@yawlabs/npmjs-mcp 0.11.11 → 0.11.13

package/dist/index.js

@@ -31105,8 +31105,12 @@ async function request(baseUrl, path, options) {
         debug(`${method} ${url2} -> ${res.status} ${elapsed}ms`);
         return { ok: true, status: res.status };
       }
-      const data = await res.json();
+      const text = await res.text();
       debug(`${method} ${url2} -> ${res.status} ${elapsed}ms`);
+      if (text.length === 0) {
+        return { ok: true, status: res.status };
+      }
+      const data = JSON.parse(text);
       return { ok: true, status: res.status, data };
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -31469,9 +31473,13 @@ var analysisTools = [
         if (latest) auditMap[name] = [latest];
       }
       let auditData = {};
+      let auditSucceeded = false;
       if (Object.keys(auditMap).length > 0) {
         const auditRes = await registryPost("/-/npm/v1/security/advisories/bulk", auditMap);
-        if (auditRes.ok && auditRes.data) auditData = auditRes.data;
+        if (auditRes.ok && auditRes.data) {
+          auditData = auditRes.data;
+          auditSucceeded = true;
+        }
       }
       const results = partials.map(({ name, pkgRes, dlRes }) => {
         if (!pkgRes.ok) {
@@ -31482,8 +31490,9 @@ var analysisTools = [
         const latest = pkg["dist-tags"]?.latest;
         const latestVersion = latest ? pkg.versions[latest] : void 0;
         const versionKeys = Object.keys(pkg.versions);
+        const wasAudited = auditSucceeded && name in auditMap;
         const advisories = auditData[name];
-        const vulnerabilities = Array.isArray(advisories) ? advisories.length : 0;
+        const vulnerabilities = wasAudited ? Array.isArray(advisories) ? advisories.length : 0 : null;
         return {
           name,
           description: pkg.description,
@@ -31498,7 +31507,8 @@ var analysisTools = [
           hasReadme: !!(pkg.readme && pkg.readme.length > 0),
           repository: pkg.repository,
           homepage: pkg.homepage,
-          vulnerabilities
+          vulnerabilities,
+          auditReliable: wasAudited
         };
       });
       return { ok: true, status: 200, data: { comparison: results } };
@@ -31586,8 +31596,11 @@ var analysisTools = [
           // Holistic single-string verdict layered priority-first: a deprecated
           // package supersedes everything (don't use it), a vulnerable package
           // supersedes maintenance signals (active development doesn't undo a
-          // CVE), then staleness, recency, and the catch-all.
-          assessment: isDeprecated ? "DEPRECATED" : vulnerabilityCount !== null && vulnerabilityCount > 0 ? "VULNERABLE" : isStale ? "STALE" : daysSinceLastPublish !== null && daysSinceLastPublish < 90 ? "ACTIVE" : "MAINTENANCE"
+          // CVE), then AUDIT_UNKNOWN when we couldn't verify vuln status (a 5xx
+          // on the audit endpoint or a packument with no `latest` to audit) --
+          // better to flag the unknown than confidently report ACTIVE on
+          // unverified data. Then staleness, recency, and the catch-all.
+          assessment: isDeprecated ? "DEPRECATED" : vulnerabilityCount !== null && vulnerabilityCount > 0 ? "VULNERABLE" : !auditReliable ? "AUDIT_UNKNOWN" : isStale ? "STALE" : daysSinceLastPublish !== null && daysSinceLastPublish < 90 ? "ACTIVE" : "MAINTENANCE"
         }
       };
     }
@@ -31951,7 +31964,10 @@ var dependencyTools = [
         if (tree[resolvedKey]) return;
         const versionData = pkg.versions[resolvedVersion];
         if (!versionData) {
-          tree[resolvedKey] = { version: resolvedVersion, dependencies: {}, failed: true };
+          if (!failedPackages.has(name)) {
+            failedPackages.add(name);
+            tree[resolvedKey] = { version: resolvedVersion, dependencies: {}, failed: true };
+          }
           return;
         }
         const deps = versionData.dependencies ?? {};
@@ -32141,6 +32157,15 @@ function classifyHookTarget(target) {
   return { type: "package", name: target };
 }
 function validateHookTarget(target) {
+  if (typeof target !== "string" || target.length === 0) {
+    return "Hook target is empty.";
+  }
+  if (target === "~") {
+    return "Hook target '~' is missing the username (use '~your-username').";
+  }
+  if (target === "@") {
+    return "Hook target '@' is missing the scope (use '@scope' or '@scope/pkg').";
+  }
   const { type, name } = classifyHookTarget(target);
   if (type === "owner") return validateUsername(name);
   if (type === "scope") return validateScope(name);
@@ -32663,6 +32688,8 @@ var packageTools = [
       version: external_exports.string().optional().describe("Semver version or dist-tag (default: 'latest')")
     }),
     handler: async (input) => {
+      const nameErr = validatePackageName(input.name);
+      if (nameErr) return { ok: false, status: 400, error: nameErr };
       const ver = input.version ?? "latest";
       let typesPackage;
       if (input.name.startsWith("@")) {
@@ -33242,6 +33269,13 @@ var workflowTools = [
                 });
                 canPublishHeadless = false;
               }
+            } else if (twoFactorAuth === "disabled" && readWriteTokens.length === 0) {
+              checks.push({
+                check: "Token capability",
+                status: "fail",
+                detail: `2FA is disabled but no read-write tokens found out of ${totalTokens} total. Need a token with publish permissions.`
+              });
+              canPublishHeadless = false;
             }
             if (isScoped && scope) {
               checks.push({
@@ -33413,7 +33447,19 @@ var writeTools = [
       for (const v of affected) {
         packument.versions[v].deprecated = input.message;
       }
-      const putRes = await registryPutAuth(`/${encPkg(input.name)}`, packument);
+      if (!packument._rev) {
+        return {
+          ok: false,
+          status: 500,
+          error: `Packument for ${input.name} missing _rev -- cannot deprecate. Try again; this is usually transient.`
+        };
+      }
+      delete packument._revisions;
+      delete packument._attachments;
+      const putRes = await registryPutAuth(
+        `/${encPkg(input.name)}/-rev/${encodeURIComponent(packument._rev)}`,
+        packument
+      );
       if (!putRes.ok) return translateError(putRes, { pkg: input.name, op: "deprecate (write)" });
       return {
         ok: true,
@@ -33463,7 +33509,19 @@ var writeTools = [
       for (const v of affected) {
         packument.versions[v].deprecated = "";
       }
-      const putRes = await registryPutAuth(`/${encPkg(input.name)}`, packument);
+      if (!packument._rev) {
+        return {
+          ok: false,
+          status: 500,
+          error: `Packument for ${input.name} missing _rev -- cannot undeprecate. Try again; this is usually transient.`
+        };
+      }
+      delete packument._revisions;
+      delete packument._attachments;
+      const putRes = await registryPutAuth(
+        `/${encPkg(input.name)}/-rev/${encodeURIComponent(packument._rev)}`,
+        packument
+      );
       if (!putRes.ok) return translateError(putRes, { pkg: input.name, op: "undeprecate (write)" });
       return {
         ok: true,
@@ -34235,7 +34293,7 @@ var writeTools = [
 ];
 
 // src/index.ts
-var version2 = true ? "0.11.11" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.11.13" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "version" || subcommand === "--version" || subcommand === "-v" || subcommand === "-V") {
   console.log(version2);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/npmjs-mcp",
-  "version": "0.11.11",
+  "version": "0.11.13",
   "mcpName": "io.github.YawLabs/npmjs-mcp",
   "description": "npm registry MCP server — package intelligence, security audits, and dependency analysis for AI assistants",
   "license": "MIT",