depguard-cli 1.2.0 → 1.2.1
- package/README.md +2 -2
- package/dist/audit.d.ts.map +1 -1
- package/dist/audit.js +10 -4
- package/dist/audit.js.map +1 -1
- package/dist/mcp.js +1 -1
- package/dist/semver.d.ts +19 -0
- package/dist/semver.d.ts.map +1 -0
- package/dist/semver.js +71 -0
- package/dist/semver.js.map +1 -0
- package/package.json +1 -1
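--- a/package/README.md
+++ b/package/README.md
@@ -224,7 +224,7 @@ depguard combines two advisory databases for maximum coverage:
 | **npm Registry** | Advisories from `npm audit` |
 | **GitHub Advisory Database** | GHSA advisories, often not in npm |
 
-Results are deduplicated and each advisory includes a `source` field (`npm` or `github`).
+Results are deduplicated, filtered by the current package version (only vulnerabilities that actually affect the installed version are reported), and each advisory includes a `source` field (`npm` or `github`).
 
 ### Caching
 
@@ -257,7 +257,7 @@ A dependency is compatible if its license is equally or more permissive than you
 ```bash
 npm run build # compile TypeScript
 npm run lint # ESLint (strict)
-npm test #
+npm test # 84 tests (all offline)
 npm run check # build + lint + test + audit
 ```
 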
package/dist/audit.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,OAAO,EAAqC,MAAM,YAAY,CAAA;
|
|
1
|
+
{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,OAAO,EAAqC,MAAM,YAAY,CAAA;AAuEzF;;;;GAIG;AACH,wBAAsB,KAAK,CACzB,IAAI,EAAE,MAAM,EACZ,aAAa,SAAQ,EACrB,OAAO,GAAE,OAA0B,GAClC,OAAO,CAAC,WAAW,CAAC,CA0GtB"}
|
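--- a/package/dist/audit.js
+++ b/package/dist/audit.js
@@ -1,6 +1,7 @@
 import { fetchPackage, fetchDownloads, fetchAdvisories, fetchGitHubAdvisories } from './registry.js';
 import { checkLicenseCompatibility } from './license.js';
 import { analyzeScripts } from './script-analysis.js';
+import { satisfiesRange } from './semver.js';
 const INSTALL_SCRIPT_NAMES = ['preinstall', 'install', 'postinstall'];
 /** Map GitHub severity to npm severity */
 function mapGitHubSeverity(severity) {
@@ -16,10 +17,10 @@ function mapGitHubSeverity(severity) {
 * Merge npm and GitHub advisories, deduplicating by URL.
 * GitHub advisories are converted to NpmAdvisory format.
 */
-function mergeAdvisories(npmAdvisories, ghAdvisories) {
+function mergeAdvisories(npmAdvisories, ghAdvisories, currentVersion) {
 const seen = new Set();
 const merged = [];
-// Add npm advisories first
+// Add npm advisories first (npm bulk endpoint already filters by version)
 for (const adv of npmAdvisories) {
 seen.add(adv.url);
 merged.push({ ...adv, source: 'npm' });
@@ -35,13 +36,18 @@ function mergeAdvisories(npmAdvisories, ghAdvisories) {
 const ghsaInNpm = npmAdvisories.some(a => a.url.includes(gh.ghsa_id));
 if (ghsaInNpm)
 continue;
+// Filter: only include if current version is actually affected
 const vuln = gh.vulnerabilities?.[0];
+const range = vuln?.vulnerable_version_range;
+if (range && !satisfiesRange(currentVersion, range)) {
+continue; // Current version is NOT in the vulnerable range — skip
+}
 merged.push({
 id: parseInt(gh.ghsa_id.replace(/\D/g, '').slice(0, 8)) || 0,
 title: gh.summary,
 severity: mapGitHubSeverity(gh.severity),
 url: gh.html_url,
-vulnerable_versions:
+vulnerable_versions: range ?? '*',
 patched_versions: vuln?.first_patched_version ?? null,
 cwe: gh.cwes?.map(c => c.cwe_id),
 cvss: gh.cvss ? { score: gh.cvss.score, vectorString: gh.cvss.vector_string } : undefined,
@@ -93,7 +99,7 @@ export async function audit(name, targetLicense = 'MIT', fetcher = globalThis.fe
 return [];
 }),
 ]);
-const advisories = mergeAdvisories(npmAdvisories, ghAdvisories);
+const advisories = mergeAdvisories(npmAdvisories, ghAdvisories, latestVersion);
 const license = versionData?.license ?? pkg.license ?? null;
 const deps = versionData?.dependencies ?? {};
 const scripts = versionData?.scripts ?? {};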
package/dist/audit.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAA;AACpG,OAAO,EAAE,yBAAyB,EAAE,MAAM,cAAc,CAAA;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;
|
|
1
|
+
{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAA;AACpG,OAAO,EAAE,yBAAyB,EAAE,MAAM,cAAc,CAAA;AACxD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AACrD,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AAE5C,MAAM,oBAAoB,GAAG,CAAC,YAAY,EAAE,SAAS,EAAE,aAAa,CAAC,CAAA;AAErE,0CAA0C;AAC1C,SAAS,iBAAiB,CAAC,QAAgB;IACzC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU,CAAC,CAAC,OAAO,UAAU,CAAA;QAClC,KAAK,MAAM,CAAC,CAAC,OAAO,MAAM,CAAA;QAC1B,KAAK,QAAQ,CAAC,CAAC,OAAO,UAAU,CAAA;QAChC,KAAK,KAAK,CAAC,CAAC,OAAO,KAAK,CAAA;QACxB,OAAO,CAAC,CAAC,OAAO,KAAK,CAAA;IACvB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CACtB,aAA4B,EAC5B,YAA+D,EAC/D,cAAsB;IAEtB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;IAC9B,MAAM,MAAM,GAAkB,EAAE,CAAA;IAEhC,0EAA0E;IAC1E,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;QAChC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QACjB,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,GAAG,EAAE,MAAM,EAAE,KAAc,EAAE,CAAC,CAAA;IACjD,CAAC;IAED,oCAAoC;IACpC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC;QAAE,OAAO,MAAM,CAAA;IAE/C,oDAAoD;IACpD,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;QAC9B,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC;YAAE,SAAQ;QAEnC,uEAAuE;QACvE,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,CAAA;QACrE,IAAI,SAAS;YAAE,SAAQ;QAEvB,+DAA+D;QAC/D,MAAM,IAAI,GAAG,EAAE,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,CAAA;QACpC,MAAM,KAAK,GAAG,IAAI,EAAE,wBAAwB,CAAA;QAC5C,IAAI,KAAK,IAAI,CAAC,cAAc,CAAC,cAAc,EAAE,KAAK,CAAC,EAAE,CAAC;YACpD,SAAQ,CAAC,wDAAwD;QACnE,CAAC;QAED,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;YAC5D,KAAK,EAAE,EAAE,CAAC,OAAO;YACjB,QAAQ,EAAE,iBAAiB,CAAC,EAAE,CAAC,QAAQ,CAAC;YACxC,GAAG,EAAE,EAAE,CAAC,QAAQ;YAChB,mBAAmB,EAAE,KAAK,IAAI,GAAG;YACjC,gBAAgB,EAAE,IAAI,EAAE,qBAAqB,IAAI,IAAI;YACrD,GAAG,EAAE,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;YAChC,IAAI,EAAE,EAAE,CAAC,I
AAI,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,YAAY,EAAE,EAAE,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,SAAS;YACzF,MAAM,EAAE,QAAQ;SACjB,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,KAAK,CACzB,IAAY,EACZ,aAAa,GAAG,KAAK,EACrB,UAAmB,UAAU,CAAC,KAAK;IAEnC,MAAM,QAAQ,GAAa,EAAE,CAAA;IAE7B,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;IAE7C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO;YACL,IAAI;YACJ,OAAO,EAAE,SAAS;YAClB,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,EAAE;YACf,WAAW,EAAE,IAAI;YACjB,eAAe,EAAE,CAAC;YAClB,YAAY,EAAE,CAAC;YACf,eAAe,EAAE,CAAC;YAClB,iBAAiB,EAAE,KAAK;YACxB,UAAU,EAAE,KAAK;YACjB,eAAe,EAAE,oBAAoB,EAAE;YACvC,cAAc,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,EAAE;YAChD,oBAAoB,EAAE,yBAAyB,CAAC,IAAI,EAAE,aAAa,CAAC;YACpE,QAAQ,EAAE,CAAC,gDAAgD,CAAC;SAC7D,CAAA;IACH,CAAC;IAED,MAAM,aAAa,GAAG,GAAG,CAAC,WAAW,CAAC,EAAE,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,GAAG,EAAE,IAAI,SAAS,CAAA;IAC9F,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAA;IAE/C,sEAAsE;IACtE,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACjE,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;YACvC,QAAQ,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAA;YAChD,OAAO,CAAC,CAAA;QACV,CAAC,CAAC;QACF,eAAe,CAAC,IAAI,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;YACvD,QAAQ,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAA;YACxD,OAAO,EAAE,CAAA;QACX,CAAC,CAAC;QACF,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;YAC9C,QAAQ,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAA;YAC3D,OAAO,EAAE,CAAA;QACX,CAAC,CAAC;KACH,CAAC,CAAA;IAEF,MAAM,UAAU,GAAG,eAAe,CAAC,aAAa,EAAE,YAAY,EAAE,aAAa,CAAC,CAAA;IAE9E,MAAM,OAAO,GAAG,WAAW,EAAE,OAAO,IAAI,GAAG,CAAC,OAAO,IAAI,IAAI,CAAA;IAC3D,MAAM,IAAI,GAAG,WAAW,EAAE,YAAY,IAAI,EAAE,CAAA;IAC5C,MAAM,OAAO,GAAG,WAAW,EAAE,OAAO,IAAI,EAAE,CAAA;IAE1C,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,OAAO,CAAC,CAAA;IACtE,MAAM,UAAU,GAAG,CAAC,CAAC,WAAW,EAAE,UAAU,CAAA;IAC5C,MAAM,YAAY,GAAG,cAAc,CAAC,OAAiC,CAAC,CAAA;IAEtE,IAAI,UAAU,EAAE,CAAC;QACf,QAA
Q,CAAC,IAAI,CAAC,0BAA0B,WAAW,EAAE,UAAU,EAAE,CAAC,CAAA;IACpE,CAAC;IAED,IAAI,iBAAiB,EAAE,CAAC;QACtB,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAA;IACjE,CAAC;IAED,IAAI,YAAY,CAAC,UAAU,EAAE,CAAC;QAC5B,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAA;QACtF,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAA;QAC9E,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;YACtB,QAAQ,CAAC,IAAI,CAAC,aAAa,aAAa,iDAAiD,CAAC,CAAA;QAC5F,CAAC;QACD,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;YAClB,QAAQ,CAAC,IAAI,CAAC,YAAY,SAAS,4DAA4D,CAAC,CAAA;QAClG,CAAC;IACH,CAAC;IAED,MAAM,eAAe,GAAyB;QAC5C,KAAK,EAAE,UAAU,CAAC,MAAM;QACxB,QAAQ,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;QAClE,IAAI,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;QAC1D,QAAQ,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;QAClE,GAAG,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;QACxD,UAAU;KACX,CAAA;IAED,MAAM,aAAa,GAAG,yBAAyB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAA;IAEvE,4BAA4B;IAC5B,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;SACnC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,UAAU,CAAC;SAC1D,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC;SACrB,IAAI,EAAE,CAAA;IACT,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAErE,OAAO;QACL,IAAI;QACJ,OAAO,EAAE,aAAa;QACtB,OAAO,EAAE,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI;QACrD,WAAW,EAAE,GAAG,CAAC,WAAW,IAAI,EAAE;QAClC,WAAW;QACX,eAAe,EAAE,SAAS;QAC1B,YAAY,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,MAAM;QAC9C,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM;QACzC,iBAAiB;QACjB,UAAU;QACV,eAAe;QACf,cAAc,EAAE,YAAY;QAC5B,oBAAoB,EAAE,aAAa;QACnC,QAAQ;KACT,CAAA;AACH,CAAC;AAED,SAAS,oBAAoB;IAC3B,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,
EAAE,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAA;AAChF,CAAC"}
|
package/dist/mcp.js
CHANGED
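--- /dev/null
+++ b/package/dist/semver.d.ts
@@ -0,0 +1,19 @@
+/**
+* Minimal semver range checker — zero dependencies.
+* Supports common version range patterns from GitHub advisories:
+* "< 4.0.0", ">= 1.0.0, < 2.0.0", "<= 3.5.0", "= 1.2.3"
+*
+* Does NOT support: ||, ~, ^, *, x, pre-release tags, build metadata.
+* This is intentional — advisory ranges use simple comparators.
+*/
+/**
+* Check if a version satisfies a vulnerability range string.
+* Returns true if the version IS vulnerable (falls within the range).
+*
+* Examples:
+* satisfiesRange("4.17.21", "< 4.17.20") → false (not vulnerable)
+* satisfiesRange("4.17.19", "< 4.17.20") → true (vulnerable)
+* satisfiesRange("1.5.0", ">= 1.0.0, < 2.0.0") → true (vulnerable)
+*/
+export declare function satisfiesRange(version: string, range: string): boolean;
+//# sourceMappingURL=semver.d.ts.map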
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"semver.d.ts","sourceRoot":"","sources":["../src/semver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAwCH;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAuBtE"}
|
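--- /dev/null
+++ b/package/dist/semver.js
@@ -0,0 +1,71 @@
+/**
+* Minimal semver range checker — zero dependencies.
+* Supports common version range patterns from GitHub advisories:
+* "< 4.0.0", ">= 1.0.0, < 2.0.0", "<= 3.5.0", "= 1.2.3"
+*
+* Does NOT support: ||, ~, ^, *, x, pre-release tags, build metadata.
+* This is intentional — advisory ranges use simple comparators.
+*/
+function parse(version) {
+// Strip leading 'v' and any pre-release/build suffix
+const clean = version.replace(/^v/, '').replace(/[-+].*$/, '').trim();
+const parts = clean.split('.');
+if (parts.length < 2)
+return null;
+const major = parseInt(parts[0], 10);
+const minor = parseInt(parts[1], 10);
+const patch = parts.length >= 3 ? parseInt(parts[2], 10) : 0;
+if (isNaN(major) || isNaN(minor) || isNaN(patch))
+return null;
+return { major, minor, patch };
+}
+function compare(a, b) {
+if (a.major !== b.major)
+return a.major - b.major;
+if (a.minor !== b.minor)
+return a.minor - b.minor;
+return a.patch - b.patch;
+}
+function matchComparator(version, op, target) {
+const cmp = compare(version, target);
+switch (op) {
+case '<': return cmp < 0;
+case '<=': return cmp <= 0;
+case '>': return cmp > 0;
+case '>=': return cmp >= 0;
+case '=': return cmp === 0;
+default: return cmp === 0;
+}
+}
+/**
+* Check if a version satisfies a vulnerability range string.
+* Returns true if the version IS vulnerable (falls within the range).
+*
+* Examples:
+* satisfiesRange("4.17.21", "< 4.17.20") → false (not vulnerable)
+* satisfiesRange("4.17.19", "< 4.17.20") → true (vulnerable)
+* satisfiesRange("1.5.0", ">= 1.0.0, < 2.0.0") → true (vulnerable)
+*/
+export function satisfiesRange(version, range) {
+const ver = parse(version);
+if (!ver)
+return true; // If we can't parse, assume vulnerable (safe default)
+if (!range || range === '*')
+return true;
+// Split by comma for compound ranges: ">= 1.0.0, < 2.0.0"
+const parts = range.split(',').map(s => s.trim()).filter(Boolean);
+for (const part of parts) {
+const match = part.match(/^(>=|<=|>|<|=)\s*(.+)$/);
+if (!match)
+continue;
+const op = match[1];
+const target = parse(match[2]);
+if (!target)
+continue;
+if (!matchComparator(ver, op, target)) {
+return false; // One condition not met → not in vulnerable range
+}
+}
+return true;
+}
+//# sourceMappingURL=semver.js.map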
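Review bot: `parse()` throws away the pre-release tag on its first line (`.replace(/[-+].*$/, '')`), so `2.0.0-rc.1` becomes equal to `2.0.0` and `satisfiesRange('2.0.0-rc.1', '< 2.0.0')` returns false although semver orders the pre-release before the release — this path fails open, the opposite of the "assume vulnerable" default the comment beside the first `return true` promises, and the header only says pre-release tags are unsupported, not that they are treated as the release itself. Keeping a boolean `pre` flag in the parsed record and letting `compare()` rank a pre-release below its numeric core (without ordering pre-release identifiers against each other) closes that gap and leaves every non-pre-release comparison unchanged; a sketch follows. A second, smaller issue is that `(.+)` in the comparator regex together with `parseInt`'s tolerance of trailing text means a part such as `< 2.0.0 || >= 3.0.0` is silently read as `< 2.0.0` and a 3.x version is reported clean, whereas the intent of `continue` on unparseable parts is to drop the constraint and err toward reporting; anchoring the target as `/^(>=|<=|>|<|=)\s*v?(\d+(?:\.\d+){1,2})$/` makes unsupported syntax take that conservative path instead.
```javascript
function parse(version) {
    // Strip leading 'v'; remember whether a pre-release tag precedes any build
    // metadata, because semver orders 2.0.0-rc.1 *before* 2.0.0.
    const trimmed = version.replace(/^v/, '').trim();
    const pre = /^[^+]*-/.test(trimmed);
    const clean = trimmed.replace(/[-+].*$/, '');
    // … unchanged: split into major/minor/patch, NaN checks …
    return { major, minor, patch, pre };
}
function compare(a, b) {
    // … unchanged: major and minor comparison …
    if (a.patch !== b.patch)
        return a.patch - b.patch;
    // Same numeric core: a pre-release sorts below the release.
    if (a.pre !== b.pre)
        return a.pre ? -1 : 1;
    return 0;
}
```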
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"semver.js","sourceRoot":"","sources":["../src/semver.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAQH,SAAS,KAAK,CAAC,OAAe;IAC5B,qDAAqD;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;IACrE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC9B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAEjC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IACpC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IACpC,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IAE5D,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAC7D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,CAAA;AAChC,CAAC;AAED,SAAS,OAAO,CAAC,CAAS,EAAE,CAAS;IACnC,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK;QAAE,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAA;IACjD,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK;QAAE,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAA;IACjD,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAA;AAC1B,CAAC;AAED,SAAS,eAAe,CAAC,OAAe,EAAE,EAAU,EAAE,MAAc;IAClE,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IACpC,QAAQ,EAAE,EAAE,CAAC;QACX,KAAK,GAAG,CAAC,CAAC,OAAO,GAAG,GAAG,CAAC,CAAA;QACxB,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAA;QAC1B,KAAK,GAAG,CAAC,CAAC,OAAO,GAAG,GAAG,CAAC,CAAA;QACxB,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAA;QAC1B,KAAK,GAAG,CAAC,CAAC,OAAO,GAAG,KAAK,CAAC,CAAA;QAC1B,OAAO,CAAC,CAAC,OAAO,GAAG,KAAK,CAAC,CAAA;IAC3B,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe,EAAE,KAAa;IAC3D,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,CAAA;IAC1B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAA,CAAC,sDAAsD;IAE5E,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,GAAG;QAAE,OAAO,IAAI,CAAA;IAExC,0DAA0D;IAC1D,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAA;IAEjE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,
KAAK,CAAC,wBAAwB,CAAC,CAAA;QAClD,IAAI,CAAC,KAAK;YAAE,SAAQ;QAEpB,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACnB,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;QAC9B,IAAI,CAAC,MAAM;YAAE,SAAQ;QAErB,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC;YACtC,OAAO,KAAK,CAAA,CAAC,kDAAkD;QACjE,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC"}
|
package/package.json
CHANGED