dependency-radar 0.8.1 → 0.9.0

package/dist/cli.js

@@ -13,9 +13,11 @@ const importGraphRunner_1 = require("./runners/importGraphRunner");
 const npmAudit_1 = require("./runners/npmAudit");
 const npmLs_1 = require("./runners/npmLs");
 const npmOutdated_1 = require("./runners/npmOutdated");
+const npmRegistryMetadata_1 = require("./runners/npmRegistryMetadata");
 const lockfileSignals_1 = require("./runners/lockfileSignals");
 const report_1 = require("./report");
 const compare_1 = require("./compare");
+const findings_1 = require("./findings");
 const outputFormats_1 = require("./outputFormats");
 const why_1 = require("./why");
 const schema_1 = require("./schema");
@@ -935,7 +937,7 @@ function buildCombinedDependencyGraph(rootPath, packageMetas, dependencyGraphs)
  * --project, --quiet, --out, --keep-temp, --offline, --json, --format, --sbom, --target-node,
  * --audit-signatures, --schema, --timestamp, --open, --no-report, --fail-on, --help / -h.
  *
- * The --offline flag disables both audit and outdated checks. Unknown options or unexpected positional
+ * The --offline flag disables registry-backed checks. Unknown options or unexpected positional
  * arguments cause the process to exit with an error.
  *
  * @param argv - Array of CLI tokens (typically process.argv.slice(2))
@@ -1175,12 +1177,20 @@ Options:
   --timestamp        Add a local timestamp to generated report filenames
   --no-report        Do not write HTML/JSON report files or temp artifacts to disk
   --keep-temp        Keep .dependency-radar folder
-  --offline          Skip npm audit and npm outdated (useful for offline scans)
+  --offline          Skip registry-backed checks (audit, outdated, signatures, targeted registry enrichment)
   --open             Open the generated report using the system default application
   --fail-on <rules>  Fail with exit code 1 when selected rules are violated
-                     Supported: reachable-vuln, production-vuln, high-severity-vuln,
-                                licence-mismatch, copyleft-detected, unknown-licence,
-                                supply-chain-source
+                     Scan rules: reachable-vuln, production-vuln, high-severity-vuln,
+                                 licence-mismatch, copyleft-detected, unknown-licence,
+                                 supply-chain-source
+                     Compare rules: new-supply-chain-signal, new-install-script,
+                                    new-native-binding, new-bin, new-direct-dependency,
+                                    new-child-process, new-network-access, new-env-access,
+                                    new-home-access, new-ssh-usage, new-obfuscation-signal,
+                                    new-bundled-dependencies, new-shrinkwrap,
+                                    new-recent-package, new-recent-version,
+                                    new-low-release-history, new-reactivated-package,
+                                    new-old-major-patch
 
 \`explain\` reuses the same local scan model and prints a terminal view for one package.
 \`why\` prints shortest dependency paths for one package.
@@ -1359,6 +1369,9 @@ function printPolicyViolations(violations) {
     console.log(colorLeadingSymbol("✖ Policy violations detected:"));
     for (const violation of violations) {
         console.log(`- ${violation.message}`);
+        for (const detail of violation.details || []) {
+            console.log(`  - ${detail}`);
+        }
     }
 }
 /**
@@ -1750,6 +1763,28 @@ async function executeAnalysis(opts, options) {
             ...(toolVersions ? { toolVersions } : {}),
             ...(typeof opts.targetNodeMajor === "number" ? { targetNodeMajor: opts.targetNodeMajor } : {}),
         });
+        if (opts.outdated) {
+            let registryEnrichment = { attempted: 0, succeeded: 0 };
+            try {
+                registryEnrichment = await (0, npmRegistryMetadata_1.enrichAggregatedWithRegistryMetadata)(aggregated, {
+                    offline: false,
+                });
+            }
+            catch (err) {
+                if (!opts.quiet) {
+                    const message = err instanceof Error ? err.message : String(err);
+                    spinner.log(statusLine("⚠", `Targeted registry metadata unavailable (${message})`));
+                }
+            }
+            if (!opts.quiet && registryEnrichment.succeeded > 0) {
+                spinner.log(statusLine("✔", `Targeted registry metadata collected for ${registryEnrichment.succeeded} suspicious package${registryEnrichment.succeeded === 1 ? "" : "s"}`));
+            }
+            if (registryEnrichment.attempted > 0) {
+                const findings = (0, findings_1.buildDependencyFindings)(aggregated, { targetNodeMajor: opts.targetNodeMajor });
+                aggregated.findings = findings;
+                aggregated.summary.findingCount = findings.length;
+            }
+        }
         dependencyCount = Object.keys(aggregated.dependencies).length;
         const importGraphComplete = perPackageImportGraph.every((result) => result.ok);
         const summary = buildCliSummary(aggregated, {
@@ -1903,6 +1938,16 @@ async function runWhyCommand(opts) {
         process.exit(1);
     }
 }
+/**
+ * Compare the current analysis against a previous report and print the comparison and policy violations.
+ *
+ * Validates the `opts.comparePath` report file against the expected schema, runs a new analysis without
+ * writing artifacts, computes a diff between the previous and current aggregated results, prints the
+ * formatted comparison, prints any policy violations (including compare-specific violations), and exits
+ * with code 1 when validation fails or any policy violations are present.
+ *
+ * @param opts - CLI options controlling the comparison run (must include `comparePath` and may include `failOn`)
+ */
 async function runCompareCommand(opts) {
     var _a;
     const previousPath = (_a = opts.comparePath) === null || _a === void 0 ? void 0 : _a.trim();
@@ -1938,8 +1983,17 @@ async function runCompareCommand(opts) {
         emitArtifactSummary: false,
         emitWorkspacePackageSummary: false,
     });
+    const comparison = (0, compare_1.compareReports)(previous, result.aggregated);
+    const policyViolations = [
+        ...result.policyViolations,
+        ...(0, failOn_1.evaluateComparePolicyViolations)(previous, result.aggregated, opts.failOn),
+    ];
     console.log("");
-    console.log((0, compare_1.formatCompareOutput)((0, compare_1.compareReports)(previous, result.aggregated)));
+    console.log((0, compare_1.formatCompareOutput)(comparison));
+    printPolicyViolations(policyViolations);
+    if (policyViolations.length > 0) {
+        process.exit(1);
+    }
 }
 /**
  * Run the CLI entrypoint and dispatch to the selected command.

package/dist/explain.js

@@ -9,6 +9,34 @@ const BLOCKER_LABELS = {
     installScripts: 'Install lifecycle scripts',
     deprecated: 'Deprecated by author',
 };
+const EXECUTION_SIGNAL_LABELS = {
+    'network-access': 'network access',
+    'dynamic-exec': 'dynamic execution',
+    'child-process': 'child process APIs',
+    encoding: 'encoding/decoding logic',
+    obfuscated: 'obfuscation-like code shape',
+    'reads-env': 'environment access',
+    'reads-home': 'home directory access',
+    'uses-ssh': 'SSH-related references'
+};
+const PACKAGING_SIGNAL_LABELS = {
+    'bundled-dependencies': 'bundled dependencies',
+    'embedded-shrinkwrap': 'embedded npm-shrinkwrap.json'
+};
+const REGISTRY_SIGNAL_LABELS = {
+    'recent-package': 'recently created package',
+    'recent-version': 'recently published installed version',
+    'low-release-history': 'low release history',
+    'reactivated-package': 'reactivated after dormancy',
+    'old-major-new-patch': 'recent patch on older major line'
+};
+/**
+ * Locate dependency records for a given package name and return them in prioritized order.
+ *
+ * @param aggregated - The aggregated dataset containing dependency records
+ * @param packageName - The package name to search for
+ * @returns An array of matching `DependencyRecord` objects sorted with direct dependencies first, then by descending package version; empty if none found
+ */
 function findDependenciesByPackageName(aggregated, packageName) {
     return Object.values(aggregated.dependencies || {})
         .filter((dep) => dep.package.name === packageName)
@@ -19,8 +47,17 @@ function findDependenciesByPackageName(aggregated, packageName) {
         return compareVersionStrings(b.package.version, a.package.version);
     });
 }
+/**
+ * Generate a human-readable, line-oriented explanation report for a package
+ * across the provided dependency records.
+ *
+ * @param packageName - The package name shown in the report header
+ * @param matches - DependencyRecord entries for the package to render as individual sections
+ * @param context - Rendering context controlling audit availability and import-graph completeness
+ * @returns The formatted multi-section report as a string. If `matches` is empty the string is `✖ Package not found: ${packageName}`.
+ */
 function formatExplainOutput(packageName, matches, context) {
-    var _a, _b, _c, _d;
+    var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m;
     if (matches.length === 0) {
         return `✖ Package not found: ${packageName}`;
     }
@@ -89,6 +126,51 @@ function formatExplainOutput(packageName, matches, context) {
         else {
             lines.push('  none');
         }
+        lines.push('');
+        lines.push('Local execution signals:');
+        const scriptSignals = new Set(((_f = (_e = dep.execution) === null || _e === void 0 ? void 0 : _e.scripts) === null || _f === void 0 ? void 0 : _f.signals) || []);
+        const localSignals = (((_g = dep.execution) === null || _g === void 0 ? void 0 : _g.signals) || []).filter((signal) => !scriptSignals.has(signal));
+        if (localSignals.length) {
+            for (const signal of localSignals) {
+                lines.push(`  - ${signal} (${EXECUTION_SIGNAL_LABELS[signal] || 'review signal'})`);
+            }
+        }
+        else {
+            lines.push('  none');
+        }
+        lines.push('');
+        lines.push('Packaging signals:');
+        if ((_j = (_h = dep.packaging) === null || _h === void 0 ? void 0 : _h.signals) === null || _j === void 0 ? void 0 : _j.length) {
+            for (const signal of dep.packaging.signals) {
+                lines.push(`  - ${signal} (${PACKAGING_SIGNAL_LABELS[signal] || 'review signal'})`);
+            }
+            if ((_k = dep.packaging.bundledDependencies) === null || _k === void 0 ? void 0 : _k.length) {
+                lines.push(`  bundled dependencies: ${dep.packaging.bundledDependencies.join(', ')}`);
+            }
+        }
+        else {
+            lines.push('  none');
+        }
+        lines.push('');
+        lines.push('Registry metadata signals:');
+        const registry = (_l = dep.supplyChain) === null || _l === void 0 ? void 0 : _l.registry;
+        if ((_m = registry === null || registry === void 0 ? void 0 : registry.signals) === null || _m === void 0 ? void 0 : _m.length) {
+            for (const signal of registry.signals) {
+                lines.push(`  - ${signal} (${REGISTRY_SIGNAL_LABELS[signal] || 'review signal'})`);
+            }
+            if (registry.installedVersionPublishedAt) {
+                lines.push(`  installed version published: ${registry.installedVersionPublishedAt}`);
+            }
+            if (typeof registry.versionCount === 'number') {
+                lines.push(`  version count: ${registry.versionCount}`);
+            }
+        }
+        else if ((registry === null || registry === void 0 ? void 0 : registry.attempted) && !registry.ok) {
+            lines.push(`  unavailable (${registry.error || 'lookup failed'})`);
+        }
+        else {
+            lines.push('  none');
+        }
         if (otherVersions.length > 0) {
             lines.push('');
             lines.push('Other detected versions:');

package/dist/failOn.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SUPPORTED_FAIL_ON_RULES = void 0;
 exports.parseFailOnRules = parseFailOnRules;
 exports.evaluatePolicyViolations = evaluatePolicyViolations;
+exports.evaluateComparePolicyViolations = evaluateComparePolicyViolations;
 const license_1 = require("./license");
 exports.SUPPORTED_FAIL_ON_RULES = [
     'reachable-vuln',
@@ -11,7 +12,25 @@ exports.SUPPORTED_FAIL_ON_RULES = [
     'licence-mismatch',
     'copyleft-detected',
     'unknown-licence',
-    'supply-chain-source'
+    'supply-chain-source',
+    'new-supply-chain-signal',
+    'new-install-script',
+    'new-native-binding',
+    'new-bin',
+    'new-direct-dependency',
+    'new-child-process',
+    'new-network-access',
+    'new-env-access',
+    'new-home-access',
+    'new-ssh-usage',
+    'new-obfuscation-signal',
+    'new-bundled-dependencies',
+    'new-shrinkwrap',
+    'new-recent-package',
+    'new-recent-version',
+    'new-low-release-history',
+    'new-reactivated-package',
+    'new-old-major-patch'
 ];
 const SUPPORTED_FAIL_ON_RULE_SET = new Set(exports.SUPPORTED_FAIL_ON_RULES);
 /**
@@ -37,6 +56,230 @@ function vulnerabilityCount(dep) {
         (dep.security.summary.moderate || 0) +
         (dep.security.summary.low || 0));
 }
+/**
+ * Group dependency records by their package name.
+ *
+ * @param deps - Optional record of dependency entries keyed by dependency id; entries missing a package name are ignored
+ * @returns A Map whose keys are package names and whose values are arrays of `DependencyRecord` objects for that package
+ */
+function byPackageName(deps) {
+    var _a;
+    const map = new Map();
+    for (const dep of Object.values(deps || {})) {
+        const name = (_a = dep.package) === null || _a === void 0 ? void 0 : _a.name;
+        if (!name)
+            continue;
+        const entries = map.get(name) || [];
+        entries.push(dep);
+        map.set(name, entries);
+    }
+    return map;
+}
+/**
+ * Produce a package label for a dependency using its package id when available, otherwise `name@version`.
+ *
+ * @param dep - The dependency record whose package will be formatted
+ * @returns The package `id` if present; otherwise the package `name` and `version` joined with `@`
+ */
+function formatPackage(dep) {
+    return dep.package.id || `${dep.package.name}@${dep.package.version}`;
+}
+/**
+ * Retrieve the package's execution script hook names sorted lexicographically.
+ *
+ * @param dep - Dependency record to read hooks from
+ * @returns The hook names from `dep.execution?.scripts?.hooks` sorted lexicographically; an empty array if no hooks are present
+ */
+function sortedHooks(dep) {
+    var _a, _b;
+    return [...(((_b = (_a = dep.execution) === null || _a === void 0 ? void 0 : _a.scripts) === null || _b === void 0 ? void 0 : _b.hooks) || [])].sort();
+}
+/**
+ * Collect execution-related signals from a dependency record.
+ *
+ * @param dep - The dependency record to inspect for execution signals
+ * @returns A Set of unique `ExecutionSignal` values found on the dependency
+ */
+function executionSignals(dep) {
+    var _a, _b, _c;
+    return new Set([
+        ...(((_a = dep.execution) === null || _a === void 0 ? void 0 : _a.signals) || []),
+        ...(((_c = (_b = dep.execution) === null || _b === void 0 ? void 0 : _b.scripts) === null || _c === void 0 ? void 0 : _c.signals) || [])
+    ]);
+}
+/**
+ * Collects packaging signals present on a dependency.
+ *
+ * @param dep - The dependency record to inspect
+ * @returns A Set of `PackagingSignal` values found on `dep`; empty if the dependency has no packaging signals
+ */
+function packagingSignals(dep) {
+    var _a;
+    return new Set(((_a = dep.packaging) === null || _a === void 0 ? void 0 : _a.signals) || []);
+}
+/**
+ * Get the registry risk signals associated with a dependency.
+ *
+ * @param dep - The dependency record to inspect
+ * @returns A Set of `RegistryRiskSignal` values found on the dependency's `supplyChain.registry.signals`; an empty `Set` if none are present
+ */
+function registrySignals(dep) {
+    var _a, _b;
+    return new Set(((_b = (_a = dep.supplyChain) === null || _a === void 0 ? void 0 : _a.registry) === null || _b === void 0 ? void 0 : _b.signals) || []);
+}
+/**
+ * Extracts the package name associated with a supply-chain signal.
+ *
+ * Prefers `signal.packageName` when present; otherwise derives the name from
+ * `signal.packageId` by taking the substring before the last `@`. Returns
+ * `undefined` if neither value yields a usable package name.
+ *
+ * @param signal - The supply-chain signal to inspect
+ * @returns The package name if present or derivable, `undefined` otherwise
+ */
+function signalPackageName(signal) {
+    if (signal.packageName)
+        return signal.packageName;
+    if (!signal.packageId)
+        return undefined;
+    const at = signal.packageId.lastIndexOf('@');
+    if (at <= 0)
+        return undefined;
+    return signal.packageId.slice(0, at);
+}
+/**
+ * Produce a human-readable package label for a supply-chain signal.
+ *
+ * @param signal - The supply-chain signal object used to derive the label.
+ * @returns The label chosen in this priority: `signal.packageId`, `packageName@packageVersion`, `packageName`, or `'lockfile'` when no package information is available.
+ */
+function signalPackageLabel(signal) {
+    if (signal.packageId)
+        return signal.packageId;
+    if (signal.packageName && signal.packageVersion)
+        return `${signal.packageName}@${signal.packageVersion}`;
+    if (signal.packageName)
+        return signal.packageName;
+    return 'lockfile';
+}
+/**
+ * Produce sets of observed supply-chain signal types, both per-package and globally.
+ *
+ * @param signals - Array of supply-chain signals to analyze; may be `undefined` or empty.
+ * @returns An object with:
+ *  - `byPackage`: map from package name to a `Set` of signal `type` strings observed for that package.
+ *  - `global`: `Set` of all signal `type` strings observed (including those not tied to a package).
+ */
+function supplyChainSignalKeys(signals) {
+    const byPackage = new Map();
+    const global = new Set();
+    for (const signal of signals || []) {
+        global.add(signal.type);
+        const name = signalPackageName(signal);
+        if (!name)
+            continue;
+        const types = byPackage.get(name) || new Set();
+        types.add(signal.type);
+        byPackage.set(name, types);
+    }
+    return { byPackage, global };
+}
+/**
+ * Appends a PolicyViolation for dependencies that newly exhibit the specified execution signal.
+ *
+ * If the provided `rule` is present in `rules` and one or more entries in `currentDeps`
+ * have the `signal` while no previous dependency with the same package name had it,
+ * a `PolicyViolation` describing the new execution signal(s) is pushed onto `violations`.
+ *
+ * @param violations - Mutable array to receive the generated PolicyViolation when matches are found
+ * @param previousByName - Map of package name to previous DependencyRecord[] used as the baseline for comparison
+ * @param currentDeps - Current dependency records to evaluate for newly introduced signals
+ * @param rules - Set of enabled fail-on rules; the function is a no-op if `rule` is not in this set
+ * @param rule - The specific FailOnRule to produce a violation for when triggered
+ * @param signal - The ExecutionSignal to detect as newly introduced
+ */
+function pushNewExecutionSignalViolation(violations, previousByName, currentDeps, rules, rule, signal) {
+    if (!rules.has(rule))
+        return;
+    const details = currentDeps
+        .filter((dep) => {
+        if (!executionSignals(dep).has(signal))
+            return false;
+        return !(previousByName.get(dep.package.name) || []).some((previousDep) => executionSignals(previousDep).has(signal));
+    })
+        .map((dep) => `${formatPackage(dep)} introduced execution signal: ${signal}`)
+        .sort();
+    if (details.length === 0)
+        return;
+    violations.push({
+        rule,
+        count: details.length,
+        message: `${details.length} new execution ${pluralize(details.length, 'signal', 'signals')}: ${signal}`,
+        details
+    });
+}
+/**
+ * Add a policy violation to `violations` when `signal` appears in current dependencies but was not present for the same package name in `previousByName`, and the given `rule` is enabled.
+ *
+ * @param violations - Accumulates discovered PolicyViolation objects; this function may push a new violation into it.
+ * @param previousByName - Map from package name to previous scan DependencyRecord[] used to determine whether `signal` was already present for a package.
+ * @param currentDeps - Current scan dependencies to inspect for newly introduced packaging signals.
+ * @param rules - Selected fail-on rules; the function no-ops if `rule` is not in this set.
+ * @param rule - The specific packaging-related compare-mode rule to enforce (e.g., `new-shrinkwrap` or `new-bundled-dependencies`).
+ * @param signal - The PackagingSignal type to detect as newly introduced.
+ */
+function pushNewPackagingSignalViolation(violations, previousByName, currentDeps, rules, rule, signal) {
+    if (!rules.has(rule))
+        return;
+    const details = currentDeps
+        .filter((dep) => {
+        if (!packagingSignals(dep).has(signal))
+            return false;
+        return !(previousByName.get(dep.package.name) || []).some((previousDep) => packagingSignals(previousDep).has(signal));
+    })
+        .map((dep) => `${formatPackage(dep)} introduced packaging signal: ${signal}`)
+        .sort();
+    if (details.length === 0)
+        return;
+    violations.push({
+        rule,
+        count: details.length,
+        message: `${details.length} new packaging ${pluralize(details.length, 'signal', 'signals')}: ${signal}`,
+        details
+    });
+}
+/**
+ * Append a PolicyViolation for registry risk signals that appear in the current scan but were not present previously.
+ *
+ * If `rule` is not enabled in `rules`, this function does nothing. When enabled, it identifies current dependencies whose registry signals include `signal` and for which no previous dependency with the same package name had that signal, then pushes a violation with the total `count`, a summary `message`, and `details` listing affected packages.
+ *
+ * @param violations - Array to which the resulting PolicyViolation will be pushed
+ * @param previousByName - Map of package name to list of previous DependencyRecord entries
+ * @param currentDeps - List of current DependencyRecord entries to inspect
+ * @param rules - Set of enabled fail-on rules
+ * @param rule - The specific fail-on rule to check (must be present in `rules` to produce a violation)
+ * @param signal - The registry risk signal to detect as newly introduced
+ */
+function pushNewRegistrySignalViolation(violations, previousByName, currentDeps, rules, rule, signal) {
+    if (!rules.has(rule))
+        return;
+    const details = currentDeps
+        .filter((dep) => {
+        if (!registrySignals(dep).has(signal))
+            return false;
+        return !(previousByName.get(dep.package.name) || []).some((previousDep) => registrySignals(previousDep).has(signal));
+    })
+        .map((dep) => `${formatPackage(dep)} introduced registry risk signal: ${signal}`)
+        .sort();
+    if (details.length === 0)
+        return;
+    violations.push({
+        rule,
+        count: details.length,
+        message: `${details.length} new registry ${pluralize(details.length, 'risk signal', 'risk signals')}: ${signal}`,
+        details
+    });
+}
 /**
  * Detects whether a dependency has a strong copyleft license.
  *
@@ -189,3 +432,129 @@ function evaluatePolicyViolations(aggregated, rules) {
     }
     return violations;
 }
+/**
+ * Compute compare-mode policy violations that focus on newly introduced risky traits.
+ *
+ * Delta rules compare the current scan against a previous Dependency Radar JSON report. They only fire
+ * when a targeted trait appears in the current report and the baseline did not show that trait for the
+ * same package name, or did not show that supply-chain signal type at all when a signal cannot be tied to
+ * a package.
+ */
+function evaluateComparePolicyViolations(previous, current, rules) {
+    var _a, _b;
+    if (rules.size === 0)
+        return [];
+    const previousByName = byPackageName(previous.dependencies);
+    const currentDeps = Object.values(current.dependencies || {});
+    const violations = [];
+    if (rules.has('new-supply-chain-signal')) {
+        const previousSignals = supplyChainSignalKeys((_a = previous.supplyChain) === null || _a === void 0 ? void 0 : _a.signals);
+        const details = (((_b = current.supplyChain) === null || _b === void 0 ? void 0 : _b.signals) || [])
+            .filter((signal) => {
+            var _a;
+            const name = signalPackageName(signal);
+            if (name)
+                return !((_a = previousSignals.byPackage.get(name)) === null || _a === void 0 ? void 0 : _a.has(signal.type));
+            return !previousSignals.global.has(signal.type);
+        })
+            .map((signal) => `${signalPackageLabel(signal)} introduced supply-chain signal: ${signal.type}`)
+            .sort();
+        if (details.length > 0) {
+            violations.push({
+                rule: 'new-supply-chain-signal',
+                count: details.length,
+                message: `${details.length} new supply-chain ${pluralize(details.length, 'signal', 'signals')}`,
+                details
+            });
+        }
+    }
+    if (rules.has('new-install-script')) {
+        const details = currentDeps
+            .filter((dep) => {
+            if (sortedHooks(dep).length === 0)
+                return false;
+            return !(previousByName.get(dep.package.name) || []).some((previousDep) => sortedHooks(previousDep).length > 0);
+        })
+            .map((dep) => `${formatPackage(dep)} introduced install hooks: ${sortedHooks(dep).join(', ')}`)
+            .sort();
+        if (details.length > 0) {
+            violations.push({
+                rule: 'new-install-script',
+                count: details.length,
+                message: `${details.length} new ${pluralize(details.length, 'install script surface', 'install script surfaces')}`,
+                details
+            });
+        }
+    }
+    if (rules.has('new-native-binding')) {
+        const details = currentDeps
+            .filter((dep) => {
+            var _a;
+            if (!((_a = dep.execution) === null || _a === void 0 ? void 0 : _a.native))
+                return false;
+            return !(previousByName.get(dep.package.name) || []).some((previousDep) => { var _a; return Boolean((_a = previousDep.execution) === null || _a === void 0 ? void 0 : _a.native); });
+        })
+            .map((dep) => `${formatPackage(dep)} introduced native build/binary surface`)
+            .sort();
+        if (details.length > 0) {
+            violations.push({
+                rule: 'new-native-binding',
+                count: details.length,
+                message: `${details.length} new native ${pluralize(details.length, 'binding surface', 'binding surfaces')}`,
+                details
+            });
+        }
+    }
+    if (rules.has('new-bin')) {
+        const details = currentDeps
+            .filter((dep) => {
+            var _a;
+            if (!((_a = dep.package) === null || _a === void 0 ? void 0 : _a.hasBin))
+                return false;
+            return !(previousByName.get(dep.package.name) || []).some((previousDep) => { var _a; return Boolean((_a = previousDep.package) === null || _a === void 0 ? void 0 : _a.hasBin); });
+        })
+            .map((dep) => `${formatPackage(dep)} introduced a package bin`)
+            .sort();
+        if (details.length > 0) {
+            violations.push({
+                rule: 'new-bin',
+                count: details.length,
+                message: `${details.length} new package ${pluralize(details.length, 'bin', 'bins')}`,
+                details
+            });
+        }
+    }
+    if (rules.has('new-direct-dependency')) {
+        const details = currentDeps
+            .filter((dep) => {
+            var _a;
+            if (!((_a = dep.usage) === null || _a === void 0 ? void 0 : _a.direct))
+                return false;
+            return !(previousByName.get(dep.package.name) || []).some((previousDep) => { var _a; return Boolean((_a = previousDep.usage) === null || _a === void 0 ? void 0 : _a.direct); });
+        })
+            .map((dep) => `${formatPackage(dep)} is now a direct dependency`)
+            .sort();
+        if (details.length > 0) {
+            violations.push({
+                rule: 'new-direct-dependency',
+                count: details.length,
+                message: `${details.length} new direct ${pluralize(details.length, 'dependency', 'dependencies')}`,
+                details
+            });
+        }
+    }
+    pushNewExecutionSignalViolation(violations, previousByName, currentDeps, rules, 'new-child-process', 'child-process');
+    pushNewExecutionSignalViolation(violations, previousByName, currentDeps, rules, 'new-network-access', 'network-access');
+    pushNewExecutionSignalViolation(violations, previousByName, currentDeps, rules, 'new-env-access', 'reads-env');
+    pushNewExecutionSignalViolation(violations, previousByName, currentDeps, rules, 'new-home-access', 'reads-home');
+    pushNewExecutionSignalViolation(violations, previousByName, currentDeps, rules, 'new-ssh-usage', 'uses-ssh');
+    pushNewExecutionSignalViolation(violations, previousByName, currentDeps, rules, 'new-obfuscation-signal', 'obfuscated');
+    pushNewPackagingSignalViolation(violations, previousByName, currentDeps, rules, 'new-bundled-dependencies', 'bundled-dependencies');
+    pushNewPackagingSignalViolation(violations, previousByName, currentDeps, rules, 'new-shrinkwrap', 'embedded-shrinkwrap');
+    pushNewRegistrySignalViolation(violations, previousByName, currentDeps, rules, 'new-recent-package', 'recent-package');
+    pushNewRegistrySignalViolation(violations, previousByName, currentDeps, rules, 'new-recent-version', 'recent-version');
+    pushNewRegistrySignalViolation(violations, previousByName, currentDeps, rules, 'new-low-release-history', 'low-release-history');
+    pushNewRegistrySignalViolation(violations, previousByName, currentDeps, rules, 'new-reactivated-package', 'reactivated-package');
+    pushNewRegistrySignalViolation(violations, previousByName, currentDeps, rules, 'new-old-major-patch', 'old-major-new-patch');
+    return violations;
+}