npm - @aldegad/safedeps - Versions diffs - 2.1.0 - Mend

@aldegad/safedeps 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/ARCHITECTURE.md +595 -0
package/LICENSE +190 -0
package/README.md +311 -0
package/ROADMAP.md +131 -0
package/SKILL.md +200 -0
package/agents/openai.yaml +4 -0
package/bin/safedeps +842 -0
package/lib/ledger/ledger.sh +346 -0
package/lib/providers/providers.sh +479 -0
package/package.json +41 -0
package/scripts/install/install-safedeps-hooks.mjs +209 -0
package/scripts/install/install-safedeps-recheck-agent.mjs +203 -0
package/scripts/install/migrate-safedeps-state.mjs +91 -0
package/scripts/safedeps-post-verify.sh +584 -0
package/scripts/safedeps-pre-guard.sh +427 -0
package/scripts/safedeps-recheck-alert.sh +115 -0
package/scripts/test/e2e.sh +107 -0
package/scripts/test/fixture-provider.mjs +104 -0
package/scripts/test/smoke.sh +89 -0

package/scripts/test/fixture-provider.mjs ADDED Viewed

@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+import http from 'node:http';
+import fs from 'node:fs';
+const portFile = process.argv[2];
+const stateFile = process.argv[3];
+if (!portFile || !stateFile) {
+  console.error('usage: fixture-provider.mjs <port-file> <state-file>');
+  process.exit(2);
+}
+function readJson(req) {
+  return new Promise((resolve) => {
+    let body = '';
+    req.setEncoding('utf8');
+    req.on('data', (chunk) => {
+      body += chunk;
+    });
+    req.on('end', () => {
+      try {
+        resolve(JSON.parse(body || '{}'));
+      } catch {
+        resolve({});
+      }
+    });
+  });
+}
+function state() {
+  return JSON.parse(fs.readFileSync(stateFile, 'utf8'));
+}
+function osvVuln(id, fixed) {
+  const events = [{ introduced: '0' }];
+  if (fixed) events.push({ fixed });
+  return {
+    id,
+    aliases: [id],
+    affected: [
+      {
+        package: { ecosystem: 'npm', name: 'fixture' },
+        ranges: [{ type: 'SEMVER', events }]
+      }
+    ]
+  };
+}
+function osvResponse(packageName, version) {
+  const key = `${packageName}@${version}`;
+  const current = state();
+  if (current.vulnerable?.includes(key)) {
+    return { vulns: [osvVuln('CVE-2026-1000', null)] };
+  }
+  if (packageName === 'fixture-vuln' && version === '1.0.0') {
+    return { vulns: [osvVuln('CVE-2026-1001', '1.0.1')] };
+  }
+  if (packageName === 'fixture-unpatched') {
+    return { vulns: [osvVuln('CVE-2026-1002', null)] };
+  }
+  if (packageName === 'fixture-kev') {
+    return { vulns: [osvVuln('CVE-2026-9999', null)] };
+  }
+  return {};
+}
+const server = http.createServer(async (req, res) => {
+  if (req.method === 'POST' && req.url === '/osv/v1/query') {
+    const body = await readJson(req);
+    const packageName = body.package?.name || '';
+    const version = body.version || '';
+    res.setHeader('content-type', 'application/json');
+    res.end(JSON.stringify(osvResponse(packageName, version)));
+    return;
+  }
+  if (req.method === 'GET' && req.url === '/kev.json') {
+    res.setHeader('content-type', 'application/json');
+    res.end(JSON.stringify({
+      vulnerabilities: [
+        {
+          cveID: 'CVE-2026-9999',
+          vendorProject: 'fixture',
+          product: 'fixture-kev',
+          vulnerabilityName: 'Fixture KEV'
+        }
+      ]
+    }));
+    return;
+  }
+  if (req.method === 'GET' && req.url.startsWith('/advisories')) {
+    res.setHeader('content-type', 'application/json');
+    res.end('[]');
+    return;
+  }
+  res.statusCode = 404;
+  res.end('not found');
+});
+server.listen(0, '127.0.0.1', () => {
+  fs.writeFileSync(portFile, String(server.address().port));
+});

package/scripts/test/smoke.sh ADDED Viewed

@@ -0,0 +1,89 @@
+#!/usr/bin/env bash
+set -euo pipefail
+ROOT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)
+cd "${ROOT_DIR}"
+pass() {
+  printf 'ok - %s\n' "$1"
+}
+fail() {
+  printf 'not ok - %s\n' "$1" >&2
+  exit 1
+}
+tmp_root=$(mktemp -d "${TMPDIR:-/tmp}/safedeps-smoke.XXXXXX")
+cleanup() {
+  rm -rf "${tmp_root}"
+}
+trap cleanup EXIT
+bash -n bin/safedeps
+bash -n lib/providers/providers.sh
+bash -n lib/ledger/ledger.sh
+bash -n scripts/safedeps-pre-guard.sh
+bash -n scripts/safedeps-post-verify.sh
+bash -n scripts/safedeps-recheck-alert.sh
+pass "bash syntax"
+node --check scripts/install/install-safedeps-hooks.mjs >/dev/null
+node --check scripts/install/install-safedeps-recheck-agent.mjs >/dev/null
+node --check scripts/install/migrate-safedeps-state.mjs >/dev/null
+node --check scripts/test/fixture-provider.mjs >/dev/null
+node scripts/install/install-safedeps-recheck-agent.mjs --help >/dev/null
+pass "node syntax"
+version_json=$(HOME="${tmp_root}/home-version" SAFEDEPS_HOME="${tmp_root}/safe-version" ./bin/safedeps --json version)
+[[ "$(jq -r '.version' <<< "${version_json}")" == "2.1.0" ]] || fail "version json is 2.1.0"
+pass "cli version"
+ledger_json=$(HOME="${tmp_root}/home-ledger" SAFEDEPS_HOME="${tmp_root}/safe-ledger" ./bin/safedeps --json ledger)
+[[ "$(jq -r '.count' <<< "${ledger_json}")" == "0" ]] || fail "isolated ledger starts empty"
+pass "isolated ledger"
+provider_tmp="${tmp_root}/missing/provider/tmp"
+provider_created=$(
+  TMPDIR="${provider_tmp}" \
+  SAFEDEPS_HOME="${tmp_root}/safe-provider" \
+  bash -c 'source lib/providers/providers.sh; d=$(safedeps_provider_mktemp_dir); test -d "$d"; printf "%s" "$d"'
+)
+[[ "${provider_created}" == "${provider_tmp%/}/safedeps-providers."* ]] || fail "provider tmp helper uses requested TMPDIR"
+pass "provider temp dir"
+project_dir="${tmp_root}/project"
+mkdir -p "${project_dir}"
+printf '{"dependencies":{}}\n' > "${project_dir}/package.json"
+deny_json=$(
+  HOME="${tmp_root}/home-hook" SAFEDEPS_HOME="${tmp_root}/safe-hook" \
+  scripts/safedeps-pre-guard.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install left-pad@1.3.0"},"cwd":"${project_dir}"}
+EOF
+)
+[[ "$(jq -r '.hookSpecificOutput.permissionDecision' <<< "${deny_json}")" == "deny" ]] || fail "hook denies unapproved install"
+pass "hook denies unapproved install"
+mkdir -p "${tmp_root}/safe-hook-allow"
+SAFEDEPS_HOME="${tmp_root}/safe-hook-allow" lib/ledger/ledger.sh approve npm left-pad 1.3.0 1.3.0 smoke >/dev/null
+allow_output=$(
+  HOME="${tmp_root}/home-hook-allow" SAFEDEPS_HOME="${tmp_root}/safe-hook-allow" \
+  scripts/safedeps-pre-guard.sh <<EOF
+{"tool_name":"Bash","tool_input":{"command":"npm install left-pad@1.3.0"},"cwd":"${project_dir}"}
+EOF
+)
+[[ -z "${allow_output}" ]] || fail "hook allows approved install"
+pass "hook allows approved install"
+fixture_json="${tmp_root}/recheck-fixture.json"
+printf '%s\n' '{"command":"re-check","checked":2,"still_clean":1,"newly_vulnerable":[],"kev_hit":[],"revoked":[]}' > "${fixture_json}"
+SAFEDEPS_NOTIFY=0 \
+  HOME="${tmp_root}/home-recheck" \
+  SAFEDEPS_HOME="${tmp_root}/safe-recheck" \
+  SAFEDEPS_RECHECK_FIXTURE_JSON="${fixture_json}" \
+  scripts/safedeps-recheck-alert.sh
+grep -q '"checked":2' "${tmp_root}/safe-recheck/recheck.log" || fail "re-check wrapper writes log"
+grep -q '"provider_skipped":1' "${tmp_root}/safe-recheck/recheck-alerts.jsonl" || fail "re-check wrapper alerts on skipped provider checks"
+pass "re-check alert wrapper"
+printf 'smoke passed\n'