@westbayberry/dg 2.0.10 → 2.1.0

package/dist/policy/cooldown.js

@@ -0,0 +1,104 @@
+import { parseCooldownAge } from "../config/settings.js";
+export function durationToDays(value) {
+    const trimmed = value.trim();
+    if (trimmed === "" || trimmed === "0" || trimmed === "off") {
+        return 0;
+    }
+    const match = /^([1-9]\d{0,3})(h|d)$/.exec(trimmed);
+    if (!match || !match[1] || !match[2]) {
+        return 0;
+    }
+    const amount = Number.parseInt(match[1], 10);
+    return match[2] === "h" ? amount / 24 : amount;
+}
+export function effectiveCooldownAge(config, env, ecosystem) {
+    const fromEnv = env.DG_COOLDOWN_AGE;
+    if (fromEnv !== undefined) {
+        try {
+            return parseCooldownAge(fromEnv, "DG_COOLDOWN_AGE", false);
+        }
+        catch {
+            // fall through to config: a malformed env override must not change policy
+        }
+    }
+    const perEcosystem = ecosystem === "npm"
+        ? config.cooldown.npmAge
+        : ecosystem === "pypi"
+            ? config.cooldown.pypiAge
+            : config.cooldown.cargoAge;
+    return perEcosystem !== "" ? perEcosystem : config.cooldown.age;
+}
+function normalizePypiName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+}
+export function isCooldownExempt(packageName, exempt, ecosystem) {
+    const name = ecosystem === "pypi" ? normalizePypiName(packageName) : packageName;
+    return exempt
+        .split(",")
+        .map((entry) => entry.trim())
+        .filter(Boolean)
+        .some((pattern) => {
+        const candidate = ecosystem === "pypi" ? normalizePypiName(pattern) : pattern;
+        if (candidate.endsWith("*")) {
+            return name.startsWith(candidate.slice(0, -1));
+        }
+        return name === candidate;
+    });
+}
+export function cooldownRequestParam(config, env, ecosystem, packageName) {
+    const minAgeDays = durationToDays(effectiveCooldownAge(config, env, ecosystem));
+    if (minAgeDays <= 0) {
+        return undefined;
+    }
+    if (packageName && isCooldownExempt(packageName, config.cooldown.exempt, ecosystem)) {
+        return undefined;
+    }
+    return { minAgeDays, onUnknown: config.cooldown.onUnknown };
+}
+export function formatCooldownDuration(days) {
+    const hours = days * 24;
+    if (hours <= 0) {
+        return "0h";
+    }
+    if (hours < 48) {
+        return `${Math.round(hours)}h`;
+    }
+    return `${Math.floor(days)}d`;
+}
+export function formatPackageAge(ageDays) {
+    if (ageDays < 0) {
+        return "in the future";
+    }
+    const hours = ageDays * 24;
+    if (hours < 1) {
+        return "<1h ago";
+    }
+    if (hours < 48) {
+        return `${Math.floor(hours)}h ago`;
+    }
+    return `${Math.floor(ageDays)}d ago`;
+}
+export function describeCooldownSettings(config, env) {
+    if (env.DG_COOLDOWN_AGE !== undefined) {
+        try {
+            const envDays = durationToDays(parseCooldownAge(env.DG_COOLDOWN_AGE, "DG_COOLDOWN_AGE", false));
+            return `${envDays > 0 ? formatCooldownDuration(envDays) : "off"} (DG_COOLDOWN_AGE)`;
+        }
+        catch {
+            // malformed env override is ignored everywhere; describe the config instead
+        }
+    }
+    const baseDays = durationToDays(config.cooldown.age);
+    const base = baseDays > 0 ? formatCooldownDuration(baseDays) : "off";
+    const overrides = ["npm", "pypi", "cargo"]
+        .map((ecosystem) => {
+        const value = ecosystem === "npm" ? config.cooldown.npmAge : ecosystem === "pypi" ? config.cooldown.pypiAge : config.cooldown.cargoAge;
+        if (value === "") {
+            return undefined;
+        }
+        const days = durationToDays(value);
+        return `${ecosystem} ${days > 0 ? formatCooldownDuration(days) : "off"}`;
+    })
+        .filter((entry) => entry !== undefined);
+    return overrides.length > 0 ? `${base} (${overrides.join(", ")})` : base;
+}

package/dist/policy/evaluate.js

@@ -100,18 +100,6 @@ export function applyForceOverride(options, env = process.env) {
         webhookQueued: emitWebhookEvent(event, env)
     };
 }
-export function scriptPolicyArgs(options) {
-    if (!options.policy.scriptHardening && options.policy.mode !== "strict") {
-        return options.existingArgs;
-    }
-    if (hasScriptDisableFlag(options.existingArgs)) {
-        return options.existingArgs;
-    }
-    if (options.manager === "yarn") {
-        return [...options.existingArgs, "--ignore-scripts"];
-    }
-    return [...options.existingArgs, "--ignore-scripts"];
-}
 function findTrustedAllowlist(packageName, policy, allowlists) {
     return allowlists.find((entry) => {
         if (entry.packageName !== packageName) {
@@ -123,6 +111,3 @@ function findTrustedAllowlist(packageName, policy, allowlists) {
         return true;
     });
 }
-function hasScriptDisableFlag(args) {
-    return args.some((arg) => arg === "--ignore-scripts" || arg === "--ignore-scripts=true");
-}

package/dist/presentation/provenance.js

@@ -0,0 +1,23 @@
+export function provenanceLabel(provenance) {
+    if (provenance.status === "attested") {
+        const tag = slsaTag(provenance.predicateType);
+        return tag ? `attested (${tag})` : "attested";
+    }
+    if (provenance.status === "none") {
+        return "none";
+    }
+    return "unknown (not yet checked)";
+}
+export function provenanceDowngradeLine(version, provenance) {
+    if (!provenance.downgrade) {
+        return null;
+    }
+    return `provenance downgraded — ${provenance.downgrade.fromVersion} was attested, ${version} is not`;
+}
+function slsaTag(predicateType) {
+    if (!predicateType) {
+        return null;
+    }
+    const match = /slsa\.dev\/provenance\/(v[0-9][0-9.]*)/.exec(predicateType);
+    return match ? `slsa ${match[1]}` : null;
+}

package/dist/project/dgfile.js

@@ -0,0 +1,307 @@
+import { createHash, randomUUID } from "node:crypto";
+import { existsSync, readFileSync } from "node:fs";
+import { userInfo } from "node:os";
+import { join } from "node:path";
+import { gitTrimmed } from "../util/git.js";
+import { writeJsonAtomic } from "../util/json-file.js";
+export const DG_FILE_NAME = "dg.json";
+export const DECISION_ENTRY_CAP = 500;
+export const DECISION_REASON_MAX = 500;
+const KNOWN_TOP_LEVEL_KEYS = new Set(["version", "scriptApprovals", "decisions"]);
+const KNOWN_SCRIPT_APPROVAL_KEYS = new Set(["npm", "observed"]);
+const SCRIPT_HOOKS = ["preinstall", "install", "postinstall", "gyp"];
+export function dgFilePath(root) {
+    return join(root, DG_FILE_NAME);
+}
+export function findProjectRoot(cwd, env = process.env) {
+    try {
+        return gitTrimmed(["rev-parse", "--show-toplevel"], { cwd, env });
+    }
+    catch {
+        return null;
+    }
+}
+export function emptyDgFile(path) {
+    return { path, exists: false, readable: true, raw: {}, decisions: [], scriptApprovals: emptyScriptApprovals() };
+}
+export function loadDgFile(root) {
+    const path = dgFilePath(root);
+    if (!existsSync(path)) {
+        return emptyDgFile(path);
+    }
+    let raw;
+    try {
+        raw = JSON.parse(readFileSync(path, "utf8"));
+    }
+    catch (error) {
+        return failOpen(path, `malformed JSON (${error instanceof Error ? error.message : "parse error"})`);
+    }
+    if (!isPlainObject(raw)) {
+        return failOpen(path, "top level must be a JSON object");
+    }
+    if (raw.version !== undefined && raw.version !== 1) {
+        return failOpen(path, `unsupported dg.json version ${String(raw.version)}`);
+    }
+    const listed = raw.decisions;
+    if (listed !== undefined && !Array.isArray(listed)) {
+        return failOpen(path, "decisions must be an array");
+    }
+    const entries = Array.isArray(listed) ? listed : [];
+    if (entries.length > DECISION_ENTRY_CAP) {
+        return failOpen(path, `more than ${DECISION_ENTRY_CAP} decisions`);
+    }
+    const approvalsRaw = raw.scriptApprovals;
+    if (approvalsRaw !== undefined && !isPlainObject(approvalsRaw)) {
+        return failOpen(path, "scriptApprovals must be an object");
+    }
+    const decisions = [];
+    for (const entry of entries) {
+        const parsed = parseDecisionEntry(entry);
+        if (parsed) {
+            decisions.push(parsed);
+        }
+    }
+    const approvals = approvalsRaw ?? {};
+    return {
+        path,
+        exists: true,
+        readable: true,
+        raw,
+        decisions,
+        scriptApprovals: {
+            npm: parseEntryMap(approvals.npm, parseApprovalEntry),
+            observed: parseEntryMap(approvals.observed, parseObservedEntry),
+            unknownKeys: unknownKeysOf(approvals, KNOWN_SCRIPT_APPROVAL_KEYS)
+        }
+    };
+}
+export function warnUnreadableDgFile(file, write = (line) => process.stderr.write(line)) {
+    if (!file.readable) {
+        write(`dg: ignoring decisions in ${file.path} — ${file.failure ?? "unreadable"} (no warnings suppressed)\n`);
+    }
+}
+export function appendDecisions(file, additions, now = new Date()) {
+    const added = additions.map((decision) => ({
+        ...decision,
+        id: randomUUID(),
+        reason: decision.reason.slice(0, DECISION_REASON_MAX),
+        acceptedAt: decision.acceptedAt ?? now.toISOString()
+    }));
+    return { ...file, decisions: [...file.decisions, ...added] };
+}
+export function removeDecisions(file, ids) {
+    return { ...file, decisions: file.decisions.filter((entry) => !ids.has(entry.id)) };
+}
+export function saveDgFile(file) {
+    if (!file.readable) {
+        throw new Error(`refusing to rewrite ${file.path}: ${file.failure ?? "unreadable"}`);
+    }
+    const top = unknownKeysOf(file.raw, KNOWN_TOP_LEVEL_KEYS);
+    if (file.decisions.length > 0) {
+        top.decisions = file.decisions.map(serializeDecisionEntry);
+    }
+    const approvals = { ...file.scriptApprovals.unknownKeys };
+    if (Object.keys(file.scriptApprovals.npm).length > 0) {
+        approvals.npm = sortedRecord(file.scriptApprovals.npm);
+    }
+    if (Object.keys(file.scriptApprovals.observed).length > 0) {
+        approvals.observed = sortedRecord(file.scriptApprovals.observed);
+    }
+    if (Object.keys(approvals).length > 0) {
+        top.scriptApprovals = sortedRecord(approvals);
+    }
+    const ordered = { version: 1 };
+    for (const key of Object.keys(top).sort()) {
+        ordered[key] = top[key];
+    }
+    writeJsonAtomic(file.path, ordered, { fileMode: 0o644, dirMode: 0o755 });
+}
+export function resolveAcceptedBy(cwd, env = process.env) {
+    try {
+        const email = gitTrimmed(["config", "user.email"], { cwd, env });
+        if (email) {
+            return email;
+        }
+    }
+    catch {
+        /* fall through */
+    }
+    try {
+        return userInfo().username;
+    }
+    catch {
+        return "unknown";
+    }
+}
+function serializeDecisionEntry(entry) {
+    return {
+        ...entry.extra,
+        id: entry.id,
+        ecosystem: entry.ecosystem,
+        name: entry.name,
+        scope: entry.scope.kind === "exact" ? { kind: "exact", version: entry.scope.version } : { kind: "any" },
+        findings: entry.findings,
+        reason: entry.reason,
+        acceptedBy: entry.acceptedBy,
+        acceptedAt: entry.acceptedAt,
+        ...(entry.expiresAt ? { expiresAt: entry.expiresAt } : {})
+    };
+}
+const ENTRY_FIELDS = new Set(["id", "ecosystem", "name", "scope", "findings", "reason", "acceptedBy", "acceptedAt", "expiresAt"]);
+function parseDecisionEntry(value) {
+    if (!isPlainObject(value)) {
+        return null;
+    }
+    const ecosystem = value.ecosystem;
+    if (ecosystem !== "npm" && ecosystem !== "pypi") {
+        return null;
+    }
+    const name = value.name;
+    if (typeof name !== "string" || name.length === 0) {
+        return null;
+    }
+    const scope = parseScope(value.scope);
+    if (!scope) {
+        return null;
+    }
+    const findings = parseFindings(value.findings);
+    if (!findings) {
+        return null;
+    }
+    const expiresAt = value.expiresAt;
+    if (expiresAt !== undefined && typeof expiresAt !== "string") {
+        return null;
+    }
+    const extra = {};
+    for (const [key, field] of Object.entries(value)) {
+        if (!ENTRY_FIELDS.has(key)) {
+            extra[key] = field;
+        }
+    }
+    return {
+        id: typeof value.id === "string" && value.id.length > 0 ? value.id : derivedEntryId(value),
+        ecosystem,
+        name,
+        scope,
+        findings,
+        reason: typeof value.reason === "string" ? value.reason.slice(0, DECISION_REASON_MAX) : "",
+        acceptedBy: typeof value.acceptedBy === "string" && value.acceptedBy.length > 0 ? value.acceptedBy : "unknown",
+        acceptedAt: typeof value.acceptedAt === "string" ? value.acceptedAt : "",
+        ...(typeof expiresAt === "string" ? { expiresAt } : {}),
+        ...(Object.keys(extra).length > 0 ? { extra } : {})
+    };
+}
+function parseScope(value) {
+    if (!isPlainObject(value)) {
+        return null;
+    }
+    if (value.kind === "any") {
+        return { kind: "any" };
+    }
+    if (value.kind === "exact" && typeof value.version === "string" && value.version.length > 0) {
+        return { kind: "exact", version: value.version };
+    }
+    return null;
+}
+function parseFindings(value) {
+    if (value === undefined) {
+        return {};
+    }
+    if (!isPlainObject(value)) {
+        return null;
+    }
+    const findings = {};
+    for (const [category, severity] of Object.entries(value)) {
+        if (typeof severity !== "number" || !Number.isInteger(severity) || severity < 1 || severity > 5) {
+            return null;
+        }
+        findings[category] = severity;
+    }
+    return findings;
+}
+function derivedEntryId(value) {
+    return createHash("sha256").update(JSON.stringify(value)).digest("hex").slice(0, 12);
+}
+function parseEntryMap(raw, parseEntry) {
+    if (!isPlainObject(raw)) {
+        return {};
+    }
+    const entries = {};
+    for (const [name, value] of Object.entries(raw)) {
+        const parsed = parseEntry(value);
+        if (parsed !== null) {
+            entries[name] = parsed;
+        }
+    }
+    return entries;
+}
+function parseApprovalEntry(value) {
+    if (!isPlainObject(value)) {
+        return null;
+    }
+    const decision = value.decision;
+    if (decision !== "allow" && decision !== "deny") {
+        return null;
+    }
+    if (typeof value.scriptsHash !== "string" || typeof value.approvedAt !== "string") {
+        return null;
+    }
+    const provenance = value.provenance;
+    if (provenance !== "prompt" && provenance !== "command" && provenance !== "imported-pnpm") {
+        return null;
+    }
+    return {
+        decision,
+        scriptsHash: value.scriptsHash,
+        hooks: parseHooks(value.hooks),
+        ...(typeof value.approvedVersion === "string" ? { approvedVersion: value.approvedVersion } : {}),
+        ...(typeof value.reason === "string" ? { reason: value.reason } : {}),
+        approvedAt: value.approvedAt,
+        provenance
+    };
+}
+function parseObservedEntry(value) {
+    if (!isPlainObject(value)) {
+        return null;
+    }
+    if (typeof value.version !== "string" || typeof value.scriptsHash !== "string" || typeof value.firstSeen !== "string") {
+        return null;
+    }
+    return {
+        version: value.version,
+        hooks: parseHooks(value.hooks),
+        scriptsHash: value.scriptsHash,
+        firstSeen: value.firstSeen
+    };
+}
+function parseHooks(raw) {
+    if (!Array.isArray(raw)) {
+        return [];
+    }
+    return SCRIPT_HOOKS.filter((hook) => raw.includes(hook));
+}
+function sortedRecord(record) {
+    const sorted = {};
+    for (const key of Object.keys(record).sort()) {
+        sorted[key] = record[key];
+    }
+    return sorted;
+}
+function unknownKeysOf(raw, known) {
+    const unknown = {};
+    for (const [key, value] of Object.entries(raw)) {
+        if (!known.has(key)) {
+            unknown[key] = value;
+        }
+    }
+    return unknown;
+}
+function isPlainObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function emptyScriptApprovals() {
+    return { npm: {}, observed: {}, unknownKeys: {} };
+}
+function failOpen(path, failure) {
+    return { path, exists: true, readable: false, failure, raw: {}, decisions: [], scriptApprovals: emptyScriptApprovals() };
+}

package/dist/proxy/enforcement.js

@@ -140,6 +140,7 @@ function withOptionalDecisionFields(decision, verdict) {
         ...(verdict.dashboardUrl ? { dashboardUrl: verdict.dashboardUrl } : {}),
         ...(verdict.unauthenticated ? { unauthenticated: true } : {}),
         ...(verdict.resetsAt ? { resetsAt: verdict.resetsAt } : {}),
-        ...(verdict.quotaBehavior ? { quotaBehavior: verdict.quotaBehavior } : {})
+        ...(verdict.quotaBehavior ? { quotaBehavior: verdict.quotaBehavior } : {}),
+        ...(verdict.cooldown ? { cooldown: verdict.cooldown } : {})
     };
 }

package/dist/proxy/metadata-map.js

@@ -202,7 +202,9 @@ function fallbackIdentity(artifactUrl, classification) {
     const ecosystem = ecosystemForManager(classification.manager);
     const parsed = ecosystem === "pypi"
         ? parsePypiArtifactFilename(decodeURIComponent(artifactUrl.pathname.split("/").filter(Boolean).at(-1) ?? "")) ?? parsePackageVersionFromUrl(artifactUrl)
-        : parsePackageVersionFromUrl(artifactUrl);
+        : ecosystem === "cargo"
+            ? parseCargoArtifactUrl(artifactUrl) ?? parsePackageVersionFromUrl(artifactUrl)
+            : parsePackageVersionFromUrl(artifactUrl);
     const requested = requestedIdentityFromArgs(classification, parsed.name);
     return {
         ecosystem,
@@ -213,6 +215,28 @@ function fallbackIdentity(artifactUrl, classification) {
         sourceKind: "url-fallback"
     };
 }
+// crates.io serves downloads at /api/v1/crates/{name}/{version}/download,
+// static.crates.io at /crates/{name}/{version}/download and as
+// {name}-{version}.crate files. Crate versions always start with a digit
+// (semver), so the filename split is unambiguous even for names with dashes.
+function parseCargoArtifactUrl(artifactUrl) {
+    const downloadMatch = /^\/(?:api\/v1\/)?crates\/([^/]+)\/([^/]+)\/download\/?$/.exec(artifactUrl.pathname);
+    if (downloadMatch && downloadMatch[1] && downloadMatch[2]) {
+        return {
+            name: decodeURIComponent(downloadMatch[1]),
+            version: decodeURIComponent(downloadMatch[2])
+        };
+    }
+    const file = decodeURIComponent(artifactUrl.pathname.split("/").filter(Boolean).at(-1) ?? "");
+    if (/\.crate$/i.test(file)) {
+        const stem = file.slice(0, -".crate".length);
+        const match = /^(.+)-(\d[0-9A-Za-z.+-]*)$/.exec(stem);
+        if (match && match[1] && match[2]) {
+            return { name: match[1], version: match[2] };
+        }
+    }
+    return null;
+}
 function parsePackageVersionFromUrl(artifactUrl) {
     const parts = artifactUrl.pathname.split("/").filter(Boolean).map((part) => decodeURIComponent(part));
     const file = parts.at(-1) ?? artifactUrl.hostname;

package/dist/proxy/server.js

@@ -11,6 +11,8 @@ import { createSecureContext, createServer as createTlsServer, connect as tlsCon
 import { createEphemeralCertificateAuthority } from "./ca.js";
 import { shouldMitmHost } from "./classify-host.js";
 import { enforceProtectedInstall } from "./enforcement.js";
+import { cooldownRequestParam } from "../policy/cooldown.js";
+import { loadUserConfig } from "../config/settings.js";
 import { artifactDisplayName, artifactUrlHash, extractRegistryMetadataIdentities, isRegistryIndexRequest, resolveArtifactIdentity } from "./metadata-map.js";
 import { authorityFor, connectViaUpstreamProxy, selectUpstreamProxy } from "./upstream-proxy.js";
 import { redactSecrets } from "../launcher/output-redaction.js";
@@ -625,6 +627,7 @@ async function lookupVerdict(options, target, sha256, upstream, identity) {
     if (shouldUseScanTarball(options, target, identity)) {
         return lookupScanTarballVerdict(options, target, sha256, upstream, identity);
     }
+    const cooldown = resolveCooldownRequest(options.env, identity);
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), options.verdictTimeoutMs ?? installVerdictTimeoutMs(options.env));
     try {
@@ -647,7 +650,8 @@ async function lookupVerdict(options, target, sha256, upstream, identity) {
                 sourceKind: identity.sourceKind,
                 sha256,
                 statusCode: upstream.statusCode,
-                contentType: headerValue(upstream.headers["content-type"])
+                contentType: headerValue(upstream.headers["content-type"]),
+                ...(cooldown ? { cooldown } : {})
             }),
             signal: controller.signal
         });
@@ -762,13 +766,37 @@ function normalizeVerdict(value, target, identity, streamedSha256) {
         };
     }
     const cause = typeof value.cause === "string" ? value.cause : undefined;
+    const cooldown = parseCooldownInfo(value.cooldown);
     return {
         verdict,
         packageName: typeof value.packageName === "string" ? value.packageName : artifactDisplayName(identity) || packageNameFromUrl(target),
         ...(isProxyCause(cause) ? { cause } : {}),
         reason: typeof value.reason === "string" ? value.reason : `API verdict ${verdict}`,
         ...(typeof value.dashboardUrl === "string" ? { dashboardUrl: value.dashboardUrl } : {}),
-        ...(value.unauthenticated === true ? { unauthenticated: true } : {})
+        ...(value.unauthenticated === true ? { unauthenticated: true } : {}),
+        ...(cooldown ? { cooldown } : {})
+    };
+}
+function resolveCooldownRequest(env, identity) {
+    if (identity.ecosystem === "unknown" || identity.version === "unknown") {
+        return undefined;
+    }
+    try {
+        return cooldownRequestParam(loadUserConfig(env), env, identity.ecosystem, identity.name);
+    }
+    catch {
+        return undefined;
+    }
+}
+function parseCooldownInfo(value) {
+    if (!isRecord(value) || typeof value.requiredDays !== "number" || !Number.isFinite(value.requiredDays)) {
+        return undefined;
+    }
+    return {
+        requiredDays: value.requiredDays,
+        ...(typeof value.ageDays === "number" && Number.isFinite(value.ageDays) ? { ageDays: value.ageDays } : {}),
+        ...(typeof value.publishedAt === "string" ? { publishedAt: value.publishedAt } : {}),
+        ...(typeof value.eligibleAt === "string" ? { eligibleAt: value.eligibleAt } : {})
     };
 }
 function normalizeScanTarballVerdict(value, target, identity, streamedSha256) {
@@ -920,6 +948,7 @@ function isProxyCause(value) {
         "api-timeout",
         "registry-timeout",
         "analysis-incomplete",
+        "cooldown",
         "unsupported-manager",
         "proxy-setup-failure"
     ].includes(value ?? "");

package/dist/scan/collect.js

@@ -1,5 +1,6 @@
 import { readdirSync } from "node:fs";
 import { join, relative } from "node:path";
+import { gitIgnoredDirectories } from "./discovery.js";
 import { parseLockfilePackages } from "../verify/preflight.js";
 export const LOCKFILE_ECOSYSTEMS = {
     "package-lock.json": "npm",
@@ -49,11 +50,15 @@ function lockfilesPerEcosystem(entries) {
     }
     return matches;
 }
-function shouldDescend(entry) {
-    return entry.isDirectory() && !IGNORED_DIRECTORIES.has(entry.name) && !entry.name.startsWith(".");
+function shouldDescend(entry, directory, gitIgnored) {
+    return (entry.isDirectory() &&
+        !IGNORED_DIRECTORIES.has(entry.name) &&
+        !entry.name.startsWith(".") &&
+        !gitIgnored.has(join(directory, entry.name)));
 }
 export function discoverScanProjects(root) {
     const projects = [];
+    const gitIgnored = gitIgnoredDirectories(root);
     walk(root, 0);
     return projects;
     function walk(directory, depth) {
@@ -71,7 +76,7 @@ export function discoverScanProjects(root) {
             });
         }
         for (const entry of entries) {
-            if (shouldDescend(entry)) {
+            if (shouldDescend(entry, directory, gitIgnored)) {
                 walk(join(directory, entry.name), depth + 1);
             }
         }
@@ -79,6 +84,7 @@ export function discoverScanProjects(root) {
 }
 export async function discoverScanProjectsAsync(root, onProgress) {
     const projects = [];
+    const gitIgnored = gitIgnoredDirectories(root);
     let lastYield = Date.now();
     await walk(root, 0);
     return projects;
@@ -103,7 +109,7 @@ export async function discoverScanProjectsAsync(root, onProgress) {
             onProgress?.({ path: relativePath === "." ? depFile : `${relativePath}/${depFile}`, found: projects.length });
         }
         for (const entry of entries) {
-            if (shouldDescend(entry)) {
+            if (shouldDescend(entry, directory, gitIgnored)) {
                 await walk(join(directory, entry.name), depth + 1);
             }
         }