@synkro-sh/cli 1.4.55 → 1.4.57
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/bootstrap.js +57 -15
- package/dist/bootstrap.js.map +1 -1
- package/package.json +1 -1
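--- a/package/dist/bootstrap.js
+++ b/package/dist/bootstrap.js
@@ -146,24 +146,12 @@ function installCCHooks(settingsPath, config) {
 type: "command",
 command: config.editPrecheckScriptPath,
 timeout: 30
-}
-],
-[SYNKRO_MARKER]: true
-});
-settings.hooks.PreToolUse.push({
-matcher: "Edit|Write|MultiEdit|NotebookEdit",
-hooks: [
+},
 {
 type: "command",
 command: config.cwePrecheckScriptPath,
 timeout: 30
-}
-],
-[SYNKRO_MARKER]: true
-});
-settings.hooks.PreToolUse.push({
-matcher: "Edit|Write|MultiEdit|NotebookEdit",
-hooks: [
+},
 {
 type: "command",
 command: config.cvePrecheckScriptPath,
@@ -2089,6 +2077,60 @@ async function main() {
 if (!jwt) { outputEmpty(); return; }
 jwt = await ensureFreshJwt(jwt);
 
+// \u2500\u2500\u2500 CVE scan for package install commands \u2500\u2500\u2500
+if (toolName === 'Bash') {
+const pkgInstallMatch = command.match(
+/(?:npm\\s+(?:install|i|add)|pnpm\\s+(?:add|install|i)|yarn\\s+add|bun\\s+(?:add|install|i)|pip\\s+install|pip3\\s+install|go\\s+get|cargo\\s+add|gem\\s+install|composer\\s+require)\\s+(.+)/
+);
+if (pkgInstallMatch) {
+const rawArgs = pkgInstallMatch[1];
+const deps: Record<string, string> = {};
+const tokens = rawArgs.split(/\\s+/);
+for (const token of tokens) {
+if (token.startsWith('-')) continue;
+const atIdx = token.lastIndexOf('@');
+if (atIdx > 0) {
+deps[token.slice(0, atIdx)] = token.slice(atIdx + 1);
+} else {
+deps[token] = '*';
+}
+}
+if (Object.keys(deps).length > 0) {
+try {
+const cveBody = { file_path: 'package.json', content: JSON.stringify({ dependencies: deps }), dependencies: deps };
+const cveResp = await fetch(GATEWAY_URL + '/api/v1/cve-scan', {
+method: 'POST',
+headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + jwt },
+body: JSON.stringify(cveBody),
+signal: AbortSignal.timeout(8000),
+}).then(r => r.json()) as any;
+
+const findings = Array.isArray(cveResp?.findings) ? cveResp.findings : [];
+if (findings.length > 0) {
+const top3 = findings.slice(0, 3).map((f: any) => {
+const id = f.cve || f.id || '?';
+const pkg = f.package || '?';
+const ver = f.version || '?';
+const title = f.title || f.summary || 'vulnerable';
+return '[' + id + '] ' + pkg + '@' + ver + ': ' + title;
+}).join('; ');
+const count = findings.length;
+const label = count === 1 ? 'advisory' : 'advisories';
+const cveMsg = '[synkro:cveScan] ' + cmdShort + ' \\u2192 ' + count + ' ' + label;
+const ctx = 'CVE: ' + top3 + '\\nDo NOT install packages with known vulnerabilities. Use a patched version or a different package.';
+outputJson({
+systemMessage: cveMsg,
+hookSpecificOutput: { hookEventName: 'PreToolUse', permissionDecision: 'deny', permissionDecisionReason: ctx, additionalContext: ctx },
+});
+return;
+}
+} catch (e) {
+log('bashGuard CVE check failed: ' + String(e));
+}
+}
+}
+}
+
 const transcript = extractTranscript(transcriptPath);
 const lastPrompt = readLastPrompt();
 
@@ -5051,7 +5093,7 @@ function writeConfigEnv(opts) {
 `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
 `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
 `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-`SYNKRO_VERSION=${shellQuoteSingle("1.4.
+`SYNKRO_VERSION=${shellQuoteSingle("1.4.57")}`
 ];
 if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
 if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);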
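Review bot: The CVE pre-check in the `async function main()` hunk fails open silently on a non-2xx gateway reply: `.then(r => r.json()) as any` on new line 2106 parses whatever body a 401/5xx returns, `Array.isArray(cveResp?.findings)` then yields an empty list and the install is allowed with no log entry, unlike the network-error path which at least logs at 2128; checking the status first, `.then(r => { if (!r.ok) throw new Error('cve-scan HTTP ' + r.status); return r.json(); })`, routes that case through the existing catch so the fail-open is visible in the log. The token parser at 2089–2097 only understands `name@version`, while the matcher at 2083 also accepts pip, gem, cargo and composer commands whose version syntax differs (`requests==2.0` is sent as a dependency named `requests==2.0` at `*`), and the trailing `(.+)` runs past shell operators, so for `npm i foo && …` the `&&` and the following words are also submitted as package names; cutting `rawArgs` at the first `&&`, `||`, `;` or `|` before splitting would tighten that. The file is `dist/bootstrap.js` but the added lines use TypeScript annotations (`: Record<string, string>`, `(f: any)`, `as any`), which presumably only run under a type-stripping runtime — worth confirming against the dist target. `main()` starts and ends outside this hunk, and `cmdShort`, `command`, `toolName` and `GATEWAY_URL` are defined there.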