cve-guard-npm 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Naveen Rawat
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,147 @@
+# cve-guard-npm
+
+`cve-guard-npm` is a lifecycle hook guard for npm installs. It automatically scans package install targets for OSV/CVE vulnerabilities before install and audits the resulting dependency tree after install.
+
+## Features
+
+- Pre-install CVE scanning for packages requested with `npm install`
+- Interactive warnings and confirmation when vulnerabilities are detected
+- Post-install audit report using `npm audit --json`
+- Beautiful terminal experience with `chalk`, `boxen`, `cli-table3`, `gradient-string`, and `ora`
+- Works without changing normal npm commands after one-time setup
+- Graceful error handling for offline, malformed input, unsupported npm usage, and audit failures
+- Bonus reputation details for packages: weekly downloads, publish date, maintainers count
+
+## Installation
+
+```bash
+npm install --save-dev cve-guard-npm
+```
+
+## One-time Setup
+
+Add lifecycle scripts to your `package.json`:
+
+```json
+{
+  "scripts": {
+    "preinstall": "cve-guard-npm preinstall",
+    "postinstall": "cve-guard-npm postinstall"
+  }
+}
+```
+
+After setup, every future `npm install` call will trigger the CVE guard automatically.
+
+## Usage
+
+### Normal install
+
+```bash
+npm install express
+```
+
+This will automatically run the preinstall CVE scan for `express`, prompt if vulnerabilities exist, and run `npm audit --json` after install.
+
+### Preinstall flow
+
+If the package scan detects issues, you will see a report and a prompt like:
+
+```text
+Continue installation? (y/n):
+```
+
+If you choose `n`, the install aborts safely.
+
+### Postinstall flow
+
+After install completes, the package runs `npm audit --json` and prints a summary report for detected vulnerabilities.
+
+## Example Output
+
+### Preinstall
+
+```text
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+CVE PRE-INSTALL CHECK
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+Package: lodash
+  • Weekly downloads: 23,000,000
+  • Last publish date: 2024-12-05
+  • Maintainers: 4
+
+┌───────────┬────────────┬──────────────────────────────────────────────────────────┐
+│ Severity  │ CVE / GHSA │ Summary                                                  │
+├───────────┼────────────┼──────────────────────────────────────────────────────────┤
+│ HIGH      │ GHSA-xxxx  │ Prototype Pollution                                       │
+└───────────┴────────────┴──────────────────────────────────────────────────────────┘
+
+Continue installation? (y/n): n
+
+❌ Installation aborted by user.
+```
+
+### Postinstall
+
+```text
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+DEPENDENCY SECURITY REPORT
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+┌───────────┬───────┐
+│ Severity  │ Count │
+├───────────┼───────┤
+│ CRITICAL  │ 1     │
+│ HIGH      │ 2     │
+│ MODERATE  │ 5     │
+│ LOW       │ 1     │
+└───────────┴───────┘
+
+Affected Packages:
+
+┌──────────────────────────┬──────────┬──────────────────────────────┐
+│ Package@Version          │ Severity │ Identifier                   │
+├──────────────────────────┼──────────┼──────────────────────────────┤
+│ lodash@4.17.15           │ high     │ GHSA-xxxx                    │
+└──────────────────────────┴──────────┴──────────────────────────────┘
+```
+
+## Architecture Overview
+
+- `bin/cli.js` - executable entrypoint for `cve-guard-npm`
+- `lib/preinstall.js` - pre-install lifecycle hook logic
+- `lib/postinstall.js` - post-install audit reporting
+- `lib/osv.js` - reusable OSV API integration with retry and timeout support
+- `lib/audit.js` - npm audit execution and JSON parsing
+- `lib/formatter.js` - CLI output formatting and tables
+- `lib/logger.js` - rich boxed headers and log helpers
+- `lib/prompt.js` - interactive confirmation helper
+- `lib/utils.js` - npm argv parsing, package normalization, and package.json helpers
+- `lib/constants.js` - shared configuration values and mappings
+
+## Screenshots
+
+![Screenshot 1](https://via.placeholder.com/800x320?text=Preinstall+Security+Report)
+
+![Screenshot 2](https://via.placeholder.com/800x320?text=Postinstall+Audit+Summary)
+
+## Roadmap
+
+- [ ] Add support for lockfile-aware package resolution
+- [ ] Add optional CI-only enforcement mode
+- [ ] Add config file support for ignore rules
+- [ ] Add support for Yarn and pnpm lifecycle flows
+- [ ] Add package metadata caching to reduce network traffic
+
+## Contributing
+
+1. Fork the repository
+2. Create a branch for your feature or fix
+3. Submit a pull request with tests and documentation
+
+Please follow the existing code style and keep features modular.
+
+## License
+
+MIT

package/bin/cli.js

@@ -0,0 +1,29 @@
+#!/usr/bin/env node
+const { program } = require("commander");
+const pkg = require("../package.json");
+
+program
+  .name("cve-guard-npm")
+  .description("Guard npm installs with pre/post CVE and audit checks.")
+  .version(pkg.version);
+
+program
+  .command("preinstall")
+  .description("Run preinstall CVE check for packages being installed.")
+  .action(async () => {
+    const runPreinstall = require("../lib/preinstall");
+    await runPreinstall();
+  });
+
+program
+  .command("postinstall")
+  .description("Run postinstall audit report for installed dependencies.")
+  .action(async () => {
+    const runPostinstall = require("../lib/postinstall");
+    await runPostinstall();
+  });
+
+program.parseAsync(process.argv).catch((error) => {
+  console.error(error instanceof Error ? error.message : error);
+  process.exit(1);
+});

package/lib/audit.js

@@ -0,0 +1,96 @@
+const { execSync } = require("child_process");
+const { error, warn } = require("./logger");
+
+function parseAuditResults(parsed) {
+  const counts = {
+    critical: 0,
+    high: 0,
+    moderate: 0,
+    low: 0,
+    unknown: 0,
+  };
+
+  const packages = [];
+  const vulnerabilities =
+    parsed.metadata?.vulnerabilities || parsed.vulnerabilities || {};
+
+  if (typeof vulnerabilities === "object") {
+    Object.entries(vulnerabilities).forEach(([pkgName, data]) => {
+      const severity = String(data.severity || "unknown").toLowerCase();
+      counts[severity] = (counts[severity] || 0) + 1;
+      const identifiers = Array.isArray(data.via)
+        ? data.via
+            .map((entry) => {
+              if (typeof entry === "string") {
+                return entry;
+              }
+              return entry.source || entry.title || "unknown";
+            })
+            .join(", ")
+        : "";
+
+      packages.push({
+        packageName: pkgName,
+        version: data.version || "unknown",
+        severity,
+        identifiers: identifiers || "n/a",
+      });
+    });
+  }
+
+  if (parsed.advisories && typeof parsed.advisories === "object") {
+    Object.values(parsed.advisories).forEach((advisory) => {
+      const severity = String(advisory.severity || "unknown").toLowerCase();
+      counts[severity] = (counts[severity] || 0) + 1;
+
+      packages.push({
+        packageName: advisory.module_name || advisory.package || "unknown",
+        version: advisory.patched_versions || "unknown",
+        severity,
+        identifiers: advisory.cves?.join(", ") || advisory.id || "n/a",
+      });
+    });
+  }
+
+  return { severityCounts: counts, packages };
+}
+
+function safeParseJson(value) {
+  try {
+    return JSON.parse(value);
+  } catch (err) {
+    return null;
+  }
+}
+
+async function runAudit() {
+  try {
+    const stdout = execSync("npm audit --json", {
+      stdio: ["pipe", "pipe", "pipe"],
+      encoding: "utf8",
+      timeout: 20000,
+    });
+
+    const parsed = safeParseJson(stdout);
+    if (!parsed) {
+      return { error: "Invalid npm audit JSON response." };
+    }
+
+    return parseAuditResults(parsed);
+  } catch (errorObj) {
+    const stdout = errorObj.stdout ? String(errorObj.stdout) : null;
+    const parsed = stdout ? safeParseJson(stdout) : null;
+
+    if (parsed) {
+      return parseAuditResults(parsed);
+    }
+
+    warn("npm audit failed. Falling back to error details.");
+    error(errorObj.message || "npm audit execution failed.");
+    return { error: errorObj.message || "npm audit execution failed." };
+  }
+}
+
+module.exports = {
+  runAudit,
+};

package/lib/constants.js

@@ -0,0 +1,27 @@
+const SEVERITY_COLORS = {
+  critical: "red",
+  high: "orange",
+  moderate: "yellow",
+  low: "blue",
+  unknown: "gray",
+};
+
+const SEVERITY_ORDER = ["critical", "high", "moderate", "low", "unknown"];
+
+const OSV_ENDPOINT = "https://api.osv.dev/v1/query";
+const NPM_REGISTRY = "https://registry.npmjs.org";
+const NPM_DOWNLOADS = "https://api.npmjs.org/downloads/point/last-week";
+const PACKAGE_MANAGER = "npm";
+const API_TIMEOUT_MS = 10000;
+const API_RETRY_COUNT = 2;
+
+module.exports = {
+  SEVERITY_COLORS,
+  SEVERITY_ORDER,
+  OSV_ENDPOINT,
+  NPM_REGISTRY,
+  NPM_DOWNLOADS,
+  PACKAGE_MANAGER,
+  API_TIMEOUT_MS,
+  API_RETRY_COUNT,
+};

package/lib/formatter.js

@@ -0,0 +1,109 @@
+const chalk = require("chalk");
+const Table = require("cli-table3");
+const gradient = require("gradient-string");
+const { SEVERITY_COLORS, SEVERITY_ORDER } = require("./constants");
+
+function paintSeverity(severity) {
+  const key = String(severity || "unknown").toLowerCase();
+  const color = SEVERITY_COLORS[key] || SEVERITY_COLORS.unknown;
+  return chalk.keyword(color)(String(severity || "UNKNOWN").toUpperCase());
+}
+
+function formatVulnerabilityReport(reports) {
+  const lines = [];
+  reports.forEach((report) => {
+    lines.push(
+      chalk.bold.white(`
+Package: ${report.packageName}`),
+    );
+    if (report.reputation) {
+      lines.push(formatPackageReputationSummary(report.reputation));
+    }
+
+    const table = new Table({
+      head: [
+        chalk.bold("Severity"),
+        chalk.bold("CVE / GHSA"),
+        chalk.bold("Summary"),
+      ],
+      colWidths: [14, 24, 70],
+      wordWrap: true,
+    });
+
+    report.vulnerabilities.forEach((vuln) => {
+      table.push([
+        paintSeverity(vuln.severity),
+        vuln.id,
+        vuln.summary || "No summary available",
+      ]);
+    });
+
+    lines.push(table.toString());
+  });
+
+  return lines.join("\n");
+}
+
+function formatPackageReputationSummary(reputation) {
+  if (!reputation) {
+    return "";
+  }
+
+  const downloads = reputation.weeklyDownloads
+    ? chalk.green(reputation.weeklyDownloads.toLocaleString())
+    : chalk.gray("N/A");
+  const published = reputation.lastPublishDate
+    ? chalk.yellow(
+        new Date(reputation.lastPublishDate).toISOString().split("T")[0],
+      )
+    : chalk.gray("Unknown");
+  const maintainers =
+    reputation.maintainersCount != null
+      ? chalk.cyan(reputation.maintainersCount)
+      : chalk.gray("Unknown");
+
+  return `  • Weekly downloads: ${downloads}\n  • Last publish date: ${published}\n  • Maintainers: ${maintainers}`;
+}
+
+function formatAuditReport(audit) {
+  const { severityCounts, packages } = audit;
+  const severityTable = new Table({
+    head: [chalk.bold("Severity"), chalk.bold("Count")],
+    colWidths: [18, 12],
+  });
+
+  SEVERITY_ORDER.forEach((severity) => {
+    const count = severityCounts[severity] || 0;
+    if (count > 0) {
+      severityTable.push([paintSeverity(severity), chalk.bold(String(count))]);
+    }
+  });
+
+  const packageTable = new Table({
+    head: [
+      chalk.bold("Package@Version"),
+      chalk.bold("Severity"),
+      chalk.bold("Identifier"),
+    ],
+    colWidths: [30, 14, 56],
+    wordWrap: true,
+  });
+
+  packages.forEach((item) => {
+    packageTable.push([
+      `${item.packageName}@${item.version || "unknown"}`,
+      paintSeverity(item.severity),
+      item.identifiers || "n/a",
+    ]);
+  });
+
+  const header = gradient.rainbow("DEPENDENCY SECURITY REPORT");
+  return `${header}\n\n${severityTable.toString()}\n\nAffected Packages:\n${packageTable.toString()}`;
+}
+
+module.exports = {
+  paintSeverity,
+  formatVulnerabilityReport,
+  formatPackageReputationSummary,
+  formatAuditReport,
+};

package/lib/logger.js

@@ -0,0 +1,54 @@
+const chalk = require("chalk");
+const boxen = require("boxen");
+const gradient = require("gradient-string");
+
+function logBox(title, message, options = {}) {
+  const borderColor = options.borderColor || "cyan";
+  const titleText = chalk.bold.cyan(` ${title} `);
+  const content = `${titleText}\n${message}`;
+
+  console.log(
+    boxen(content, {
+      padding: 1,
+      margin: 1,
+      borderColor,
+      borderStyle: "round",
+      float: "center",
+      backgroundColor: "black",
+    }),
+  );
+}
+
+function header(text) {
+  return gradient.cristal.bold(text);
+}
+
+function info(message) {
+  console.log(chalk.cyan(message));
+}
+
+function success(message) {
+  console.log(chalk.green(message));
+}
+
+function warn(message) {
+  console.log(chalk.keyword("orange")(message));
+}
+
+function error(message) {
+  console.error(chalk.red(message));
+}
+
+function strong(message) {
+  return chalk.bold.white(message);
+}
+
+module.exports = {
+  logBox,
+  header,
+  info,
+  success,
+  warn,
+  error,
+  strong,
+};

package/lib/osv.js

@@ -0,0 +1,157 @@
+const axios = require("axios");
+const { warn } = require("./logger");
+const {
+  OSV_ENDPOINT,
+  NPM_REGISTRY,
+  NPM_DOWNLOADS,
+  API_TIMEOUT_MS,
+  API_RETRY_COUNT,
+} = require("./constants");
+
+function deriveSeverity(vuln) {
+  if (!vuln) {
+    return "unknown";
+  }
+
+  const severityBlock = Array.isArray(vuln.severity)
+    ? vuln.severity[0]
+    : vuln.severity;
+  if (severityBlock && typeof severityBlock === "object") {
+    const score = parseFloat(severityBlock.score);
+    if (!Number.isNaN(score)) {
+      if (score >= 9) return "critical";
+      if (score >= 7) return "high";
+      if (score >= 4) return "moderate";
+      return "low";
+    }
+
+    if (severityBlock.type) {
+      const label = String(severityBlock.type).toLowerCase();
+      if (label.includes("critical")) return "critical";
+      if (label.includes("high")) return "high";
+      if (label.includes("moderate")) return "moderate";
+      if (label.includes("low")) return "low";
+    }
+  }
+
+  if (typeof severityBlock === "string") {
+    const label = severityBlock.toLowerCase();
+    if (label.includes("critical")) return "critical";
+    if (label.includes("high")) return "high";
+    if (label.includes("moderate")) return "moderate";
+    if (label.includes("low")) return "low";
+  }
+
+  if (Array.isArray(vuln.aliases)) {
+    const aliasText = vuln.aliases.join(" ").toLowerCase();
+    if (aliasText.includes("cve-")) {
+      return "high";
+    }
+  }
+
+  return "unknown";
+}
+
+async function requestWithRetry(url, payload) {
+  let attempt = 0;
+
+  while (attempt < API_RETRY_COUNT) {
+    try {
+      return await axios.post(url, payload, {
+        timeout: API_TIMEOUT_MS,
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json",
+        },
+      });
+    } catch (error) {
+      attempt += 1;
+      if (attempt >= API_RETRY_COUNT) {
+        throw error;
+      }
+      await new Promise((resolve) => setTimeout(resolve, 500));
+    }
+  }
+
+  throw new Error("OSV request failed after retries");
+}
+
+async function queryOsvForPackage(packageName) {
+  const payload = {
+    package: {
+      name: packageName,
+      ecosystem: "npm",
+    },
+  };
+
+  try {
+    const response = await requestWithRetry(OSV_ENDPOINT, payload);
+    const vulns = Array.isArray(response.data?.vulns)
+      ? response.data.vulns
+      : [];
+    return {
+      packageName,
+      vulnerabilities: vulns.map((vuln) => ({
+        id: String(vuln.id || vuln.aliases?.[0] || "UNKNOWN"),
+        summary: String(
+          vuln.summary || vuln.details || "No summary available",
+        ).trim(),
+        severity: deriveSeverity(vuln),
+        aliases: Array.isArray(vuln.aliases) ? vuln.aliases : [],
+        references: Array.isArray(vuln.references)
+          ? vuln.references.map((ref) => ref.url).filter(Boolean)
+          : [],
+      })),
+    };
+  } catch (error) {
+    warn(
+      `OSV query failed for ${packageName}: ${error.message || "request error"}`,
+    );
+    return {
+      packageName,
+      vulnerabilities: [],
+    };
+  }
+}
+
+async function fetchPackageMetadata(packageName) {
+  const url = `${NPM_REGISTRY}/${encodeURIComponent(packageName)}`;
+  const response = await axios.get(url, { timeout: API_TIMEOUT_MS });
+  return response.data;
+}
+
+async function fetchPackageDownloads(packageName) {
+  const url = `${NPM_DOWNLOADS}/${encodeURIComponent(packageName)}`;
+  const response = await axios.get(url, { timeout: API_TIMEOUT_MS });
+  return response.data;
+}
+
+async function fetchPackageReputation(packageName) {
+  try {
+    const [metadata, downloads] = await Promise.all([
+      fetchPackageMetadata(packageName),
+      fetchPackageDownloads(packageName),
+    ]);
+
+    const latestTag = metadata["dist-tags"]?.latest;
+    const lastPublishDate = metadata.time?.[latestTag] || null;
+
+    return {
+      weeklyDownloads: downloads?.downloads || 0,
+      lastPublishDate,
+      maintainersCount: Array.isArray(metadata.maintainers)
+        ? metadata.maintainers.length
+        : 0,
+    };
+  } catch (error) {
+    warn(
+      `Unable to fetch reputation for ${packageName}: ${error.message || "network failure"}`,
+    );
+    return null;
+  }
+}
+
+module.exports = {
+  queryOsvForPackage,
+  fetchPackageReputation,
+};

package/lib/postinstall.js

@@ -0,0 +1,31 @@
+const ora = require("ora");
+const { runAudit } = require("./audit");
+const { formatAuditReport } = require("./formatter");
+const { logBox, success, warn, error } = require("./logger");
+
+async function runPostinstall() {
+  const spinner = ora("Running npm audit postinstall...").start();
+
+  const auditResult = await runAudit();
+  spinner.stop();
+
+  if (auditResult.error) {
+    warn("npm audit could not complete successfully.");
+    error(auditResult.error);
+    return;
+  }
+
+  if (
+    !Array.isArray(auditResult.packages) ||
+    auditResult.packages.length === 0
+  ) {
+    success("No dependency vulnerabilities found by npm audit.");
+    return;
+  }
+
+  logBox("DEPENDENCY SECURITY REPORT", formatAuditReport(auditResult), {
+    borderColor: "yellow",
+  });
+}
+
+module.exports = runPostinstall;

package/lib/preinstall.js

@@ -0,0 +1,99 @@
+const path = require("path");
+const fs = require("fs-extra");
+const ora = require("ora");
+const {
+  getNpmConfigArgv,
+  extractInstallTargetsFromNpmArgv,
+} = require("./utils");
+const { queryOsvForPackage, fetchPackageReputation } = require("./osv");
+const {
+  formatVulnerabilityReport,
+  formatPackageReputationSummary,
+} = require("./formatter");
+const { logBox, info, success, warn } = require("./logger");
+const { askContinue } = require("./prompt");
+
+async function loadPackageJson() {
+  const packagePath = path.join(process.cwd(), "package.json");
+  if (await fs.pathExists(packagePath)) {
+    try {
+      return await fs.readJson(packagePath);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+
+async function runPreinstall() {
+  const packageJson = await loadPackageJson();
+  const rawArgv = getNpmConfigArgv();
+  const installTargets = extractInstallTargetsFromNpmArgv(rawArgv);
+
+  if (!installTargets.length) {
+    info("No install target packages detected. Skipping CVE pre-install scan.");
+    return;
+  }
+
+  const uniqueTargets = [...new Set(installTargets)];
+  const spinner = ora(
+    "Scanning requested packages for CVE exposure...",
+  ).start();
+  const results = [];
+
+  for (const packageName of uniqueTargets) {
+    spinner.text = `Scanning ${packageName}`;
+    const [osvResult, reputation] = await Promise.all([
+      queryOsvForPackage(packageName),
+      fetchPackageReputation(packageName),
+    ]);
+
+    results.push({
+      packageName,
+      vulnerabilities: osvResult.vulnerabilities,
+      reputation,
+    });
+  }
+
+  spinner.stop();
+
+  const vulnerablePackages = results.filter(
+    (result) => result.vulnerabilities.length > 0,
+  );
+
+  logBox(
+    "CVE PRE-INSTALL CHECK",
+    "Review detected issues before continuing installation.",
+    {
+      borderColor: vulnerablePackages.length > 0 ? "red" : "green",
+    },
+  );
+
+  if (!vulnerablePackages.length) {
+    success("No known CVEs detected for the requested install packages.");
+    return;
+  }
+
+  console.log(formatVulnerabilityReport(vulnerablePackages));
+
+  const reputationInfo = results
+    .filter((result) => result.reputation)
+    .map(
+      (result) =>
+        `\n${result.packageName}\n${formatPackageReputationSummary(result.reputation)}`,
+    )
+    .join("\n");
+
+  if (reputationInfo) {
+    console.log(reputationInfo);
+  }
+
+  const shouldContinue = await askContinue();
+  if (!shouldContinue) {
+    process.exit(1);
+  }
+
+  success("Installation will continue.");
+}
+
+module.exports = runPreinstall;

package/lib/prompt.js

@@ -0,0 +1,41 @@
+const inquirer = require("inquirer");
+const { success, error } = require("./logger");
+
+async function askContinue() {
+  const question = [
+    {
+      type: "input",
+      name: "confirm",
+      message: "Continue installation? (y/n):",
+      validate: (value) => {
+        if (typeof value !== "string") {
+          return "Please enter y or n.";
+        }
+
+        const normalized = value.trim().toLowerCase();
+        if (["y", "yes", "n", "no"].includes(normalized)) {
+          return true;
+        }
+
+        return "Answer must be y/yes or n/no.";
+      },
+      filter: (value) =>
+        typeof value === "string" ? value.trim().toLowerCase() : value,
+    },
+  ];
+
+  const { confirm } = await inquirer.prompt(question);
+  const accepted = ["y", "yes"].includes(confirm);
+
+  if (accepted) {
+    success("✔ Continuing installation...");
+    return true;
+  }
+
+  error("❌ Installation aborted by user.");
+  return false;
+}
+
+module.exports = {
+  askContinue,
+};

package/lib/utils.js

@@ -0,0 +1,103 @@
+function safeJsonParse(value, fallback = null) {
+  if (typeof value !== "string") {
+    return fallback;
+  }
+
+  try {
+    return JSON.parse(value);
+  } catch (error) {
+    return fallback;
+  }
+}
+
+function getNpmConfigArgv() {
+  const rawArgv = process.env.npm_config_argv;
+  if (!rawArgv) {
+    return null;
+  }
+
+  if (typeof rawArgv === "string") {
+    return safeJsonParse(rawArgv, null);
+  }
+
+  if (typeof rawArgv === "object") {
+    return rawArgv;
+  }
+
+  return null;
+}
+
+function normalizePackageToken(token) {
+  if (typeof token !== "string") {
+    return null;
+  }
+
+  const trimmed = token.trim();
+  if (!trimmed || trimmed.startsWith("-")) {
+    return null;
+  }
+
+  if (trimmed.startsWith("@")) {
+    const secondAt = trimmed.indexOf("@", 1);
+    return secondAt > 0 ? trimmed.slice(0, secondAt) : trimmed;
+  }
+
+  const firstAt = trimmed.indexOf("@");
+  return firstAt > 0 ? trimmed.slice(0, firstAt) : trimmed;
+}
+
+function isInstallCommand(argvArray) {
+  if (!Array.isArray(argvArray)) {
+    return false;
+  }
+
+  return argvArray.some((token) => ["install", "i", "add"].includes(token));
+}
+
+function extractInstallTargetsFromNpmArgv(argv) {
+  if (!argv || typeof argv !== "object") {
+    return [];
+  }
+
+  const rawTokens = Array.isArray(argv.original)
+    ? argv.original
+    : Array.isArray(argv.cooked)
+      ? argv.cooked
+      : Array.isArray(argv)
+        ? argv
+        : [];
+
+  if (!isInstallCommand(rawTokens)) {
+    return [];
+  }
+
+  const targets = [];
+  for (const token of rawTokens) {
+    if (typeof token !== "string") {
+      continue;
+    }
+
+    const lower = token.toLowerCase();
+    if (["npm", "install", "i", "add", "update", "audit"].includes(lower)) {
+      continue;
+    }
+
+    if (lower.startsWith("-")) {
+      continue;
+    }
+
+    const pkgName = normalizePackageToken(token);
+    if (pkgName) {
+      targets.push(pkgName);
+    }
+  }
+
+  return targets;
+}
+
+module.exports = {
+  safeJsonParse,
+  getNpmConfigArgv,
+  extractInstallTargetsFromNpmArgv,
+  normalizePackageToken,
+};

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "cve-guard-npm",
+  "version": "1.0.0",
+  "description": "A lifecycle hook guard for npm installs that scans CVEs before package installation and audits dependencies after install.",
+  "author": "Naveen Rawat <naveenrawat51@gmail.com>",
+  "license": "MIT",
+  "bin": {
+    "cve-guard-npm": "./bin/cli.js"
+  },
+  "main": "lib/preinstall.js",
+  "files": [
+    "bin",
+    "lib",
+    "README.md",
+    "LICENSE"
+  ],
+  "keywords": [
+    "npm",
+    "security",
+    "CVE",
+    "audit",
+    "npm-hooks",
+    "osv",
+    "vulnerability"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/naveenrawat51/cve-guard-npm.git"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "axios": "^1.6.0",
+    "boxen": "^7.1.0",
+    "chalk": "^5.3.0",
+    "cli-table3": "^0.6.3",
+    "commander": "^11.0.0",
+    "fs-extra": "^11.1.1",
+    "gradient-string": "^2.0.1",
+    "inquirer": "^9.2.10",
+    "ora": "^7.1.1"
+  }
+}