npm - @anren-utils/mcp-audit - Versions diffs - 1.0.0 - Mend

@anren-utils/mcp-audit 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (115) hide show

package/.editorconfig +13 -0
package/dist/audit/auditUtils.d.ts +12 -0
package/dist/audit/auditUtils.d.ts.map +1 -0
package/dist/audit/auditUtils.js +22 -0
package/dist/audit/auditUtils.js.map +1 -0
package/dist/audit/currentAudit.d.ts +53 -0
package/dist/audit/currentAudit.d.ts.map +1 -0
package/dist/audit/currentAudit.js +54 -0
package/dist/audit/currentAudit.js.map +1 -0
package/dist/audit/getDepChain.d.ts +16 -0
package/dist/audit/getDepChain.d.ts.map +1 -0
package/dist/audit/getDepChain.js +60 -0
package/dist/audit/getDepChain.js.map +1 -0
package/dist/audit/index.d.ts +11 -0
package/dist/audit/index.d.ts.map +1 -0
package/dist/audit/index.js +64 -0
package/dist/audit/index.js.map +1 -0
package/dist/audit/normalizeAuditResult.d.ts +13 -0
package/dist/audit/normalizeAuditResult.d.ts.map +1 -0
package/dist/audit/normalizeAuditResult.js +81 -0
package/dist/audit/normalizeAuditResult.js.map +1 -0
package/dist/audit/remoteAudit.d.ts +3 -0
package/dist/audit/remoteAudit.d.ts.map +1 -0
package/dist/audit/remoteAudit.js +24 -0
package/dist/audit/remoteAudit.js.map +1 -0
package/dist/generateLock/index.d.ts +17 -0
package/dist/generateLock/index.d.ts.map +1 -0
package/dist/generateLock/index.js +141 -0
package/dist/generateLock/index.js.map +1 -0
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +48 -0
package/dist/index.js.map +1 -0
package/dist/mcpServer.d.ts +2 -0
package/dist/mcpServer.d.ts.map +1 -0
package/dist/mcpServer.js +34 -0
package/dist/mcpServer.js.map +1 -0
package/dist/parseProject/detectPackageManager.d.ts +8 -0
package/dist/parseProject/detectPackageManager.d.ts.map +1 -0
package/dist/parseProject/detectPackageManager.js +22 -0
package/dist/parseProject/detectPackageManager.js.map +1 -0
package/dist/parseProject/index.d.ts +11 -0
package/dist/parseProject/index.d.ts.map +1 -0
package/dist/parseProject/index.js +20 -0
package/dist/parseProject/index.js.map +1 -0
package/dist/parseProject/parseLocalProject.d.ts +17 -0
package/dist/parseProject/parseLocalProject.d.ts.map +1 -0
package/dist/parseProject/parseLocalProject.js +28 -0
package/dist/parseProject/parseLocalProject.js.map +1 -0
package/dist/parseProject/parseLocalWorkspace.d.ts +2 -0
package/dist/parseProject/parseLocalWorkspace.d.ts.map +1 -0
package/dist/parseProject/parseLocalWorkspace.js +2 -0
package/dist/parseProject/parseLocalWorkspace.js.map +1 -0
package/dist/parseProject/parseRemoteProject.d.ts +41 -0
package/dist/parseProject/parseRemoteProject.d.ts.map +1 -0
package/dist/parseProject/parseRemoteProject.js +180 -0
package/dist/parseProject/parseRemoteProject.js.map +1 -0
package/dist/parseProject/parseRemoteWorkspace.d.ts +2 -0
package/dist/parseProject/parseRemoteWorkspace.d.ts.map +1 -0
package/dist/parseProject/parseRemoteWorkspace.js +2 -0
package/dist/parseProject/parseRemoteWorkspace.js.map +1 -0
package/dist/parseProject/parseWorkspace.d.ts +19 -0
package/dist/parseProject/parseWorkspace.d.ts.map +1 -0
package/dist/parseProject/parseWorkspace.js +140 -0
package/dist/parseProject/parseWorkspace.js.map +1 -0
package/dist/render/index.d.ts +9 -0
package/dist/render/index.d.ts.map +1 -0
package/dist/render/index.js +24 -0
package/dist/render/index.js.map +1 -0
package/dist/render/markdown.d.ts +12 -0
package/dist/render/markdown.d.ts.map +1 -0
package/dist/render/markdown.js +16 -0
package/dist/render/markdown.js.map +1 -0
package/dist/render/template/audit.ejs +30 -0
package/dist/render/template/detail-item.ejs +32 -0
package/dist/render/template/detail.ejs +7 -0
package/dist/render/template/index.ejs +8 -0
package/dist/types.d.ts +371 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +2 -0
package/dist/types.js.map +1 -0
package/dist/utils/dirUtils.d.ts +11 -0
package/dist/utils/dirUtils.d.ts.map +1 -0
package/dist/utils/dirUtils.js +28 -0
package/dist/utils/dirUtils.js.map +1 -0
package/dist/utils/index.d.ts +34 -0
package/dist/utils/index.d.ts.map +1 -0
package/dist/utils/index.js +74 -0
package/dist/utils/index.js.map +1 -0
package/eslint.config.js +38 -0
package/package.json +38 -0
package/src/audit/auditUtils.ts +24 -0
package/src/audit/currentAudit.ts +116 -0
package/src/audit/getDepChain.ts +71 -0
package/src/audit/index.ts +90 -0
package/src/audit/normalizeAuditResult.ts +99 -0
package/src/audit/remoteAudit.ts +26 -0
package/src/generateLock/index.ts +203 -0
package/src/index.ts +48 -0
package/src/mcpServer.ts +43 -0
package/src/parseProject/detectPackageManager.ts +24 -0
package/src/parseProject/index.ts +20 -0
package/src/parseProject/parseLocalProject.ts +39 -0
package/src/parseProject/parseRemoteProject.ts +225 -0
package/src/parseProject/parseWorkspace.ts +202 -0
package/src/render/index.ts +30 -0
package/src/render/markdown.ts +29 -0
package/src/render/template/audit.ejs +30 -0
package/src/render/template/detail-item.ejs +32 -0
package/src/render/template/detail.ejs +7 -0
package/src/render/template/index.ejs +8 -0
package/src/types.ts +429 -0
package/src/utils/dirUtils.ts +31 -0
package/src/utils/index.ts +88 -0
package/tsconfig.json +42 -0

package/src/audit/currentAudit.ts ADDED Viewed

@@ -0,0 +1,116 @@
+import type { AuditSeverity } from "../types.js";
+import { remoteAudit } from "./remoteAudit.js";
+/**
+ * 单个漏洞问题的详细信息
+ */
+interface Problem {
+  /** 漏洞 ID (Advisory ID) */
+  source: number;
+  /** 包名 */
+  name: string;
+  /** 依赖名 */
+  dependency: string;
+  /** 漏洞标题 */
+  title: string;
+  /** 漏洞详情 URL */
+  url: string;
+  /** 严重程度 */
+  severity: AuditSeverity;
+  /** CWE 列表 */
+  cwe: string[];
+  /** CVSS 评分数据 */
+  cvss: {
+    score: number;
+    vectorString: string;
+  };
+  /** 受影响的版本范围 */
+  range: string;
+}
+/**
+ * currentAudit 函数返回的最终结果对象
+ */
+interface CurrentAuditResult {
+  /** 包名 */
+  name: string;
+  /** 版本/范围 */
+  range: string;
+  /** 节点路径，当前工程通常为根目录 '.' */
+  nodes: string[];
+  /** 依赖链，当前工程通常为空 */
+  depChains: any[]; // 如果 depChains 有具体结构，可以替换 any
+  /** 检测到的所有漏洞问题列表 */
+  problems: Problem[];
+  /** 当前包的最高严重程度 */
+  severity: AuditSeverity;
+}
+const severityLevelsMap: Record<AuditSeverity, number> = {
+  info: 0,
+  low: 1,
+  moderate: 2,
+  high: 3,
+  critical: 4,
+};
+/**
+ * @Desc: 添加当前工程的审计结果
+ * @return {*}
+ * @param {string} name
+ * @param {string} version
+ */
+export async function currentAudit(name: string, version: string) {
+  // 1. 调用 remoteAudit 函数获取审计结果
+  const auditResult = await remoteAudit(name, version);
+  // 2. 规格化审计结果
+  if (
+    !auditResult.advisories ||
+    Object.keys(auditResult.advisories).length === 0
+  ) {
+    return null;
+  }
+  const result: CurrentAuditResult = {
+    name,
+    range: version,
+    nodes: ["."],
+    depChains: [],
+    problems: [],
+    severity: "info",
+  };
+  const advisories = Object.values(auditResult.advisories);
+  let maxSeverity: AuditSeverity = "info";
+  result.problems = advisories.map((advisory) => {
+    const problem: Problem = {
+      source: advisory.id,
+      name,
+      dependency: name,
+      title: advisory.title,
+      url: advisory.url,
+      severity: advisory.severity,
+      cwe: advisory.cwe,
+      cvss: advisory.cvss,
+      range: advisory.vulnerable_versions,
+    };
+    // 更新最大严重性
+    if (severityLevelsMap[problem.severity] > severityLevelsMap[maxSeverity]) {
+      maxSeverity = problem.severity;
+    }
+    return problem;
+  });
+  result.severity = maxSeverity;
+  return result;
+}

package/src/audit/getDepChain.ts ADDED Viewed

@@ -0,0 +1,71 @@
+import type { VulnerabilityInfo } from "../types.js";
+/**
+ * 图的伸缩算法，用于获取从给定节点出发的所有依赖链条
+ * 给定图结构中的一个节点，获取从该节点的依赖节点出发一直走到终点，一共走出的所有链条
+ * 注意：图结构中可能存在环，遇到环时，环所在的节点直接作为终点即可
+ * @param {VulnerabilityInfo} vulnerabilityInfo - 给定的漏洞信息
+ * @param {Record<string, VulnerabilityInfo>} vulnerabilities - 所有漏洞信息的映射表，键为漏洞名称，值为漏洞信息
+ * @returns {Array<string[][]>} 返回所有依赖链，每个链是一个字符串数组，每个字符串是一个漏洞名称
+ * 返回结果示例："depChains": [["@vue/cli-plugin-babel","@vue/cli-service","@intervolga/optimize-cssnano-plugin","postcss"],[
+            "@vue/cli-plugin-router",
+            "@vue/cli-service",
+            "@intervolga/optimize-cssnano-plugin",
+            "postcss"]]
+ */
+export function getDepChains(
+  vulnerabilityInfo: VulnerabilityInfo,
+  vulnerabilities: Record<string, VulnerabilityInfo>,
+) {
+  // 存储所有找到的依赖链(存储最终结果：所有找到的完整路径)
+  const chains: string[][] = [];
+  // 当前DFS路径（用于检测环）(当前正在探索的路径栈（用于记录路径和检测环）)
+  const currentPath: string[] = [];
+  /**
+   * 深度优先搜索函数
+   * @param {VulnerabilityInfo} currentVulnerabilityInfo - 当前处理的漏洞信息
+   */
+  function dfs(currentVulnerabilityInfo?: VulnerabilityInfo) {
+    // 1. 健壮性检查
+    if (!currentVulnerabilityInfo) return;
+    // 2. 环检测
+    // 检查是否形成环（当前节点已在路径中）
+    // 如果当前节点的名字已经存在于当前路径中，说明我们遇到了一个环（A->B->C->A）。
+    // 将当前路径记录下来并停止该分支的搜索。
+    if (currentPath.includes(currentVulnerabilityInfo.name)) {
+      chains.push([...currentPath]); // 注意：这里并没有把重复的节点再次加入，而是截断
+      return;
+    }
+    // 3. 前进：将当前节点加入路径头部
+    // 使用 unshift 是为了让链条保持顺序：[起点, ..., 当前节点]
+    currentPath.unshift(currentVulnerabilityInfo.name);
+    // 4. 终点判断
+    // 如果没有依赖节点，说明到达终点
+    if (
+      !currentVulnerabilityInfo.effects ||
+      currentVulnerabilityInfo.effects.length === 0
+    ) {
+      chains.push([...currentPath]);
+    } else {
+      // 5. 递归遍历
+      // 遍历当前节点的所有依赖项，对每一个依赖项递归调用 dfs
+      for (const effect of currentVulnerabilityInfo.effects) {
+        dfs(vulnerabilities[effect]);
+      }
+    }
+    // 6. 回溯
+    // 当递归返回（无论是找到了终点还是遇到了环），
+    // 必须将当前节点从路径中移除，以便探索下一条可能的路径。
+    currentPath.shift();
+  }
+  // 从给定节点开始DFS
+  dfs(vulnerabilityInfo);
+  return chains;
+}

package/src/audit/index.ts ADDED Viewed

@@ -0,0 +1,90 @@
+import { join } from "path";
+import type { RemoteWorkspaceInfo } from "../parseProject/parseWorkspace.js";
+import type { PackageJsonInfo, PackageManager } from "../types.js";
+import { npmAudit, pnpmAudit } from "./auditUtils.js";
+import { currentAudit } from "./currentAudit.js";
+import { normalizeAuditResult } from "./normalizeAuditResult.js";
+interface AuditOptions {
+  workDir: string;
+  packageJson: PackageJsonInfo;
+  subPackageInfos: RemoteWorkspaceInfo | null;
+  currentPackageManager: PackageManager;
+}
+export async function audit(options: AuditOptions) {
+  const { subPackageInfos } = options;
+  if (subPackageInfos?.subPackageNames) {
+    return await monorepoAudit(options);
+  }
+  return await defaultAudit(options);
+}
+async function defaultAudit(options: AuditOptions) {
+  const { workDir, packageJson, currentPackageManager } = options;
+  const auditFn = currentPackageManager === "npm" ? npmAudit : pnpmAudit;
+  // 调用 npmAudit 获取审计结果
+  const auditResult = await auditFn(workDir);
+  // 规范化审计结果
+  const normalizedResult = normalizeAuditResult(auditResult);
+  // 添加当前工程的审计结果
+  const current = await currentAudit(packageJson.name, packageJson.version);
+  if (current) {
+    normalizedResult.vulnerabilities[current.severity].unshift(current);
+  }
+  // 添加汇总信息
+  normalizedResult.summary = {
+    total: Object.values(normalizedResult.vulnerabilities).reduce(
+      (sum, arr) => sum + arr.length,
+      0,
+    ),
+    critical: normalizedResult.vulnerabilities.critical.length,
+    high: normalizedResult.vulnerabilities.high.length,
+    moderate: normalizedResult.vulnerabilities.moderate.length,
+    low: normalizedResult.vulnerabilities.low.length,
+    info: normalizedResult.vulnerabilities.info.length,
+  };
+  return normalizedResult;
+}
+async function monorepoAudit(options: AuditOptions) {
+  const { workDir, packageJson, subPackageInfos, currentPackageManager } =
+    options;
+  if (!subPackageInfos) {
+    throw new Error("monorepo工程必须包含子包信息");
+  }
+  const auditFn = currentPackageManager === "npm" ? npmAudit : pnpmAudit;
+  // 调用 npmAudit 获取审计结果
+  const auditResult = await auditFn(workDir);
+  // 得到所有子包的审计结果
+  const subPackageAuditResults = await Promise.all(
+    subPackageInfos.subPackageNames.map((subPackageName) =>
+      auditFn(join(workDir, subPackageName)),
+    ),
+  );
+  const allAuditResults = [auditResult, ...subPackageAuditResults];
+  // 规范化审计结果
+  const normalizedResult = normalizeAuditResult(allAuditResults);
+  // 添加当前工程的审计结果
+  const current = await currentAudit(packageJson.name, packageJson.version);
+  if (current) {
+    normalizedResult.vulnerabilities[current.severity].unshift(current);
+  }
+  // 添加汇总信息
+  normalizedResult.summary = {
+    total: Object.values(normalizedResult.vulnerabilities).reduce(
+      (sum, arr) => sum + arr.length,
+      0,
+    ),
+    critical: normalizedResult.vulnerabilities.critical.length,
+    high: normalizedResult.vulnerabilities.high.length,
+    moderate: normalizedResult.vulnerabilities.moderate.length,
+    low: normalizedResult.vulnerabilities.low.length,
+    info: normalizedResult.vulnerabilities.info.length,
+  };
+  return normalizedResult;
+}

package/src/audit/normalizeAuditResult.ts ADDED Viewed

@@ -0,0 +1,99 @@
+import type {
+  AuditResult,
+  AuditSeverity,
+  NormalizedVulnerabilityInfo,
+  VulnerabilityInfo,
+} from "../types.js";
+import { getDepChains } from "./getDepChain.js";
+export interface NormalizedResult {
+  vulnerabilities: Record<AuditSeverity, NormalizedVulnerabilityInfo[]>;
+  summary?: Record<AuditSeverity | "total", number>;
+}
+function _normalizeVulnerabilities(auditResult: AuditResult) {
+  // 漏洞级别分类组别，用于后续统计漏洞数量
+  const result: Record<AuditSeverity, NormalizedVulnerabilityInfo[]> = {
+    critical: [],
+    high: [],
+    moderate: [],
+    low: [],
+    info: [],
+  };
+  for (const key in auditResult.vulnerabilities) {
+    // 获取当前漏洞的包信息
+    const packageInfo = auditResult.vulnerabilities[key];
+    const normalizedPackage = _normalizePackage(packageInfo);
+    if (normalizedPackage) {
+      result[normalizedPackage.severity].push(normalizedPackage);
+    }
+  }
+  return result;
+  function _normalizePackage(packageInfo?: VulnerabilityInfo) {
+    if (!packageInfo) {
+      return null;
+    }
+    const { via = [] } = packageInfo;
+    // 只需要记录自身有漏洞的包，而不是依赖的包
+    const validVia = via.filter((it) => typeof it === "object");
+    if (validVia.length === 0) {
+      return null;
+    }
+    // 规格化漏洞信息
+    const info: NormalizedVulnerabilityInfo = {
+      name: packageInfo.name,
+      severity: packageInfo.severity,
+      problems: validVia,
+      nodes: packageInfo.nodes || [],
+    };
+    info.depChains = getDepChains(packageInfo, auditResult.vulnerabilities);
+    // info.depChains = info.depChains.filter(
+    //   (chain) => !isInvalidChain(chain, packageInfo.name)
+    // );
+    return info;
+  }
+}
+/**
+ * 处理 auditResult 是数组的情况，合并多个审计结果
+ * @param auditResults AuditResult 数组
+ * @returns 合并后的标准化结果
+ */
+export function normalizeAuditResults(auditResults: AuditResult[]) {
+  // 初始化结果对象
+  const result: Record<AuditSeverity, NormalizedVulnerabilityInfo[]> = {
+    critical: [],
+    high: [],
+    moderate: [],
+    low: [],
+    info: [],
+  };
+  // 遍历所有审计结果
+  for (const auditResult of auditResults) {
+    const normalizedResult = _normalizeVulnerabilities(auditResult);
+    // 合并每个级别的漏洞
+    for (const severity in normalizedResult) {
+      const vulnerabilities = normalizedResult[severity as AuditSeverity];
+      result[severity as AuditSeverity].push(...vulnerabilities);
+    }
+  }
+  return {
+    vulnerabilities: result,
+  } as NormalizedResult;
+}
+export function normalizeAuditResult(auditResult: AuditResult | AuditResult[]) {
+  if (Array.isArray(auditResult)) {
+    return {
+      vulnerabilities: normalizeAuditResults(auditResult).vulnerabilities,
+    } as NormalizedResult;
+  }
+  return {
+    vulnerabilities: _normalizeVulnerabilities(auditResult),
+  } as NormalizedResult;
+}

package/src/audit/remoteAudit.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import type { NpmAuditResponse } from "../types.js";
+const URL = "https://registry.npmjs.org/-/npm/v1/security/audits";
+export async function remoteAudit(packageName: string, packageVersion: string) {
+  const body = {
+    name: "example-audit", // 项目名字随便写
+    version: "1.0.0", // 项目的版本，随便写
+    requires: {
+      [packageName]: packageVersion,
+    },
+    dependencies: {
+      [packageName]: {
+        version: packageVersion,
+      },
+    },
+  };
+  const resp = await fetch(URL, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify(body),
+  });
+  return (await resp.json()) as NpmAuditResponse;
+}

package/src/generateLock/index.ts ADDED Viewed

@@ -0,0 +1,203 @@
+import fs from "fs";
+import { join, dirname } from "path";
+import { getReadFileUrl, runCommand } from "../utils/index.js";
+import type { PackageJsonInfo, PackageManager } from "../types.js";
+import type { RemoteWorkspaceInfo } from "../parseProject/parseWorkspace.js";
+interface GenerateLockOptions {
+  workDir: string;
+  packageJson: PackageJsonInfo;
+  subPackageInfos: RemoteWorkspaceInfo | null;
+  projectRoot: string;
+  currentPackageManager: PackageManager;
+}
+/**
+ * @Desc: 处理 package.json 中的 workspace 依赖
+ * @param {Object} packageJson package.json文件内容
+ * @returns {Object} 处理后的 package.json 文件内容
+ */
+function processPackageJson(packageJson: Object) {
+  // 深拷贝 packageJson 以避免修改原始对象
+  const processedPackageJson = JSON.parse(JSON.stringify(packageJson));
+  // 处理 dependencies
+  if (processedPackageJson.dependencies) {
+    for (const [key, value] of Object.entries(
+      processedPackageJson.dependencies,
+    )) {
+      if (typeof value === "string" && value.startsWith("workspace:")) {
+        delete processedPackageJson.dependencies[key];
+      }
+    }
+  }
+  // 处理 devDependencies
+  if (processedPackageJson.devDependencies) {
+    for (const [key, value] of Object.entries(
+      processedPackageJson.devDependencies,
+    )) {
+      if (typeof value === "string" && value.startsWith("workspace:")) {
+        delete processedPackageJson.devDependencies[key];
+      }
+    }
+  }
+  // 处理 peerDependencies
+  if (processedPackageJson.peerDependencies) {
+    for (const [key, value] of Object.entries(
+      processedPackageJson.peerDependencies,
+    )) {
+      if (typeof value === "string" && value.startsWith("workspace:")) {
+        delete processedPackageJson.peerDependencies[key];
+      }
+    }
+  }
+  // 处理 optionalDependencies
+  if (processedPackageJson.optionalDependencies) {
+    for (const [key, value] of Object.entries(
+      processedPackageJson.optionalDependencies,
+    )) {
+      if (typeof value === "string" && value.startsWith("workspace:")) {
+        delete processedPackageJson.optionalDependencies[key];
+      }
+    }
+  }
+  return processedPackageJson;
+}
+/**
+ * @Desc: 根据子包的信息，生成子包的package.json文件
+ * @param {string} workDir 工作目录
+ * @param {string} projectRoot 项目根目录
+ * @param {RemoteWorkspaceInfo} subPackageInfos 子包信息
+ */
+async function writeSubPackageJson(
+  workDir: string,
+  projectRoot: string,
+  subPackageInfos: RemoteWorkspaceInfo,
+) {
+  const { gitInfo, branchName, subPackageNames } = subPackageInfos;
+  // 根据subPackageNames，在workDir下创建子包目录并写入package.json文件
+  const dirPaths = subPackageNames.map((subPackageName) =>
+    join(workDir, subPackageName),
+  );
+  // 创建子包目录
+  dirPaths.forEach((dirPath) => {
+    fs.mkdirSync(dirPath, { recursive: true });
+  });
+  if (gitInfo && branchName) {
+    for (const subPackageName of subPackageNames) {
+      const filePath = subPackageName + "/package.json";
+      const packageJsonUrl = getReadFileUrl(gitInfo, branchName, filePath);
+      const subPackageJson = (await fetch(packageJsonUrl).then((resp) =>
+        resp.json(),
+      )) as Promise<PackageJsonInfo>;
+      // 处理 package.json 中的 workspace 依赖
+      const processedPackageJson = processPackageJson(subPackageJson);
+      const packageJsonPath = join(workDir, subPackageName, "package.json");
+      // 将处理后的 packageJson 写入文件
+      await fs.promises.writeFile(
+        packageJsonPath,
+        JSON.stringify(processedPackageJson),
+        "utf8",
+      );
+    }
+  } else {
+    // 解析本地工程根目录下的package.json文件
+    for (const subPackageName of subPackageNames) {
+      const subPackageJsonPath = join(
+        projectRoot,
+        subPackageName,
+        "package.json",
+      );
+      const subPackageJson = await fs.promises.readFile(
+        subPackageJsonPath,
+        "utf8",
+      );
+      const processedPackageJson = processPackageJson(
+        JSON.parse(subPackageJson),
+      );
+      await fs.promises.writeFile(
+        join(workDir, subPackageName, "package.json"),
+        JSON.stringify(processedPackageJson),
+        "utf8",
+      );
+    }
+  }
+}
+/**
+ * @Desc: 向工作目录添加package.json文件
+ * @param {string} workDir 工作目录
+ * @param {Object} packageJson package.json文件内容
+ */
+async function writePackageJson(options: GenerateLockOptions) {
+  const { workDir, packageJson, subPackageInfos, projectRoot } = options;
+  const packageJsonPath = join(workDir, "package.json");
+  fs.mkdirSync(dirname(packageJsonPath), { recursive: true });
+  if (subPackageInfos?.subPackageNames) {
+    // 处理 package.json 中的 workspace 依赖
+    const processedPackageJson = processPackageJson(packageJson);
+    // 处理子包
+    await writeSubPackageJson(workDir, projectRoot, subPackageInfos);
+    // 将处理后的 packageJson 写入文件
+    await fs.promises.writeFile(
+      packageJsonPath,
+      JSON.stringify(processedPackageJson),
+      "utf8",
+    );
+  } else {
+    await fs.promises.writeFile(
+      packageJsonPath,
+      JSON.stringify(packageJson),
+      "utf8",
+    );
+  }
+}
+/**
+ * @Desc: 在指定工作目录中生成lock文件
+ * @param {string} workDir 工作目录
+ */
+async function createLockFile(
+  workDir: string,
+  subPackageInfos: RemoteWorkspaceInfo | null,
+  currentPackageManager: PackageManager,
+) {
+  // 只支持pnpm和npm
+  if (!subPackageInfos) {
+    const cmd = "npm install --package-lock-only --force";
+    // 在工作目录中执行命令
+    await runCommand(cmd, workDir);
+  } else {
+    const { subPackageNames } = subPackageInfos;
+    const cmd =
+      currentPackageManager === "pnpm"
+        ? `pnpm install --lockfile-only`
+        : `npm install --package-lock-only --force`;
+    // 在不同的工作目录中执行命令
+    for (const subPackageName of subPackageNames) {
+      const subPackageDir = join(workDir, subPackageName);
+      await runCommand(cmd, subPackageDir);
+    }
+    // 最后在工作目录中执行命令
+    await runCommand(cmd, workDir);
+  }
+}
+/**
+ * @Desc: 向工作目录添加package.json文件，然后生成lock文件
+ * @param {string} workDir 工作目录
+ * @param {Object} packageJson package.json文件内容
+ */
+export async function generateLock(options: GenerateLockOptions) {
+  const { workDir, subPackageInfos, currentPackageManager } = options;
+  // 1. 将 package.json 写入工作目录
+  // NOTE:不管是npm还是pnpm，package.json文件基本都是相同的
+  await writePackageJson(options);
+  // 2. 生成 lock 文件
+  await createLockFile(workDir, subPackageInfos, currentPackageManager);
+}

package/src/index.ts ADDED Viewed

@@ -0,0 +1,48 @@
+import { audit } from "./audit/index.js";
+import { generateLock } from "./generateLock/index.js";
+import { detectPackageManager } from "./parseProject/detectPackageManager.js";
+import { parseProject } from "./parseProject/index.js";
+import { parseWorkspace } from "./parseProject/parseWorkspace.js";
+import { render } from "./render/index.js";
+import { createWorkDir, deleteWorkDir } from "./utils/dirUtils.js";
+import fs from "fs";
+/**
+ * 根据项目根目录，审计项目中所有的包（含项目本身）
+ * @param {string} projectRoot 项目根目录，可以是本地目录的绝对路径，也可以是远程仓库的URL
+ * @param {string} savePath 保存审计结果的文件名，审计结果是一个标准格式的markdown字符串
+ */
+export async function auditProject(projectRoot: string, savePath: string) {
+  // 1. 创建工作目录
+  const workDir = await createWorkDir();
+  // 2. 判断项目的包管理器类型
+  const currentPackageManager = detectPackageManager(projectRoot);
+  // 3. 解析项目的package.json文件
+  const packageJson = await parseProject(projectRoot);
+  // 4· 判断项目是否是monorepo工程
+  const subPackageInfos = await parseWorkspace({
+    projectRoot,
+    packageJsonRoot: packageJson,
+  });
+  // 5. 向工作目录添加package.json文件，然后生成lock文件
+  await generateLock({
+    workDir,
+    packageJson,
+    subPackageInfos,
+    projectRoot,
+    currentPackageManager,
+  });
+  // 6. 对工作目录进行审计
+  const auditResult = await audit({
+    workDir,
+    packageJson,
+    subPackageInfos,
+    currentPackageManager,
+  });
+  // 7. 渲染审计结果
+  const renderedResult = await render(auditResult, packageJson);
+  // 8. 删除工作目录
+  await deleteWorkDir(workDir);
+  // 9. 将结果保存到指定路径
+  await fs.promises.writeFile(savePath, renderedResult);
+}

package/src/mcpServer.ts ADDED Viewed

@@ -0,0 +1,43 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { z } from "zod";
+import { auditProject } from "./index.js";
+const server = new McpServer({
+  name: "audit-server",
+  title: "前端工程安全审计服务",
+  version: "0.1.0",
+});
+server.registerTool(
+  "auditProject",
+  {
+    title: "审计前端工程",
+    description:
+      "审计前端工程的所有直接和间接依赖，得到安全审计结果。支持本地工程的审计，也支持远程仓库的审计。审计结果为标准格式的markdown字符串，不用修改，直接用于展示即可。",
+    inputSchema: {
+      projectRoot: z
+        .string()
+        .describe("本地工程的根路径，或者远程仓库的URL地址"),
+      savePath: z
+        .string()
+        .describe(
+          "保存审计结果的路径，传递当前工程的根路径下的工程明audit.md，如果没有当前工程，则传递桌面路径下的audit.md（注意，桌面路径必须传入绝对路径）",
+        ),
+    },
+  },
+  async ({ projectRoot, savePath }) => {
+    await auditProject(projectRoot, savePath);
+    return {
+      content: [
+        {
+          type: "text",
+          text: `审计完成，结果已保存到: ${savePath}`,
+        },
+      ],
+    };
+  },
+);
+const transport = new StdioServerTransport();
+server.connect(transport);