@lateos/npm-scan 0.18.3 → 1.1.0

package/backend/detectors/cve-2026-48710-badhost/findings.js

@@ -8,11 +8,14 @@ const REFERENCES = [
   'https://osv.dev/vulnerability/PYSEC-2026-161',
 ];
 
-const MITIGATION_NOTE = 'Partial mitigation: Cloudflare and AWS ALB reject malformed Host headers for properly proxied deployments. Direct uvicorn/hypercorn/daphne/granian exposure with no reverse proxy in front is highest risk.';
+const MITIGATION_NOTE =
+  'Partial mitigation: Cloudflare and AWS ALB reject malformed Host headers for properly proxied deployments. Direct uvicorn/hypercorn/daphne/granian exposure with no reverse proxy in front is highest risk.';
 
-const DEPENDENCY_REMEDIATION = 'Upgrade starlette to >= 1.0.1. If starlette is inherited transitively through fastapi, vllm, litellm, or an MCP server package, upgrade the top-level package to a version that pins starlette >= 1.0.1. Verify with: pip show starlette.';
+const DEPENDENCY_REMEDIATION =
+  'Upgrade starlette to >= 1.0.1. If starlette is inherited transitively through fastapi, vllm, litellm, or an MCP server package, upgrade the top-level package to a version that pins starlette >= 1.0.1. Verify with: pip show starlette.';
 
-const CODE_REMEDIATION = 'Replace request.url.path with request.scope["path"] for all security-sensitive decisions (auth checks, path allowlists, rate limiting gates). The reconstructed request.url is influenced by the unvalidated Host header in Starlette < 1.0.1.';
+const CODE_REMEDIATION =
+  'Replace request.url.path with request.scope["path"] for all security-sensitive decisions (auth checks, path allowlists, rate limiting gates). The reconstructed request.url is influenced by the unvalidated Host header in Starlette < 1.0.1.';
 
 function makeFinding(overrides = {}) {
   return {
@@ -52,7 +55,8 @@ export function directDependencyUnpinnedFinding() {
     confidence: 'HIGH',
     source: 'direct-dependency-unpinned',
     title: `${NICKNAME}: Starlette unpinned`,
-    description: 'Starlette is declared with no version constraint — assume vulnerable to CVE-2026-48710 (BadHost) until pinned to >= 1.0.1.',
+    description:
+      'Starlette is declared with no version constraint — assume vulnerable to CVE-2026-48710 (BadHost) until pinned to >= 1.0.1.',
     remediation: `${DEPENDENCY_REMEDIATION} ${MITIGATION_NOTE}`,
     file: null,
     line: null,

package/backend/detectors/cve-2026-48710-badhost/index.js

@@ -2,7 +2,7 @@ import { scanFiles } from './manifest.js';
 import { scanTransitive } from './transitive.js';
 import { scanCodePatterns } from './codePattern.js';
 
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+export async function scan(pkgJson, files = [], _registryMeta = null, allFiles = null) {
   const targetFiles = allFiles || files;
 
   const manifestFindings = scanFiles(targetFiles);

package/backend/detectors/cve-2026-48710-badhost/manifest.js

@@ -2,10 +2,14 @@ import { directDependencyFinding, directDependencyUnpinnedFinding } from './find
 
 function parseReqTxtLine(line) {
   const trimmed = line.trim();
-  if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) return null;
+  if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) {
+    return null;
+  }
   const idx = trimmed.indexOf('#');
   const spec = idx >= 0 ? trimmed.slice(0, idx).trim() : trimmed;
-  if (!spec || !spec.startsWith('starlette')) return null;
+  if (!spec || !spec.startsWith('starlette')) {
+    return null;
+  }
 
   const eqIdx = spec.indexOf('==');
   const geIdx = spec.indexOf('>=');
@@ -22,7 +26,9 @@ function parseReqTxtLine(line) {
     const lower = parts[0]?.trim();
     const upper = parts[1]?.trim();
     let specStr = `>=${lower}`;
-    if (upper && upper.startsWith('<')) specStr += `,${upper}`;
+    if (upper && upper.startsWith('<')) {
+      specStr += `,${upper}`;
+    }
     return { name: 'starlette', version: lower, specifier: specStr };
   }
   if (tildeIdx >= 0) {
@@ -36,9 +42,17 @@ function parseReqTxtLine(line) {
   }
 
   const rest = spec.slice('starlette'.length).trim();
-  if (!rest) return { name: 'starlette', version: null, specifier: null };
+  if (!rest) {
+    return { name: 'starlette', version: null, specifier: null };
+  }
 
-  if (!rest.includes('=') && !rest.includes('<') && !rest.includes('>') && !rest.includes('~') && !rest.includes('!')) {
+  if (
+    !rest.includes('=') &&
+    !rest.includes('<') &&
+    !rest.includes('>') &&
+    !rest.includes('~') &&
+    !rest.includes('!')
+  ) {
     return { name: 'starlette', version: rest, specifier: rest };
   }
 
@@ -49,13 +63,17 @@ export function parseRequirementsTxt(content) {
   const lines = content.split('\n');
   for (const line of lines) {
     const result = parseReqTxtLine(line);
-    if (result) return result;
+    if (result) {
+      return result;
+    }
   }
   return null;
 }
 
 function parsePEP440(versionStr) {
-  if (!versionStr) return null;
+  if (!versionStr) {
+    return null;
+  }
   const clean = versionStr.trim().replace(/^v/, '');
   const parts = clean.split('.');
   return {
@@ -66,24 +84,38 @@ function parsePEP440(versionStr) {
 }
 
 function compareVersions(a, b) {
-  if (!a) return 1;
-  if (!b) return -1;
-  if (a.major !== b.major) return a.major - b.major;
-  if (a.minor !== b.minor) return a.minor - b.minor;
+  if (!a) {
+    return 1;
+  }
+  if (!b) {
+    return -1;
+  }
+  if (a.major !== b.major) {
+    return a.major - b.major;
+  }
+  if (a.minor !== b.minor) {
+    return a.minor - b.minor;
+  }
   return a.patch - b.patch;
 }
 
 const STARLETTE_SAFE = parsePEP440('1.0.1');
 
 function isVulnerable(version) {
-  if (!version) return true;
+  if (!version) {
+    return true;
+  }
   const parsed = parsePEP440(version);
-  if (!parsed) return true;
+  if (!parsed) {
+    return true;
+  }
   return compareVersions(parsed, STARLETTE_SAFE) < 0;
 }
 
 function findStarletteInTOML(obj) {
-  if (!obj || typeof obj !== 'object') return null;
+  if (!obj || typeof obj !== 'object') {
+    return null;
+  }
 
   const sectionPaths = ['dependencies', 'project.dependencies', 'tool.poetry.dependencies'];
   for (const path of sectionPaths) {
@@ -91,13 +123,18 @@ function findStarletteInTOML(obj) {
     let ptr = obj;
     let found = true;
     for (const p of parts) {
-      if (!ptr || typeof ptr !== 'object') { found = false; break; }
+      if (!ptr || typeof ptr !== 'object') {
+        found = false;
+        break;
+      }
       ptr = ptr[p];
     }
-    if (!found || !ptr || typeof ptr !== 'object') continue;
+    if (!found || !ptr || typeof ptr !== 'object') {
+      continue;
+    }
     for (const [key, val] of Object.entries(ptr)) {
       if (key === 'starlette' || key === '"starlette"') {
-        const version = typeof val === 'string' ? val : (val?.version || null);
+        const version = typeof val === 'string' ? val : val?.version || null;
         const specifier = typeof val === 'string' ? val : null;
         return { name: 'starlette', version, specifier };
       }
@@ -112,28 +149,41 @@ function parseTomlSimple(content) {
 
   for (const line of content.split('\n')) {
     const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith('#')) continue;
+    if (!trimmed || trimmed.startsWith('#')) {
+      continue;
+    }
     const sectionMatch = trimmed.match(/^\[([^\]]+)\]$/);
     if (sectionMatch) {
       const parts = sectionMatch[1].split('.');
       let ptr = result;
       for (const p of parts) {
         const key = p.replace(/^"(.*)"$/, '$1').trim();
-        if (!ptr[key]) ptr[key] = {};
+        if (!ptr[key]) {
+          ptr[key] = {};
+        }
         ptr = ptr[key];
       }
       currentSection = ptr;
       continue;
     }
     const kvMatch = trimmed.match(/^([^=]+)=\s*(.+)$/);
-    if (!kvMatch) continue;
+    if (!kvMatch) {
+      continue;
+    }
     const key = kvMatch[1].trim().replace(/^"(.*)"$/, '$1');
     let val = kvMatch[2].trim();
     if (val.startsWith('"') && val.endsWith('"')) {
       val = val.slice(1, -1);
     } else if (val.startsWith("'") && val.endsWith("'")) {
       val = val.slice(1, -1);
-    } else if (val.startsWith('^') || val.startsWith('~') || val.startsWith('>') || val.startsWith('<') || val.startsWith('=') || val.startsWith('!')) {
+    } else if (
+      val.startsWith('^') ||
+      val.startsWith('~') ||
+      val.startsWith('>') ||
+      val.startsWith('<') ||
+      val.startsWith('=') ||
+      val.startsWith('!')
+    ) {
       val = val.replace(/"/g, '');
     }
     currentSection[key] = val;
@@ -166,7 +216,9 @@ function parsePoetryLockEntry(content) {
     }
     if (inStarlette && trimmed.startsWith('version = ')) {
       const match = trimmed.match(/version\s*=\s*["'](.+?)["']/);
-      if (match) version = match[1];
+      if (match) {
+        version = match[1];
+      }
     }
     if (inStarlette && trimmed.startsWith('[[package]]') && trimmed !== '[[package]]') {
       break;
@@ -204,12 +256,16 @@ export function parsePipfile(content) {
 
 function parseSetupPyContent(content) {
   const match = content.match(/install_requires\s*=\s*\[([^\]]+)\]/s);
-  if (!match) return null;
+  if (!match) {
+    return null;
+  }
   const block = match[1];
-  const lines = block.split(',').map(l => l.trim().replace(/["']/g, ''));
+  const lines = block.split(',').map((l) => l.trim().replace(/["']/g, ''));
   for (const line of lines) {
     const clean = line.trim();
-    if (!clean) continue;
+    if (!clean) {
+      continue;
+    }
     if (clean.startsWith('starlette')) {
       const eqIdx = clean.indexOf('==');
       const geIdx = clean.indexOf('>=');
@@ -217,11 +273,24 @@ function parseSetupPyContent(content) {
       const ltIdx = clean.indexOf('<');
       let version = null;
       let specifier = null;
-      if (eqIdx >= 0) { version = clean.slice(eqIdx + 2).trim(); specifier = `==${version}`; }
-      else if (geIdx >= 0) { version = clean.slice(geIdx + 2).split(',')[0].trim(); specifier = `>=${version}`; }
-      else if (tildeIdx >= 0) { version = clean.slice(tildeIdx + 2).trim(); specifier = `~=${version}`; }
-      else if (ltIdx >= 0) { version = clean.slice(ltIdx + 1).trim(); specifier = `<${version}`; }
-      else if (clean === 'starlette') { return { name: 'starlette', version: null, specifier: null }; }
+      if (eqIdx >= 0) {
+        version = clean.slice(eqIdx + 2).trim();
+        specifier = `==${version}`;
+      } else if (geIdx >= 0) {
+        version = clean
+          .slice(geIdx + 2)
+          .split(',')[0]
+          .trim();
+        specifier = `>=${version}`;
+      } else if (tildeIdx >= 0) {
+        version = clean.slice(tildeIdx + 2).trim();
+        specifier = `~=${version}`;
+      } else if (ltIdx >= 0) {
+        version = clean.slice(ltIdx + 1).trim();
+        specifier = `<${version}`;
+      } else if (clean === 'starlette') {
+        return { name: 'starlette', version: null, specifier: null };
+      }
       return { name: 'starlette', version, specifier };
     }
   }
@@ -242,7 +311,9 @@ function parseSetupCfgContent(content) {
       continue;
     }
     if (inInstallRequires) {
-      if (trimmed.startsWith('[')) break;
+      if (trimmed.startsWith('[')) {
+        break;
+      }
       if (trimmed.startsWith('starlette')) {
         const eqIdx = trimmed.indexOf('==');
         const geIdx = trimmed.indexOf('>=');
@@ -250,11 +321,24 @@ function parseSetupCfgContent(content) {
         const ltIdx = trimmed.indexOf('<');
         let version = null;
         let specifier = null;
-        if (eqIdx >= 0) { version = trimmed.slice(eqIdx + 2).trim(); specifier = `==${version}`; }
-        else if (geIdx >= 0) { version = trimmed.slice(geIdx + 2).split(',')[0].trim(); specifier = `>=${version}`; }
-        else if (tildeIdx >= 0) { version = trimmed.slice(tildeIdx + 2).trim(); specifier = `~=${version}`; }
-        else if (ltIdx >= 0) { version = trimmed.slice(ltIdx + 1).trim(); specifier = `<${version}`; }
-        else if (trimmed === 'starlette') { return { name: 'starlette', version: null, specifier: null }; }
+        if (eqIdx >= 0) {
+          version = trimmed.slice(eqIdx + 2).trim();
+          specifier = `==${version}`;
+        } else if (geIdx >= 0) {
+          version = trimmed
+            .slice(geIdx + 2)
+            .split(',')[0]
+            .trim();
+          specifier = `>=${version}`;
+        } else if (tildeIdx >= 0) {
+          version = trimmed.slice(tildeIdx + 2).trim();
+          specifier = `~=${version}`;
+        } else if (ltIdx >= 0) {
+          version = trimmed.slice(ltIdx + 1).trim();
+          specifier = `<${version}`;
+        } else if (trimmed === 'starlette') {
+          return { name: 'starlette', version: null, specifier: null };
+        }
         if (trimmed.startsWith('starlette')) {
           return { name: 'starlette', version, specifier };
         }
@@ -271,9 +355,11 @@ export function parseSetupCfg(content) {
 export function scanFiles(allFiles) {
   const findings = [];
 
-  for (const file of (allFiles || [])) {
+  for (const file of allFiles || []) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
 
     let result = null;
@@ -292,7 +378,9 @@ export function scanFiles(allFiles) {
       result = parseSetupCfg(content);
     }
 
-    if (!result) continue;
+    if (!result) {
+      continue;
+    }
 
     if (result.version === null && result.specifier === null) {
       findings.push(directDependencyUnpinnedFinding());

package/backend/detectors/cve-2026-48710-badhost/transitive.js

@@ -1,5 +1,12 @@
 import { transitiveDependencyFinding } from './findings.js';
-import { parseRequirementsTxt, parsePyprojectToml, parsePoetryLock, parsePipfile, parseSetupPy, parseSetupCfg } from './manifest.js';
+import {
+  parseRequirementsTxt,
+  parsePyprojectToml,
+  parsePoetryLock,
+  parsePipfile,
+  parseSetupPy,
+  parseSetupCfg,
+} from './manifest.js';
 
 const TIER_1_PACKAGES = [
   'fastapi',
@@ -22,29 +29,41 @@ const TIER_2_PACKAGES = [
 ];
 
 function normalizePkgName(name) {
-  return name.replace(/["'\[\]]/g, '').trim().toLowerCase();
+  return name
+    .replace(/["'[\]]/g, '')
+    .trim()
+    .toLowerCase();
 }
 
 function findPackagesInManifests(allFiles) {
   const packages = new Set();
 
-  for (const file of (allFiles || [])) {
+  for (const file of allFiles || []) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
 
-    let deps = [];
+    const deps = [];
 
     if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
       const lines = content.split('\n');
       for (const line of lines) {
         const trimmed = line.trim();
-        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
+        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) {
+          continue;
+        }
         const idx = trimmed.indexOf('#');
         const spec = idx >= 0 ? trimmed.slice(0, idx).trim() : trimmed;
         const eqIdx = spec.indexOf('==');
         const geIdx = spec.indexOf('>=');
-        const name = eqIdx >= 0 ? spec.slice(0, eqIdx).trim() : (geIdx >= 0 ? spec.slice(0, geIdx).trim() : spec);
+        const name =
+          eqIdx >= 0
+            ? spec.slice(0, eqIdx).trim()
+            : geIdx >= 0
+              ? spec.slice(0, geIdx).trim()
+              : spec;
         if (name && !name.includes('=') && !name.includes('<') && !name.includes('>')) {
           deps.push(normalizePkgName(name));
         }
@@ -52,11 +71,17 @@ function findPackagesInManifests(allFiles) {
     } else if (path === 'pyproject.toml') {
       try {
         const obj = JSON.parse(content);
-        const allDeps = { ...(obj?.tool?.poetry?.dependencies || {}), ...(obj?.dependencies || {}), ...(obj?.['dev-dependencies'] || {}) };
+        const allDeps = {
+          ...(obj?.tool?.poetry?.dependencies || {}),
+          ...(obj?.dependencies || {}),
+          ...(obj?.['dev-dependencies'] || {}),
+        };
         for (const key of Object.keys(allDeps)) {
           deps.push(normalizePkgName(key));
         }
-      } catch {}
+      } catch {
+        /* ignore parse errors */
+      }
     } else if (path === 'poetry.lock') {
       const pattern = /name\s*=\s*["']([^"']+)["']/g;
       let m;
@@ -69,18 +94,24 @@ function findPackagesInManifests(allFiles) {
         for (const key of Object.keys(obj?.packages || {})) {
           deps.push(normalizePkgName(key));
         }
-      } catch {}
+      } catch {
+        /* ignore parse errors */
+      }
+    }
+    for (const dep of deps) {
+      packages.add(dep);
     }
-    for (const dep of deps) packages.add(dep);
   }
 
   return packages;
 }
 
 function hasStarlettePin(allFiles) {
-  for (const file of (allFiles || [])) {
+  for (const file of allFiles || []) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
 
     let result = null;
@@ -99,10 +130,14 @@ function hasStarlettePin(allFiles) {
     }
 
     if (result) {
-      if (result.version === null && result.specifier === null) return false;
+      if (result.version === null && result.specifier === null) {
+        return false;
+      }
       const parsed = parsePEP440(result.version);
       const safe = parsePEP440('1.0.1');
-      if (parsed && compareVersions(parsed, safe) >= 0) return true;
+      if (parsed && compareVersions(parsed, safe) >= 0) {
+        return true;
+      }
     }
   }
 
@@ -110,7 +145,9 @@ function hasStarlettePin(allFiles) {
 }
 
 function parsePEP440(versionStr) {
-  if (!versionStr) return null;
+  if (!versionStr) {
+    return null;
+  }
   const clean = versionStr.trim().replace(/^v/, '');
   const parts = clean.split('.');
   return {
@@ -121,21 +158,33 @@ function parsePEP440(versionStr) {
 }
 
 function compareVersions(a, b) {
-  if (!a) return 1;
-  if (!b) return -1;
-  if (a.major !== b.major) return a.major - b.major;
-  if (a.minor !== b.minor) return a.minor - b.minor;
+  if (!a) {
+    return 1;
+  }
+  if (!b) {
+    return -1;
+  }
+  if (a.major !== b.major) {
+    return a.major - b.major;
+  }
+  if (a.minor !== b.minor) {
+    return a.minor - b.minor;
+  }
   return a.patch - b.patch;
 }
 
 export function scanTransitive(allFiles) {
   const findings = [];
 
-  if (!allFiles || allFiles.length === 0) return findings;
+  if (!allFiles || allFiles.length === 0) {
+    return findings;
+  }
 
   const packages = findPackagesInManifests(allFiles);
 
-  if (hasStarlettePin(allFiles)) return findings;
+  if (hasStarlettePin(allFiles)) {
+    return findings;
+  }
 
   const handled = new Set();
 
@@ -147,7 +196,9 @@ export function scanTransitive(allFiles) {
         if (version) {
           const parsed = parsePEP440(version);
           const safeFastapi = parsePEP440('0.116.0');
-          if (parsed && compareVersions(parsed, safeFastapi) >= 0) continue;
+          if (parsed && compareVersions(parsed, safeFastapi) >= 0) {
+            continue;
+          }
         }
       }
       findings.push(transitiveDependencyFinding(pkg, 1));
@@ -157,7 +208,9 @@ export function scanTransitive(allFiles) {
 
   if (findings.length === 0) {
     for (const pkg of packages) {
-      if (handled.has(pkg)) continue;
+      if (handled.has(pkg)) {
+        continue;
+      }
       if (TIER_2_PACKAGES.includes(pkg)) {
         findings.push(transitiveDependencyFinding(pkg, 2));
         break;
@@ -169,18 +222,24 @@ export function scanTransitive(allFiles) {
 }
 
 function findFastapiVersion(allFiles) {
-  for (const file of (allFiles || [])) {
+  for (const file of allFiles || []) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
     if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
       const lines = content.split('\n');
       for (const line of lines) {
         const trimmed = line.trim();
-        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
+        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) {
+          continue;
+        }
         if (trimmed.startsWith('fastapi')) {
           const eqIdx = trimmed.indexOf('==');
-          if (eqIdx >= 0) return trimmed.slice(eqIdx + 2).trim();
+          if (eqIdx >= 0) {
+            return trimmed.slice(eqIdx + 2).trim();
+          }
         }
       }
     }