@clear-capabilities/agentic-security-scanner 0.75.0 → 0.77.0

package/dist/agentic-security.mjs.sha256

@@ -1 +1 @@
-9b8c48466f12498ebcb4bcd80d6975a6c11be18efeb7ff944c6851dd0b2a5a4c  agentic-security.mjs
+eb8ec4e943af9857994437dfc4af9886d2b254591dd61da56f061d007403f112  agentic-security.mjs

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@clear-capabilities/agentic-security-scanner",
-  "version": "0.75.0",
+  "version": "0.77.0",
   "description": "Scanner engine for the agentic-security Claude Code plugin \u2014 SAST, SCA (function-level reachability + CISA KEV), secrets, IaC, prompt-injection, MCP/agent-tool audit, auth/authZ deep analysis, attack chains, PoC generation, business logic, toxic-combinations scoring, SBOM, SARIF ingest, pipeline integrity, compliance attestation, and more.",
   "type": "module",
   "main": "src/index.js",
@@ -30,13 +30,13 @@
     "CHANGELOG.md"
   ],
   "engines": {
-    "node": ">=22.0.0"
+    "node": ">=24.0.0"
   },
   "dependencies": {
-    "@babel/core": "^7.24.0",
-    "@babel/preset-react": "^7.24.0",
-    "@babel/preset-typescript": "^7.24.0",
-    "fast-glob": "^3.3.2",
+    "@babel/core": "^7.29.7",
+    "@babel/preset-react": "^7.29.7",
+    "@babel/preset-typescript": "^7.29.7",
+    "fast-glob": "^3.3.3",
     "java-parser": "^3.0.1",
     "js-yaml": "^4.1.1",
     "safe-regex": "^2.1.1"

package/src/mcp/tools.js

@@ -16,11 +16,24 @@ import * as fs from 'node:fs';
 import * as fsp from 'node:fs/promises';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
-import { runScan } from '../runScan.js';
 import { applyFix as applyFixHistory } from '../posture/fix-history.js';
 import { verifyLastScan } from '../posture/integrity.js';
 import { redactString, redactFinding } from './redact.js';
-import { verifyFix as verifyFixCore } from '../posture/fix-verify.js';
+
+// Lazy-loaded: these transitively pull in npm packages (fast-glob,
+// @babel/core) that aren't available in the plugin-cache install path
+// (no node_modules). Deferring keeps the MCP server bootable everywhere;
+// the import only runs when a tool that needs them is actually called.
+let _runScan;
+async function getRunScan() {
+  if (!_runScan) _runScan = (await import('../runScan.js')).runScan;
+  return _runScan;
+}
+let _verifyFixCore;
+async function getVerifyFixCore() {
+  if (!_verifyFixCore) _verifyFixCore = (await import('../posture/fix-verify.js')).verifyFix;
+  return _verifyFixCore;
+}
 
 const MAX_FILES_PER_SCAN = 1024;
 const MAX_FILE_BYTES = 500_000;
@@ -315,6 +328,7 @@ export const scan_diff = {
       fileContents[rel] = content;
     }
 
+    const runScan = await getRunScan();
     const result = await runScan(sessionRoot, { network: false, fileContents });
     const wantSet = new Set(Object.keys(fileContents));
     const sevRank = { info: 0, low: 1, medium: 2, high: 3, critical: 4 };
@@ -588,6 +602,7 @@ export const verify_fix = {
       confined[relPath] = String(content);
     }
     try {
+      const verifyFixCore = await getVerifyFixCore();
       const r = await verifyFixCore({
         scanRoot: ctx.sessionRoot,
         originalFindingStableId: stable_id,

package/src/sca/base-images.json

@@ -32,7 +32,7 @@
     "14":     { "sev": "critical", "eol": "2023-04-30", "message": "Node.js 14 reached EOL on 2023-04-30." },
     "16":     { "sev": "high",     "eol": "2023-09-11", "message": "Node.js 16 reached EOL on 2023-09-11." },
     "18":     { "sev": "low",      "eol": "2025-04-30", "message": "Node.js 18 enters EOL on 2025-04-30." },
-    "latest": { "sev": "low",      "eol": null,         "message": "node:latest is a floating tag — pin to an LTS (e.g. node:22-alpine)." }
+    "latest": { "sev": "low",      "eol": null,         "message": "node:latest is a floating tag — pin to an LTS (e.g. node:24-alpine)." }
   },
   "python": {
     "2":      { "sev": "critical", "eol": "2020-01-01", "message": "Python 2 reached EOL on 2020-01-01. Migrate to Python 3." },