npm - @synkro-sh/cli - Versions diffs - 1.4.55 → 1.4.56 - Mend

@synkro-sh/cli 1.4.55 → 1.4.56

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/bootstrap.js CHANGED Viewed

@@ -2089,6 +2089,60 @@ async function main() {
     if (!jwt) { outputEmpty(); return; }
     jwt = await ensureFreshJwt(jwt);
+    // \u2500\u2500\u2500 CVE scan for package install commands \u2500\u2500\u2500
+    if (toolName === 'Bash') {
+      const pkgInstallMatch = command.match(
+        /(?:npm\\s+(?:install|i|add)|pnpm\\s+(?:add|install|i)|yarn\\s+add|bun\\s+(?:add|install|i)|pip\\s+install|pip3\\s+install|go\\s+get|cargo\\s+add|gem\\s+install|composer\\s+require)\\s+(.+)/
+      );
+      if (pkgInstallMatch) {
+        const rawArgs = pkgInstallMatch[1];
+        const deps: Record<string, string> = {};
+        const tokens = rawArgs.split(/\\s+/);
+        for (const token of tokens) {
+          if (token.startsWith('-')) continue;
+          const atIdx = token.lastIndexOf('@');
+          if (atIdx > 0) {
+            deps[token.slice(0, atIdx)] = token.slice(atIdx + 1);
+          } else {
+            deps[token] = '*';
+          }
+        }
+        if (Object.keys(deps).length > 0) {
+          try {
+            const cveBody = { file_path: 'package.json', content: JSON.stringify({ dependencies: deps }), dependencies: deps };
+            const cveResp = await fetch(GATEWAY_URL + '/api/v1/cve-scan', {
+              method: 'POST',
+              headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
+              body: JSON.stringify(cveBody),
+              signal: AbortSignal.timeout(8000),
+            }).then(r => r.json()) as any;
+            const findings = Array.isArray(cveResp?.findings) ? cveResp.findings : [];
+            if (findings.length > 0) {
+              const top3 = findings.slice(0, 3).map((f: any) => {
+                const id = f.cve || f.id || '?';
+                const pkg = f.package || '?';
+                const ver = f.version || '?';
+                const title = f.title || f.summary || 'vulnerable';
+                return '[' + id + '] ' + pkg + '@' + ver + ': ' + title;
+              }).join('; ');
+              const count = findings.length;
+              const label = count === 1 ? 'advisory' : 'advisories';
+              const cveMsg = '[synkro:cveScan] ' + cmdShort + ' \\u2192 ' + count + ' ' + label;
+              const ctx = 'CVE: ' + top3 + '\\nDo NOT install packages with known vulnerabilities. Use a patched version or a different package.';
+              outputJson({
+                systemMessage: cveMsg,
+                hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: ctx, additionalContext: ctx },
+              });
+              return;
+            }
+          } catch (e) {
+            log('bashGuard CVE check failed: ' + String(e));
+          }
+        }
+      }
+    }
     const transcript = extractTranscript(transcriptPath);
     const lastPrompt = readLastPrompt();
@@ -5051,7 +5105,7 @@ function writeConfigEnv(opts) {
     `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
     `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
     `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-    `SYNKRO_VERSION=${shellQuoteSingle("1.4.55")}`
+    `SYNKRO_VERSION=${shellQuoteSingle("1.4.56")}`
   ];
   if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
   if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);