depsentinel 0.1.6 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/cli.js +4 -4
  2. package/dist/commands/init.js +2 -2
  3. package/dist/core/doctor-checks.js +10 -7
  4. package/package.json +1 -1
package/dist/cli.js CHANGED
@@ -53,13 +53,13 @@ export function createCli() {
53
53
  const context = options.json
54
54
  ? {
55
55
  publishesToNpm: true,
56
- publishFromCi: true,
57
- usesOidcTrustedPublisher: false
56
+ usesOidcTrustedPublisher: false,
57
+ usesDevContainer: false
58
58
  }
59
59
  : {
60
60
  publishesToNpm: await askYesNo("Does this project publish packages to npm?", false),
61
- publishFromCi: await askYesNo("Does this project publish from CI?", true),
62
- usesOidcTrustedPublisher: await askYesNo("Does npm publish use OIDC Trusted Publisher?", false)
61
+ usesOidcTrustedPublisher: await askYesNo("Does npm publish use OIDC Trusted Publisher?", false),
62
+ usesDevContainer: await askYesNo("Does this project use Dev Containers for local development?", false)
63
63
  };
64
64
  const result = runInit({
65
65
  preset: options.preset,
package/dist/commands/init.js CHANGED
@@ -157,8 +157,8 @@ export function runInit(options = {}) {
157
157
  const facts = detectProjectFacts(cwd);
158
158
  const context = options.context ?? {
159
159
  publishesToNpm: true,
160
- publishFromCi: true,
161
- usesOidcTrustedPublisher: false
160
+ usesOidcTrustedPublisher: false,
161
+ usesDevContainer: false
162
162
  };
163
163
  const planned = [
164
164
  planSafeFile(path.join(cwd, "depsentinel.json"), `${buildDepsentinelConfig(preset, context)}\n`),
package/dist/core/doctor-checks.js CHANGED
@@ -44,7 +44,7 @@ export function collectDiagnoses(rootDir, facts) {
44
44
  checkEnvPlaintext(rootDir),
45
45
  checkNpxHardening(),
46
46
  checkNpm2fa(context),
47
- checkDevContainer(rootDir),
47
+ checkDevContainer(rootDir, context),
48
48
  checkNodeModulesGitignored(rootDir)
49
49
  ];
50
50
  }
@@ -77,12 +77,12 @@ function checkMixedLockfiles(rootDir, facts) {
77
77
  function readProjectContext(rootDir) {
78
78
  const configPath = path.join(rootDir, "depsentinel.json");
79
79
  const parsed = readJsonSafe(configPath, {
80
- context: { publishesToNpm: true, publishFromCi: true, usesOidcTrustedPublisher: false }
80
+ context: { publishesToNpm: true, usesOidcTrustedPublisher: false, usesDevContainer: false }
81
81
  });
82
82
  return {
83
83
  publishesToNpm: parsed.context?.publishesToNpm ?? true,
84
- publishFromCi: parsed.context?.publishFromCi ?? true,
85
- usesOidcTrustedPublisher: parsed.context?.usesOidcTrustedPublisher ?? false
84
+ usesOidcTrustedPublisher: parsed.context?.usesOidcTrustedPublisher ?? false,
85
+ usesDevContainer: parsed.context?.usesDevContainer ?? false
86
86
  };
87
87
  }
88
88
  function checkNpmRc(rootDir) {
@@ -173,8 +173,8 @@ function checkLockfileCommitted(rootDir) {
173
173
  return skip("ci.lockfile-committed.manual", "ci", "Verify lockfile committed", "Use `git ls-files package-lock.json` to confirm your lockfile is committed.", "Run `git add package-lock.json && git commit -m \"chore: add lockfile\"`.");
174
174
  }
175
175
  function checkCiProvenance(rootDir, context) {
176
- if (!context.publishesToNpm || !context.publishFromCi) {
177
- return skip("ci.provenance.not-applicable", "ci", "Publish provenance not required", "Project context says npm publishing from CI is disabled.", "Set `context.publishesToNpm=true` and `context.publishFromCi=true` if you start publishing from CI.");
176
+ if (!context.publishesToNpm) {
177
+ return skip("ci.provenance.not-applicable", "ci", "Publish provenance not required", "Project context says npm publishing is disabled.", "Set `context.publishesToNpm=true` in depsentinel.json if this changes.");
178
178
  }
179
179
  const workflowsDir = path.join(rootDir, ".github", "workflows");
180
180
  if (!existsSync(workflowsDir))
@@ -238,7 +238,10 @@ function checkNpm2fa(context) {
238
238
  }
239
239
  return skip("maintainer.2fa.manual", "maintainer", "Verify npm account 2FA", "Accounts without 2FA are vulnerable to credential theft and package takeover.", "Run `npm profile enable-2fa auth-and-writes` to enable 2FA for your npm account.");
240
240
  }
241
- function checkDevContainer(rootDir) {
241
+ function checkDevContainer(rootDir, context) {
242
+ if (!context.usesDevContainer) {
243
+ return skip("maintainer.devcontainer.not-required", "maintainer", "Dev Container not required by project context", "Project context says Dev Containers are not part of local development workflow.", "Set `context.usesDevContainer=true` in depsentinel.json if you adopt Dev Containers.");
244
+ }
242
245
  const devContainerPath = path.join(rootDir, ".devcontainer", "devcontainer.json");
243
246
  if (existsSync(devContainerPath))
244
247
  return pass("maintainer.devcontainer.present", "maintainer", "Dev Container configured");
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "depsentinel",
3
- "version": "0.1.6",
3
+ "version": "0.1.7",
4
4
  "description": "JS/TS supply-chain hardening CLI — scan, secure, and enforce dependency policies",
5
5
  "license": "MIT",
6
6
  "author": "depsentinel contributors",