Skip to main content

Releases

Release history and changelogs

All releases up to v0.1 will be in the stable channel.

Release channel

Release History

v0.0.36Feb 11, 2026Latest

Release Notes

Lots of performance improvements and resilience in crawling and analysis - especially with larger crawls on larger websites. llm output format further optimized.

Improvements

  • WAF Challenge Page Detection: Audit now detects bot-protection interstitial pages (Cloudflare, Imperva, PerimeterX, etc.) and excludes them from page-level scoring to prevent false positives. A new crawl/waf-challenge-pages warning surfaces when challenge pages are detected.

  • SQLite Lock Handling: Improved error messages and warnings when database lock conflicts occur from parallel CLI commands. Added 15-second busy timeout to reduce lock failures.

  • Smarter Audit Selection:

    • analyze command now selects the latest completed crawl instead of potentially picking a still-running one
    • report command blocks incomplete or non-analyzed audits with clear error messages
    • Latest audit lookup now matches apex/www domain aliases (e.g., example.com matches www.example.com)
  • LLM Report Output Improvements:

    • Affected pages are now sampled breadth-first (shallower paths first) and capped at 5 per issue
    • Evidence item lists capped to prevent oversized reports
    • Object metadata now serializes properly instead of showing [object Object]
  • Documentation: Added warning about avoiding parallel crawl, audit, analyze, or report commands against the same workspace database

Downloads

Windows
Linux
v0.0.35Feb 10, 2026

Release Notes

New Audit Rules

1 new rule added to help catch user-facing issues:

Links

  • Tel/Mailto Mismatch Detection — Warns when the displayed phone number or email doesn't match the href value (e.g., <a href="tel:+1555111">+1555222</a>), preventing users from contacting the wrong number/address (thanks @wildfiremedia via https://github.com/squirrelscan/squirrelscan/issues/11)

View all rules →

Other Improvements

  • Reduced false positives for empty anchor text — Now checks aria-label, aria-labelledby, title, SVG titles, and role="img" before flagging links as empty
  • Image dimension warnings now show HTML snippets — Easier to identify which <img> tags are missing width/height
  • Fixed 0% rounding bug in E-E-A-T rules — Author byline and content date checks now correctly report "No pages have..." instead of "0% of pages"
  • Privacy policy check is now site-scoped — Scans all crawled pages for a privacy link instead of just one page
  • Improved console output formatting — Report sections now display with cleaner box-drawing borders
  • Reserved command protection — Added agent to reserved names to prevent CLI conflicts
v0.0.34Feb 9, 2026

Release Notes

New Audit Rules

1 new rule added to help optimize your site's performance:

Performance

Other Improvements

v0.0.33Feb 8, 2026

Release Notes

New Audit Rules

Two new crawl rules to help ensure Googlebot can fully index your content:

  • crawl/html-size - Warns when HTML documents approach or exceed Googlebot's 2MB truncation limit
  • crawl/pdf-size - Checks linked PDFs against Googlebot's 64MB limit via HEAD requests

View all rules →

Other Improvements

  • Query string support in paths - URL output now includes query strings (e.g., /search?q=test instead of just /search)
  • Improved console output - Category breakdown now shows visual progress bars with pass/warn/fail counts per category
  • HTML report polish - Redesigned score card with circular progress ring, human-friendly dates, colored category counts, docs links for each rule, and improved typography. See example published report
  • Better category sorting - Report categories now sort by priority rather than issue count
  • Updated thin content guidance - Word count rule solution text updated to reflect Google's June 2025 core update deindexing behavior
v0.0.32Feb 6, 2026

Release Notes

Fixed

  • Failed connection handling
  • Better console error handling and returns
  • Logging and tracing
  • Other bug fixes

Added

  • More settings can be adjusted from the command line conf option
  • More settings in squirrel settings.json exposed
v0.0.31Feb 6, 2026

Release Notes

New Audit Rules

This release adds 6 new accessibility and performance rules for expanded coverage. Near-100% coverage of lighthouse tests.

Accessibility (5 new rules)

  • a11y/aria-dialog-name - Ensures dialog elements have accessible names for screen readers
  • a11y/aria-text - Validates that role="text" elements don't contain focusable descendants
  • a11y/duplicate-id-active - Detects duplicate IDs on focusable elements that break keyboard navigation
  • a11y/th-has-data-cells - Checks that table headers have associated data cells
  • Expanded a11y/button-name to separately report input button accessibility

Performance (1 new rule)

  • perf/critical-request-chains - Identifies render-blocking CSS, synchronous scripts, and CSS @import chains that delay page rendering

View all rules →

Other Improvements

  • Auto-update reminders - Periodic reminder when auto-updates are disabled (every 7 days)
v0.0.30Feb 4, 2026

Release Notes

Improved Audit Rules

Accessibility Enhancements

  • aria-required-parent: Now checks both explicit ARIA roles and implicit HTML element roles (e.g., <li> outside <ul>)
  • color-contrast: Extended detection to include CSS class patterns (Tailwind, Bootstrap), <style> block analysis, and framework-agnostic low-contrast patterns
  • link-text: Improved accessible name computation following ARIA spec, better detection of icon-only links and SVG accessibility
  • skip-link: Now recognizes multiple WCAG 2.4.1 bypass mechanisms including <main> landmarks and heading navigation
  • zoom-disabled: Aligned with Lighthouse threshold (maximum-scale < 5), added minimum-scale detection

Performance Improvements

  • source-maps: Now detects SourceMap HTTP headers, resolves relative URLs, and checks fetched script content for sourceMappingURL references
  • js-libraries: Enhanced detection with inline code pattern matching, HTML runtime markers, and CVE references for vulnerabilities
  • total-byte-weight: Aggregates resources across all crawled pages with deduplication, provides detailed breakdowns by resource type
  • unminified-css/unminified-js: Improved analysis with potential savings estimates, better minification heuristics
  • doctype: Handles BOM characters and XML declarations, validates doctype position

Crawl & Core

  • redirect-chain: Now specifically flags entry URL redirects and provides chain visualization
  • viewport: Handles both single and double quote attribute syntax
v0.0.29Feb 4, 2026

Release Notes

New Audit Rules

This release significantly expands rule coverage with improved detection across accessibility, performance, and security categories.

Accessibility Enhancements

  • Color Contrast: Now performs actual WCAG 2.1 contrast ratio calculations (4.5:1 for normal text, 3:1 for large text) instead of pattern matching
  • Link Text Detection: Expanded generic link text patterns from 12 to 50+ terms including action words, CTAs, and navigation patterns
  • Redundant Alt Text: Added 20+ new patterns covering technical diagrams, file references, and lazy placeholder text
  • ARIA Role Mappings: Added implicit ARIA role detection for 40+ HTML elements (lists, tables, forms, landmarks)

Performance Enhancements

  • JS Library Detection: Expanded from 12 to 35+ libraries including:
    • Frameworks: Svelte, Next.js, Nuxt
    • State management: Redux, MobX, Zustand
    • Visualization: Chart.js, Highcharts, ApexCharts
    • Animation: Framer Motion, Anime.js, Lottie
    • Legacy libraries with vulnerability tracking: Prototype.js, YUI
  • Total Byte Weight: Now tracks external JavaScript file sizes for more accurate page weight reporting

Security Enhancements

  • CSP Detection: Upgraded severity from info to warning, now validates specific directives (script-src, frame-ancestors, object-src) and detects weak values
  • Leaked Secrets: Reduced false positives by filtering code identifiers (camelCase, snake_case function names) and requiring assignment context

View all rules →

Other Improvements

  • Improved accuracy of AWS secret key detection patterns
  • Fixed false positive detection in security scans for array elements vs assigned values
v0.0.28Feb 3, 2026

Release Notes

New Features

Diff Reports

We added an issue fingerprinting system and a new diff/reporting mode to squirrel report so agents can track regressions and improvements between audits. Diff mode compares a baseline audit to a current audit and outputs added, removed, and changed issues with stable fingerprints, making it easier to see what actually changed across runs. It supports the existing output formats (console, text, json, llm, markdown), and treats status shifts (warn ↔ fail) as a change rather than a new/removal, so trend analysis is consistent.

New flags include --diff <audit-id|domain>, --regression-since <audit-id|domain>, and --allow-cross-site (for comparing different base URLs when needed). The JSON/LLM outputs include structured diff summaries plus baseline/current metadata, so automation and agent workflows can reliably parse and act on regressions.

Compare audit reports to track changes over time:

# Compare current report against a baseline
squirrel report --diff <audit-id>

# Compare latest report against a baseline for regression tracking
squirrel report --regression-since <audit-id-or-domain>

# Allow comparison across different base URLs
squirrel report --diff <audit-id> --allow-cross-site

Diff reports show:

  • Added - New issues not in baseline
  • Removed - Issues fixed since baseline
  • Changed - Issues with status changes (regressions/improvements)

Output formats: console, text, json, markdown, llm

XML Output Format

Export audit reports in XML format:

squirrel audit https://example.com --format xml
squirrel audit https://example.com --format xml --output report.xml

Other Improvements

  • Streamlined publish output - --publish flag now outputs just the URL for easier scripting and CI integration
  • Improved URL pattern matching - --exclude and --include patterns now match against pathname instead of full URL, making patterns more intuitive (e.g., /blog/* works as expected)
  • Better shell completions - Added completions for new --diff, --regression-since, and --allow-cross-site flags
v0.0.27Feb 2, 2026

Release Notes

Bug Fixes

  • JSON-LD validation fix: Fixed schema/json-ld-valid rule always reporting failure due to accessing wrong field (#3) - thanks @Fede654
  • Schema deserialization fix: Fixed cached audit results losing schema getter methods, causing rules to fail on subsequent runs (#4) - thanks @Fede654
  • Multi-type schema preservation: Schemas with multiple @type values (e.g., ["LocalBusiness", "Organization"]) are now preserved as arrays instead of being normalized to a single type (#5) - thanks @Fede654
  • Schema.org @context inheritance: Child items within @graph structures now properly inherit the parent's @context, fixing false "Missing @context" validation errors (#2)
  • thanks @bberenberg

Improvements

  • Expanded LocalBusiness detection: Extended support from ~15 types to the full Schema.org LocalBusiness hierarchy (140+ subtypes including all Restaurant, Store, MedicalBusiness, and other specialized business types) (#7) - thanks @Fede654
  • Multilingual E-E-A-T page detection: About, Contact, Privacy, Terms, and Editorial policy page detection now supports URLs in 10+ languages (English, Spanish, French, German, Portuguese, Italian, Dutch, Polish, Russian, Japanese) (#6) - thanks @Fede654
v0.0.26Feb 2, 2026

Release Notes

New Audit Rules

62 new audit rules added across multiple categories, bringing comprehensive coverage for accessibility, performance, and security best practices.

Accessibility (48 new rules)

ARIA validation and naming:

  • aria-valid-attr / aria-valid-attr-value - Validates ARIA attribute names and values
  • aria-roles - Checks for valid ARIA role values
  • aria-required-attr / aria-required-parent / aria-required-children - Ensures proper ARIA structure
  • aria-hidden-body / aria-hidden-focus - Prevents hiding content from assistive technology incorrectly
  • aria-command-name / aria-input-field-name / aria-toggle-field-name - Ensures interactive elements have accessible names

Element accessibility:

  • button-name - Checks all buttons have accessible names
  • empty-heading - Detects headings without content
  • frame-title - Ensures iframes have title attributes
  • select-name - Validates select elements have labels

Structure and navigation:

  • definition-list / dlitem / list-structure / listitem - Validates list markup
  • landmark-one-main - Ensures exactly one main landmark
  • tabindex - Checks for appropriate tabindex values
  • duplicate-id-aria - Prevents duplicate IDs in ARIA references

Language and content:

  • html-lang-valid / valid-lang / html-xml-lang-mismatch - Validates language attributes
  • meta-refresh - Detects problematic auto-refresh
  • link-in-text-block - Ensures links are visually distinguishable
  • paste-inputs - Detects inputs that block pasting (accessibility anti-pattern)

Performance (14 new rules)

  • doctype / charset - Validates HTML5 document structure
  • compression - Checks for Gzip/Brotli compression
  • cache-headers - Analyzes Cache-Control configuration
  • http2 - Checks HTTP/2 protocol support
  • total-byte-weight - Monitors total page weight
  • unminified-css / unminified-js - Detects unminified assets
  • duplicate-js - Finds duplicate JavaScript libraries
  • legacy-js - Detects ES5 polyfills and legacy code
  • js-libraries - Identifies libraries and known vulnerabilities
  • source-maps - Checks for exposed source maps
  • animated-content - Suggests converting GIFs to video
  • images/offscreen-lazy / images/optimized / images/responsive-size - Image optimization checks

Security (1 new rule)

  • third-party-cookies - Detects third-party tracking resources

📖 Full rule documentation: https://docs.squirrelscan.com/rules

New Commands

squirrel auth - Authentication

Authenticate with your squirrelscan account for publishing reports and accessing :

squirrel auth login           # Opens browser for OAuth login
squirrel auth status          # Check authentication status
squirrel auth logout          # Sign out and revoke token

squirrel report --publish - Report Publishing

Publish audit reports to share with your team:

squirrel report --publish                        # Publish with default visibility
squirrel report --publish --visibility unlisted  # Unlisted report
squirrel report --publish --visibility private   # Private report

Published reports are available at reports.squirrelscan.com and can be managed from your dashboard.

Other Improvements

  • squirrel report --list now shows published report status and URLs
  • Added crawlId to JSON report output for tracking
  • Shell completions updated with new auth commands and --publish/--visibility options
  • Added musl (Alpine Linux) platform support in release manifest
v0.0.25Jan 28, 2026

Release Notes

Added

  • Linux musl/Alpine builds in x64 and arm64

Fixed

  • Hotfix on race condition on install
v0.0.24Jan 27, 2026

Release Notes

Added

  • New feature: Coverage mode for crawling with --coverage flag. Options are: quick for a quick scan, surface for surface level (with single-sample url tree detection) or full for a full crawl (which will also check all content). Documentation is here and the default is surface
  • Support for 8-character short ID prefix in report command
  • URL pattern detection for surface crawl mode

Fixed

  • SQLite file lock cleanup issues on Windows

Performance

  • Parallel crawl loop with content store caching improves performance across crawls
v0.0.22Jan 27, 2026

Release Notes

Added

  • llm output format is now further optimized with token outputs
  • squirrel skills update subcommand to update skill installs - see reference
  • core audit-website skill updated to version 1.10 - more performance and running hints

Fixed

  • squirrel feedback was failing at times
  • fallback with squirrel skills commands

Performance

  • Removed redundant details section from LLM output
v0.0.21Jan 26, 2026

Release Notes

Added

  • New performance rule - perf/js-redirects - detect javascript 3xx redirects [see docs]
  • New crawlability rule - crawl/redirect-chain - detects redirects in links and suggests shortcutting to target [see docs]
  • New link rule - links/weak-internal-links - Detects pages with a low number of internal dofollow links pointing to them [see docs]

Fixed

  • Improved rule detection for js-redirects and weak-internal-links

Audit your site in one command

SEO, performance, security, accessibility and agent experience issues, with exact fixes for your coding agent.

Install
$

No account needed for the CLI. Cloud audits include free monthly credits.