@deepv-code/safe-npm 0.1.0

package/dist/tui/screens/PopularScreen.js

@@ -0,0 +1,39 @@
+import React, { useState } from 'react';
+import { Box, Text, useInput } from 'ink';
+import { popularPackages, popularGlobalTools, popularAgents } from '../../data/popular-packages.js';
+export function PopularScreen({ onSelect, onBack }) {
+    const [selectedIndex, setSelectedIndex] = useState(0);
+    // Combine lists for display
+    const items = [
+        ...popularAgents.map(a => ({ name: a.name, desc: a.desc })),
+        ...popularGlobalTools.map(t => ({ name: t.name, desc: t.desc })),
+        ...popularPackages.map(p => ({ name: p, desc: '' }))
+    ];
+    const visibleItems = items.slice(0, 20); // Show only top 20 for now to avoid scrolling issues initially
+    useInput((input, key) => {
+        if (key.upArrow) {
+            setSelectedIndex(i => Math.max(0, i - 1));
+        }
+        if (key.downArrow) {
+            setSelectedIndex(i => Math.min(visibleItems.length - 1, i + 1));
+        }
+        if (key.return) {
+            onSelect(visibleItems[selectedIndex].name);
+        }
+        if (input === 'q' || key.escape) {
+            onBack();
+        }
+    });
+    return (React.createElement(Box, { flexDirection: "column" },
+        React.createElement(Text, { bold: true, color: "cyan" }, "Popular Packages & Tools"),
+        React.createElement(Text, { dimColor: true }, "Select a package to scan it"),
+        React.createElement(Box, { flexDirection: "column", marginTop: 1 }, visibleItems.map((item, i) => (React.createElement(Box, { key: item.name },
+            React.createElement(Text, { color: i === selectedIndex ? 'green' : undefined },
+                i === selectedIndex ? '❯ ' : '  ',
+                item.name),
+            item.desc && (React.createElement(Text, { dimColor: true },
+                " - ",
+                item.desc)))))),
+        React.createElement(Box, { marginTop: 1 },
+            React.createElement(Text, { dimColor: true }, "Press Enter to scan, q to back"))));
+}

package/dist/tui/screens/SettingsScreen.d.ts

@@ -0,0 +1,6 @@
+import React from 'react';
+interface Props {
+    onBack: () => void;
+}
+export declare function SettingsScreen({ onBack }: Props): React.ReactElement;
+export {};

package/dist/tui/screens/SettingsScreen.js

@@ -0,0 +1,64 @@
+import React, { useState } from 'react';
+import { Box, Text, useInput } from 'ink';
+import { getConfig, saveConfig } from '../../utils/config.js';
+export function SettingsScreen({ onBack }) {
+    const [config, setConfig] = useState(getConfig());
+    const [selectedIndex, setSelectedIndex] = useState(0);
+    const settings = [
+        {
+            key: 'language',
+            label: 'Language',
+            value: config.language,
+            toggle: () => {
+                const newLang = config.language === 'en' ? 'zh' : 'en';
+                updateConfig({ language: newLang });
+            }
+        },
+        {
+            key: 'vt_enabled',
+            label: 'VirusTotal Scan',
+            value: config.virustotal.enabled ? 'Enabled' : 'Disabled',
+            toggle: () => {
+                updateConfig({
+                    virustotal: { ...config.virustotal, enabled: !config.virustotal.enabled }
+                });
+            }
+        },
+        {
+            key: 'offline',
+            label: 'Offline Mode',
+            value: config.offline ? 'On' : 'Off',
+            toggle: () => {
+                updateConfig({ offline: !config.offline });
+            }
+        }
+    ];
+    const updateConfig = (newPart) => {
+        saveConfig(newPart);
+        setConfig(getConfig()); // Reload to be sure
+    };
+    useInput((input, key) => {
+        if (key.upArrow) {
+            setSelectedIndex(i => Math.max(0, i - 1));
+        }
+        if (key.downArrow) {
+            setSelectedIndex(i => Math.min(settings.length - 1, i + 1));
+        }
+        if (key.return || input === ' ') {
+            settings[selectedIndex].toggle();
+        }
+        if (key.escape || input === 'q') {
+            onBack();
+        }
+    });
+    return (React.createElement(Box, { flexDirection: "column" },
+        React.createElement(Text, { bold: true, color: "cyan" }, "Settings"),
+        React.createElement(Box, { flexDirection: "column", marginTop: 1 }, settings.map((item, i) => (React.createElement(Box, { key: item.key },
+            React.createElement(Text, { color: i === selectedIndex ? 'green' : undefined },
+                i === selectedIndex ? '❯ ' : '  ',
+                item.label,
+                ": ",
+                React.createElement(Text, { bold: true }, String(item.value))))))),
+        React.createElement(Box, { marginTop: 1 },
+            React.createElement(Text, { dimColor: true }, "Space/Enter to toggle, q to back"))));
+}

package/dist/utils/config.d.ts

@@ -0,0 +1,16 @@
+import type { Language } from '../i18n/index.js';
+export interface Config {
+    language: Language;
+    virustotal: {
+        apiKey: string;
+        enabled: boolean;
+    };
+    offline: boolean;
+    cache: {
+        ttl: number;
+    };
+}
+export declare function hasConfigFile(): boolean;
+export declare function getConfig(): Config;
+export declare function saveConfig(config: Partial<Config>): void;
+export declare function resetConfigCache(): void;

package/dist/utils/config.js

@@ -0,0 +1,69 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+const DEFAULT_VT_KEY = '3886ca2a3f7f9f42cb161f314cd1446fb7fd88e4097c5e004e1b64435d0726a9';
+const defaultConfig = {
+    language: 'en',
+    virustotal: {
+        apiKey: DEFAULT_VT_KEY,
+        enabled: true,
+    },
+    offline: false,
+    cache: {
+        ttl: 86400,
+    },
+};
+function getConfigDir() {
+    return join(homedir(), '.safe-npm');
+}
+function getConfigPath() {
+    return join(getConfigDir(), 'config.json');
+}
+export function hasConfigFile() {
+    return existsSync(getConfigPath());
+}
+let cachedConfig = null;
+export function getConfig() {
+    if (cachedConfig)
+        return cachedConfig;
+    const configPath = getConfigPath();
+    if (existsSync(configPath)) {
+        try {
+            const content = readFileSync(configPath, 'utf-8');
+            const loaded = JSON.parse(content);
+            cachedConfig = {
+                ...defaultConfig,
+                ...loaded,
+                virustotal: {
+                    ...defaultConfig.virustotal,
+                    ...(loaded.virustotal || {})
+                }
+            };
+            // Ensure API key is set (fallback to default if empty)
+            if (!cachedConfig?.virustotal.apiKey) {
+                // @ts-ignore
+                cachedConfig.virustotal.apiKey = DEFAULT_VT_KEY;
+            }
+            return cachedConfig;
+        }
+        catch {
+            cachedConfig = defaultConfig;
+            return cachedConfig;
+        }
+    }
+    cachedConfig = defaultConfig;
+    return cachedConfig;
+}
+export function saveConfig(config) {
+    const configDir = getConfigDir();
+    const configPath = getConfigPath();
+    if (!existsSync(configDir)) {
+        mkdirSync(configDir, { recursive: true });
+    }
+    const newConfig = { ...getConfig(), ...config };
+    writeFileSync(configPath, JSON.stringify(newConfig, null, 2));
+    cachedConfig = newConfig;
+}
+export function resetConfigCache() {
+    cachedConfig = null;
+}

package/dist/utils/npm-package.d.ts

@@ -0,0 +1,38 @@
+export interface PackageInfo {
+    name: string;
+    version: string;
+    tarballUrl: string;
+    tarballSha: string;
+    scripts: Record<string, string>;
+    main?: string;
+    dependencies: Record<string, string>;
+}
+export interface PackageFiles {
+    packageJson: Record<string, unknown>;
+    scripts: Record<string, string>;
+    entryFile?: string;
+    entryContent?: string;
+    allJsFiles: {
+        path: string;
+        content: string;
+    }[];
+}
+/**
+ * Get package info from npm registry
+ */
+export declare function getPackageInfo(packageName: string): Promise<PackageInfo | null>;
+/**
+ * Check if a package exists in the registry
+ */
+export declare function checkPackageExists(packageName: string): Promise<boolean>;
+/**
+ * Download package tarball and return SHA256 hash
+ */
+export declare function downloadPackageAndHash(tarballUrl: string): Promise<{
+    hash: string;
+    buffer: Buffer;
+} | null>;
+/**
+ * Extract tarball and scan files
+ */
+export declare function extractAndScanPackage(packageName: string): Promise<PackageFiles | null>;

package/dist/utils/npm-package.js

@@ -0,0 +1,191 @@
+import { exec } from 'child_process';
+import { promisify } from 'util';
+import { createHash } from 'crypto';
+import { tmpdir } from 'os';
+import { join } from 'path';
+import { mkdirSync, rmSync, existsSync, readFileSync } from 'fs';
+import axios from 'axios';
+const execAsync = promisify(exec);
+/**
+ * Get package info from npm registry
+ */
+export async function getPackageInfo(packageName) {
+    try {
+        // Parse package name and version
+        let name = packageName;
+        let version = 'latest';
+        if (packageName.includes('@') && !packageName.startsWith('@')) {
+            const parts = packageName.split('@');
+            name = parts[0];
+            version = parts[1] || 'latest';
+        }
+        else if (packageName.startsWith('@')) {
+            // Scoped package like @types/node@1.0.0
+            const lastAt = packageName.lastIndexOf('@');
+            if (lastAt > 0) {
+                name = packageName.substring(0, lastAt);
+                version = packageName.substring(lastAt + 1) || 'latest';
+            }
+        }
+        const { stdout } = await execAsync(`npm view ${name}@${version} --json`, {
+            timeout: 30000,
+        });
+        const info = JSON.parse(stdout);
+        return {
+            name: info.name,
+            version: info.version,
+            tarballUrl: info.dist?.tarball || '',
+            tarballSha: info.dist?.shasum || '',
+            scripts: info.scripts || {},
+            main: info.main,
+            dependencies: info.dependencies || {},
+        };
+    }
+    catch (error) {
+        if (error.stdout && error.stdout.includes('E404')) {
+            return null; // Clearly not found
+        }
+        // For other errors, we also return null currently but log it
+        // Suppress logging if it's just a 404 (npm view output usually contains the error)
+        if (!error.message.includes('code E404')) {
+            console.error(`Failed to get package info for ${packageName}:`, error.message);
+        }
+        return null;
+    }
+}
+/**
+ * Check if a package exists in the registry
+ */
+export async function checkPackageExists(packageName) {
+    try {
+        await execAsync(`npm view ${packageName} name`, { timeout: 10000 });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Download package tarball and return SHA256 hash
+ */
+export async function downloadPackageAndHash(tarballUrl) {
+    try {
+        const response = await axios.get(tarballUrl, {
+            responseType: 'arraybuffer',
+            timeout: 60000,
+        });
+        const buffer = Buffer.from(response.data);
+        const sha256 = createHash('sha256').update(buffer).digest('hex');
+        return { hash: sha256, buffer };
+    }
+    catch (error) {
+        console.error('Failed to download tarball:', error);
+        return null;
+    }
+}
+/**
+ * Extract tarball and scan files
+ */
+export async function extractAndScanPackage(packageName) {
+    const tempDir = join(tmpdir(), `safe-npm-scan-${Date.now()}`);
+    try {
+        mkdirSync(tempDir, { recursive: true });
+        // Use npm pack to download the package
+        const { stdout } = await execAsync(`npm pack ${packageName} --pack-destination="${tempDir}"`, {
+            timeout: 60000,
+            cwd: tempDir,
+        });
+        const tgzFile = stdout.trim();
+        const tgzPath = join(tempDir, tgzFile);
+        // Extract the tarball
+        await execAsync(`tar -xzf "${tgzPath}" -C "${tempDir}"`, {
+            timeout: 30000,
+        });
+        const packageDir = join(tempDir, 'package');
+        if (!existsSync(packageDir)) {
+            return null;
+        }
+        // Read package.json
+        const packageJsonPath = join(packageDir, 'package.json');
+        const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf-8'));
+        // Collect all JS files (limit to entry point and install scripts area)
+        const allJsFiles = [];
+        const filesToScan = [];
+        // Add main entry file
+        const mainFile = packageJson.main || 'index.js';
+        const mainPath = join(packageDir, mainFile);
+        if (existsSync(mainPath)) {
+            filesToScan.push(mainPath);
+        }
+        // Add bin files
+        if (packageJson.bin) {
+            const bins = typeof packageJson.bin === 'string'
+                ? [packageJson.bin]
+                : Object.values(packageJson.bin);
+            for (const bin of bins) {
+                const binPath = join(packageDir, bin);
+                if (existsSync(binPath)) {
+                    filesToScan.push(binPath);
+                }
+            }
+        }
+        // Scan preinstall/postinstall scripts if they reference files
+        const scripts = packageJson.scripts || {};
+        for (const [scriptName, scriptCmd] of Object.entries(scripts)) {
+            if (['preinstall', 'install', 'postinstall'].includes(scriptName)) {
+                // Check if script references a JS file
+                const cmd = scriptCmd;
+                const jsMatch = cmd.match(/node\s+([^\s]+\.js)/);
+                if (jsMatch) {
+                    const scriptPath = join(packageDir, jsMatch[1]);
+                    if (existsSync(scriptPath)) {
+                        filesToScan.push(scriptPath);
+                    }
+                }
+            }
+        }
+        // Read files to scan
+        for (const filePath of filesToScan) {
+            try {
+                const content = readFileSync(filePath, 'utf-8');
+                allJsFiles.push({
+                    path: filePath.replace(packageDir, ''),
+                    content,
+                });
+            }
+            catch {
+                // Skip unreadable files
+            }
+        }
+        // Get entry content
+        let entryContent;
+        if (existsSync(mainPath)) {
+            try {
+                entryContent = readFileSync(mainPath, 'utf-8');
+            }
+            catch {
+                // Ignore
+            }
+        }
+        return {
+            packageJson,
+            scripts: packageJson.scripts || {},
+            entryFile: mainFile,
+            entryContent,
+            allJsFiles,
+        };
+    }
+    catch (error) {
+        console.error('Failed to extract package:', error);
+        return null;
+    }
+    finally {
+        // Cleanup temp directory
+        try {
+            rmSync(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore cleanup errors
+        }
+    }
+}

package/dist/utils/npm-runner.d.ts

@@ -0,0 +1,7 @@
+export interface NpmResult {
+    exitCode: number;
+    stdout: string;
+    stderr: string;
+}
+export declare function runNpm(args: string[]): Promise<NpmResult>;
+export declare function runNpmPassthrough(args: string[]): Promise<number>;

package/dist/utils/npm-runner.js

@@ -0,0 +1,56 @@
+import { spawn } from 'child_process';
+export function runNpm(args) {
+    return new Promise((resolve) => {
+        const isWin = process.platform === 'win32';
+        const command = isWin ? 'cmd.exe' : 'npm';
+        // On Windows, use /d /s /c to run the command safely
+        // npm.cmd is usually in PATH, but we can specify it directly if needed.
+        // Usually 'npm' works inside cmd.
+        const finalArgs = isWin ? ['/d', '/s', '/c', 'npm', ...args] : args;
+        const child = spawn(command, finalArgs, {
+            stdio: ['inherit', 'pipe', 'pipe'],
+            shell: false,
+        });
+        let stdout = '';
+        let stderr = '';
+        child.stdout?.on('data', (data) => {
+            stdout += data.toString();
+            process.stdout.write(data);
+        });
+        child.stderr?.on('data', (data) => {
+            stderr += data.toString();
+            process.stderr.write(data);
+        });
+        child.on('close', (code) => {
+            resolve({
+                exitCode: code ?? 1,
+                stdout,
+                stderr,
+            });
+        });
+        child.on('error', () => {
+            resolve({
+                exitCode: 1,
+                stdout,
+                stderr: stderr || 'Failed to run npm',
+            });
+        });
+    });
+}
+export function runNpmPassthrough(args) {
+    return new Promise((resolve) => {
+        const isWin = process.platform === 'win32';
+        const command = isWin ? 'cmd.exe' : 'npm';
+        const finalArgs = isWin ? ['/d', '/s', '/c', 'npm', ...args] : args;
+        const child = spawn(command, finalArgs, {
+            stdio: 'inherit',
+            shell: false,
+        });
+        child.on('close', (code) => {
+            resolve(code ?? 1);
+        });
+        child.on('error', () => {
+            resolve(1);
+        });
+    });
+}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@deepv-code/safe-npm",
+  "version": "0.1.0",
+  "description": "A security-focused npm wrapper that scans packages before installation",
+  "main": "dist/index.js",
+  "type": "module",
+  "bin": {
+    "safe-npm": "dist/index.js"
+  },
+  "scripts": {
+    "start": "node dist/index.js",
+    "build": "tsc",
+    "dev": "tsc -w",
+    "test": "vitest"
+  },
+  "keywords": [
+    "npm",
+    "security",
+    "malware",
+    "scanner"
+  ],
+  "author": "DeepV Code",
+  "license": "MIT",
+  "files": [
+    "dist",
+    "README.md",
+    "README.zh-CN.md",
+    "LICENSE"
+  ],
+  "dependencies": {
+    "axios": "^1.13.4",
+    "chalk": "^5.6.2",
+    "commander": "^14.0.2",
+    "form-data": "^4.0.5",
+    "ink": "^6.6.0",
+    "ink-text-input": "^6.0.0",
+    "ora": "^9.1.0",
+    "react": "^19.2.4"
+  },
+  "devDependencies": {
+    "@types/form-data": "^2.2.1",
+    "@types/ink-text-input": "^2.0.5",
+    "@types/node": "^25.0.10",
+    "@types/react": "^19.2.10",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.18"
+  }
+}