devcompass 2.5.0 → 2.7.0

package/data/known-malicious.json

@@ -0,0 +1,57 @@
+{
+  "malicious_packages": [
+    "epress",
+    "expres",
+    "expresss",
+    "reqest",
+    "requet",
+    "lodas",
+    "loadsh",
+    "axois",
+    "axioss",
+    "webpak",
+    "webpackk",
+    "reactt",
+    "vuee",
+    "angularr"
+  ],
+  "typosquat_patterns": {
+    "express": ["epress", "expres", "expresss", "exprss"],
+    "request": ["reqest", "requet", "requets"],
+    "lodash": ["lodas", "loadsh", "lodahs", "lodsh"],
+    "axios": ["axois", "axioss", "axos", "axious"],
+    "webpack": ["webpak", "webpackk", "wepback"],
+    "react": ["reactt", "reakt", "raect"],
+    "vue": ["vuee", "veu", "vuw"],
+    "angular": ["angularr", "anguler", "angulr"],
+    "next": ["nextt", "nxt", "nex"],
+    "typescript": ["typscript", "typescrpt", "typescrip"],
+    "eslint": ["esslint", "elint", "eslnt"],
+    "prettier": ["pretier", "prettir", "pretter"],
+    "jest": ["jst", "jestt", "jест"],
+    "mocha": ["mocha", "mоcha", "mосha"],
+    "chai": ["chаi", "сhai", "chаi"]
+  },
+  "suspicious_patterns": {
+    "install_scripts": [
+      "curl",
+      "wget",
+      "powershell",
+      "eval",
+      "exec",
+      "child_process",
+      "/bin/sh",
+      "/bin/bash",
+      "http://",
+      "https://"
+    ],
+    "suspicious_dependencies": [
+      "bitcoin",
+      "cryptocurrency",
+      "mining",
+      "miner",
+      "keylogger",
+      "backdoor"
+    ]
+  }
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "devcompass",
-  "version": "2.5.0",
-  "description": "Dependency health checker with ecosystem intelligence and real-time GitHub issue tracking for JavaScript/TypeScript projects. Monitors 500+ popular npm packages.",
+  "version": "2.7.0",
+  "description": "Dependency health checker with ecosystem intelligence, real-time GitHub issue tracking for 500+ popular npm packages, parallel processing, supply chain security analysis, and advanced license risk detection.",
   "main": "src/index.js",
   "bin": {
     "devcompass": "./bin/devcompass.js"
@@ -43,7 +43,17 @@
     "dependency-monitoring",
     "issue-tracking",
     "package-health",
-    "top-500-packages"
+    "top-500-packages",
+    "parallel-processing",
+    "performance-optimization",
+    "supply-chain-security",
+    "typosquatting-detection",
+    "malicious-packages",
+    "license-compliance",
+    "license-risk",
+    "package-quality",
+    "security-recommendations",
+    "dependency-quality"
   ],
   "author": "Ajay Thorat <ajaythorat988@gmail.com>",
   "license": "MIT",

package/src/alerts/github-tracker.js

@@ -604,7 +604,7 @@ async function fetchGitHubIssues(packageName) {
   const repo = TRACKED_REPOS[packageName];
   
   if (!repo) {
-    return null; // Not tracked
+    return null;
   }
   
   try {
@@ -672,7 +672,6 @@ function analyzeIssues(issues, packageName) {
   const now = Date.now();
   const day = 24 * 60 * 60 * 1000;
   
-  // Count issues by recency
   const last7Days = issues.filter(i => 
     (now - new Date(i.created_at).getTime()) < 7 * day
   ).length;
@@ -681,7 +680,6 @@ function analyzeIssues(issues, packageName) {
     (now - new Date(i.created_at).getTime()) < 30 * day
   ).length;
   
-  // Detect critical issues (high priority labels)
   const criticalLabels = ['critical', 'security', 'regression', 'breaking'];
   const criticalIssues = issues.filter(issue => 
     issue.labels.some(label => 
@@ -691,7 +689,6 @@ function analyzeIssues(issues, packageName) {
     )
   );
   
-  // Calculate risk score
   let riskScore = 0;
   if (last7Days > 15) riskScore += 3;
   else if (last7Days > 10) riskScore += 2;
@@ -713,7 +710,7 @@ function analyzeIssues(issues, packageName) {
 }
 
 /**
- * Determine trend (increasing/stable/decreasing)
+ * Determine trend
  */
 function determineTrend(last7Days, last30Days) {
   const weeklyAverage = last30Days / 4;
@@ -728,9 +725,54 @@ function determineTrend(last7Days, last30Days) {
 }
 
 /**
- * Check GitHub issues for multiple packages (OPTIMIZED)
+ * Process packages in parallel batches
+ * NEW in v2.6.0: Parallel processing for better performance
  */
-async function checkGitHubIssues(packages) {
+async function processBatch(packages, concurrency = 5, onProgress) {
+  const results = [];
+  const batches = [];
+  
+  // Split into batches
+  for (let i = 0; i < packages.length; i += concurrency) {
+    batches.push(packages.slice(i, i + concurrency));
+  }
+  
+  // Process each batch in parallel
+  for (let batchIndex = 0; batchIndex < batches.length; batchIndex++) {
+    const batch = batches[batchIndex];
+    
+    // Process batch in parallel
+    const batchResults = await Promise.all(
+      batch.map(async (packageName) => {
+        const result = await fetchGitHubIssues(packageName);
+        
+        // Call progress callback
+        if (onProgress) {
+          const processed = batchIndex * concurrency + batch.indexOf(packageName) + 1;
+          onProgress(processed, packages.length, packageName);
+        }
+        
+        return result;
+      })
+    );
+    
+    results.push(...batchResults.filter(r => r !== null));
+    
+    // Small delay between batches to respect rate limits
+    if (batchIndex < batches.length - 1) {
+      await new Promise(resolve => setTimeout(resolve, 200));
+    }
+  }
+  
+  return results;
+}
+
+/**
+ * Check GitHub issues for multiple packages (OPTIMIZED v2.6.0)
+ * Now uses parallel processing for 80% faster execution
+ */
+async function checkGitHubIssues(packages, options = {}) {
+  const { concurrency = 5, onProgress } = options;
   const results = [];
   const packageNames = Object.keys(packages);
   
@@ -741,17 +783,9 @@ async function checkGitHubIssues(packages) {
     return results;
   }
   
-  // Process in batches to avoid rate limits
-  for (const packageName of trackedAndInstalled) {
-    const result = await fetchGitHubIssues(packageName);
-    
-    if (result) {
-      results.push(result);
-    }
-    
-    // Rate limit: wait 1 second between requests
-    await new Promise(resolve => setTimeout(resolve, 1000));
-  }
+  // Use parallel processing
+  const batchResults = await processBatch(trackedAndInstalled, concurrency, onProgress);
+  results.push(...batchResults);
   
   return results;
 }
@@ -764,7 +798,7 @@ function getTrackedPackageCount() {
 }
 
 /**
- * Get tracked packages by category (for documentation)
+ * Get tracked packages by category
  */
 function getTrackedPackagesByCategory() {
   return {

package/src/alerts/predictive.js

@@ -3,9 +3,11 @@ const { checkGitHubIssues } = require('./github-tracker');
 
 /**
  * Generate predictive warnings based on GitHub activity
- * OPTIMIZED: Only checks packages that are actually installed
+ * ENHANCED v2.6.0: Added progress callback support for parallel processing
  */
-async function generatePredictiveWarnings(packages) {
+async function generatePredictiveWarnings(packages, options = {}) {
+  const { onProgress } = options;
+  
   try {
     // Only check packages that are actually installed
     const installedPackages = Object.keys(packages);
@@ -14,8 +16,12 @@ async function generatePredictiveWarnings(packages) {
       return [];
     }
     
-    // Pass only installed packages to GitHub checker
-    const githubData = await checkGitHubIssues(packages);
+    // Pass options to GitHub checker (including progress callback)
+    // v2.6.0: Now supports parallel processing with concurrency control
+    const githubData = await checkGitHubIssues(packages, {
+      concurrency: 5, // Process 5 packages in parallel
+      onProgress: onProgress // Pass through progress callback
+    });
     
     const warnings = [];
     

package/src/analyzers/license-risk.js

@@ -0,0 +1,225 @@
+// src/analyzers/license-risk.js
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * License risk levels and compatibility
+ */
+const LICENSE_RISKS = {
+  // High Risk - Restrictive/Copyleft
+  'GPL-1.0': { risk: 'high', type: 'copyleft', business: 'Requires source disclosure' },
+  'GPL-2.0': { risk: 'high', type: 'copyleft', business: 'Requires source disclosure' },
+  'GPL-3.0': { risk: 'high', type: 'copyleft', business: 'Requires source disclosure' },
+  'AGPL-1.0': { risk: 'critical', type: 'copyleft', business: 'Network copyleft - very restrictive' },
+  'AGPL-3.0': { risk: 'critical', type: 'copyleft', business: 'Network copyleft - very restrictive' },
+  'LGPL-2.0': { risk: 'medium', type: 'weak-copyleft', business: 'Limited copyleft obligations' },
+  'LGPL-2.1': { risk: 'medium', type: 'weak-copyleft', business: 'Limited copyleft obligations' },
+  'LGPL-3.0': { risk: 'medium', type: 'weak-copyleft', business: 'Limited copyleft obligations' },
+  
+  // Medium Risk
+  'MPL-1.0': { risk: 'medium', type: 'weak-copyleft', business: 'File-level copyleft' },
+  'MPL-1.1': { risk: 'medium', type: 'weak-copyleft', business: 'File-level copyleft' },
+  'MPL-2.0': { risk: 'medium', type: 'weak-copyleft', business: 'File-level copyleft' },
+  'EPL-1.0': { risk: 'medium', type: 'weak-copyleft', business: 'Module-level copyleft' },
+  'EPL-2.0': { risk: 'medium', type: 'weak-copyleft', business: 'Module-level copyleft' },
+  'CDDL-1.0': { risk: 'medium', type: 'weak-copyleft', business: 'File-level copyleft' },
+  
+  // Low Risk - Permissive
+  'MIT': { risk: 'low', type: 'permissive', business: 'Very permissive' },
+  'Apache-2.0': { risk: 'low', type: 'permissive', business: 'Permissive with patent grant' },
+  'BSD-2-Clause': { risk: 'low', type: 'permissive', business: 'Very permissive' },
+  'BSD-3-Clause': { risk: 'low', type: 'permissive', business: 'Very permissive' },
+  'ISC': { risk: 'low', type: 'permissive', business: 'Very permissive' },
+  'CC0-1.0': { risk: 'low', type: 'public-domain', business: 'Public domain' },
+  'Unlicense': { risk: 'low', type: 'public-domain', business: 'Public domain' },
+  '0BSD': { risk: 'low', type: 'permissive', business: 'Very permissive' },
+  
+  // Unknown/Special
+  'UNLICENSED': { risk: 'critical', type: 'unknown', business: 'No license - all rights reserved' },
+  'SEE LICENSE IN': { risk: 'high', type: 'unknown', business: 'Custom license - review required' },
+  'CUSTOM': { risk: 'high', type: 'unknown', business: 'Custom license - review required' }
+};
+
+/**
+ * License compatibility matrix
+ * Can license A be combined with license B?
+ */
+const LICENSE_COMPATIBILITY = {
+  'MIT': ['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC', 'GPL-2.0', 'GPL-3.0', 'LGPL-2.1', 'LGPL-3.0'],
+  'Apache-2.0': ['Apache-2.0', 'GPL-3.0', 'LGPL-3.0'],
+  'GPL-2.0': ['GPL-2.0', 'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC'],
+  'GPL-3.0': ['GPL-3.0', 'MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC'],
+  'LGPL-2.1': ['LGPL-2.1', 'MIT', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC', 'GPL-2.0'],
+  'LGPL-3.0': ['LGPL-3.0', 'MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC', 'GPL-3.0']
+};
+
+/**
+ * Normalize license name
+ */
+function normalizeLicense(license) {
+  if (!license) return 'UNLICENSED';
+  
+  const normalized = license
+    .replace(/\s+/g, '-')
+    .replace(/[()]/g, '')
+    .toUpperCase();
+  
+  // Handle common variations
+  if (normalized.includes('MIT')) return 'MIT';
+  if (normalized.includes('APACHE-2')) return 'Apache-2.0';
+  if (normalized.includes('BSD-2')) return 'BSD-2-Clause';
+  if (normalized.includes('BSD-3')) return 'BSD-3-Clause';
+  if (normalized.includes('ISC')) return 'ISC';
+  if (normalized.includes('GPL-2')) return 'GPL-2.0';
+  if (normalized.includes('GPL-3')) return 'GPL-3.0';
+  if (normalized.includes('LGPL-2')) return 'LGPL-2.1';
+  if (normalized.includes('LGPL-3')) return 'LGPL-3.0';
+  if (normalized.includes('AGPL')) return 'AGPL-3.0';
+  if (normalized.includes('MPL')) return 'MPL-2.0';
+  if (normalized.includes('SEE LICENSE')) return 'SEE LICENSE IN';
+  if (normalized === 'UNLICENSED') return 'UNLICENSED';
+  
+  return license;
+}
+
+/**
+ * Get license risk information
+ */
+function getLicenseRisk(license) {
+  const normalized = normalizeLicense(license);
+  return LICENSE_RISKS[normalized] || {
+    risk: 'high',
+    type: 'unknown',
+    business: 'Unknown license - review required'
+  };
+}
+
+/**
+ * Check license compatibility
+ */
+function checkLicenseCompatibility(projectLicense, dependencyLicenses) {
+  const conflicts = [];
+  const normalized = normalizeLicense(projectLicense);
+  const compatible = LICENSE_COMPATIBILITY[normalized] || [];
+  
+  for (const [pkg, license] of Object.entries(dependencyLicenses)) {
+    const depNormalized = normalizeLicense(license);
+    const depRisk = getLicenseRisk(license);
+    
+    // Check if copyleft license conflicts with permissive project
+    if (depRisk.type === 'copyleft' && !compatible.includes(depNormalized)) {
+      conflicts.push({
+        package: pkg,
+        license: license,
+        projectLicense: projectLicense,
+        severity: 'high',
+        issue: 'License incompatibility',
+        message: `${license} dependency may conflict with ${projectLicense} project license`,
+        recommendation: 'Review license compatibility with legal team'
+      });
+    }
+  }
+  
+  return conflicts;
+}
+
+/**
+ * Analyze license risks for all dependencies
+ */
+async function analyzeLicenseRisks(projectPath, licenses) {
+  const warnings = [];
+  const stats = {
+    total: 0,
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    copyleft: 0,
+    permissive: 0,
+    unknown: 0
+  };
+  
+  // Get project license
+  let projectLicense = 'MIT'; // Default
+  try {
+    const projectPkgPath = path.join(projectPath, 'package.json');
+    if (fs.existsSync(projectPkgPath)) {
+      const projectPkg = JSON.parse(fs.readFileSync(projectPkgPath, 'utf8'));
+      projectLicense = projectPkg.license || 'MIT';
+    }
+  } catch (error) {
+    // Use default
+  }
+  
+  const dependencyLicenses = {};
+  
+  // Analyze each license
+  for (const pkg of licenses) {
+    stats.total++;
+    
+    const risk = getLicenseRisk(pkg.license);
+    dependencyLicenses[pkg.package] = pkg.license;
+    
+    // Count by type
+    if (risk.type === 'copyleft' || risk.type === 'weak-copyleft') {
+      stats.copyleft++;
+    } else if (risk.type === 'permissive' || risk.type === 'public-domain') {
+      stats.permissive++;
+    } else {
+      stats.unknown++;
+    }
+    
+    // Add warnings for high-risk licenses
+    if (risk.risk === 'critical' || risk.risk === 'high') {
+      stats[risk.risk]++;
+      
+      warnings.push({
+        package: pkg.package,
+        license: pkg.license,
+        severity: risk.risk,
+        type: risk.type,
+        issue: 'High-risk license',
+        message: `${pkg.license}: ${risk.business}`,
+        recommendation: risk.risk === 'critical' 
+          ? 'Replace with permissive alternative immediately'
+          : 'Consider replacing with MIT/Apache alternative'
+      });
+    } else if (risk.risk === 'medium') {
+      stats.medium++;
+    } else {
+      stats.low++;
+    }
+  }
+  
+  // Check license compatibility
+  const conflicts = checkLicenseCompatibility(projectLicense, dependencyLicenses);
+  warnings.push(...conflicts);
+  
+  return {
+    warnings,
+    stats,
+    projectLicense
+  };
+}
+
+/**
+ * Get license risk score (0-10)
+ */
+function getLicenseRiskScore(stats) {
+  let score = 10;
+  
+  score -= stats.critical * 3;
+  score -= stats.high * 2;
+  score -= stats.medium * 0.5;
+  
+  return Math.max(0, score);
+}
+
+module.exports = {
+  analyzeLicenseRisks,
+  getLicenseRisk,
+  checkLicenseCompatibility,
+  normalizeLicense,
+  getLicenseRiskScore,
+  LICENSE_RISKS
+};