@deepv-code/safe-npm 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cli/check.d.ts +1 -0
- package/dist/cli/check.js +5 -1
- package/dist/index.js +1 -0
- package/dist/scanner/index.js +6 -2
- package/dist/scanner/types.d.ts +1 -0
- package/dist/scanner/typosquatting.js +3 -0
- package/package.json +6 -2
package/dist/cli/check.d.ts
CHANGED
package/dist/cli/check.js
CHANGED
|
@@ -114,7 +114,11 @@ export async function checkPackages(packages, options = {}) {
|
|
|
114
114
|
const shouldInstall = await promptInstallCorrect(result.suggestedPackage);
|
|
115
115
|
if (shouldInstall) {
|
|
116
116
|
console.log(chalk.green(`\n${t('installingCorrect')}: ${result.suggestedPackage}...`));
|
|
117
|
-
|
|
117
|
+
const installArgs = ['install', result.suggestedPackage];
|
|
118
|
+
if (options.isGlobal) {
|
|
119
|
+
installArgs.push('-g');
|
|
120
|
+
}
|
|
121
|
+
await runNpm(installArgs);
|
|
118
122
|
// Return false to stop the original (malicious) installation logic
|
|
119
123
|
// But we essentially succeeded in the user's intent.
|
|
120
124
|
// However, to keep flow clean, we exit the process here or return false to block original.
|
package/dist/index.js
CHANGED
package/dist/scanner/index.js
CHANGED
|
@@ -137,8 +137,12 @@ export async function scanPackage(packageName, options = {}, onProgress) {
|
|
|
137
137
|
if (issue.severity === 'fatal') {
|
|
138
138
|
riskLevel = 'fatal';
|
|
139
139
|
canBypass = false;
|
|
140
|
-
//
|
|
141
|
-
if (issue.
|
|
140
|
+
// Use explicit suggestion if available
|
|
141
|
+
if (issue.suggestion) {
|
|
142
|
+
suggestedPackage = issue.suggestion;
|
|
143
|
+
}
|
|
144
|
+
// Fallback: Try to extract from details (legacy/fallback)
|
|
145
|
+
else if (issue.type === 'typosquat' && issue.details?.includes('"')) {
|
|
142
146
|
const match = issue.details.match(/"([^"]+)"/);
|
|
143
147
|
if (match)
|
|
144
148
|
suggestedPackage = match[1];
|
package/dist/scanner/types.d.ts
CHANGED
|
@@ -88,6 +88,7 @@ export async function scanTyposquatting(packageName) {
|
|
|
88
88
|
severity: 'fatal',
|
|
89
89
|
message: t('typosquatDetected'),
|
|
90
90
|
details: `Similar to popular package "${popular}" (distance: ${distance})`,
|
|
91
|
+
suggestion: popular,
|
|
91
92
|
});
|
|
92
93
|
break;
|
|
93
94
|
}
|
|
@@ -97,6 +98,7 @@ export async function scanTyposquatting(packageName) {
|
|
|
97
98
|
severity: 'fatal',
|
|
98
99
|
message: t('typosquatDetected'),
|
|
99
100
|
details: `Suspicious similarity to "${popular}"`,
|
|
101
|
+
suggestion: popular,
|
|
100
102
|
});
|
|
101
103
|
break;
|
|
102
104
|
}
|
|
@@ -116,6 +118,7 @@ export async function scanTyposquatting(packageName) {
|
|
|
116
118
|
severity: 'fatal',
|
|
117
119
|
message: t('typosquatDetected'),
|
|
118
120
|
details: `Scope Hijacking Detected: This package "${packageName}" mimics the official package "${popular}". Verify the scope carefully!`,
|
|
121
|
+
suggestion: popular,
|
|
119
122
|
});
|
|
120
123
|
break;
|
|
121
124
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@deepv-code/safe-npm",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.2",
|
|
4
4
|
"description": "A security-focused npm wrapper that scans packages before installation",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"type": "module",
|
|
@@ -11,7 +11,11 @@
|
|
|
11
11
|
"start": "node dist/index.js",
|
|
12
12
|
"build": "tsc",
|
|
13
13
|
"dev": "tsc -w",
|
|
14
|
-
"test": "vitest"
|
|
14
|
+
"test": "vitest",
|
|
15
|
+
"prepublishOnly": "npm run build && npm run test",
|
|
16
|
+
"patch": "npm version patch && npm publish",
|
|
17
|
+
"minor": "npm version minor && npm publish",
|
|
18
|
+
"major": "npm version major && npm publish"
|
|
15
19
|
},
|
|
16
20
|
"keywords": [
|
|
17
21
|
"npm",
|