@matthesketh/fleet 1.8.1 → 1.11.1

package/dist/core/backup/totp.js

@@ -0,0 +1,116 @@
+import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto';
+const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
+function base32Encode(buf) {
+    let bits = 0;
+    let value = 0;
+    let out = '';
+    for (const byte of buf) {
+        value = (value << 8) | byte;
+        bits += 8;
+        while (bits >= 5) {
+            out += B32[(value >>> (bits - 5)) & 31];
+            bits -= 5;
+        }
+    }
+    if (bits > 0)
+        out += B32[(value << (5 - bits)) & 31];
+    return out;
+}
+function base32Decode(s) {
+    const clean = s.replace(/=+$/, '').toUpperCase().replace(/\s/g, '');
+    let bits = 0;
+    let value = 0;
+    const out = [];
+    for (const c of clean) {
+        const idx = B32.indexOf(c);
+        if (idx === -1)
+            throw new Error(`invalid base32 char: ${c}`);
+        value = (value << 5) | idx;
+        bits += 5;
+        if (bits >= 8) {
+            out.push((value >>> (bits - 8)) & 0xff);
+            bits -= 8;
+        }
+    }
+    return Buffer.from(out);
+}
+function hotp(secret, counter) {
+    const buf = Buffer.alloc(8);
+    buf.writeBigUInt64BE(BigInt(counter));
+    const hmac = createHmac('sha1', secret).update(buf).digest();
+    const offset = hmac[hmac.length - 1] & 0x0f;
+    const bin = ((hmac[offset] & 0x7f) << 24) |
+        ((hmac[offset + 1] & 0xff) << 16) |
+        ((hmac[offset + 2] & 0xff) << 8) |
+        (hmac[offset + 3] & 0xff);
+    return (bin % 1_000_000).toString().padStart(6, '0');
+}
+function timingSafeEqualStr(a, b) {
+    const ba = Buffer.from(a);
+    const bb = Buffer.from(b);
+    if (ba.length !== bb.length)
+        return false;
+    return timingSafeEqual(ba, bb);
+}
+/** new random 20-byte secret, base32-encoded for authenticator apps. */
+export function generateSecret() {
+    return base32Encode(randomBytes(20));
+}
+/** the 6-digit TOTP code for a base32 secret at a given epoch-ms time. */
+export function totpCode(secretB32, atMs = Date.now()) {
+    const counter = Math.floor(atMs / 1000 / 30);
+    return hotp(base32Decode(secretB32), counter);
+}
+/** true if `code` is valid for the secret within a +/-1 step window. */
+export function verifyTotp(secretB32, code, atMs = Date.now()) {
+    if (!/^\d{6}$/.test(code))
+        return false;
+    const secret = base32Decode(secretB32);
+    const counter = Math.floor(atMs / 1000 / 30);
+    for (let w = -1; w <= 1; w++) {
+        if (timingSafeEqualStr(hotp(secret, counter + w), code))
+            return true;
+    }
+    return false;
+}
+/** otpauth:// enrolment URI — paste into 1Password or an authenticator app. */
+export function totpUri(secretB32, label, issuer) {
+    const l = encodeURIComponent(label);
+    const i = encodeURIComponent(issuer);
+    return `otpauth://totp/${i}:${l}?secret=${secretB32}&issuer=${i}&period=30&digits=6&algorithm=SHA1`;
+}
+function b64url(buf) {
+    return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function b64urlDecode(s) {
+    return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
+}
+/** signs a session payload as `<body>.<hmac>` (hmac-sha256). */
+export function signSession(payload, secret) {
+    const body = b64url(Buffer.from(JSON.stringify(payload)));
+    const sig = b64url(createHmac('sha256', secret).update(body).digest());
+    return `${body}.${sig}`;
+}
+/** verifies a session cookie; returns the payload or null if invalid/expired. */
+export function verifySession(cookie, secret, nowMs = Date.now()) {
+    const parts = cookie.split('.');
+    if (parts.length !== 2)
+        return null;
+    const [body, sig] = parts;
+    const expected = b64url(createHmac('sha256', secret).update(body).digest());
+    if (!timingSafeEqualStr(sig, expected))
+        return null;
+    let payload;
+    try {
+        payload = JSON.parse(b64urlDecode(body).toString('utf-8'));
+    }
+    catch {
+        return null;
+    }
+    if (payload === null || typeof payload !== 'object')
+        return null;
+    const exp = payload.exp;
+    if (typeof exp !== 'number' || exp < nowMs)
+        return null;
+    return { exp };
+}

package/dist/core/backup/types.d.ts

@@ -0,0 +1,70 @@
+export type Retention = {
+    hourly?: number;
+    daily?: number;
+    weekly?: number;
+    monthly?: number;
+    yearly?: number;
+};
+export type Schedule = 'hourly' | '*-*-* 00/3:00:00' | '*-*-* 00/6:00:00' | '*-*-* 00/12:00:00' | 'daily' | 'weekly';
+export type DumpType = 'postgres' | 'mysql' | 'mongo' | 'redis';
+export interface DumpHook {
+    type: DumpType;
+    container: string;
+    /** for postgres/mysql: database name. for mongo: optional db filter. for redis: ignored. */
+    db?: string;
+    /** literal user value passed to the dump tool. takes precedence over userEnv.
+     *  defaults sensibly per type (postgres: $POSTGRES_USER, mysql: root, mongo: root). */
+    user?: string;
+    /** port the db listens on inside the container. only used for redis (which
+     *  has a default of 6379 but glitchtip et al re-bind to non-standard ports). */
+    port?: number;
+    /** path inside the container that holds the password (docker secrets pattern).
+     *  preferred over passwordEnv because shared-* containers use _FILE secrets. */
+    passwordFile?: string;
+    /** shell command executed on the HOST (outside the container) whose stdout
+     *  becomes the password. used when the secret lives in a host .env file that
+     *  was consumed by docker-compose at startup but is no longer present in
+     *  the container. fleet runs as root so it can read those files. */
+    passwordHostCommand?: string;
+    /** env var name in the container that holds the user. legacy. */
+    userEnv?: string;
+    /** env var name in the container that holds the password. legacy. */
+    passwordEnv?: string;
+}
+export interface AppBackupConfig {
+    /** the app name as known to fleet (or `system`, `root-home`, `user-home` for pseudo-apps). */
+    app: string;
+    /** systemd OnCalendar expression. */
+    schedule: Schedule;
+    /** filesystem paths to include. */
+    paths: string[];
+    /** glob patterns to exclude. */
+    exclude: string[];
+    /** named docker volumes to dump alongside fs paths. */
+    volumes?: string[];
+    /** db dump to run before snapshot. */
+    preDump?: DumpHook;
+    /** post-snapshot cmd to run inside the host (rare). */
+    postHook?: string;
+    /** retention policy applied after every snapshot via restic forget --prune. */
+    retention: Retention;
+    /** disable: skip this app entirely. */
+    disabled?: boolean;
+}
+export interface SnapshotInfo {
+    id: string;
+    shortId: string;
+    time: string;
+    hostname: string;
+    paths: string[];
+    tags: string[];
+    sizeBytes?: number;
+}
+export interface RepoStats {
+    totalSize: number;
+    totalFileCount: number;
+    snapshotCount: number;
+}
+export declare const PSEUDO_APPS: readonly ["system", "root-home", "user-home", "shared-postgres", "shared-mysql", "shared-mongodb"];
+export type PseudoApp = typeof PSEUDO_APPS[number];
+export declare function isPseudoApp(name: string): name is PseudoApp;

package/dist/core/backup/types.js

@@ -0,0 +1,7 @@
+export const PSEUDO_APPS = [
+    'system', 'root-home', 'user-home',
+    'shared-postgres', 'shared-mysql', 'shared-mongodb',
+];
+export function isPseudoApp(name) {
+    return PSEUDO_APPS.includes(name);
+}

package/dist/core/backup/unlock.d.ts

@@ -0,0 +1,19 @@
+import { FleetError } from '../errors.js';
+/** absolute path to the age recipient public key. */
+export declare function agePubPath(): string;
+/** systemd credstore entry holding the age identity. */
+export declare function ageKeyCred(): string;
+/** absolute path to the age unlock helper script. */
+export declare function unlockScript(): string;
+export declare class UnlockError extends FleetError {
+}
+/** path to the per-app age-encrypted restic password file. */
+export declare function vaultPath(app: string): string;
+/** path the running fleet binary points restic at as RESTIC_PASSWORD_COMMAND. */
+export declare function passwordCommandFor(app: string): string;
+/** returns the age public key (the recipient we encrypt restic passwords to). */
+export declare function readPubKey(): string;
+/** generate a random base64 password and age-encrypt it to the vault file. */
+export declare function generateAndStorePassword(app: string): void;
+/** read+decrypt the restic password for an app (held in memory only). */
+export declare function fetchPassword(app: string): string;

package/dist/core/backup/unlock.js

@@ -0,0 +1,69 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { requireEnv } from '../env.js';
+import { FleetError } from '../errors.js';
+import { execSafe } from '../exec.js';
+import { backupVaultDir } from './config.js';
+/** absolute path to the age recipient public key. */
+export function agePubPath() { return requireEnv('FLEET_BACKUP_AGE_PUB'); }
+/** systemd credstore entry holding the age identity. */
+export function ageKeyCred() { return requireEnv('FLEET_BACKUP_AGE_KEY_CRED'); }
+/** absolute path to the age unlock helper script. */
+export function unlockScript() { return requireEnv('FLEET_BACKUP_UNLOCK_SCRIPT'); }
+export class UnlockError extends FleetError {
+}
+/** path to the per-app age-encrypted restic password file. */
+export function vaultPath(app) {
+    return join(backupVaultDir(), `${app}.age`);
+}
+/** path the running fleet binary points restic at as RESTIC_PASSWORD_COMMAND. */
+export function passwordCommandFor(app) {
+    return `/usr/local/sbin/fleet-restic-app-key.sh ${app}`;
+}
+/** returns the age public key (the recipient we encrypt restic passwords to). */
+export function readPubKey() {
+    const pubPath = agePubPath();
+    if (!existsSync(pubPath)) {
+        throw new UnlockError(`age public key not found at ${pubPath}. run fleet backup init.`);
+    }
+    const r = execSafe('cat', [pubPath], { timeout: 2_000 });
+    if (!r.ok)
+        throw new UnlockError(`failed reading ${pubPath}: ${r.stderr}`);
+    const pub = r.stdout.trim();
+    if (!pub.startsWith('age1'))
+        throw new UnlockError(`malformed age pubkey at ${pubPath}`);
+    return pub;
+}
+/** generate a random base64 password and age-encrypt it to the vault file. */
+export function generateAndStorePassword(app) {
+    const dir = backupVaultDir();
+    if (!existsSync(dir)) {
+        execSafe('mkdir', ['-p', '--mode=700', dir], { timeout: 2_000 });
+    }
+    const pub = readPubKey();
+    // pipe: openssl rand -base64 48 | tr -d \n | age -e -r <pub> > vault
+    const out = vaultPath(app);
+    const r = execSafe('sh', ['-c', `openssl rand -base64 48 | tr -d '\\n' | age -e -r ${pub} > ${shellEscape(out)} && chmod 600 ${shellEscape(out)}`], { timeout: 10_000 });
+    if (!r.ok)
+        throw new UnlockError(`vault write failed: ${r.stderr}`);
+}
+/** read+decrypt the restic password for an app (held in memory only). */
+export function fetchPassword(app) {
+    if (!existsSync(vaultPath(app))) {
+        throw new UnlockError(`no vault entry for app ${app}. run: fleet backup init ${app}`);
+    }
+    const keyCred = ageKeyCred();
+    if (!existsSync(keyCred)) {
+        throw new UnlockError(`age key credential not found at ${keyCred}. setup incomplete.`);
+    }
+    const r = execSafe('sh', ['-c', `${shellEscape(unlockScript())} | age -d -i /dev/stdin ${shellEscape(vaultPath(app))}`], { timeout: 5_000 });
+    if (!r.ok)
+        throw new UnlockError(`password decrypt failed: ${r.stderr}`);
+    const pass = r.stdout;
+    if (!pass)
+        throw new UnlockError(`decrypted password empty`);
+    return pass;
+}
+function shellEscape(s) {
+    return `'${s.replace(/'/g, "'\\''")}'`;
+}

package/dist/core/boot-refresh.d.ts

@@ -33,7 +33,7 @@ export type BuildResult = {
     reason: 'build-failed';
 };
 export declare function buildIfStale(app: AppEntry, currentHead: string): BuildResult;
-export declare function recordBuiltCommit(appName: string, commit: string): void;
+export declare function recordBuiltCommit(appName: string, commit: string): Promise<void>;
 export declare const KILL_SWITCH = "/etc/fleet/no-auto-refresh";
 export declare const DEFAULT_WALL_CLOCK_MS = 900000;
 export type RefreshResult = {

package/dist/core/boot-refresh.js

@@ -1,7 +1,7 @@
 import { existsSync } from 'node:fs';
 import { isGitRepo, getGitStatus } from './git.js';
 import { execGit } from './exec.js';
-import { load, save } from './registry.js';
+import { withRegistry } from './registry.js';
 import { composeBuild } from './docker.js';
 export function preflight(projectRoot) {
     if (!isGitRepo(projectRoot))
@@ -53,13 +53,14 @@ export function buildIfStale(app, currentHead) {
         return { ok: false, reason: 'build-failed' };
     return { ok: true, built: true };
 }
-export function recordBuiltCommit(appName, commit) {
-    const reg = load();
-    const i = reg.apps.findIndex(a => a.name === appName);
-    if (i < 0)
-        return;
-    reg.apps[i] = { ...reg.apps[i], lastBuiltCommit: commit };
-    save(reg);
+export async function recordBuiltCommit(appName, commit) {
+    await withRegistry(reg => {
+        const i = reg.apps.findIndex(a => a.name === appName);
+        if (i < 0)
+            return reg;
+        reg.apps[i] = { ...reg.apps[i], lastBuiltCommit: commit };
+        return reg;
+    });
 }
 export const KILL_SWITCH = '/etc/fleet/no-auto-refresh';
 function killSwitchPath() {
@@ -80,7 +81,7 @@ async function doRefresh(app) {
     if (!build.ok)
         return { kind: 'failed-safe', step: 'build', detail: build.reason };
     if (build.built)
-        recordBuiltCommit(app.name, ff.newHead);
+        await recordBuiltCommit(app.name, ff.newHead);
     if (!ff.changed && !build.built)
         return { kind: 'no-change', head: ff.newHead };
     return { kind: 'refreshed', head: ff.newHead, built: build.built };

package/dist/core/deps/actors/pr-creator.d.ts

@@ -2,13 +2,15 @@ import type { AppEntry } from '../../registry.js';
 import type { Finding } from '../types.js';
 export interface VersionBump {
     file: string;
-    search: string;
+    searchRegex: RegExp;
     replace: string;
 }
 export declare function generateVersionBump(finding: Finding): VersionBump | null;
 export declare function buildPrBody(findings: Finding[]): string;
-export declare function createDepsPr(app: AppEntry, findings: Finding[], dryRun: boolean): {
+export interface CreateDepsPrResult {
     branch: string;
     bumps: VersionBump[];
     prUrl?: string;
-};
+    error?: string;
+}
+export declare function createDepsPr(app: AppEntry, findings: Finding[], dryRun: boolean): CreateDepsPrResult;

package/dist/core/deps/actors/pr-creator.js

@@ -1,34 +1,41 @@
 import { readFileSync, writeFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { execSafe } from '../../exec.js';
+import { getGitStatus } from '../../git.js';
+function escapeRegex(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
 export function generateVersionBump(finding) {
     if (!finding.fixable || !finding.package || !finding.currentVersion || !finding.latestVersion) {
         return null;
     }
+    const escName = escapeRegex(finding.package);
+    const escCurrent = escapeRegex(finding.currentVersion);
     switch (finding.source) {
         case 'npm':
             return {
                 file: 'package.json',
-                search: `"${finding.package}": "${finding.currentVersion}"`,
-                replace: `"${finding.package}": "${finding.latestVersion}"`,
+                // capture optional leading range operator (^, ~, >=, <=, >, <, =) so it survives the rewrite
+                searchRegex: new RegExp(`("${escName}"\\s*:\\s*")([\\^~>=<]*)${escCurrent}(")`),
+                replace: `$1$2${finding.latestVersion}$3`,
             };
         case 'composer':
             return {
                 file: 'composer.json',
-                search: `"${finding.package}": "${finding.currentVersion}"`,
-                replace: `"${finding.package}": "${finding.latestVersion}"`,
+                searchRegex: new RegExp(`("${escName}"\\s*:\\s*")([\\^~>=<]*)${escCurrent}(")`),
+                replace: `$1$2${finding.latestVersion}$3`,
             };
         case 'pip':
             return {
                 file: 'requirements.txt',
-                search: `${finding.package}==${finding.currentVersion}`,
-                replace: `${finding.package}==${finding.latestVersion}`,
+                searchRegex: new RegExp(`(${escName}==)${escCurrent}\\b`),
+                replace: `$1${finding.latestVersion}`,
             };
         case 'docker-image':
             return {
                 file: 'Dockerfile',
-                search: `${finding.package}:${finding.currentVersion}`,
-                replace: `${finding.package}:${finding.latestVersion}`,
+                searchRegex: new RegExp(`(${escName}:)${escCurrent}\\b`),
+                replace: `$1${finding.latestVersion}`,
             };
         default:
             return null;
@@ -74,25 +81,71 @@ export function createDepsPr(app, findings, dryRun) {
     if (dryRun) {
         return { branch, bumps };
     }
+    // Working-tree precheck: refuse to operate on a dirty repo. Otherwise the
+    // checkout/pull below can fail mid-way and leave the repo in a partial state,
+    // or worse, run on stale content.
+    const status = getGitStatus(app.composePath);
+    if (!status.initialised) {
+        return { branch: '', bumps: [], error: `${app.composePath} is not a git repo` };
+    }
+    if (!status.clean) {
+        return {
+            branch: '',
+            bumps: [],
+            error: `working tree at ${app.composePath} is dirty (${status.staged} staged, ${status.modified} modified, ${status.untracked} untracked) — commit or stash before running deps fix`,
+        };
+    }
     const sshEnv = process.env.SSH_AUTH_SOCK ? { SSH_AUTH_SOCK: process.env.SSH_AUTH_SOCK } : {};
-    execSafe('git', ['checkout', 'develop'], { cwd: app.composePath });
-    execSafe('git', ['pull'], { cwd: app.composePath, env: sshEnv });
-    execSafe('git', ['checkout', '-b', branch], { cwd: app.composePath });
+    const checkoutDevelop = execSafe('git', ['checkout', 'develop'], { cwd: app.composePath });
+    if (!checkoutDevelop.ok) {
+        return { branch: '', bumps: [], error: `git checkout develop failed: ${checkoutDevelop.stderr}` };
+    }
+    const pull = execSafe('git', ['pull'], { cwd: app.composePath, env: sshEnv });
+    if (!pull.ok) {
+        return { branch: '', bumps: [], error: `git pull failed: ${pull.stderr}` };
+    }
+    const checkoutBranch = execSafe('git', ['checkout', '-b', branch], { cwd: app.composePath });
+    if (!checkoutBranch.ok) {
+        return { branch: '', bumps: [], error: `git checkout -b ${branch} failed: ${checkoutBranch.stderr}` };
+    }
+    // Apply each bump and track which files actually changed.
+    const changedFiles = new Set();
     for (const bump of bumps) {
         const filePath = join(app.composePath, bump.file);
         if (!existsSync(filePath))
             continue;
-        let content = readFileSync(filePath, 'utf-8');
-        content = content.replace(bump.search, bump.replace);
-        writeFileSync(filePath, content);
+        const before = readFileSync(filePath, 'utf-8');
+        const after = before.replace(bump.searchRegex, bump.replace);
+        if (after !== before) {
+            writeFileSync(filePath, after);
+            changedFiles.add(bump.file);
+        }
+    }
+    // Range mismatch / unknown file content / nothing to update — abort before
+    // committing or pushing so we never open an empty PR.
+    if (changedFiles.size === 0) {
+        return {
+            branch: '',
+            bumps: [],
+            error: `no files changed: regex did not match any of ${[...new Set(bumps.map(b => b.file))].join(', ')}; the manifest may already be at the target version, or the version range syntax is unsupported`,
+        };
+    }
+    const files = [...changedFiles];
+    const add = execSafe('git', ['add', ...files], { cwd: app.composePath });
+    if (!add.ok) {
+        return { branch: '', bumps: [], error: `git add failed: ${add.stderr}` };
     }
-    const files = [...new Set(bumps.map(b => b.file))];
-    execSafe('git', ['add', ...files], { cwd: app.composePath });
     const commitMsg = bumps.length === 1
         ? `chore(deps): update ${fixable[0].package} from ${fixable[0].currentVersion} to ${fixable[0].latestVersion}`
         : `chore(deps): update ${bumps.length} dependencies`;
-    execSafe('git', ['commit', '-m', commitMsg], { cwd: app.composePath });
-    execSafe('git', ['push', '-u', 'origin', branch], { cwd: app.composePath, env: sshEnv });
+    const commit = execSafe('git', ['commit', '-m', commitMsg], { cwd: app.composePath });
+    if (!commit.ok) {
+        return { branch: '', bumps: [], error: `git commit failed: ${commit.stderr}` };
+    }
+    const push = execSafe('git', ['push', '-u', 'origin', branch], { cwd: app.composePath, env: sshEnv });
+    if (!push.ok) {
+        return { branch: '', bumps: [], error: `git push failed: ${push.stderr}` };
+    }
     if (!app.gitRepo)
         return { branch, bumps };
     const prBody = buildPrBody(fixable);

package/dist/core/deps/collectors/fetch-with-timeout.d.ts

@@ -0,0 +1,7 @@
+/**
+ * fetch wrapper that aborts after `timeoutMs`.
+ *
+ * Used by collectors that hit third-party HTTP services (OSV, npm registry).
+ * Without this, a hung peer would stall an entire scan indefinitely.
+ */
+export declare function fetchWithTimeout(url: string, init?: RequestInit, timeoutMs?: number): Promise<Response>;

package/dist/core/deps/collectors/fetch-with-timeout.js

@@ -0,0 +1,16 @@
+/**
+ * fetch wrapper that aborts after `timeoutMs`.
+ *
+ * Used by collectors that hit third-party HTTP services (OSV, npm registry).
+ * Without this, a hung peer would stall an entire scan indefinitely.
+ */
+export async function fetchWithTimeout(url, init = {}, timeoutMs = 10_000) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        return await fetch(url, { ...init, signal: controller.signal });
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}

package/dist/core/deps/collectors/npm.js

@@ -1,6 +1,8 @@
 import { readFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { severityFromVersionDelta } from '../severity.js';
+import { fetchWithTimeout } from './fetch-with-timeout.js';
+const NPM_REGISTRY_TIMEOUT_MS = 10_000;
 export class NpmCollector {
     overrides;
     type = 'npm';
@@ -37,7 +39,7 @@ export class NpmCollector {
     async checkPackage(appName, name, currentRaw) {
         const current = currentRaw.replace(/^[^\d]*/, '');
         try {
-            const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`);
+            const res = await fetchWithTimeout(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`, {}, NPM_REGISTRY_TIMEOUT_MS);
             if (!res.ok)
                 return null;
             const data = await res.json();

package/dist/core/deps/collectors/vulnerability.d.ts

@@ -2,6 +2,14 @@ import type { AppEntry } from '../../registry.js';
 import type { Collector, Finding } from '../types.js';
 export declare class VulnerabilityCollector implements Collector {
     type: "vulnerability";
+    private skipRegexes;
+    /**
+     * @param osvSkipPatterns regex strings matched against bare package names.
+     * Matching packages are NOT sent to OSV (https://api.osv.dev), which is a
+     * third-party service. This prevents leaking private/internal package
+     * manifests to a third party.
+     */
+    constructor(osvSkipPatterns?: string[]);
     detect(appPath: string): boolean;
     collect(app: AppEntry): Promise<Finding[]>;
     private extractPackages;

package/dist/core/deps/collectors/vulnerability.js

@@ -1,8 +1,29 @@
 import { readFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { severityFromCvss } from '../severity.js';
+import { fetchWithTimeout } from './fetch-with-timeout.js';
+const OSV_TIMEOUT_MS = 10_000;
 export class VulnerabilityCollector {
     type = 'vulnerability';
+    skipRegexes;
+    /**
+     * @param osvSkipPatterns regex strings matched against bare package names.
+     * Matching packages are NOT sent to OSV (https://api.osv.dev), which is a
+     * third-party service. This prevents leaking private/internal package
+     * manifests to a third party.
+     */
+    constructor(osvSkipPatterns = []) {
+        this.skipRegexes = osvSkipPatterns
+            .map(p => {
+            try {
+                return new RegExp(p);
+            }
+            catch {
+                return null;
+            }
+        })
+            .filter((r) => r !== null);
+    }
     detect(appPath) {
         return (existsSync(join(appPath, 'package.json')) ||
             existsSync(join(appPath, 'composer.json')) ||
@@ -63,18 +84,26 @@ export class VulnerabilityCollector {
             }
             catch { /* skip */ }
         }
+        // Filter out packages that match any configured skip pattern. OSV is a
+        // third-party service (api.osv.dev, operated by Google), so the request
+        // payload is the package name + version. Internal/private package names
+        // would otherwise be exfiltrated. The default config skips the user's
+        // own npm scope.
+        if (this.skipRegexes.length > 0) {
+            return packages.filter(p => !this.skipRegexes.some(rx => rx.test(p.name)));
+        }
         return packages;
     }
     async queryOsv(appName, pkg) {
         try {
-            const res = await fetch('https://api.osv.dev/v1/query', {
+            const res = await fetchWithTimeout('https://api.osv.dev/v1/query', {
                 method: 'POST',
                 headers: { 'Content-Type': 'application/json' },
                 body: JSON.stringify({
                     version: pkg.version,
                     package: { name: pkg.name, ecosystem: pkg.ecosystem },
                 }),
-            });
+            }, OSV_TIMEOUT_MS);
             if (!res.ok)
                 return [];
             const data = await res.json();

package/dist/core/deps/config.js

@@ -21,6 +21,12 @@ export function defaultConfig() {
             minorVersionBehind: 'medium',
             patchVersionBehind: 'low',
         },
+        // Skip OSV lookups for the user's own npm scope by default — OSV is a
+        // third-party service (Google) and sending internal package names there
+        // leaks the proprietary dependency manifest. Backwards compat: if an
+        // existing deps-config.json is missing this field, mergeConfig fills it
+        // in from these defaults.
+        osvSkipPatterns: ['^@matthesketh/'],
     };
 }
 export function mergeConfig(base, overrides) {

package/dist/core/deps/scanner.js

@@ -14,7 +14,7 @@ export function createCollectors(config) {
         new DockerImageCollector(config.severityOverrides),
         new DockerRunningCollector(config.severityOverrides),
         new EolCollector(config.severityOverrides.eolDaysWarning),
-        new VulnerabilityCollector(),
+        new VulnerabilityCollector(config.osvSkipPatterns),
         new GitHubPrCollector(),
     ];
 }

package/dist/core/deps/types.d.ts

@@ -48,6 +48,14 @@ export interface DepsConfig {
         minorVersionBehind: Severity;
         patchVersionBehind: Severity;
     };
+    /**
+     * Regex strings (matched against bare package name) of packages that must
+     * NOT be queried against OSV (https://api.osv.dev). OSV is a third-party
+     * service operated by Google; sending private/internal package names there
+     * leaks the proprietary dependency manifest. Default skips the user's own
+     * npm scope.
+     */
+    osvSkipPatterns: string[];
 }
 export interface DepsCache {
     version: 1;

package/dist/core/env.d.ts

@@ -0,0 +1,3 @@
+/** returns a required env var, or throws a clear error. use for secrets,
+ *  keys and credential paths where a silent default would be dangerous. */
+export declare function requireEnv(name: string): string;