npm - @nexus_js/audit - Versions diffs - 0.7.0 → 0.7.2 - Mend

@nexus_js/audit 0.7.0 → 0.7.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/dist/engine.d.ts +62 -0
package/dist/engine.d.ts.map +1 -0
package/dist/engine.js +261 -0
package/dist/engine.js.map +1 -0
package/{src/index.ts → dist/index.d.ts} +5 -27
package/dist/index.d.ts.map +1 -0
package/dist/index.js +16 -0
package/dist/index.js.map +1 -0
package/dist/override.d.ts +80 -0
package/dist/override.d.ts.map +1 -0
package/dist/override.js +127 -0
package/dist/override.js.map +1 -0
package/dist/scanner.d.ts +53 -0
package/dist/scanner.d.ts.map +1 -0
package/dist/scanner.js +115 -0
package/dist/scanner.js.map +1 -0
package/dist/supply-chain.d.ts +59 -0
package/dist/supply-chain.d.ts.map +1 -0
package/dist/supply-chain.js +257 -0
package/dist/supply-chain.js.map +1 -0
package/package.json +17 -4
package/src/engine.ts +0 -322
package/src/override.ts +0 -168
package/src/scanner.ts +0 -169
package/src/supply-chain.ts +0 -316

package/dist/scanner.d.ts ADDED Viewed

@@ -0,0 +1,53 @@
+/**
+ * Nexus Package Scanner — reads package.json and coordinates audits.
+ *
+ * Combines:
+ *  - CVE scanning via OSV (engine.ts)
+ *  - Supply chain risk via npm registry (supply-chain.ts)
+ *  - Override policy validation (override.ts)
+ *
+ * Entry point for both the CLI and the Vite plugin.
+ */
+import { filterVulnerable, type AuditResult, type VulnSeverity } from './engine.js';
+import { type SupplyChainResult } from './supply-chain.js';
+import { formatOverrides, type AllowVulnerableConfig } from './override.js';
+export type { AuditResult, VulnSeverity, SupplyChainResult, AllowVulnerableConfig };
+export { filterVulnerable };
+export interface ScanOptions {
+    root: string;
+    /** Include devDependencies in the scan (default: false) */
+    includeDev?: boolean;
+    /** Supply chain guard (default: true) */
+    supplyChain?: boolean;
+    /** Override exceptions from nexus.config.ts security.allowVulnerable */
+    allowVulnerable?: AllowVulnerableConfig;
+    /**
+     * If true, critical CVEs that are not overridden will throw (for build-time blocking).
+     * If false, they are reported but don't throw.
+     */
+    failOnCritical?: boolean;
+    /** Minimum severity to report (default: 'low') */
+    minSeverity?: VulnSeverity;
+}
+export interface ScanResult {
+    scannedPackages: number;
+    vulnerable: AuditResult[];
+    supplyChain: Map<string, SupplyChainResult>;
+    overrideStatus: ReturnType<typeof formatOverrides>;
+    blockedPackages: string[];
+    durationMs: number;
+}
+/**
+ * Full dependency scan: CVE + supply chain + override validation.
+ * This is the core function called by both `nexus audit` and the Vite plugin.
+ */
+export declare function scanProject(opts: ScanOptions): Promise<ScanResult>;
+export declare class NexusSecurityError extends Error {
+    readonly blockedPackages: string[];
+    readonly vulnerable: AuditResult[];
+    constructor(message: string, blockedPackages: string[], vulnerable: AuditResult[]);
+}
+export { auditPackage } from './engine.js';
+export { checkSupplyChain } from './supply-chain.js';
+export { validateOverride, findOverride } from './override.js';
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanner.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,EAAqB,gBAAgB,EAAE,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AACvG,OAAO,EAAqB,KAAK,iBAAiB,EAAE,MAAuC,mBAAmB,CAAC;AAC/G,OAAO,EAAkC,eAAe,EAAE,KAAK,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAE5G,YAAY,EAAE,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,CAAC;AACpF,OAAO,EAAE,gBAAgB,EAAE,CAAC;AAI5B,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAkB,MAAM,CAAC;IAC7B,2DAA2D;IAC3D,UAAU,CAAC,EAAW,OAAO,CAAC;IAC9B,yCAAyC;IACzC,WAAW,CAAC,EAAU,OAAO,CAAC;IAC9B,wEAAwE;IACxE,eAAe,CAAC,EAAM,qBAAqB,CAAC;IAC5C;;;OAGG;IACH,cAAc,CAAC,EAAO,OAAO,CAAC;IAC9B,kDAAkD;IAClD,WAAW,CAAC,EAAU,YAAY,CAAC;CACpC;AAED,MAAM,WAAW,UAAU;IACzB,eAAe,EAAK,MAAM,CAAC;IAC3B,UAAU,EAAU,WAAW,EAAE,CAAC;IAClC,WAAW,EAAS,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IACnD,cAAc,EAAM,UAAU,CAAC,OAAO,eAAe,CAAC,CAAC;IACvD,eAAe,EAAK,MAAM,EAAE,CAAC;IAC7B,UAAU,EAAU,MAAM,CAAC;CAC5B;AAID;;;GAGG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CA8FxE;AAID,qBAAa,kBAAmB,SAAQ,KAAK;aAGzB,eAAe,EAAE,MAAM,EAAE;aACzB,UAAU,EAAE,WAAW,EAAE;gBAFzC,OAAO,EAAE,MAAM,EACC,eAAe,EAAE,MAAM,EAAE,EACzB,UAAU,EAAE,WAAW,EAAE;CAK5C;AAID,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC"}

package/dist/scanner.js ADDED Viewed

@@ -0,0 +1,115 @@
+/**
+ * Nexus Package Scanner — reads package.json and coordinates audits.
+ *
+ * Combines:
+ *  - CVE scanning via OSV (engine.ts)
+ *  - Supply chain risk via npm registry (supply-chain.ts)
+ *  - Override policy validation (override.ts)
+ *
+ * Entry point for both the CLI and the Vite plugin.
+ */
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { auditDependencies, filterVulnerable } from './engine.js';
+import { auditSupplyChain } from './supply-chain.js';
+import { findOverride, formatOverrides } from './override.js';
+export { filterVulnerable };
+// ── Main scanner ──────────────────────────────────────────────────────────────
+/**
+ * Full dependency scan: CVE + supply chain + override validation.
+ * This is the core function called by both `nexus audit` and the Vite plugin.
+ */
+export async function scanProject(opts) {
+    const t0 = Date.now();
+    // Read package.json
+    const pkgPath = join(opts.root, 'package.json');
+    let pkgJson;
+    try {
+        pkgJson = JSON.parse(await readFile(pkgPath, 'utf-8'));
+    }
+    catch {
+        throw new Error(`[Nexus Audit] Cannot read package.json at ${pkgPath}`);
+    }
+    // Collect deps
+    const deps = {
+        ...pkgJson.dependencies,
+        ...(opts.includeDev ? pkgJson.devDependencies : {}),
+    };
+    const scannedPackages = Object.keys(deps).length;
+    // Parallel: CVE scan + supply chain scan
+    const [cveResults, scResults] = await Promise.all([
+        auditDependencies(deps),
+        opts.supplyChain !== false ? auditSupplyChain(deps) : Promise.resolve(new Map()),
+    ]);
+    const vulnerable = filterVulnerable(cveResults);
+    // Override policy validation
+    const overrides = opts.allowVulnerable ?? {};
+    const overrideStats = formatOverrides(overrides);
+    const blockedPackages = [];
+    const SORDER = { critical: 0, high: 1, medium: 2, low: 3, unknown: 4 };
+    const minSev = opts.minSeverity ?? 'low';
+    for (const result of vulnerable) {
+        for (const vuln of result.vulns) {
+            if (SORDER[vuln.severity] > SORDER[minSev])
+                continue;
+            if (vuln.severity !== 'critical' && vuln.severity !== 'high')
+                continue;
+            // Check if there's a valid override
+            const overrideResult = findOverride(result.package, vuln.id, overrides)
+                ?? findOverride(result.package, vuln.aliases[0] ?? '', overrides);
+            if (overrideResult?.valid) {
+                // Override is active — report but don't block
+                continue;
+            }
+            if (!overrideResult || overrideResult.expired) {
+                // No override or expired → block
+                if (!blockedPackages.includes(result.package)) {
+                    blockedPackages.push(result.package);
+                }
+            }
+        }
+    }
+    const scanResult = {
+        scannedPackages,
+        vulnerable,
+        supplyChain: scResults,
+        overrideStatus: overrideStats,
+        blockedPackages,
+        durationMs: Date.now() - t0,
+    };
+    // Throw for build-time blocking
+    if (opts.failOnCritical && blockedPackages.length > 0) {
+        const details = blockedPackages
+            .map((pkg) => {
+            const r = cveResults.get(pkg);
+            const topVuln = r?.vulns[0];
+            return topVuln
+                ? `  "${pkg}" — ${topVuln.id} (${topVuln.severity.toUpperCase()}): ${topVuln.summary}`
+                : `  "${pkg}"`;
+        })
+            .join('\n');
+        throw new NexusSecurityError(`[Nexus Security] 🛑 BUILD BLOCKED — ${blockedPackages.length} critical/high CVE${blockedPackages.length > 1 ? 's' : ''} detected:\n\n` +
+            `${details}\n\n` +
+            `Options:\n` +
+            `  1. Run \`nexus fix\` to automatically update to patched versions\n` +
+            `  2. Add a time-limited override in nexus.config.ts (security.allowVulnerable)\n` +
+            `  3. Run \`nexus audit\` for full details and suggested fixes`, blockedPackages, vulnerable);
+    }
+    return scanResult;
+}
+// ── Error class ───────────────────────────────────────────────────────────────
+export class NexusSecurityError extends Error {
+    blockedPackages;
+    vulnerable;
+    constructor(message, blockedPackages, vulnerable) {
+        super(message);
+        this.blockedPackages = blockedPackages;
+        this.vulnerable = vulnerable;
+        this.name = 'NexusSecurityError';
+    }
+}
+// ── Single-package audit (for Vite plugin import hook) ───────────────────────
+export { auditPackage } from './engine.js';
+export { checkSupplyChain } from './supply-chain.js';
+export { validateOverride, findOverride } from './override.js';
+//# sourceMappingURL=scanner.js.map

package/dist/scanner.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAU,WAAW,CAAC;AAErC,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAuC,MAAM,aAAa,CAAC;AACvG,OAAO,EAAE,gBAAgB,EAA2B,MAAuC,mBAAmB,CAAC;AAC/G,OAAO,EAAE,YAAY,EAAoB,eAAe,EAA8B,MAAM,eAAe,CAAC;AAG5G,OAAO,EAAE,gBAAgB,EAAE,CAAC;AA8B5B,iFAAiF;AAEjF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAiB;IACjD,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEtB,oBAAoB;IACpB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IAChD,IAAI,OAA4F,CAAC;IACjG,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAmB,CAAC;IAC3E,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,6CAA6C,OAAO,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,eAAe;IACf,MAAM,IAAI,GAA2B;QACnC,GAAG,OAAO,CAAC,YAAY;QACvB,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,CAAC;KACpD,CAAC;IAEF,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;IAEjD,yCAAyC;IACzC,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAChD,iBAAiB,CAAC,IAAI,CAAC;QACvB,IAAI,CAAC,WAAW,KAAK,KAAK,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,GAAG,EAA6B,CAAC;KAC5G,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAEhD,6BAA6B;IAC7B,MAAM,SAAS,GAAO,IAAI,CAAC,eAAe,IAAI,EAAE,CAAC;IACjD,MAAM,aAAa,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,eAAe,GAAa,EAAE,CAAC;IAErC,MAAM,MAAM,GAAiC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IACrG,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,KAAK,CAAC;IAEzC,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAChC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YAChC,IAAI,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC;gBAAE,SAAS;YAErD,IAAI,IAAI,CAAC,QAAQ,KAAK,UAAU,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM;gBAAE,SAAS;YAEvE,oCAAoC;YACpC,MAAM,cAAc,GAAG,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,SAAS,CAAC;mBAClE,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,SAAS,CAAC,CAAC;YAEpE,IAAI,cAAc,EAAE,KAAK,EAAE,CAAC;gBAC1B,8CAA8C;gBAC9C,SAAS;YACX,CAAC;YAED,IAAI,CAAC,cAAc,IAAI,cAAc,CAAC,OAAO,EAAE,CAAC;gBAC9C,iCAAiC;gBACjC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC9C,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBACvC,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAe;QAC7B,eAAe;QACf,UAAU;QACV,WAAW,EAAE,SAAS;QACtB,cAAc,EAAE,aAAa;QAC7B,eAAe;QACf,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE;KAC5B,CAAC;IAEF,gCAAgC;IAChC,IAAI,IAAI,CAAC,cAAc,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,OAAO,GAAG,eAAe;aAC5B,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACX,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC9B,MAAM,OAAO,GAAG,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC;YAC5B,OAAO,OAAO;gBACZ,CAAC,CAAC,MAAM,GAAG,OAAO,OAAO,CAAC,EAAE,KAAK,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,OAAO,CAAC,OAAO,EAAE;gBACtF,CAAC,CAAC,MAAM,GAAG,GAAG,CAAC;QACnB,CAAC,CAAC;aACD,IAAI,CAAC,IAAI,CAAC,CAAC;QAEd,MAAM,IAAI,kBAAkB,CAC1B,uCAAuC,eAAe,CAAC,MAAM,qBAAqB,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,gBAAgB;YACvI,GAAG,OAAO,MAAM;YAChB,YAAY;YACZ,sEAAsE;YACtE,kFAAkF;YAClF,+DAA+D,EAC/D,eAAe,EACf,UAAU,CACX,CAAC;IACJ,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,iFAAiF;AAEjF,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAGzB;IACA;IAHlB,YACE,OAAe,EACC,eAAyB,EACzB,UAAyB;QAEzC,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,oBAAe,GAAf,eAAe,CAAU;QACzB,eAAU,GAAV,UAAU,CAAe;QAGzC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED,gFAAgF;AAEhF,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC"}

package/dist/supply-chain.d.ts ADDED Viewed

@@ -0,0 +1,59 @@
+/**
+ * Nexus Supply Chain Guard.
+ *
+ * Uses the public npm registry API to detect signs of supply chain compromise:
+ *
+ *  1. SINGLE MAINTAINER — one compromised account = full package control
+ *  2. RECENT MAINTAINER CHANGE — new owner in last 90 days (account takeover pattern)
+ *  3. NEWLY PUBLISHED POPULAR NAME — typosquatting / dependency confusion
+ *  4. ABANDONED PACKAGE — no updates in 2+ years but still widely imported
+ *  5. RAPID VERSION BUMP — many versions published in a short time (malware injection)
+ *  6. OWNER TRANSFER — package ownership changed (acquisition or takeover)
+ *
+ * What we CANNOT check (npm considers it private):
+ *  - Whether individual maintainers have MFA/2FA enabled
+ *    (npm Team policy requires it for popular packages as of 2022, but status is not in the API)
+ *
+ * Risk score: 0 (safe) → 100 (critical risk)
+ * Threshold: ≥60 = warn, ≥80 = block in hardened mode
+ *
+ * npm registry API:
+ *   GET https://registry.npmjs.org/{package}       → full metadata
+ *   GET https://registry.npmjs.org/{package}/latest → latest version only
+ */
+export type SupplyChainRiskLevel = 'safe' | 'low' | 'medium' | 'high' | 'critical';
+export interface SupplyChainFlag {
+    code: string;
+    title: string;
+    description: string;
+    riskPoints: number;
+}
+export interface SupplyChainResult {
+    package: string;
+    riskScore: number;
+    riskLevel: SupplyChainRiskLevel;
+    flags: SupplyChainFlag[];
+    maintainers: string[];
+    latestVersion: string;
+    firstPublished: string;
+    lastPublished: string;
+    totalVersions: number;
+    cached: boolean;
+    stale: boolean;
+    checkedAt: number;
+}
+/**
+ * Analyzes a package for supply chain risk signals using the npm registry.
+ *
+ * Does NOT check individual MFA status (not in npm public API).
+ * DOES check: maintainer count, age, version velocity, abandonment.
+ */
+export declare function checkSupplyChain(pkg: string): Promise<SupplyChainResult>;
+/**
+ * Checks supply chain risk for all packages in a dependency map.
+ * Returns only packages with riskLevel >= 'medium'.
+ */
+export declare function auditSupplyChain(deps: Record<string, string>): Promise<Map<string, SupplyChainResult>>;
+/** Note about MFA status — shown in audit output for transparency */
+export declare const MFA_NOTE: string;
+//# sourceMappingURL=supply-chain.d.ts.map

package/dist/supply-chain.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"supply-chain.d.ts","sourceRoot":"","sources":["../src/supply-chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAYH,MAAM,MAAM,oBAAoB,GAAG,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAEnF,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAS,MAAM,CAAC;IACpB,KAAK,EAAQ,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAG,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAO,MAAM,CAAC;IACrB,SAAS,EAAK,MAAM,CAAC;IACrB,SAAS,EAAK,oBAAoB,CAAC;IACnC,KAAK,EAAS,eAAe,EAAE,CAAC;IAChC,WAAW,EAAG,MAAM,EAAE,CAAC;IACvB,aAAa,EAAC,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAG,MAAM,CAAC;IACvB,aAAa,EAAG,MAAM,CAAC;IACvB,MAAM,EAAQ,OAAO,CAAC;IACtB,KAAK,EAAS,OAAO,CAAC;IACtB,SAAS,EAAK,MAAM,CAAC;CACtB;AA8KD;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CA2C9E;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC3B,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC,CAqBzC;AAED,qEAAqE;AACrE,eAAO,MAAM,QAAQ,QAIgC,CAAC"}

package/dist/supply-chain.js ADDED Viewed

@@ -0,0 +1,257 @@
+/**
+ * Nexus Supply Chain Guard.
+ *
+ * Uses the public npm registry API to detect signs of supply chain compromise:
+ *
+ *  1. SINGLE MAINTAINER — one compromised account = full package control
+ *  2. RECENT MAINTAINER CHANGE — new owner in last 90 days (account takeover pattern)
+ *  3. NEWLY PUBLISHED POPULAR NAME — typosquatting / dependency confusion
+ *  4. ABANDONED PACKAGE — no updates in 2+ years but still widely imported
+ *  5. RAPID VERSION BUMP — many versions published in a short time (malware injection)
+ *  6. OWNER TRANSFER — package ownership changed (acquisition or takeover)
+ *
+ * What we CANNOT check (npm considers it private):
+ *  - Whether individual maintainers have MFA/2FA enabled
+ *    (npm Team policy requires it for popular packages as of 2022, but status is not in the API)
+ *
+ * Risk score: 0 (safe) → 100 (critical risk)
+ * Threshold: ≥60 = warn, ≥80 = block in hardened mode
+ *
+ * npm registry API:
+ *   GET https://registry.npmjs.org/{package}       → full metadata
+ *   GET https://registry.npmjs.org/{package}/latest → latest version only
+ */
+import { readFile, writeFile, mkdir } from 'node:fs/promises';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+const REGISTRY = 'https://registry.npmjs.org';
+const CACHE_DIR = join(homedir(), '.nexus', 'cache', 'npm-meta');
+const CACHE_TTL_MS = 6 * 60 * 60 * 1_000; // 6h (changes more frequently than CVEs)
+// ── Cache ─────────────────────────────────────────────────────────────────────
+async function ensureDir() {
+    try {
+        await mkdir(CACHE_DIR, { recursive: true });
+    }
+    catch { /* exists */ }
+}
+function cacheKey(pkg) {
+    return pkg.replace(/\//g, '__').replace(/@/g, '_at_');
+}
+async function readNpmCache(pkg) {
+    try {
+        const raw = await readFile(join(CACHE_DIR, `${cacheKey(pkg)}.json`), 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+async function writeNpmCache(pkg, result) {
+    await ensureDir();
+    try {
+        await writeFile(join(CACHE_DIR, `${cacheKey(pkg)}.json`), JSON.stringify({ result, expiresAt: Date.now() + CACHE_TTL_MS }, null, 2));
+    }
+    catch { /* non-fatal */ }
+}
+// ── Fetch ─────────────────────────────────────────────────────────────────────
+async function fetchNpmMeta(pkg) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 10_000);
+    try {
+        const res = await fetch(`${REGISTRY}/${encodeURIComponent(pkg)}`, {
+            headers: { accept: 'application/vnd.npm.install-v1+json, application/json' },
+            signal: controller.signal,
+        });
+        if (!res.ok)
+            return null;
+        return await res.json();
+    }
+    catch {
+        return null;
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+// ── Risk analysis ─────────────────────────────────────────────────────────────
+function daysBetween(a, b = new Date().toISOString()) {
+    return Math.floor((new Date(b).getTime() - new Date(a).getTime()) / (1000 * 60 * 60 * 24));
+}
+function analyzeRisk(meta) {
+    const flags = [];
+    let score = 0;
+    const maintainerCount = meta.maintainers?.length ?? 0;
+    const versions = Object.keys(meta.versions ?? {});
+    const timeEntries = Object.entries(meta.time ?? {})
+        .filter(([k]) => !['created', 'modified'].includes(k))
+        .sort(([, a], [, b]) => new Date(a).getTime() - new Date(b).getTime());
+    const firstPublished = meta.time['created'] ?? timeEntries[0]?.[1] ?? '';
+    const lastPublished = meta.time['modified'] ?? timeEntries[timeEntries.length - 1]?.[1] ?? '';
+    const daysOld = firstPublished ? daysBetween(firstPublished) : 0;
+    const daysSinceUpdate = lastPublished ? daysBetween(lastPublished) : 0;
+    // ① Single maintainer
+    if (maintainerCount === 1) {
+        const pts = 25;
+        score += pts;
+        flags.push({
+            code: 'SINGLE_MAINTAINER',
+            title: 'Single maintainer',
+            description: `This package has only 1 maintainer. A compromised account means full control over all releases.`,
+            riskPoints: pts,
+        });
+    }
+    else if (maintainerCount === 0) {
+        const pts = 35;
+        score += pts;
+        flags.push({
+            code: 'NO_MAINTAINER',
+            title: 'No maintainers listed',
+            description: 'No maintainers found in registry metadata — package may be abandoned or orphaned.',
+            riskPoints: pts,
+        });
+    }
+    // ② Recently created (< 30 days old) — typosquatting / dependency confusion window
+    if (daysOld < 30 && daysOld > 0) {
+        const pts = 30;
+        score += pts;
+        flags.push({
+            code: 'NEWLY_PUBLISHED',
+            title: `Published ${daysOld} day${daysOld === 1 ? '' : 's'} ago`,
+            description: 'Very new packages are high-risk for typosquatting and dependency confusion attacks. Verify the name carefully.',
+            riskPoints: pts,
+        });
+    }
+    // ③ Abandoned — last update > 2 years
+    if (daysSinceUpdate > 730 && versions.length > 0) {
+        const years = (daysSinceUpdate / 365).toFixed(1);
+        const pts = 20;
+        score += pts;
+        flags.push({
+            code: 'ABANDONED',
+            title: `Not updated in ${years} years`,
+            description: 'Abandoned packages accumulate unpatched CVEs and may not work with current Node.js versions.',
+            riskPoints: pts,
+        });
+    }
+    // ④ Rapid version publishing — many versions in a short window (injection pattern)
+    const recentVersions = timeEntries.filter(([, ts]) => daysBetween(ts) < 7);
+    if (recentVersions.length >= 5) {
+        const pts = 35;
+        score += pts;
+        flags.push({
+            code: 'RAPID_VERSIONS',
+            title: `${recentVersions.length} versions published in the last 7 days`,
+            description: 'Rapid version publishing is a known pattern for malware injection — attackers publish many versions to slip through automated scanners.',
+            riskPoints: pts,
+        });
+    }
+    // ⑤ Recent maintainer churn — if many versions published very recently from fresh pkg
+    const last30DayVersions = timeEntries.filter(([, ts]) => daysBetween(ts) < 30).length;
+    if (daysOld < 180 && last30DayVersions > 10) {
+        const pts = 20;
+        score += pts;
+        flags.push({
+            code: 'OWNERSHIP_CHURN',
+            title: 'High version churn on a new package',
+            description: `${last30DayVersions} versions in the last 30 days on a package less than 6 months old — possible account takeover or automated malware distribution.`,
+            riskPoints: pts,
+        });
+    }
+    // ⑥ Very few total versions for a package > 1 year old (abandoned, low quality)
+    if (versions.length <= 2 && daysOld > 365) {
+        const pts = 10;
+        score += pts;
+        flags.push({
+            code: 'LOW_ACTIVITY',
+            title: 'Very few versions for an old package',
+            description: 'Package has barely been maintained. May have unaddressed bugs or security issues.',
+            riskPoints: pts,
+        });
+    }
+    return { flags, score: Math.min(100, score) };
+}
+function scoreToLevel(score) {
+    if (score >= 80)
+        return 'critical';
+    if (score >= 60)
+        return 'high';
+    if (score >= 35)
+        return 'medium';
+    if (score >= 15)
+        return 'low';
+    return 'safe';
+}
+// ── Public API ────────────────────────────────────────────────────────────────
+/**
+ * Analyzes a package for supply chain risk signals using the npm registry.
+ *
+ * Does NOT check individual MFA status (not in npm public API).
+ * DOES check: maintainer count, age, version velocity, abandonment.
+ */
+export async function checkSupplyChain(pkg) {
+    const cached = await readNpmCache(pkg);
+    const now = Date.now();
+    if (cached && now < cached.expiresAt) {
+        return { ...cached.result, cached: true, stale: false };
+    }
+    const meta = await fetchNpmMeta(pkg);
+    if (!meta) {
+        if (cached)
+            return { ...cached.result, cached: true, stale: true };
+        return {
+            package: pkg, riskScore: 0, riskLevel: 'safe', flags: [],
+            maintainers: [], latestVersion: 'unknown',
+            firstPublished: '', lastPublished: '', totalVersions: 0,
+            cached: false, stale: false, checkedAt: now,
+        };
+    }
+    const { flags, score } = analyzeRisk(meta);
+    const versions = Object.keys(meta.versions ?? {});
+    const timeEntries = Object.entries(meta.time ?? {})
+        .filter(([k]) => !['created', 'modified'].includes(k))
+        .sort(([, a], [, b]) => new Date(a).getTime() - new Date(b).getTime());
+    const result = {
+        package: meta.name ?? pkg,
+        riskScore: score,
+        riskLevel: scoreToLevel(score),
+        flags,
+        maintainers: (meta.maintainers ?? []).map((m) => m.name),
+        latestVersion: meta['dist-tags']?.latest ?? versions[versions.length - 1] ?? 'unknown',
+        firstPublished: meta.time['created'] ?? timeEntries[0]?.[1] ?? '',
+        lastPublished: meta.time['modified'] ?? timeEntries[timeEntries.length - 1]?.[1] ?? '',
+        totalVersions: versions.length,
+        cached: false,
+        stale: false,
+        checkedAt: now,
+    };
+    await writeNpmCache(pkg, result);
+    return result;
+}
+/**
+ * Checks supply chain risk for all packages in a dependency map.
+ * Returns only packages with riskLevel >= 'medium'.
+ */
+export async function auditSupplyChain(deps) {
+    const results = new Map();
+    const packages = Object.keys(deps);
+    const BATCH = 8;
+    for (let i = 0; i < packages.length; i += BATCH) {
+        const batch = packages.slice(i, i + BATCH);
+        const settled = await Promise.allSettled(batch.map(async (pkg) => {
+            const result = await checkSupplyChain(pkg);
+            return [pkg, result];
+        }));
+        for (const s of settled) {
+            if (s.status === 'fulfilled' && s.value[1].riskLevel !== 'safe') {
+                results.set(s.value[0], s.value[1]);
+            }
+        }
+    }
+    return results;
+}
+/** Note about MFA status — shown in audit output for transparency */
+export const MFA_NOTE = 'npm requires MFA for maintainers of packages with >500 weekly downloads as of 2022, ' +
+    'but individual MFA status is not publicly exposed by the registry API. ' +
+    'Use `npm access list collaborators {package}` with appropriate permissions ' +
+    'to view maintainer details for your own packages.';
+//# sourceMappingURL=supply-chain.js.map

package/dist/supply-chain.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"supply-chain.js","sourceRoot":"","sources":["../src/supply-chain.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAC9D,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAElC,MAAM,QAAQ,GAAO,4BAA4B,CAAC;AAClD,MAAM,SAAS,GAAM,IAAI,CAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;AACpE,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC,yCAAyC;AAoCnF,iFAAiF;AAEjF,KAAK,UAAU,SAAS;IACtB,IAAI,CAAC;QAAC,MAAM,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW;IAC3B,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,GAAW;IACrC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC;QAC9E,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqD,CAAC;IAC7E,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,IAAI,CAAC;IAAC,CAAC;AAC1B,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,GAAW,EAAE,MAAyB;IACjE,MAAM,SAAS,EAAE,CAAC;IAClB,IAAI,CAAC;QACH,MAAM,SAAS,CACb,IAAI,CAAC,SAAS,EAAE,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EACxC,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAC1E,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;AAC7B,CAAC;AAED,iFAAiF;AAEjF,KAAK,UAAU,YAAY,CAAC,GAAW;IACrC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,OAAO,GAAM,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,MAAM,CAAC,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,EAAE;YAChE,OAAO,EAAE,EAAE,MAAM,EAAE,uDAAuD,EAAE;YAC5E,MAAM,EAAG,UAAU,CAAC,MAAM;SAC3B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACzB,OAAO,MAAM,GAAG,CAAC,IAAI,EAAa,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,OAAO,CAAC,CAAC;IACxB,CAAC;AACH,CAAC;AAED,iFAAiF;AAEjF,SAAS,WAAW,CAAC,CAAS,EAAE,IAAY,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;IAClE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;AAC7F,CAAC;AAED,SAAS,WAAW,CAAC,IAAa;IAChC,MAAM,KAAK,GAAsB,EAAE,CAAC;IACpC,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,EAAE,MAAM,IAAI,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAU,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;IACzD,MAAM,WAAW,GAAO,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;SACpD,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;SACrD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAEzE,MAAM,cAAc,GAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAK,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAC3E,MAAM,aAAa,GAAK,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAChG,MAAM,OAAO,GAAW,cAAc,CAAC,CAAC,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,eAAe,GAAG,aAAa,CAAE,CAAC,CAAC,WAAW,CAAC,aAAa,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC;IAEzE,sBAAsB;IACtB,IAAI,eAAe,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,KAAK,IAAI,GAAG,CAAC;QACb,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAS,mBAAmB;YAChC,KAAK,EAAQ,mBAAmB;YAChC,WAAW,EAAE,iGAAiG;YAC9G,UAAU,EAAG,GAAG;SACjB,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,eAAe,KAAK,CAAC,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,KAAK,IAAI,GAAG,CAAC;QACb,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAS,eAAe;YAC5B,KAAK,EAAQ,uBAAuB;YACpC,WAAW,EAAE,mFAAmF;YAChG,UAAU,EAAG,GAAG;SACjB,CAAC,CAAC;IACL,CAAC;IAED,mFAAmF;IACnF,IAAI,OAAO,GAAG,EAAE,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,KAAK,IAAI,GAAG,CAAC;QACb,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAS,iBAAiB;YAC9B,KAAK,EAAQ,aAAa,OAAO,OAAO,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,MAAM;YACtE,WAAW,EAAE,gHAAgH;YAC7H,UAAU,EAAG,GAAG;SACjB,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,IAAI,eAAe,GAAG,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjD,MAAM,KAAK,GAAG,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACjD,MAAM,GAAG,GAAK,EAAE,CAAC;QACjB,KAAK,IAAI,GAAG,CAAC;QACb,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAS,WAAW;YACxB,KAAK,EAAQ,kBAAkB,KAAK,QAAQ;YAC5C,WAAW,EAAE,8FAA8F;YAC3G,UAAU,EAAG,GAAG;SACjB,CAAC,CAAC;IACL,CAAC;IAED,mFAAmF;IACnF,MAAM,cAAc,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3E,IAAI,cAAc,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,KAAK,IAAI,GAAG,CAAC;QACb,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAS,gBAAgB;YAC7B,KAAK,EAAQ,GAAG,cAAc,CAAC,MAAM,wCAAwC;YAC7E,WAAW,EAAE,yIAAyI;YACtJ,UAAU,EAAG,GAAG;SACjB,CAAC,CAAC;IACL,CAAC;IAED,sFAAsF;IACtF,MAAM,iBAAiB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC;IACtF,IAAI,OAAO,GAAG,GAAG,IAAI,iBAAiB,GAAG,EAAE,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,KAAK,IAAI,GAAG,CAAC;QACb,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAS,iBAAiB;YAC9B,KAAK,EAAQ,qCAAqC;YAClD,WAAW,EAAE,GAAG,iBAAiB,kIAAkI;YACnK,UAAU,EAAG,GAAG;SACjB,CAAC,CAAC;IACL,CAAC;IAED,gFAAgF;IAChF,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC,IAAI,OAAO,GAAG,GAAG,EAAE,CAAC;QAC1C,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,KAAK,IAAI,GAAG,CAAC;QACb,KAAK,CAAC,IAAI,CAAC;YACT,IAAI,EAAS,cAAc;YAC3B,KAAK,EAAQ,sCAAsC;YACnD,WAAW,EAAE,mFAAmF;YAChG,UAAU,EAAG,GAAG;SACjB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,QAAQ,CAAC;IACjC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,iFAAiF;AAEjF;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,GAAW;IAChD,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,GAAG,GAAM,IAAI,CAAC,GAAG,EAAE,CAAC;IAE1B,IAAI,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC;IAC1D,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;IAErC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,IAAI,MAAM;YAAE,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;QACnE,OAAO;YACL,OAAO,EAAO,GAAG,EAAE,SAAS,EAAE,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE;YAC7D,WAAW,EAAE,EAAE,EAAE,aAAa,EAAE,SAAS;YACzC,cAAc,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,aAAa,EAAE,CAAC;YACvD,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG;SAC5C,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAW,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAQ,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;SACrD,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;SACrD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;IAEzE,MAAM,MAAM,GAAsB;QAChC,OAAO,EAAQ,IAAI,CAAC,IAAI,IAAI,GAAG;QAC/B,SAAS,EAAM,KAAK;QACpB,SAAS,EAAM,YAAY,CAAC,KAAK,CAAC;QAClC,KAAK;QACL,WAAW,EAAI,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;QAC1D,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,EAAE,MAAM,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,SAAS;QACtF,cAAc,EAAE,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE;QACjE,aAAa,EAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE;QACvF,aAAa,EAAG,QAAQ,CAAC,MAAM;QAC/B,MAAM,EAAG,KAAK;QACd,KAAK,EAAI,KAAK;QACd,SAAS,EAAE,GAAG;KACf,CAAC;IAEF,MAAM,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACjC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAA4B;IAE5B,MAAM,OAAO,GAAI,IAAI,GAAG,EAA6B,CAAC;IACtD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,KAAK,GAAM,CAAC,CAAC;IAEnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC;QAChD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACtB,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,EAAE,MAAM,CAAgC,CAAC;QACtD,CAAC,CAAC,CACH,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,KAAK,MAAM,EAAE,CAAC;gBAChE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,qEAAqE;AACrE,MAAM,CAAC,MAAM,QAAQ,GACnB,sFAAsF;IACtF,yEAAyE;IACzE,6EAA6E;IAC7E,mDAAmD,CAAC"}

package/package.json CHANGED Viewed

@@ -1,11 +1,15 @@
 {
   "name": "@nexus_js/audit",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "description": "Nexus Dependency Auditor — OSV CVE scanning, offline cache, supply chain risk analysis, and build-time blocking",
   "type": "module",
-  "main": "./src/index.ts",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "exports": {
-    ".": "./src/index.ts"
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
   },
   "keywords": [
     "nexus",
@@ -32,12 +36,21 @@
   "bugs": {
     "url": "https://github.com/bierfor/nexus/issues"
   },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "typescript": "^5.5.0"
+  },
   "files": [
-    "src",
+    "dist",
     "README.md"
   ],
   "publishConfig": {
     "access": "public",
     "registry": "https://registry.npmjs.org/"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "dev": "tsc -p tsconfig.json --watch",
+    "clean": "rm -rf dist"
   }
 }