@mr-aftab-ahmad-khan/depguard-cli 0.1.0

package/dist/cli.cjs

@@ -0,0 +1,679 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/cli.ts
+var import_commander = require("commander");
+
+// src/scanner.ts
+var import_node_fs2 = require("fs");
+var import_node_path2 = require("path");
+var import_node_os2 = require("os");
+
+// src/scoring.ts
+var SEVERITY_ORDER = {
+  info: 0,
+  low: 1,
+  medium: 2,
+  high: 3,
+  critical: 4
+};
+function maxSeverity(findings) {
+  let worst = "info";
+  for (const f of findings) {
+    if (SEVERITY_ORDER[f.severity] > SEVERITY_ORDER[worst]) worst = f.severity;
+  }
+  return worst;
+}
+function severityAtLeast(a, b) {
+  return SEVERITY_ORDER[a] >= SEVERITY_ORDER[b];
+}
+function scoreInstallScript(script) {
+  const reasons = [];
+  let score = 0;
+  const lower = script.toLowerCase();
+  if (/(curl|wget)\s+[^|]+\|\s*(sh|bash|zsh|node)/i.test(script)) {
+    score += 5;
+    reasons.push("curl/wget piped to a shell or node");
+  }
+  if (/\bbase64\b/.test(lower) && /\b(eval|exec)\b/.test(lower)) {
+    score += 5;
+    reasons.push("base64 combined with eval/exec");
+  }
+  if (/\bnew\s+Function\s*\(/.test(script)) {
+    score += 3;
+    reasons.push("dynamic `new Function()` invocation");
+  }
+  if (/process\.env(\.|\[)/.test(script)) {
+    score += 2;
+    reasons.push("reads process.env at install time");
+  }
+  if (/https?:\/\/(?!registry\.npmjs\.org|nodejs\.org|github\.com)[^\s'"`]+/i.test(script)) {
+    score += 3;
+    reasons.push("network call to a non-trusted domain");
+  }
+  if (/[A-Za-z0-9+/]{200,}={0,2}/.test(script)) {
+    score += 3;
+    reasons.push("very long opaque token (possible obfuscation)");
+  }
+  if (script.length > 300 && !script.includes("\n")) {
+    score += 2;
+    reasons.push("obfuscated one-liner > 300 chars");
+  }
+  return { score: Math.min(score, 10), reasons };
+}
+function levenshtein(a, b) {
+  if (a === b) return 0;
+  if (a.length === 0) return b.length;
+  if (b.length === 0) return a.length;
+  const prev = new Array(b.length + 1);
+  const curr = new Array(b.length + 1);
+  for (let j = 0; j <= b.length; j++) prev[j] = j;
+  for (let i = 1; i <= a.length; i++) {
+    curr[0] = i;
+    for (let j = 1; j <= b.length; j++) {
+      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+      curr[j] = Math.min(curr[j - 1] + 1, prev[j] + 1, prev[j - 1] + cost);
+    }
+    for (let j = 0; j <= b.length; j++) prev[j] = curr[j];
+  }
+  return prev[b.length];
+}
+function findTyposquatCandidate(name, topPackages) {
+  if (topPackages.includes(name)) return void 0;
+  for (const top of topPackages) {
+    if (Math.abs(top.length - name.length) > 2) continue;
+    const dist = levenshtein(name, top);
+    if (dist > 0 && dist <= 2) return top;
+  }
+  return void 0;
+}
+
+// src/registry.ts
+var import_node_fs = require("fs");
+var import_node_os = require("os");
+var import_node_path = require("path");
+var CACHE_DIR = (0, import_node_path.join)((0, import_node_os.homedir)(), ".depguard", "cache");
+function cacheFile(name) {
+  const safe = name.replace(/[^a-zA-Z0-9._-]/g, "_");
+  return (0, import_node_path.join)(CACHE_DIR, `${safe}.json`);
+}
+function readCache(name) {
+  const file = cacheFile(name);
+  if (!(0, import_node_fs.existsSync)(file)) return void 0;
+  try {
+    const entry = JSON.parse((0, import_node_fs.readFileSync)(file, "utf8"));
+    if (entry.expiresAt > Date.now()) return entry.data;
+  } catch {
+    return void 0;
+  }
+  return void 0;
+}
+function writeCache(name, data, ttlMs) {
+  if (!(0, import_node_fs.existsSync)(CACHE_DIR)) (0, import_node_fs.mkdirSync)(CACHE_DIR, { recursive: true });
+  const entry = { expiresAt: Date.now() + ttlMs, data };
+  (0, import_node_fs.writeFileSync)(cacheFile(name), JSON.stringify(entry), "utf8");
+}
+async function fetchPackument(name, opts = {}) {
+  const ttl = opts.ttlMs ?? 60 * 60 * 1e3;
+  const cached = readCache(name);
+  if (cached) return cached;
+  const fetcher = opts.fetcher ?? globalThis.fetch;
+  if (!fetcher) return void 0;
+  try {
+    const res = await fetcher(`https://registry.npmjs.org/${encodeURIComponent(name).replace("%40", "@")}`);
+    if (!res.ok) return void 0;
+    const data = await res.json();
+    writeCache(name, data, ttl);
+    return data;
+  } catch {
+    return void 0;
+  }
+}
+
+// src/top-packages.ts
+var TOP_PACKAGES = [
+  "react",
+  "react-dom",
+  "next",
+  "vue",
+  "svelte",
+  "angular",
+  "lodash",
+  "axios",
+  "express",
+  "fastify",
+  "koa",
+  "hono",
+  "moment",
+  "date-fns",
+  "dayjs",
+  "luxon",
+  "typescript",
+  "ts-node",
+  "tsx",
+  "tsup",
+  "esbuild",
+  "webpack",
+  "vite",
+  "rollup",
+  "parcel",
+  "babel",
+  "eslint",
+  "prettier",
+  "jest",
+  "vitest",
+  "mocha",
+  "chai",
+  "sinon",
+  "ava",
+  "cypress",
+  "playwright",
+  "puppeteer",
+  "redux",
+  "zustand",
+  "jotai",
+  "mobx",
+  "recoil",
+  "rxjs",
+  "graphql",
+  "apollo-client",
+  "apollo-server",
+  "prisma",
+  "drizzle-orm",
+  "kysely",
+  "knex",
+  "typeorm",
+  "sequelize",
+  "mongoose",
+  "pg",
+  "mysql2",
+  "sqlite3",
+  "better-sqlite3",
+  "redis",
+  "ioredis",
+  "bullmq",
+  "kafkajs",
+  "amqplib",
+  "socket.io",
+  "ws",
+  "uws",
+  "polka",
+  "fastify",
+  "h3",
+  "commander",
+  "yargs",
+  "minimist",
+  "inquirer",
+  "prompts",
+  "ora",
+  "chalk",
+  "picocolors",
+  "kleur",
+  "boxen",
+  "cli-table3",
+  "figlet",
+  "fs-extra",
+  "fast-glob",
+  "glob",
+  "globby",
+  "rimraf",
+  "del",
+  "execa",
+  "shelljs",
+  "cross-env",
+  "dotenv",
+  "joi",
+  "yup",
+  "zod",
+  "ajv",
+  "valibot",
+  "superstruct",
+  "io-ts",
+  "class-validator",
+  "passport",
+  "jsonwebtoken",
+  "jose",
+  "bcrypt",
+  "bcryptjs",
+  "argon2",
+  "uuid",
+  "nanoid",
+  "ulid",
+  "cuid",
+  "shortid",
+  "ms",
+  "humanize-duration",
+  "pluralize",
+  "marked",
+  "remark",
+  "rehype",
+  "showdown",
+  "turndown",
+  "cheerio",
+  "jsdom",
+  "playwright-core",
+  "node-fetch",
+  "got",
+  "ky",
+  "openai",
+  "anthropic",
+  "ai",
+  "@modelcontextprotocol/sdk",
+  "langchain",
+  "llamaindex",
+  "tiktoken",
+  "gpt-3-encoder",
+  "tailwindcss",
+  "postcss",
+  "autoprefixer",
+  "sass",
+  "stylus",
+  "less",
+  "styled-components",
+  "@emotion/react",
+  "@emotion/styled",
+  "framer-motion",
+  "react-router-dom",
+  "react-query",
+  "@tanstack/react-query",
+  "swr",
+  "trpc",
+  "@trpc/server",
+  "@trpc/client",
+  "winston",
+  "pino",
+  "bunyan",
+  "morgan",
+  "debug",
+  "sharp",
+  "jimp",
+  "canvas",
+  "puppeteer-core",
+  "playwright-chromium",
+  "exceljs",
+  "xlsx",
+  "pdfkit",
+  "pdf-lib",
+  "pdfmake",
+  "node-cron",
+  "agenda",
+  "bull",
+  "node-schedule",
+  "@sentry/node",
+  "@sentry/browser",
+  "@sentry/react",
+  "stripe",
+  "@stripe/stripe-js",
+  "twilio",
+  "nodemailer",
+  "resend",
+  "aws-sdk",
+  "@aws-sdk/client-s3",
+  "@aws-sdk/client-dynamodb",
+  "googleapis",
+  "firebase",
+  "firebase-admin",
+  "supabase",
+  "@supabase/supabase-js",
+  "mongodb",
+  "mongoose",
+  "elasticsearch",
+  "@elastic/elasticsearch",
+  "puppeteer-extra",
+  "playwright-extra",
+  "discord.js",
+  "telegraf",
+  "node-telegram-bot-api",
+  "slack-sdk",
+  "@slack/web-api",
+  "fast-xml-parser",
+  "xml2js",
+  "yaml",
+  "toml",
+  "ini",
+  "msgpack-lite",
+  "protobufjs",
+  "grpc",
+  "@grpc/grpc-js"
+];
+
+// src/scanner.ts
+function readJsonSafe(file) {
+  try {
+    return JSON.parse((0, import_node_fs2.readFileSync)(file, "utf8"));
+  } catch {
+    return void 0;
+  }
+}
+function findInstalled(root, depth) {
+  const nm = (0, import_node_path2.join)(root, "node_modules");
+  if (!(0, import_node_fs2.existsSync)(nm)) return [];
+  const out = [];
+  const visited = /* @__PURE__ */ new Set();
+  const walk = (dir, level) => {
+    if (visited.has(dir)) return;
+    visited.add(dir);
+    if (!(0, import_node_fs2.existsSync)(dir)) return;
+    for (const entry of (0, import_node_fs2.readdirSync)(dir)) {
+      if (entry.startsWith(".")) continue;
+      const pkgDir = (0, import_node_path2.join)(dir, entry);
+      try {
+        const stat = (0, import_node_fs2.statSync)(pkgDir);
+        if (!stat.isDirectory()) continue;
+      } catch {
+        continue;
+      }
+      if (entry.startsWith("@")) {
+        for (const sub of (0, import_node_fs2.readdirSync)(pkgDir)) {
+          handle((0, import_node_path2.join)(pkgDir, sub), `${entry}/${sub}`, level);
+        }
+      } else {
+        handle(pkgDir, entry, level);
+      }
+    }
+  };
+  const handle = (pkgDir, name, level) => {
+    const pj = readJsonSafe((0, import_node_path2.join)(pkgDir, "package.json"));
+    if (!pj) return;
+    out.push({
+      name: pj.name ?? name,
+      version: pj.version ?? "0.0.0",
+      dir: pkgDir,
+      pkgJson: pj
+    });
+    if (depth === "all" && (0, import_node_fs2.existsSync)((0, import_node_path2.join)(pkgDir, "node_modules"))) {
+      walk((0, import_node_path2.join)(pkgDir, "node_modules"), level + 1);
+    }
+  };
+  walk(nm, 0);
+  return out;
+}
+function loadBaseline() {
+  const file = (0, import_node_path2.join)((0, import_node_os2.homedir)(), ".depguard", "baseline.json");
+  if (!(0, import_node_fs2.existsSync)(file)) return {};
+  try {
+    return JSON.parse((0, import_node_fs2.readFileSync)(file, "utf8"));
+  } catch {
+    return {};
+  }
+}
+var INSTALL_SCRIPT_FIELDS = ["preinstall", "install", "postinstall", "preuninstall", "preprepare", "prepare"];
+function scriptFindings(pkg) {
+  const findings = [];
+  const scripts = pkg.pkgJson.scripts ?? {};
+  for (const field of INSTALL_SCRIPT_FIELDS) {
+    const src = scripts[field];
+    if (!src) continue;
+    const { score, reasons } = scoreInstallScript(src);
+    if (score === 0) continue;
+    const severity = score >= 8 ? "critical" : score >= 5 ? "high" : score >= 3 ? "medium" : "low";
+    findings.push({
+      rule: `install-script:${field}`,
+      severity,
+      message: `${field} script is suspicious (${reasons.join("; ")})`,
+      score
+    });
+  }
+  return findings;
+}
+function maintainerFindings(pkg, packument, baseline) {
+  if (!packument?.maintainers) return [];
+  const now = packument.maintainers.map((m) => m.name).sort();
+  const known = baseline[pkg.name]?.maintainers;
+  if (!known) return [];
+  const added = now.filter((m) => !known.includes(m));
+  if (added.length === 0) return [];
+  return [{
+    rule: "maintainer-change",
+    severity: "high",
+    message: `New maintainer(s) added since baseline: ${added.join(", ")}`,
+    score: 6
+  }];
+}
+function versionAnomalyFindings(pkg, packument) {
+  if (!packument?.time) return [];
+  const out = [];
+  const time = packument.time;
+  const versions = Object.keys(time).filter((k) => k !== "created" && k !== "modified");
+  const sevenDays = 7 * 24 * 60 * 60 * 1e3;
+  const major = /* @__PURE__ */ new Map();
+  for (const v of versions) {
+    const m = /^(\d+)\./.exec(v);
+    if (!m) continue;
+    const key = Number(m[1]);
+    const arr = major.get(key) ?? [];
+    arr.push(v);
+    major.set(key, arr);
+  }
+  const keys = [...major.keys()].sort((a, b) => a - b);
+  for (let i = 1; i < keys.length; i++) {
+    const prev = keys[i - 1];
+    const cur = keys[i];
+    const prevReleases = major.get(prev).map((v) => Date.parse(time[v] ?? "")).filter(Number.isFinite);
+    const curReleases = major.get(cur).map((v) => Date.parse(time[v] ?? "")).filter(Number.isFinite);
+    if (prevReleases.length === 0 || curReleases.length === 0) continue;
+    const lastPrev = Math.max(...prevReleases);
+    const firstCur = Math.min(...curReleases);
+    if (firstCur - lastPrev < sevenDays) {
+      out.push({
+        rule: "version-anomaly",
+        severity: "medium",
+        message: `Major bump v${prev} \u2192 v${cur} within 7 days (potential takeover)`,
+        score: 4
+      });
+    }
+  }
+  const created = Date.parse(time.created ?? "");
+  if (Number.isFinite(created) && Date.now() - created < 30 * 24 * 60 * 60 * 1e3) {
+    out.push({
+      rule: "young-package",
+      severity: "low",
+      message: "Package was first published less than 30 days ago",
+      score: 2
+    });
+  }
+  return out;
+}
+function typosquatFindings(name) {
+  const sug = findTyposquatCandidate(name, TOP_PACKAGES);
+  if (!sug) return [];
+  return [{
+    rule: "typosquat",
+    severity: "critical",
+    message: `Name closely resembles "${sug}" \u2014 likely typosquat`,
+    score: 10
+  }];
+}
+async function scan(options = {}) {
+  const cwd = options.cwd ?? process.cwd();
+  const depth = options.scanDepth ?? "all";
+  const ignore = new Set(options.ignore ?? []);
+  const baseline = loadBaseline();
+  const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const packages = [];
+  const installed = findInstalled(cwd, depth).filter((p) => !ignore.has(p.name));
+  for (const pkg of installed) {
+    const findings = [];
+    findings.push(...scriptFindings(pkg));
+    findings.push(...typosquatFindings(pkg.name));
+    if (options.network !== false) {
+      const packument = await fetchPackument(pkg.name, { ttlMs: options.cacheTTL ?? 60 * 60 * 1e3 });
+      findings.push(...maintainerFindings(pkg, packument, baseline));
+      findings.push(...versionAnomalyFindings(pkg, packument));
+    }
+    if (findings.length === 0) continue;
+    packages.push({
+      name: pkg.name,
+      version: pkg.version,
+      worstSeverity: maxSeverity(findings),
+      totalScore: findings.reduce((s, f) => s + f.score, 0),
+      findings
+    });
+  }
+  packages.sort((a, b) => b.totalScore - a.totalScore);
+  return {
+    packages,
+    scannedAt: startedAt,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    totalPackages: installed.length
+  };
+}
+async function audit(name) {
+  const packument = await fetchPackument(name);
+  if (!packument) return void 0;
+  const findings = [];
+  findings.push(...typosquatFindings(name));
+  return {
+    name,
+    version: packument["dist-tags"]?.latest ?? "0.0.0",
+    worstSeverity: maxSeverity(findings),
+    totalScore: findings.reduce((s, f) => s + f.score, 0),
+    findings
+  };
+}
+
+// src/format.ts
+var import_picocolors = __toESM(require("picocolors"), 1);
+var sevColor = {
+  info: import_picocolors.default.gray,
+  low: import_picocolors.default.blue,
+  medium: import_picocolors.default.yellow,
+  high: import_picocolors.default.magenta,
+  critical: import_picocolors.default.red
+};
+function formatReport(result) {
+  if (result.packages.length === 0) {
+    return import_picocolors.default.green(`\u2713 No risk findings across ${result.totalPackages} packages`);
+  }
+  const lines = [];
+  lines.push(import_picocolors.default.bold(`depguard report \u2014 ${result.packages.length} package(s) with findings (of ${result.totalPackages} scanned)`));
+  for (const p of result.packages) {
+    lines.push("");
+    lines.push(`  ${sevColor[p.worstSeverity](p.worstSeverity.toUpperCase())}  ${import_picocolors.default.bold(p.name)}@${p.version}  score=${p.totalScore}`);
+    for (const f of p.findings) {
+      lines.push(`    - ${sevColor[f.severity](f.severity)}  ${f.rule}: ${f.message}`);
+    }
+  }
+  return lines.join("\n");
+}
+function formatJson(result) {
+  return JSON.stringify(result, null, 2);
+}
+function formatPackage(p) {
+  const lines = [];
+  lines.push(`${sevColor[p.worstSeverity](p.worstSeverity.toUpperCase())}  ${import_picocolors.default.bold(p.name)}@${p.version}  score=${p.totalScore}`);
+  for (const f of p.findings) {
+    lines.push(`  - ${sevColor[f.severity](f.severity)}  ${f.rule}: ${f.message}`);
+  }
+  return lines.join("\n");
+}
+
+// src/config.ts
+var import_node_fs3 = require("fs");
+var import_node_path3 = require("path");
+function loadConfig(cwd) {
+  const file = (0, import_node_path3.join)(cwd, ".depguardrc.json");
+  if (!(0, import_node_fs3.existsSync)(file)) return {};
+  try {
+    return JSON.parse((0, import_node_fs3.readFileSync)(file, "utf8"));
+  } catch {
+    return {};
+  }
+}
+
+// src/baseline.ts
+var import_node_fs4 = require("fs");
+var import_node_path4 = require("path");
+var import_node_os3 = require("os");
+var BASELINE_DIR = (0, import_node_path4.join)((0, import_node_os3.homedir)(), ".depguard");
+var BASELINE_FILE = (0, import_node_path4.join)(BASELINE_DIR, "baseline.json");
+function saveBaseline(b) {
+  if (!(0, import_node_fs4.existsSync)(BASELINE_DIR)) (0, import_node_fs4.mkdirSync)(BASELINE_DIR, { recursive: true });
+  (0, import_node_fs4.writeFileSync)(BASELINE_FILE, JSON.stringify(b, null, 2) + "\n", "utf8");
+}
+function collectMaintainersFromDisk(cwd) {
+  const baseline = {};
+  const nm = (0, import_node_path4.join)(cwd, "node_modules");
+  if (!(0, import_node_fs4.existsSync)(nm)) return baseline;
+  for (const entry of (0, import_node_fs4.readdirSync)(nm)) {
+    if (entry.startsWith(".")) continue;
+    const dir = (0, import_node_path4.join)(nm, entry);
+    try {
+      const pkg = JSON.parse((0, import_node_fs4.readFileSync)((0, import_node_path4.join)(dir, "package.json"), "utf8"));
+      if (pkg.name && pkg.version) {
+        baseline[pkg.name] = {
+          maintainers: (pkg.maintainers ?? []).map((m) => m.name).sort(),
+          version: pkg.version
+        };
+      }
+    } catch {
+    }
+  }
+  return baseline;
+}
+
+// src/cli.ts
+var program = new import_commander.Command();
+program.name("depguard").description("Supply-chain security scanner for npm projects").option("--cwd <path>", "Working directory", process.cwd());
+program.command("scan", { isDefault: true }).description("Scan the current project's installed packages").option("--fail-on <severity>", "Exit 1 when any finding \u2265 severity").option("--format <fmt>", "Output format: pretty | json", "pretty").option("--no-network", "Skip registry calls").option("--depth <depth>", "direct | all", "all").action(async (opts) => {
+  const cwd = program.opts().cwd;
+  const cfg = loadConfig(cwd);
+  const failOn = opts.failOn ?? cfg.failOn;
+  const result = await scan({
+    cwd,
+    ignore: cfg.ignore ?? [],
+    network: opts.network !== false,
+    scanDepth: opts.depth ?? cfg.scanDepth ?? "all",
+    ...cfg.cacheTTL !== void 0 ? { cacheTTL: cfg.cacheTTL } : {}
+  });
+  process.stdout.write(opts.format === "json" ? formatJson(result) : formatReport(result));
+  process.stdout.write("\n");
+  if (failOn) {
+    const hit = result.packages.some((p) => severityAtLeast(p.worstSeverity, failOn));
+    if (hit) process.exit(1);
+  }
+});
+program.command("baseline").description("Save current installed maintainers as the trusted baseline").action(() => {
+  const cwd = program.opts().cwd;
+  const baseline = collectMaintainersFromDisk(cwd);
+  saveBaseline(baseline);
+  process.stdout.write(`depguard: baseline saved (${Object.keys(baseline).length} packages)
+`);
+});
+program.command("audit <package>").description("Audit a single package by name").action(async (name) => {
+  const result = await audit(name);
+  if (!result) {
+    process.stderr.write(`depguard: could not fetch metadata for "${name}"
+`);
+    process.exit(1);
+  }
+  process.stdout.write(formatPackage(result) + "\n");
+});
+program.parseAsync(process.argv).catch((err) => {
+  process.stderr.write(`depguard: ${err instanceof Error ? err.message : String(err)}
+`);
+  process.exit(1);
+});
+//# sourceMappingURL=cli.cjs.map