dep-drift-sec 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,116 @@
+# dep-drift-sec
+
+**Production-grade security and stability guardrails for your Node.js dependencies.**
+
+`dep-drift-sec` is an open-source CLI tool designed to prevent production breakage and identify supply-chain risks. It bridges the gap between basic vulnerability scanners and manual audits by focusing on **dependency drift**, **transitive relationships**, and **maintenance heuristics**.
+
+> [!NOTE]
+> The CLI is open-source and works entirely offline/locally without any mandatory backend service.
+
+---
+
+## Key Features
+
+- **Drift Protection**: Detects flexible version ranges (`^`, `~`) in `package.json` and transitive version conflicts that cause "works on my machine" bugs.
+- **Transitive Visibility**: Explicitly surfaces the full dependency chain for every risky package found.
+- **Maintenance Heuristics**: 
+  - **Unmaintained**: Identifies packages not updated in the last 18 months.
+  - **Deprecated**: Alerts on packages officially marked as deprecated by maintainers.
+  - **Single-Maintainer**: Highlights potential single-point-of-failure risks in your supply chain.
+- **CI/CD Ready**: Machine-readable JSON output and standardized exit codes for easy pipeline integration.
+
+---
+
+## Getting Started
+
+### Installation (Development)
+```bash
+npm install
+npm run build
+```
+
+### Usage
+
+#### Using `npx` (Recommended for CI/Production)
+```bash
+# Run a check on the current directory
+npx dep-drift-sec check
+
+# Run with JSON output and SaaS-ready flag
+npx dep-drift-sec check --json --upload
+
+# Check a specific project path
+npx dep-drift-sec check --path ./my-project
+```
+
+#### Using Local Scripts
+```bash
+# Quick scan (requires local build)
+npm run scan
+
+# Direct execution
+node dist/cli/index.js check
+```
+
+---
+
+## Scan Results Contract (v1.0)
+
+When run with `--json`, the CLI produces a versioned, stable JSON structure.
+
+### Example Output
+```json
+{
+  "meta": {
+    "schemaVersion": "1.0",
+    "scanId": "550e8400-e29b-41d4-a716-446655440000",
+    "projectName": "my-project",
+    "projectId": "a3f5b2c...",
+    "generatedAt": "2026-01-17T20:55:00Z"
+  },
+  "summary": {
+    "driftCount": 0,
+    "securityCount": 1,
+    "riskLevel": "medium",
+    "riskReason": "1 dependency has security or drift issues, increasing breakage and security risk.",
+    "recommendedAction": "warn",
+    "recommendedExitCode": 2
+  },
+  "drift": [],
+  "security": [
+    {
+      "dependencyName": "example-pkg",
+      "transitive": true,
+      "introducedBy": ["direct-parent"],
+      "description": "An example package",
+      "issues": [
+        {
+          "type": "unmaintained",
+          "reason": "Last update was 70 months ago.",
+          "riskLevel": "medium",
+          "details": { "lastUpdate": "2020-03-04" }
+        }
+      ],
+      "overallRisk": "medium"
+    }
+  ]
+}
+```
+
+---
+
+## CI/CD Integration (Exit Codes)
+
+| Code | Meaning | Outcome |
+| :--- | :--- | :--- |
+| `0` | **OK** | No drift or security issues found. |
+| `1` | **Drift Detected** | Version ranges found in `package.json`. |
+| `2` | **Security Issue** | Heuristics triggered (unmaintained, etc). |
+| `3` | **Mixed Issues** | Both drift and security issues present. |
+| `4` | **Internal Error** | Missing files or runtime failure. |
+
+---
+
+## License
+
+MIT - See [LICENSE](./LICENSE) for details.

package/dist/adapters/fs-loader.js

@@ -0,0 +1,17 @@
+import fs from 'fs/promises';
+import path from 'path';
+export async function loadProjectData(projectPath) {
+    const packageJsonPath = path.join(projectPath, 'package.json');
+    const packageLockPath = path.join(projectPath, 'package-lock.json');
+    try {
+        const packageJsonContent = await fs.readFile(packageJsonPath, 'utf8');
+        const packageLockContent = await fs.readFile(packageLockPath, 'utf8');
+        return {
+            packageJson: JSON.parse(packageJsonContent),
+            packageLock: JSON.parse(packageLockContent),
+        };
+    }
+    catch (error) {
+        throw new Error(`Failed to load project data from ${projectPath}: ${error.message}`);
+    }
+}

package/dist/adapters/npm-registry.js

@@ -0,0 +1,30 @@
+import axios from 'axios';
+const REGISTRY_URL = 'https://registry.npmjs.org';
+export async function fetchNpmMetadata(packageName) {
+    try {
+        const response = await axios.get(`${REGISTRY_URL}/${packageName}`, {
+            timeout: 5000,
+        });
+        return response.data;
+    }
+    catch (error) {
+        // If not found or error, return null (might be private or deleted)
+        return null;
+    }
+}
+export async function fetchAllMetadata(packageNames) {
+    const metadataMap = {};
+    // For MVP, we fetch sequentially or in small chunks to avoid registry rate limits
+    // but since we might have many transitive deps, we'll do them in parallel with a limit if needed.
+    // Here we'll just do a simple Promise.all for now.
+    const results = await Promise.all(packageNames.map(async (name) => {
+        const meta = await fetchNpmMetadata(name);
+        return { name, meta };
+    }));
+    for (const { name, meta } of results) {
+        if (meta) {
+            metadataMap[name] = meta;
+        }
+    }
+    return metadataMap;
+}

package/dist/cli/index.js

@@ -0,0 +1,131 @@
+#!/usr/bin/env node
+import { Command } from 'commander';
+import path from 'path';
+import crypto from 'crypto';
+import { loadProjectData } from '../adapters/fs-loader.js';
+import { fetchAllMetadata } from '../adapters/npm-registry.js';
+import { detectDrift } from '../core/drift.js';
+import { analyzeSecurity } from '../core/security.js';
+import { formatConsoleReport } from '../report/console-report.js';
+import { formatJsonReport } from '../report/json-report.js';
+import { buildDependencyGraph } from '../core/graph.js';
+const program = new Command();
+program
+    .name('dep-drift-sec')
+    .description('Detect dependency drift and basic security risks')
+    .version('1.0.0');
+program
+    .command('check')
+    .description('Run drift and security checks on the current project')
+    .option('--json', 'Output report in JSON format')
+    .option('--path <path>', 'Path to the Node project', '.')
+    .option('--upload', 'Upload results to SaaS (reserved)')
+    .action(async (options) => {
+    try {
+        if (options.upload) {
+            console.warn('Warning: Upload is not enabled in the open-source CLI.');
+        }
+        const projectPath = path.resolve(process.cwd(), options.path);
+        const project = await loadProjectData(projectPath);
+        // Generate stable projectId from lockfile content
+        const lockfileContent = JSON.stringify(project.packageLock);
+        const projectId = crypto.createHash('sha256').update(lockfileContent).digest('hex');
+        const scanId = crypto.randomUUID();
+        const generatedAt = new Date().toISOString();
+        // 1. Extract unique deps for metadata fetching
+        const lockPackages = project.packageLock.packages || {};
+        const uniqueDeps = new Set();
+        for (const p of Object.keys(lockPackages)) {
+            if (p === '' || !p.startsWith('node_modules/'))
+                continue;
+            uniqueDeps.add(p.split('node_modules/').pop());
+        }
+        // 2. Fetch metadata
+        const metadataMap = await fetchAllMetadata(Array.from(uniqueDeps));
+        // 3. Build normalized graph
+        const graph = buildDependencyGraph(project, metadataMap, 'local');
+        // 4. Analyze
+        const driftGroups = detectDrift(graph);
+        const securityGroups = analyzeSecurity(graph);
+        // 5. Calculate Summary Totals
+        const totalDriftIssues = driftGroups.reduce((acc, g) => acc + g.issues.length, 0);
+        const uniqueSecurityDeps = securityGroups.length;
+        // 6. Determine overall risk factors
+        let overallRisk = 'low';
+        let riskReason = 'No significant risks detected. Your dependencies appear healthy.';
+        let recommendedAction = 'allow';
+        const affectedDeps = new Set([
+            ...securityGroups.map(g => g.dependencyName),
+            ...driftGroups.map(g => g.dependencyName)
+        ]);
+        const affectedCount = affectedDeps.size;
+        const transitiveCount = [
+            ...securityGroups.filter(g => g.transitive),
+            ...driftGroups.filter(g => g.transitive && !securityGroups.some(sg => sg.dependencyName === g.dependencyName))
+        ].length;
+        if (affectedCount > 0) {
+            const transText = transitiveCount > 0 ? ` (${transitiveCount} transitive)` : "";
+            riskReason = `${affectedCount} dependenc${affectedCount > 1 ? 'ies have' : 'y has'} security or drift issues${transText}, increasing breakage and security risk.`;
+        }
+        if (securityGroups.some(g => g.overallRisk === 'high')) {
+            overallRisk = 'high';
+            recommendedAction = 'block';
+        }
+        else if (securityGroups.some(g => g.overallRisk === 'medium') || driftGroups.length > 0) {
+            overallRisk = 'medium';
+            recommendedAction = 'warn';
+        }
+        else if (securityGroups.some(g => g.overallRisk === 'low')) {
+            overallRisk = 'low';
+            recommendedAction = 'allow';
+        }
+        // 7. Determine Exit Code (Preserved logic)
+        let exitCode = 0;
+        if (totalDriftIssues > 0 && securityGroups.length > 0)
+            exitCode = 3;
+        else if (totalDriftIssues > 0)
+            exitCode = 1;
+        else if (securityGroups.length > 0)
+            exitCode = 2;
+        const report = {
+            meta: {
+                schemaVersion: "1.0",
+                scanId,
+                projectName: project.packageJson.name || 'unknown',
+                projectId,
+                generatedAt,
+            },
+            summary: {
+                driftCount: totalDriftIssues,
+                securityCount: uniqueSecurityDeps,
+                riskLevel: overallRisk,
+                riskReason,
+                recommendedAction,
+                recommendedExitCode: exitCode,
+            },
+            drift: driftGroups,
+            security: securityGroups,
+        };
+        if (options.json) {
+            process.stdout.write(formatJsonReport(report) + '\n');
+        }
+        else {
+            process.stdout.write(formatConsoleReport(report) + '\n');
+        }
+        process.exitCode = exitCode;
+    }
+    catch (error) {
+        if (!options.json) {
+            console.error(`Error: ${error.message}`);
+        }
+        else {
+            // In JSON mode, we should still output valid JSON if possible,
+            // but for a fatal initialization error, we'll just exit with code 4.
+            // The requirements say "JSON output is always valid when --json is passed",
+            // so let's try to wrap the error.
+            process.stdout.write(JSON.stringify({ error: error.message, exitCode: 4 }) + '\n');
+        }
+        process.exitCode = 4;
+    }
+});
+program.parse(process.argv);

package/dist/core/drift.js

@@ -0,0 +1,52 @@
+export function detectDrift(graph) {
+    const groups = [];
+    const groupMap = new Map();
+    const getGroup = (name) => {
+        if (!groupMap.has(name)) {
+            const node = graph.dependencies.find(d => d.name === name);
+            const group = {
+                dependencyName: name,
+                transitive: node?.transitive ?? false,
+                introducedBy: node?.introducedBy ?? [],
+                issues: []
+            };
+            groupMap.set(name, group);
+            groups.push(group);
+        }
+        return groupMap.get(name);
+    };
+    for (const node of graph.dependencies) {
+        // 1. Check for ^ or ~ on direct dependencies
+        if (!node.transitive) {
+            const range = node.version;
+            if (range.startsWith('^') || range.startsWith('~')) {
+                getGroup(node.name).issues.push({
+                    dependencyName: node.name,
+                    type: 'range-usage',
+                    expected: range,
+                    actual: range,
+                    reason: `The dependency "${node.name}" uses a "${range[0]}" symbol (e.g., ^ or ~). This means npm might automatically install a newer version. To ensure everyone uses the exact same version, it is better to use a fixed version (e.g., "1.2.3" instead of "${range}").`
+                });
+            }
+        }
+    }
+    // 2. Detect multiple versions of the same dependency (Transitive Drift)
+    const versionMap = {};
+    for (const node of graph.dependencies) {
+        if (!versionMap[node.name])
+            versionMap[node.name] = new Set();
+        versionMap[node.name].add(node.resolvedVersion);
+    }
+    for (const [name, versions] of Object.entries(versionMap)) {
+        if (versions.size > 1) {
+            getGroup(name).issues.push({
+                dependencyName: name,
+                type: 'transitive-drift',
+                expected: Array.from(versions)[0],
+                actual: Array.from(versions).join(', '),
+                reason: `Multiple versions of "${name}" are present in your project (${Array.from(versions).join(', ')}). This often happens when different libraries require incompatible versions of the same dependency. This can increase project size and cause unpredictable bugs.`
+            });
+        }
+    }
+    return groups.filter(g => g.issues.length > 0);
+}

package/dist/core/graph.js

@@ -0,0 +1,73 @@
+export function buildDependencyGraph(project, metadataMap, environment = 'local') {
+    const { packageJson, packageLock } = project;
+    const dependencies = [];
+    const lockPackages = packageLock.packages || {};
+    const directDeps = {
+        ...(packageJson.dependencies || {}),
+        ...(packageJson.devDependencies || {})
+    };
+    // Build a map of dependency name -> list of parents that require it
+    // We use both the path (for nested npm v3 style) AND the dependencies field (for flat npm v7+ style)
+    const parentMap = {};
+    for (const [path, pkg] of Object.entries(lockPackages)) {
+        // 1. From Path Nesting (Fallback for minimized lockfiles or npm < 7)
+        const pathParts = path.split('node_modules/');
+        if (pathParts.length > 2) {
+            const depName = pathParts[pathParts.length - 1];
+            const parentName = pathParts[pathParts.length - 2].replace(/\/$/, '');
+            if (!parentMap[depName])
+                parentMap[depName] = new Set();
+            parentMap[depName].add(parentName);
+        }
+        // 2. From dependencies field (Standard npm behavior)
+        const currentPkgName = path === '' ? (packageJson.name || 'root') : path.split('node_modules/').pop();
+        const pkgDeps = {
+            ...(pkg.dependencies || {}),
+            ...(pkg.devDependencies || {}),
+            ...(pkg.optionalDependencies || {})
+        };
+        for (const depName of Object.keys(pkgDeps)) {
+            if (!parentMap[depName])
+                parentMap[depName] = new Set();
+            parentMap[depName].add(currentPkgName);
+        }
+    }
+    // Process nodes
+    const processedNodes = new Map();
+    for (const [path, pkg] of Object.entries(lockPackages)) {
+        if (path === '')
+            continue; // Skip root
+        if (path.startsWith('node_modules/')) {
+            const name = path.split('node_modules/').pop();
+            // If we have multiple paths for the same package (transitive drift),
+            // we'll handle them as separate nodes if their versions differ,
+            // but usually buildDependencyGraph has been flat-ish so far.
+            // Let's keep it simple: one node per unique package name from the lockfile's perspective.
+            const versionRange = directDeps[name] || pkg.version;
+            const isTransitive = !directDeps[name];
+            const meta = metadataMap[name];
+            // Direct parents are those who have this dependency in their path segment
+            // but we filter out 'root' for the introducedBy array as requested previously
+            // actually, if it's transitive, we want the non-root parents.
+            const parents = Array.from(parentMap[name] || []).filter(p => p !== (packageJson.name || 'root'));
+            dependencies.push({
+                name,
+                version: typeof versionRange === 'string' ? versionRange : pkg.version,
+                resolvedVersion: pkg.version,
+                transitive: isTransitive,
+                introducedBy: parents,
+                metadata: {
+                    lastPublish: meta?.time?.[meta['dist-tags']?.latest],
+                    maintainers: meta?.maintainers?.length,
+                    deprecated: meta?.deprecated,
+                    description: meta?.description,
+                },
+            });
+        }
+    }
+    return {
+        root: packageJson.name || 'root',
+        environment,
+        dependencies,
+    };
+}

package/dist/core/security.js

@@ -0,0 +1,78 @@
+export function analyzeSecurity(graph) {
+    const groups = [];
+    const now = new Date();
+    const eighteenMonthsAgo = new Date();
+    eighteenMonthsAgo.setMonth(now.getMonth() - 18);
+    // We check each unique dependency name in the graph
+    const dependencyMap = new Map();
+    for (const node of graph.dependencies) {
+        if (dependencyMap.has(node.name))
+            continue;
+        const { metadata } = node;
+        const issues = [];
+        // 1. Deprecated
+        if (metadata.deprecated) {
+            issues.push({
+                type: 'deprecated',
+                reason: `The author of "${node.name}" has marked this library as obsolete (deprecated). Message: "${metadata.deprecated}". It is highly recommended to find a modern alternative as it will likely no longer receive updates.`,
+                riskLevel: 'high',
+                details: {
+                    message: metadata.deprecated,
+                    latestVersion: node.resolvedVersion,
+                    description: metadata.description
+                }
+            });
+        }
+        // 2. Unmaintained
+        if (metadata.lastPublish) {
+            const lastPublishDate = new Date(metadata.lastPublish);
+            if (lastPublishDate < eighteenMonthsAgo) {
+                const monthsSince = Math.round((now.getTime() - lastPublishDate.getTime()) / (1000 * 60 * 60 * 24 * 30.44));
+                issues.push({
+                    type: 'unmaintained',
+                    reason: `The last update for "${node.name}" was on ${lastPublishDate.toLocaleDateString()} (more than 18 months ago). A library that is no longer updated may contain unpatched security vulnerabilities or become incompatible with newer Node.js versions.`,
+                    riskLevel: 'medium',
+                    details: {
+                        lastUpdate: lastPublishDate.toISOString().split('T')[0],
+                        monthsSinceLastUpdate: monthsSince,
+                        version: node.resolvedVersion,
+                        description: metadata.description
+                    }
+                });
+            }
+        }
+        // 3. Single maintainer
+        if (metadata.maintainers === 1) {
+            issues.push({
+                type: 'single-maintainer',
+                reason: `"${node.name}" is managed by only one person. This is risky because if this person stops maintaining it or if their account is compromised, there is no one else to fix issues quickly.`,
+                riskLevel: 'low',
+                details: {
+                    maintainerCount: 1,
+                    description: metadata.description
+                }
+            });
+        }
+        if (issues.length > 0) {
+            // Calculate overallRisk
+            const riskOrder = { 'low': 0, 'medium': 1, 'high': 2 };
+            let overallRisk = 'low';
+            for (const issue of issues) {
+                if (riskOrder[issue.riskLevel] > riskOrder[overallRisk]) {
+                    overallRisk = issue.riskLevel;
+                }
+            }
+            const group = {
+                dependencyName: node.name,
+                transitive: node.transitive,
+                introducedBy: node.introducedBy || [],
+                description: metadata.description,
+                issues,
+                overallRisk
+            };
+            dependencyMap.set(node.name, group);
+            groups.push(group);
+        }
+    }
+    return groups;
+}

package/dist/core/types.js

@@ -0,0 +1,44 @@
+import { z } from 'zod';
+export const RiskLevelSchema = z.enum(['low', 'medium', 'high']);
+export const RecommendedActionSchema = z.enum(['allow', 'warn', 'block']);
+export const DependencyNodeSchema = z.object({
+    name: z.string(),
+    version: z.string(), // Range or fixed version from package.json
+    resolvedVersion: z.string(), // Actual version from lockfile
+    transitive: z.boolean(),
+    introducedBy: z.array(z.string()).optional(),
+    metadata: z.object({
+        lastPublish: z.string().optional(), // Date string
+        maintainers: z.number().optional(),
+        downloads: z.number().optional(),
+        deprecated: z.string().optional(),
+        description: z.string().optional(),
+    }),
+});
+export const DependencyGraphSchema = z.object({
+    root: z.string(),
+    environment: z.enum(['local', 'ci', 'prod']),
+    dependencies: z.array(DependencyNodeSchema),
+});
+export const ScanMetadataSchema = z.object({
+    schemaVersion: z.literal("1.0"),
+    scanId: z.string().uuid(),
+    projectName: z.string(),
+    projectId: z.string(),
+    generatedAt: z.string().datetime(),
+});
+export const AnalysisReportSchema = z.object({
+    summary: z.object({
+        driftCount: z.number(),
+        securityCount: z.number(),
+        riskLevel: RiskLevelSchema,
+        riskReason: z.string().optional(),
+        recommendedAction: RecommendedActionSchema.optional(),
+        recommendedExitCode: z.number(),
+    }),
+    drift: z.array(z.any()),
+    security: z.array(z.any()),
+});
+export const ScanResultSchema = AnalysisReportSchema.extend({
+    meta: ScanMetadataSchema,
+});

package/dist/report/console-report.js

@@ -0,0 +1,69 @@
+export function formatConsoleReport(report) {
+    const { summary, drift, security } = report;
+    let output = `\n=== dep-drift-sec Analysis ===\n`;
+    output += `Risk Level: ${summary.riskLevel.toUpperCase()}\n`;
+    output += `Action:     ${(summary.recommendedAction || 'allow').toUpperCase()}\n`;
+    output += `Reason:     ${summary.riskReason || 'N/A'}\n\n`;
+    output += `Drift Issues: ${summary.driftCount}\n`;
+    output += `Security Issues: ${summary.securityCount}\n\n`;
+    if (drift.length > 0) {
+        output += `--- Dependency Drift ---\n`;
+        drift.forEach((group) => {
+            const label = group.transitive ? '[TRANSITIVE]' : '[DIRECT]';
+            const introducedBy = group.transitive && group.introducedBy.length > 0
+                ? ` (via ${group.introducedBy.join(', ')})`
+                : '';
+            output += `${label} ${group.dependencyName}${introducedBy}\n`;
+            output += `  Impact: This dependency has version fluctuations which can lead to "works on my machine" bugs.\n`;
+            group.issues.forEach(issue => {
+                output += `  - [${issue.type.toUpperCase()}] ${issue.reason}\n`;
+                output += `    Expected: ${issue.expected}, Actual: ${issue.actual}\n`;
+            });
+            output += `\n`;
+        });
+    }
+    if (security.length > 0) {
+        output += `--- Security Heuristics ---\n`;
+        security.forEach((group) => {
+            const label = group.transitive ? '[TRANSITIVE]' : '[DIRECT]';
+            const introducedBy = group.transitive && group.introducedBy.length > 0
+                ? ` (via ${group.introducedBy.join(', ')})`
+                : '';
+            output += `[${group.overallRisk.toUpperCase()}] ${label} ${group.dependencyName}${introducedBy}\n`;
+            // Per-dependency explanation
+            if (group.overallRisk === 'high') {
+                output += `  Impact: This package is deprecated or critical; it should be replaced immediately to avoid security breaches.\n`;
+            }
+            else if (group.overallRisk === 'medium') {
+                output += `  Impact: This package is unmaintained; it may have hidden vulnerabilities or compatibility issues.\n`;
+            }
+            else {
+                output += `  Impact: This package has minor supply chain risks (e.g., single maintainer).\n`;
+            }
+            if (group.description) {
+                output += `  Description: ${group.description}\n`;
+            }
+            group.issues.forEach(issue => {
+                output += `  - [${issue.type.toUpperCase()}] ${issue.reason}\n`;
+                if (issue.details) {
+                    const detailLines = [];
+                    for (const [key, value] of Object.entries(issue.details)) {
+                        if (key === 'description')
+                            continue;
+                        if (value !== undefined)
+                            detailLines.push(`${key}: ${value}`);
+                    }
+                    if (detailLines.length > 0) {
+                        output += `      Details: ${detailLines.join(', ')}\n`;
+                    }
+                }
+            });
+            output += `\n`;
+        });
+    }
+    if (summary.driftCount === 0 && summary.securityCount === 0) {
+        output += `No issues detected. Your dependencies are healthy!\n`;
+    }
+    output += `\nRecommended Exit Code: ${summary.recommendedExitCode}\n`;
+    return output;
+}

package/dist/report/json-report.js

@@ -0,0 +1,6 @@
+import { ScanResultSchema } from '../core/types.js';
+export function formatJsonReport(report) {
+    // Validate schema before outputting to ensure stability
+    ScanResultSchema.parse(report);
+    return JSON.stringify(report, null, 2);
+}

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "dep-drift-sec",
+  "version": "0.1.0",
+  "main": "index.js",
+  "scripts": {
+    "test": "vitest",
+    "build": "tsc",
+    "scan": "node dist/cli/index.js check"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/simonelakra/dep-drift-sec.git"
+  },
+  "bugs": {
+    "url": "https://github.com/simonelakra/dep-drift-sec/issues"
+  },
+  "homepage": "https://github.com/simonelakra/dep-drift-sec#readme",
+  "files": [
+    "dist"
+  ],
+  "description": "Production-ready CLI to detect dependency drift and security risks.",
+  "devDependencies": {
+    "@types/node": "^25.0.9",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.17"
+  },
+  "dependencies": {
+    "axios": "^1.13.2",
+    "commander": "^14.0.2",
+    "zod": "^4.3.5"
+  },
+  "bin": {
+    "dep-drift-sec": "dist/cli/index.js"
+  },
+  "type": "module"
+}