@getcodesentinel/codesentinel 1.6.4 → 1.7.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +54 -1
- package/dist/index.js +827 -37
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
</p>
|
|
4
4
|
<h1 align="center">CodeSentinel</h1>
|
|
5
5
|
<p align="center">
|
|
6
|
-
<a href="https://github.com/getcodesentinel/codesentinel/actions/workflows/
|
|
6
|
+
<a href="https://github.com/getcodesentinel/codesentinel/actions/workflows/release.yml"><img src="https://github.com/getcodesentinel/codesentinel/actions/workflows/release.yml/badge.svg?branch=main" alt="Release" /></a>
|
|
7
7
|
<a href="https://www.npmjs.com/package/@getcodesentinel/codesentinel"><img src="https://img.shields.io/npm/v/@getcodesentinel/codesentinel" alt="npm version" /></a>
|
|
8
8
|
<a href="https://nodejs.org/"><img src="https://img.shields.io/badge/node-%3E%3D22-339933?logo=node.js&logoColor=white" alt="Node.js >=22" /></a>
|
|
9
9
|
<a href="https://opensource.org/licenses/MIT"><img src="https://img.shields.io/badge/License-MIT-blue.svg" alt="License: MIT" /></a>
|
|
@@ -69,6 +69,7 @@ Then run:
|
|
|
69
69
|
|
|
70
70
|
```bash
|
|
71
71
|
codesentinel analyze [path]
|
|
72
|
+
codesentinel explain [path]
|
|
72
73
|
codesentinel dependency-risk <dependency[@version]>
|
|
73
74
|
```
|
|
74
75
|
|
|
@@ -78,6 +79,10 @@ Examples:
|
|
|
78
79
|
codesentinel analyze
|
|
79
80
|
codesentinel analyze .
|
|
80
81
|
codesentinel analyze ../project
|
|
82
|
+
codesentinel explain
|
|
83
|
+
codesentinel explain . --top 5 --format text
|
|
84
|
+
codesentinel explain . --file src/app/page.tsx
|
|
85
|
+
codesentinel explain . --module src/components
|
|
81
86
|
codesentinel dependency-risk react
|
|
82
87
|
codesentinel dependency-risk react@19.0.0
|
|
83
88
|
```
|
|
@@ -103,6 +108,19 @@ codesentinel analyze .
|
|
|
103
108
|
# Full output (all sections and detailed arrays)
|
|
104
109
|
codesentinel analyze . --output json
|
|
105
110
|
codesentinel analyze . --json
|
|
111
|
+
|
|
112
|
+
# Explain top hotspots with narrative output
|
|
113
|
+
codesentinel explain .
|
|
114
|
+
|
|
115
|
+
# Explain a specific file
|
|
116
|
+
codesentinel explain . --file src/app/page.tsx
|
|
117
|
+
|
|
118
|
+
# Explain a specific module
|
|
119
|
+
codesentinel explain . --module src/components
|
|
120
|
+
|
|
121
|
+
# Explain in markdown or json
|
|
122
|
+
codesentinel explain . --format md
|
|
123
|
+
codesentinel explain . --format json
|
|
106
124
|
```
|
|
107
125
|
|
|
108
126
|
Notes:
|
|
@@ -124,8 +142,31 @@ pnpm dev -- analyze
|
|
|
124
142
|
pnpm dev -- analyze .
|
|
125
143
|
pnpm dev -- analyze ../project
|
|
126
144
|
pnpm dev -- analyze . --author-identity strict_email
|
|
145
|
+
pnpm dev -- explain
|
|
146
|
+
pnpm dev -- explain . --top 5 --format text
|
|
147
|
+
pnpm dev -- explain . --file src/app/page.tsx
|
|
127
148
|
```
|
|
128
149
|
|
|
150
|
+
## Explain Output
|
|
151
|
+
|
|
152
|
+
`codesentinel explain` uses the same risk-engine scoring model as `analyze` and adds structured explanation traces.
|
|
153
|
+
|
|
154
|
+
Text/markdown output includes:
|
|
155
|
+
|
|
156
|
+
- repository score and risk band (`low|moderate|high|very_high`)
|
|
157
|
+
- plain-language primary drivers
|
|
158
|
+
- concrete evidence values behind those drivers
|
|
159
|
+
- intersected signals (composite interaction terms)
|
|
160
|
+
- prioritized reduction actions
|
|
161
|
+
- per-target breakdowns (repository/file/module/dependency, depending on selection)
|
|
162
|
+
|
|
163
|
+
Filters:
|
|
164
|
+
|
|
165
|
+
- `--file <path>`: explain one file target.
|
|
166
|
+
- `--module <name>`: explain one module target.
|
|
167
|
+
- `--top <n>`: explain top `n` hotspot files (default behavior when no file/module is provided).
|
|
168
|
+
- `--format text|json|md`: render narrative text, full JSON payload, or markdown.
|
|
169
|
+
|
|
129
170
|
## Understanding Analyze Output
|
|
130
171
|
|
|
131
172
|
`codesentinel analyze` returns one JSON document with four top-level blocks:
|
|
@@ -201,12 +242,24 @@ For `external.dependencies`, each direct dependency now exposes three signal fie
|
|
|
201
242
|
- `inheritedRiskSignals`: signals propagated from transitive dependencies in its subtree.
|
|
202
243
|
- `riskSignals`: union of `ownRiskSignals` and `inheritedRiskSignals`.
|
|
203
244
|
|
|
245
|
+
Data source notes:
|
|
246
|
+
|
|
247
|
+
- Lockfile-first extraction supports `pnpm-lock.yaml`, `package-lock.json` / `npm-shrinkwrap.json`, `yarn.lock`, and `bun.lock`.
|
|
248
|
+
- If no lockfile is present, CodeSentinel attempts a bounded npm registry graph resolution from direct dependencies.
|
|
249
|
+
- npm weekly download metadata is fetched only for direct dependencies (not all transitive nodes).
|
|
250
|
+
|
|
204
251
|
Classification lists:
|
|
205
252
|
|
|
206
253
|
- `highRiskDependencies`: **production** direct packages classified from strong **own** signals (not inherited-only signals).
|
|
207
254
|
- `highRiskDevelopmentDependencies`: same classification model for direct development dependencies.
|
|
208
255
|
- `transitiveExposureDependencies`: direct packages carrying inherited transitive exposure signals.
|
|
209
256
|
|
|
257
|
+
Current high-risk rule for direct dependencies:
|
|
258
|
+
|
|
259
|
+
- mark high-risk if own signals include `abandoned`, or
|
|
260
|
+
- mark high-risk if at least two of own signals are in `{high_centrality, deep_chain, high_fanout}`, or
|
|
261
|
+
- mark high-risk if own signals include `single_maintainer` and the package is stale (>= half abandoned threshold) or has no recent repository activity signal.
|
|
262
|
+
|
|
210
263
|
Propagation policy is explicit and deterministic:
|
|
211
264
|
|
|
212
265
|
- `single_maintainer`: **not propagated**
|