Releases

New Audit Rules

62 new audit rules added across multiple categories, bringing comprehensive coverage for accessibility, performance, and security best practices.

Accessibility (48 new rules)

ARIA validation and naming:

• aria-valid-attr / aria-valid-attr-value - Validates ARIA attribute names and values
• aria-roles - Checks for valid ARIA role values
• aria-required-attr / aria-required-parent / aria-required-children - Ensures proper ARIA structure
• aria-hidden-body / aria-hidden-focus - Prevents hiding content from assistive technology incorrectly
• aria-command-name / aria-input-field-name / aria-toggle-field-name - Ensures interactive elements have accessible names

Element accessibility:

• button-name - Checks all buttons have accessible names
• empty-heading - Detects headings without content
• frame-title - Ensures iframes have title attributes
• select-name - Validates select elements have labels

Structure and navigation:

• definition-list / dlitem / list-structure / listitem - Validates list markup
• landmark-one-main - Ensures exactly one main landmark
• tabindex - Checks for appropriate tabindex values
• duplicate-id-aria - Prevents duplicate IDs in ARIA references

Language and content:

• html-lang-valid / valid-lang / html-xml-lang-mismatch - Validates language attributes
• meta-refresh - Detects problematic auto-refresh
• link-in-text-block - Ensures links are visually distinguishable
• paste-inputs - Detects inputs that block pasting (accessibility anti-pattern)

Performance (14 new rules)

• doctype / charset - Validates HTML5 document structure
• compression - Checks for Gzip/Brotli compression
• cache-headers - Analyzes Cache-Control configuration
• http2 - Checks HTTP/2 protocol support
• total-byte-weight - Monitors total page weight
• unminified-css / unminified-js - Detects unminified assets
• duplicate-js - Finds duplicate JavaScript libraries
• legacy-js - Detects ES5 polyfills and legacy code
• js-libraries - Identifies libraries and known vulnerabilities
• source-maps - Checks for exposed source maps
• animated-content - Suggests converting GIFs to video
• images/offscreen-lazy / images/optimized / images/responsive-size - Image optimization checks

Security (1 new rule)

• third-party-cookies - Detects third-party tracking resources

📖 Full rule documentation: https://docs.squirrelscan.com/rules

New Commands

squirrel auth - Authentication

Authenticate with your squirrelscan account for publishing reports and accessing :

squirrel auth login           # Opens browser for OAuth login
squirrel auth status          # Check authentication status
squirrel auth logout          # Sign out and revoke token

squirrel report --publish - Report Publishing

Publish audit reports to share with your team:

squirrel report --publish                        # Publish with default visibility
squirrel report --publish --visibility unlisted  # Unlisted report
squirrel report --publish --visibility private   # Private report

Published reports are available at reports.squirrelscan.com and can be managed from your dashboard.

Other Improvements

• squirrel report --list now shows published report status and URLs
• Added crawlId to JSON report output for tracking
• Shell completions updated with new auth commands and --publish/--visibility options
• Added musl (Alpine Linux) platform support in release manifest

Added

• Linux musl/Alpine builds in x64 and arm64

Fixed

• Hotfix on race condition on install

Added

• New feature: Coverage mode for crawling with --coverage flag. Options are: quick for a quick scan, surface for surface level (with single-sample url tree detection) or full for a full crawl (which will also check all content). Documentation is here and the default is surface
• Support for 8-character short ID prefix in report command
• URL pattern detection for surface crawl mode

Fixed

• SQLite file lock cleanup issues on Windows

Performance

• Parallel crawl loop with content store caching improves performance across crawls

Added

• llm output format is now further optimized with token outputs
• squirrel skills update subcommand to update skill installs - see reference
• core audit-website skill updated to version 1.10 - more performance and running hints

Fixed

• squirrel feedback was failing at times
• fallback with squirrel skills commands

Performance

• Removed redundant details section from LLM output

Added

• New performance rule - perf/js-redirects - detect javascript 3xx redirects [see docs]
• New crawlability rule - crawl/redirect-chain - detects redirects in links and suggests shortcutting to target [see docs]
• New link rule - links/weak-internal-links - Detects pages with a low number of internal dofollow links pointing to them [see docs]

Fixed

• Improved rule detection for js-redirects and weak-internal-links

Fixed

• Hang on first run that would happen sometimes

Added

• Added squirrel skills install command for managing skills
• Added release permalink pages on website
• Installer now installs skills

Changed

• Increased maximum pages cap from 500 to 5,000

Added

• Added security/leaked-secrets security rule for detecting exposed credentials - rule docs
• Added security/form-captcha rule for form protection checks - rule docs
• Install now available on npm as squirrelscan

Changed

• CLI options now use kebab-case for consistency
• Agent use documentation

Added

• --bin-dir flag for CLI with shell-aware PATH instructions
• Markdown and LLM output formats for audit command

Fixed

• App formatting issues

Added

• WAF detection in crawler
• Display config and database paths on command execution

Changed

• Removed node-tls-client dependency from crawler

Fixed

• Project setup on init and config setting
• Updated quickstart configuration

Added

• Compact LLM output format for reports
• Skills updates with Makefile support

Changed

• Improvements and refactoring to core functionality
• Updated core audit-website skill

Fixed

• Graceful fallback to standard fetch when TLS client unavailable in compiled binary

Added

• File-based debug logging with configurable levels
• Browser impersonation (IMPIT) for WAF bypass
• Footer with issue link and feedback command in CLI
• New audit rules: orphan pages, dead-end pages, and indexability checks
• Robots.txt parsing and schema utilities
• Resource checks and redirect tracking
• Configurable thresholds for orphan page detection
• Configurable anchor link handling in dead-end page detection

Changed

• Auto-update now shows notifications only instead of auto-installing
• Overhauled output formats for reports
• Overhauled scoring system with curve-based calculations and penalties
• Unified parsing architecture to eliminate duplicate HTML parsing
• Renamed "domain" to "category" across the codebase
• Improved CLI validation and reachability checks
• Enhanced pattern matching with exact segments and regex support

Fixed

• Audits now always create new crawls instead of resuming incomplete ones
• TLS client improvements for better compatibility
• Restored missing indexability rules
• Improved report command error messages
• Corrected indexability API usage
• Improved audit scoring and schema robustness

Added

• Live progress display with gradient banner during audits
• Broken external link detection
• HTTP and client-side redirect following on seed URL
• Random browser user-agent rotation for more reliable crawling
• Page URLs shown for each issue in reports with grouped broken links
• Enhanced HTML report branding and page visibility indicators

Performance

• Breadth-first crawling with intelligent prefix-based throttling
• Eliminated redundant DOM parsing - significant speed improvement
• Optimized database queries to remove N+1 query patterns

Changed

• Rules can now be marked as disabled in schema instead of using --all flag

Fixed

• HTML report generation dependencies

Installation

curl -fsSL https://squirrelscan.com/install.sh | bash

Or download the binary for your platform below.