@lockhawk/core 0.2.4 → 0.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,12 +1,12 @@
1
1
  # @lockhawk/core
2
2
 
3
- The scanning engine behind [**lockhawk**](https://github.com/lockhawk/lockhawk) lockfile
4
- parsing, dependency-graph building, [OSV.dev](https://osv.dev) matching, CVSS v3/v4 scoring, and
5
- report generation (table, JSON, SARIF, JUnit, HTML).
3
+ The scanning engine behind [**lockhawk**](https://github.com/lockhawk/lockhawk): lockfile parsing,
4
+ dependency graph building, [OSV.dev](https://osv.dev) matching, CVSS v3 and v4 scoring, and report
5
+ generation (table, JSON, SARIF, JUnit, HTML).
6
6
 
7
7
  > **Most people want the CLI, not this package.** To scan a project, use
8
- > [`lockhawk`](https://www.npmjs.com/package/lockhawk) `npx lockhawk scan`. Install
9
- > `@lockhawk/core` only if you're building a tool on top of the engine.
8
+ > [`lockhawk`](https://www.npmjs.com/package/lockhawk) and run `npx lockhawk scan`. Install
9
+ > `@lockhawk/core` only if you are building a tool on top of the engine.
10
10
 
11
11
  ## Install
12
12
 
@@ -24,8 +24,8 @@ console.log(result.summary, result.findings);
24
24
  ```
25
25
 
26
26
  `scan()` reads the project's lockfile (`package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`),
27
- resolves the full dependency tree (including transitive dependencies), queries OSV.dev offline
28
- from a cached database or online via the batch API and returns scored, de-duplicated findings.
27
+ resolves the full dependency tree including transitive dependencies, queries OSV.dev (offline from a
28
+ cached database or online via the batch API), and returns scored, de-duplicated findings.
29
29
 
30
30
  ## Documentation
31
31
 
package/dist/index.d.ts CHANGED
@@ -390,18 +390,23 @@ interface OnlineClientOptions {
390
390
  noCache?: boolean;
391
391
  cacheTtlHours?: number;
392
392
  retries?: number;
393
+ /** Per-request network timeout in milliseconds (default 15s). */
394
+ timeoutMs?: number;
393
395
  }
394
396
  /**
395
- * Online OSV source. Uses the batch endpoint (which returns only matched ids)
396
- * then hydrates each unique id to a full record caching records by id so
397
- * repeat scans do no network work. All matching is re-validated downstream by
398
- * `buildFindings`, so this client only has to gather candidate records.
397
+ * Online OSV source. Queries the batch endpoint by package *name only* never
398
+ * pinning an installed version so OSV returns every advisory naming each
399
+ * package; lockhawk's own range matcher (`buildFindings` `vulnerabilityAffects`)
400
+ * then decides what actually affects the installed version. Delegating the
401
+ * version match to OSV's server would cap coverage at OSV's matcher; doing it
402
+ * locally makes coverage depend only on lockhawk (and mirrors the offline path).
403
+ * Hydrated records are cached by id so repeat scans do no network work.
399
404
  */
400
405
  declare class OsvClient {
401
406
  private readonly opts;
402
407
  private readonly limit;
403
408
  constructor(opts: OnlineClientOptions);
404
- /** Fetch advisories affecting the given packages, keyed by package name. */
409
+ /** Fetch advisories naming the given packages, keyed by package name. */
405
410
  fetchAdvisories(packages: PackageRef[]): Promise<Map<string, OsvVulnerability[]>>;
406
411
  private queryBatch;
407
412
  private hydrate;