@lateos/npm-scan 1.0.0 → 1.1.0

package/backend/lockfile.js

@@ -1,5 +1,5 @@
 import { readFileSync } from 'fs';
-import { resolve, dirname } from 'path';
+import { resolve as _resolve, dirname as _dirname } from 'path';
 import yaml from 'js-yaml';
 
 export function parseLockfile(filePath, options = {}) {
@@ -32,17 +32,19 @@ export function parseLockfile(filePath, options = {}) {
 
     return parseNpmLockfile(content, filePath);
   } catch (e) {
-    throw new Error(`Failed to parse lockfile: ${e.message}`);
+    throw new Error(`Failed to parse lockfile: ${e.message}`, { cause: e });
   }
 }
 
-function parseNpmLockfile(content, filePath) {
+function parseNpmLockfile(content, _filePath) {
   const lockfile = JSON.parse(content);
   const packages = [];
 
   if (lockfile.packages) {
     for (const [key, pkg] of Object.entries(lockfile.packages)) {
-      if (key === '') continue;
+      if (key === '') {
+        continue;
+      }
       const name = pkg.name || key.replace(/^node_modules\//, '').replace(/^[^/]+\//, '');
       packages.push({
         name,
@@ -54,7 +56,7 @@ function parseNpmLockfile(content, filePath) {
         dev: pkg.dev || false,
         optional: pkg.optional || false,
         scripts: pkg.scripts || {},
-        dependencies: pkg.dependencies || {}
+        dependencies: pkg.dependencies || {},
       });
     }
   }
@@ -68,22 +70,23 @@ function parseNpmLockfile(content, filePath) {
       version: rootDeps.version || 'unknown',
       dependencies: rootDeps.dependencies || {},
       devDependencies: rootDeps.devDependencies || {},
-      peerDependencies: rootDeps.peerDependencies || {}
-    }
+      peerDependencies: rootDeps.peerDependencies || {},
+    },
   };
 }
 
-function parseYarnLockfile(content, filePath) {
+function parseYarnLockfile(content, _filePath) {
   const packages = [];
   const lines = content.split('\n');
   let i = 0;
   const n = lines.length;
 
-  const MULTI_ENTRY_RE = /^"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*,\s*"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*:\s*$/;
+  const MULTI_ENTRY_RE =
+    /^"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*,\s*"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*:\s*$/;
   const SINGLE_ENTRY_RE = /^"?([\w@./-]+)@(\^?[\w.+\-~]+)"?\s*:\s*$/;
 
   while (i < n) {
-    let line = lines[i].trimEnd();
+    const line = lines[i].trimEnd();
 
     let specs = [];
 
@@ -93,7 +96,7 @@ function parseYarnLockfile(content, filePath) {
     if (multiMatch) {
       specs = [
         { name: multiMatch[1], specVersion: multiMatch[2] },
-        { name: multiMatch[3], specVersion: multiMatch[4] }
+        { name: multiMatch[3], specVersion: multiMatch[4] },
       ];
     } else if (singleMatch) {
       specs = [{ name: singleMatch[1], specVersion: singleMatch[2] }];
@@ -125,26 +128,37 @@ function parseYarnLockfile(content, filePath) {
 
         if (bodyTrim.startsWith('version ')) {
           const vMatch = bodyTrim.match(/^version ['"]([^'"]+)['"]/);
-          if (vMatch) version = vMatch[1];
+          if (vMatch) {
+            version = vMatch[1];
+          }
         } else if (bodyTrim.match(/^\s*resolved\s+(.+)/)) {
           const rMatch = bodyTrim.match(/^\s*resolved\s+(.+)/);
           if (rMatch) {
             resolved = rMatch[1].trim().replace(/^['"]|['"]$/g, '');
             if (resolved.startsWith('https://registry.yarnpkg.com/')) {
-              resolved = resolved.replace('https://registry.yarnpkg.com/', 'https://registry.npmjs.org/');
+              resolved = resolved.replace(
+                'https://registry.yarnpkg.com/',
+                'https://registry.npmjs.org/'
+              );
             }
           }
         } else if (bodyTrim.startsWith('integrity ')) {
           integrity = bodyTrim.replace('integrity ', '').trim();
         } else if (bodyTrim.startsWith('dependencies')) {
           const m = bodyTrim.match(/^dependencies\s+(.*)/);
-          if (m) parseDepList(m[1], dependencies);
+          if (m) {
+            parseDepList(m[1], dependencies);
+          }
         } else if (bodyTrim.startsWith('optionalDependencies')) {
           const m = bodyTrim.match(/^optionalDependencies\s+(.*)/);
-          if (m) parseDepList(m[1], optionalDependencies);
+          if (m) {
+            parseDepList(m[1], optionalDependencies);
+          }
         } else if (bodyTrim.startsWith('peerDependencies')) {
           const m = bodyTrim.match(/^peerDependencies\s+(.*)/);
-          if (m) parseDepList(m[1], peerDependencies);
+          if (m) {
+            parseDepList(m[1], peerDependencies);
+          }
         } else if (bodyTrim.match(/^\s*dev\s+(true|false)$/)) {
           dev = bodyTrim.includes('true');
         } else if (bodyTrim.match(/^\s*optional\s+(true|false)$/)) {
@@ -166,7 +180,7 @@ function parseYarnLockfile(content, filePath) {
           optional,
           scripts: {},
           dependencies,
-          optionalDependencies
+          optionalDependencies,
         });
       }
     } else {
@@ -192,14 +206,16 @@ function parseYarnLockfile(content, filePath) {
       version: 'unknown',
       dependencies: rootDeps,
       devDependencies: rootDevDeps,
-      peerDependencies: {}
-    }
+      peerDependencies: {},
+    },
   };
 }
 
 function parseDepList(str, dest) {
   const cleaned = str.replace(/^[[\]]/g, '').trim();
-  if (!cleaned) return;
+  if (!cleaned) {
+    return;
+  }
   const re = /([\w@./-]+)\s+\^?([\w@./-]+)/g;
   let m;
   while ((m = re.exec(cleaned)) !== null) {
@@ -207,14 +223,16 @@ function parseDepList(str, dest) {
   }
 }
 
-function parsePnpmLockfile(content, filePath) {
+function parsePnpmLockfile(content, _filePath) {
   const lockfile = yaml.load(content);
   const packages = [];
 
   if (lockfile.packages) {
     for (const [key, pkg] of Object.entries(lockfile.packages)) {
       const nameMatch = key.match(/^\/(.+?)@([^@/]+)$/);
-      if (!nameMatch) continue;
+      if (!nameMatch) {
+        continue;
+      }
       const name = nameMatch[1];
       const version = nameMatch[2];
 
@@ -237,7 +255,7 @@ function parsePnpmLockfile(content, filePath) {
         optional: pkg.optional || false,
         scripts: pkg.hasBundledMedia ? { bundled: true } : {},
         dependencies: pkg.dependencies || {},
-        optionalDependencies: pkg.optionalDependencies || {}
+        optionalDependencies: pkg.optionalDependencies || {},
       });
     }
   }
@@ -257,8 +275,8 @@ function parsePnpmLockfile(content, filePath) {
       version: lockfile.lockfileVersion ? 'unknown' : 'unknown',
       dependencies: rootDepsMap,
       devDependencies: rootDevDepsMap,
-      peerDependencies: rootPeerDepsMap
-    }
+      peerDependencies: rootPeerDepsMap,
+    },
   };
 }
 
@@ -282,7 +300,7 @@ export function checkMaliciousPatterns(pkg) {
         severity: 'high',
         title: 'Typosquat detected',
         description: `Package name "${pkg.name}" is similar to popular packages`,
-        evidence: `similar to ${pattern.source}`
+        evidence: `similar to ${pattern.source}`,
       });
     }
   }
@@ -307,21 +325,25 @@ export function analyzeDependencyGraph(lockfileData) {
             severity: 'high',
             title: 'Transitive propagation (worm)',
             description: `Package "${pkg.name}" depends on peer "${peerName}@${peerVersion}" - potential worm propagation chain`,
-            evidence: `peer dep chain: ${pkg.name} -> ${peerName}`
+            evidence: `peer dep chain: ${pkg.name} -> ${peerName}`,
           });
         }
       }
     }
 
-    if (pkg.dependencies && typeof pkg.dependencies === 'object' && Object.keys(pkg.dependencies).length > 5) {
-      const transitiveCount = Object.keys(pkg.dependencies).filter(k => k.includes('/')).length;
+    if (
+      pkg.dependencies &&
+      typeof pkg.dependencies === 'object' &&
+      Object.keys(pkg.dependencies).length > 5
+    ) {
+      const transitiveCount = Object.keys(pkg.dependencies).filter((k) => k.includes('/')).length;
       if (transitiveCount > 3) {
         findings.push({
           id: 'ATK-011',
           severity: 'medium',
           title: 'Transitive propagation (worm)',
           description: `Package "${pkg.name}" has excessive transitive dependencies (${transitiveCount} scoped)`,
-          evidence: `heavy transitive dep chain: ${pkg.name}`
+          evidence: `heavy transitive dep chain: ${pkg.name}`,
         });
       }
     }
@@ -332,7 +354,7 @@ export function analyzeDependencyGraph(lockfileData) {
         severity: 'low',
         title: 'Transitive propagation (worm)',
         description: `Package "${pkg.name}" has excessive optional dependencies (${Object.keys(pkg.optionalDependencies).length})`,
-        evidence: `optional dep chain: ${pkg.name} -> [${Object.keys(pkg.optionalDependencies).slice(0, 3).join(', ')}, ...]`
+        evidence: `optional dep chain: ${pkg.name} -> [${Object.keys(pkg.optionalDependencies).slice(0, 3).join(', ')}, ...]`,
       });
     }
   }
@@ -342,8 +364,8 @@ export function analyzeDependencyGraph(lockfileData) {
 
 export function generateLockfileReport(lockfileData) {
   const total = lockfileData.packages.length;
-  const dev = lockfileData.packages.filter(p => p.dev).length;
-  const optional = lockfileData.packages.filter(p => p.optional).length;
+  const dev = lockfileData.packages.filter((p) => p.dev).length;
+  const optional = lockfileData.packages.filter((p) => p.optional).length;
 
   const findings = [];
 
@@ -363,12 +385,14 @@ export function generateLockfileReport(lockfileData) {
     optionalDependencies: optional,
     lockfileVersion: lockfileData.version,
     findings,
-    riskScore: calculateRiskScore(findings)
+    riskScore: calculateRiskScore(findings),
   };
 }
 
 function calculateRiskScore(findings) {
-  if (!findings.length) return '0.0';
+  if (!findings.length) {
+    return '0.0';
+  }
   const weights = { critical: 10, high: 7, medium: 4, low: 2, info: 0.5 };
   const maxSeverity = findings.reduce((max, f) => {
     const w = weights[f.severity] || 0;
@@ -377,4 +401,4 @@ function calculateRiskScore(findings) {
   const countBonus = Math.min(findings.length * 0.3, 3);
   const score = Math.min(maxSeverity + countBonus, 10);
   return score.toFixed(1);
-}
+}

package/backend/pdf.js

@@ -1,7 +1,12 @@
 import { PDFDocument, StandardFonts, rgb } from 'pdf-lib';
 
 const SEV_ORDER = ['critical', 'high', 'medium', 'low'];
-const SEV_COLORS = { critical: rgb(0.8, 0.2, 0.2), high: rgb(0.75, 0.15, 0.15), medium: rgb(0.9, 0.5, 0.1), low: rgb(0.8, 0.7, 0.1) };
+const SEV_COLORS = {
+  critical: rgb(0.8, 0.2, 0.2),
+  high: rgb(0.75, 0.15, 0.15),
+  medium: rgb(0.9, 0.5, 0.1),
+  low: rgb(0.8, 0.7, 0.1),
+};
 
 const NIST_SR_MAP = {
   'ATK-001': { control: 'SR-3.1', title: 'Malicious code detection' },
@@ -29,24 +34,34 @@ function wrapText(text, font, size, maxWidth) {
   for (const word of words) {
     const test = current ? current + ' ' + word : word;
     if (font.widthOfTextAtSize(test, size) > maxWidth) {
-      if (current) lines.push(current);
+      if (current) {
+        lines.push(current);
+      }
       current = word;
     } else {
       current = test;
     }
   }
-  if (current) lines.push(current);
+  if (current) {
+    lines.push(current);
+  }
   return lines;
 }
 
-function drawTableRow(page, font, columns, y, colWidths, fontSize, isHeader) {
+function _drawTableRow(page, font, columns, y, colWidths, fontSize, _isHeader) {
   let x = MARGIN;
   const rowH = fontSize + 6;
   for (let i = 0; i < columns.length; i++) {
     const text = columns[i];
     const lines = wrapText(text, font, fontSize, colWidths[i] - 4);
     for (let j = 0; j < lines.length; j++) {
-      page.drawText(lines[j], { x: x + 2, y: y - (j * fontSize) - 2, size: fontSize, font, color: rgb(0, 0, 0) });
+      page.drawText(lines[j], {
+        x: x + 2,
+        y: y - j * fontSize - 2,
+        size: fontSize,
+        font,
+        color: rgb(0, 0, 0),
+      });
     }
     x += colWidths[i];
   }
@@ -55,7 +70,12 @@ function drawTableRow(page, font, columns, y, colWidths, fontSize, isHeader) {
 
 function drawPageHeader(page, font, text, y) {
   page.drawText(text, { x: MARGIN, y, size: 14, font, color: rgb(0.2, 0.2, 0.2) });
-  page.drawLine({ start: { x: MARGIN, y: y - 4 }, end: { x: PAGE_W - MARGIN, y: y - 4 }, thickness: 1, color: rgb(0.7, 0.7, 0.7) });
+  page.drawLine({
+    start: { x: MARGIN, y: y - 4 },
+    end: { x: PAGE_W - MARGIN, y: y - 4 },
+    thickness: 1,
+    color: rgb(0.7, 0.7, 0.7),
+  });
   return y - 20;
 }
 
@@ -68,8 +88,10 @@ export async function generatePDF(scans) {
   const sevCounts = { critical: 0, high: 0, medium: 0, low: 0 };
   let totalFindings = 0;
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      if (sevCounts[f.severity] !== undefined) sevCounts[f.severity]++;
+    for (const f of s.findings || []) {
+      if (sevCounts[f.severity] !== undefined) {
+        sevCounts[f.severity]++;
+      }
       totalFindings++;
     }
   }
@@ -80,20 +102,41 @@ export async function generatePDF(scans) {
 
   page.drawText('npm-scan Report', { x: MARGIN, y, size: 24, font: boldFont, color: rgb(0, 0, 0) });
   y -= 30;
-  page.drawText(`Generated: ${new Date().toISOString()}`, { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) });
+  page.drawText(`Generated: ${new Date().toISOString()}`, {
+    x: MARGIN,
+    y,
+    size: 10,
+    font,
+    color: rgb(0.4, 0.4, 0.4),
+  });
   y -= 14;
-  page.drawText(`Version: ${version}  |  Packages scanned: ${scans.length}  |  Total findings: ${totalFindings}`, { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) });
+  page.drawText(
+    `Version: ${version}  |  Packages scanned: ${scans.length}  |  Total findings: ${totalFindings}`,
+    { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) }
+  );
   y -= 30;
 
   // Severity summary
-  page.drawText('Severity Summary', { x: MARGIN, y, size: 14, font: boldFont, color: rgb(0, 0, 0) });
+  page.drawText('Severity Summary', {
+    x: MARGIN,
+    y,
+    size: 14,
+    font: boldFont,
+    color: rgb(0, 0, 0),
+  });
   y -= 20;
 
   for (const sev of SEV_ORDER) {
     const count = sevCounts[sev] || 0;
     const color = SEV_COLORS[sev] || rgb(0, 0, 0);
     page.drawCircle({ x: MARGIN + 6, y: y - 4, size: 4, color });
-    page.drawText(`${sev}: ${count}`, { x: MARGIN + 16, y: y - 8, size: 11, font, color: rgb(0, 0, 0) });
+    page.drawText(`${sev}: ${count}`, {
+      x: MARGIN + 16,
+      y: y - 8,
+      size: 11,
+      font,
+      color: rgb(0, 0, 0),
+    });
     y -= 18;
   }
 
@@ -102,15 +145,33 @@ export async function generatePDF(scans) {
   // Per-package summary
   for (const s of scans) {
     const findings = s.findings || [];
-    if (y < MARGIN + 60) { page = doc.addPage([PAGE_W, PAGE_H]); y = PAGE_H - MARGIN; }
+    if (y < MARGIN + 60) {
+      page = doc.addPage([PAGE_W, PAGE_H]);
+      y = PAGE_H - MARGIN;
+    }
 
-    page.drawText(`${s.package_name}@${s.version || 'unknown'}`, { x: MARGIN, y, size: 12, font: boldFont, color: rgb(0, 0, 0) });
+    page.drawText(`${s.package_name}@${s.version || 'unknown'}`, {
+      x: MARGIN,
+      y,
+      size: 12,
+      font: boldFont,
+      color: rgb(0, 0, 0),
+    });
     y -= 16;
-    page.drawText(`  ${findings.length} findings`, { x: MARGIN, y, size: 10, font, color: rgb(0.4, 0.4, 0.4) });
+    page.drawText(`  ${findings.length} findings`, {
+      x: MARGIN,
+      y,
+      size: 10,
+      font,
+      color: rgb(0.4, 0.4, 0.4),
+    });
     y -= 14;
 
     for (const f of findings) {
-      if (y < MARGIN + 20) { page = doc.addPage([PAGE_W, PAGE_H]); y = PAGE_H - MARGIN; }
+      if (y < MARGIN + 20) {
+        page = doc.addPage([PAGE_W, PAGE_H]);
+        y = PAGE_H - MARGIN;
+      }
       const sevColor = SEV_COLORS[f.severity] || rgb(0, 0, 0);
       page.drawCircle({ x: MARGIN + 3, y: y + 2, size: 3, color: sevColor });
       const line = `${f.atk_id || f.id}  ${f.severity}  ${(f.description || f.title || '').slice(0, 70)}`;
@@ -136,8 +197,8 @@ export async function generatePDF(scans) {
   }
   y -= 16;
 
-  lineLoop: for (const s of scans) {
-    for (const f of (s.findings || [])) {
+  for (const s of scans) {
+    for (const f of s.findings || []) {
       if (y < MARGIN + 20) {
         page = doc.addPage([PAGE_W, PAGE_H]);
         y = PAGE_H - MARGIN;
@@ -156,10 +217,12 @@ export async function generatePDF(scans) {
       let maxLines = 1;
       for (let i = 0; i < rowData.length; i++) {
         const lines = wrapText(rowData[i], font, 9, colWidths[i] - 4);
-        if (lines.length > maxLines) maxLines = lines.length;
+        if (lines.length > maxLines) {
+          maxLines = lines.length;
+        }
       }
 
-      if (y - (maxLines * 11) < MARGIN) {
+      if (y - maxLines * 11 < MARGIN) {
         page = doc.addPage([PAGE_W, PAGE_H]);
         y = PAGE_H - MARGIN;
         y = drawPageHeader(page, boldFont, 'All Findings (continued)', y);
@@ -172,14 +235,19 @@ export async function generatePDF(scans) {
         const lines = wrapText(rowData[i], font, 9, colWidths[i] - 4);
         for (let j = 0; j < lines.length; j++) {
           const color = i === 1 && SEV_COLORS[f.severity] ? SEV_COLORS[f.severity] : rgb(0, 0, 0);
-          page.drawText(lines[j], { x: x + 2, y: rowY - (j * 11) - 2, size: 9, font, color });
+          page.drawText(lines[j], { x: x + 2, y: rowY - j * 11 - 2, size: 9, font, color });
         }
         x += colWidths[i];
       }
 
       const lineY = rowY + 2;
-      page.drawLine({ start: { x: MARGIN, y: lineY }, end: { x: PAGE_W - MARGIN, y: lineY }, thickness: 0.5, color: rgb(0.85, 0.85, 0.85) });
-      y = rowY - (maxLines * 11) - 4;
+      page.drawLine({
+        start: { x: MARGIN, y: lineY },
+        end: { x: PAGE_W - MARGIN, y: lineY },
+        thickness: 0.5,
+        color: rgb(0.85, 0.85, 0.85),
+      });
+      y = rowY - maxLines * 11 - 4;
     }
   }
 
@@ -200,9 +268,11 @@ export async function generatePDF(scans) {
 
   const atkMap = {};
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const key = f.atk_id || f.id;
-      if (!atkMap[key]) atkMap[key] = [];
+      if (!atkMap[key]) {
+        atkMap[key] = [];
+      }
       atkMap[key].push(f);
     }
   }
@@ -228,16 +298,25 @@ export async function generatePDF(scans) {
       x += rowWidths[i];
     }
 
-    page.drawLine({ start: { x: MARGIN, y: y + 4 }, end: { x: PAGE_W - MARGIN, y: y + 4 }, thickness: 0.5, color: rgb(0.85, 0.85, 0.85) });
+    page.drawLine({
+      start: { x: MARGIN, y: y + 4 },
+      end: { x: PAGE_W - MARGIN, y: y + 4 },
+      thickness: 0.5,
+      color: rgb(0.85, 0.85, 0.85),
+    });
     y -= 18;
   }
 
   // Footer
   const pages = doc.getPages();
   for (const p of pages) {
-    const { width } = p.getSize();
+    const { width: _width } = p.getSize();
     p.drawText(`npm-scan v${version} | Apache-2.0 + Commons Clause`, {
-      x: MARGIN, y: 20, size: 8, font, color: rgb(0.6, 0.6, 0.6),
+      x: MARGIN,
+      y: 20,
+      size: 8,
+      font,
+      color: rgb(0.6, 0.6, 0.6),
     });
   }