@lateos/npm-scan 1.0.0 → 1.1.1

package/backend/detectors/axios-poisoning/index.js

@@ -7,47 +7,58 @@ const RULE_SEVERITY = { D1: 'critical', D2: 'critical', D3: 'critical' };
 const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info', 'none'];
 
 function highestSeverity(severities) {
-  for (const s of SEVERITY_ORDER) if (severities.includes(s)) return s;
+  for (const s of SEVERITY_ORDER) {
+    if (severities.includes(s)) {
+      return s;
+    }
+  }
   return 'none';
 }
 
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+export async function scan(pkgJson, files = [], _registryMeta = null, allFiles = null) {
   const pkgName = pkgJson?.name || 'unknown';
   const pkgVersion = pkgJson?.version || '0.0.0';
   const fileList = allFiles || files || [];
 
   const d1Result = scanVersionBlocklist(pkgJson);
   if (d1Result.stopCondition) {
-    const evidence = attachProvenance({
-      rule: 'AXS-VER-001',
-      campaign: 'AXIOS_POISONING',
-      triggeredChecks: ['D1'],
-      matchedVersion: d1Result.matchedVersion,
-      action: 'BLOCK_IMMEDIATELY',
-      remediation: `Upgrade to axios@1.14.2 or later, or use pinned safe version`,
-    }, {
-      ruleId: 'AXS-VER-001',
-      ruleName: 'Compromised Axios Version Fingerprinting',
-      severity: 'CRITICAL',
-      campaignName: 'Axios Registry Poisoning',
-      pkgName,
-      pkgVersion,
-      triggered: true,
-      severity: 'critical',
-      indicators: [{ type: 'known_malicious_version', value: `${pkgName}@${pkgVersion}` }],
-      ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/d1-version-fingerprint.js',
-      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-    });
+    const evidence = attachProvenance(
+      {
+        rule: 'AXS-VER-001',
+        campaign: 'AXIOS_POISONING',
+        triggeredChecks: ['D1'],
+        matchedVersion: d1Result.matchedVersion,
+        action: 'BLOCK_IMMEDIATELY',
+        remediation: `Upgrade to axios@1.14.2 or later, or use pinned safe version`,
+      },
+      {
+        ruleId: 'AXS-VER-001',
+        ruleName: 'Compromised Axios Version Fingerprinting',
+        campaignName: 'Axios Registry Poisoning',
+        pkgName,
+        pkgVersion,
+        triggered: true,
+        severity: 'critical',
+        indicators: [{ type: 'known_malicious_version', value: `${pkgName}@${pkgVersion}` }],
+        ruleProvenanceUrl:
+          'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/d1-version-fingerprint.js',
+        campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+      }
+    );
 
-    return [{
-      id: 'AXIOS_POISONING',
-      severity: 'critical',
-      title: 'Axios Registry Poisoning campaign',
-      description: `HALT: ${pkgName}@${pkgVersion} is a known compromised version in the Axios registry poisoning campaign. Block install immediately.`,
-      evidence: JSON.stringify(evidence),
-      mitigation: d1Result.reason ? `BLOCK IMMEDIATELY. ${d1Result.reason}. Upgrade to axios@1.14.2 or later, or use pinned safe version.` : 'BLOCK IMMEDIATELY. Upgrade to a safe version.',
-      stopCondition: true,
-    }];
+    return [
+      {
+        id: 'AXIOS_POISONING',
+        severity: 'critical',
+        title: 'Axios Registry Poisoning campaign',
+        description: `HALT: ${pkgName}@${pkgVersion} is a known compromised version in the Axios registry poisoning campaign. Block install immediately.`,
+        evidence: JSON.stringify(evidence),
+        mitigation: d1Result.reason
+          ? `BLOCK IMMEDIATELY. ${d1Result.reason}. Upgrade to axios@1.14.2 or later, or use pinned safe version.`
+          : 'BLOCK IMMEDIATELY. Upgrade to a safe version.',
+        stopCondition: true,
+      },
+    ];
   }
 
   const d2Result = scanDecoyDependency(pkgJson);
@@ -59,36 +70,42 @@ export async function scan(pkgJson, files = [], registryMeta = null, allFiles =
     .filter(([_, r]) => r.triggered)
     .map(([id]) => id);
 
-  if (triggered.length === 0) return [];
+  if (triggered.length === 0) {
+    return [];
+  }
 
-  const severity = highestSeverity(triggered.map(id => RULE_SEVERITY[id]));
+  const severity = highestSeverity(triggered.map((id) => RULE_SEVERITY[id]));
 
-  const evidence = attachProvenance({
-    campaign: 'AXIOS_POISONING',
-    triggeredChecks: triggered,
-    details: Object.fromEntries(
-      Object.entries(results).filter(([_, r]) => r.triggered)
-    ),
-  }, {
-    ruleId: 'AXIOS_POISONING',
-    ruleName: 'Axios Registry Poisoning Detection',
-    severity: severity.toUpperCase(),
-    campaignName: 'Axios Registry Poisoning',
-    pkgName,
-    pkgVersion,
-    triggered: true,
-    severity,
-    indicators: triggered.map(id => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
-    ruleProvenanceUrl: 'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/',
-    campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
-  });
+  const evidence = attachProvenance(
+    {
+      campaign: 'AXIOS_POISONING',
+      triggeredChecks: triggered,
+      details: Object.fromEntries(Object.entries(results).filter(([_, r]) => r.triggered)),
+    },
+    {
+      ruleId: 'AXIOS_POISONING',
+      ruleName: 'Axios Registry Poisoning Detection',
+      campaignName: 'Axios Registry Poisoning',
+      pkgName,
+      pkgVersion,
+      triggered: true,
+      severity,
+      indicators: triggered.map((id) => ({ type: `rule_${id}`, value: RULE_SEVERITY[id] })),
+      ruleProvenanceUrl:
+        'https://github.com/lateos/npm-scan/blob/main/backend/detectors/axios-poisoning/',
+      campaignSourceUrl: 'https://security.researcher.org/supply-chain-report',
+    }
+  );
 
-  return [{
-    id: 'AXIOS_POISONING',
-    severity,
-    title: 'Axios Registry Poisoning campaign',
-    description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
-    evidence: JSON.stringify(evidence),
-    mitigation: 'If decoy dependency detected: verify all axios dependencies are legitimate. If RAT payload detected: run full malware scan on the system, rotate all credentials, check for unauthorized network connections. Upgrade to axios@1.14.2+ or pin to a known safe version.',
-  }];
+  return [
+    {
+      id: 'AXIOS_POISONING',
+      severity,
+      title: 'Axios Registry Poisoning campaign',
+      description: `${triggered.length} signal(s): ${triggered.join(', ')}`,
+      evidence: JSON.stringify(evidence),
+      mitigation:
+        'If decoy dependency detected: verify all axios dependencies are legitimate. If RAT payload detected: run full malware scan on the system, rotate all credentials, check for unauthorized network connections. Upgrade to axios@1.14.2+ or pin to a known safe version.',
+    },
+  ];
 }

package/backend/detectors/config/thresholds.js

@@ -11,7 +11,8 @@ export default {
   'TIER1-VERSION-ANOMALY': {
     flag_threshold: 72,
     warn_threshold: 60,
-    notes: 'Sentinel patterns (99.99.99/11.11.11/10.10.10) always flag at 92 regardless of threshold',
+    notes:
+      'Sentinel patterns (99.99.99/11.11.11/10.10.10) always flag at 92 regardless of threshold',
   },
   'TIER1-OBFUSCATION-HEURISTICS': {
     flag_threshold: 75,
@@ -21,7 +22,8 @@ export default {
   'TIER1-BINARY-EMBED': {
     flag_threshold: 80,
     warn_threshold: 65,
-    notes: 'High threshold justified; platform-specific binary sets are rare in legitimate packages',
+    notes:
+      'High threshold justified; platform-specific binary sets are rare in legitimate packages',
   },
   'TIER1-LIFECYCLE-HOOK': {
     flag_threshold: 65,
@@ -36,7 +38,8 @@ export default {
   'TIER1-TYPOSQUAT': {
     flag_threshold: 85,
     warn_threshold: 70,
-    notes: 'Calibrated to 85 post-FP analysis on top 1,000 packages; 46 edit-distance=1 FPs eliminated at this threshold',
+    notes:
+      'Calibrated to 85 post-FP analysis on top 1,000 packages; 46 edit-distance=1 FPs eliminated at this threshold',
   },
   'TIER1-METADATA-SPOOF': {
     flag_threshold: 70,
@@ -63,4 +66,46 @@ export default {
     warn_threshold: 70,
     notes: 'Placeholder; threshold TBD when API stabilizes',
   },
+  'TIER1-SELF-PROPAGATION': {
+    flag_threshold: 75,
+    warn_threshold: 60,
+    burst_window_minutes: 60,
+    min_packages_burst: 3,
+    identical_payload_weight: 40,
+    notes: 'D10: Detects burst republish patterns (Miasma campaign)',
+  },
+  'TIER1-ENCRYPTED-C2': {
+    flag_threshold: 70,
+    warn_threshold: 50,
+    known_c2_endpoints: [
+      'filev2.getsession.org',
+      'api.signal.org',
+      '*.briarproject.org',
+      'api.ricochet.im',
+    ],
+    onion_pattern_weight: 30,
+    encoded_url_weight: 35,
+    env_var_c2_weight: 40,
+    notes: 'D11: Detects Session/Oxen, Signal, Briar, Tor C2 channels',
+  },
+  'TIER1-TRANSITIVE-DEPS': {
+    flag_threshold: 80,
+    warn_threshold: 50,
+    new_package_days: 7,
+    unknown_depth_weight: 45,
+    typosquat_depth_weight: 50,
+    different_maintainer_weight: 35,
+    notes: 'D12: Deep dependency tree analysis for injection attacks',
+  },
+  'TIER1-MAINTAINER-COMPROMISE': {
+    flag_threshold: 75,
+    warn_threshold: 60,
+    velocity_burst_multiplier: 5,
+    burst_window_hours: 24,
+    min_velocity_baseline: 0.5,
+    duplicate_version_weight: 40,
+    unusual_timing_weight: 25,
+    cross_package_burst_weight: 50,
+    notes: 'D13: Version velocity anomaly and maintainer compromise detection',
+  },
 };

package/backend/detectors/cve-2026-48710-badhost/codePattern.js

@@ -11,11 +11,12 @@ const AUTH_CONTEXT_PATHS = [
 ];
 
 const URL_PATH_PATTERN = /request\.url\.path|req\.url\.path|self\.request\.url\.path/g;
-const SCOPE_PATH_PATTERN = /request\.scope\s*\[\s*["']path["']\s*\]|request\.scope\.get\s*\(\s*["']path["']\s*\)/g;
+const SCOPE_PATH_PATTERN =
+  /request\.scope\s*\[\s*["']path["']\s*\]|request\.scope\.get\s*\(\s*["']path["']\s*\)/g;
 
 function hasAuthContext(filePath) {
   const lower = filePath.toLowerCase();
-  return AUTH_CONTEXT_PATHS.some(ctx => lower.includes(ctx));
+  return AUTH_CONTEXT_PATHS.some((ctx) => lower.includes(ctx));
 }
 
 function findFunctionBoundaries(lines) {
@@ -34,7 +35,13 @@ function findFunctionBoundaries(lines) {
       currentFn = defMatch[1];
       fnBodyStart = i;
       indent = line.length - line.trimStart().length;
-    } else if (currentFn && line.trim() && line.length - line.trimStart().length <= indent && !line.trim().startsWith('#') && !line.trim().startsWith('@')) {
+    } else if (
+      currentFn &&
+      line.trim() &&
+      line.length - line.trimStart().length <= indent &&
+      !line.trim().startsWith('#') &&
+      !line.trim().startsWith('@')
+    ) {
       functions.push({ name: currentFn, startLine: fnBodyStart, endLine: i - 1 });
       currentFn = null;
     }
@@ -48,7 +55,9 @@ function findFunctionBoundaries(lines) {
 
 function hasScopePathInFunction(lines, fnStart, fnEnd) {
   for (let i = fnStart; i <= fnEnd && i < lines.length; i++) {
-    if (SCOPE_PATH_PATTERN.test(lines[i])) return true;
+    if (SCOPE_PATH_PATTERN.test(lines[i])) {
+      return true;
+    }
   }
   return false;
 }
@@ -56,11 +65,15 @@ function hasScopePathInFunction(lines, fnStart, fnEnd) {
 export function scanCodePatterns(allFiles) {
   const findings = [];
 
-  for (const file of (allFiles || [])) {
+  for (const file of allFiles || []) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
-    if (!path.endsWith('.py')) continue;
+    if (!path.endsWith('.py')) {
+      continue;
+    }
 
     const lines = content.split('\n');
     const isAuthContext = hasAuthContext(path);
@@ -82,14 +95,18 @@ export function scanCodePatterns(allFiles) {
       let m;
       while ((m = URL_PATH_PATTERN.exec(content)) !== null) {
         const lineNumber = content.slice(0, m.index).split('\n').length;
-        if (suppressedLines.has(lineNumber)) continue;
+        if (suppressedLines.has(lineNumber)) {
+          continue;
+        }
         findings.push(codePatternAuthFinding(path, lineNumber));
       }
     } else {
       let m;
       while ((m = URL_PATH_PATTERN.exec(content)) !== null) {
         const lineNumber = content.slice(0, m.index).split('\n').length;
-        if (suppressedLines.has(lineNumber)) continue;
+        if (suppressedLines.has(lineNumber)) {
+          continue;
+        }
         findings.push(codePatternInfoFinding(path, lineNumber));
       }
     }

package/backend/detectors/cve-2026-48710-badhost/findings.js

@@ -8,11 +8,14 @@ const REFERENCES = [
   'https://osv.dev/vulnerability/PYSEC-2026-161',
 ];
 
-const MITIGATION_NOTE = 'Partial mitigation: Cloudflare and AWS ALB reject malformed Host headers for properly proxied deployments. Direct uvicorn/hypercorn/daphne/granian exposure with no reverse proxy in front is highest risk.';
+const MITIGATION_NOTE =
+  'Partial mitigation: Cloudflare and AWS ALB reject malformed Host headers for properly proxied deployments. Direct uvicorn/hypercorn/daphne/granian exposure with no reverse proxy in front is highest risk.';
 
-const DEPENDENCY_REMEDIATION = 'Upgrade starlette to >= 1.0.1. If starlette is inherited transitively through fastapi, vllm, litellm, or an MCP server package, upgrade the top-level package to a version that pins starlette >= 1.0.1. Verify with: pip show starlette.';
+const DEPENDENCY_REMEDIATION =
+  'Upgrade starlette to >= 1.0.1. If starlette is inherited transitively through fastapi, vllm, litellm, or an MCP server package, upgrade the top-level package to a version that pins starlette >= 1.0.1. Verify with: pip show starlette.';
 
-const CODE_REMEDIATION = 'Replace request.url.path with request.scope["path"] for all security-sensitive decisions (auth checks, path allowlists, rate limiting gates). The reconstructed request.url is influenced by the unvalidated Host header in Starlette < 1.0.1.';
+const CODE_REMEDIATION =
+  'Replace request.url.path with request.scope["path"] for all security-sensitive decisions (auth checks, path allowlists, rate limiting gates). The reconstructed request.url is influenced by the unvalidated Host header in Starlette < 1.0.1.';
 
 function makeFinding(overrides = {}) {
   return {
@@ -52,7 +55,8 @@ export function directDependencyUnpinnedFinding() {
     confidence: 'HIGH',
     source: 'direct-dependency-unpinned',
     title: `${NICKNAME}: Starlette unpinned`,
-    description: 'Starlette is declared with no version constraint — assume vulnerable to CVE-2026-48710 (BadHost) until pinned to >= 1.0.1.',
+    description:
+      'Starlette is declared with no version constraint — assume vulnerable to CVE-2026-48710 (BadHost) until pinned to >= 1.0.1.',
     remediation: `${DEPENDENCY_REMEDIATION} ${MITIGATION_NOTE}`,
     file: null,
     line: null,

package/backend/detectors/cve-2026-48710-badhost/index.js

@@ -2,7 +2,7 @@ import { scanFiles } from './manifest.js';
 import { scanTransitive } from './transitive.js';
 import { scanCodePatterns } from './codePattern.js';
 
-export async function scan(pkgJson, files = [], registryMeta = null, allFiles = null) {
+export async function scan(pkgJson, files = [], _registryMeta = null, allFiles = null) {
   const targetFiles = allFiles || files;
 
   const manifestFindings = scanFiles(targetFiles);

package/backend/detectors/cve-2026-48710-badhost/manifest.js

@@ -2,10 +2,14 @@ import { directDependencyFinding, directDependencyUnpinnedFinding } from './find
 
 function parseReqTxtLine(line) {
   const trimmed = line.trim();
-  if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) return null;
+  if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) {
+    return null;
+  }
   const idx = trimmed.indexOf('#');
   const spec = idx >= 0 ? trimmed.slice(0, idx).trim() : trimmed;
-  if (!spec || !spec.startsWith('starlette')) return null;
+  if (!spec || !spec.startsWith('starlette')) {
+    return null;
+  }
 
   const eqIdx = spec.indexOf('==');
   const geIdx = spec.indexOf('>=');
@@ -22,7 +26,9 @@ function parseReqTxtLine(line) {
     const lower = parts[0]?.trim();
     const upper = parts[1]?.trim();
     let specStr = `>=${lower}`;
-    if (upper && upper.startsWith('<')) specStr += `,${upper}`;
+    if (upper && upper.startsWith('<')) {
+      specStr += `,${upper}`;
+    }
     return { name: 'starlette', version: lower, specifier: specStr };
   }
   if (tildeIdx >= 0) {
@@ -36,9 +42,17 @@ function parseReqTxtLine(line) {
   }
 
   const rest = spec.slice('starlette'.length).trim();
-  if (!rest) return { name: 'starlette', version: null, specifier: null };
+  if (!rest) {
+    return { name: 'starlette', version: null, specifier: null };
+  }
 
-  if (!rest.includes('=') && !rest.includes('<') && !rest.includes('>') && !rest.includes('~') && !rest.includes('!')) {
+  if (
+    !rest.includes('=') &&
+    !rest.includes('<') &&
+    !rest.includes('>') &&
+    !rest.includes('~') &&
+    !rest.includes('!')
+  ) {
     return { name: 'starlette', version: rest, specifier: rest };
   }
 
@@ -49,13 +63,17 @@ export function parseRequirementsTxt(content) {
   const lines = content.split('\n');
   for (const line of lines) {
     const result = parseReqTxtLine(line);
-    if (result) return result;
+    if (result) {
+      return result;
+    }
   }
   return null;
 }
 
 function parsePEP440(versionStr) {
-  if (!versionStr) return null;
+  if (!versionStr) {
+    return null;
+  }
   const clean = versionStr.trim().replace(/^v/, '');
   const parts = clean.split('.');
   return {
@@ -66,24 +84,38 @@ function parsePEP440(versionStr) {
 }
 
 function compareVersions(a, b) {
-  if (!a) return 1;
-  if (!b) return -1;
-  if (a.major !== b.major) return a.major - b.major;
-  if (a.minor !== b.minor) return a.minor - b.minor;
+  if (!a) {
+    return 1;
+  }
+  if (!b) {
+    return -1;
+  }
+  if (a.major !== b.major) {
+    return a.major - b.major;
+  }
+  if (a.minor !== b.minor) {
+    return a.minor - b.minor;
+  }
   return a.patch - b.patch;
 }
 
 const STARLETTE_SAFE = parsePEP440('1.0.1');
 
 function isVulnerable(version) {
-  if (!version) return true;
+  if (!version) {
+    return true;
+  }
   const parsed = parsePEP440(version);
-  if (!parsed) return true;
+  if (!parsed) {
+    return true;
+  }
   return compareVersions(parsed, STARLETTE_SAFE) < 0;
 }
 
 function findStarletteInTOML(obj) {
-  if (!obj || typeof obj !== 'object') return null;
+  if (!obj || typeof obj !== 'object') {
+    return null;
+  }
 
   const sectionPaths = ['dependencies', 'project.dependencies', 'tool.poetry.dependencies'];
   for (const path of sectionPaths) {
@@ -91,13 +123,18 @@ function findStarletteInTOML(obj) {
     let ptr = obj;
     let found = true;
     for (const p of parts) {
-      if (!ptr || typeof ptr !== 'object') { found = false; break; }
+      if (!ptr || typeof ptr !== 'object') {
+        found = false;
+        break;
+      }
       ptr = ptr[p];
     }
-    if (!found || !ptr || typeof ptr !== 'object') continue;
+    if (!found || !ptr || typeof ptr !== 'object') {
+      continue;
+    }
     for (const [key, val] of Object.entries(ptr)) {
       if (key === 'starlette' || key === '"starlette"') {
-        const version = typeof val === 'string' ? val : (val?.version || null);
+        const version = typeof val === 'string' ? val : val?.version || null;
         const specifier = typeof val === 'string' ? val : null;
         return { name: 'starlette', version, specifier };
       }
@@ -112,28 +149,41 @@ function parseTomlSimple(content) {
 
   for (const line of content.split('\n')) {
     const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith('#')) continue;
+    if (!trimmed || trimmed.startsWith('#')) {
+      continue;
+    }
     const sectionMatch = trimmed.match(/^\[([^\]]+)\]$/);
     if (sectionMatch) {
       const parts = sectionMatch[1].split('.');
       let ptr = result;
       for (const p of parts) {
         const key = p.replace(/^"(.*)"$/, '$1').trim();
-        if (!ptr[key]) ptr[key] = {};
+        if (!ptr[key]) {
+          ptr[key] = {};
+        }
         ptr = ptr[key];
       }
       currentSection = ptr;
       continue;
     }
     const kvMatch = trimmed.match(/^([^=]+)=\s*(.+)$/);
-    if (!kvMatch) continue;
+    if (!kvMatch) {
+      continue;
+    }
     const key = kvMatch[1].trim().replace(/^"(.*)"$/, '$1');
     let val = kvMatch[2].trim();
     if (val.startsWith('"') && val.endsWith('"')) {
       val = val.slice(1, -1);
     } else if (val.startsWith("'") && val.endsWith("'")) {
       val = val.slice(1, -1);
-    } else if (val.startsWith('^') || val.startsWith('~') || val.startsWith('>') || val.startsWith('<') || val.startsWith('=') || val.startsWith('!')) {
+    } else if (
+      val.startsWith('^') ||
+      val.startsWith('~') ||
+      val.startsWith('>') ||
+      val.startsWith('<') ||
+      val.startsWith('=') ||
+      val.startsWith('!')
+    ) {
       val = val.replace(/"/g, '');
     }
     currentSection[key] = val;
@@ -166,7 +216,9 @@ function parsePoetryLockEntry(content) {
     }
     if (inStarlette && trimmed.startsWith('version = ')) {
       const match = trimmed.match(/version\s*=\s*["'](.+?)["']/);
-      if (match) version = match[1];
+      if (match) {
+        version = match[1];
+      }
     }
     if (inStarlette && trimmed.startsWith('[[package]]') && trimmed !== '[[package]]') {
       break;
@@ -204,12 +256,16 @@ export function parsePipfile(content) {
 
 function parseSetupPyContent(content) {
   const match = content.match(/install_requires\s*=\s*\[([^\]]+)\]/s);
-  if (!match) return null;
+  if (!match) {
+    return null;
+  }
   const block = match[1];
-  const lines = block.split(',').map(l => l.trim().replace(/["']/g, ''));
+  const lines = block.split(',').map((l) => l.trim().replace(/["']/g, ''));
   for (const line of lines) {
     const clean = line.trim();
-    if (!clean) continue;
+    if (!clean) {
+      continue;
+    }
     if (clean.startsWith('starlette')) {
       const eqIdx = clean.indexOf('==');
       const geIdx = clean.indexOf('>=');
@@ -217,11 +273,24 @@ function parseSetupPyContent(content) {
       const ltIdx = clean.indexOf('<');
       let version = null;
       let specifier = null;
-      if (eqIdx >= 0) { version = clean.slice(eqIdx + 2).trim(); specifier = `==${version}`; }
-      else if (geIdx >= 0) { version = clean.slice(geIdx + 2).split(',')[0].trim(); specifier = `>=${version}`; }
-      else if (tildeIdx >= 0) { version = clean.slice(tildeIdx + 2).trim(); specifier = `~=${version}`; }
-      else if (ltIdx >= 0) { version = clean.slice(ltIdx + 1).trim(); specifier = `<${version}`; }
-      else if (clean === 'starlette') { return { name: 'starlette', version: null, specifier: null }; }
+      if (eqIdx >= 0) {
+        version = clean.slice(eqIdx + 2).trim();
+        specifier = `==${version}`;
+      } else if (geIdx >= 0) {
+        version = clean
+          .slice(geIdx + 2)
+          .split(',')[0]
+          .trim();
+        specifier = `>=${version}`;
+      } else if (tildeIdx >= 0) {
+        version = clean.slice(tildeIdx + 2).trim();
+        specifier = `~=${version}`;
+      } else if (ltIdx >= 0) {
+        version = clean.slice(ltIdx + 1).trim();
+        specifier = `<${version}`;
+      } else if (clean === 'starlette') {
+        return { name: 'starlette', version: null, specifier: null };
+      }
       return { name: 'starlette', version, specifier };
     }
   }
@@ -242,7 +311,9 @@ function parseSetupCfgContent(content) {
       continue;
     }
     if (inInstallRequires) {
-      if (trimmed.startsWith('[')) break;
+      if (trimmed.startsWith('[')) {
+        break;
+      }
       if (trimmed.startsWith('starlette')) {
         const eqIdx = trimmed.indexOf('==');
         const geIdx = trimmed.indexOf('>=');
@@ -250,11 +321,24 @@ function parseSetupCfgContent(content) {
         const ltIdx = trimmed.indexOf('<');
         let version = null;
         let specifier = null;
-        if (eqIdx >= 0) { version = trimmed.slice(eqIdx + 2).trim(); specifier = `==${version}`; }
-        else if (geIdx >= 0) { version = trimmed.slice(geIdx + 2).split(',')[0].trim(); specifier = `>=${version}`; }
-        else if (tildeIdx >= 0) { version = trimmed.slice(tildeIdx + 2).trim(); specifier = `~=${version}`; }
-        else if (ltIdx >= 0) { version = trimmed.slice(ltIdx + 1).trim(); specifier = `<${version}`; }
-        else if (trimmed === 'starlette') { return { name: 'starlette', version: null, specifier: null }; }
+        if (eqIdx >= 0) {
+          version = trimmed.slice(eqIdx + 2).trim();
+          specifier = `==${version}`;
+        } else if (geIdx >= 0) {
+          version = trimmed
+            .slice(geIdx + 2)
+            .split(',')[0]
+            .trim();
+          specifier = `>=${version}`;
+        } else if (tildeIdx >= 0) {
+          version = trimmed.slice(tildeIdx + 2).trim();
+          specifier = `~=${version}`;
+        } else if (ltIdx >= 0) {
+          version = trimmed.slice(ltIdx + 1).trim();
+          specifier = `<${version}`;
+        } else if (trimmed === 'starlette') {
+          return { name: 'starlette', version: null, specifier: null };
+        }
         if (trimmed.startsWith('starlette')) {
           return { name: 'starlette', version, specifier };
         }
@@ -271,9 +355,11 @@ export function parseSetupCfg(content) {
 export function scanFiles(allFiles) {
   const findings = [];
 
-  for (const file of (allFiles || [])) {
+  for (const file of allFiles || []) {
     const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
+    if (!content) {
+      continue;
+    }
     const path = file.path || '';
 
     let result = null;
@@ -292,7 +378,9 @@ export function scanFiles(allFiles) {
       result = parseSetupCfg(content);
     }
 
-    if (!result) continue;
+    if (!result) {
+      continue;
+    }
 
     if (result.version === null && result.specifier === null) {
       findings.push(directDependencyUnpinnedFinding());