@lateos/npm-scan 1.0.0 → 1.1.0

package/backend/cra.js

@@ -1,32 +1,124 @@
 export function generateCRA(scans) {
   const atkMap = {};
   for (const s of scans) {
-    for (const f of (s.findings || [])) {
+    for (const f of s.findings || []) {
       const key = f.atk_id || f.id;
-      if (!atkMap[key]) atkMap[key] = [];
+      if (!atkMap[key]) {
+        atkMap[key] = [];
+      }
       atkMap[key].push({ ...f, package_name: s.package_name, version: s.version });
     }
   }
 
   const CRA_ARTICLES = [
-    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-001', desc: 'Lifecycle hooks used for insecure defaults' },
-    { article: 'Art. 7', title: 'Secure by default configuration', atkId: 'ATK-010', desc: 'Anti-analysis in default state' },
-    { article: 'Art. 10(1)', title: 'Vulnerability disclosure', atkId: 'ATK-008', desc: 'Tarball integrity prevents disclosure accuracy' },
-    { article: 'Art. 10(2)', title: 'Known vulnerability reporting', atkId: 'ATK-006', desc: 'Dependency confusion undermines visibility' },
-    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-008', desc: 'Integrity of SBOM entries must be verified' },
-    { article: 'Art. 11', title: 'Software Bill of Materials', atkId: 'ATK-006', desc: 'SBOM must reflect actual dependency graph' },
-    { article: 'Annex I(1.1)', title: 'No known exploitable vulnerabilities', atkId: 'ATK-009', desc: 'Conditional triggers may activate known vulns' },
-    { article: 'Annex I(1.3)', title: 'Least privilege', atkId: 'ATK-003', desc: 'Credential harvesting violates least privilege' },
-    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-002', desc: 'Obfuscation increases attack surface' },
-    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-004', desc: 'Persistence mechanisms expand attack surface' },
-    { article: 'Annex I(1.5)', title: 'Limited attack surface', atkId: 'ATK-005', desc: 'Network exfiltration expands attack surface' },
-    { article: 'Annex I(2.1)', title: 'Protection against unauthorized access', atkId: 'ATK-003', desc: 'Credential harvesting enables unauthorized access' },
-    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-008', desc: 'Tarball tampering violates data integrity' },
-    { article: 'Annex I(2.3)', title: 'Data integrity', atkId: 'ATK-011', desc: 'Propagation attacks compromise data integrity' },
-    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-009', desc: 'Conditional triggers evade incident detection' },
-    { article: 'Annex I(3.2)', title: 'Incident detection and reporting', atkId: 'ATK-010', desc: 'Sandbox evasion defeats incident detection' },
-    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-011', desc: 'Propagation requires SC monitoring' },
-    { article: 'Annex I(3.3)', title: 'Supply chain security monitoring', atkId: 'ATK-007', desc: 'Typosquatting undermines SC trust' },
+    {
+      article: 'Art. 7',
+      title: 'Secure by default configuration',
+      atkId: 'ATK-001',
+      desc: 'Lifecycle hooks used for insecure defaults',
+    },
+    {
+      article: 'Art. 7',
+      title: 'Secure by default configuration',
+      atkId: 'ATK-010',
+      desc: 'Anti-analysis in default state',
+    },
+    {
+      article: 'Art. 10(1)',
+      title: 'Vulnerability disclosure',
+      atkId: 'ATK-008',
+      desc: 'Tarball integrity prevents disclosure accuracy',
+    },
+    {
+      article: 'Art. 10(2)',
+      title: 'Known vulnerability reporting',
+      atkId: 'ATK-006',
+      desc: 'Dependency confusion undermines visibility',
+    },
+    {
+      article: 'Art. 11',
+      title: 'Software Bill of Materials',
+      atkId: 'ATK-008',
+      desc: 'Integrity of SBOM entries must be verified',
+    },
+    {
+      article: 'Art. 11',
+      title: 'Software Bill of Materials',
+      atkId: 'ATK-006',
+      desc: 'SBOM must reflect actual dependency graph',
+    },
+    {
+      article: 'Annex I(1.1)',
+      title: 'No known exploitable vulnerabilities',
+      atkId: 'ATK-009',
+      desc: 'Conditional triggers may activate known vulns',
+    },
+    {
+      article: 'Annex I(1.3)',
+      title: 'Least privilege',
+      atkId: 'ATK-003',
+      desc: 'Credential harvesting violates least privilege',
+    },
+    {
+      article: 'Annex I(1.5)',
+      title: 'Limited attack surface',
+      atkId: 'ATK-002',
+      desc: 'Obfuscation increases attack surface',
+    },
+    {
+      article: 'Annex I(1.5)',
+      title: 'Limited attack surface',
+      atkId: 'ATK-004',
+      desc: 'Persistence mechanisms expand attack surface',
+    },
+    {
+      article: 'Annex I(1.5)',
+      title: 'Limited attack surface',
+      atkId: 'ATK-005',
+      desc: 'Network exfiltration expands attack surface',
+    },
+    {
+      article: 'Annex I(2.1)',
+      title: 'Protection against unauthorized access',
+      atkId: 'ATK-003',
+      desc: 'Credential harvesting enables unauthorized access',
+    },
+    {
+      article: 'Annex I(2.3)',
+      title: 'Data integrity',
+      atkId: 'ATK-008',
+      desc: 'Tarball tampering violates data integrity',
+    },
+    {
+      article: 'Annex I(2.3)',
+      title: 'Data integrity',
+      atkId: 'ATK-011',
+      desc: 'Propagation attacks compromise data integrity',
+    },
+    {
+      article: 'Annex I(3.2)',
+      title: 'Incident detection and reporting',
+      atkId: 'ATK-009',
+      desc: 'Conditional triggers evade incident detection',
+    },
+    {
+      article: 'Annex I(3.2)',
+      title: 'Incident detection and reporting',
+      atkId: 'ATK-010',
+      desc: 'Sandbox evasion defeats incident detection',
+    },
+    {
+      article: 'Annex I(3.3)',
+      title: 'Supply chain security monitoring',
+      atkId: 'ATK-011',
+      desc: 'Propagation requires SC monitoring',
+    },
+    {
+      article: 'Annex I(3.3)',
+      title: 'Supply chain security monitoring',
+      atkId: 'ATK-007',
+      desc: 'Typosquatting undermines SC trust',
+    },
   ];
 
   let rows = '';
@@ -66,4 +158,4 @@ th { background: #161b22; }
 ${body}
 <p class="meta">EU Cyber Resilience Act (Regulation 2023/2841) mapped to ATK findings.</p>
 </body></html>`;
-}
+}

package/backend/db.js

@@ -11,8 +11,12 @@ let db = null;
 let initPromise = null;
 
 async function ensureInit() {
-  if (db) return;
-  if (initPromise) return initPromise;
+  if (db) {
+    return;
+  }
+  if (initPromise) {
+    return initPromise;
+  }
   initPromise = (async () => {
     const SQL = await initSqlJs();
     if (fs.existsSync(DB_PATH)) {
@@ -29,7 +33,9 @@ async function ensureInit() {
 
 function queryAll(sql, params = []) {
   const stmt = db.prepare(sql);
-  if (params.length) stmt.bind(params);
+  if (params.length) {
+    stmt.bind(params);
+  }
   const rows = [];
   while (stmt.step()) {
     rows.push(stmt.getAsObject());
@@ -43,7 +49,7 @@ function queryOne(sql, params = []) {
 }
 
 function lastId() {
-  const r = db.exec("SELECT last_insert_rowid()");
+  const r = db.exec('SELECT last_insert_rowid()');
   return Number(r[0].values[0][0]);
 }
 
@@ -53,9 +59,11 @@ function persist() {
 
 export async function saveScan(pkgName, version = 'latest', findings = []) {
   await ensureInit();
-  db.run("INSERT INTO scans (package_name, version) VALUES (?, ?)", [pkgName, version]);
+  db.run('INSERT INTO scans (package_name, version) VALUES (?, ?)', [pkgName, version]);
   const scanId = lastId();
-  const stmt = db.prepare("INSERT INTO findings (scan_id, atk_id, severity, description, evidence) VALUES (?, ?, ?, ?, ?)");
+  const stmt = db.prepare(
+    'INSERT INTO findings (scan_id, atk_id, severity, description, evidence) VALUES (?, ?, ?, ?, ?)'
+  );
   for (const f of findings) {
     stmt.run([scanId, f.id, f.severity, f.title || f.description, f.evidence || '']);
   }
@@ -66,17 +74,17 @@ export async function saveScan(pkgName, version = 'latest', findings = []) {
 
 export async function getRecentScans(limit = 10) {
   await ensureInit();
-  return queryAll("SELECT * FROM scans ORDER BY scanned_at DESC LIMIT ?", [limit]);
+  return queryAll('SELECT * FROM scans ORDER BY scanned_at DESC LIMIT ?', [limit]);
 }
 
 export async function getFindings(scanId) {
   await ensureInit();
-  return queryAll("SELECT * FROM findings WHERE scan_id = ?", [scanId]);
+  return queryAll('SELECT * FROM findings WHERE scan_id = ?', [scanId]);
 }
 
 export async function getScan(scanId) {
   await ensureInit();
-  return queryOne("SELECT * FROM scans WHERE id = ?", [scanId]);
+  return queryOne('SELECT * FROM scans WHERE id = ?', [scanId]);
 }
 
 export async function close() {
@@ -86,4 +94,4 @@ export async function close() {
     db = null;
     initPromise = null;
   }
-}
+}

package/backend/detectors/atk-001-lifecycle.js

@@ -1,18 +1,18 @@
-export async function scan(pkgJson, files = []) {
+export async function scan(pkgJson, _files = []) {
   const findings = [];
   const scripts = pkgJson.scripts || {};
-  const suspicious = Object.keys(scripts).filter(s => /pre|post|install/i.test(s));
+  const suspicious = Object.keys(scripts).filter((s) => /pre|post|install/i.test(s));
   if (suspicious.length) {
-    const content = suspicious.map(s => scripts[s]).join(' ');
+    const content = suspicious.map((s) => scripts[s]).join(' ');
     if (/curl|wget|sh |bash |\.sh|exfil|steal|pwn|c2|pastebin/i.test(content)) {
       findings.push({
         id: 'ATK-001',
         severity: 'high',
         title: 'Malicious lifecycle scripts',
         description: 'Suspicious install hooks',
-        evidence: suspicious.join(', ')
+        evidence: suspicious.join(', '),
       });
     }
   }
   return findings;
-}
+}

package/backend/detectors/atk-002-obfusc.js

@@ -1,12 +1,43 @@
-const DIST_BUILD_PATTERNS = [/\/dist\//, /\/build\//, /\/bundle/, /\/min\//, /\.min\.js$/, /\.bundled?\.js$/];
-const TEST_FIXTURE_PATTERNS = [/\/test\//, /\/tests\//, /\/__tests__\//, /\/spec\//, /\.test\.js$/, /\.spec\.js$/, /fixtures?/];
+const DIST_BUILD_PATTERNS = [
+  /\/dist\//,
+  /\/build\//,
+  /\/bundle/,
+  /\/min\//,
+  /\.min\.js$/,
+  /\.bundled?\.js$/,
+];
+const TEST_FIXTURE_PATTERNS = [
+  /\/test\//,
+  /\/tests\//,
+  /\/__tests__\//,
+  /\/spec\//,
+  /\.test\.js$/,
+  /\.spec\.js$/,
+  /fixtures?/,
+];
 const KNOWN_SAFE_DOMAINS = [
-  'registry.npmjs.org', 'cdn.jsdelivr.net', 'unpkg.com', 'cdn.skypack.dev',
-  'esm.sh', 'deno.land', 'raw.githubusercontent.com', 'github.com',
-  'npmjs.com', 'nodejs.org', 'v8.dev', 'typescriptlang.org'
+  'registry.npmjs.org',
+  'cdn.jsdelivr.net',
+  'unpkg.com',
+  'cdn.skypack.dev',
+  'esm.sh',
+  'deno.land',
+  'raw.githubusercontent.com',
+  'github.com',
+  'npmjs.com',
+  'nodejs.org',
+  'v8.dev',
+  'typescriptlang.org',
 ];
 
-const LIFECYCLE_SCRIPT_NAMES = ['install', 'postinstall', 'preinstall', 'prepare', 'prepack', 'postpack'];
+const LIFECYCLE_SCRIPT_NAMES = [
+  'install',
+  'postinstall',
+  'preinstall',
+  'prepare',
+  'prepack',
+  'postpack',
+];
 
 function extractUrlDomain(code) {
   const urlMatch = code.match(/https?:\/\/([^/'"\s]+)/);
@@ -14,22 +45,26 @@ function extractUrlDomain(code) {
 }
 
 function isDistOrBuild(filePath) {
-  return DIST_BUILD_PATTERNS.some(p => p.test(filePath));
+  return DIST_BUILD_PATTERNS.some((p) => p.test(filePath));
 }
 
 function isTestOrFixture(filePath) {
-  return TEST_FIXTURE_PATTERNS.some(p => p.test(filePath));
+  return TEST_FIXTURE_PATTERNS.some((p) => p.test(filePath));
 }
 
 function isKnownSafeDomain(domain) {
-  if (!domain) return false;
-  return KNOWN_SAFE_DOMAINS.some(safe => domain === safe || domain.endsWith('.' + safe));
+  if (!domain) {
+    return false;
+  }
+  return KNOWN_SAFE_DOMAINS.some((safe) => domain === safe || domain.endsWith('.' + safe));
 }
 
 function locateLine(code, pattern) {
   const lines = code.split('\n');
   for (let i = 0; i < lines.length; i++) {
-    if (pattern.test(lines[i])) return i + 1;
+    if (pattern.test(lines[i])) {
+      return i + 1;
+    }
   }
   return null;
 }
@@ -40,65 +75,96 @@ function decodePreview(code) {
     try {
       const decoded = atob(b64Match[1]);
       return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
-    } catch {}
+    } catch {
+      /* ignore decode errors */
+    }
   }
-  
+
   const hexMatch = code.match(/Buffer\.from\(['"]([0-9a-fA-F]+)['"],\s*['"]hex['"]\)/);
   if (hexMatch) {
     try {
       const decoded = Buffer.from(hexMatch[1], 'hex').toString();
       return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
-    } catch {}
+    } catch {
+      /* ignore decode errors */
+    }
   }
-  
+
   const btoaMatch = code.match(/btoa\(['"]([A-Za-z0-9+/=]{10,})['"]\)/);
   if (btoaMatch) {
     try {
       const decoded = atob(btoaMatch[1]);
       return decoded.length > 80 ? decoded.slice(0, 80) + '...' : decoded;
-    } catch {}
+    } catch {
+      /* ignore decode errors */
+    }
   }
-  
+
   return null;
 }
 
 function detectEncodingType(code) {
-  if (/Buffer\.from\(['"][0-9a-fA-F]+['"],\s*['"]hex['"]\)/.test(code)) return 'hex';
-  if (/atob\(/.test(code)) return 'base64';
-  if (/btoa\(/.test(code)) return 'base64';
-  if (/Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code)) return 'base64';
-  if (/String\.fromCharCode\(/.test(code)) return 'charcode';
-  if (/btoa\(.*btoa\(|atob\(.*atob\(/.test(code)) return 'double-base64';
+  if (/Buffer\.from\(['"][0-9a-fA-F]+['"],\s*['"]hex['"]\)/.test(code)) {
+    return 'hex';
+  }
+  if (/atob\(/.test(code)) {
+    return 'base64';
+  }
+  if (/btoa\(/.test(code)) {
+    return 'base64';
+  }
+  if (/Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code)) {
+    return 'base64';
+  }
+  if (/String\.fromCharCode\(/.test(code)) {
+    return 'charcode';
+  }
+  if (/btoa\(.*btoa\(|atob\(.*atob\(/.test(code)) {
+    return 'double-base64';
+  }
   return 'unknown';
 }
 
 function isFileInLifecycleScript(filePath, pkgJson) {
-  if (!pkgJson?.scripts) return false;
-  
+  if (!pkgJson?.scripts) {
+    return false;
+  }
+
   const scripts = pkgJson.scripts;
   const fileName = filePath.split('/').pop();
-  const normalizedPath = filePath.replace(/^node_modules\//, '').replace(/^dist\//, '').replace(/^build\//, '');
-  
+  const normalizedPath = filePath
+    .replace(/^node_modules\//, '')
+    .replace(/^dist\//, '')
+    .replace(/^build\//, '');
+
   for (const scriptName of LIFECYCLE_SCRIPT_NAMES) {
     const scriptValue = scripts[scriptName];
-    if (!scriptValue) continue;
-    
-    if (scriptValue.includes(filePath)) return true;
-    if (scriptValue.includes(fileName)) return true;
-    if (scriptValue.includes(normalizedPath)) return true;
-    
+    if (!scriptValue) {
+      continue;
+    }
+
+    if (scriptValue.includes(filePath)) {
+      return true;
+    }
+    if (scriptValue.includes(fileName)) {
+      return true;
+    }
+    if (scriptValue.includes(normalizedPath)) {
+      return true;
+    }
+
     const scriptFileMatch = scriptValue.match(/[^\s'"]+\.js$/);
-    if (scriptFileMatch && filePath.endsWith(scriptFileMatch[0])) return true;
+    if (scriptFileMatch && filePath.endsWith(scriptFileMatch[0])) {
+      return true;
+    }
   }
-  
+
   return false;
 }
 
 function isLikelyLifecycleFileName(filePath) {
   const name = filePath.split('/').pop().replace(/\.js$/, '');
-  return LIFECYCLE_SCRIPT_NAMES.includes(name) || 
-         name === 'setup' || 
-         name === 'install-helper';
+  return LIFECYCLE_SCRIPT_NAMES.includes(name) || name === 'setup' || name === 'install-helper';
 }
 
 function createEvidence(code, filePath, pattern, pkgJson) {
@@ -106,8 +172,9 @@ function createEvidence(code, filePath, pattern, pkgJson) {
   const line = locateLine(code, pattern);
   const decodedPreview = decodePreview(code);
   const destinationHost = extractUrlDomain(code);
-  const lifecycleHook = isFileInLifecycleScript(filePath, pkgJson) || isLikelyLifecycleFileName(filePath);
-  
+  const lifecycleHook =
+    isFileInLifecycleScript(filePath, pkgJson) || isLikelyLifecycleFileName(filePath);
+
   return {
     file: filePath,
     line: line,
@@ -121,7 +188,7 @@ function createEvidence(code, filePath, pattern, pkgJson) {
 export async function scan(pkgJson, files = []) {
   const findings = [];
   const pkgName = pkgJson?.name || '';
-  const selfName = pkgName.replace(/^@/, '').replace(/\//, '-');
+  const _selfName = pkgName.replace(/^@/, '').replace(/\//, '-');
 
   for (const f of files) {
     const code = f.content;
@@ -137,15 +204,23 @@ export async function scan(pkgJson, files = []) {
     if (hasEval) {
       const hexDecode = /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"]/.test(code);
       const b64Decode = /atob\(|Buffer\.from\([A-Za-z0-9+/=]{10,}/.test(code);
-      const b64UrlDecode = /try\s*\{[^}]*atob\s*\(/s.test(code) || /btoa\(.*\)\s*[^;]*\.replace\(/s.test(code);
+      const b64UrlDecode =
+        /try\s*\{[^}]*atob\s*\(/s.test(code) || /btoa\(.*\)\s*[^;]*\.replace\(/s.test(code);
 
       if (hexDecode || b64Decode || b64UrlDecode) {
-        const evidence = createEvidence(code, filePath, /eval\(|new Function\(|\bFunction\('/, pkgJson);
+        const evidence = createEvidence(
+          code,
+          filePath,
+          /eval\(|new Function\(|\bFunction\('/,
+          pkgJson
+        );
         findings.push({
           id: 'ATK-002',
           severity: 'medium',
           title: 'Obfuscated payload',
-          description: hexDecode ? 'Eval with hex-decoded payload' : 'Eval with base64-decoded payload',
+          description: hexDecode
+            ? 'Eval with hex-decoded payload'
+            : 'Eval with base64-decoded payload',
           evidence: evidence,
           context: {
             file_path: filePath,
@@ -184,8 +259,12 @@ export async function scan(pkgJson, files = []) {
       }
     }
 
-    if (/atob\(|Buffer\.from/.test(code) && /url|fetch|curl|http\.request|https\.request/.test(code)) {
-      const isNetworkObfusc = /atob\(.*(https?:\/\/|\\x|http).*\)/s.test(code) ||
+    if (
+      /atob\(|Buffer\.from/.test(code) &&
+      /url|fetch|curl|http\.request|https\.request/.test(code)
+    ) {
+      const isNetworkObfusc =
+        /atob\(.*(https?:\/\/|\\x|http).*\)/s.test(code) ||
         /Buffer\.from\(['"`][0-9a-f]+['"`],\s*['"]hex['"].*fetch\(|fetch\(.*atob\(/s.test(code);
       if (isNetworkObfusc) {
         const evidence = createEvidence(code, filePath, /atob\(|Buffer\.from/, pkgJson);
@@ -259,4 +338,4 @@ export async function scan(pkgJson, files = []) {
   }
 
   return findings;
-}
+}

package/backend/detectors/atk-003-creds.js

@@ -1,14 +1,18 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
-  if (/process\.env\.(NPM_TOKEN|GIT_TOKEN|AWS_SECRET|AWS_ACCESS|SSH_KEY)|\.npmrc|\.ssh\/id_rsa|readFile.*\.ssh/.test(code)) {
+  const code = files.map((f) => f.content).join('\n');
+  if (
+    /process\.env\.(NPM_TOKEN|GIT_TOKEN|AWS_SECRET|AWS_ACCESS|SSH_KEY)|\.npmrc|\.ssh\/id_rsa|readFile.*\.ssh/.test(
+      code
+    )
+  ) {
     findings.push({
       id: 'ATK-003',
       severity: 'high',
       title: 'Credential harvesting',
       description: 'Env vars or .npmrc/SSH key access',
-      evidence: 'credential pattern match'
+      evidence: 'credential pattern match',
     });
   }
   return findings;
-}
+}

package/backend/detectors/atk-004-persist.js

@@ -1,14 +1,14 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
+  const code = files.map((f) => f.content).join('\n');
   if (/mkdir.*(\.vscode|\.claude|\.cursor)/.test(code)) {
     findings.push({
       id: 'ATK-004',
       severity: 'high',
       title: 'Persistence via editor configs',
       description: 'Creates .vscode/.claude/.cursor dirs',
-      evidence: 'mkdir pattern match'
+      evidence: 'mkdir pattern match',
     });
   }
   return findings;
-}
+}

package/backend/detectors/atk-005-exfil.js

@@ -1,14 +1,18 @@
 export async function scan(pkgJson, files = []) {
   const findings = [];
-  const code = files.map(f => f.content).join('\n');
-  if (/curl.*(-d|--data|--data-binary)|github\.com\/.*keys|pastebin|dns\.resolve.*\.com|exfil/.test(code.toLowerCase())) {
+  const code = files.map((f) => f.content).join('\n');
+  if (
+    /curl.*(-d|--data|--data-binary)|github\.com\/.*keys|pastebin|dns\.resolve.*\.com|exfil/.test(
+      code.toLowerCase()
+    )
+  ) {
     findings.push({
       id: 'ATK-005',
       severity: 'critical',
       title: 'Network exfiltration',
       description: 'Suspicious network calls: curl data exfil, pastebin, dns tunneling',
-      evidence: 'network exfil pattern'
+      evidence: 'network exfil pattern',
     });
   }
   return findings;
-}
+}

package/backend/detectors/atk-006-depconf.js

@@ -1,15 +1,15 @@
 export async function scan(pkgJson) {
   const findings = [];
   const deps = { ...pkgJson.dependencies, ...pkgJson.devDependencies };
-  const squat = Object.keys(deps).filter(d => /squat|confus|typo/i.test(d.toLowerCase()));
+  const squat = Object.keys(deps).filter((d) => /squat|confus|typo/i.test(d.toLowerCase()));
   if (squat.length) {
     findings.push({
       id: 'ATK-006',
       severity: 'medium',
       title: 'Dependency confusion',
       description: 'Suspicious dependency names',
-      evidence: squat.join(', ')
+      evidence: squat.join(', '),
     });
   }
   return findings;
-}
+}