@lockhawk/core 0.2.5 → 0.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,12 +1,12 @@
1
1
  # @lockhawk/core
2
2
 
3
- The scanning engine behind [**lockhawk**](https://github.com/lockhawk/lockhawk) lockfile
4
- parsing, dependency-graph building, [OSV.dev](https://osv.dev) matching, CVSS v3/v4 scoring, and
5
- report generation (table, JSON, SARIF, JUnit, HTML).
3
+ The scanning engine behind [**lockhawk**](https://github.com/lockhawk/lockhawk): lockfile parsing,
4
+ dependency graph building, [OSV.dev](https://osv.dev) matching, CVSS v3 and v4 scoring, and report
5
+ generation (table, JSON, SARIF, JUnit, HTML).
6
6
 
7
7
  > **Most people want the CLI, not this package.** To scan a project, use
8
- > [`lockhawk`](https://www.npmjs.com/package/lockhawk) `npx lockhawk scan`. Install
9
- > `@lockhawk/core` only if you're building a tool on top of the engine.
8
+ > [`lockhawk`](https://www.npmjs.com/package/lockhawk) and run `npx lockhawk scan`. Install
9
+ > `@lockhawk/core` only if you are building a tool on top of the engine.
10
10
 
11
11
  ## Install
12
12
 
@@ -24,8 +24,8 @@ console.log(result.summary, result.findings);
24
24
  ```
25
25
 
26
26
  `scan()` reads the project's lockfile (`package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`),
27
- resolves the full dependency tree (including transitive dependencies), queries OSV.dev offline
28
- from a cached database or online via the batch API and returns scored, de-duplicated findings.
27
+ resolves the full dependency tree including transitive dependencies, queries OSV.dev (offline from a
28
+ cached database or online via the batch API), and returns scored, de-duplicated findings.
29
29
 
30
30
  ## Documentation
31
31
 
package/dist/index.d.ts CHANGED
@@ -390,6 +390,8 @@ interface OnlineClientOptions {
390
390
  noCache?: boolean;
391
391
  cacheTtlHours?: number;
392
392
  retries?: number;
393
+ /** Per-request network timeout in milliseconds (default 15s). */
394
+ timeoutMs?: number;
393
395
  }
394
396
  /**
395
397
  * Online OSV source. Queries the batch endpoint by package *name only* — never
@@ -546,20 +548,16 @@ declare function toSarif(result: ScanResult): SarifLog;
546
548
  /** Stringified SARIF log. */
547
549
  declare function toSarifString(result: ScanResult): string;
548
550
 
551
+ /** Placeholder the report UI shell embeds so we can inject scan data at scan time. */
552
+ declare const DATA_MARKER = "<!--LOCKHAWK_DATA-->";
549
553
  /**
550
- * Produce a self-contained HTML report for a scan result.
551
- *
552
- * The page is fully server-rendered: no client-side JavaScript, no embedded
553
- * data blob, no external resources (fonts included). Every dynamic value is
554
- * HTML-escaped, the layout flows within a width-constrained container, and long
555
- * advisory text lives in a collapsed, contained block — so the report cannot
556
- * overflow the viewport or render attacker-controlled advisory text as live
557
- * markup. Copy affordances use CSS `user-select: all` (one click selects a whole
558
- * command/version) rather than a clipboard script, preserving the no-JS model.
554
+ * Produce a self-contained HTML report. When given the built report-UI `shell`
555
+ * (M6), the scan data is injected into it; otherwise a dependency-free fallback
556
+ * template is rendered so `--format html` always works.
559
557
  */
560
- declare function toHtml(result: ScanResult): string;
558
+ declare function toHtml(result: ScanResult, shell?: string): string;
561
559
 
562
560
  /** Render a scan result as JUnit XML (one failed test per finding). */
563
561
  declare function toJunit(result: ScanResult): string;
564
562
 
565
- export { AutoSource, type CvssResult, type DatabaseInfo, type DepNode, type DepScope, type DependencyGraph, type DetectedLockfile, type Finding, type FindingsOptions, LockfileError, OfflineDbMissingError, type OfflineMeta, OfflineSource, type OnlineClientOptions, OnlineSource, type OsvAffected, OsvClient, OsvDatabase, type OsvEvent, type OsvRange, type OsvReference, type OsvSeverity, type OsvVulnerability, type PackageManager, type PackageRef, type PkgKey, type RawGraph, type RawNode, type ResolvedSource, type RootManifest, SEVERITY_RANK, SHARD_BUCKETS, type SarifLog, type ScanOptions, type ScanResult, type ScanStats, type ScanSummary, type Severity, type SeverityInfo, type SourceMode, type SourceOptions, TOOL, type UnscannablePackage, type UpdateResult, type VulnMatch, type VulnSource, buildDependencyGraph, buildFindings, canonicalId, createSource, dedupeVulnerabilities, detectLockfile, isVersionAffected, levelFromLabel, levelFromScore, loadAdvisoriesForPackages, loadDependencyGraph, nearestFix, offlineDbDir, offlineMetaPath, parseLockfile, pkgKey, readOfflineMeta, readRootManifest, resolveCacheDir, resolveSeverity, rootLabel, scan, scoreFromVector, severityAtLeast, shardBucket, shortestPath, shouldFail, toHtml, toJson, toJunit, toSarif, toSarifString, uniqueScannablePackages, updateOfflineDatabase, vulnerabilityAffects };
563
+ export { AutoSource, type CvssResult, DATA_MARKER, type DatabaseInfo, type DepNode, type DepScope, type DependencyGraph, type DetectedLockfile, type Finding, type FindingsOptions, LockfileError, OfflineDbMissingError, type OfflineMeta, OfflineSource, type OnlineClientOptions, OnlineSource, type OsvAffected, OsvClient, OsvDatabase, type OsvEvent, type OsvRange, type OsvReference, type OsvSeverity, type OsvVulnerability, type PackageManager, type PackageRef, type PkgKey, type RawGraph, type RawNode, type ResolvedSource, type RootManifest, SEVERITY_RANK, SHARD_BUCKETS, type SarifLog, type ScanOptions, type ScanResult, type ScanStats, type ScanSummary, type Severity, type SeverityInfo, type SourceMode, type SourceOptions, TOOL, type UnscannablePackage, type UpdateResult, type VulnMatch, type VulnSource, buildDependencyGraph, buildFindings, canonicalId, createSource, dedupeVulnerabilities, detectLockfile, isVersionAffected, levelFromLabel, levelFromScore, loadAdvisoriesForPackages, loadDependencyGraph, nearestFix, offlineDbDir, offlineMetaPath, parseLockfile, pkgKey, readOfflineMeta, readRootManifest, resolveCacheDir, resolveSeverity, rootLabel, scan, scoreFromVector, severityAtLeast, shardBucket, shortestPath, shouldFail, toHtml, toJson, toJunit, toSarif, toSarifString, uniqueScannablePackages, updateOfflineDatabase, vulnerabilityAffects };