chain-audit 0.6.5 → 0.6.8

package/README.md

@@ -1,6 +1,6 @@
 # chain-audit
 
-[![CI](https://github.com/hukasx0/chain-audit/actions/workflows/ci.yml/badge.svg)](https://github.com/hukasx0/chain-audit/actions/workflows/ci.yml)
+[![CI](https://github.com/HubertKasperek/chain-audit/actions/workflows/ci.yml/badge.svg)](https://github.com/HubertKasperek/chain-audit/actions/workflows/ci.yml)
 [![npm version](https://img.shields.io/npm/v/chain-audit.svg)](https://www.npmjs.com/package/chain-audit)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Node.js Version](https://img.shields.io/node/v/chain-audit.svg)](https://nodejs.org)
@@ -50,7 +50,7 @@ bun add -d chain-audit
 
 > **Note:** In 99.99% of cases, `npm install -g chain-audit` is sufficient. Standalone executables are only for special cases where Node.js, npm, Bun, or other package managers are unavailable or installation is restricted.
 
-Pre-built standalone executables are available in the [GitHub Releases](https://github.com/hukasx0/chain-audit/releases) for Linux (x64 and ARM64). These are self-contained binaries that don't require Node.js or Bun to be installed.
+Pre-built standalone executables are available in the [GitHub Releases](https://github.com/HubertKasperek/chain-audit/releases) for Linux (x64 and ARM64). These are self-contained binaries that don't require Node.js or Bun to be installed.
 
 **Use cases for standalone executables:**
 - CI/CD environments without Node.js
@@ -62,7 +62,7 @@ You can also compile chain-audit to a standalone binary yourself (For Linux, Win
 
 ```bash
 # Clone the repository
-git clone https://github.com/hukasx0/chain-audit.git
+git clone https://github.com/HubertKasperek/chain-audit.git
 cd chain-audit
 
 # Compile to single executable
@@ -183,7 +183,7 @@ Issues will be displayed sorted by severity (highest first), then by package nam
 ## Example Output
 
 ```
-chain-audit v0.6.5
+chain-audit v0.6.8
 Zero-dependency heuristic scanner CLI to detect supply chain attacks in node_modules
 ────────────────────────────────────────────────────────────
 
@@ -431,7 +431,7 @@ on: [push, pull_request]
 
 jobs:
   scan:
-    uses: hukasx0/chain-audit/.github/workflows/scan.yml@main
+    uses: HubertKasperek/chain-audit/.github/workflows/scan.yml@main
     with:
       fail-on: high
       scan-code: false
@@ -591,11 +591,11 @@ npm rebuild
 
 ## Contributing
 
-**Repository:** [github.com/hukasx0/chain-audit](https://github.com/hukasx0/chain-audit)
+**Repository:** [github.com/HubertKasperek/chain-audit](https://github.com/HubertKasperek/chain-audit)
 
 ```bash
 # Clone and install
-git clone https://github.com/hukasx0/chain-audit.git
+git clone https://github.com/HubertKasperek/chain-audit.git
 cd chain-audit
 npm install
 
@@ -613,7 +613,7 @@ node src/index.js --node-modules /path/to/project/node_modules
 
 Hubert Kasperek
 
-[MIT License](https://github.com/hukasx0/chain-audit/blob/main/LICENSE)
+[MIT License](https://github.com/HubertKasperek/chain-audit/blob/main/LICENSE)
 
 ---
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "chain-audit",
-  "version": "0.6.5",
-  "description": "Zero-dependency heuristic scanner CLI to detect supply chain attacks in node_modules. Scans for malicious install scripts, typosquatting, extraneous packages, lockfile integrity, obfuscated code, executable files, and suspicious code patterns.",
+  "version": "0.6.8",
+  "description": "Zero-dependency heuristic scanner CLI to detect supply chain attacks in node_modules. Detects malicious install scripts, network access, env exfiltration, lockfile integrity, obfuscated code, and suspicious patterns. Works fully offline.",
   "main": "src/index.js",
   "bin": {
     "chain-audit": "src/index.js"
@@ -42,16 +42,16 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/hukasx0/chain-audit.git"
+    "url": "git+https://github.com/HubertKasperek/chain-audit.git"
   },
   "bugs": {
-    "url": "https://github.com/hukasx0/chain-audit/issues"
+    "url": "https://github.com/HubertKasperek/chain-audit/issues"
   },
-  "homepage": "https://github.com/hukasx0/chain-audit#readme",
+  "homepage": "https://github.com/HubertKasperek/chain-audit#readme",
   "engines": {
     "node": ">=18.0.0"
   },
   "devDependencies": {
-    "eslint": "^8.57.0"
+    "eslint": "9.39.2"
   }
 }

package/src/analyzer.js

@@ -286,7 +286,8 @@ function checkLockfileIntegrity(pkg, lockIndex, issues, verbose = false, config
   if (!config.checkLockfile) return;
   if (!lockIndex.lockPresent) return;
 
-  const lockByPath = lockIndex.indexByPath.get(pkg.relativePath);
+  const normalizedRelativePath = normalizePackageRelativePath(pkg.relativePath);
+  const lockByPath = lockIndex.indexByPath.get(normalizedRelativePath);
   const lockByName = lockIndex.indexByName.get(pkg.name);
 
   if (!lockByPath && !lockByName) {
@@ -358,15 +359,16 @@ function checkLockfileIntegrity(pkg, lockIndex, issues, verbose = false, config
 function checkPackageStructureIntegrity(pkg, lockIndex, issues, verbose = false) {
   if (!lockIndex.lockPresent) return;
 
-  const lockByPath = lockIndex.indexByPath.get(pkg.relativePath);
+  const normalizedRelativePath = normalizePackageRelativePath(pkg.relativePath);
+  const lockByPath = lockIndex.indexByPath.get(normalizedRelativePath);
   const lockByName = lockIndex.indexByName.get(pkg.name);
   const lockEntry = lockByPath || lockByName;
 
   if (!lockEntry) return; // Already flagged as extraneous in checkLockfileIntegrity
 
   // Check 1: Package should have a name matching the expected name
-  const expectedName = lockByPath ? extractPackageNameFromPath(pkg.relativePath) : pkg.name;
-  if (pkg.name && pkg.name !== expectedName && !pkg.name.startsWith('@')) {
+  const expectedName = lockByPath ? extractPackageNameFromPath(normalizedRelativePath) : pkg.name;
+  if (pkg.name && pkg.name !== expectedName) {
     const issue = {
       severity: 'high',
       reason: 'package_name_mismatch',
@@ -437,12 +439,28 @@ function checkPackageStructureIntegrity(pkg, lockIndex, issues, verbose = false)
  * Extract expected package name from relative path
  */
 function extractPackageNameFromPath(relativePath) {
-  const parts = relativePath.split('/');
+  const normalized = normalizePackageRelativePath(relativePath);
+  const parts = normalized.split('/').filter(Boolean);
+  if (parts.length === 0) return '';
+
+  // Use the last package segment after the last "node_modules/".
+  // Example: "foo/node_modules/bar" -> "bar".
+  const nodeModulesIndex = parts.lastIndexOf('node_modules');
+  const start = nodeModulesIndex >= 0 ? nodeModulesIndex + 1 : 0;
+  const first = parts[start];
+  const second = parts[start + 1];
+
   // Handle scoped packages (@scope/name)
-  if (parts[0] && parts[0].startsWith('@') && parts.length >= 2) {
-    return `${parts[0]}/${parts[1]}`;
+  if (first && first.startsWith('@') && second) {
+    return `${first}/${second}`;
   }
-  return parts[0];
+
+  return first || '';
+}
+
+function normalizePackageRelativePath(relativePath) {
+  if (!relativePath) return '';
+  return String(relativePath).replace(/\\/g, '/');
 }
 
 /**
@@ -1010,7 +1028,8 @@ function findNativeArtifacts(pkgDir, maxDepth = 3) {
     let entries = [];
     try {
       entries = fs.readdirSync(dir, { withFileTypes: true });
-    } catch {
+    } catch (err) {
+      console.warn(`Warning: Cannot read directory ${dir} while searching for native artifacts: ${err.message}`);
       continue;
     }
 
@@ -1062,10 +1081,10 @@ function checkExecutableFiles(pkg, issues, verbose = false, config = {}) {
     const issue = {
       severity: severity,
       reason: 'executable_files',
-      detail: `Contains executable files (shell scripts, etc.): ${listed}${found.length > 5 ? `, +${found.length - 5} more` : ''}`,
+      detail: `Contains executable files (shell scripts, binaries, etc.): ${listed}${found.length > 5 ? `, +${found.length - 5} more` : ''}`,
       recommendation: suspiciousFiles.length > 0
         ? 'Executable files outside bin/ directory are suspicious and may indicate a supply chain attack. Review immediately.'
-        : 'Shell scripts in bin/ directory are less suspicious but should be reviewed for malicious content.',
+        : 'Shell scripts and binaries in bin/ directory are less suspicious but should be reviewed for malicious content.',
     };
     
     if (verbose) {
@@ -1112,6 +1131,7 @@ function checkExecutableFiles(pkg, issues, verbose = false, config = {}) {
  */
 function findExecutableFiles(pkgDir, maxDepth = 5) {
   const found = [];
+  const binaryFiles = []; // Track binary files that couldn't be read
   const stack = [{ dir: pkgDir, depth: 0 }];
   
   // Executable file extensions - only real executables, not .js (those are scanned by code scanner)
@@ -1135,7 +1155,8 @@ function findExecutableFiles(pkgDir, maxDepth = 5) {
     let entries = [];
     try {
       entries = fs.readdirSync(dir, { withFileTypes: true });
-    } catch {
+    } catch (err) {
+      console.warn(`Warning: Cannot read directory ${dir} while searching for executable files: ${err.message}`);
       continue;
     }
 
@@ -1186,12 +1207,13 @@ function findExecutableFiles(pkgDir, maxDepth = 5) {
                   found.push(fullPath);
                 }
               } catch {
-                // If we can't read content, skip (might be binary)
-                continue;
+                // If we can't read content, it's likely a binary file
+                // Track it as a binary executable (no extension but executable)
+                binaryFiles.push(fullPath);
               }
             }
-          } catch {
-            // Skip files we can't check
+          } catch (err) {
+            console.warn(`Warning: Cannot check file ${fullPath} for executable permissions: ${err.message}`);
             continue;
           }
         }
@@ -1199,6 +1221,9 @@ function findExecutableFiles(pkgDir, maxDepth = 5) {
     }
   }
 
+  // Add binary files to found list (they are executables too)
+  found.push(...binaryFiles);
+
   return found;
 }
 
@@ -1494,137 +1519,106 @@ function checkMetadataAnomalies(pkg, issues, verbose = false) {
 }
 
 /**
- * Check if a match is in a comment, string literal, or regex pattern definition
- * This helps reduce false positives when scanning code that defines detection patterns
+ * Get lexical context right before a character index.
+ * Tracks whether parser is currently in comment or string.
  */
-function isMatchInNonExecutableContext(content, matchIndex, matchLength) {
-  // Get the line containing the match
-  const lines = content.split('\n');
-  let charCount = 0;
-  let lineIndex = 0;
-  let lineStart = 0;
-  
-  for (let i = 0; i < lines.length; i++) {
-    const lineEnd = charCount + lines[i].length;
-    if (matchIndex >= charCount && matchIndex < lineEnd) {
-      lineIndex = i;
-      lineStart = charCount;
-      break;
-    }
-    charCount = lineEnd + 1; // +1 for newline
-  }
-  
-  const line = lines[lineIndex];
-  const matchInLine = matchIndex - lineStart;
-  const lineBeforeMatch = line.slice(0, matchInLine);
-  
-  // Check if it's in a multi-line comment (need to check entire content, not just line)
-  const contentBeforeMatch = content.slice(0, matchIndex);
-  const lastCommentStart = contentBeforeMatch.lastIndexOf('/*');
-  if (lastCommentStart !== -1) {
-    const lastCommentEnd = contentBeforeMatch.lastIndexOf('*/');
-    if (lastCommentEnd < lastCommentStart) {
-      // Comment started but not closed - match is after comment start
-      return true; // In multi-line comment
-    }
-  }
-  
-  // Check if it's in a single-line comment
-  const singleLineCommentIndex = lineBeforeMatch.lastIndexOf('//');
-  if (singleLineCommentIndex !== -1) {
-    // Check if there's no newline between comment and match (same line)
-    const afterComment = lineBeforeMatch.slice(singleLineCommentIndex + 2);
-    if (!afterComment.includes('\n')) {
-      // No newline means we're still on the same line as the comment
-      // Check if there's an unclosed string (which would mean we're not in comment)
-      // But simpler: if // is before match on same line and no newline, we're in comment
-      return true; // In comment
-    }
-  }
-  
-  // Check if it's in a string literal (single, double, or template string)
-  // Need to check entire content before match, not just the line (for multiline strings)
+function getLexicalContextBeforeIndex(content, targetIndex) {
+  let inLineComment = false;
+  let inBlockComment = false;
   let inString = false;
   let stringChar = null;
+  let stringStart = -1;
   let escaped = false;
-  
-  // Check entire content before match for string context
-  for (let i = 0; i < contentBeforeMatch.length; i++) {
-    const char = contentBeforeMatch[i];
-    if (escaped) {
-      escaped = false;
+
+  for (let i = 0; i < targetIndex; i++) {
+    const char = content[i];
+    const nextChar = content[i + 1];
+
+    if (inLineComment) {
+      if (char === '\n') {
+        inLineComment = false;
+      }
       continue;
     }
-    if (char === '\\') {
-      escaped = true;
+
+    if (inBlockComment) {
+      if (char === '*' && nextChar === '/') {
+        inBlockComment = false;
+        i++;
+      }
       continue;
     }
-    if ((char === '"' || char === "'" || char === '`') && !inString) {
+
+    if (inString) {
+      if (escaped) {
+        escaped = false;
+        continue;
+      }
+      if (char === '\\') {
+        escaped = true;
+        continue;
+      }
+      if (char === stringChar) {
+        inString = false;
+        stringChar = null;
+        stringStart = -1;
+      }
+      continue;
+    }
+
+    if (char === '/' && nextChar === '/') {
+      inLineComment = true;
+      i++;
+      continue;
+    }
+
+    if (char === '/' && nextChar === '*') {
+      inBlockComment = true;
+      i++;
+      continue;
+    }
+
+    if (char === '"' || char === '\'' || char === '`') {
       inString = true;
       stringChar = char;
-    } else if (char === stringChar && inString) {
-      inString = false;
-      stringChar = null;
+      stringStart = i;
     }
   }
+
+  return {
+    inLineComment,
+    inBlockComment,
+    inString,
+    stringChar,
+    stringStart,
+  };
+}
+
+/**
+ * Check if a match is in a comment, string literal, or regex pattern definition
+ * This helps reduce false positives when scanning code that defines detection patterns
+ */
+function isMatchInNonExecutableContext(content, matchIndex, matchLength) {
+  const contentBeforeMatch = content.slice(0, matchIndex);
+  const lexicalContext = getLexicalContextBeforeIndex(content, matchIndex);
+
+  if (lexicalContext.inBlockComment || lexicalContext.inLineComment) {
+    return true;
+  }
   
   // If we're in a string, check if match is also in the string
-  if (inString) {
-    // CRITICAL: Don't ignore patterns in strings if they're passed to code execution functions
-    // Malware often uses: eval("process.env.SECRET"), new Function("return process.env.TOKEN")
-    // Check if the string is passed to eval, Function, require, setTimeout, etc.
-    const dangerousContexts = [
-      /\beval\s*\(/,
-      /\bnew\s+Function\s*\(/,
-      /\bFunction\s*\(/,
-      /\brequire\s*\(/,
-      /\bsetTimeout\s*\(/,
-      /\bsetInterval\s*\(/,
-      /\bvm\.runInContext\s*\(/,
-      /\bvm\.runInNewContext\s*\(/,
-      /\bvm\.runInThisContext\s*\(/,
-      /\bvm\.compileFunction\s*\(/,
-    ];
+  if (lexicalContext.inString) {
+    const stringChar = lexicalContext.stringChar;
+    // Don't ignore only when the string is an immediate argument to a dangerous call.
+    // This avoids false positives from descriptive text like "uses eval(), new Function()".
+    const immediateDangerousCall = /(?:\beval|\bFunction|\bnew\s+Function|\brequire|\bsetTimeout|\bsetInterval|\bvm\.(?:runInContext|runInNewContext|runInThisContext|compileFunction))\s*\(\s*$/;
     
-    // Find the start of the string by looking backwards from match
-    let stringStartIndex = -1;
-    let foundQuote = false;
-    for (let i = matchInLine - 1; i >= 0; i--) {
-      if (lineBeforeMatch[i] === stringChar && (i === 0 || lineBeforeMatch[i - 1] !== '\\')) {
-        stringStartIndex = lineStart + i + 1; // +1 to get position after quote
-        foundQuote = true;
-        break;
-      }
-    }
-    
-    if (foundQuote && stringStartIndex !== -1) {
+    const stringStartIndex = lexicalContext.stringStart >= 0 ? lexicalContext.stringStart + 1 : -1;
+    if (stringStartIndex !== -1) {
       // Look backwards from string start to find if it's passed to dangerous function
       const beforeString = content.slice(Math.max(0, stringStartIndex - 200), stringStartIndex);
-      
-      // Check if string is passed to dangerous function
-      for (const dangerousPattern of dangerousContexts) {
-        const dangerousMatch = beforeString.match(dangerousPattern);
-        if (dangerousMatch) {
-          // Check if the dangerous function call is before the string (within reasonable distance)
-          const dangerousIndex = stringStartIndex - beforeString.length + dangerousMatch.index;
-          const distance = stringStartIndex - dangerousIndex;
-          // If dangerous function is within 100 chars before string, don't ignore
-          if (distance < 100 && distance > 0) {
-            return false; // DON'T ignore - this is dangerous!
-          }
-        }
-      }
-      
-      // Also check for require("https://...") pattern specifically
-      if (stringChar === '"' || stringChar === "'") {
-        const requireMatch = beforeString.match(/\brequire\s*\(\s*$/);
-        if (requireMatch) {
-          // String is passed to require() - check if it's a URL
-          const afterMatch = content.slice(matchIndex + matchLength, matchIndex + matchLength + 20);
-          if (/https?:\/\//.test(afterMatch)) {
-            return false; // DON'T ignore - require("https://...") is suspicious!
-          }
-        }
+      if (immediateDangerousCall.test(beforeString)) {
+        return false; // DON'T ignore - string is directly executed
       }
     }
     
@@ -2620,8 +2614,8 @@ function analyzeCode(pkg, config, issues, verbose = false) {
         }
       }
 
-    } catch {
-      // Skip files that can't be read
+    } catch (err) {
+      console.warn(`Warning: Cannot read or analyze file ${filePath}: ${err.message}`);
       continue;
     }
   }
@@ -2661,7 +2655,8 @@ function findJsFiles(dir, maxDepth = 2) {
     let entries = [];
     try {
       entries = fs.readdirSync(currentDir, { withFileTypes: true });
-    } catch {
+    } catch (err) {
+      console.warn(`Warning: Cannot read directory ${currentDir} while searching for JS files: ${err.message}`);
       continue;
     }
 
@@ -2761,21 +2756,33 @@ function extractCodeSnippet(content, pattern, contextLines = 3) {
     const match = lines[i].match(pattern);
     if (match) {
       const isMinified = isMinifiedLine(lines[i]);
+      const obfuscationType = getObfuscationType(pattern);
+      const isBase64 = obfuscationType === 'base64_encoding';
+      const isLongBase64 = isBase64 && match[0].length > 200;
       
-      if (isMinified) {
-        // For minified code, show a truncated snippet around the match
+      if (isMinified || isLongBase64) {
+        // For minified code or long base64, show a truncated snippet around the match
         const matchIndex = match.index;
         const matchLength = match[0].length;
         const line = lines[i];
         
+        // For very long base64 matches, limit how much of the match we show
+        const maxMatchDisplay = isBase64 ? 200 : matchLength; // Show max 200 chars of base64 match
+        const displayMatchLength = Math.min(matchLength, maxMatchDisplay);
+        const matchIsTruncated = isBase64 && matchLength > maxMatchDisplay;
+        
         // Extract context around the match (150 chars before, 150 after)
         const contextBefore = 150;
         const contextAfter = 150;
         const start = Math.max(0, matchIndex - contextBefore);
-        const end = Math.min(line.length, matchIndex + matchLength + contextAfter);
+        const end = Math.min(line.length, matchIndex + displayMatchLength + contextAfter);
         
         const beforeText = start > 0 ? '...' : '';
-        const afterText = end < line.length ? '...' : '';
+        let afterText = '';
+        if (matchIsTruncated || end < line.length) {
+          afterText = '...';
+        }
+        
         const snippetText = beforeText + line.slice(start, end) + afterText;
         
         // Calculate the position of the match marker in the snippet
@@ -2787,12 +2794,15 @@ function extractCodeSnippet(content, pattern, contextLines = 3) {
         const snippetLines = [];
         snippetLines.push(`${linePrefix}${snippetText}`);
         // Add marker pointing to the match (limit to reasonable length)
-        const markerChars = Math.min(matchLength, 15);
+        const markerChars = Math.min(displayMatchLength, 15);
         const markerLine = '        ' + ' '.repeat(markerPadding) + 
                           '^'.repeat(markerChars) + 
                           ` (column ${matchIndex + 1})`;
         snippetLines.push(markerLine);
-        snippetLines.push(`        [Minified code - showing context around match only]`);
+        const contextNote = isBase64 
+          ? '[Base64 encoded data - showing context around match only]'
+          : '[Minified code - showing context around match only]';
+        snippetLines.push(`        ${contextNote}`);
         
         return {
           lineNumber: i + 1,

package/src/collector.js

@@ -13,6 +13,15 @@ const JSON_READ_ERROR = {
   UNKNOWN: 'UNKNOWN',
 };
 
+/**
+ * Normalize relative package paths for lockfile lookups across platforms.
+ * lockfile paths use "/" separators even on Windows.
+ */
+function normalizeRelativePath(relativePath) {
+  if (!relativePath) return '';
+  return String(relativePath).replace(/\\/g, '/');
+}
+
 /**
  * Safely read and parse a JSON file with detailed error information
  * @param {string} filePath - Path to JSON file
@@ -92,7 +101,8 @@ function collectPackages(nodeModulesPath, maxDepth = 10) {
     let realDir;
     try {
       realDir = fs.realpathSync(dir);
-    } catch {
+    } catch (err) {
+      console.warn(`Warning: Cannot resolve real path for ${dir}: ${err.message}`);
       continue;
     }
 
@@ -104,6 +114,7 @@ function collectPackages(nodeModulesPath, maxDepth = 10) {
       entries = fs.readdirSync(dir, { withFileTypes: true });
     } catch (err) {
       // Permission denied or other read error
+      console.warn(`Warning: Cannot read directory ${dir}: ${err.message}`);
       continue;
     }
 
@@ -113,7 +124,7 @@ function collectPackages(nodeModulesPath, maxDepth = 10) {
       if (entry.name === '.bin') continue;
 
       const entryPath = path.join(dir, entry.name);
-      const relPath = relative ? path.join(relative, entry.name) : entry.name;
+      const relPath = normalizeRelativePath(relative ? path.join(relative, entry.name) : entry.name);
 
       if (!entry.isDirectory()) continue;
 
@@ -137,7 +148,8 @@ function processScopedPackage(scopeDir, scopeRel, depth, stack, packages) {
   let scopeEntries = [];
   try {
     scopeEntries = fs.readdirSync(scopeDir, { withFileTypes: true });
-  } catch {
+  } catch (err) {
+    console.warn(`Warning: Cannot read scoped package directory ${scopeDir}: ${err.message}`);
     return;
   }
 
@@ -146,7 +158,7 @@ function processScopedPackage(scopeDir, scopeRel, depth, stack, packages) {
     if (scoped.name.startsWith('.')) continue;
 
     const scopedDir = path.join(scopeDir, scoped.name);
-    const scopedRel = path.join(scopeRel, scoped.name);
+    const scopedRel = normalizeRelativePath(path.join(scopeRel, scoped.name));
     
     processPackage(scopedDir, scopedRel, depth, stack, packages);
   }
@@ -169,13 +181,13 @@ function processPackage(pkgDir, pkgRel, depth, stack, packages) {
     if (fs.existsSync(nestedNodeModules)) {
       stack.push({
         dir: nestedNodeModules,
-        relative: path.join(pkgRel, 'node_modules'),
+        relative: normalizeRelativePath(path.join(pkgRel, 'node_modules')),
         depth: depth + 1,
       });
     }
   } else {
     // Not a package, might be a directory containing packages
-    stack.push({ dir: pkgDir, relative: pkgRel, depth });
+    stack.push({ dir: pkgDir, relative: normalizeRelativePath(pkgRel), depth });
   }
 }
 
@@ -216,7 +228,7 @@ function readPackage(dir, relativePath) {
       license: null,
       publishConfig: null,
       dir,
-      relativePath,
+      relativePath: normalizeRelativePath(relativePath),
       // Error information for security analysis
       _parseError: true,
       _errorType: result.errorType,
@@ -247,7 +259,7 @@ function readPackage(dir, relativePath) {
     publishConfig: pkg.publishConfig || null,
     // Directory info
     dir,
-    relativePath,
+    relativePath: normalizeRelativePath(relativePath),
   };
 }
 

package/src/formatters.js

@@ -84,7 +84,8 @@ function formatText(issues, summary, context) {
     for (const issue of sorted) {
       if (issue.severity !== currentSeverity) {
         currentSeverity = issue.severity;
-        lines.push(color(`── ${currentSeverity.toUpperCase()} ──`, getSeverityColor(issue.severity)));
+        const severityLabel = currentSeverity ? currentSeverity.toUpperCase() : 'UNKNOWN';
+        lines.push(color(`── ${severityLabel} ──`, getSeverityColor(issue.severity)));
       }
 
       const pkgInfo = `${issue.package}@${issue.version}`;
@@ -301,7 +302,7 @@ function formatText(issues, summary, context) {
   lines.push('');
   lines.push(color('─'.repeat(60), colors.dim));
   lines.push(color('chain-audit by Hubert Kasperek • MIT License', colors.dim));
-  lines.push(color('https://github.com/hukasx0/chain-audit', colors.dim));
+  lines.push(color('https://github.com/HubertKasperek/chain-audit', colors.dim));
   lines.push('');
   lines.push(color('Disclaimer: Licensed under MIT License, provided "AS IS" without warranty.', colors.dim));
   lines.push(color('The author makes no guarantees and takes no responsibility for false', colors.dim));
@@ -315,6 +316,9 @@ function formatText(issues, summary, context) {
  * Get ANSI color code for severity
  */
 function getSeverityColor(severity) {
+  if (severity === null || severity === undefined) {
+    return colors.dim;
+  }
   switch (severity) {
     case 'critical': return colors.magenta;
     case 'high': return colors.red;
@@ -414,7 +418,7 @@ function formatSarif(issues, summary, context) {
           driver: {
             name: 'chain-audit',
             version: context.version || '1.0.0',
-            informationUri: 'https://github.com/hukasx0/chain-audit',
+            informationUri: 'https://github.com/HubertKasperek/chain-audit',
             rules: generateSarifRules(),
           },
         },

package/src/index.js

@@ -25,7 +25,7 @@ const { color, colors } = require('./utils');
 
 const pkgMeta = (safeReadJSONWithDetails(path.join(__dirname, '..', 'package.json')).data) || {};
 
-function detectDefaultLockfile(cwd) {
+function detectDefaultLockfile(searchStartDirs) {
   const candidates = [
     'package-lock.json',
     'npm-shrinkwrap.json',
@@ -33,10 +33,31 @@ function detectDefaultLockfile(cwd) {
     'pnpm-lock.yaml',
     'bun.lock',
   ];
-  for (const candidate of candidates) {
-    const full = path.resolve(cwd, candidate);
-    if (fs.existsSync(full)) return full;
+
+  const starts = Array.isArray(searchStartDirs) ? searchStartDirs : [searchStartDirs];
+  const visited = new Set();
+
+  for (const start of starts) {
+    if (!start) continue;
+
+    let currentDir = path.resolve(start);
+    while (true) {
+      if (!visited.has(currentDir)) {
+        visited.add(currentDir);
+        for (const candidate of candidates) {
+          const full = path.join(currentDir, candidate);
+          if (fs.existsSync(full) && fs.statSync(full).isFile()) {
+            return full;
+          }
+        }
+      }
+
+      const parent = path.dirname(currentDir);
+      if (parent === currentDir) break;
+      currentDir = parent;
+    }
   }
+
   return null;
 }
 
@@ -120,7 +141,8 @@ function run(argv = process.argv) {
   }
 
   // Resolve lockfile
-  const resolvedLock = config.lockPath || detectDefaultLockfile(process.cwd());
+  const scanRoot = path.dirname(config.nodeModules);
+  const resolvedLock = config.lockPath || detectDefaultLockfile([scanRoot, process.cwd()]);
   const lockIndex = buildLockIndex(resolvedLock);
 
   // Collect and analyze packages
@@ -157,6 +179,7 @@ function run(argv = process.argv) {
   }
 
   const summary = summarize(filteredIssues);
+  const overallSummary = summarize(issues);
   const context = {
     nodeModules: config.nodeModules,
     lockfile: lockIndex.lockPresent ? resolvedLock : null,
@@ -187,7 +210,7 @@ function run(argv = process.argv) {
   const severityOrder = ['info', 'low', 'medium', 'high', 'critical'];
   const rankSeverity = (level) => level === null ? -1 : severityOrder.indexOf(level);
 
-  if (config.failOn && summary.maxSeverity !== null && rankSeverity(summary.maxSeverity) >= rankSeverity(config.failOn)) {
+  if (config.failOn && overallSummary.maxSeverity !== null && rankSeverity(overallSummary.maxSeverity) >= rankSeverity(config.failOn)) {
     return { exitCode: 1, issues, summary };
   }
 
@@ -315,7 +338,7 @@ ${color('DISCLAIMER:', colors.bold)}
   manually and use as part of defense-in-depth.
 
 ${color('MORE INFO:', colors.bold)}
-  https://github.com/hukasx0/chain-audit
+  https://github.com/HubertKasperek/chain-audit
 `;
   console.log(text);
 }

package/src/lockfile.js

@@ -594,7 +594,8 @@ function computePackageIntegrity(pkgDir, algorithm = 'sha512') {
     const hash = crypto.createHash(algorithm);
     hash.update(content);
     return hash.digest('base64');
-  } catch {
+  } catch (err) {
+    console.warn(`Warning: Cannot compute package integrity for ${pkgDir}: ${err.message}`);
     return null;
   }
 }
@@ -657,7 +658,8 @@ function computeFileIntegrity(filePath, algorithm = 'sha512') {
     const hash = crypto.createHash(algorithm);
     hash.update(content);
     return `${algorithm}-${hash.digest('base64')}`;
-  } catch {
+  } catch (err) {
+    console.warn(`Warning: Cannot compute file integrity for ${filePath}: ${err.message}`);
     return null;
   }
 }