dep-oracle 1.1.4 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +26 -1
- package/action/action.yml +1 -1
- package/dist/action/index.js +11325 -0
- package/dist/{chunk-7WUFMWUI.js → chunk-TXSNFX3N.js} +46 -10
- package/dist/chunk-TXSNFX3N.js.map +1 -0
- package/dist/cli/index.js +46 -10
- package/dist/cli/index.js.map +1 -1
- package/dist/index.js +96 -5
- package/dist/index.js.map +1 -1
- package/dist/mcp/server.js +39 -28
- package/dist/mcp/server.js.map +1 -1
- package/package.json +2 -1
- package/server.json +55 -0
- package/dist/chunk-7WUFMWUI.js.map +0 -1
package/README.md
CHANGED
|
@@ -99,7 +99,7 @@ dep-oracle scan --verbose
|
|
|
99
99
|
## Output Example
|
|
100
100
|
|
|
101
101
|
```
|
|
102
|
-
dep-oracle v1.
|
|
102
|
+
dep-oracle v1.2.0
|
|
103
103
|
Scanning package.json...
|
|
104
104
|
Found 47 direct dependencies, 683 transitive
|
|
105
105
|
Collecting data... [=============================] 100% (2.3s)
|
|
@@ -223,6 +223,9 @@ Then in Claude Code, just ask:
|
|
|
223
223
|
| `dep_oracle_blast_radius` | Impact analysis for a package |
|
|
224
224
|
| `dep_oracle_zombies` | List all zombie dependencies |
|
|
225
225
|
| `dep_oracle_suggest_migration` | Get alternative package suggestions |
|
|
226
|
+
| `dep_oracle_typosquat_check` | Check typosquatting risk for a package name |
|
|
227
|
+
| `dep_oracle_compare` | Compare two packages side-by-side |
|
|
228
|
+
| `dep_oracle_report` | Generate a JSON report, optionally to file |
|
|
226
229
|
|
|
227
230
|
## GitHub Action
|
|
228
231
|
|
|
@@ -344,6 +347,28 @@ npm run lint # TypeScript type checking
|
|
|
344
347
|
|
|
345
348
|
## Changelog
|
|
346
349
|
|
|
350
|
+
### v1.2.0 (2026-02-22)
|
|
351
|
+
|
|
352
|
+
- **Security**: Path traversal protection in MCP tools (validated dir/output paths)
|
|
353
|
+
- **Security**: Package name validation (npm naming rules enforced)
|
|
354
|
+
- **Security**: HTML reporter metric values escaped (XSS defense-in-depth)
|
|
355
|
+
- **Security**: GitHub username/repo validation in URL parser
|
|
356
|
+
- **Security**: GitHub Sponsors username validation in funding collector
|
|
357
|
+
- **Feature**: Programmatic API — `import { scan, checkPackage } from 'dep-oracle'`
|
|
358
|
+
- **Feature**: 3 new MCP tools: `dep_oracle_typosquat_check`, `dep_oracle_compare`, `dep_oracle_report` (8 total)
|
|
359
|
+
- **Feature**: GitHub Action now builds correctly (self-contained bundle)
|
|
360
|
+
- **Fix**: Collector timeout (30s) prevents hanging on slow APIs
|
|
361
|
+
- **Fix**: Trust score weight validation (must sum to 1.0)
|
|
362
|
+
- **Fix**: Patch bonus only applies when vulnerabilities exist
|
|
363
|
+
- **Fix**: Python parser preserves `#egg=` fragments in git URLs
|
|
364
|
+
- **Fix**: Typosquat homoglyph detection now catches 2-character substitutions
|
|
365
|
+
- **Fix**: Cache error handling distinguishes JSON corruption from I/O errors
|
|
366
|
+
- **Fix**: `server.json` now included in npm package for MCP registry
|
|
367
|
+
|
|
368
|
+
### v1.1.4 (2026-02-22)
|
|
369
|
+
|
|
370
|
+
- **Package.json Fix**: Removed invalid `readme` field that caused npm to display literal string instead of README content
|
|
371
|
+
|
|
347
372
|
### v1.1.3 (2026-02-22)
|
|
348
373
|
|
|
349
374
|
- **npm README Fix**: English README now correctly shown on npmjs.com (excluded Turkish README from npm package via prepack/postpack lifecycle)
|
package/action/action.yml
CHANGED