@merupatel/reachable 1.0.3 → 1.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +14 -0
- package/README.md +15 -1
- package/dist/cli/index.d.cts +6 -0
- package/dist/cli/index.js +210949 -0
- package/dist/package.json +3 -0
- package/package.json +17 -4
package/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,17 @@
|
|
|
1
|
+
## [1.0.5](https://github.com/Meru143/reachable/compare/v1.0.4...v1.0.5) (2026-03-20)
|
|
2
|
+
|
|
3
|
+
|
|
4
|
+
### Bug Fixes
|
|
5
|
+
|
|
6
|
+
* add cli demo and resolve wildcard aliases ([5c6a62d](https://github.com/Meru143/reachable/commit/5c6a62d2b191d9c78cfd1ad18253c977d82b76a8))
|
|
7
|
+
|
|
8
|
+
## [1.0.4](https://github.com/Meru143/reachable/compare/v1.0.3...v1.0.4) (2026-03-20)
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
### Bug Fixes
|
|
12
|
+
|
|
13
|
+
* build package before pack and publish ([6e35eea](https://github.com/Meru143/reachable/commit/6e35eeac938166ddbafbc33bae0f1b1767abedf2))
|
|
14
|
+
|
|
1
15
|
## [1.0.3](https://github.com/Meru143/reachable/compare/v1.0.2...v1.0.3) (2026-03-19)
|
|
2
16
|
|
|
3
17
|
|
package/README.md
CHANGED
|
@@ -4,10 +4,16 @@
|
|
|
4
4
|
|
|
5
5
|
|
|
6
6
|
|
|
7
|
-
`reachable` is a local-first CLI that answers the question developers ask after `npm audit`: is the vulnerable code path actually reachable from my application?
|
|
7
|
+
`reachable` is a local-first CLI for JavaScript and TypeScript that answers the question developers ask after `npm audit`: is the vulnerable code path actually reachable from my application?
|
|
8
8
|
|
|
9
9
|
It parses JavaScript and TypeScript with tree-sitter, builds a project call graph, queries OSV advisories, and reports whether the vulnerable symbol is reachable, unknown, or unreachable from your entry points.
|
|
10
10
|
|
|
11
|
+
|
|
12
|
+
|
|
13
|
+
- Cut false-positive dependency noise by separating `REACHABLE`, `UNKNOWN`, and `UNREACHABLE` findings.
|
|
14
|
+
- Fail CI on code paths that actually matter instead of every advisory in the lockfile.
|
|
15
|
+
- Run locally or in GitHub Actions without a hosted service, account, or API key.
|
|
16
|
+
|
|
11
17
|
## Why reachable?
|
|
12
18
|
|
|
13
19
|
`npm audit` reports package-level risk. It does not know whether your code imports or calls the vulnerable function. That leads to noisy CI failures, broad dependency upgrade churn, and teams ignoring entire audit reports.
|
|
@@ -18,6 +24,14 @@ It parses JavaScript and TypeScript with tree-sitter, builds a project call grap
|
|
|
18
24
|
- It separates `REACHABLE`, `UNKNOWN`, and `UNREACHABLE` findings so real risk rises to the top.
|
|
19
25
|
- It works locally in CI without a hosted service, account, or API key.
|
|
20
26
|
|
|
27
|
+
## Why Not Just `npm audit`?
|
|
28
|
+
|
|
29
|
+
| Tool | Flags vulnerable packages | Checks whether your code reaches the vulnerable symbol | Local-first CLI |
|
|
30
|
+
| --- | --- | --- | --- |
|
|
31
|
+
| `reachable` | Yes | Yes | Yes |
|
|
32
|
+
| `npm audit` | Yes | No | Yes |
|
|
33
|
+
| Dependabot alerts | Yes | No | No |
|
|
34
|
+
|
|
21
35
|
## Installation
|
|
22
36
|
|
|
23
37
|
```bash
|