auth commands and --publish/--visibility options
• Added musl (Alpine Linux) platform support in release manifest

Added

• Linux musl/Alpine builds in x64 and arm64

Fixed

• Hotfix on race condition on install

Added

• New feature: Coverage mode for crawling with --coverage flag. Options are: quick for a quick scan, surface for surface level (with single-sample url tree detection) or full for a full crawl (which will also check all content). Documentation is here and the default is surface
• Support for 8-character short ID prefix in report command
• URL pattern detection for surface crawl mode

Fixed

• SQLite file lock cleanup issues on Windows

Performance

• Parallel crawl loop with content store caching improves performance across crawls

Added

• llm output format is now further optimized with token outputs
• squirrel skills update subcommand to update skill installs - see reference
• core audit-website skill updated to version 1.10 - more performance and running hints

Fixed

• squirrel feedback was failing at times
• fallback with squirrel skills commands

Performance

• Removed redundant details section from LLM output

Added

• New performance rule - perf/js-redirects - detect javascript 3xx redirects [see docs]
• New crawlability rule - crawl/redirect-chain - detects redirects in links and suggests shortcutting to target [see docs]
• New link rule - links/weak-internal-links - Detects pages with a low number of internal dofollow links pointing to them [see docs]

Fixed

• Improved rule detection for js-redirects and weak-internal-links

Fixed

• Hang on first run that would happen sometimes

Added

• Added squirrel skills install command for managing skills
• Added release permalink pages on website
• Installer now installs skills

Changed

• Increased maximum pages cap from 500 to 5,000

Added

• Added security/leaked-secrets security rule for detecting exposed credentials - rule docs
• Added security/form-captcha rule for form protection checks - rule docs
• Install now available on npm as squirrelscan

Changed

• CLI options now use kebab-case for consistency
• Agent use documentation

Added

• --bin-dir flag for CLI with shell-aware PATH instructions
• Markdown and LLM output formats for audit command

Fixed

• App formatting issues

Added

• WAF detection in crawler
• Display config and database paths on command execution

Changed

• Removed node-tls-client dependency from crawler

Fixed

• Project setup on init and config setting
• Updated quickstart configuration

Added

• Compact LLM output format for reports
• Skills updates with Makefile support

Changed

• Improvements and refactoring to core functionality
• Updated core audit-website skill

Fixed

• Graceful fallback to standard fetch when TLS client unavailable in compiled binary

Added

• File-based debug logging with configurable levels
• Browser impersonation (IMPIT) for WAF bypass
• Footer with issue link and feedback command in CLI
• New audit rules: orphan pages, dead-end pages, and indexability checks
• Robots.txt parsing and schema utilities
• Resource checks and redirect tracking
• Configurable thresholds for orphan page detection
• Configurable anchor link handling in dead-end page detection

Changed

• Auto-update now shows notifications only instead of auto-installing
• Overhauled output formats for reports
• Overhauled scoring system with curve-based calculations and penalties
• Unified parsing architecture to eliminate duplicate HTML parsing
• Renamed "domain" to "category" across the codebase
• Improved CLI validation and reachability checks
• Enhanced pattern matching with exact segments and regex support

Fixed

• Audits now always create new crawls instead of resuming incomplete ones
• TLS client improvements for better compatibility
• Restored missing indexability rules
• Improved report command error messages
• Corrected indexability API usage
• Improved audit scoring and schema robustness

Added

• Live progress display with gradient banner during audits
• Broken external link detection
• HTTP and client-side redirect following on seed URL
• Random browser user-agent rotation for more reliable crawling
• Page URLs shown for each issue in reports with grouped broken links
• Enhanced HTML report branding and page visibility indicators

Performance

• Breadth-first crawling with intelligent prefix-based throttling
• Eliminated redundant DOM parsing - significant speed improvement
• Optimized database queries to remove N+1 query patterns

Changed

• Rules can now be marked as disabled in schema instead of using --all flag

Fixed

• HTML report generation dependencies

Installation

curl -fsSL https://squirrelscan.com/install.sh | bash

Or download the binary for your platform below.