agentaudit 3.9.39 → 3.9.40

package/cli.mjs

@@ -539,20 +539,17 @@ const SKIP_EXTENSIONS = new Set([
   '.dylib', '.dll', '.exe', '.bin', '.dat', '.db', '.sqlite',
   '.snap', '.patch', '.diff', '.log', '.csv', '.tsv', '.parquet',
 ]);
-// Files that are never security-relevant (config/docs/metadata)
+// Files that are never security-relevant (pure text/metadata only — NO executable files!)
+// Rule: if it CAN execute code (.js, .ts, .mjs, .py etc.), it MUST be scanned.
+// An attacker could hide malware in any executable config file.
 const SKIP_FILES = new Set([
   'license', 'license.md', 'license.txt', 'licence', 'licence.md',
   'changelog.md', 'changelog', 'changes.md', 'history.md',
   'contributing.md', 'contributors.md', 'authors', 'authors.md',
   'code_of_conduct.md', 'security.md', 'funding.yml',
-  '.prettierrc', '.prettierrc.json', '.prettierrc.js', '.prettierignore',
-  '.eslintignore', '.gitignore', '.gitattributes', '.npmignore',
+  '.gitignore', '.gitattributes', '.npmignore', '.dockerignore',
   '.editorconfig', '.browserslistrc', '.nvmrc', '.node-version',
-  '.dockerignore', 'renovate.json', '.renovaterc',
-  'jest.config.js', 'jest.config.ts', 'vitest.config.ts', 'vitest.config.js',
-  '.babelrc', 'babel.config.js', 'babel.config.json',
-  'postcss.config.js', 'postcss.config.mjs', 'tailwind.config.js', 'tailwind.config.ts',
-  'prettier.config.js', 'prettier.config.mjs',
+  '.prettierignore', '.eslintignore',
 ]);
 
 function collectFiles(dir, basePath = '', collected = [], totalSize = { bytes: 0 }) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.9.39",
+  "version": "3.9.40",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {