@synkro-sh/cli 1.4.81 → 1.4.83
- package/dist/bootstrap.js +13 -14
- package/dist/bootstrap.js.map +1 -1
- package/package.json +1 -1
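--- a/package/dist/bootstrap.js
+++ b/package/dist/bootstrap.js
@@ -2698,7 +2698,8 @@ async function main() {
 
 main();
 `;
-BASH_JUDGE_TS = `#!/usr/bin/env bun
+BASH_JUDGE_TS = String.raw`#!/usr/bin/env bun
+import process from 'node:process';
 import {
 loadJwt, ensureFreshJwt, detectRepo, loadConfig, route, tag, localGrade,
 parseVerdict, dispatchCapture, dispatchFinding, ruleMode, postWithRetry, readStdin,
@@ -2750,17 +2751,17 @@ async function main() {
 if (!jwt) { outputEmpty(); return; }
 jwt = await ensureFreshJwt(jwt);
 
-//
+// ─── Install protection: server-side pkg-scan (CVE + typosquat + tarball + reputation) ───
 let installScanMsg = '';
 if (toolName === 'Bash') {
 const pkgInstallMatch = command.match(
-/^(
+/^(?:.*&&\s*|.*;\s*)?(?:npm\s+(?:install|i|add)|pnpm\s+(?:add|install|i)|yarn\s+add|bun\s+(?:add|install|i)|(?:uv\s+)?pip3?\s+install|go\s+get|cargo\s+add|gem\s+install|composer\s+require)\s+([^|;&><]+)/
 );
-const isPip = /(?:
+const isPip = /(?:uv\s+)?pip3?\s+install/.test(command);
 if (pkgInstallMatch) {
 const rawArgs = pkgInstallMatch[1];
 const packages: Array<{ name: string; version: string; ecosystem: string }> = [];
-const tokens = rawArgs.split(
+const tokens = rawArgs.split(/\s+/);
 let skipNext = false;
 for (const token of tokens) {
 if (skipNext) { skipNext = false; continue; }
@@ -2802,11 +2803,9 @@ async function main() {
 const blockSignals = pkgResults
 .flatMap((p: any) => (p.signals || []).filter((s: any) => s.severity === 'critical' || s.severity === 'high'))
 .slice(0, 5);
-const scanMsg = '[synkro:installScan] ' + cmdShort + '
-const details = blockSignals.map((s: any) => s.detail).join('
-'
-const ctx = details + '
-Do NOT install packages with security risks. Use a patched version or a different package.';
+const scanMsg = '[synkro:installScan] ' + cmdShort + ' → blocked';
+const details = blockSignals.map((s: any) => s.detail).join('\n');
+const ctx = details + '\nDo NOT install packages with security risks. Use a patched version or a different package.';
 
 const config = await loadConfig(jwt);
 for (const p of pkgResults) {
@@ -2815,7 +2814,7 @@ Do NOT install packages with security risks. Use a patched version or a differen
 dispatchFinding(jwt, {
 session_id: sessionId,
 file_path: command,
-finding_type:
+finding_type: 'cve' as const,
 finding_id: s.type + ':' + p.name,
 severity: s.severity,
 status: 'open',
@@ -2847,7 +2846,7 @@ Do NOT install packages with security risks. Use a patched version or a differen
 installScanMsg = '[synkro:installScan] ' + summary;
 } else {
 const scannedPkgs = packages.map(p => p.name + '@' + p.version).join(', ');
-installScanMsg = '[synkro:installScan] ' + scannedPkgs + '
+installScanMsg = '[synkro:installScan] ' + scannedPkgs + ' → clean';
 }
 } catch (e) {
 log('bashGuard pkg-scan failed: ' + String(e));
@@ -2929,7 +2928,7 @@ Do NOT install packages with security risks. Use a patched version or a differen
 return;
 }
 
-//
+// ─── Cloud grading ───
 const isHeadless = ['acceptEdits', 'bypassPermissions', 'plan', 'auto'].includes(permissionMode)
 || process.env.SYNKRO_HEADLESS === '1';
 
@@ -6397,7 +6396,7 @@ function writeConfigEnv(opts) {
 `SYNKRO_CREDENTIALS_PATH=${shellQuoteSingle(credsPath)}`,
 `SYNKRO_TIER=${shellQuoteSingle(safeTier)}`,
 `SYNKRO_INFERENCE=${shellQuoteSingle(safeInference)}`,
-`SYNKRO_VERSION=${shellQuoteSingle("1.4.
+`SYNKRO_VERSION=${shellQuoteSingle("1.4.83")}`
 ];
 if (safeSynkroBin) lines.push(`SYNKRO_CLI_BIN=${shellQuoteSingle(safeSynkroBin)}`);
 if (safeUserId) lines.push(`SYNKRO_USER_ID=${shellQuoteSingle(safeUserId)}`);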
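Review bot: The install matcher at new line 2758 scans at most one install invocation per command, because the optional prefix `^(?:.*&&\s*|.*;\s*)?` is greedy and drops every segment before the last `&&` or `;`, and segments joined by `||`, a pipe or a newline never reach the matcher, so earlier installs in a chain are silently left unscanned. Splitting the command on the shell separators, running the matcher on each segment and merging the captured arguments keeps `pkgInstallMatch[1]` and the `rawArgs` tokenizer below it unchanged; the same split would also let `isPip` at new line 2760 be decided per matched segment instead of against the whole command. This code lives inside the `String.raw` template started at new line 2701, which is what lets the `\s` escapes survive into the emitted hook, so any further regex added here must likewise avoid `${` sequences. The enclosing `main()` begins and ends outside the hunk, so the declarations that consume `pkgInstallMatch` further down were not reviewed.
```typescript
const installRe = /^(?:npm\s+(?:install|i|add)|pnpm\s+(?:add|install|i)|yarn\s+add|bun\s+(?:add|install|i)|(?:uv\s+)?pip3?\s+install|go\s+get|cargo\s+add|gem\s+install|composer\s+require)\s+([^|;&><]+)/;
// Scan every segment of a compound command, not only the last one.
const installArgs = command
  .split(/\s*(?:&&|\|\||;|\||\n)\s*/)
  .map((seg: string) => seg.match(installRe)?.[1] ?? '')
  .filter((a: string) => a.length > 0);
const pkgInstallMatch = installArgs.length > 0 ? [command, installArgs.join(' ')] : null;
// … unchanged: isPip, rawArgs tokenizer, package list …
```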