@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/vsix-scan/detectors/activation-event-risk.js

@@ -1,17 +1,26 @@
 const ACTIVATION_RISK_MATRIX = {
   '*': { base: 'critical', label: 'Wildcard (all files)' },
-  'onStartupFinished': { base: 'high', label: 'Startup finished' },
+  onStartupFinished: { base: 'high', label: 'Startup finished' },
   'workspaceContains:**/*': { base: 'high', label: 'Workspace contains wildcard' },
-  'workspaceContains': { base: 'high', label: 'Workspace contains' },
+  workspaceContains: { base: 'high', label: 'Workspace contains' },
   'onCommand:*': { base: 'low', label: 'Any command' },
 };
 
 const DEFAULT_BASE_RISK = 'medium';
 
 const ESCALATION_KEYWORDS = [
-  'npx', 'bun', 'curl', 'wget', 'fetch(',
-  'exec(', 'spawn(', 'execSync', 'spawnSync',
-  'child_process', 'shell: true', 'detached: true',
+  'npx',
+  'bun',
+  'curl',
+  'wget',
+  'fetch(',
+  'exec(',
+  'spawn(',
+  'execSync',
+  'spawnSync',
+  'child_process',
+  'shell: true',
+  'detached: true',
 ];
 
 const BUNDLED_BUN_PATTERN = /bun|runtime/;
@@ -20,7 +29,11 @@ const SIZE_DELTA_THRESHOLD = 400 * 1024;
 
 const SHELL_CMDS = ['npx', 'bun', 'curl', 'wget', 'exec', 'spawn', 'execSync'];
 
-export async function checkActivationEventRisk(extensionManifest, versionHistory = [], priorVersions = []) {
+export async function checkActivationEventRisk(
+  extensionManifest,
+  versionHistory = [],
+  priorVersions = []
+) {
   const signals = [];
 
   const activationEvents = extensionManifest?.activationEvents || [];
@@ -32,7 +45,7 @@ export async function checkActivationEventRisk(extensionManifest, versionHistory
   const riskLabels = ['none', 'low', 'medium', 'high', 'critical'];
   const riskValues = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
 
-  let worstEvent = null;
+  let _worstEvent = null;
   const why = [];
 
   for (const event of activationEvents) {
@@ -41,29 +54,31 @@ export async function checkActivationEventRisk(extensionManifest, versionHistory
       const baseIdx = riskValues[risk.base] || riskValues[DEFAULT_BASE_RISK];
       if (baseIdx > maxBaseRisk) {
         maxBaseRisk = baseIdx;
-        worstEvent = event;
+        _worstEvent = event;
       }
     } else if (event.includes('*') && event !== 'onCommand:*') {
       const baseIdx = riskValues['high'];
       if (baseIdx > maxBaseRisk) {
         maxBaseRisk = baseIdx;
-        worstEvent = event;
+        _worstEvent = event;
       }
     }
   }
 
   const contributes = extensionManifest?.contributes || {};
   const commands = contributes?.commands || [];
-  const cmdTitles = commands.map(c => (c.title || '').toLowerCase()).join(' ');
+  const cmdTitles = commands.map((c) => (c.title || '').toLowerCase()).join(' ');
 
   const bundledDeps = extensionManifest?.bundledDependencies || [];
   const bundledStr = Array.isArray(bundledDeps) ? bundledDeps.join(' ') : '';
 
-  const hasShellKeyword = SHELL_CMDS.some(cmd => cmdTitles.includes(cmd));
+  const hasShellKeyword = SHELL_CMDS.some((cmd) => cmdTitles.includes(cmd));
   const hasBunBundled = BUNDLED_BUN_PATTERN.test(bundledStr);
 
   const activationEventsStr = activationEvents.join(' ');
-  const hasShellInActivationContext = ESCALATION_KEYWORDS.some(kw => activationEventsStr.toLowerCase().includes(kw.toLowerCase()));
+  const hasShellInActivationContext = ESCALATION_KEYWORDS.some((kw) =>
+    activationEventsStr.toLowerCase().includes(kw.toLowerCase())
+  );
 
   let escalateToCritical = false;
 
@@ -74,22 +89,22 @@ export async function checkActivationEventRisk(extensionManifest, versionHistory
 
   if (versionHistory.length >= 2) {
     const sizes = versionHistory
-      .filter(v => v.assetSize)
-      .map(v => v.assetSize)
+      .filter((v) => v.assetSize)
+      .map((v) => v.assetSize)
       .sort((a, b) => b - a);
 
-    if (sizes.length >= 2 && (sizes[0] - sizes[sizes.length - 1]) > SIZE_DELTA_THRESHOLD) {
+    if (sizes.length >= 2 && sizes[0] - sizes[sizes.length - 1] > SIZE_DELTA_THRESHOLD) {
       escalateToCritical = true;
       why.push(`HIGH activation event + version size delta > ${SIZE_DELTA_THRESHOLD} bytes`);
     }
   }
 
   const priorActivationEvents = priorVersions
-    .filter(v => v.activationEvents)
-    .flatMap(v => v.activationEvents);
+    .filter((v) => v.activationEvents)
+    .flatMap((v) => v.activationEvents);
 
   if (priorActivationEvents.length > 0) {
-    const newEvents = activationEvents.filter(e => !priorActivationEvents.includes(e));
+    const newEvents = activationEvents.filter((e) => !priorActivationEvents.includes(e));
     if (newEvents.length > 0) {
       why.push(`First-time activation event(s) added: ${newEvents.join(', ')}`);
       if (!escalateToCritical && maxBaseRisk >= riskValues['high']) {
@@ -103,7 +118,9 @@ export async function checkActivationEventRisk(extensionManifest, versionHistory
     riskLevel = 'critical';
   }
 
-  if (!riskLevel) return { triggered: false, signals: [], riskLevel: null, why: [] };
+  if (!riskLevel) {
+    return { triggered: false, signals: [], riskLevel: null, why: [] };
+  }
 
   signals.push({
     type: 'ACTIVATION_EVENT_RISK',

package/backend/vsix-scan/detectors/burst-publish.js

@@ -4,12 +4,14 @@ export async function checkBurstPublish(versionHistory, config = {}) {
   const hotPullMinutes = config.hotPullMinutes ?? 20;
 
   const entries = versionHistory
-    .filter(v => v.publishedAt)
-    .map(v => ({ version: v.version, time: new Date(v.publishedAt).getTime() }))
-    .filter(e => !Number.isNaN(e.time))
+    .filter((v) => v.publishedAt)
+    .map((v) => ({ version: v.version, time: new Date(v.publishedAt).getTime() }))
+    .filter((e) => !Number.isNaN(e.time))
     .sort((a, b) => a.time - b.time);
 
-  if (entries.length < threshold) return { triggered: false };
+  if (entries.length < threshold) {
+    return { triggered: false };
+  }
 
   const windowMs = windowMinutes * 60 * 1000;
   let burstFound = false;
@@ -21,14 +23,14 @@ export async function checkBurstPublish(versionHistory, config = {}) {
   for (let i = 0; i < entries.length; i++) {
     const start = entries[i].time;
     const end = start + windowMs;
-    const inWindow = entries.filter(e => e.time >= start && e.time <= end);
+    const inWindow = entries.filter((e) => e.time >= start && e.time <= end);
 
     if (inWindow.length >= threshold) {
       burstFound = true;
       burstWindowStart = new Date(start).toISOString();
       burstWindowEnd = new Date(end).toISOString();
       burstVersionCount = inWindow.length;
-      burstVersions = inWindow.map(e => e.version);
+      burstVersions = inWindow.map((e) => e.version);
       break;
     }
   }
@@ -45,7 +47,12 @@ export async function checkBurstPublish(versionHistory, config = {}) {
   return {
     triggered: burstFound || hotPullDetected,
     burstWindow: burstFound
-      ? { start: burstWindowStart, end: burstWindowEnd, versionCount: burstVersionCount, versions: burstVersions }
+      ? {
+          start: burstWindowStart,
+          end: burstWindowEnd,
+          versionCount: burstVersionCount,
+          versions: burstVersions,
+        }
       : null,
     hotPullDetected,
   };

package/backend/vsix-scan/detectors/exfil-pattern.js

@@ -35,7 +35,9 @@ const ANTI_ANALYSIS_PATTERNS = [
 ];
 
 function truncateSnippet(str, maxLen = 200) {
-  if (!str || str.length <= maxLen) return str || '';
+  if (!str || str.length <= maxLen) {
+    return str || '';
+  }
   return str.slice(0, maxLen) + '...';
 }
 
@@ -46,14 +48,16 @@ export async function checkExfilPattern(extensionFiles = []) {
 
   for (const file of extensionFiles) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
 
     for (const cp of CREDENTIAL_FILE_PATTERNS) {
       const match = content.match(cp);
       if (match) {
         const snippet = truncateSnippet(match[0]);
-        if (!exfilPatterns.some(e => e.includes(snippet))) {
+        if (!exfilPatterns.some((e) => e.includes(snippet))) {
           exfilPatterns.push(`${path}: ${snippet}`);
           signals.push({ type: 'CREDENTIAL_FILE_TARGET', pattern: cp.source, file: path });
         }

package/backend/vsix-scan/detectors/known-ioc.js

@@ -11,7 +11,9 @@ const __dirname = dirname(__filename);
 const IOC_PATH = join(__dirname, '..', 'vsix-iocs.json');
 
 function loadIOCData() {
-  if (iocsLoaded) return iocsData;
+  if (iocsLoaded) {
+    return iocsData;
+  }
   iocsLoaded = true;
   try {
     iocsData = JSON.parse(readFileSync(IOC_PATH, 'utf8'));
@@ -32,9 +34,17 @@ export function reloadIOCData() {
   return loadIOCData();
 }
 
-export async function checkKnownIOC(extensionId, version, publisherAccount, orphanCommits = [], versionHistory = []) {
+export async function checkKnownIOC(
+  extensionId,
+  version,
+  publisherAccount,
+  orphanCommits = [],
+  versionHistory = []
+) {
   const data = loadIOCData();
-  if (!data) return { triggered: false, matches: [] };
+  if (!data) {
+    return { triggered: false, matches: [] };
+  }
 
   const matches = [];
   const iocs = data.iocs || [];
@@ -43,7 +53,11 @@ export async function checkKnownIOC(extensionId, version, publisherAccount, orph
     switch (ioc.type) {
       case 'extensionId': {
         if (ioc.value === extensionId) {
-          if (!ioc.maliciousVersions || ioc.maliciousVersions.length === 0 || ioc.maliciousVersions.includes(version)) {
+          if (
+            !ioc.maliciousVersions ||
+            ioc.maliciousVersions.length === 0 ||
+            ioc.maliciousVersions.includes(version)
+          ) {
             matches.push({
               type: 'extensionId',
               value: extensionId,
@@ -60,9 +74,10 @@ export async function checkKnownIOC(extensionId, version, publisherAccount, orph
 
       case 'publisherAccount': {
         if (ioc.value === publisherAccount) {
-          const pubTime = versionHistory.length > 0
-            ? new Date(versionHistory[versionHistory.length - 1]?.publishedAt).getTime()
-            : null;
+          const pubTime =
+            versionHistory.length > 0
+              ? new Date(versionHistory[versionHistory.length - 1]?.publishedAt).getTime()
+              : null;
 
           const windowStart = new Date(ioc.compromiseWindowStart).getTime();
           const windowEnd = ioc.compromiseWindowEnd
@@ -84,7 +99,7 @@ export async function checkKnownIOC(extensionId, version, publisherAccount, orph
 
       case 'orphanCommitHash': {
         for (const commit of orphanCommits) {
-          if (ioc.value === commit || (ioc.value === 'PLACEHOLDER_UPDATE_FROM_THREAT_INTEL')) {
+          if (ioc.value === commit || ioc.value === 'PLACEHOLDER_UPDATE_FROM_THREAT_INTEL') {
             continue;
           }
           if (ioc.value && commit && ioc.value.toLowerCase() === commit.toLowerCase()) {

package/backend/vsix-scan/detectors/orphan-commit-fetch.js

@@ -1,10 +1,13 @@
-const GITHUB_COMMIT_SHA_PATTERN = /api\.github\.com\/repos\/[^/]+\/[^/]+\/git\/commits\/[a-f0-9]{40}/;
+const GITHUB_COMMIT_SHA_PATTERN =
+  /api\.github\.com\/repos\/[^/]+\/[^/]+\/git\/commits\/[a-f0-9]{40}/;
 const NPX_GIT_URL_PATTERN = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
 const MCP_KEYWORDS = ['mcp', 'model-context-protocol', 'claude', 'setup', 'init'];
-const EXTERNAL_FETCH_PATTERN = /(?:https?:\/\/)[^\s"')\]]+(?:\.com|\.io|\.org|\.dev|\.app|\.net)[^\s"')\]]*/;
-const NON_NPMJS_FETCH = /(?:fetch|curl|wget)\s*\(?\s*["']https?:\/\/(?!(?:.*npmjs\.org|.*npm\.js\.org|.*github\.com))[^"']+/;
+const _EXTERNAL_FETCH_PATTERN =
+  /(?:https?:\/\/)[^\s"')\]]+(?:\.com|\.io|\.org|\.dev|\.app|\.net)[^\s"')\]]*/;
+const NON_NPMJS_FETCH =
+  /(?:fetch|curl|wget)\s*\(?\s*["']https?:\/\/(?!(?:.*npmjs\.org|.*npm\.js\.org|.*github\.com))[^"']+/;
 const BUN_PATTERNS = [/bun\s+install/, /install\s+.*bun/, /\bbunx\b/, /\.bun\/bin\//];
-const NPX_GIT_SHORT = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
+const _NPX_GIT_SHORT = /npx\s+.*github\.com.*#[a-f0-9]{8,}/;
 
 export async function checkOrphanCommitFetch(extensionFiles = []) {
   const signals = [];
@@ -12,7 +15,9 @@ export async function checkOrphanCommitFetch(extensionFiles = []) {
 
   for (const file of extensionFiles) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
 
     if (GITHUB_COMMIT_SHA_PATTERN.test(content)) {
@@ -39,8 +44,7 @@ export async function checkOrphanCommitFetch(extensionFiles = []) {
       }
     }
 
-    const hasMCPKeywords = MCP_KEYWORDS.some(kw =>
-        new RegExp(`\\b${kw}\\b`, 'i').test(content));
+    const hasMCPKeywords = MCP_KEYWORDS.some((kw) => new RegExp(`\\b${kw}\\b`, 'i').test(content));
     const hasExternalFetch = NON_NPMJS_FETCH.test(content);
 
     if (hasMCPKeywords && hasExternalFetch) {

package/backend/vsix-scan/detectors/publisher-anomaly.js

@@ -1,24 +1,33 @@
-export async function checkPublisherAnomaly(extensionMetadata, publisherProfile, versionHistory, config = {}) {
+export async function checkPublisherAnomaly(
+  extensionMetadata,
+  publisherProfile,
+  versionHistory,
+  config = {}
+) {
   const signals = [];
 
-  const crossNamespaceThreshold = config.crossNamespaceThreshold ?? 3;
-  const crossNamespaceDays = config.crossNamespaceDays ?? 14;
+  const _crossNamespaceThreshold = config.crossNamespaceThreshold ?? 3;
+  const _crossNamespaceDays = config.crossNamespaceDays ?? 14;
   const newAccountAgeDays = config.newAccountAgeDays ?? 30;
   const highInstallThreshold = config.highInstallThreshold ?? 100000;
   const addPublishWindowMinutes = config.addPublishWindowMinutes ?? 15;
 
   const versions = versionHistory || [];
-  if (versions.length === 0) return { triggered: false, signals: [] };
+  if (versions.length === 0) {
+    return { triggered: false, signals: [] };
+  }
 
-  const publishers = [...new Set(versions.map(v => v.publishedBy).filter(Boolean))];
-  if (publishers.length === 0) return { triggered: false, signals: [] };
+  const publishers = [...new Set(versions.map((v) => v.publishedBy).filter(Boolean))];
+  if (publishers.length === 0) {
+    return { triggered: false, signals: [] };
+  }
 
   const sortedVersions = [...versions]
-    .filter(v => v.publishedAt)
+    .filter((v) => v.publishedAt)
     .sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
 
   const extPublisher = publishers[0];
-  const allSame = publishers.every(p => p === extPublisher);
+  const allSame = publishers.every((p) => p === extPublisher);
 
   if (!allSame) {
     for (const pub of publishers) {
@@ -32,13 +41,18 @@ export async function checkPublisherAnomaly(extensionMetadata, publisherProfile,
     }
   }
 
-  const extInstallCount = extensionMetadata?.statistics?.find(s => s.statisticName === 'install')?.value || 0;
+  const extInstallCount =
+    extensionMetadata?.statistics?.find((s) => s.statisticName === 'install')?.value || 0;
 
   const extAgeDays = publisherProfile?.dateCreated
     ? (Date.now() - new Date(publisherProfile.dateCreated).getTime()) / (1000 * 60 * 60 * 24)
     : null;
 
-  if (extAgeDays !== null && extAgeDays < newAccountAgeDays && extInstallCount >= highInstallThreshold) {
+  if (
+    extAgeDays !== null &&
+    extAgeDays < newAccountAgeDays &&
+    extInstallCount >= highInstallThreshold
+  ) {
     signals.push({
       type: 'NEW_ACCOUNT_HIGH_INSTALL',
       accountAgeDays: Math.round(extAgeDays),

package/backend/vsix-scan/index.js

@@ -4,18 +4,32 @@ import { checkActivationEventRisk } from './detectors/activation-event-risk.js';
 import { checkOrphanCommitFetch } from './detectors/orphan-commit-fetch.js';
 import { checkKnownIOC } from './detectors/known-ioc.js';
 import { checkExfilPattern } from './detectors/exfil-pattern.js';
-import { getExtensionMetadata, getVersionHistory, getPublisherProfile, getOpenVsxMetadata, getOpenVsxVersionHistory } from './marketplace-client.js';
-
-const SEVERITY_SCORE = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
+import {
+  getExtensionMetadata,
+  getVersionHistory,
+  getPublisherProfile,
+  getOpenVsxMetadata as _getOpenVsxMetadata,
+  getOpenVsxVersionHistory,
+} from './marketplace-client.js';
+
+const _SEVERITY_SCORE = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
 const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical'];
 
 export async function vsixScan(extensionId, options = {}) {
   const { publisherId, extensionName } = parseExtensionId(extensionId);
 
-  const marketplaceMeta = options.marketplaceMeta || (options.skipNetwork ? null : await getExtensionMetadata(publisherId, extensionName));
-  const marketplaceVersions = options.marketplaceVersions || (marketplaceMeta ? await getVersionHistory(publisherId, extensionName) : []);
-  const openVsxVersions = options.openVsxVersions || (options.skipNetwork ? [] : await getOpenVsxVersionHistory(publisherId, extensionName));
-  const publisherProfile = options.publisherProfile || (options.skipNetwork ? null : await getPublisherProfile(publisherId));
+  const marketplaceMeta =
+    options.marketplaceMeta ||
+    (options.skipNetwork ? null : await getExtensionMetadata(publisherId, extensionName));
+  const marketplaceVersions =
+    options.marketplaceVersions ||
+    (marketplaceMeta ? await getVersionHistory(publisherId, extensionName) : []);
+  const openVsxVersions =
+    options.openVsxVersions ||
+    (options.skipNetwork ? [] : await getOpenVsxVersionHistory(publisherId, extensionName));
+  const publisherProfile =
+    options.publisherProfile ||
+    (options.skipNetwork ? null : await getPublisherProfile(publisherId));
 
   const allVersions = mergeVersionHistories(marketplaceVersions, openVsxVersions);
   const manifest = options.manifest || extractManifest(marketplaceMeta, extensionId);
@@ -25,7 +39,7 @@ export async function vsixScan(extensionId, options = {}) {
   const activationResult = await checkActivationEventRisk(
     manifest,
     allVersions,
-    options.priorVersions || [],
+    options.priorVersions || []
   );
 
   const burstResult = await checkBurstPublish(allVersions, config);
@@ -34,50 +48,82 @@ export async function vsixScan(extensionId, options = {}) {
     manifest || {},
     publisherProfile || {},
     allVersions,
-    config,
+    config
   );
 
   const orphanResult = await checkOrphanCommitFetch(options.extensionFiles || []);
 
   const iocResult = await checkKnownIOC(
     extensionId,
-    options.version || (allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown'),
+    options.version ||
+      (allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown'),
     publisherId,
     orphanResult.signals
-      .filter(s => s.type === 'ORPHAN_COMMIT_GITHUB_API')
-      .map(s => s.indicator),
-    allVersions,
+      .filter((s) => s.type === 'ORPHAN_COMMIT_GITHUB_API')
+      .map((s) => s.indicator),
+    allVersions
   );
 
   const exfilResult = await checkExfilPattern(options.extensionFiles || []);
 
   const triggeredSignals = [];
-  if (burstResult.triggered) triggeredSignals.push('VSIX_BURST_PUBLISH');
-  if (publisherResult.triggered) triggeredSignals.push('VSIX_PUBLISHER_ANOMALY');
-  if (activationResult.triggered) triggeredSignals.push('VSIX_ACTIVATION_EVENT_RISK');
-  if (orphanResult.triggered) triggeredSignals.push('VSIX_ORPHAN_COMMIT_FETCH');
-  if (iocResult.triggered) triggeredSignals.push('VSIX_KNOWN_IOC');
-  if (exfilResult.triggered) triggeredSignals.push('VSIX_EXFIL_PATTERN');
+  if (burstResult.triggered) {
+    triggeredSignals.push('VSIX_BURST_PUBLISH');
+  }
+  if (publisherResult.triggered) {
+    triggeredSignals.push('VSIX_PUBLISHER_ANOMALY');
+  }
+  if (activationResult.triggered) {
+    triggeredSignals.push('VSIX_ACTIVATION_EVENT_RISK');
+  }
+  if (orphanResult.triggered) {
+    triggeredSignals.push('VSIX_ORPHAN_COMMIT_FETCH');
+  }
+  if (iocResult.triggered) {
+    triggeredSignals.push('VSIX_KNOWN_IOC');
+  }
+  if (exfilResult.triggered) {
+    triggeredSignals.push('VSIX_EXFIL_PATTERN');
+  }
 
-  if (triggeredSignals.length === 0) return [];
+  if (triggeredSignals.length === 0) {
+    return [];
+  }
 
   const registryLabels = [];
-  if (marketplaceVersions.length > 0) registryLabels.push('marketplace');
-  if (openVsxVersions.length > 0) registryLabels.push('open-vsx');
+  if (marketplaceVersions.length > 0) {
+    registryLabels.push('marketplace');
+  }
+  if (openVsxVersions.length > 0) {
+    registryLabels.push('open-vsx');
+  }
 
   const maxSeverity = triggeredSignals.reduce((max, s) => {
-    if (s === 'VSIX_KNOWN_IOC' || s === 'VSIX_ORPHAN_COMMIT_FETCH') return Math.max(max, 4);
-    if (s === 'VSIX_BURST_PUBLISH' || s === 'VSIX_PUBLISHER_ANOMALY' || s === 'VSIX_EXFIL_PATTERN') return Math.max(max, 3);
-    if (s === 'VSIX_ACTIVATION_EVENT_RISK') return Math.max(max, 3);
+    if (s === 'VSIX_KNOWN_IOC' || s === 'VSIX_ORPHAN_COMMIT_FETCH') {
+      return Math.max(max, 4);
+    }
+    if (
+      s === 'VSIX_BURST_PUBLISH' ||
+      s === 'VSIX_PUBLISHER_ANOMALY' ||
+      s === 'VSIX_EXFIL_PATTERN'
+    ) {
+      return Math.max(max, 3);
+    }
+    if (s === 'VSIX_ACTIVATION_EVENT_RISK') {
+      return Math.max(max, 3);
+    }
     return max;
   }, 0);
 
   const finalSeverity = SEVERITY_LABELS[maxSeverity] || 'high';
 
-  const latestVersion = allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown';
+  const latestVersion =
+    allVersions.length > 0 ? allVersions[allVersions.length - 1].version : 'unknown';
   let exposureWindowMinutes = null;
   if (burstResult.hotPullDetected && allVersions.length >= 2) {
-    const sorted = [...allVersions].sort((a, b) => new Date(b.publishedAt) - new Date(a.publishedAt));
+    const sorted = [...allVersions].sort(
+      (a, b) => new Date(b.publishedAt) - new Date(a.publishedAt)
+    );
     const gap = (new Date(sorted[0].publishedAt) - new Date(sorted[1].publishedAt)) / (1000 * 60);
     exposureWindowMinutes = Math.round(gap);
   }
@@ -92,7 +138,9 @@ export async function vsixScan(extensionId, options = {}) {
     hotPullDetected: burstResult.hotPullDetected,
     publisherSignals: publisherResult.triggered ? publisherResult.signals : null,
     activationEvents: manifest?.activationEvents || null,
-    activationRisk: activationResult.triggered ? { riskLevel: activationResult.riskLevel, why: activationResult.why } : null,
+    activationRisk: activationResult.triggered
+      ? { riskLevel: activationResult.riskLevel, why: activationResult.why }
+      : null,
     orphanCommitIndicators: orphanResult.triggered ? orphanResult.indicators : null,
     iocMatches: iocResult.triggered ? iocResult.matches : null,
     exfilPatterns: exfilResult.triggered ? exfilResult.exfilPatterns : null,
@@ -101,14 +149,16 @@ export async function vsixScan(extensionId, options = {}) {
 
   const remediationGuidance = buildRemediation(triggeredSignals, extensionId);
 
-  return [{
-    id: 'VSIX_SCAN',
-    severity: finalSeverity,
-    title: `VS Code extension risk: ${extensionId}`,
-    description: `${triggeredSignals.length} signal(s): ${triggeredSignals.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: remediationGuidance,
-  }];
+  return [
+    {
+      id: 'VSIX_SCAN',
+      severity: finalSeverity,
+      title: `VS Code extension risk: ${extensionId}`,
+      description: `${triggeredSignals.length} signal(s): ${triggeredSignals.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation: remediationGuidance,
+    },
+  ];
 }
 
 function parseExtensionId(id) {
@@ -135,7 +185,7 @@ function mergeVersionHistories(marketplace, openVsx) {
       seen.add(v.version);
       merged.push({ ...v, registries: ['open-vsx'] });
     } else {
-      const existing = merged.find(m => m.version === v.version);
+      const existing = merged.find((m) => m.version === v.version);
       if (existing) {
         existing.registries.push('open-vsx');
       }
@@ -145,14 +195,20 @@ function mergeVersionHistories(marketplace, openVsx) {
   return merged.sort((a, b) => new Date(a.publishedAt) - new Date(b.publishedAt));
 }
 
-function extractManifest(marketplaceMeta, extensionId) {
-  if (!marketplaceMeta?.results?.[0]?.extensions?.[0]) return {};
+function extractManifest(marketplaceMeta, _extensionId) {
+  if (!marketplaceMeta?.results?.[0]?.extensions?.[0]) {
+    return {};
+  }
   const ext = marketplaceMeta.results[0].extensions[0];
   const manifestStr = ext.galleryApiUrl || ext.manifest;
-  if (!manifestStr) return {};
+  if (!manifestStr) {
+    return {};
+  }
 
   try {
-    if (typeof manifestStr === 'object') return manifestStr;
+    if (typeof manifestStr === 'object') {
+      return manifestStr;
+    }
     return JSON.parse(manifestStr);
   } catch {
     return {};