npm - @merupatel/reachable - Versions diffs - 1.0.4 → 1.0.6 - Mend

@merupatel/reachable 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,17 @@
+## [1.0.6](https://github.com/Meru143/reachable/compare/v1.0.5...v1.0.6) (2026-04-04)
+### Bug Fixes
+* scope reachable audit to production dependencies ([3b1a280](https://github.com/Meru143/reachable/commit/3b1a2803dbbd44a5341f9e0ce2096b933e4756b5))
+## [1.0.5](https://github.com/Meru143/reachable/compare/v1.0.4...v1.0.5) (2026-03-20)
+### Bug Fixes
+* add cli demo and resolve wildcard aliases ([5c6a62d](https://github.com/Meru143/reachable/commit/5c6a62d2b191d9c78cfd1ad18253c977d82b76a8))
 ## [1.0.4](https://github.com/Meru143/reachable/compare/v1.0.3...v1.0.4) (2026-03-20)

package/README.md CHANGED Viewed

@@ -4,10 +4,20 @@
 ![npm](https://img.shields.io/npm/v/%40merupatel%2Freachable)
 ![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)
-`reachable` is a local-first CLI that answers the question developers ask after `npm audit`: is the vulnerable code path actually reachable from my application?
+`reachable` is a local-first CLI for JavaScript and TypeScript that answers the question developers ask after `npm audit`: is the vulnerable code path actually reachable from my application?
 It parses JavaScript and TypeScript with tree-sitter, builds a project call graph, queries OSV advisories, and reports whether the vulnerable symbol is reachable, unknown, or unreachable from your entry points.
+Live page: [merup.me/reachable](https://merup.me/reachable/)
+The point is not to replace package-level scanners. It is to rank the work that actually matters by asking the next question those tools cannot answer on their own: does your code reach the vulnerable symbol?
+![reachable CLI demo](docs/assets/reachable-demo.gif)
+- Cut false-positive dependency noise by separating `REACHABLE`, `UNKNOWN`, and `UNREACHABLE` findings.
+- Fail CI on code paths that actually matter instead of every advisory in the lockfile.
+- Run locally or in GitHub Actions without a hosted service, account, or API key.
 ## Why reachable?
 `npm audit` reports package-level risk. It does not know whether your code imports or calls the vulnerable function. That leads to noisy CI failures, broad dependency upgrade churn, and teams ignoring entire audit reports.
@@ -18,6 +28,14 @@ It parses JavaScript and TypeScript with tree-sitter, builds a project call grap
 - It separates `REACHABLE`, `UNKNOWN`, and `UNREACHABLE` findings so real risk rises to the top.
 - It works locally in CI without a hosted service, account, or API key.
+## Why Not Just `npm audit`?
+| Tool | Flags vulnerable packages | Checks whether your code reaches the vulnerable symbol | Local-first CLI |
+| --- | --- | --- | --- |
+| `reachable` | Yes | Yes | Yes |
+| `npm audit` | Yes | No | Yes |
+| Dependabot alerts | Yes | No | No |
 ## Installation
 ```bash

package/dist/cli/index.js CHANGED Viewed

@@ -209482,7 +209482,7 @@ function resolveAlias(importPath, cwd) {
     }
     const wildcardValue = match[1] ?? "";
     for (const target of targets) {
-      const substituted = target.replace("*", wildcardValue);
+      const substituted = target.split("*").join(wildcardValue);
       const absoluteTarget = import_node_path2.default.isAbsolute(substituted) ? substituted : import_node_path2.default.resolve(config.baseUrl, substituted);
       const resolved = resolveFileCandidate(absoluteTarget);
       if (resolved) {
@@ -209849,8 +209849,8 @@ var import_promises = require("timers/promises");
 // package.json
 var package_default = {
   name: "@merupatel/reachable",
-  version: "1.0.4",
-  description: "Dependency vulnerability reachability analyzer",
+  version: "1.0.6",
+  description: "Local-first vulnerability reachability CLI for JavaScript and TypeScript",
   bin: {
     reachable: "dist/cli/index.js"
   },
@@ -209878,10 +209878,22 @@ var package_default = {
   keywords: [
     "cli",
     "security",
-    "dependency",
+    "dependency-analysis",
     "reachability",
     "osv",
-    "audit"
+    "audit",
+    "nodejs",
+    "javascript",
+    "typescript",
+    "npm",
+    "vulnerability-scanner",
+    "static-analysis",
+    "devsecops",
+    "sast",
+    "sarif",
+    "github-actions",
+    "supply-chain-security",
+    "tree-sitter"
   ],
   author: "merupatel",
   license: "MIT",

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@merupatel/reachable",
-  "version": "1.0.4",
-  "description": "Dependency vulnerability reachability analyzer",
+  "version": "1.0.6",
+  "description": "Local-first vulnerability reachability CLI for JavaScript and TypeScript",
   "bin": {
     "reachable": "dist/cli/index.js"
   },
@@ -29,10 +29,22 @@
   "keywords": [
     "cli",
     "security",
-    "dependency",
+    "dependency-analysis",
     "reachability",
     "osv",
-    "audit"
+    "audit",
+    "nodejs",
+    "javascript",
+    "typescript",
+    "npm",
+    "vulnerability-scanner",
+    "static-analysis",
+    "devsecops",
+    "sast",
+    "sarif",
+    "github-actions",
+    "supply-chain-security",
+    "tree-sitter"
   ],
   "author": "merupatel",
   "license": "MIT",