@lateos/npm-scan 0.13.1 → 0.15.0

package/README.de.md

@@ -11,7 +11,7 @@
 [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen?style=flat-square)](package.json)
 [![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
-[![Docker](https://img.shields.io/badge/docker-ghcr.io%2Flateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://github.com/lateos-ai/npm-scan/pkgs/container/npm-scan)
+[![Docker](https://img.shields.io/badge/docker-lateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://hub.docker.com/r/lateos/npm-scan)
 [![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
 **Moderne Lieferkettensicherheit für das npm-Ökosystem.**  
@@ -100,7 +100,7 @@ npx @lateos/npm-scan scan commander
 
 ```bash
 # Einmaligen Scan pullen und ausführen — kein Node.js oder npm erforderlich
-docker run --rm ghcr.io/lateos/npm-scan:cli scan lodash
+docker run --rm lateos/npm-scan:cli scan lodash
 
 # Vollständige Pipeline mit persistentem Speicher und Compose
 docker compose --profile pipeline up -d

package/README.fr.md

@@ -11,7 +11,7 @@
 [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen?style=flat-square)](package.json)
 [![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
-[![Docker](https://img.shields.io/badge/docker-ghcr.io%2Flateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://github.com/lateos-ai/npm-scan/pkgs/container/npm-scan)
+[![Docker](https://img.shields.io/badge/docker-lateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://hub.docker.com/r/lateos/npm-scan)
 [![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
 **Sécurité moderne de la chaîne d'approvisionnement pour l'écosystème npm.**  
@@ -100,7 +100,7 @@ npx @lateos/npm-scan scan commander
 
 ```bash
 # Tirez et exécutez un scan unique — pas de Node.js ni npm requis
-docker run --rm ghcr.io/lateos/npm-scan:cli scan lodash
+docker run --rm lateos/npm-scan:cli scan lodash
 
 # Pipeline complet avec stockage persistant et Compose
 docker compose --profile pipeline up -d

package/README.ja.md

@@ -11,7 +11,7 @@
 [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen?style=flat-square)](package.json)
 [![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
-[![Docker](https://img.shields.io/badge/docker-ghcr.io%2Flateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://github.com/lateos-ai/npm-scan/pkgs/container/npm-scan)
+[![Docker](https://img.shields.io/badge/docker-lateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://hub.docker.com/r/lateos/npm-scan)
 [![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
 **npmエコシステムのためのモダンなサプライチェーンセキュリティ。**  
@@ -100,7 +100,7 @@ npx @lateos/npm-scan scan commander
 
 ```bash
 # 単一スキャンをプルして実行 — Node.jsやnpmは不要
-docker run --rm ghcr.io/lateos/npm-scan:cli scan lodash
+docker run --rm lateos/npm-scan:cli scan lodash
 
 # 永続ストレージとComposeを使用した完全パイプライン
 docker compose --profile pipeline up -d

package/README.md

@@ -3,9 +3,9 @@
 [![npm version](https://img.shields.io/npm/v/@lateos/npm-scan?style=flat-square)](https://www.npmjs.com/package/@lateos/npm-scan)
 [![License](https://img.shields.io/badge/license-Apache%202.0%20%2B%20Commons%20Clause-blue?style=flat-square)](LICENSING.md)
 [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen?style=flat-square)](package.json)
-[![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
-[![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
-[![Docker](https://img.shields.io/badge/docker-ghcr.io%2Flateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://github.com/lateos-ai/npm-scan/pkgs/container/npm-scan)
+[![Tests](https://img.shields.io/badge/tests-324%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
+[![Coverage](https://img.shields.io/badge/coverage-90%25-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
+[![Docker](https://img.shields.io/badge/docker-lateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://hub.docker.com/r/lateos/npm-scan)
 [![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
 [![中文](https://img.shields.io/badge/lang-zh--CN-red?style=flat-square)](https://github.com/lateos-ai/npm-scan/blob/main/README.zh.md)
@@ -71,6 +71,7 @@ Attackers have moved past simple typosquatting. They now ship **obfuscated prein
 | 🛡️ | **Zero telemetry** | No data leaves your machine. No cloud. No callbacks. |
 | 💾 | **Local scan history** | SQLite-backed persistence, zero external dependencies |
 | 🪝 | **Pre-commit hook** | Block threats before commit — one-liner install, scans `package-lock.json` changes |
+| 📎 | **Yarn + pnpm support** | `scan-lockfile` parses `yarn.lock` and `pnpm-lock.yaml` alongside `package-lock.json` |
 
 ---
 
@@ -102,7 +103,7 @@ npx @lateos/npm-scan scan commander
 
 ```bash
 # Pull and run a single scan — no Node.js or npm required
-docker run --rm ghcr.io/lateos/npm-scan:cli scan lodash
+docker run --rm lateos/npm-scan:cli scan lodash
 
 # Full pipeline with persistent storage and Compose
 docker compose --profile pipeline up -d
@@ -190,12 +191,16 @@ npm-scan scan --file path/to/malicious-package.tgz
 ### Scan a lockfile
 
 ```bash
-# Scan the current project's dependencies
+# Scan the current project's dependencies (auto-detects npm/yarn/pnpm)
 npm-scan scan-lockfile
 
 # Scan a specific lockfile
 npm-scan scan-lockfile -f ./path/to/package-lock.json
 
+# Scan yarn.lock or pnpm-lock.yaml
+npm-scan scan-lockfile -f ./yarn.lock --yarn
+npm-scan scan-lockfile -f ./pnpm-lock.yaml --pnpm
+
 # Fail CI/CD on high or critical findings (exit code 1)
 npm-scan scan-lockfile --fail-on high
 
@@ -211,7 +216,7 @@ npm-scan scan-lockfile --watch
 # Watch with faster debounce (500ms) — great for dev workflows
 npm-scan scan-lockfile --watch --debounce 500
 
-# Watch monorepo (all package-lock.json files in workspace)
+# Watch monorepo (all lockfiles — npm/yarn/pnpm — in workspace)
 npm-scan scan-lockfile --watch --monorepo
 
 # Output only risk score (0-10) for dashboards/thresholds
@@ -686,8 +691,12 @@ node --test test/detectors-corpus.test.js
 - `test/detectors-corpus.test.js` — 33 malicious + 50 clean tarball integration (offline)
 - `test/fetch.test.js` — tarball extraction, temp directory cleanup
 - `test/policy-edge-cases.test.js` — edge cases in suppress, override, load validation
+- `test/policy.test.js` — policy YAML/JSON load, apply, suppress, severity override tests
 - `test/report-snapshots.test.js` — HTML/text/CRA/PDF format assertions
+- `test/report.test.js` — SARIF, CSV, STIG, risk score format tests
+- `test/lockfile.test.js` — npm/yarn/pnpm parser, auto-detect, ATK-007/011 lockfile tests
 - `test/cli.test.js` — commander integration tests (help, version, scan, report, error handling)
+- `test/cli-lockfile.test.js` — scan-lockfile CLI options, yarn/pnpm/monorepo/watch tests
 
 ### Need help?
 

package/README.zh.md

@@ -11,7 +11,7 @@
 [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen?style=flat-square)](package.json)
 [![Tests](https://img.shields.io/badge/tests-222%20passing-brightgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
 [![Coverage](https://img.shields.io/badge/coverage-85%25-yellowgreen?style=flat-square)](https://github.com/lateos-ai/npm-scan)
-[![Docker](https://img.shields.io/badge/docker-ghcr.io%2Flateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://github.com/lateos-ai/npm-scan/pkgs/container/npm-scan)
+[![Docker](https://img.shields.io/badge/docker-lateos%2Fnpm--scan-2496ED?style=flat-square&logo=docker)](https://hub.docker.com/r/lateos/npm-scan)
 [![Sigstore](https://img.shields.io/static/v1?label=Sigstore&message=Provenance&color=green&style=flat-square&logo=sigstore)](https://github.com/lateos-ai/npm-scan/actions/workflows/publish.yml)
 
 **适用于 npm 生态系统的现代供应链安全工具。**  
@@ -100,7 +100,7 @@ npx @lateos/npm-scan scan commander
 
 ```bash
 # 拉取并运行单次扫描 — 无需 Node.js 或 npm
-docker run --rm ghcr.io/lateos/npm-scan:cli scan lodash
+docker run --rm lateos/npm-scan:cli scan lodash
 
 # 使用持久化存储和 Compose 的完整流水线
 docker compose --profile pipeline up -d

package/backend/license.js

@@ -78,6 +78,10 @@ export function validateLicense(key, feature = '*') {
 
 export function isFeatureEnabled(feature, licenseKey = process.env.NPM_SCAN_LICENSE_KEY) {
   try {
+    if (!licenseKey) {
+      const unlocked = feature === 'scan' || ALLOWED_UNLOCKED.includes(feature);
+      if (unlocked) return true;
+    }
     validateLicense(licenseKey, feature);
     return true;
   } catch {

package/backend/lockfile.js

@@ -1,47 +1,265 @@
 import { readFileSync } from 'fs';
 import { resolve, dirname } from 'path';
-import { fileURLToPath } from 'url';
+import yaml from 'js-yaml';
 
-export function parseLockfile(filePath) {
+export function parseLockfile(filePath, options = {}) {
+  const { autoDetect = false } = options;
   try {
     const content = readFileSync(filePath, 'utf8');
-    const lockfile = JSON.parse(content);
-    const packages = [];
+    const ext = filePath.split('.').pop().toLowerCase();
 
-    if (lockfile.packages) {
-      for (const [key, pkg] of Object.entries(lockfile.packages)) {
-        if (key === '') continue;
-        const name = pkg.name || key.replace(/^node_modules\//, '').replace(/^[^/]+\//, '');
+    if (ext === 'json' || ext === 'jsonc') {
+      return parseNpmLockfile(content, filePath);
+    }
+    if (ext === 'lock' && !autoDetect) {
+      return parseYarnLockfile(content, filePath);
+    }
+    if (ext === 'yaml' || ext === 'yml') {
+      return parsePnpmLockfile(content, filePath);
+    }
+
+    if (autoDetect) {
+      if (content.trimStart().startsWith('{')) {
+        return parseNpmLockfile(content, filePath);
+      }
+      if (content.includes('__metadata')) {
+        return parsePnpmLockfile(content, filePath);
+      }
+      if (content.includes('@npm:') || /^\s*"?[\w@/-]+['"]?\s*,\s*$/m.test(content)) {
+        return parseYarnLockfile(content, filePath);
+      }
+    }
+
+    return parseNpmLockfile(content, filePath);
+  } catch (e) {
+    throw new Error(`Failed to parse lockfile: ${e.message}`);
+  }
+}
+
+function parseNpmLockfile(content, filePath) {
+  const lockfile = JSON.parse(content);
+  const packages = [];
+
+  if (lockfile.packages) {
+    for (const [key, pkg] of Object.entries(lockfile.packages)) {
+      if (key === '') continue;
+      const name = pkg.name || key.replace(/^node_modules\//, '').replace(/^[^/]+\//, '');
+      packages.push({
+        name,
+        version: pkg.version || 'unknown',
+        resolved: pkg.resolved || '',
+        integrity: pkg.integrity || '',
+        path: key,
+        peerDeps: pkg.peerDependencies || {},
+        dev: pkg.dev || false,
+        optional: pkg.optional || false,
+        scripts: pkg.scripts || {},
+        dependencies: pkg.dependencies || {}
+      });
+    }
+  }
+
+  const rootDeps = lockfile.packages?.['node_modules/'] || {};
+  return {
+    version: lockfile.lockfileVersion,
+    packages,
+    root: {
+      name: rootDeps.name || 'unknown',
+      version: rootDeps.version || 'unknown',
+      dependencies: rootDeps.dependencies || {},
+      devDependencies: rootDeps.devDependencies || {},
+      peerDependencies: rootDeps.peerDependencies || {}
+    }
+  };
+}
+
+function parseYarnLockfile(content, filePath) {
+  const packages = [];
+  const lines = content.split('\n');
+  let i = 0;
+  const n = lines.length;
+
+  const MULTI_ENTRY_RE = /^"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*,\s*"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*:\s*$/;
+  const SINGLE_ENTRY_RE = /^"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*:\s*$/;
+
+  while (i < n) {
+    let line = lines[i].trimEnd();
+
+    let specs = [];
+
+    const multiMatch = line.match(MULTI_ENTRY_RE);
+    const singleMatch = line.match(SINGLE_ENTRY_RE);
+
+    if (multiMatch) {
+      specs = [
+        { name: multiMatch[1], specVersion: multiMatch[2] },
+        { name: multiMatch[3], specVersion: multiMatch[4] }
+      ];
+    } else if (singleMatch) {
+      specs = [{ name: singleMatch[1], specVersion: singleMatch[2] }];
+    }
+
+    if (specs.length > 0) {
+      let version = '';
+      let resolved = '';
+      let integrity = '';
+      const dependencies = {};
+      const optionalDependencies = {};
+      const peerDependencies = {};
+      let dev = false;
+      let optional = false;
+
+      i++;
+      while (i < n) {
+        const bodyLine = lines[i];
+        const bodyTrim = bodyLine.trimEnd();
+
+        if (bodyTrim === '' || bodyTrim.startsWith('#')) {
+          i++;
+          continue;
+        }
+
+        if (bodyTrim.endsWith(':') && !bodyLine.startsWith(' ')) {
+          break;
+        }
+
+        if (bodyTrim.startsWith('version ')) {
+          const vMatch = bodyTrim.match(/^version ['"]([^'"]+)['"]/);
+          if (vMatch) version = vMatch[1];
+        } else if (bodyTrim.match(/^\s*resolved\s+(.+)/)) {
+          const rMatch = bodyTrim.match(/^\s*resolved\s+(.+)/);
+          if (rMatch) {
+            resolved = rMatch[1].trim().replace(/^['"]|['"]$/g, '');
+            if (resolved.startsWith('https://registry.yarnpkg.com/')) {
+              resolved = resolved.replace('https://registry.yarnpkg.com/', 'https://registry.npmjs.org/');
+            }
+          }
+        } else if (bodyTrim.startsWith('integrity ')) {
+          integrity = bodyTrim.replace('integrity ', '').trim();
+        } else if (bodyTrim.startsWith('dependencies')) {
+          const m = bodyTrim.match(/^dependencies\s+(.*)/);
+          if (m) parseDepList(m[1], dependencies);
+        } else if (bodyTrim.startsWith('optionalDependencies')) {
+          const m = bodyTrim.match(/^optionalDependencies\s+(.*)/);
+          if (m) parseDepList(m[1], optionalDependencies);
+        } else if (bodyTrim.startsWith('peerDependencies')) {
+          const m = bodyTrim.match(/^peerDependencies\s+(.*)/);
+          if (m) parseDepList(m[1], peerDependencies);
+        } else if (bodyTrim.match(/^\s*dev\s+(true|false)$/)) {
+          dev = bodyTrim.includes('true');
+        } else if (bodyTrim.match(/^\s*optional\s+(true|false)$/)) {
+          optional = bodyTrim.includes('true');
+        }
+
+        i++;
+      }
+
+      for (const { name, specVersion } of specs) {
         packages.push({
           name,
-          version: pkg.version || 'unknown',
-          resolved: pkg.resolved || '',
-          integrity: pkg.integrity || '',
-          path: key,
-          peerDeps: pkg.peerDependencies || {},
-          dev: pkg.dev || false,
-          optional: pkg.optional || false,
-          scripts: pkg.scripts || {},
-          dependencies: pkg.dependencies || {}
+          version: version || specVersion,
+          resolved,
+          integrity,
+          path: `node_modules/${name}`,
+          peerDeps: peerDependencies,
+          dev,
+          optional,
+          scripts: {},
+          dependencies,
+          optionalDependencies
         });
       }
+    } else {
+      i++;
+    }
+  }
+
+  const rootDeps = {};
+  const rootDevDeps = {};
+
+  for (const pkg of packages) {
+    const topDeps = pkg.dev ? rootDevDeps : rootDeps;
+    for (const depName of Object.keys(pkg.dependencies)) {
+      topDeps[depName] = pkg.dependencies[depName];
     }
+  }
+
+  return {
+    version: 2,
+    packages,
+    root: {
+      name: 'root',
+      version: 'unknown',
+      dependencies: rootDeps,
+      devDependencies: rootDevDeps,
+      peerDependencies: {}
+    }
+  };
+}
+
+function parseDepList(str, dest) {
+  const cleaned = str.replace(/^[[\]]/g, '').trim();
+  if (!cleaned) return;
+  const re = /([\w@./-]+)\s+\^?([\w@./-]+)/g;
+  let m;
+  while ((m = re.exec(cleaned)) !== null) {
+    dest[m[1]] = m[2];
+  }
+}
 
-    const rootDeps = lockfile.packages?.['node_modules/'] || {};
-    return {
-      version: lockfile.lockfileVersion,
-      packages,
-      root: {
-        name: rootDeps.name || 'unknown',
-        version: rootDeps.version || 'unknown',
-        dependencies: rootDeps.dependencies || {},
-        devDependencies: rootDeps.devDependencies || {},
-        peerDependencies: rootDeps.peerDependencies || {}
+function parsePnpmLockfile(content, filePath) {
+  const lockfile = yaml.load(content);
+  const packages = [];
+
+  if (lockfile.packages) {
+    for (const [key, pkg] of Object.entries(lockfile.packages)) {
+      const nameMatch = key.match(/^\/(.+?)@([^@/]+)$/);
+      if (!nameMatch) continue;
+      const name = nameMatch[1];
+      const version = nameMatch[2];
+
+      const resolved = pkg.resolution?.url || '';
+      let integrity = '';
+      if (pkg.resolution?.integrity) {
+        integrity = pkg.resolution.integrity;
+      } else if (pkg.resolution?.sha512) {
+        integrity = `sha512-${pkg.resolution.sha512}`;
       }
-    };
-  } catch (e) {
-    throw new Error(`Failed to parse lockfile: ${e.message}`);
+
+      packages.push({
+        name,
+        version,
+        resolved,
+        integrity,
+        path: `node_modules/${name}`,
+        peerDeps: pkg.peerDependencies || {},
+        dev: pkg.dev || false,
+        optional: pkg.optional || false,
+        scripts: pkg.hasBundledMedia ? { bundled: true } : {},
+        dependencies: pkg.dependencies || {},
+        optionalDependencies: pkg.optionalDependencies || {}
+      });
+    }
   }
+
+  const rootDeps = lockfile.importers?.['.'] || lockfile.root || {};
+  const rootDepsMap = rootDeps.dependencies || {};
+  const rootDevDepsMap = rootDeps.devDependencies || {};
+  const rootPeerDepsMap = rootDeps.peerDependencies || {};
+
+  const version = lockfile.version || (lockfile.lockfileVersion ?? 6);
+
+  return {
+    version,
+    packages,
+    root: {
+      name: 'root',
+      version: lockfile.lockfileVersion ? 'unknown' : 'unknown',
+      dependencies: rootDepsMap,
+      devDependencies: rootDevDepsMap,
+      peerDependencies: rootPeerDepsMap
+    }
+  };
 }
 
 export function checkMaliciousPatterns(pkg) {
@@ -96,7 +314,7 @@ export function analyzeDependencyGraph(lockfileData) {
     }
 
     if (pkg.dependencies && typeof pkg.dependencies === 'object' && Object.keys(pkg.dependencies).length > 5) {
-      const transitiveCount = Object.keys(pkg.dependencies).filter(k => k.includes('scope')).length;
+      const transitiveCount = Object.keys(pkg.dependencies).filter(k => k.includes('/')).length;
       if (transitiveCount > 3) {
         findings.push({
           id: 'ATK-011',
@@ -107,6 +325,16 @@ export function analyzeDependencyGraph(lockfileData) {
         });
       }
     }
+
+    if (pkg.optionalDependencies && Object.keys(pkg.optionalDependencies).length > 10) {
+      findings.push({
+        id: 'ATK-011',
+        severity: 'low',
+        title: 'Transitive propagation (worm)',
+        description: `Package "${pkg.name}" has excessive optional dependencies (${Object.keys(pkg.optionalDependencies).length})`,
+        evidence: `optional dep chain: ${pkg.name} -> [${Object.keys(pkg.optionalDependencies).slice(0, 3).join(', ')}, ...]`
+      });
+    }
   }
 
   return findings;

package/cli/cli.js

@@ -163,7 +163,7 @@ program
 
 program
   .command('scan-lockfile')
-  .description('Scan package-lock.json')
+  .description('Scan package lockfile (npm/yarn/pnpm)')
   .option('-f, --file <path>', 'lockfile path', 'package-lock.json')
   .option('--fail-on <level>', 'Exit with code 1 if findings >= level (low|medium|high|critical)', 'none')
   .option('--csv [file]', 'Output CSV format to file or stdout')
@@ -171,43 +171,46 @@ program
   .option('--watch', 'Watch for changes and re-scan automatically')
   .option('--debounce <ms>', 'Debounce delay in ms before rescanning (default: 1000)', '1000')
   .option('--silent', 'Suppress stdout output (useful for piping)')
-  .option('--monorepo', 'Scan all package-lock.json files in workspace')
+  .option('--monorepo', 'Scan all lockfiles in workspace (auto-detect type)')
+  .option('--yarn', 'Force yarn.lock format')
+  .option('--pnpm', 'Force pnpm-lock.yaml format')
   .action(async (options) => {
     const silent = options.silent;
     const debounce = parseInt(options.debounce, 10) || 1000;
     const isWatch = options.watch;
     const isMonorepo = options.monorepo;
 
-    if (isWatch) {
-      if (isMonorepo) {
-        const lockfiles = await glob('**/package-lock.json', { ignore: 'node_modules/**' });
+      if (isWatch) {
+        if (isMonorepo) {
+          const lockfiles = await glob('**/{package-lock.json,yarn.lock,pnpm-lock.yaml}', { ignore: 'node_modules/**' });
 
-        if (!silent) {
-          console.log(`\x1b[32m✔\x1b[0m npm-scan watch mode (monorepo) — ${lockfiles.length} lockfiles`);
-          console.log(`  Debounce: ${debounce}ms | Press Ctrl+C to stop\n`);
-        }
+          if (!silent) {
+            console.log(`\x1b[32m✔\x1b[0m npm-scan watch mode (monorepo) — ${lockfiles.length} lockfiles`);
+            console.log(`  Debounce: ${debounce}ms | Press Ctrl+C to stop\n`);
+          }
 
-        let timers = {};
-        for (const lf of lockfiles) {
-          if (!silent) console.log(`  Watching: ${lf}`);
-          const watcher = watch(lf, (eventType) => {
-            if (eventType !== 'change') return;
-            clearTimeout(timers[lf]);
-            timers[lf] = setTimeout(() => {
-              if (!silent) {
-                console.log(`\n\x1b[90m[${new Date().toLocaleTimeString()}]\x1b[0m ${lf} changed — scanning...`);
-              }
-              try {
-                execSync(`node cli/cli.js scan-lockfile -f "${lf}" --fail-on ${options.failOn || 'high'} --silent`, { stdio: silent ? 'ignore' : 'inherit' });
-              } catch (e) {}
-            }, debounce);
-          });
-        }
+          let timers = {};
+          for (const lf of lockfiles) {
+            if (!silent) console.log(`  Watching: ${lf}`);
+            const watcher = watch(lf, (eventType) => {
+              if (eventType !== 'change') return;
+              clearTimeout(timers[lf]);
+              timers[lf] = setTimeout(() => {
+                if (!silent) {
+                  console.log(`\n\x1b[90m[${new Date().toLocaleTimeString()}]\x1b[0m ${lf} changed — scanning...`);
+                }
+                const lockType = lf.includes('yarn') ? '--yarn' : lf.includes('pnpm') ? '--pnpm' : '';
+                try {
+                  execSync(`node cli/cli.js scan-lockfile -f "${lf}" --fail-on ${options.failOn || 'high'} --silent ${lockType}`, { stdio: silent ? 'ignore' : 'inherit' });
+                } catch (e) {}
+              }, debounce);
+            });
+          }
 
-        process.on('SIGINT', () => {
-          if (!silent) console.log('\n\x1b[33m✖\x1b[0m Stopped.');
-          process.exit(0);
-        });
+          process.on('SIGINT', () => {
+            if (!silent) console.log('\n\x1b[33m✖\x1b[0m Stopped.');
+            process.exit(0);
+          });
       } else {
         const lockfile = options.file;
         let lastSize = 0;
@@ -242,7 +245,7 @@ program
 
         if (!silent) console.log(`\x1b[32m✔\x1b[0m Scanning lockfile: ${lockfile}`);
 
-        const lockfileData = parseLockfile(lockfile);
+        const lockfileData = parseLockfile(lockfile, { autoDetect: !options.yarn && !options.pnpm });
         const results = generateLockfileReport(lockfileData);
 
         if (!silent) {

package/deploy/helm/npm-scan/values.byoc.yaml

@@ -2,7 +2,7 @@
 # Deploy to your VPC: helm install -f values.byoc.yaml npm-scan ./
 
 image:
-  repository: ghcr.io/lateos/npm-scan
+  repository: lateos/npm-scan
   tag: "1.0.0"
 
 premium:

package/deploy/helm/npm-scan/values.yaml

@@ -2,7 +2,7 @@
 # Override per environment: helm install -f values-prod.yaml
 
 image:
-  repository: ghcr.io/lateos/npm-scan
+  repository: lateos/npm-scan
   tag: latest
   pullPolicy: Always
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lateos/npm-scan",
-  "version": "0.13.1",
+  "version": "0.15.0",
   "description": "Modern npm supply chain security scanner — detects obfuscated payloads, credential stealers, conditional triggers, sandbox evasion, and worm-like propagation. 11 attack types, SBOM, NIST/EU CRA compliance reporting.",
   "main": "backend/index.js",
   "bin": {
@@ -34,7 +34,9 @@
     "corpus": "node tests/corpus/run.js"
   },
   "lint-staged": {
-    "**/package{,-lock}.json": "node cli/cli.js scan-lockfile --fail-on high"
+    "**/package{,-lock}.json": "node cli/cli.js scan-lockfile --fail-on high",
+    "**/yarn.lock": "node cli/cli.js scan-lockfile --fail-on high --yarn",
+    "**/pnpm-lock.yaml": "node cli/cli.js scan-lockfile --fail-on high --pnpm"
   },
   "publishConfig": {
     "access": "public"

package/test/fixtures/lockfiles/npm-lock.json

@@ -0,0 +1,69 @@
+{
+  "name": "test-project",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "packages": {
+    "": {
+      "name": "test-project",
+      "version": "1.0.0",
+      "dependencies": {
+        "lodash": "^4.17.21",
+        "axios": "^1.6.0"
+      },
+      "devDependencies": {
+        "@babel/core": "^7.23.0"
+      }
+    },
+    "node_modules/lodash": {
+      "name": "lodash",
+      "version": "4.17.21",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
+      "integrity": "sha512-v2kDEeDAnj4p1hhL6Ogrgu4BSWwg8cD2fRIouDAiqwu+iNl1IvyMex9jG9j8OpNp1zntnv/headququbit",
+      "dependencies": {}
+    },
+    "node_modules/axios": {
+      "name": "axios",
+      "version": "1.6.8",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
+      "integrity": "sha512-j2xvyqwsdd456789abcdef",
+      "dependencies": {
+        "form-data": "4.0.0",
+        "proxy-from-env": "1.1.0"
+      }
+    },
+    "node_modules/axios/node_modules/form-data": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
+      "integrity": "sha512-444567890123456"
+    },
+    "node_modules/@babel/core": {
+      "name": "@babel/core",
+      "version": "7.23.9",
+      "resolved": "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz",
+      "integrity": "sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==",
+      "dev": true,
+      "dependencies": {
+        "@babel/generator": "^7.23.6",
+        "@babel/parser": "^7.23.9"
+      }
+    },
+    "node_modules/reakt": {
+      "name": "reakt",
+      "version": "18.2.0",
+      "resolved": "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz",
+      "integrity": "sha-abcdabcd1234defghi",
+      "optional": true,
+      "dependencies": {}
+    },
+    "node_modules/express": {
+      "name": "express",
+      "version": "4.18.2",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
+      "integrity": "sha512-abcdabcd1234abcdefghi",
+      "dependencies": {
+        "accepts": "~1.3.8",
+        "body-parser": "1.20.2"
+      }
+    }
+  }
+}

package/test/fixtures/lockfiles/pnpm-lock.yaml

@@ -0,0 +1,118 @@
+lockfileVersion: "6.0"
+
+importers:
+  .:
+    dependencies:
+      lodash: "^4.17.21"
+      axios: "^1.6.0"
+    devDependencies:
+      "@babel/core": "^7.23.0"
+    optionalDependencies:
+      chalk: "^5.3.0"
+    peerDependencies:
+      react: ">=16"
+
+packages:
+  "/lodash@4.17.21":
+    resolution:
+      url: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
+      sha512: X2xvyqwsdd456789abcdefghijk
+    dev: false
+    optional: false
+    dependencies: {}
+
+  "/axios@1.6.8":
+    resolution:
+      url: "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz"
+      sha512: j2xvyqwsdd456789abcdef
+    dev: false
+    optional: false
+    dependencies:
+      form-data: "4.0.0"
+      proxy-from-env: "1.1.0"
+
+  "/reakt@18.2.0":
+    resolution:
+      url: "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
+      sha512: abcdefghijk123456789
+    dev: false
+    optional: true
+    dependencies: []
+
+  "/@babel/core@7.23.9":
+    resolution:
+      url: "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz"
+      sha512: k2yVyqwsdd456789abcdefghij
+    dev: true
+    optional: false
+    dependencies:
+      "@babel/generator": "7.23.6"
+      "@babel/parser": "7.23.9"
+      "@babel/traverse": "7.23.9"
+      "@babel/types": "7.23.9"
+      convert-source-map: "2.0.0"
+      debug: "4.1.0"
+      gensync: "1.0.0-beta.2"
+      json5: "2.2.3"
+      semver: "6.3.1"
+
+  "/@babel/generator@7.23.6":
+    resolution:
+      url: "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.6.tgz"
+      sha512: abcdefghijk12345678abcdef
+    dev: false
+    optional: false
+    dependencies:
+      "@babel/types": "7.23.6"
+      "@jridgewell/gen-mapping": "0.3.2"
+      "@jridgewell/trace-mapping": "0.3.17"
+      jsesc: "2.5.1"
+
+  "/expres@4.18.2":
+    resolution:
+      url: "https://registry.npmjs.org/expres-4.18.2.tgz"
+      sha512: abcdefghijk12345678
+    dev: false
+    optional: false
+    dependencies:
+      accepts: "1.3.8"
+      array-flatten: "1.1.1"
+      body-parser: "1.20.2"
+      content-disposition: "0.5.4"
+      content-type: "1.0.5"
+      cookie: "0.5.0"
+      cookie-signature: "1.0.6"
+      debug: "2.6.9"
+      depd: "2.0.0"
+      encodeurl: "1.0.2"
+      escape-html: "1.0.3"
+      etag: "1.8.1"
+      finalhandler: "1.2.0"
+      fresh: "0.5.2"
+      http-errors: "2.0.0"
+      merge-descriptors: "1.0.1"
+      methods: "1.1.2"
+      on-finished: "2.4.1"
+      parseurl: "1.3.3"
+      path-to-regexp: "0.1.7"
+      proxy-addr: "2.0.7"
+      qs: "6.11.0"
+      range-parser: "1.2.1"
+      safe-buffer: "5.2.1"
+      send: "0.18.0"
+      serve-static: "1.15.0"
+      setprototypeof: "1.2.0"
+      statuses: "2.0.1"
+      type-is: "1.6.18"
+      utils-merge: "1.0.1"
+      vary: "1.1.2"
+
+  "/my-scope-plugin@1.0.0":
+    resolution:
+      url: "https://registry.npmjs.org/my-scope-plugin/-/my-scope-plugin-1.0.0.tgz"
+      sha512: defghijk123456789abcdef
+    dev: false
+    optional: false
+    dependencies:
+      lodash: "4.17.21"
+      axios: "1.6.8"

package/test/fixtures/lockfiles/yarn.lock

@@ -0,0 +1,104 @@
+lodash@^4.17.21:
+  version "4.17.21"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz"
+  integrity sha512-Vythumb
+  dependencies: {}
+  dev false
+  optional true
+
+axios@^1.6.0:
+  version "1.6.8"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.6.8.tgz"
+  integrity sha-j2xvyqwsdd456789abcdef
+  dependencies:
+    form-data "4.0.0"
+    proxy-from-env "1.1.0"
+  dev false
+  optional false
+
+"@babel/core@^7.23.0", "@babel/core@^7.23.9":
+  version "7.23.9"
+  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.9.tgz"
+  integrity sha512-5q+M1iEJCOrGJs9NxzG3p3z7w2cJK/QuoRoI2pOJhtcNQjl9y7w6w4At5ZQHZdwqd+5N5G1lULu7I6pXVBw==
+  dependencies:
+    "@babel/generator" "^7.23.6"
+    "@babel/parser" "^7.23.9"
+    "@babel/traverse" "^7.23.9"
+    "@babel/types" "^7.23.9"
+    convert-source-map "^2.0.0"
+    debug "^4.1.0"
+    gensync "^1.0.0-beta.2"
+    json5 "^2.2.3"
+    semver "^6.3.1"
+    rimraf "^3.0.2"
+  dev true
+  optional false
+
+"@babel/generator@^7.23.6", "@babel/generator@^7.23.9":
+  version "7.23.6"
+  resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.23.6.tgz"
+  integrity sha512-56bfx9G1AJAFDl5QuK6t7MTCW3CBi7J8j+GxJJPvZ7L1f4P2FG8f9dBiH8Hg4U5Gcb6Bi4Y8DQ8x0j8b1QE8w==
+  dependencies:
+    "@babel/types" "^7.23.6"
+    "@jridgewell/gen-mapping" "^0.3.2"
+    "@jridgewell/trace-mapping" "^0.3.17"
+    jsesc "^2.5.1"
+  dev false
+  optional false
+
+reakt@^18.2.0:
+  version "18.2.0"
+  resolved "https://registry.yarnpkg.com/reakt/-/reakt-18.2.0.tgz"
+  integrity sha512-abcdabcd1234defghi
+  dependencies: []
+  dev false
+  optional true
+
+express@npm:expres@^4.18.2:
+  version "4.18.2"
+  resolved "https://registry.npmjs.org/expres-4.18.2.tgz"
+  integrity sha512-abcdabcd1234abcdefghi
+  dependencies:
+    accepts "~1.3.8"
+    array-flatten "1.1.1"
+    body-parser "1.20.2"
+    content-disposition "0.5.4"
+    content-type "~1.0.5"
+    cookie "0.5.0"
+    cookie-signature "1.0.6"
+    debug "2.6.9"
+    depd "2.0.0"
+    encodeurl "~1.0.2"
+    escape-html "~1.0.3"
+    etag "~1.8.1"
+    finalhandler "1.2.0"
+    fresh "0.5.2"
+    http-errors "2.0.0"
+    merge-descriptors "1.0.1"
+    methods "~1.1.2"
+    on-finished "2.4.1"
+    parseurl "~1.3.3"
+    path-to-regexp "0.1.7"
+    proxy-addr "~2.0.7"
+    qs "6.11.0"
+    range-parser "~1.2.1"
+    safe-buffer "5.2.1"
+    send "0.18.0"
+    serve-static "1.15.0"
+    setprototypeof "1.2.0"
+    statuses "2.0.1"
+    type-is "~1.6.18"
+    utils-merge "1.0.1"
+    vary "~1.1.2"
+  dev false
+  optional false
+
+"my-scope-plugin@npm:my-scope-plugin@^1.0.0":
+  version "1.0.0"
+  resolved "https://registry.npmjs.org/my-scope-plugin-1.0.0.tgz"
+  integrity sha512-abcdefghijk123456789abcdef
+  dependencies:
+    lodash "^4.17.21"
+    axios "^1.6.0"
+  dev false
+  optional false