@westbayberry/dg 1.0.53 → 1.0.57

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +53 -10
  2. package/dist/index.mjs +5804 -1555
  3. package/package.json +6 -3
package/README.md CHANGED
@@ -1,6 +1,27 @@
1
1
  # @westbayberry/dg
2
2
 
3
- Supply chain security scanner for npm and Python dependencies. Scans lockfile changes for malicious packages, typosquatting, dependency confusion, and credential theft before they reach production.
3
+ Behavioral supply chain security for npm and Python. Reads what packages
4
+ actually do — install hooks, credential access, network exfiltration,
5
+ obfuscation — and gates risky installs before they touch your machine.
6
+
7
+ **35 detectors · 99.66% catch rate on 155,704 packages · 0.66% FPR** —
8
+ [published methodology](https://westbayberry.com/benchmark).
9
+
10
+ ## What `dg` actually does
11
+
12
+ | Surface | What it does | Default mode |
13
+ |---|---|---|
14
+ | `dg npm install <pkg>` | Resolves the full dependency tree (top-level + transitive) without running install scripts, scans every package, then invokes the real `npm install` only if the verdict permits. Top-level versions are pinned to the exact version we scanned. Bare `dg npm install` honors `package-lock.json` pinned versions. | **block** |
15
+ | `dg pip install <pkg>` | Resolves the full pip tree via `pip install --dry-run --report=-` (pip ≥ 23.0); scans the full set before invoking real `pip install`. On older pip, transitive scan is reported as unavailable and (in block mode) the install is refused. | **block** |
16
+ | `dg scan` | Read-only audit. Diffs lockfiles and reports findings. Does **not** block anything by default. | warn |
17
+ | `dg hook install` | Adds a pre-commit hook that runs `dg scan --mode block` when a lockfile change is staged. Quiet when nothing is wrong. | block |
18
+
19
+ For maximum protection in CI/build pipelines, add `--strict` to the install
20
+ wrapper. `--strict` implies `--dg-no-scripts` and refuses any partial-coverage
21
+ scan (transitive enumeration must succeed).
22
+
23
+ DG only activates when you intentionally invoke it, install the hook, or
24
+ run it in CI. It does not globally hijack `npm`/`pip`.
4
25
 
5
26
  ## Install
6
27
 
@@ -14,29 +35,49 @@ Requires Node.js 18+.
14
35
 
15
36
  ```bash
16
37
  dg login
17
- dg scan
38
+ dg scan # read-only audit of the current project
18
39
  ```
19
40
 
20
- `dg scan` finds your lockfiles, diffs against `main`, and sends the changed package names and versions to the Dependency Guardian API. Results come back as a summary with severity, evidence, and safe-version recommendations.
41
+ Scope-truthful output: a clean project shows
42
+ `✓ Dependency Guardian checked 142 packages. No risky behavior found.`
43
+ A flagged install shows only the warn/block packages with one-line
44
+ reasons and a clear next step.
21
45
 
22
- Supports `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`, `requirements.txt`, `Pipfile.lock`, and `poetry.lock`.
46
+ Supports `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`,
47
+ `requirements.txt`, `Pipfile.lock`, and `poetry.lock`.
23
48
 
24
49
  ## Commands
25
50
 
26
51
  ```
27
- dg scan Scan dependencies for supply chain threats
28
- dg npm install <pkg> Scan packages before installing them
52
+ dg scan Read-only audit of the project's lockfiles
53
+ dg status Show your auth state, plan tier, and whether protection is on
29
54
  dg login / logout Manage authentication
30
- dg hook install Install git pre-commit hook
55
+ dg npm install <pkg> Protective install wrapper (default mode: block)
56
+ dg pip install <pkg> Protective install wrapper (default mode: block)
57
+ dg protect Opt this project in to auto-protection on every install
58
+ dg protect off Disable opt-in protection in this project
59
+ dg wrap Print the shell-alias snippet without writing a project marker
60
+ dg hook install Install a git pre-commit hook that gates lockfile diffs
61
+ dg hook uninstall Remove the git pre-commit hook
62
+ dg publish-check Self-scan before `npm publish` / `pip upload`
31
63
  dg update Check for and install the latest version
32
64
  ```
33
65
 
66
+ Full reference: <https://westbayberry.com/docs/cli-reference>
67
+
34
68
  ## Common Options
35
69
 
36
70
  | Flag | Default | Description |
37
71
  |------|---------|-------------|
38
- | `--mode <mode>` | `warn` | `block` / `warn` / `off` |
39
- | `--json` | | Output raw JSON (for CI parsing) |
72
+ | `--mode <mode>` | `warn` for `scan`, `block` for install wrappers | `block` / `warn` / `off` |
73
+ | `--details` | off | Verbose table view (the older format) |
74
+ | `--explain` | off | Plain-English explanation of findings |
75
+ | `--json` | off | Stable machine-readable JSON (CI) |
76
+ | `--ci` | auto when `CI=1` | Deterministic output, no spinners |
77
+ | `--dg-force` | off | Bypass a block (visible in output, audit-friendly) |
78
+ | `--dg-no-scripts` | off | Pass `--ignore-scripts` to the real install |
79
+ | `--strict` | off | Refuse partial-coverage scans + auto `--dg-no-scripts` |
80
+ | `--quiet` | off | Suppress login + update nudges (still prints findings) |
40
81
  | `--workspace <dir>` | | Scan a specific workspace subdirectory |
41
82
 
42
83
  ## Exit Codes
@@ -82,5 +123,7 @@ export DO_NOT_TRACK=1
82
123
  ## Links
83
124
 
84
125
  - [Dashboard](https://westbayberry.com/dashboard)
85
- - [Documentation](https://westbayberry.com/docs)
126
+ - [Documentation](https://westbayberry.com/docs) — setup walkthrough
127
+ - [CLI reference](https://westbayberry.com/docs/cli-reference) — every command and flag
86
128
  - [Pricing](https://westbayberry.com/pricing)
129
+ - [Changelog](https://github.com/WestBayBerry/dependency-guardian-action/blob/main/CHANGELOG.md)