@lateos/npm-scan 0.16.4 → 0.17.0

package/backend/fetch.js

@@ -1,176 +1,176 @@
-import fs from 'fs';
-import os from 'os';
-import path from 'path';
-import { extract } from 'tar';
-import zlib from 'zlib';
-import { Readable } from 'stream';
-import { pipeline } from 'stream/promises';
-
-export async function fetchPackage(target, options = {}) {
-  const { cacheDir, cacheTTL = 604800, cacheMaxSize = 1000000000 } = options;
-  let name, version;
-  
-  if (target.startsWith('@')) {
-    const lastAt = target.lastIndexOf('@');
-    name = target.slice(0, lastAt);
-    version = target.slice(lastAt + 1);
-    if (!version) version = undefined;
-  } else {
-    const idx = target.indexOf('@');
-    name = idx > -1 ? target.slice(0, idx) : target;
-    version = idx > -1 ? target.slice(idx + 1) : undefined;
-  }
-  
-  const endpoint = version ? `/${encodeURIComponent(name)}/${version}` : `/${encodeURIComponent(name)}/latest`;
-
-  if (cacheDir) {
-    const cached = getFromCache(cacheDir, target, cacheTTL);
-    if (cached) {
-      const tmpDir = path.join(os.tmpdir(), 'npm-scan-cache-' + Date.now());
-      return { ...(await extractTarball(cached, tmpDir)), meta: null };
-    }
-  }
-
-  const metaRes = await fetch(`https://registry.npmjs.org${endpoint}`);
-  const meta = await metaRes.json();
-
-  if (!metaRes.ok || !meta.dist?.tarball) {
-    throw new Error(`Package '${target}' not found on npm (${metaRes.status})`);
-  }
-
-  const tarUrl = meta.dist.tarball;
-  const tarRes = await fetch(tarUrl);
-  const buffer = Buffer.from(await tarRes.arrayBuffer());
-  if (buffer.length > 500 * 1024 * 1024) throw new Error('Tarball too large');
-
-  // Save to cache if enabled
-  if (cacheDir) {
-    saveToCache(cacheDir, target, buffer, cacheTTL, cacheMaxSize);
-  }
-
-  const tmpDir = path.join(os.tmpdir(), 'npm-scan-' + Date.now());
-  return { ...(await extractTarball(buffer, tmpDir)), meta };
-}
-
-function getFromCache(cacheDir, target, ttl) {
-  const cachePath = path.join(cacheDir, `${target.replace('/', '-')}.tgz`);
-  const metaPath = path.join(cacheDir, `${target.replace('/', '-')}.meta.json`);
-  
-  try {
-    if (!fs.existsSync(cachePath) || !fs.existsSync(metaPath)) return null;
-    
-    const meta = JSON.parse(fs.readFileSync(metaPath, 'utf8'));
-    const age = (Date.now() - meta.timestamp) / 1000;
-    
-    if (age > ttl) {
-      fs.unlinkSync(cachePath);
-      fs.unlinkSync(metaPath);
-      return null;
-    }
-    
-    return fs.readFileSync(cachePath);
-  } catch {
-    return null;
-  }
-}
-
-function saveToCache(cacheDir, target, buffer, ttl, maxSize) {
-  try {
-    if (!fs.existsSync(cacheDir)) {
-      fs.mkdirSync(cacheDir, { recursive: true });
-    }
-    
-    // Prune if needed
-    pruneCache(cacheDir, maxSize);
-    
-    const safeName = target.replace('/', '-');
-    const cachePath = path.join(cacheDir, `${safeName}.tgz`);
-    const metaPath = path.join(cacheDir, `${safeName}.meta.json`);
-    
-    fs.writeFileSync(cachePath, buffer);
-    fs.writeFileSync(metaPath, JSON.stringify({ timestamp: Date.now(), size: buffer.length }));
-  } catch (e) {
-    // Cache write failure - continue without caching
-  }
-}
-
-function pruneCache(cacheDir, maxSize) {
-  try {
-    const files = fs.readdirSync(cacheDir).filter(f => f.endsWith('.meta.json'));
-    let totalSize = 0;
-    const fileInfos = [];
-    
-    for (const f of files) {
-      const meta = JSON.parse(fs.readFileSync(path.join(cacheDir, f), 'utf8'));
-      const tarFile = f.replace('.meta.json', '.tgz');
-      const size = meta.size || 0;
-      totalSize += size;
-      fileInfos.push({ tarFile, metaFile: f, timestamp: meta.timestamp, size });
-    }
-    
-    if (totalSize > maxSize) {
-      // Sort by oldest first and remove until under limit
-      fileInfos.sort((a, b) => a.timestamp - b.timestamp);
-      for (const info of fileInfos) {
-        if (totalSize <= maxSize * 0.8) break; // Leave 20% margin
-        try {
-          fs.unlinkSync(path.join(cacheDir, info.tarFile));
-          fs.unlinkSync(path.join(cacheDir, info.metaFile));
-          totalSize -= info.size;
-        } catch {}
-      }
-    }
-  } catch {
-    // Prune failure - ignore
-  }
-}
-
-export async function scanLocalTarball(filePath) {
-  const buffer = fs.readFileSync(filePath);
-  const tmpDir = path.join(os.tmpdir(), 'npm-scan-local-' + Date.now());
-  return await extractTarball(buffer, tmpDir);
-}
-
-async function extractTarball(buffer, tmpDir) {
-  fs.mkdirSync(tmpDir, { recursive: true });
-
-  const stream = Readable.from(buffer);
-  await pipeline(
-    stream,
-    zlib.createGunzip(),
-    extract({ cwd: tmpDir, strip: 1 })
-  );
-
-  const pkgPath = path.join(tmpDir, 'package.json');
-  const pkgJsonStr = fs.readFileSync(pkgPath, 'utf8');
-  const pkgJson = JSON.parse(pkgJsonStr);
-
-  const jsFiles = walkFiles(tmpDir, '.js').map(p => ({
-    path: p,
-    content: fs.readFileSync(p, 'utf8')
-  }));
-
-  const allFiles = walkFiles(tmpDir, '').map(p => ({
-    path: p,
-    content: fs.readFileSync(p, 'utf8')
-  }));
-
-  return { pkgJson, jsFiles, allFiles, tmpDir };
-}
-
-function walkFiles(dir, ext) {
-  const results = [];
-  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
-    const full = path.join(dir, entry.name);
-    if (entry.isDirectory() && entry.name !== 'node_modules') {
-      results.push(...walkFiles(full, ext));
-    } else if (entry.isFile() && full.endsWith(ext)) {
-      results.push(full);
-    }
-  }
-  return results;
-}
-
-export function cleanup(tmpDir) {
-  fs.rmSync(tmpDir, { recursive: true, force: true });
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { extract } from 'tar';
+import zlib from 'zlib';
+import { Readable } from 'stream';
+import { pipeline } from 'stream/promises';
+
+export async function fetchPackage(target, options = {}) {
+  const { cacheDir, cacheTTL = 604800, cacheMaxSize = 1000000000 } = options;
+  let name, version;
+  
+  if (target.startsWith('@')) {
+    const lastAt = target.lastIndexOf('@');
+    name = target.slice(0, lastAt);
+    version = target.slice(lastAt + 1);
+    if (!version) version = undefined;
+  } else {
+    const idx = target.indexOf('@');
+    name = idx > -1 ? target.slice(0, idx) : target;
+    version = idx > -1 ? target.slice(idx + 1) : undefined;
+  }
+  
+  const endpoint = version ? `/${encodeURIComponent(name)}/${version}` : `/${encodeURIComponent(name)}/latest`;
+
+  if (cacheDir) {
+    const cached = getFromCache(cacheDir, target, cacheTTL);
+    if (cached) {
+      const tmpDir = path.join(os.tmpdir(), 'npm-scan-cache-' + Date.now());
+      return { ...(await extractTarball(cached, tmpDir)), meta: null };
+    }
+  }
+
+  const metaRes = await fetch(`https://registry.npmjs.org${endpoint}`);
+  const meta = await metaRes.json();
+
+  if (!metaRes.ok || !meta.dist?.tarball) {
+    throw new Error(`Package '${target}' not found on npm (${metaRes.status})`);
+  }
+
+  const tarUrl = meta.dist.tarball;
+  const tarRes = await fetch(tarUrl);
+  const buffer = Buffer.from(await tarRes.arrayBuffer());
+  if (buffer.length > 500 * 1024 * 1024) throw new Error('Tarball too large');
+
+  // Save to cache if enabled
+  if (cacheDir) {
+    saveToCache(cacheDir, target, buffer, cacheTTL, cacheMaxSize);
+  }
+
+  const tmpDir = path.join(os.tmpdir(), 'npm-scan-' + Date.now());
+  return { ...(await extractTarball(buffer, tmpDir)), meta };
+}
+
+function getFromCache(cacheDir, target, ttl) {
+  const cachePath = path.join(cacheDir, `${target.replace('/', '-')}.tgz`);
+  const metaPath = path.join(cacheDir, `${target.replace('/', '-')}.meta.json`);
+  
+  try {
+    if (!fs.existsSync(cachePath) || !fs.existsSync(metaPath)) return null;
+    
+    const meta = JSON.parse(fs.readFileSync(metaPath, 'utf8'));
+    const age = (Date.now() - meta.timestamp) / 1000;
+    
+    if (age > ttl) {
+      fs.unlinkSync(cachePath);
+      fs.unlinkSync(metaPath);
+      return null;
+    }
+    
+    return fs.readFileSync(cachePath);
+  } catch {
+    return null;
+  }
+}
+
+function saveToCache(cacheDir, target, buffer, ttl, maxSize) {
+  try {
+    if (!fs.existsSync(cacheDir)) {
+      fs.mkdirSync(cacheDir, { recursive: true });
+    }
+    
+    // Prune if needed
+    pruneCache(cacheDir, maxSize);
+    
+    const safeName = target.replace('/', '-');
+    const cachePath = path.join(cacheDir, `${safeName}.tgz`);
+    const metaPath = path.join(cacheDir, `${safeName}.meta.json`);
+    
+    fs.writeFileSync(cachePath, buffer);
+    fs.writeFileSync(metaPath, JSON.stringify({ timestamp: Date.now(), size: buffer.length }));
+  } catch (e) {
+    // Cache write failure - continue without caching
+  }
+}
+
+function pruneCache(cacheDir, maxSize) {
+  try {
+    const files = fs.readdirSync(cacheDir).filter(f => f.endsWith('.meta.json'));
+    let totalSize = 0;
+    const fileInfos = [];
+    
+    for (const f of files) {
+      const meta = JSON.parse(fs.readFileSync(path.join(cacheDir, f), 'utf8'));
+      const tarFile = f.replace('.meta.json', '.tgz');
+      const size = meta.size || 0;
+      totalSize += size;
+      fileInfos.push({ tarFile, metaFile: f, timestamp: meta.timestamp, size });
+    }
+    
+    if (totalSize > maxSize) {
+      // Sort by oldest first and remove until under limit
+      fileInfos.sort((a, b) => a.timestamp - b.timestamp);
+      for (const info of fileInfos) {
+        if (totalSize <= maxSize * 0.8) break; // Leave 20% margin
+        try {
+          fs.unlinkSync(path.join(cacheDir, info.tarFile));
+          fs.unlinkSync(path.join(cacheDir, info.metaFile));
+          totalSize -= info.size;
+        } catch {}
+      }
+    }
+  } catch {
+    // Prune failure - ignore
+  }
+}
+
+export async function scanLocalTarball(filePath) {
+  const buffer = fs.readFileSync(filePath);
+  const tmpDir = path.join(os.tmpdir(), 'npm-scan-local-' + Date.now());
+  return await extractTarball(buffer, tmpDir);
+}
+
+async function extractTarball(buffer, tmpDir) {
+  fs.mkdirSync(tmpDir, { recursive: true });
+
+  const stream = Readable.from(buffer);
+  await pipeline(
+    stream,
+    zlib.createGunzip(),
+    extract({ cwd: tmpDir, strip: 1 })
+  );
+
+  const pkgPath = path.join(tmpDir, 'package.json');
+  const pkgJsonStr = fs.readFileSync(pkgPath, 'utf8');
+  const pkgJson = JSON.parse(pkgJsonStr);
+
+  const jsFiles = walkFiles(tmpDir, '.js').map(p => ({
+    path: p,
+    content: fs.readFileSync(p, 'utf8')
+  }));
+
+  const allFiles = walkFiles(tmpDir, '').map(p => ({
+    path: p,
+    content: fs.readFileSync(p, 'utf8')
+  }));
+
+  return { pkgJson, jsFiles, allFiles, tmpDir };
+}
+
+function walkFiles(dir, ext) {
+  const results = [];
+  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory() && entry.name !== 'node_modules') {
+      results.push(...walkFiles(full, ext));
+    } else if (entry.isFile() && full.endsWith(ext)) {
+      results.push(full);
+    }
+  }
+  return results;
+}
+
+export function cleanup(tmpDir) {
+  fs.rmSync(tmpDir, { recursive: true, force: true });
 }

package/backend/index.js

@@ -1,4 +1,4 @@
-export default {
-  version: '0.1.0',
-  description: 'npm-scan - Supply chain security for npm'
-};
+export default {
+  version: '0.1.0',
+  description: 'npm-scan - Supply chain security for npm'
+};

package/backend/license.js

@@ -1,90 +1,90 @@
-import { createHmac, timingSafeEqual } from 'crypto';
-
-const HMAC_KEY = process.env.NPM_SCAN_LICENSE_SECRET || 'npm-scan-default-dev-key';
-
-const FEATURE_TIERS = {
-  community: [],
-  premium: ['sandbox', 'siem', 'cra', 'nist-pdf', 'rest-api', 'webhooks', 'helm'],
-  enterprise: ['sandbox', 'siem', 'cra', 'nist-pdf', 'rest-api', 'webhooks', 'helm', 'sso', 'audit-logs', 'pg-backend', 'kubernetes'],
-};
-
-const ALL_FEATURES = Object.values(FEATURE_TIERS).flat();
-const ALLOWED_UNLOCKED = ['sbom', 'nist-html', 'html-report', 'sqlite'];
-
-function generateSignature(payload) {
-  return createHmac('sha256', HMAC_KEY).update(JSON.stringify(payload)).digest('hex');
-}
-
-export function generateKey(edition, options = {}) {
-  const payload = {
-    edition,
-    issued: new Date().toISOString(),
-    exp: options.expiresAt || null,
-    seats: options.seats || 1,
-    org: options.org || null,
-  };
-  const sig = generateSignature(payload);
-  const encoded = Buffer.from(JSON.stringify(payload)).toString('base64url');
-  return `npm-scan-${edition}-${encoded}.${sig}`;
-}
-
-export function validateLicense(key, feature = '*') {
-  if (!key) {
-    throw new Error('No license key provided');
-  }
-
-  if (feature === 'scan' || ALLOWED_UNLOCKED.includes(feature)) {
-    return { edition: 'community', features: ALL_FEATURES };
-  }
-
-  const parts = key.split('-');
-  if (parts.length < 4 || !key.includes('.')) {
-    throw new Error('Invalid license key format');
-  }
-
-  const edition = parts[2];
-  const encodedPayload = parts.slice(3).join('-').split('.')[0];
-  const sig = key.split('.')[1];
-
-  let payload;
-  try {
-    payload = JSON.parse(Buffer.from(encodedPayload, 'base64url').toString('utf8'));
-  } catch {
-    throw new Error('Invalid license key payload');
-  }
-
-  const expectedSig = generateSignature(payload);
-  const sigBuf = Buffer.from(sig, 'hex');
-  const expectedBuf = Buffer.from(expectedSig, 'hex');
-  if (sigBuf.length !== expectedBuf.length || !timingSafeEqual(sigBuf, expectedBuf)) {
-    throw new Error('Invalid license key signature');
-  }
-
-  if (payload.exp && new Date(payload.exp) < new Date()) {
-    throw new Error('License key expired');
-  }
-
-  const allowed = FEATURE_TIERS[edition];
-  if (!allowed) {
-    throw new Error(`Unknown license edition: ${edition}`);
-  }
-
-  if (feature !== '*' && !allowed.includes(feature) && !ALLOWED_UNLOCKED.includes(feature)) {
-    throw new Error(`Feature "${feature}" requires ${edition === 'community' ? 'premium' : 'enterprise'} license`);
-  }
-
-  return { edition, features: allowed, ...payload };
-}
-
-export function isFeatureEnabled(feature, licenseKey = process.env.NPM_SCAN_LICENSE_KEY) {
-  try {
-    if (!licenseKey) {
-      const unlocked = feature === 'scan' || ALLOWED_UNLOCKED.includes(feature);
-      if (unlocked) return true;
-    }
-    validateLicense(licenseKey, feature);
-    return true;
-  } catch {
-    return false;
-  }
+import { createHmac, timingSafeEqual } from 'crypto';
+
+const HMAC_KEY = process.env.NPM_SCAN_LICENSE_SECRET || 'npm-scan-default-dev-key';
+
+const FEATURE_TIERS = {
+  community: [],
+  premium: ['sandbox', 'siem', 'cra', 'nist-pdf', 'rest-api', 'webhooks', 'helm'],
+  enterprise: ['sandbox', 'siem', 'cra', 'nist-pdf', 'rest-api', 'webhooks', 'helm', 'sso', 'audit-logs', 'pg-backend', 'kubernetes'],
+};
+
+const ALL_FEATURES = Object.values(FEATURE_TIERS).flat();
+const ALLOWED_UNLOCKED = ['sbom', 'nist-html', 'html-report', 'sqlite'];
+
+function generateSignature(payload) {
+  return createHmac('sha256', HMAC_KEY).update(JSON.stringify(payload)).digest('hex');
+}
+
+export function generateKey(edition, options = {}) {
+  const payload = {
+    edition,
+    issued: new Date().toISOString(),
+    exp: options.expiresAt || null,
+    seats: options.seats || 1,
+    org: options.org || null,
+  };
+  const sig = generateSignature(payload);
+  const encoded = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  return `npm-scan-${edition}-${encoded}.${sig}`;
+}
+
+export function validateLicense(key, feature = '*') {
+  if (!key) {
+    throw new Error('No license key provided');
+  }
+
+  if (feature === 'scan' || ALLOWED_UNLOCKED.includes(feature)) {
+    return { edition: 'community', features: ALL_FEATURES };
+  }
+
+  const parts = key.split('-');
+  if (parts.length < 4 || !key.includes('.')) {
+    throw new Error('Invalid license key format');
+  }
+
+  const edition = parts[2];
+  const encodedPayload = parts.slice(3).join('-').split('.')[0];
+  const sig = key.split('.')[1];
+
+  let payload;
+  try {
+    payload = JSON.parse(Buffer.from(encodedPayload, 'base64url').toString('utf8'));
+  } catch {
+    throw new Error('Invalid license key payload');
+  }
+
+  const expectedSig = generateSignature(payload);
+  const sigBuf = Buffer.from(sig, 'hex');
+  const expectedBuf = Buffer.from(expectedSig, 'hex');
+  if (sigBuf.length !== expectedBuf.length || !timingSafeEqual(sigBuf, expectedBuf)) {
+    throw new Error('Invalid license key signature');
+  }
+
+  if (payload.exp && new Date(payload.exp) < new Date()) {
+    throw new Error('License key expired');
+  }
+
+  const allowed = FEATURE_TIERS[edition];
+  if (!allowed) {
+    throw new Error(`Unknown license edition: ${edition}`);
+  }
+
+  if (feature !== '*' && !allowed.includes(feature) && !ALLOWED_UNLOCKED.includes(feature)) {
+    throw new Error(`Feature "${feature}" requires ${edition === 'community' ? 'premium' : 'enterprise'} license`);
+  }
+
+  return { edition, features: allowed, ...payload };
+}
+
+export function isFeatureEnabled(feature, licenseKey = process.env.NPM_SCAN_LICENSE_KEY) {
+  try {
+    if (!licenseKey) {
+      const unlocked = feature === 'scan' || ALLOWED_UNLOCKED.includes(feature);
+      if (unlocked) return true;
+    }
+    validateLicense(licenseKey, feature);
+    return true;
+  } catch {
+    return false;
+  }
 }