@westbayberry/dg 1.0.33 → 1.0.34

package/dist/index.mjs

@@ -53,7 +53,7 @@ __export(auth_exports, {
 import { readFileSync, writeFileSync, chmodSync, unlinkSync, existsSync } from "node:fs";
 import { join } from "node:path";
 import { homedir } from "node:os";
-import { exec } from "node:child_process";
+import { spawn } from "node:child_process";
 import { randomUUID } from "node:crypto";
 async function createAuthSession() {
   let res;
@@ -154,24 +154,35 @@ function getOrCreateDeviceId() {
   return deviceId;
 }
 function openBrowser(url) {
-  if (!/^https?:\/\//i.test(url)) return;
-  const escaped = url.replace(/"/g, '\\"');
+  try {
+    const parsed = new URL(url);
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return;
+  } catch {
+    return;
+  }
   let cmd;
+  let args;
   switch (process.platform) {
     case "darwin":
-      cmd = `open "${escaped}"`;
+      cmd = "open";
+      args = [url];
       break;
     case "linux":
-      cmd = `xdg-open "${escaped}"`;
+      cmd = "xdg-open";
+      args = [url];
       break;
     case "win32":
-      cmd = `start "" "${escaped}"`;
+      cmd = "cmd.exe";
+      args = ["/c", "start", "", url];
       break;
     default:
       return;
   }
-  exec(cmd, () => {
-  });
+  try {
+    const child = spawn(cmd, args, { stdio: "ignore", detached: true });
+    child.unref();
+  } catch {
+  }
 }
 var WEB_BASE, CONFIG_FILE;
 var init_auth = __esm({
@@ -211,6 +222,22 @@ function loadDgrc() {
   }
   return {};
 }
+function validateApiUrl(url) {
+  try {
+    const parsed = new URL(url);
+    const isLocal = parsed.hostname === "localhost" || parsed.hostname.startsWith("127.");
+    if (parsed.protocol !== "https:" && !isLocal) {
+      process.stderr.write(`Error: API URL must use HTTPS (got ${parsed.protocol}). Use localhost for local testing.
+`);
+      process.exit(1);
+    }
+    return url;
+  } catch {
+    process.stderr.write(`Error: Invalid API URL: ${url}
+`);
+    process.exit(1);
+  }
+}
 function getVersion() {
   try {
     const thisDir = dirname(fileURLToPath(import.meta.url));
@@ -286,12 +313,14 @@ function parseConfig(argv) {
   return {
     apiKey,
     deviceId,
-    apiUrl: values["api-url"] ?? process.env.DG_API_URL ?? dgrc.apiUrl ?? "https://api.westbayberry.com",
+    apiUrl: validateApiUrl(
+      values["api-url"] ?? process.env.DG_API_URL ?? dgrc.apiUrl ?? "https://api.westbayberry.com"
+    ),
     mode: modeRaw,
     blockThreshold,
     warnThreshold,
     maxPackages,
-    allowlist: allowlistRaw ? allowlistRaw.split(",").map((s) => s.trim()).filter(Boolean) : dgrc.allowlist ?? [],
+    allowlist: (allowlistRaw ? allowlistRaw.split(",").map((s) => s.trim()).filter(Boolean) : dgrc.allowlist ?? []).map((s) => s.toLowerCase()),
     json: values.json,
     scanAll: values["scan-all"],
     baseLockfile: values["base-lockfile"] ?? null,
@@ -370,7 +399,7 @@ var init_config = __esm({
 });
 
 // src/npm-wrapper.ts
-import { spawn } from "node:child_process";
+import { spawn as spawn2 } from "node:child_process";
 import { readFileSync as readFileSync3, existsSync as existsSync3 } from "node:fs";
 import { join as join3 } from "node:path";
 function parseNpmArgs(args) {
@@ -451,7 +480,7 @@ function parsePackageSpec(spec) {
 }
 async function resolveVersion(spec) {
   return new Promise((resolve) => {
-    const child = spawn("npm", ["view", spec, "version"], {
+    const child = spawn2("npm", ["view", spec, "version"], {
       stdio: ["pipe", "pipe", "pipe"]
     });
     let stdout = "";
@@ -509,7 +538,7 @@ async function resolvePackages(specs) {
 }
 function runNpm(args) {
   return new Promise((resolve) => {
-    const child = spawn("npm", args, {
+    const child = spawn2("npm", args, {
       stdio: "inherit",
       shell: false
     });
@@ -27588,9 +27617,9 @@ var init_ansi_styles = __esm({
 
 // node_modules/wrap-ansi/index.js
 function wrapAnsi(string, columns, options) {
-  return String(string).normalize().replaceAll("\r\n", "\n").split("\n").map((line) => exec2(line, columns, options)).join("\n");
+  return String(string).normalize().replaceAll("\r\n", "\n").split("\n").map((line) => exec(line, columns, options)).join("\n");
 }
-var ESCAPES, END_CODE, ANSI_ESCAPE_BELL, ANSI_CSI, ANSI_OSC, ANSI_SGR_TERMINATOR, ANSI_ESCAPE_LINK, wrapAnsiCode, wrapAnsiHyperlink, wordLengths, wrapWord, stringVisibleTrimSpacesRight, exec2;
+var ESCAPES, END_CODE, ANSI_ESCAPE_BELL, ANSI_CSI, ANSI_OSC, ANSI_SGR_TERMINATOR, ANSI_ESCAPE_LINK, wrapAnsiCode, wrapAnsiHyperlink, wordLengths, wrapWord, stringVisibleTrimSpacesRight, exec;
 var init_wrap_ansi = __esm({
   "node_modules/wrap-ansi/index.js"() {
     init_string_width();
@@ -27662,7 +27691,7 @@ var init_wrap_ansi = __esm({
       }
       return words.slice(0, last).join(" ") + words.slice(last).join("");
     };
-    exec2 = (string, columns, options = {}) => {
+    exec = (string, columns, options = {}) => {
       if (options.trim !== false && string.trim() === "") {
         return "";
       }
@@ -30753,7 +30782,7 @@ var require_websocket = __commonJS({
     var tls = __require("tls");
     var { randomBytes, createHash } = __require("crypto");
     var { Duplex, Readable } = __require("stream");
-    var { URL } = __require("url");
+    var { URL: URL2 } = __require("url");
     var PerMessageDeflate = require_permessage_deflate();
     var Receiver2 = require_receiver();
     var Sender2 = require_sender();
@@ -31246,11 +31275,11 @@ var require_websocket = __commonJS({
         );
       }
       let parsedUrl;
-      if (address instanceof URL) {
+      if (address instanceof URL2) {
         parsedUrl = address;
       } else {
         try {
-          parsedUrl = new URL(address);
+          parsedUrl = new URL2(address);
         } catch (e) {
           throw new SyntaxError(`Invalid URL: ${address}`);
         }
@@ -31387,7 +31416,7 @@ var require_websocket = __commonJS({
           req.abort();
           let addr;
           try {
-            addr = new URL(location, address);
+            addr = new URL2(location, address);
           } catch (e) {
             const err = new SyntaxError(`Invalid URL: ${location}`);
             emitErrorAndClose(websocket, err);
@@ -38919,6 +38948,38 @@ var init_LoginApp = __esm({
   }
 });
 
+// src/sanitize.ts
+import { stripVTControlCharacters } from "node:util";
+function sanitize(s) {
+  return stripVTControlCharacters(s);
+}
+function sanitizeResponse(response) {
+  return {
+    ...response,
+    packages: response.packages.map((pkg) => ({
+      ...pkg,
+      name: sanitize(pkg.name),
+      version: sanitize(pkg.version),
+      findings: pkg.findings.map((f) => ({
+        ...f,
+        id: sanitize(f.id ?? ""),
+        title: sanitize(f.title),
+        evidence: f.evidence.map(sanitize)
+      })),
+      reasons: (pkg.reasons ?? []).map(sanitize),
+      recommendation: pkg.recommendation ? sanitize(pkg.recommendation) : void 0
+    })),
+    safeVersions: Object.fromEntries(
+      Object.entries(response.safeVersions).map(([k, v]) => [sanitize(k), sanitize(v)])
+    )
+  };
+}
+var init_sanitize = __esm({
+  "src/sanitize.ts"() {
+    "use strict";
+  }
+});
+
 // src/api.ts
 function buildHeaders(config) {
   const headers = {
@@ -39065,7 +39126,11 @@ async function callAnalyzeBatch(packages, config) {
       body
     );
   }
-  return await response.json();
+  const raw = await response.json();
+  if (!raw || typeof raw.score !== "number" || !Array.isArray(raw.packages)) {
+    throw new APIError("Invalid API response format", 0, "");
+  }
+  return sanitizeResponse(raw);
 }
 async function callPyPIAnalyzeAPI(packages, config, onProgress) {
   const batchSize = config.apiKey ? BATCH_SIZE : ANON_BATCH_SIZE;
@@ -39139,12 +39204,17 @@ async function callPyPIBatch(packages, config) {
     const body = await response.text();
     throw new APIError(`API returned ${response.status}: ${body}`, response.status, body);
   }
-  return await response.json();
+  const raw = await response.json();
+  if (!raw || typeof raw.score !== "number" || !Array.isArray(raw.packages)) {
+    throw new APIError("Invalid API response format", 0, "");
+  }
+  return sanitizeResponse(raw);
 }
 var APIError, TrialExhaustedError, BATCH_SIZE, ANON_BATCH_SIZE, MAX_RETRIES, RETRY_DELAY_MS;
 var init_api = __esm({
   "src/api.ts"() {
     "use strict";
+    init_sanitize();
     APIError = class extends Error {
       constructor(message, statusCode, body) {
         super(message);
@@ -39183,7 +39253,9 @@ function parseLockfile(content) {
           version: e.version ?? "",
           resolved: e.resolved,
           integrity: e.integrity,
-          dev: e.dev
+          dev: e.dev,
+          optional: e.optional,
+          hasPlatformRestriction: !!(e.os || e.cpu)
         });
       }
     }
@@ -39405,9 +39477,16 @@ var init_parse_package_json = __esm({
 });
 
 // src/lockfile.ts
-import { execFileSync } from "node:child_process";
-import { readFileSync as readFileSync6, existsSync as existsSync5 } from "node:fs";
+import { execFileSync as execFileSync2 } from "node:child_process";
+import { readFileSync as readFileSync6, existsSync as existsSync5, statSync } from "node:fs";
 import { join as join5 } from "node:path";
+function readFileSafe(path) {
+  const size = statSync(path).size;
+  if (size > MAX_LOCKFILE_BYTES) {
+    throw new Error(`Lockfile too large (${(size / 1024 / 1024).toFixed(0)} MB, max 50 MB): ${path}`);
+  }
+  return readFileSync6(path, "utf-8");
+}
 function discoverChanges(cwd2, config) {
   if (config.workspace) {
     cwd2 = join5(cwd2, config.workspace);
@@ -39418,13 +39497,14 @@ function discoverChanges(cwd2, config) {
       "No lockfile found (package-lock.json, yarn.lock, or pnpm-lock.yaml). Run from your project root or use --base-lockfile."
     );
   }
-  const headContent = readFileSync6(lockfileInfo.path, "utf-8");
+  const headContent = readFileSafe(lockfileInfo.path);
   const headParsed = parseLockfileByType(headContent, lockfileInfo.type);
   const directDeps = getDirectDeps(cwd2);
   if (config.scanAll) {
     const packages2 = [];
     for (const [name, entry] of headParsed.packages) {
       if (packages2.length >= config.maxPackages) break;
+      if (entry.optional && entry.hasPlatformRestriction) continue;
       packages2.push({
         name,
         version: entry.version,
@@ -39438,7 +39518,7 @@ function discoverChanges(cwd2, config) {
     if (!existsSync5(config.baseLockfile)) {
       throw new Error(`Base lockfile not found: ${config.baseLockfile}`);
     }
-    const baseContent2 = readFileSync6(config.baseLockfile, "utf-8");
+    const baseContent2 = readFileSafe(config.baseLockfile);
     const baseParsed = parseLockfile(baseContent2);
     const diff2 = diffLockfiles(baseParsed, headParsed, config.maxPackages, directDeps);
     return {
@@ -39459,7 +39539,7 @@ function discoverChanges(cwd2, config) {
   }
   const pkgJsonPath = join5(cwd2, "package.json");
   if (existsSync5(pkgJsonPath)) {
-    const headPkgJson = readFileSync6(pkgJsonPath, "utf-8");
+    const headPkgJson = readFileSafe(pkgJsonPath);
     const basePkgJson = getGitBaseFile(cwd2, "package.json");
     if (basePkgJson !== null) {
       const diff2 = diffPackageJsons(basePkgJson, headPkgJson, config.maxPackages);
@@ -39480,6 +39560,7 @@ function discoverChanges(cwd2, config) {
   const packages = [];
   for (const [name, entry] of headParsed.packages) {
     if (packages.length >= config.maxPackages) break;
+    if (entry.optional && entry.hasPlatformRestriction) continue;
     packages.push({
       name,
       version: entry.version,
@@ -39514,7 +39595,7 @@ function parseLockfileByType(content, type) {
 }
 function getDirectDeps(cwd2) {
   try {
-    const content = readFileSync6(join5(cwd2, "package.json"), "utf-8");
+    const content = readFileSafe(join5(cwd2, "package.json"));
     const pkg = JSON.parse(content);
     return /* @__PURE__ */ new Set([
       ...Object.keys(pkg.dependencies ?? {}),
@@ -39526,7 +39607,7 @@ function getDirectDeps(cwd2) {
 }
 function getGitBaseLockfile(cwd2) {
   try {
-    const mergeBase = execFileSync("git", ["merge-base", "HEAD", "main"], {
+    const mergeBase = execFileSync2("git", ["merge-base", "HEAD", "main"], {
       cwd: cwd2,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
@@ -39534,7 +39615,7 @@ function getGitBaseLockfile(cwd2) {
     if (!mergeBase) return null;
     for (const name of ["package-lock.json", "yarn.lock", "pnpm-lock.yaml"]) {
       try {
-        return execFileSync("git", ["show", `${mergeBase}:${name}`], {
+        return execFileSync2("git", ["show", `${mergeBase}:${name}`], {
           cwd: cwd2,
           encoding: "utf-8",
           stdio: ["pipe", "pipe", "pipe"]
@@ -39550,13 +39631,13 @@ function getGitBaseLockfile(cwd2) {
 }
 function getGitBaseFile(cwd2, filename) {
   try {
-    const mergeBase = execFileSync("git", ["merge-base", "HEAD", "main"], {
+    const mergeBase = execFileSync2("git", ["merge-base", "HEAD", "main"], {
       cwd: cwd2,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
     }).trim();
     if (!mergeBase) return null;
-    return execFileSync("git", ["show", `${mergeBase}:${filename}`], {
+    return execFileSync2("git", ["show", `${mergeBase}:${filename}`], {
       cwd: cwd2,
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
@@ -39574,7 +39655,7 @@ function toPackageInput(change) {
   };
 }
 function parsePythonDepFile(projectDir, depFile) {
-  const content = readFileSync6(join5(projectDir, depFile), "utf-8");
+  const content = readFileSafe(join5(projectDir, depFile));
   if (depFile === "Pipfile.lock") {
     try {
       const parsed = JSON.parse(content);
@@ -39622,6 +39703,7 @@ function parsePythonDepFile(projectDir, depFile) {
   }
   return packages;
 }
+var MAX_LOCKFILE_BYTES;
 var init_lockfile = __esm({
   "src/lockfile.ts"() {
     "use strict";
@@ -39630,6 +39712,7 @@ var init_lockfile = __esm({
     init_parse_pnpm_lock();
     init_diff2();
     init_parse_package_json();
+    MAX_LOCKFILE_BYTES = 50 * 1024 * 1024;
   }
 });
 
@@ -39638,7 +39721,7 @@ var discover_exports = {};
 __export(discover_exports, {
   discoverProjects: () => discoverProjects
 });
-import { existsSync as existsSync6, readFileSync as readFileSync7, readdirSync, statSync } from "node:fs";
+import { existsSync as existsSync6, readFileSync as readFileSync7, readdirSync, lstatSync } from "node:fs";
 import { join as join6, relative, basename } from "node:path";
 function discoverProjects(root) {
   const projects = [];
@@ -39689,7 +39772,8 @@ function walk(dir, root, depth, out) {
     if (SKIP_DIRS.has(entry) || entry.startsWith(".")) continue;
     const full = join6(dir, entry);
     try {
-      if (statSync(full).isDirectory()) {
+      const st = lstatSync(full);
+      if (st.isDirectory() && !st.isSymbolicLink()) {
         walk(full, root, depth + 1, out);
       }
     } catch {
@@ -39980,7 +40064,7 @@ async function runStatic(config) {
     process.exit(0);
   }
   const packages = discovery.packages.filter(
-    (p) => !config.allowlist.includes(p.name)
+    (p) => !config.allowlist.includes(p.name.toLowerCase())
   );
   if (packages.length === 0) {
     process.stderr.write(
@@ -40088,7 +40172,7 @@ async function runStaticNpm(npmArgs, config) {
   return scanAndInstallStatic(resolved, parsed, config);
 }
 async function scanAndInstallStatic(resolved, parsed, config) {
-  const toScan = resolved.filter((p) => !config.allowlist.includes(p.name));
+  const toScan = resolved.filter((p) => !config.allowlist.includes(p.name.toLowerCase()));
   if (toScan.length === 0) {
     process.stderr.write(
       import_chalk4.default.dim("  All packages are allowlisted. Passing through to npm.\n")
@@ -40271,7 +40355,7 @@ var hook_exports = {};
 __export(hook_exports, {
   handleHookCommand: () => handleHookCommand
 });
-import { execFileSync as execFileSync2 } from "node:child_process";
+import { execFileSync as execFileSync3 } from "node:child_process";
 import {
   existsSync as existsSync7,
   readFileSync as readFileSync8,
@@ -40283,7 +40367,7 @@ import {
 import { join as join7 } from "node:path";
 function findGitDir() {
   try {
-    return execFileSync2("git", ["rev-parse", "--git-dir"], {
+    return execFileSync3("git", ["rev-parse", "--git-dir"], {
       encoding: "utf-8",
       stdio: ["pipe", "pipe", "pipe"]
     }).trim();
@@ -40518,7 +40602,7 @@ function useNpmWrapper(npmArgs, config) {
           return;
         }
         const toScan = resolved.filter(
-          (p) => !config.allowlist.includes(p.name)
+          (p) => !config.allowlist.includes(p.name.toLowerCase())
         );
         if (toScan.length === 0) {
           dispatch({ type: "INSTALLING" });
@@ -40728,6 +40812,7 @@ var init_ScoreHeader = __esm({
       severityCounts
     }) => {
       const logo = renderLogo(action);
+      const showLogo = (process.stdout.columns ?? 80) >= 60;
       return /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
         Box_default,
         {
@@ -40767,7 +40852,7 @@ var init_ScoreHeader = __esm({
                 /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Text, { dimColor: true, children: `\x1B]8;;https://westbayberry.com\x07westbayberry.com\x1B]8;;\x07` })
               ] })
             ] }),
-            /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Box_default, { flexDirection: "column", marginLeft: 2, children: logo.map((line, i) => /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Text, { children: line }, i)) })
+            showLogo && /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Box_default, { flexDirection: "column", marginLeft: 2, children: logo.map((line, i) => /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(Text, { children: line }, i)) })
           ] })
         }
       );
@@ -41002,6 +41087,7 @@ var init_ErrorView = __esm({
     "use strict";
     await init_build2();
     import_chalk8 = __toESM(require_source());
+    init_sanitize();
     import_jsx_runtime7 = __toESM(require_jsx_runtime());
     ErrorView = ({ error }) => {
       const hint = getHint(error);
@@ -41015,7 +41101,7 @@ var init_ErrorView = __esm({
           paddingRight: 1,
           children: [
             /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(Text, { children: import_chalk8.default.red.bold("\u2718 Error") }),
-            /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(Text, { children: error.message }),
+            /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(Text, { children: sanitize(error.message) }),
             hint && /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(Text, { children: [
               import_chalk8.default.yellow("\u2192"),
               " ",
@@ -41211,7 +41297,7 @@ function useScan(config) {
     }
     try {
       const discovery = discoverChanges(process.cwd(), config);
-      const packages = discovery.packages.filter((p) => !config.allowlist.includes(p.name));
+      const packages = discovery.packages.filter((p) => !config.allowlist.includes(p.name.toLowerCase()));
       if (packages.length === 0) {
         const message = discovery.packages.length === 0 ? "No package changes detected." : "All changed packages are allowlisted.";
         dispatch({ type: "DISCOVERY_EMPTY", message });
@@ -41273,7 +41359,7 @@ async function scanProjects(projects, config, dispatch) {
         const discovery = discoverChanges(proj.path, fullScanConfig);
         for (const pkg of discovery.packages) {
           const key = `${pkg.name}@${pkg.version}`;
-          if (!config.allowlist.includes(pkg.name) && !seenNpm.has(key)) {
+          if (!config.allowlist.includes(pkg.name.toLowerCase()) && !seenNpm.has(key)) {
             seenNpm.add(key);
             npmPackages.push(pkg);
           }
@@ -41286,7 +41372,7 @@ async function scanProjects(projects, config, dispatch) {
         const packages = parsePythonDepFile(proj.path, proj.depFile);
         for (const pkg of packages) {
           const key = `${pkg.name}@${pkg.version}`;
-          if (!config.allowlist.includes(pkg.name) && !seenPypi.has(key)) {
+          if (!config.allowlist.includes(pkg.name.toLowerCase()) && !seenPypi.has(key)) {
             seenPypi.add(key);
             pypiPackages.push(pkg);
           }
@@ -41858,6 +41944,15 @@ var init_InteractiveResultsView = __esm({
         const newVp = adjustViewport(cursor, expandedIndex, expandLevel, clamped);
         dispatchView({ type: "MOVE", cursor, viewport: newVp });
       }, [availableRows]);
+      (0, import_react31.useEffect)(() => {
+        const dp = detailPaneRef.current;
+        if (dp && detailLines.length > 0) {
+          const maxScroll = Math.max(0, detailLines.length - detailContentRows);
+          if (dp.scroll > maxScroll) {
+            setDetailPane({ groupIndex: dp.groupIndex, scroll: maxScroll });
+          }
+        }
+      }, [detailContentRows, detailLines.length]);
       use_input_default((input, key) => {
         if (groups.length === 0) {
           if (input === "q" || key.return) onExit();
@@ -41906,6 +42001,11 @@ var init_InteractiveResultsView = __esm({
           }
           return;
         }
+        if (groups.length === 0) {
+          if (input === "q") onExit();
+          else if (input === "/") setSearchMode(true);
+          return;
+        }
         const { cursor, expandLevel: expLvl, expandedIndex: expIdx, viewport: vpStart } = viewRef.current;
         if (key.upArrow || input === "k") {
           const next = Math.max(0, cursor - 1);
@@ -41956,6 +42056,7 @@ var init_InteractiveResultsView = __esm({
       const aboveCount = view.viewport;
       const belowCount = groups.length - visibleEnd;
       const nameCol = Math.max(20, innerWidth - 22);
+      const clampedCursor = groups.length > 0 ? Math.min(view.cursor, groups.length - 1) : 0;
       if (showHelp) {
         const isDetail = detailPane !== null;
         return /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Box_default, { flexDirection: "column", children: [
@@ -42194,7 +42295,7 @@ var init_InteractiveResultsView = __esm({
             children: [
               /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Box_default, { justifyContent: "space-between", children: [
                 /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(Text, { bold: true, children: "Flagged Packages" }),
-                /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(Text, { dimColor: true, children: searchQuery ? `${groups.length} of ${allGroupCount}` : `${view.cursor + 1}/${groups.length}` })
+                /* @__PURE__ */ (0, import_jsx_runtime10.jsx)(Text, { dimColor: true, children: searchQuery ? `${groups.length} of ${allGroupCount}` : `${clampedCursor + 1}/${groups.length}` })
               ] }),
               aboveCount > 0 && /* @__PURE__ */ (0, import_jsx_runtime10.jsxs)(Text, { dimColor: true, children: [
                 import_chalk10.default.cyan(" \u2191"),
@@ -42204,7 +42305,7 @@ var init_InteractiveResultsView = __esm({
               ] }),
               visibleGroups.map((group, visIdx) => {
                 const globalIdx = view.viewport + visIdx;
-                const isCursor = globalIdx === view.cursor;
+                const isCursor = globalIdx === clampedCursor;
                 const level = getLevel(globalIdx);
                 const rep = group.packages[0];
                 const { label, color } = actionBadge3(rep.score, config);
@@ -42406,6 +42507,7 @@ var init_ProjectSelector = __esm({
     import_react32 = __toESM(require_react());
     await init_build2();
     import_chalk11 = __toESM(require_source());
+    init_sanitize();
     import_jsx_runtime11 = __toESM(require_jsx_runtime());
     ProjectSelector = ({ projects, onConfirm, onCancel }) => {
       const [cursor, setCursor] = (0, import_react32.useState)(0);
@@ -42458,7 +42560,7 @@ var init_ProjectSelector = __esm({
             prefix,
             check,
             "  ",
-            proj.relativePath.padEnd(40),
+            sanitize(proj.relativePath).padEnd(40),
             " ",
             ecosystemLabel(proj.ecosystem).padEnd(5),
             " ",
@@ -42656,7 +42758,7 @@ init_npm_wrapper();
 import { readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "node:fs";
 import { homedir as homedir3 } from "node:os";
 import { join as join4 } from "node:path";
-import { spawn as spawn2, execSync } from "node:child_process";
+import { spawn as spawn3, execFileSync } from "node:child_process";
 var PKG_NAME = "@westbayberry/dg";
 var CACHE_FILE = join4(homedir3(), ".dg-update-check.json");
 var CHECK_INTERVAL_MS = 24 * 60 * 60 * 1e3;
@@ -42709,7 +42811,7 @@ function isNewer(latest, current) {
 }
 function spawnBackgroundUpdate(version) {
   try {
-    const child = spawn2("npm", ["install", "-g", `${PKG_NAME}@${version}`], {
+    const child = spawn3("npm", ["install", "-g", `${PKG_NAME}@${version}`], {
       detached: true,
       stdio: "ignore"
     });
@@ -42755,7 +42857,7 @@ async function runUpdate(currentVersion) {
   process.stderr.write(chalk10.dim(`  Installing ${PKG_NAME}@${latest}...
 `));
   try {
-    execSync(`npm install -g ${PKG_NAME}@${latest}`, { stdio: "inherit" });
+    execFileSync("npm", ["install", "-g", `${PKG_NAME}@${latest}`], { stdio: "inherit" });
     writeCache({ latest, checkedAt: Date.now() });
     process.stderr.write(
       chalk10.green(`
@@ -42774,6 +42876,10 @@ async function runUpdate(currentVersion) {
 
 // src/bin.ts
 var CLI_VERSION = getVersion();
+process.on("SIGINT", () => {
+  process.stderr.write("\n");
+  process.exit(130);
+});
 var isInteractive = process.stdout.isTTY === true && !process.env.CI && !process.env.NO_COLOR;
 async function main() {
   const rawCommand = process.argv[2];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@westbayberry/dg",
-  "version": "1.0.33",
+  "version": "1.0.34",
   "description": "Supply chain security scanner for npm and Python dependencies — detects malicious packages, typosquatting, dependency confusion, and 26+ attack patterns",
   "bin": {
     "dependency-guardian": "dist/index.mjs",