npm - @ngxtm/devkit - Versions diffs - 3.0.2 → 3.1.0 - Mend

@ngxtm/devkit 3.0.2 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (827) hide show

package/skills/codebase-cleanup-deps-audit/resources/implementation-playbook.md ADDED Viewed

@@ -0,0 +1,766 @@
+# Dependency Audit and Security Analysis Implementation Playbook
+This file contains detailed patterns, checklists, and code samples referenced by the skill.
+## Instructions
+### 1. Dependency Discovery
+Scan and inventory all project dependencies:
+**Multi-Language Detection**
+```python
+import os
+import json
+import toml
+import yaml
+from pathlib import Path
+class DependencyDiscovery:
+    def __init__(self, project_path):
+        self.project_path = Path(project_path)
+        self.dependency_files = {
+            'npm': ['package.json', 'package-lock.json', 'yarn.lock'],
+            'python': ['requirements.txt', 'Pipfile', 'Pipfile.lock', 'pyproject.toml', 'poetry.lock'],
+            'ruby': ['Gemfile', 'Gemfile.lock'],
+            'java': ['pom.xml', 'build.gradle', 'build.gradle.kts'],
+            'go': ['go.mod', 'go.sum'],
+            'rust': ['Cargo.toml', 'Cargo.lock'],
+            'php': ['composer.json', 'composer.lock'],
+            'dotnet': ['*.csproj', 'packages.config', 'project.json']
+        }
+    def discover_all_dependencies(self):
+        """
+        Discover all dependencies across different package managers
+        """
+        dependencies = {}
+        # NPM/Yarn dependencies
+        if (self.project_path / 'package.json').exists():
+            dependencies['npm'] = self._parse_npm_dependencies()
+        # Python dependencies
+        if (self.project_path / 'requirements.txt').exists():
+            dependencies['python'] = self._parse_requirements_txt()
+        elif (self.project_path / 'Pipfile').exists():
+            dependencies['python'] = self._parse_pipfile()
+        elif (self.project_path / 'pyproject.toml').exists():
+            dependencies['python'] = self._parse_pyproject_toml()
+        # Go dependencies
+        if (self.project_path / 'go.mod').exists():
+            dependencies['go'] = self._parse_go_mod()
+        return dependencies
+    def _parse_npm_dependencies(self):
+        """
+        Parse NPM package.json and lock files
+        """
+        with open(self.project_path / 'package.json', 'r') as f:
+            package_json = json.load(f)
+        deps = {}
+        # Direct dependencies
+        for dep_type in ['dependencies', 'devDependencies', 'peerDependencies']:
+            if dep_type in package_json:
+                for name, version in package_json[dep_type].items():
+                    deps[name] = {
+                        'version': version,
+                        'type': dep_type,
+                        'direct': True
+                    }
+        # Parse lock file for exact versions
+        if (self.project_path / 'package-lock.json').exists():
+            with open(self.project_path / 'package-lock.json', 'r') as f:
+                lock_data = json.load(f)
+                self._parse_npm_lock(lock_data, deps)
+        return deps
+```
+**Dependency Tree Analysis**
+```python
+def build_dependency_tree(dependencies):
+    """
+    Build complete dependency tree including transitive dependencies
+    """
+    tree = {
+        'root': {
+            'name': 'project',
+            'version': '1.0.0',
+            'dependencies': {}
+        }
+    }
+    def add_dependencies(node, deps, visited=None):
+        if visited is None:
+            visited = set()
+        for dep_name, dep_info in deps.items():
+            if dep_name in visited:
+                # Circular dependency detected
+                node['dependencies'][dep_name] = {
+                    'circular': True,
+                    'version': dep_info['version']
+                }
+                continue
+            visited.add(dep_name)
+            node['dependencies'][dep_name] = {
+                'version': dep_info['version'],
+                'type': dep_info.get('type', 'runtime'),
+                'dependencies': {}
+            }
+            # Recursively add transitive dependencies
+            if 'dependencies' in dep_info:
+                add_dependencies(
+                    node['dependencies'][dep_name],
+                    dep_info['dependencies'],
+                    visited.copy()
+                )
+    add_dependencies(tree['root'], dependencies)
+    return tree
+```
+### 2. Vulnerability Scanning
+Check dependencies against vulnerability databases:
+**CVE Database Check**
+```python
+import requests
+from datetime import datetime
+class VulnerabilityScanner:
+    def __init__(self):
+        self.vulnerability_apis = {
+            'npm': 'https://registry.npmjs.org/-/npm/v1/security/advisories/bulk',
+            'pypi': 'https://pypi.org/pypi/{package}/json',
+            'rubygems': 'https://rubygems.org/api/v1/gems/{package}.json',
+            'maven': 'https://ossindex.sonatype.org/api/v3/component-report'
+        }
+    def scan_vulnerabilities(self, dependencies):
+        """
+        Scan dependencies for known vulnerabilities
+        """
+        vulnerabilities = []
+        for package_name, package_info in dependencies.items():
+            vulns = self._check_package_vulnerabilities(
+                package_name,
+                package_info['version'],
+                package_info.get('ecosystem', 'npm')
+            )
+            if vulns:
+                vulnerabilities.extend(vulns)
+        return self._analyze_vulnerabilities(vulnerabilities)
+    def _check_package_vulnerabilities(self, name, version, ecosystem):
+        """
+        Check specific package for vulnerabilities
+        """
+        if ecosystem == 'npm':
+            return self._check_npm_vulnerabilities(name, version)
+        elif ecosystem == 'pypi':
+            return self._check_python_vulnerabilities(name, version)
+        elif ecosystem == 'maven':
+            return self._check_java_vulnerabilities(name, version)
+    def _check_npm_vulnerabilities(self, name, version):
+        """
+        Check NPM package vulnerabilities
+        """
+        # Using npm audit API
+        response = requests.post(
+            'https://registry.npmjs.org/-/npm/v1/security/advisories/bulk',
+            json={name: [version]}
+        )
+        vulnerabilities = []
+        if response.status_code == 200:
+            data = response.json()
+            if name in data:
+                for advisory in data[name]:
+                    vulnerabilities.append({
+                        'package': name,
+                        'version': version,
+                        'severity': advisory['severity'],
+                        'title': advisory['title'],
+                        'cve': advisory.get('cves', []),
+                        'description': advisory['overview'],
+                        'recommendation': advisory['recommendation'],
+                        'patched_versions': advisory['patched_versions'],
+                        'published': advisory['created']
+                    })
+        return vulnerabilities
+```
+**Severity Analysis**
+```python
+def analyze_vulnerability_severity(vulnerabilities):
+    """
+    Analyze and prioritize vulnerabilities by severity
+    """
+    severity_scores = {
+        'critical': 9.0,
+        'high': 7.0,
+        'moderate': 4.0,
+        'low': 1.0
+    }
+    analysis = {
+        'total': len(vulnerabilities),
+        'by_severity': {
+            'critical': [],
+            'high': [],
+            'moderate': [],
+            'low': []
+        },
+        'risk_score': 0,
+        'immediate_action_required': []
+    }
+    for vuln in vulnerabilities:
+        severity = vuln['severity'].lower()
+        analysis['by_severity'][severity].append(vuln)
+        # Calculate risk score
+        base_score = severity_scores.get(severity, 0)
+        # Adjust score based on factors
+        if vuln.get('exploit_available', False):
+            base_score *= 1.5
+        if vuln.get('publicly_disclosed', True):
+            base_score *= 1.2
+        if 'remote_code_execution' in vuln.get('description', '').lower():
+            base_score *= 2.0
+        vuln['risk_score'] = base_score
+        analysis['risk_score'] += base_score
+        # Flag immediate action items
+        if severity in ['critical', 'high'] or base_score > 8.0:
+            analysis['immediate_action_required'].append({
+                'package': vuln['package'],
+                'severity': severity,
+                'action': f"Update to {vuln['patched_versions']}"
+            })
+    # Sort by risk score
+    for severity in analysis['by_severity']:
+        analysis['by_severity'][severity].sort(
+            key=lambda x: x.get('risk_score', 0),
+            reverse=True
+        )
+    return analysis
+```
+### 3. License Compliance
+Analyze dependency licenses for compatibility:
+**License Detection**
+```python
+class LicenseAnalyzer:
+    def __init__(self):
+        self.license_compatibility = {
+            'MIT': ['MIT', 'BSD', 'Apache-2.0', 'ISC'],
+            'Apache-2.0': ['Apache-2.0', 'MIT', 'BSD'],
+            'GPL-3.0': ['GPL-3.0', 'GPL-2.0'],
+            'BSD-3-Clause': ['BSD-3-Clause', 'MIT', 'Apache-2.0'],
+            'proprietary': []
+        }
+        self.license_restrictions = {
+            'GPL-3.0': 'Copyleft - requires source code disclosure',
+            'AGPL-3.0': 'Strong copyleft - network use requires source disclosure',
+            'proprietary': 'Cannot be used without explicit license',
+            'unknown': 'License unclear - legal review required'
+        }
+    def analyze_licenses(self, dependencies, project_license='MIT'):
+        """
+        Analyze license compatibility
+        """
+        issues = []
+        license_summary = {}
+        for package_name, package_info in dependencies.items():
+            license_type = package_info.get('license', 'unknown')
+            # Track license usage
+            if license_type not in license_summary:
+                license_summary[license_type] = []
+            license_summary[license_type].append(package_name)
+            # Check compatibility
+            if not self._is_compatible(project_license, license_type):
+                issues.append({
+                    'package': package_name,
+                    'license': license_type,
+                    'issue': f'Incompatible with project license {project_license}',
+                    'severity': 'high',
+                    'recommendation': self._get_license_recommendation(
+                        license_type,
+                        project_license
+                    )
+                })
+            # Check for restrictive licenses
+            if license_type in self.license_restrictions:
+                issues.append({
+                    'package': package_name,
+                    'license': license_type,
+                    'issue': self.license_restrictions[license_type],
+                    'severity': 'medium',
+                    'recommendation': 'Review usage and ensure compliance'
+                })
+        return {
+            'summary': license_summary,
+            'issues': issues,
+            'compliance_status': 'FAIL' if issues else 'PASS'
+        }
+```
+**License Report**
+```markdown
+## License Compliance Report
+### Summary
+- **Project License**: MIT
+- **Total Dependencies**: 245
+- **License Issues**: 3
+- **Compliance Status**: ⚠️ REVIEW REQUIRED
+### License Distribution
+| License | Count | Packages |
+|---------|-------|----------|
+| MIT | 180 | express, lodash, ... |
+| Apache-2.0 | 45 | aws-sdk, ... |
+| BSD-3-Clause | 15 | ... |
+| GPL-3.0 | 3 | [ISSUE] package1, package2, package3 |
+| Unknown | 2 | [ISSUE] mystery-lib, old-package |
+### Compliance Issues
+#### High Severity
+1. **GPL-3.0 Dependencies**
+   - Packages: package1, package2, package3
+   - Issue: GPL-3.0 is incompatible with MIT license
+   - Risk: May require open-sourcing your entire project
+   - Recommendation:
+     - Replace with MIT/Apache licensed alternatives
+     - Or change project license to GPL-3.0
+#### Medium Severity
+2. **Unknown Licenses**
+   - Packages: mystery-lib, old-package
+   - Issue: Cannot determine license compatibility
+   - Risk: Potential legal exposure
+   - Recommendation:
+     - Contact package maintainers
+     - Review source code for license information
+     - Consider replacing with known alternatives
+```
+### 4. Outdated Dependencies
+Identify and prioritize dependency updates:
+**Version Analysis**
+```python
+def analyze_outdated_dependencies(dependencies):
+    """
+    Check for outdated dependencies
+    """
+    outdated = []
+    for package_name, package_info in dependencies.items():
+        current_version = package_info['version']
+        latest_version = fetch_latest_version(package_name, package_info['ecosystem'])
+        if is_outdated(current_version, latest_version):
+            # Calculate how outdated
+            version_diff = calculate_version_difference(current_version, latest_version)
+            outdated.append({
+                'package': package_name,
+                'current': current_version,
+                'latest': latest_version,
+                'type': version_diff['type'],  # major, minor, patch
+                'releases_behind': version_diff['count'],
+                'age_days': get_version_age(package_name, current_version),
+                'breaking_changes': version_diff['type'] == 'major',
+                'update_effort': estimate_update_effort(version_diff),
+                'changelog': fetch_changelog(package_name, current_version, latest_version)
+            })
+    return prioritize_updates(outdated)
+def prioritize_updates(outdated_deps):
+    """
+    Prioritize updates based on multiple factors
+    """
+    for dep in outdated_deps:
+        score = 0
+        # Security updates get highest priority
+        if dep.get('has_security_fix', False):
+            score += 100
+        # Major version updates
+        if dep['type'] == 'major':
+            score += 20
+        elif dep['type'] == 'minor':
+            score += 10
+        else:
+            score += 5
+        # Age factor
+        if dep['age_days'] > 365:
+            score += 30
+        elif dep['age_days'] > 180:
+            score += 20
+        elif dep['age_days'] > 90:
+            score += 10
+        # Number of releases behind
+        score += min(dep['releases_behind'] * 2, 20)
+        dep['priority_score'] = score
+        dep['priority'] = 'critical' if score > 80 else 'high' if score > 50 else 'medium'
+    return sorted(outdated_deps, key=lambda x: x['priority_score'], reverse=True)
+```
+### 5. Dependency Size Analysis
+Analyze bundle size impact:
+**Bundle Size Impact**
+```javascript
+// Analyze NPM package sizes
+const analyzeBundleSize = async (dependencies) => {
+    const sizeAnalysis = {
+        totalSize: 0,
+        totalGzipped: 0,
+        packages: [],
+        recommendations: []
+    };
+    for (const [packageName, info] of Object.entries(dependencies)) {
+        try {
+            // Fetch package stats
+            const response = await fetch(
+                `https://bundlephobia.com/api/size?package=${packageName}@${info.version}`
+            );
+            const data = await response.json();
+            const packageSize = {
+                name: packageName,
+                version: info.version,
+                size: data.size,
+                gzip: data.gzip,
+                dependencyCount: data.dependencyCount,
+                hasJSNext: data.hasJSNext,
+                hasSideEffects: data.hasSideEffects
+            };
+            sizeAnalysis.packages.push(packageSize);
+            sizeAnalysis.totalSize += data.size;
+            sizeAnalysis.totalGzipped += data.gzip;
+            // Size recommendations
+            if (data.size > 1000000) { // 1MB
+                sizeAnalysis.recommendations.push({
+                    package: packageName,
+                    issue: 'Large bundle size',
+                    size: `${(data.size / 1024 / 1024).toFixed(2)} MB`,
+                    suggestion: 'Consider lighter alternatives or lazy loading'
+                });
+            }
+        } catch (error) {
+            console.error(`Failed to analyze ${packageName}:`, error);
+        }
+    }
+    // Sort by size
+    sizeAnalysis.packages.sort((a, b) => b.size - a.size);
+    // Add top offenders
+    sizeAnalysis.topOffenders = sizeAnalysis.packages.slice(0, 10);
+    return sizeAnalysis;
+};
+```
+### 6. Supply Chain Security
+Check for dependency hijacking and typosquatting:
+**Supply Chain Checks**
+```python
+def check_supply_chain_security(dependencies):
+    """
+    Perform supply chain security checks
+    """
+    security_issues = []
+    for package_name, package_info in dependencies.items():
+        # Check for typosquatting
+        typo_check = check_typosquatting(package_name)
+        if typo_check['suspicious']:
+            security_issues.append({
+                'type': 'typosquatting',
+                'package': package_name,
+                'severity': 'high',
+                'similar_to': typo_check['similar_packages'],
+                'recommendation': 'Verify package name spelling'
+            })
+        # Check maintainer changes
+        maintainer_check = check_maintainer_changes(package_name)
+        if maintainer_check['recent_changes']:
+            security_issues.append({
+                'type': 'maintainer_change',
+                'package': package_name,
+                'severity': 'medium',
+                'details': maintainer_check['changes'],
+                'recommendation': 'Review recent package changes'
+            })
+        # Check for suspicious patterns
+        if contains_suspicious_patterns(package_info):
+            security_issues.append({
+                'type': 'suspicious_behavior',
+                'package': package_name,
+                'severity': 'high',
+                'patterns': package_info['suspicious_patterns'],
+                'recommendation': 'Audit package source code'
+            })
+    return security_issues
+def check_typosquatting(package_name):
+    """
+    Check if package name might be typosquatting
+    """
+    common_packages = [
+        'react', 'express', 'lodash', 'axios', 'webpack',
+        'babel', 'jest', 'typescript', 'eslint', 'prettier'
+    ]
+    for legit_package in common_packages:
+        distance = levenshtein_distance(package_name.lower(), legit_package)
+        if 0 < distance <= 2:  # Close but not exact match
+            return {
+                'suspicious': True,
+                'similar_packages': [legit_package],
+                'distance': distance
+            }
+    return {'suspicious': False}
+```
+### 7. Automated Remediation
+Generate automated fixes:
+**Update Scripts**
+```bash
+#!/bin/bash
+# Auto-update dependencies with security fixes
+echo "🔒 Security Update Script"
+echo "========================"
+# NPM/Yarn updates
+if [ -f "package.json" ]; then
+    echo "📦 Updating NPM dependencies..."
+    # Audit and auto-fix
+    npm audit fix --force
+    # Update specific vulnerable packages
+    npm update package1@^2.0.0 package2@~3.1.0
+    # Run tests
+    npm test
+    if [ $? -eq 0 ]; then
+        echo "✅ NPM updates successful"
+    else
+        echo "❌ Tests failed, reverting..."
+        git checkout package-lock.json
+    fi
+fi
+# Python updates
+if [ -f "requirements.txt" ]; then
+    echo "🐍 Updating Python dependencies..."
+    # Create backup
+    cp requirements.txt requirements.txt.backup
+    # Update vulnerable packages
+    pip-compile --upgrade-package package1 --upgrade-package package2
+    # Test installation
+    pip install -r requirements.txt --dry-run
+    if [ $? -eq 0 ]; then
+        echo "✅ Python updates successful"
+    else
+        echo "❌ Update failed, reverting..."
+        mv requirements.txt.backup requirements.txt
+    fi
+fi
+```
+**Pull Request Generation**
+```python
+def generate_dependency_update_pr(updates):
+    """
+    Generate PR with dependency updates
+    """
+    pr_body = f"""
+## 🔒 Dependency Security Update
+This PR updates {len(updates)} dependencies to address security vulnerabilities and outdated packages.
+### Security Fixes ({sum(1 for u in updates if u['has_security'])})
+| Package | Current | Updated | Severity | CVE |
+|---------|---------|---------|----------|-----|
+"""
+    for update in updates:
+        if update['has_security']:
+            pr_body += f"| {update['package']} | {update['current']} | {update['target']} | {update['severity']} | {', '.join(update['cves'])} |\n"
+    pr_body += """
+### Other Updates
+| Package | Current | Updated | Type | Age |
+|---------|---------|---------|------|-----|
+"""
+    for update in updates:
+        if not update['has_security']:
+            pr_body += f"| {update['package']} | {update['current']} | {update['target']} | {update['type']} | {update['age_days']} days |\n"
+    pr_body += """
+### Testing
+- [ ] All tests pass
+- [ ] No breaking changes identified
+- [ ] Bundle size impact reviewed
+### Review Checklist
+- [ ] Security vulnerabilities addressed
+- [ ] License compliance maintained
+- [ ] No unexpected dependencies added
+- [ ] Performance impact assessed
+cc @security-team
+"""
+    return {
+        'title': f'chore(deps): Security update for {len(updates)} dependencies',
+        'body': pr_body,
+        'branch': f'deps/security-update-{datetime.now().strftime("%Y%m%d")}',
+        'labels': ['dependencies', 'security']
+    }
+```
+### 8. Monitoring and Alerts
+Set up continuous dependency monitoring:
+**GitHub Actions Workflow**
+```yaml
+name: Dependency Audit
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Daily
+  push:
+    paths:
+      - 'package*.json'
+      - 'requirements.txt'
+      - 'Gemfile*'
+      - 'go.mod'
+  workflow_dispatch:
+jobs:
+  security-audit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Run NPM Audit
+      if: hashFiles('package.json')
+      run: |
+        npm audit --json > npm-audit.json
+        if [ $(jq '.vulnerabilities.total' npm-audit.json) -gt 0 ]; then
+          echo "::error::Found $(jq '.vulnerabilities.total' npm-audit.json) vulnerabilities"
+          exit 1
+        fi
+    - name: Run Python Safety Check
+      if: hashFiles('requirements.txt')
+      run: |
+        pip install safety
+        safety check --json > safety-report.json
+    - name: Check Licenses
+      run: |
+        npx license-checker --json > licenses.json
+        python scripts/check_license_compliance.py
+    - name: Create Issue for Critical Vulnerabilities
+      if: failure()
+      uses: actions/github-script@v6
+      with:
+        script: |
+          const audit = require('./npm-audit.json');
+          const critical = audit.vulnerabilities.critical;
+          if (critical > 0) {
+            github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: `🚨 ${critical} critical vulnerabilities found`,
+              body: 'Dependency audit found critical vulnerabilities. See workflow run for details.',
+              labels: ['security', 'dependencies', 'critical']
+            });
+          }
+```
+## Output Format
+1. **Executive Summary**: High-level risk assessment and action items
+2. **Vulnerability Report**: Detailed CVE analysis with severity ratings
+3. **License Compliance**: Compatibility matrix and legal risks
+4. **Update Recommendations**: Prioritized list with effort estimates
+5. **Supply Chain Analysis**: Typosquatting and hijacking risks
+6. **Remediation Scripts**: Automated update commands and PR generation
+7. **Size Impact Report**: Bundle size analysis and optimization tips
+8. **Monitoring Setup**: CI/CD integration for continuous scanning
+Focus on actionable insights that help maintain secure, compliant, and efficient dependency management.