npm - @ktpartners/dgs-platform - Versions diffs - 3.0.4 → 3.3.0 - Mend

@ktpartners/dgs-platform 3.0.4 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (115) hide show

package/deliver-great-systems/bin/lib/fixtures/package-scan/gate-parity-expected.md ADDED Viewed

@@ -0,0 +1,186 @@
+---
+type: "package-scan"
+date: "2026-04-18"
+tool: "mixed"
+snyk_org: null
+repos_scanned: 3
+critical: 1
+high: 1
+medium: 2
+low: 0
+duration: 5
+findings:
+  - id: "pkg-001"
+    test_source: "package-scan"
+    gap_type: "dependency-security"
+    severity: "high"
+    resource_id: "lodash@4.17.15"
+    repo: "api"
+    manifest_path: "packages/api/package.json"
+    title: "Command Injection in lodash"
+    description: "Versions of lodash prior to 4.17.21 are vulnerable to Command Injection."
+    remediation: "upgrade to lodash@4.17.21"
+    reference: "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
+    cve: "CVE-2021-23337"
+    cvss: 7.2
+    dependency_chain:
+      - "api@1.0.0"
+      - "lodash@4.17.15"
+    chain_available: true
+    direct_or_transitive: "direct"
+    tool: "snyk"
+    introduced_in_commit: null
+    introduced_in_plan: null
+  - id: "pkg-002"
+    test_source: "package-scan"
+    gap_type: "dependency-security"
+    severity: "medium"
+    resource_id: "gpl-licensed-dep@2.0.0"
+    repo: "api"
+    manifest_path: "packages/api/package.json"
+    title: "Prototype Pollution in gpl-licensed-dep"
+    description: |-
+      Multi-line
+      description with
+      embedded newlines.
+    remediation: null
+    reference: "https://example.com/advisory"
+    cve: null
+    cvss: null
+    dependency_chain: null
+    chain_available: false
+    direct_or_transitive: "transitive"
+    tool: "snyk"
+    introduced_in_commit: null
+    introduced_in_plan: null
+  - id: "pkg-002-lic"
+    test_source: "package-scan"
+    gap_type: "dependency-licence"
+    severity: "high"
+    resource_id: "gpl-licensed-dep@2.0.0"
+    repo: "api"
+    manifest_path: "packages/api/package.json"
+    title: "Restrictive licence: GPL-3.0"
+    description: "Package gpl-licensed-dep@2.0.0 is licensed under GPL-3.0. Using this dependency may impose copyleft obligations on your project."
+    remediation: "Review licence compatibility or replace with a permissive-licensed alternative."
+    reference: null
+    cve: null
+    cvss: null
+    dependency_chain: null
+    chain_available: false
+    direct_or_transitive: "transitive"
+    tool: "snyk"
+    introduced_in_commit: null
+    introduced_in_plan: null
+  - id: "pkg-003"
+    test_source: "package-scan"
+    gap_type: "dependency-security"
+    severity: "medium"
+    resource_id: "requests@2.25.0"
+    repo: "worker"
+    manifest_path: null
+    title: "Unintended leak of Proxy-Authorization header"
+    description: "Requests is a HTTP library."
+    remediation: "pip install requests==2.31.0"
+    reference: null
+    cve: "CVE-2023-32681"
+    cvss: null
+    dependency_chain: null
+    chain_available: false
+    direct_or_transitive: null
+    tool: "pip-audit"
+    introduced_in_commit: null
+    introduced_in_plan: null
+  - id: "pkg-004"
+    test_source: "package-scan"
+    gap_type: "dependency-security"
+    severity: "critical"
+    resource_id: "express"
+    repo: "_product_root"
+    manifest_path: null
+    title: "express Critical vulnerability"
+    description: null
+    remediation: null
+    reference: "https://github.com/advisories/GHSA-xxxx"
+    cve: null
+    cvss: 9.8
+    dependency_chain: null
+    chain_available: false
+    direct_or_transitive: "direct"
+    tool: "npm-audit"
+    introduced_in_commit: null
+    introduced_in_plan: null
+---
+# Package Scan Report
+## Summary
+| Repo | Ecosystem | Tool | .snyk policy | Critical | High | Medium | Low | Status |
+|------|-----------|------|--------------|----------|------|--------|-----|--------|
+| api | node | snyk | — | 0 | 1 | 1 | 0 | ok |
+| worker | python | pip-audit | — | 0 | 0 | 1 | 0 | ok |
+| _product_root | node | npm-audit | — | 1 | 0 | 0 | 0 | ok |
+## Licence Compliance
+> Licence scan incomplete -- use Snyk for full coverage.
+## Critical
+### _product_root: express — express Critical vulnerability
+- **CVE:** unavailable
+- **CVSS:** 9.8
+- **Tool:** npm-audit
+- **Manifest:** repo root
+- **Direct/Transitive:** direct
+- **Dependency chain:** unavailable (chain_available: false — recommend Snyk for full chain analysis)
+- **Fix:** no upgrade path available — manual review required
+- **Reference:** https://github.com/advisories/GHSA-xxxx
+- **Introduced in:** unknown
+## High
+### api: lodash@4.17.15 — Command Injection in lodash
+- **CVE:** CVE-2021-23337
+- **CVSS:** 7.2
+- **Tool:** snyk
+- **Manifest:** `packages/api/package.json`
+- **Direct/Transitive:** direct
+- **Dependency chain:** api@1.0.0 → lodash@4.17.15
+- **Fix:** upgrade to lodash@4.17.21
+- **Reference:** https://snyk.io/vuln/SNYK-JS-LODASH-1040724
+- **Introduced in:** unknown
+> Versions of lodash prior to 4.17.21 are vulnerable to Command Injection.
+## Medium
+### api: gpl-licensed-dep@2.0.0 — Prototype Pollution in gpl-licensed-dep
+- **CVE:** unavailable
+- **CVSS:** unavailable
+- **Tool:** snyk
+- **Manifest:** `packages/api/package.json`
+- **Direct/Transitive:** transitive
+- **Dependency chain:** unavailable (chain_available: false — recommend Snyk for full chain analysis)
+- **Fix:** no upgrade path available — manual review required
+- **Reference:** https://example.com/advisory
+- **Introduced in:** unknown
+> Multi-line
+> description with
+> embedded newlines.
+### worker: requests@2.25.0 — Unintended leak of Proxy-Authorization header
+- **CVE:** CVE-2023-32681
+- **CVSS:** unavailable
+- **Tool:** pip-audit
+- **Manifest:** repo root
+- **Direct/Transitive:** unknown
+- **Dependency chain:** unavailable (chain_available: false — recommend Snyk for full chain analysis)
+- **Fix:** pip install requests==2.31.0
+- **Reference:** unavailable
+- **Introduced in:** unknown
+> Requests is a HTTP library.

package/deliver-great-systems/bin/lib/fixtures/package-scan/gate-parity-runresult.json ADDED Viewed

@@ -0,0 +1,235 @@
+{
+  "exit_code": 0,
+  "tool_per_target": {
+    "api": "snyk",
+    "worker": "pip-audit",
+    "_product_root": "npm-audit"
+  },
+  "repo_results": [
+    {
+      "repo": "api",
+      "ecosystem": "node",
+      "tool_used": "snyk",
+      "outcome": "ok",
+      "durationMs": 2400,
+      "findings": [
+        {
+          "id": "pkg-001",
+          "tool": "snyk",
+          "ecosystem": "node",
+          "repo": "api",
+          "manifest_path": "packages/api/package.json",
+          "package_name": "lodash",
+          "installed_version": "4.17.15",
+          "vulnerability": {
+            "cve": "CVE-2021-23337",
+            "title": "Command Injection in lodash",
+            "description": "Versions of lodash prior to 4.17.21 are vulnerable to Command Injection.",
+            "reference_url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
+          },
+          "severity": "high",
+          "cvss_score": 7.2,
+          "cvss_vector": null,
+          "direct_or_transitive": "direct",
+          "dependency_chain": [
+            { "name": "api", "version": "1.0.0" },
+            { "name": "lodash", "version": "4.17.15" }
+          ],
+          "chain_available": true,
+          "fix_version": "4.17.21",
+          "remediation": "upgrade to lodash@4.17.21",
+          "licence": null
+        },
+        {
+          "id": "pkg-002",
+          "tool": "snyk",
+          "ecosystem": "node",
+          "repo": "api",
+          "manifest_path": "packages/api/package.json",
+          "package_name": "gpl-licensed-dep",
+          "installed_version": "2.0.0",
+          "vulnerability": {
+            "cve": null,
+            "title": "Prototype Pollution in gpl-licensed-dep",
+            "description": "Multi-line\ndescription with\nembedded newlines.",
+            "reference_url": "https://example.com/advisory"
+          },
+          "severity": "moderate",
+          "cvss_score": null,
+          "cvss_vector": null,
+          "direct_or_transitive": "transitive",
+          "dependency_chain": null,
+          "chain_available": false,
+          "fix_version": null,
+          "remediation": null,
+          "licence": "GPL-3.0"
+        }
+      ]
+    },
+    {
+      "repo": "worker",
+      "ecosystem": "python",
+      "tool_used": "pip-audit",
+      "outcome": "ok",
+      "durationMs": 1800,
+      "findings": [
+        {
+          "id": "pkg-003",
+          "tool": "pip-audit",
+          "ecosystem": "python",
+          "repo": "worker",
+          "manifest_path": null,
+          "package_name": "requests",
+          "installed_version": "2.25.0",
+          "vulnerability": {
+            "cve": "CVE-2023-32681",
+            "title": "Unintended leak of Proxy-Authorization header",
+            "description": "Requests is a HTTP library.",
+            "reference_url": null
+          },
+          "severity": null,
+          "cvss_score": null,
+          "cvss_vector": null,
+          "direct_or_transitive": null,
+          "dependency_chain": null,
+          "chain_available": false,
+          "fix_version": "2.31.0",
+          "remediation": "pip install requests==2.31.0"
+        }
+      ]
+    },
+    {
+      "repo": "_product_root",
+      "ecosystem": "node",
+      "tool_used": "npm-audit",
+      "outcome": "ok",
+      "durationMs": 900,
+      "findings": [
+        {
+          "id": "pkg-004",
+          "tool": "npm-audit",
+          "ecosystem": "node",
+          "repo": "_product_root",
+          "manifest_path": null,
+          "package_name": "express",
+          "installed_version": "",
+          "vulnerability": {
+            "cve": null,
+            "title": "express Critical vulnerability",
+            "description": null,
+            "reference_url": "https://github.com/advisories/GHSA-xxxx"
+          },
+          "severity": "critical",
+          "cvss_score": 9.8,
+          "cvss_vector": null,
+          "direct_or_transitive": "direct",
+          "dependency_chain": null,
+          "chain_available": false,
+          "fix_version": null,
+          "remediation": null
+        }
+      ]
+    }
+  ],
+  "findings": [
+    {
+      "id": "pkg-001",
+      "tool": "snyk",
+      "ecosystem": "node",
+      "repo": "api",
+      "manifest_path": "packages/api/package.json",
+      "package_name": "lodash",
+      "installed_version": "4.17.15",
+      "vulnerability": {
+        "cve": "CVE-2021-23337",
+        "title": "Command Injection in lodash",
+        "description": "Versions of lodash prior to 4.17.21 are vulnerable to Command Injection.",
+        "reference_url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724"
+      },
+      "severity": "high",
+      "cvss_score": 7.2,
+      "cvss_vector": null,
+      "direct_or_transitive": "direct",
+      "dependency_chain": [
+        { "name": "api", "version": "1.0.0" },
+        { "name": "lodash", "version": "4.17.15" }
+      ],
+      "chain_available": true,
+      "fix_version": "4.17.21",
+      "remediation": "upgrade to lodash@4.17.21",
+      "licence": null
+    },
+    {
+      "id": "pkg-002",
+      "tool": "snyk",
+      "ecosystem": "node",
+      "repo": "api",
+      "manifest_path": "packages/api/package.json",
+      "package_name": "gpl-licensed-dep",
+      "installed_version": "2.0.0",
+      "vulnerability": {
+        "cve": null,
+        "title": "Prototype Pollution in gpl-licensed-dep",
+        "description": "Multi-line\ndescription with\nembedded newlines.",
+        "reference_url": "https://example.com/advisory"
+      },
+      "severity": "moderate",
+      "cvss_score": null,
+      "cvss_vector": null,
+      "direct_or_transitive": "transitive",
+      "dependency_chain": null,
+      "chain_available": false,
+      "fix_version": null,
+      "remediation": null,
+      "licence": "GPL-3.0"
+    },
+    {
+      "id": "pkg-003",
+      "tool": "pip-audit",
+      "ecosystem": "python",
+      "repo": "worker",
+      "manifest_path": null,
+      "package_name": "requests",
+      "installed_version": "2.25.0",
+      "vulnerability": {
+        "cve": "CVE-2023-32681",
+        "title": "Unintended leak of Proxy-Authorization header",
+        "description": "Requests is a HTTP library.",
+        "reference_url": null
+      },
+      "severity": null,
+      "cvss_score": null,
+      "cvss_vector": null,
+      "direct_or_transitive": null,
+      "dependency_chain": null,
+      "chain_available": false,
+      "fix_version": "2.31.0",
+      "remediation": "pip install requests==2.31.0"
+    },
+    {
+      "id": "pkg-004",
+      "tool": "npm-audit",
+      "ecosystem": "node",
+      "repo": "_product_root",
+      "manifest_path": null,
+      "package_name": "express",
+      "installed_version": "",
+      "vulnerability": {
+        "cve": null,
+        "title": "express Critical vulnerability",
+        "description": null,
+        "reference_url": "https://github.com/advisories/GHSA-xxxx"
+      },
+      "severity": "critical",
+      "cvss_score": 9.8,
+      "cvss_vector": null,
+      "direct_or_transitive": "direct",
+      "dependency_chain": null,
+      "chain_available": false,
+      "fix_version": null,
+      "remediation": null
+    }
+  ],
+  "skipped": [],
+  "diagnostics": []
+}

package/deliver-great-systems/bin/lib/fixtures/package-scan/govulncheck-import.json ADDED Viewed

@@ -0,0 +1,3 @@
+{"message":{"type":"osv","osv":{"id":"GO-2023-1878","summary":"Improper input validation in golang.org/x/net","details":"Uncontrolled recursion in golang.org/x/net/html can cause a denial of service.","aliases":["CVE-2023-3978"],"references":[{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2023-1878"},{"type":"FIX","url":"https://go.dev/cl/514896"}]}}}
+{"message":{"type":"finding","finding":{"osv":"GO-2023-1878","fixed_version":"v0.13.0","trace":[{"module":"example.com/myapp","version":"v0.1.0"},{"module":"golang.org/x/net","version":"v0.12.0","function":"html.Parse"}]}}}
+{"message":{"type":"finding","finding":{"osv":"GO-2023-1878","fixed_version":"v0.13.0","trace":[{"module":"golang.org/x/net","version":"v0.12.0","function":"html.Tokenize"}]}}}

package/deliver-great-systems/bin/lib/fixtures/package-scan/npm-audit-v10.json ADDED Viewed

@@ -0,0 +1,37 @@
+{
+  "auditReportVersion": 2,
+  "vulnerabilities": {
+    "lodash": {
+      "name": "lodash",
+      "severity": "high",
+      "isDirect": false,
+      "via": [
+        {
+          "source": 1523,
+          "name": "lodash",
+          "dependency": "lodash",
+          "title": "Prototype Pollution in lodash",
+          "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw",
+          "severity": "high",
+          "cwe": ["CWE-1321"],
+          "cvss": {
+            "score": 7.4,
+            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+          },
+          "range": "<4.17.21"
+        }
+      ],
+      "effects": [],
+      "range": "<4.17.21",
+      "nodes": ["node_modules/lodash"],
+      "fixAvailable": {
+        "name": "lodash",
+        "version": "4.17.21",
+        "isSemVerMajor": false
+      }
+    }
+  },
+  "metadata": {
+    "vulnerabilities": { "info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0, "total": 1 }
+  }
+}

package/deliver-great-systems/bin/lib/fixtures/package-scan/osv-clean.json ADDED Viewed

@@ -0,0 +1,3 @@
+{
+  "results": []
+}

package/deliver-great-systems/bin/lib/fixtures/package-scan/osv-vulns.json ADDED Viewed

@@ -0,0 +1,77 @@
+{
+  "results": [
+    {
+      "source": {
+        "path": "packages/api/package-lock.json",
+        "type": "lockfile"
+      },
+      "packages": [
+        {
+          "package": {
+            "name": "lodash",
+            "version": "4.17.20",
+            "ecosystem": "npm"
+          },
+          "vulnerabilities": [
+            {
+              "id": "GHSA-p6mc-m468-83gw",
+              "summary": "Prototype Pollution in lodash",
+              "details": "Versions of lodash prior to 4.17.21 are vulnerable to prototype pollution.",
+              "aliases": ["CVE-2020-8203"],
+              "severity": [
+                { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }
+              ],
+              "references": [
+                { "type": "WEB", "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" }
+              ],
+              "affected": [
+                {
+                  "package": { "name": "lodash", "ecosystem": "npm" },
+                  "ranges": [
+                    {
+                      "type": "SEMVER",
+                      "events": [
+                        { "introduced": "0" },
+                        { "fixed": "4.17.21" }
+                      ]
+                    }
+                  ],
+                  "versions": ["4.17.20"]
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "package": {
+            "name": "minimist",
+            "version": "1.2.0",
+            "ecosystem": "npm"
+          },
+          "vulnerabilities": [
+            {
+              "id": "GHSA-vh95-rmgr-6w4m",
+              "summary": "Prototype Pollution in minimist",
+              "details": "minimist before 1.2.3 is vulnerable.",
+              "aliases": ["CVE-2020-7598"],
+              "severity": [
+                { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }
+              ],
+              "references": [
+                { "type": "WEB", "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m" }
+              ],
+              "affected": [
+                {
+                  "package": { "name": "minimist", "ecosystem": "npm" },
+                  "ranges": [
+                    { "type": "SEMVER", "events": [{ "introduced": "0" }, { "fixed": "1.2.3" }] }
+                  ]
+                }
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}

package/deliver-great-systems/bin/lib/fixtures/package-scan/pip-audit-requirements.json ADDED Viewed

@@ -0,0 +1,28 @@
+{
+  "dependencies": [
+    {
+      "name": "requests",
+      "version": "2.20.0",
+      "vulns": [
+        {
+          "id": "GHSA-x84v-xcm2-53pg",
+          "fix_versions": ["2.20.1", "2.21.0"],
+          "description": "Requests before 2.20.0 sends an HTTP Authorization header to an http URI upon redirect.",
+          "aliases": ["CVE-2018-18074"]
+        }
+      ]
+    },
+    {
+      "name": "urllib3",
+      "version": "1.24.1",
+      "vulns": [
+        {
+          "id": "PYSEC-2019-132",
+          "fix_versions": ["1.24.2"],
+          "description": "urllib3 before 1.24.2 does not remove the Authorization header on cross-origin redirects.",
+          "aliases": ["CVE-2019-11324"]
+        }
+      ]
+    }
+  ]
+}

package/deliver-great-systems/bin/lib/fixtures/package-scan/snyk-lodash.json ADDED Viewed

@@ -0,0 +1,30 @@
+{
+  "ok": false,
+  "targetFile": "package.json",
+  "projectName": "your-app",
+  "displayTargetFile": "package.json",
+  "foundProjectCount": 1,
+  "vulnerabilities": [
+    {
+      "id": "SNYK-JS-LODASH-590103",
+      "title": "Prototype Pollution",
+      "description": "lodash is vulnerable to prototype pollution via zipObjectDeep.",
+      "packageName": "lodash",
+      "version": "4.17.20",
+      "severity": "critical",
+      "cvssScore": 9.8,
+      "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+      "identifiers": {
+        "CVE": ["CVE-2020-8203"],
+        "CWE": ["CWE-1321"]
+      },
+      "from": ["your-app@1.0.0", "auth-lib@2.3.1", "lodash@4.17.20"],
+      "upgradePath": [false, "auth-lib@2.3.2", "lodash@4.17.21"],
+      "fixedIn": ["4.17.21"],
+      "isUpgradable": true,
+      "isPatchable": false,
+      "url": "https://snyk.io/vuln/SNYK-JS-LODASH-590103",
+      "license": "MIT"
+    }
+  ]
+}

package/deliver-great-systems/bin/lib/fixtures/package-scan/snyk-workspaces.json ADDED Viewed

@@ -0,0 +1,55 @@
+{
+  "ok": false,
+  "projects": [
+    {
+      "targetFile": "packages/api/package.json",
+      "projectName": "api",
+      "vulnerabilities": [
+        {
+          "id": "SNYK-JS-LODASH-590103",
+          "title": "Prototype Pollution",
+          "packageName": "lodash",
+          "version": "4.17.20",
+          "severity": "critical",
+          "cvssScore": 9.8,
+          "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+          "identifiers": { "CVE": ["CVE-2020-8203"] },
+          "from": ["api@1.0.0", "lodash@4.17.20"],
+          "upgradePath": [false, "lodash@4.17.21"],
+          "fixedIn": ["4.17.21"],
+          "isUpgradable": true
+        },
+        {
+          "id": "SNYK-JS-MINIMIST-559764",
+          "title": "Prototype Pollution",
+          "packageName": "minimist",
+          "version": "1.2.0",
+          "severity": "medium",
+          "cvssScore": 5.6,
+          "identifiers": { "CVE": ["CVE-2020-7598"] },
+          "from": ["api@1.0.0", "mkdirp@0.5.1", "minimist@1.2.0"],
+          "fixedIn": ["1.2.3"],
+          "isUpgradable": true
+        }
+      ]
+    },
+    {
+      "targetFile": "packages/web/package.json",
+      "projectName": "web",
+      "vulnerabilities": [
+        {
+          "id": "SNYK-JS-AXIOS-1038255",
+          "title": "Server-Side Request Forgery",
+          "packageName": "axios",
+          "version": "0.21.0",
+          "severity": "high",
+          "cvssScore": 7.5,
+          "identifiers": { "CVE": ["CVE-2020-28168"] },
+          "from": ["web@1.0.0", "axios@0.21.0"],
+          "fixedIn": ["0.21.1"],
+          "isUpgradable": true
+        }
+      ]
+    }
+  ]
+}

package/deliver-great-systems/bin/lib/frontmatter.cjs CHANGED Viewed

@@ -251,7 +251,7 @@ function parseMustHavesBlock(content, blockName) {
 const FRONTMATTER_SCHEMAS = {
   plan: { required: ['phase', 'plan', 'type', 'wave', 'depends_on', 'files_modified', 'autonomous', 'must_haves'] },
-  summary: { required: ['phase', 'plan', 'subsystem', 'tags', 'duration', 'completed', 'requirements-completed'] },
+  summary: { required: ['phase', 'plan', 'subsystem', 'tags', 'duration', 'completed', 'requirements_completed'] },
   verification: { required: ['phase', 'verified', 'status', 'score'] },
 };