@shopify/shop-minis-cli 0.3.11 → 0.3.12

package/scripts/audit-dependencies.ts

@@ -6,10 +6,12 @@
  *   npx tsx audit-dependencies.ts                          # Audit new dependencies from git diff
  */
 
-import {exec} from 'child_process'
+import {execFile} from 'child_process'
 import {promisify} from 'util'
 
-const execAsync = promisify(exec)
+import semver from 'semver'
+
+const execFileAsync = promisify(execFile)
 
 interface PackageInfo {
   package: string
@@ -19,45 +21,182 @@ interface PackageInfo {
   publishDate: string
 }
 
+type ChangeKind = 'added' | 'bumped'
+
+// OSV's `database_specific.severity` uses GHSA labels (LOW/MODERATE/HIGH/
+// CRITICAL). Some older OSV records (e.g. PYSEC) omit the field; those are
+// tracked as UNKNOWN.
+type Severity = 'CRITICAL' | 'HIGH' | 'MODERATE' | 'LOW' | 'UNKNOWN'
+
+const SEVERITY_ORDER: Severity[] = [
+  'CRITICAL',
+  'HIGH',
+  'MODERATE',
+  'LOW',
+  'UNKNOWN',
+]
+
+interface VulnerabilityRecord {
+  id: string
+  summary: string
+  severity: Severity
+}
+
 interface DependencyInfo {
   name: string
   version: string
+  kind: ChangeKind
+  previousVersion?: string
+}
+
+// Use Node's built-in fetch instead of shelling out to curl: keeps all input
+// (package names, URLs, POST bodies) out of `/bin/sh -c`, so a malicious diff
+// entry can't inject shell commands. 30s timeout per request via AbortSignal.
+const FETCH_TIMEOUT_MS = 30_000
+
+async function fetchJson(url: string, postBody?: unknown): Promise<any> {
+  let response: Response
+  try {
+    response = await fetch(url, {
+      method: postBody ? 'POST' : 'GET',
+      headers: postBody ? {'Content-Type': 'application/json'} : undefined,
+      body: postBody ? JSON.stringify(postBody) : undefined,
+      signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
+    })
+  } catch (error: any) {
+    throw new Error(`Network error fetching ${url}: ${error?.message || error}`)
+  }
+
+  if (!response.ok) {
+    const body = await response.text().catch(() => '')
+    throw new Error(
+      `Non-2xx response from ${url}: HTTP ${response.status}${
+        body ? ` — ${body.slice(0, 200)}` : ''
+      }`
+    )
+  }
+
+  const text = await response.text()
+  try {
+    return JSON.parse(text)
+  } catch (error: any) {
+    throw new Error(
+      `Invalid JSON from ${url}: ${error?.message || error} (body: ${text.slice(0, 200)})`
+    )
+  }
+}
+
+function normalizeSeverity(raw: unknown): Severity {
+  if (typeof raw !== 'string') return 'UNKNOWN'
+  const upper = raw.toUpperCase()
+  if (
+    upper === 'CRITICAL' ||
+    upper === 'HIGH' ||
+    upper === 'MODERATE' ||
+    upper === 'LOW'
+  ) {
+    return upper
+  }
+  return 'UNKNOWN'
+}
+
+// Convert an OSV `affected.ranges[]` entry to a semver range string. OSV uses
+// an event-stream representation: each "introduced" opens an interval, each
+// "fixed" or "last_affected" closes it. Returns null for unsupported types
+// (e.g. GIT ranges) or empty event lists.
+function osvRangeToSemver(range: any): string | null {
+  if (range?.type === 'GIT') return null
+  const events: any[] = Array.isArray(range?.events) ? range.events : []
+  const parts: string[] = []
+  let lower: string | null = null
+  for (const event of events) {
+    if (event.introduced !== undefined) {
+      lower = event.introduced === '0' ? null : event.introduced
+    } else if (event.fixed !== undefined) {
+      parts.push(`${lower ? `>=${lower} ` : ''}<${event.fixed}`)
+      lower = null
+    } else if (event.last_affected !== undefined) {
+      parts.push(`${lower ? `>=${lower} ` : ''}<=${event.last_affected}`)
+      lower = null
+    }
+  }
+  if (lower !== null) parts.push(`>=${lower}`)
+  if (
+    lower === null &&
+    parts.length === 0 &&
+    events.some(event => event.introduced)
+  ) {
+    // "introduced: 0" with no closer → all versions affected.
+    return '>=0.0.0-0'
+  }
+  return parts.length > 0 ? parts.join(' || ') : null
+}
+
+// True if `vuln` reports the given package as affected at `spec` (either an
+// exact version or a semver range). Used to drop OSV results that match the
+// package by name but only affect other versions.
+function osvAffectsSpec(vuln: any, packageName: string, spec: string): boolean {
+  const affectedEntries = Array.isArray(vuln?.affected) ? vuln.affected : []
+  const exact = semver.valid(spec)
+  for (const affected of affectedEntries) {
+    if (affected?.package?.name !== packageName) continue
+    const ecosystem = affected?.package?.ecosystem
+    if (ecosystem && ecosystem !== 'npm') continue
+
+    if (Array.isArray(affected.versions) && affected.versions.length > 0) {
+      if (exact) {
+        if (affected.versions.includes(exact)) return true
+      } else {
+        for (const version of affected.versions) {
+          if (semver.satisfies(version, spec)) return true
+        }
+      }
+    }
+
+    for (const range of affected.ranges || []) {
+      const vulnRange = osvRangeToSemver(range)
+      if (!vulnRange) continue
+      try {
+        if (exact) {
+          if (semver.satisfies(exact, vulnRange)) return true
+        } else if (semver.intersects(spec, vulnRange)) {
+          return true
+        }
+      } catch {
+        // bad range — fall through
+      }
+    }
+  }
+  return false
 }
 
 class PackageAuditor {
   private packageName: string
   private version: string
+  private kind: ChangeKind
+  private previousVersion?: string
   private riskScore = 0
   private riskFactors: string[] = []
-  private vulnerabilities: string[] = []
-
-  constructor(packageName: string, version = 'latest') {
+  private vulnerabilities: VulnerabilityRecord[] = []
+
+  constructor(
+    packageName: string,
+    version = 'latest',
+    kind: ChangeKind = 'added',
+    previousVersion?: string
+  ) {
     this.packageName = packageName
     this.version = version
+    this.kind = kind
+    this.previousVersion = previousVersion
   }
 
   private async fetchJson(url: string): Promise<any> {
-    try {
-      const {stdout} = await execAsync(`curl -s "${url}"`, {
-        maxBuffer: 1024 * 1024 * 10, // 10MB buffer for large NPM responses
-      })
-      return JSON.parse(stdout)
-    } catch (error) {
-      throw new Error(`Failed to fetch ${url}: ${error}`)
-    }
+    return fetchJson(url)
   }
 
   private async fetchPostJson(url: string, body: any): Promise<any> {
-    try {
-      const jsonBody = JSON.stringify(body)
-      const {stdout} = await execAsync(
-        `curl -s -X POST -H "Content-Type: application/json" -d '${jsonBody}' "${url}"`,
-        {maxBuffer: 1024 * 1024 * 10} // 10MB buffer for large responses
-      )
-      return JSON.parse(stdout)
-    } catch (error) {
-      throw new Error(`Failed to POST to ${url}: ${error}`)
-    }
+    return fetchJson(url, body)
   }
 
   private async fetchNpmData(): Promise<any> {
@@ -105,14 +244,22 @@ class PackageAuditor {
     }
   }
 
-  private async fetchDownloads(): Promise<number> {
+  // Returns null when the downloads endpoint is unreachable so the caller can
+  // skip adoption scoring rather than reject the audit. Downloads are
+  // telemetry, not a security signal — an npmjs.org outage shouldn't block
+  // safe allowlist changes when OSV (the real gate) is healthy.
+  private async fetchDownloads(): Promise<number | null> {
     try {
       const data = await this.fetchJson(
         `https://api.npmjs.org/downloads/point/last-week/${this.packageName}`
       )
       return data.downloads || 0
-    } catch {
-      return 0
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error)
+      console.error(
+        `⚠️ Download stats unavailable for ${this.packageName}: ${message}`
+      )
+      return null
     }
   }
 
@@ -149,67 +296,68 @@ class PackageAuditor {
   }
 
   private async checkPublicVulnerabilities(): Promise<void> {
-    const vulnerabilities: string[] = []
-    let totalVulnCount = 0
-
-    // 1. Check NPM Security Advisories (official, reliable)
-    try {
-      const auditData = await this.fetchJson(
-        `https://registry.npmjs.org/-/npm/v1/security/advisories/search?text=${this.packageName}`
-      )
-
-      if (auditData.objects && auditData.objects.length > 0) {
-        auditData.objects.forEach((advisory: any) => {
-          if (advisory.package_name === this.packageName) {
-            totalVulnCount++
-            vulnerabilities.push(`NPM: ${advisory.title}`)
-          }
-        })
-      }
-    } catch {
-      // NPM audit API might not be available
-    }
-
-    // 2. Check OSV (Google-maintained, comprehensive)
-    try {
-      const osvData = await this.fetchPostJson(`https://api.osv.dev/v1/query`, {
-        package: {name: this.packageName, ecosystem: 'npm'},
-      })
-
-      if (osvData.vulns && osvData.vulns.length > 0) {
-        osvData.vulns.forEach((vuln: any) => {
-          totalVulnCount++
-          vulnerabilities.push(
-            `OSV: ${vuln.id} - ${vuln.summary || 'Vulnerability'}`
-          )
-        })
-      }
-    } catch {
-      // OSV might not have data for this package
-    }
-
-    // 3. Check Snyk (industry standard, but may require auth)
-    try {
-      const snykData = await this.fetchJson(
-        `https://api.snyk.io/v1/test/npm/${this.packageName}/${this.version}`
-      )
+    // OSV is the single source of vulnerability data. Errors here propagate up
+    // so the script fails loudly rather than silently reporting "no vulns
+    // found" on a network blip.
+    //
+    // The NPM advisories search endpoint and the Snyk test endpoint were
+    // previously consulted here but were removed: NPM's endpoint returns
+    // HTTP 404 ("does not exist"), and Snyk requires an auth token that
+    // isn't provisioned in CI. Both silently returned zero results.
+    //
+    // Choice of OSV as sole source matches BumperBot's ADR 008-vulnerability-source.md
+    // in shop/world (OSV aggregates GHSA, so direct GHSA integration is dedup churn).
+    const osvData = await this.fetchPostJson(`https://api.osv.dev/v1/query`, {
+      package: {name: this.packageName, ecosystem: 'npm'},
+    })
+
+    if (!osvData?.vulns?.length) return
+
+    // OSV's query endpoint accepts an optional `version` field that would
+    // filter server-side, but `this.version` is often a constraint string
+    // (e.g. `^1.2.3`) coming from `allowed-dependencies.ts`, which OSV won't
+    // resolve. Instead query without a version and filter client-side using
+    // each vuln's `affected[].ranges` so a safe bump isn't rejected because
+    // some unrelated release of the same package is vulnerable.
+    const affectingVulns = osvData.vulns.filter((vuln: any) =>
+      osvAffectsSpec(vuln, this.packageName, this.version)
+    )
+    if (affectingVulns.length === 0) return
+
+    this.vulnerabilities = affectingVulns.map((vuln: any) => ({
+      id: vuln.id,
+      summary: vuln.summary || 'Vulnerability',
+      severity: normalizeSeverity(vuln.database_specific?.severity),
+    }))
+
+    const counts = this.severityCounts()
+    const summary = SEVERITY_ORDER.filter(sev => counts[sev] > 0)
+      .map(sev => `${counts[sev]} ${sev}`)
+      .join(', ')
+    this.riskFactors.push(
+      `${this.vulnerabilities.length} security vulnerabilities found (${summary})`
+    )
+    // Weighted by severity so a single CRITICAL trips REJECT (score > 49).
+    // Reject threshold is 50, so CRITICAL alone is enough; two HIGH or four
+    // MODERATE also reach it. Unweighted counts let a single CRITICAL slip
+    // through as APPROVE, which is the bug binks-code-reviewer flagged.
+    const weighted =
+      counts.CRITICAL * 50 + counts.HIGH * 25 + counts.MODERATE * 5 + counts.LOW
+    this.riskScore += Math.min(weighted, 100)
+  }
 
-      if (snykData.issues && snykData.issues.vulnerabilities) {
-        snykData.issues.vulnerabilities.forEach((vuln: any) => {
-          totalVulnCount++
-          vulnerabilities.push(`Snyk: ${vuln.title}`)
-        })
-      }
-    } catch {
-      // Snyk API might require auth or have rate limits - continue without it
+  private severityCounts(): Record<Severity, number> {
+    const counts: Record<Severity, number> = {
+      CRITICAL: 0,
+      HIGH: 0,
+      MODERATE: 0,
+      LOW: 0,
+      UNKNOWN: 0,
     }
-
-    // Calculate risk based on findings
-    if (totalVulnCount > 0) {
-      this.riskScore += Math.min(totalVulnCount * 5, 50)
-      this.riskFactors.push(`${totalVulnCount} security vulnerabilities found`)
-      this.vulnerabilities = vulnerabilities
+    for (const vuln of this.vulnerabilities) {
+      counts[vuln.severity]++
     }
+    return counts
   }
 
   private assessMaintenanceRisk(publishDate: string): void {
@@ -228,7 +376,11 @@ class PackageAuditor {
     }
   }
 
-  private assessAdoptionRisk(downloads: number): void {
+  private assessAdoptionRisk(downloads: number | null): void {
+    if (downloads === null) {
+      this.riskFactors.push('Download stats unavailable (not scored)')
+      return
+    }
     if (downloads < 1000) {
       this.riskScore += 25
       this.riskFactors.push('Low adoption (<1K downloads/week)')
@@ -250,18 +402,58 @@ class PackageAuditor {
     return '❌ REJECT'
   }
 
-  private generateReport(packageInfo: PackageInfo, downloads: number): void {
+  private getChangeLabel(): string {
+    if (this.kind === 'bumped' && this.previousVersion) {
+      return `🔁 Bumped from ${this.previousVersion}`
+    }
+    return '➕ Added'
+  }
+
+  // Sort vulns worst-first and show the top N; if more exist, summarize the
+  // tail by severity so a reviewer can see what's hidden.
+  private formatTopVulnerabilities(limit: number): string {
+    const sorted = [...this.vulnerabilities].sort(
+      (left, right) =>
+        SEVERITY_ORDER.indexOf(left.severity) -
+        SEVERITY_ORDER.indexOf(right.severity)
+    )
+    const lines = sorted
+      .slice(0, limit)
+      .map(vuln => `  - [${vuln.severity}] OSV: ${vuln.id} - ${vuln.summary}`)
+    if (sorted.length <= limit) return lines.join('\n')
+
+    const tailCounts: Record<Severity, number> = {
+      CRITICAL: 0,
+      HIGH: 0,
+      MODERATE: 0,
+      LOW: 0,
+      UNKNOWN: 0,
+    }
+    for (const vuln of sorted.slice(limit)) tailCounts[vuln.severity]++
+    const tailSummary = SEVERITY_ORDER.filter(sev => tailCounts[sev] > 0)
+      .map(sev => `${tailCounts[sev]} ${sev}`)
+      .join(', ')
+    return `${lines.join('\n')}\n  - ... and ${
+      sorted.length - limit
+    } more (${tailSummary})`
+  }
+
+  private generateReport(
+    packageInfo: PackageInfo,
+    downloads: number | null
+  ): void {
     const riskLevel = this.getRiskLevel()
     const decision = this.getDecision()
-    const formattedDownloads = downloads.toLocaleString()
+    const formattedDownloads =
+      downloads === null ? 'unavailable' : `${downloads.toLocaleString()}/week`
 
     console.log(`
 ### 📦 ${packageInfo.package}@${packageInfo.version}
 
-**${riskLevel}** | **${decision}**
+**${this.getChangeLabel()}** | **${riskLevel}** | **${decision}**
 
-📈 **Downloads:** ${formattedDownloads}/week  
-🔗 **Dependencies:** ${packageInfo.dependenciesCount}  
+📈 **Downloads:** ${formattedDownloads}
+🔗 **Dependencies:** ${packageInfo.dependenciesCount}
 📊 **Risk Score:** ${this.riskScore}/100
 
 ${
@@ -276,14 +468,7 @@ ${
   this.vulnerabilities.length > 0
     ? `🚨 **Security Vulnerabilities (${
         this.vulnerabilities.length
-      }):**\n${this.vulnerabilities
-        .slice(0, 3)
-        .map(vuln => `  - ${vuln}`)
-        .join('\n')}${
-        this.vulnerabilities.length > 3
-          ? `\n  - ... and ${this.vulnerabilities.length - 3} more`
-          : ''
-      }`
+      }):**\n${this.formatTopVulnerabilities(3)}`
     : '🛡️ **Security:** No vulnerabilities found'
 }
 
@@ -291,7 +476,10 @@ ${
 `)
   }
 
-  async audit(): Promise<void> {
+  // Returns true on success, false if the audit failed (e.g. network error).
+  // On failure, emits a ❌ REJECT report block so the failure is visible in
+  // the PR comment and trips the CI grep for `❌ REJECT`.
+  async audit(): Promise<boolean> {
     try {
       const npmData = await this.fetchNpmData()
       const packageInfo = this.extractPackageInfo(npmData)
@@ -302,74 +490,151 @@ ${
       this.assessAdoptionRisk(downloads)
 
       this.generateReport(packageInfo, downloads)
+      return true
     } catch (error) {
-      console.error(`❌ Audit failed: ${error}`)
-      process.exit(1)
+      const message = error instanceof Error ? error.message : String(error)
+      console.error(`❌ Audit failed for ${this.packageName}: ${message}`)
+      console.log(`
+### 📦 ${this.packageName}@${this.version}
+
+**${this.getChangeLabel()}** | **🔴 HIGH/CRITICAL** | **❌ REJECT**
+
+🚨 **Audit could not complete:**
+\`\`\`
+${message}
+\`\`\`
+
+---
+`)
+      return false
     }
   }
 }
 
-// Simple git diff function
-async function getAddedDependencies(): Promise<DependencyInfo[]> {
-  try {
-    const {stdout} = await execAsync(
-      `git diff HEAD~1 HEAD -- src/utils/allowed-dependencies.ts`,
-      {maxBuffer: 1024 * 1024}
-    )
+// Parse a `+`/`-` diff line for an entry like:  '@scope/pkg': '1.2.3',
+// `\s+` (not `.*`) anchors the indent so that an unquoted key like
+// `three: '0.178.0'` isn't eaten by a greedy prefix.
+//
+// Both the name and version captures restrict to characters that are valid
+// in npm package names and semver ranges. This is defense-in-depth: the
+// captured strings are passed to fetch URLs and to the npm registry, never
+// to a shell, but rejecting `$(){};|&\`` here keeps the parser honest.
+const NAME_CHARS = 'a-zA-Z0-9@._/~^*+-'
+const VERSION_CHARS = 'a-zA-Z0-9.<>=~^*+|& \\-'
+const DEP_LINE_REGEX = new RegExp(
+  `^[+-]\\s+(?:['"\`]([${NAME_CHARS}]+)['"\`]|([${NAME_CHARS}]+))\\s*:\\s*['"\`]([${VERSION_CHARS}]+)['"\`]`
+)
+
+function parseDepLine(
+  line: string
+): {name: string; version: string} | undefined {
+  const match = line.match(DEP_LINE_REGEX)
+  if (!match) return undefined
+  const name = match[1] || match[2]
+  const version = match[3]
+  if (!name || !version) return undefined
+  return {name, version}
+}
 
-    const addedLines = stdout
-      .split('\n')
-      .filter(line => line.startsWith('+'))
-      .filter(line => !line.startsWith('+++'))
-      .filter(line => line.includes(':'))
+// Refs come from env (or default constants), but git treats refs starting
+// with `-` as flags. Reject anything that doesn't look like a ref to avoid
+// surprises (e.g. `--upload-pack=…` style argv injection).
+const REF_REGEX = /^[A-Za-z0-9_./~^@-]+$/
+function validateRef(ref: string, label: string): string {
+  if (ref.startsWith('-') || !REF_REGEX.test(ref)) {
+    throw new Error(`Invalid ${label} ref: ${ref}`)
+  }
+  return ref
+}
 
-    const addedDependencies: DependencyInfo[] = []
+async function getChangedDependencies(): Promise<DependencyInfo[]> {
+  // Allow CI to pass the PR's base and head refs so the diff covers every
+  // commit in the PR, not just the last one. Fall back to HEAD~1..HEAD for
+  // local use.
+  const baseRef = validateRef(
+    process.env.AUDIT_BASE_REF || 'HEAD~1',
+    'AUDIT_BASE_REF'
+  )
+  const headRef = validateRef(
+    process.env.AUDIT_HEAD_REF || 'HEAD',
+    'AUDIT_HEAD_REF'
+  )
 
-    for (const line of addedLines) {
-      const depRegex =
-        /\+.*(?:['"`]([^'"`]+)['"`]|([a-zA-Z0-9@_-]+))\s*:\s*['"`]([^'"`]+)['"`]/
-      const match = line.match(depRegex)
+  // `base...head` (three-dot) diffs against the merge-base of the two refs,
+  // not the current base tip. That keeps the audit stable when the base
+  // branch advances after the PR diverged: unrelated edits to
+  // allowed-dependencies.ts landing on main after this PR forked won't
+  // show up here.
+  const {stdout} = await execFileAsync(
+    'git',
+    [
+      'diff',
+      `${baseRef}...${headRef}`,
+      '--',
+      'src/utils/allowed-dependencies.ts',
+    ],
+    {maxBuffer: 1024 * 1024}
+  )
 
-      if (match) {
-        const packageName = match[1] || match[2]
-        const version = match[3]
-        addedDependencies.push({name: packageName, version})
-      }
-    }
+  const removed = new Map<string, string>()
+  const added = new Map<string, string>()
 
-    return addedDependencies
-  } catch (error) {
-    console.error(`⚠️ Could not get git diff: ${error}`)
-    return []
+  for (const line of stdout.split('\n')) {
+    if (line.startsWith('---') || line.startsWith('+++')) continue
+    const parsed = parseDepLine(line)
+    if (!parsed) continue
+    if (line.startsWith('-')) removed.set(parsed.name, parsed.version)
+    else if (line.startsWith('+')) added.set(parsed.name, parsed.version)
   }
-}
 
-// Simple audit of multiple dependencies
-async function auditAddedDependencies(): Promise<void> {
-  try {
-    const depsToAudit = await getAddedDependencies()
-
-    if (depsToAudit.length === 0) {
-      console.log(
-        '## Dependency Audit Results\n✅ No new dependencies found - no audit needed.'
-      )
-      return
+  const changes: DependencyInfo[] = []
+  for (const [name, version] of added) {
+    const previousVersion = removed.get(name)
+    if (previousVersion === undefined) {
+      changes.push({name, version, kind: 'added'})
+    } else if (previousVersion !== version) {
+      changes.push({name, version, kind: 'bumped', previousVersion})
     }
+    // Same name and version on both sides = unchanged, skip.
+  }
+  return changes
+}
+
+// Returns true if every audit succeeded.
+async function auditChangedDependencies(): Promise<boolean> {
+  const depsToAudit = await getChangedDependencies()
 
+  if (depsToAudit.length === 0) {
     console.log(
-      `## Dependency Audit Results\n🔍 Audited ${depsToAudit.length} new ${
-        depsToAudit.length === 1 ? 'dependency' : 'dependencies'
-      }:\n`
+      '## Dependency Audit Results\n✅ No dependency changes detected — no audit needed.'
     )
+    return true
+  }
 
-    for (const dep of depsToAudit) {
-      const auditor = new PackageAuditor(dep.name, dep.version)
-      await auditor.audit()
-    }
-  } catch (error) {
-    console.error(`❌ Audit failed: ${error}`)
-    process.exit(1)
+  const addedCount = depsToAudit.filter(dep => dep.kind === 'added').length
+  const bumpedCount = depsToAudit.length - addedCount
+  const summaryParts: string[] = []
+  if (addedCount) summaryParts.push(`${addedCount} added`)
+  if (bumpedCount) summaryParts.push(`${bumpedCount} version-bumped`)
+
+  console.log(
+    `## Dependency Audit Results\n🔍 Audited ${depsToAudit.length} ${
+      depsToAudit.length === 1 ? 'change' : 'changes'
+    } (${summaryParts.join(', ')}):\n`
+  )
+
+  let allOk = true
+  for (const dep of depsToAudit) {
+    const auditor = new PackageAuditor(
+      dep.name,
+      dep.version,
+      dep.kind,
+      dep.previousVersion
+    )
+    const ok = await auditor.audit()
+    if (!ok) allOk = false
   }
+  return allOk
 }
 
 // CLI interface
@@ -392,8 +657,9 @@ async function main(): Promise<void> {
   const args = process.argv.slice(2)
 
   if (args.length === 0) {
-    // Mode: Audit new dependencies from git diff
-    await auditAddedDependencies()
+    // Mode: Audit new/changed dependencies from git diff
+    const ok = await auditChangedDependencies()
+    if (!ok) process.exit(1)
   } else if (args[0] === '--help' || args[0] === '-h') {
     showUsage()
   } else {
@@ -401,7 +667,8 @@ async function main(): Promise<void> {
     const packageName = args[0]
     const version = args[1] || 'latest'
     const auditor = new PackageAuditor(packageName, version)
-    await auditor.audit()
+    const ok = await auditor.audit()
+    if (!ok) process.exit(1)
   }
 }