@lateos/npm-scan 1.0.0 → 1.1.0

package/backend/detectors/cve-2026-48710-badhost/transitive.js

@@ -1,5 +1,12 @@
 import { transitiveDependencyFinding } from './findings.js';
-import { parseRequirementsTxt, parsePyprojectToml, parsePoetryLock, parsePipfile, parseSetupPy, parseSetupCfg } from './manifest.js';
+import {
+  parseRequirementsTxt,
+  parsePyprojectToml,
+  parsePoetryLock,
+  parsePipfile,
+  parseSetupPy,
+  parseSetupCfg,
+} from './manifest.js';
 
 const TIER_1_PACKAGES = [
   'fastapi',
@@ -22,29 +29,41 @@ const TIER_2_PACKAGES = [
 ];
 
 function normalizePkgName(name) {
-  return name.replace(/["'\[\]]/g, '').trim().toLowerCase();
+  return name
+    .replace(/["'[\]]/g, '')
+    .trim()
+    .toLowerCase();
 }
 
 function findPackagesInManifests(allFiles) {
   const packages = new Set();
 
-  for (const file of (allFiles || [])) {
+  for (const file of allFiles || []) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
 
-    let deps = [];
+    const deps = [];
 
     if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
       const lines = content.split('\n');
       for (const line of lines) {
         const trimmed = line.trim();
-        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
+        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) {
+          continue;
+        }
         const idx = trimmed.indexOf('#');
         const spec = idx >= 0 ? trimmed.slice(0, idx).trim() : trimmed;
         const eqIdx = spec.indexOf('==');
         const geIdx = spec.indexOf('>=');
-        const name = eqIdx >= 0 ? spec.slice(0, eqIdx).trim() : (geIdx >= 0 ? spec.slice(0, geIdx).trim() : spec);
+        const name =
+          eqIdx >= 0
+            ? spec.slice(0, eqIdx).trim()
+            : geIdx >= 0
+              ? spec.slice(0, geIdx).trim()
+              : spec;
         if (name && !name.includes('=') && !name.includes('<') && !name.includes('>')) {
           deps.push(normalizePkgName(name));
         }
@@ -52,11 +71,17 @@ function findPackagesInManifests(allFiles) {
     } else if (path === 'pyproject.toml') {
       try {
         const obj = JSON.parse(content);
-        const allDeps = { ...(obj?.tool?.poetry?.dependencies || {}), ...(obj?.dependencies || {}), ...(obj?.['dev-dependencies'] || {}) };
+        const allDeps = {
+          ...(obj?.tool?.poetry?.dependencies || {}),
+          ...(obj?.dependencies || {}),
+          ...(obj?.['dev-dependencies'] || {}),
+        };
         for (const key of Object.keys(allDeps)) {
           deps.push(normalizePkgName(key));
         }
-      } catch {}
+      } catch {
+        /* ignore parse errors */
+      }
     } else if (path === 'poetry.lock') {
       const pattern = /name\s*=\s*["']([^"']+)["']/g;
       let m;
@@ -69,18 +94,24 @@ function findPackagesInManifests(allFiles) {
         for (const key of Object.keys(obj?.packages || {})) {
           deps.push(normalizePkgName(key));
         }
-      } catch {}
+      } catch {
+        /* ignore parse errors */
+      }
+    }
+    for (const dep of deps) {
+      packages.add(dep);
     }
-    for (const dep of deps) packages.add(dep);
   }
 
   return packages;
 }
 
 function hasStarlettePin(allFiles) {
-  for (const file of (allFiles || [])) {
+  for (const file of allFiles || []) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
 
     let result = null;
@@ -99,10 +130,14 @@ function hasStarlettePin(allFiles) {
     }
 
     if (result) {
-      if (result.version === null && result.specifier === null) return false;
+      if (result.version === null && result.specifier === null) {
+        return false;
+      }
       const parsed = parsePEP440(result.version);
       const safe = parsePEP440('1.0.1');
-      if (parsed && compareVersions(parsed, safe) >= 0) return true;
+      if (parsed && compareVersions(parsed, safe) >= 0) {
+        return true;
+      }
     }
   }
 
@@ -110,7 +145,9 @@ function hasStarlettePin(allFiles) {
 }
 
 function parsePEP440(versionStr) {
-  if (!versionStr) return null;
+  if (!versionStr) {
+    return null;
+  }
   const clean = versionStr.trim().replace(/^v/, '');
   const parts = clean.split('.');
   return {
@@ -121,21 +158,33 @@ function parsePEP440(versionStr) {
 }
 
 function compareVersions(a, b) {
-  if (!a) return 1;
-  if (!b) return -1;
-  if (a.major !== b.major) return a.major - b.major;
-  if (a.minor !== b.minor) return a.minor - b.minor;
+  if (!a) {
+    return 1;
+  }
+  if (!b) {
+    return -1;
+  }
+  if (a.major !== b.major) {
+    return a.major - b.major;
+  }
+  if (a.minor !== b.minor) {
+    return a.minor - b.minor;
+  }
   return a.patch - b.patch;
 }
 
 export function scanTransitive(allFiles) {
   const findings = [];
 
-  if (!allFiles || allFiles.length === 0) return findings;
+  if (!allFiles || allFiles.length === 0) {
+    return findings;
+  }
 
   const packages = findPackagesInManifests(allFiles);
 
-  if (hasStarlettePin(allFiles)) return findings;
+  if (hasStarlettePin(allFiles)) {
+    return findings;
+  }
 
   const handled = new Set();
 
@@ -147,7 +196,9 @@ export function scanTransitive(allFiles) {
         if (version) {
           const parsed = parsePEP440(version);
           const safeFastapi = parsePEP440('0.116.0');
-          if (parsed && compareVersions(parsed, safeFastapi) >= 0) continue;
+          if (parsed && compareVersions(parsed, safeFastapi) >= 0) {
+            continue;
+          }
         }
       }
       findings.push(transitiveDependencyFinding(pkg, 1));
@@ -157,7 +208,9 @@ export function scanTransitive(allFiles) {
 
   if (findings.length === 0) {
     for (const pkg of packages) {
-      if (handled.has(pkg)) continue;
+      if (handled.has(pkg)) {
+        continue;
+      }
       if (TIER_2_PACKAGES.includes(pkg)) {
         findings.push(transitiveDependencyFinding(pkg, 2));
         break;
@@ -169,18 +222,24 @@ export function scanTransitive(allFiles) {
 }
 
 function findFastapiVersion(allFiles) {
-  for (const file of (allFiles || [])) {
+  for (const file of allFiles || []) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
     if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
       const lines = content.split('\n');
       for (const line of lines) {
         const trimmed = line.trim();
-        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
+        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) {
+          continue;
+        }
         if (trimmed.startsWith('fastapi')) {
           const eqIdx = trimmed.indexOf('==');
-          if (eqIdx >= 0) return trimmed.slice(eqIdx + 2).trim();
+          if (eqIdx >= 0) {
+            return trimmed.slice(eqIdx + 2).trim();
+          }
         }
       }
     }

package/backend/detectors/hf-impersonation/index.js

@@ -2,7 +2,7 @@ import { KNOWN_HF_ORGS } from './known-orgs.js';
 import { jaroWinkler } from './jaro-winkler.js';
 import { simhash, similarity as simhashSimilarity } from './simhash.js';
 
-const HF_URL_PATTERN = /(?:huggingface\.co|hf\.co)\/([^\/\s"'>]+)\/([^\/\s"'>]+)/g;
+const HF_URL_PATTERN = /(?:huggingface\.co|hf\.co)\/([^/\s"'>]+)\/([^/\s"'>]+)/g;
 const FROM_PRETRAINED_PATTERN = /from_pretrained\(\s*["']([^"']+\/[^"']+)["']/g;
 const HUB_DOWNLOAD_SINGLE = /hub\.download\(\s*["']([^"']+\/[^"']+)["']/g;
 const HUB_DOWNLOAD_DOUBLE = /hub\.download\(\s*["']([^"']+)["']\s*,\s*["']([^"']+)["']/g;
@@ -11,9 +11,15 @@ const LIFECYCLE_SCRIPTS = new Set(['postinstall', 'prepare', 'install']);
 const API_BASE = 'https://huggingface.co';
 
 const SEVERITY_SCORE = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
-const SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical'];
-
-const HF_ARTIFACT_LIBS = new Set(['transformers', 'diffusers', 'sentence-transformers', 'gguf', 'safetensors']);
+const _SEVERITY_LABELS = ['none', 'low', 'medium', 'high', 'critical'];
+
+const HF_ARTIFACT_LIBS = new Set([
+  'transformers',
+  'diffusers',
+  'sentence-transformers',
+  'gguf',
+  'safetensors',
+]);
 const SUSPICIOUS_EXTENSIONS = /\.(exe|msi|bat|ps1|dll)$/i;
 
 const _cache = new Map();
@@ -24,12 +30,12 @@ function severityIndex(sev) {
   return SEVERITY_SCORE[sev] || 0;
 }
 
-function maxSeverity(a, b) {
+function _maxSeverity(a, b) {
   return severityIndex(a) >= severityIndex(b) ? a : b;
 }
 
 function sleep(ms) {
-  return new Promise(r => setTimeout(r, ms));
+  return new Promise((r) => setTimeout(r, ms));
 }
 
 async function fetchWithCache(url) {
@@ -81,12 +87,16 @@ async function fetchReadme(url) {
       const retryAfter = parseInt(res.headers.get('Retry-After') || '5', 10);
       await sleep(retryAfter * 1000);
       const retryRes = await fetch(url);
-      if (!retryRes.ok) return null;
+      if (!retryRes.ok) {
+        return null;
+      }
       const text = await retryRes.text();
       _cache.set(url, { data: text, fetchedAt: Date.now() });
       return text;
     }
-    if (!res.ok) return null;
+    if (!res.ok) {
+      return null;
+    }
     const text = await res.text();
     _cache.set(url, { data: text, fetchedAt: Date.now() });
     return text;
@@ -115,7 +125,9 @@ function extractHFTuples(pkgJson, allFiles) {
   const scripts = pkgJson?.scripts || {};
   let m;
   for (const [hook, script] of Object.entries(scripts)) {
-    if (typeof script !== 'string') continue;
+    if (typeof script !== 'string') {
+      continue;
+    }
 
     HF_URL_PATTERN.lastIndex = 0;
     while ((m = HF_URL_PATTERN.exec(script)) !== null) {
@@ -152,7 +164,9 @@ function extractHFTuples(pkgJson, allFiles) {
 
   if (allFiles) {
     for (const file of allFiles) {
-      if (!file.path?.match(/\.(js|ts|jsx|tsx|mjs|cjs)$/i)) continue;
+      if (!file.path?.match(/\.(js|ts|jsx|tsx|mjs|cjs)$/i)) {
+        continue;
+      }
       const content = typeof file.content === 'string' ? file.content : '';
 
       HF_URL_PATTERN.lastIndex = 0;
@@ -180,7 +194,15 @@ function extractHFTuples(pkgJson, allFiles) {
   return { tuples, postinstallFetchFlag };
 }
 
-function buildHFOrgSpoofFinding(referencedRepo, org, canonicalOrg, similarityScore, postinstallFetchFlag, tags, hfMeta) {
+function buildHFOrgSpoofFinding(
+  referencedRepo,
+  org,
+  canonicalOrg,
+  similarityScore,
+  postinstallFetchFlag,
+  tags,
+  hfMeta
+) {
   const finding = {
     id: 'HF_ORG_SPOOF',
     severity: 'high',
@@ -207,16 +229,22 @@ function buildHFOrgSpoofFinding(referencedRepo, org, canonicalOrg, similaritySco
 async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
   const newFindings = [];
 
-  for (const [referencedRepo, { org, canonicalOrg, similarityScore, finding }] of orgsToCheck) {
+  for (const [
+    referencedRepo,
+    { org, canonicalOrg, similarityScore: _similarityScore, finding: _finding },
+  ] of orgsToCheck) {
     const tags = [];
     let hfMeta = null;
 
     const modelUrl = `${API_BASE}/api/models/${referencedRepo}`;
-    const canonicalUrl = canonicalOrg.org !== org ? `${API_BASE}/api/models/${canonicalOrg.org}/${referencedRepo.split('/')[1]}` : null;
+    const canonicalUrl =
+      canonicalOrg.org !== org
+        ? `${API_BASE}/api/models/${canonicalOrg.org}/${referencedRepo.split('/')[1]}`
+        : null;
     const userUrl = `${API_BASE}/api/users/${org}`;
 
     const spoofedModel = await fetchWithCache(modelUrl);
-    const canonicalModel = canonicalUrl ? await fetchWithCache(canonicalUrl) : null;
+    const _canonicalModel = canonicalUrl ? await fetchWithCache(canonicalUrl) : null;
     const userData = await fetchWithCache(userUrl);
 
     // Org age check for NEW_ORG tag
@@ -235,7 +263,9 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
     // README clone check
     if (canonicalOrg.org !== org) {
       const readmeSpoof = await fetchReadme(`${API_BASE}/${referencedRepo}/resolve/main/README.md`);
-      const readmeCanonical = await fetchReadme(`${API_BASE}/${canonicalOrg.org}/${referencedRepo.split('/')[1]}/resolve/main/README.md`);
+      const readmeCanonical = await fetchReadme(
+        `${API_BASE}/${canonicalOrg.org}/${referencedRepo.split('/')[1]}/resolve/main/README.md`
+      );
 
       if (readmeSpoof && readmeCanonical) {
         const fp1 = simhash(readmeSpoof);
@@ -260,7 +290,9 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
             tags: [],
             ipiClass: 'SUPPLY_CHAIN',
           };
-          if (hfMeta) readmeFinding.hfMeta = hfMeta;
+          if (hfMeta) {
+            readmeFinding.hfMeta = hfMeta;
+          }
           newFindings.push(readmeFinding);
         }
       }
@@ -288,7 +320,9 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
               tags: [],
               ipiClass: 'SUPPLY_CHAIN',
             };
-            if (hfMeta) artifactFinding.hfMeta = hfMeta;
+            if (hfMeta) {
+              artifactFinding.hfMeta = hfMeta;
+            }
             newFindings.push(artifactFinding);
             break;
           }
@@ -297,12 +331,16 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
     }
 
     // Apply NEW_ORG and POSTINSTALL_FETCH tags to all findings for this repo
-    const repoSpoofFindings = spoofFindings.filter(f => f.referencedRepo === referencedRepo);
+    const repoSpoofFindings = spoofFindings.filter((f) => f.referencedRepo === referencedRepo);
     for (const sf of repoSpoofFindings) {
       if (tags.length > 0) {
-        if (!sf.tags) sf.tags = [];
+        if (!sf.tags) {
+          sf.tags = [];
+        }
         for (const t of tags) {
-          if (!sf.tags.includes(t)) sf.tags.push(t);
+          if (!sf.tags.includes(t)) {
+            sf.tags.push(t);
+          }
         }
       }
       if (hfMeta) {
@@ -312,9 +350,13 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
     for (const nf of newFindings) {
       if (nf.referencedRepo === referencedRepo) {
         if (tags.length > 0) {
-          if (!nf.tags) nf.tags = [];
+          if (!nf.tags) {
+            nf.tags = [];
+          }
           for (const t of tags) {
-            if (!nf.tags.includes(t)) nf.tags.push(t);
+            if (!nf.tags.includes(t)) {
+              nf.tags.push(t);
+            }
           }
         }
       }
@@ -326,14 +368,18 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
     const allStage2Findings = [...spoofFindings, ...newFindings];
     const escalatedRepos = new Set();
     for (const f of allStage2Findings) {
-      if (f.referencedRepo) escalatedRepos.add(f.referencedRepo);
+      if (f.referencedRepo) {
+        escalatedRepos.add(f.referencedRepo);
+      }
     }
     for (const f of allStage2Findings) {
       if (escalatedRepos.has(f.referencedRepo)) {
         if (severityIndex(f.severity) < severityIndex('critical')) {
           f.severity = 'critical';
         }
-        if (!f.tags) f.tags = [];
+        if (!f.tags) {
+          f.tags = [];
+        }
         if (!f.tags.includes('POSTINSTALL_ESCALATED')) {
           f.tags.push('POSTINSTALL_ESCALATED');
         }
@@ -344,10 +390,12 @@ async function runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag) {
   return newFindings;
 }
 
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+export async function scan(pkgJson, files = [], _registryMeta = null, allFiles = null) {
   const { tuples, postinstallFetchFlag } = extractHFTuples(pkgJson, allFiles || files);
 
-  if (tuples.size === 0) return [];
+  if (tuples.size === 0) {
+    return [];
+  }
 
   // Stage 1: org spoof detection (local only)
   const spoofFindings = [];
@@ -355,19 +403,34 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
 
   for (const tuple of tuples) {
     const parts = tuple.split('/');
-    if (parts.length < 2) continue;
+    if (parts.length < 2) {
+      continue;
+    }
     const org = parts[0];
 
     const canonicalOrg = findClosestOrg(org);
-    if (!canonicalOrg.org) continue;
-    if (org.toLowerCase() === canonicalOrg.org.toLowerCase()) continue;
+    if (!canonicalOrg.org) {
+      continue;
+    }
+    if (org.toLowerCase() === canonicalOrg.org.toLowerCase()) {
+      continue;
+    }
 
-    const finding = buildHFOrgSpoofFinding(tuple, org, canonicalOrg, canonicalOrg.score, postinstallFetchFlag, []);
+    const finding = buildHFOrgSpoofFinding(
+      tuple,
+      org,
+      canonicalOrg,
+      canonicalOrg.score,
+      postinstallFetchFlag,
+      []
+    );
     spoofFindings.push(finding);
     orgsToCheck.push([tuple, { org, canonicalOrg, similarityScore: canonicalOrg.score, finding }]);
   }
 
-  if (spoofFindings.length === 0) return [];
+  if (spoofFindings.length === 0) {
+    return [];
+  }
 
   // Stage 2: network checks
   const stage2Findings = await runStage2(spoofFindings, orgsToCheck, postinstallFetchFlag);

package/backend/detectors/hf-impersonation/jaro-winkler.js

@@ -1,7 +1,12 @@
 export function jaroWinkler(s1, s2) {
-  if (s1 === s2) return 1;
-  const len1 = s1.length, len2 = s2.length;
-  if (len1 === 0 || len2 === 0) return 0;
+  if (s1 === s2) {
+    return 1;
+  }
+  const len1 = s1.length,
+    len2 = s2.length;
+  if (len1 === 0 || len2 === 0) {
+    return 0;
+  }
 
   const matchDist = Math.floor(Math.max(len1, len2) / 2) - 1;
   const matches1 = new Array(len1).fill(false);
@@ -12,8 +17,12 @@ export function jaroWinkler(s1, s2) {
     const start = Math.max(0, i - matchDist);
     const end = Math.min(len2, i + matchDist + 1);
     for (let j = start; j < end; j++) {
-      if (matches2[j]) continue;
-      if (s1[i] !== s2[j]) continue;
+      if (matches2[j]) {
+        continue;
+      }
+      if (s1[i] !== s2[j]) {
+        continue;
+      }
       matches1[i] = true;
       matches2[j] = true;
       matches++;
@@ -21,13 +30,22 @@ export function jaroWinkler(s1, s2) {
     }
   }
 
-  if (matches === 0) return 0;
+  if (matches === 0) {
+    return 0;
+  }
 
-  let transpositions = 0, k = 0;
+  let transpositions = 0,
+    k = 0;
   for (let i = 0; i < len1; i++) {
-    if (!matches1[i]) continue;
-    while (!matches2[k]) k++;
-    if (s1[i] !== s2[k]) transpositions++;
+    if (!matches1[i]) {
+      continue;
+    }
+    while (!matches2[k]) {
+      k++;
+    }
+    if (s1[i] !== s2[k]) {
+      transpositions++;
+    }
     k++;
   }
 
@@ -36,8 +54,11 @@ export function jaroWinkler(s1, s2) {
   let prefix = 0;
   const maxPrefix = Math.min(4, len1, len2);
   for (let i = 0; i < maxPrefix; i++) {
-    if (s1[i] === s2[i]) prefix++;
-    else break;
+    if (s1[i] === s2[i]) {
+      prefix++;
+    } else {
+      break;
+    }
   }
 
   return jaro + prefix * 0.1 * (1 - jaro);

package/backend/detectors/hf-impersonation/known-orgs.js

@@ -1,5 +1,17 @@
 export const KNOWN_HF_ORGS = [
-  'openai', 'meta-llama', 'mistralai', 'google', 'microsoft',
-  'stabilityai', 'EleutherAI', 'huggingface', 'tiiuae', 'cohere',
-  'anthropic', 'deepseek-ai', 'Qwen', 'NousResearch', 'teknium',
+  'openai',
+  'meta-llama',
+  'mistralai',
+  'google',
+  'microsoft',
+  'stabilityai',
+  'EleutherAI',
+  'huggingface',
+  'tiiuae',
+  'cohere',
+  'anthropic',
+  'deepseek-ai',
+  'Qwen',
+  'NousResearch',
+  'teknium',
 ];

package/backend/detectors/hf-impersonation/simhash.js

@@ -1,7 +1,7 @@
 function hashToken(str) {
   let hash = 5381;
   for (let i = 0; i < str.length; i++) {
-    hash = ((hash << 5) + hash) + str.charCodeAt(i);
+    hash = (hash << 5) + hash + str.charCodeAt(i);
     hash = hash & hash;
   }
   return hash >>> 0;
@@ -25,7 +25,7 @@ export function simhash(text) {
   let fingerprint = 0n;
   for (let i = 0; i < 64; i++) {
     if (v[i] > 0) {
-      fingerprint |= (1n << BigInt(i));
+      fingerprint |= 1n << BigInt(i);
     }
   }
   return fingerprint;