npm - devcompass - Versions diffs - 2.6.0 → 2.7.1 - Mend

devcompass 2.6.0 → 2.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +389 -96
package/data/known-malicious.json +57 -0
package/package.json +12 -4
package/src/analyzers/license-risk.js +225 -0
package/src/analyzers/package-quality.js +368 -0
package/src/analyzers/security-recommendations.js +274 -0
package/src/analyzers/supply-chain.js +223 -0
package/src/commands/analyze.js +447 -18
package/src/utils/json-formatter.js +118 -28

package/README.md CHANGED Viewed

@@ -1,52 +1,73 @@
 # 🧭 DevCompass
-**Dependency health checker with ecosystem intelligence and real-time GitHub issue tracking for 500+ popular npm packages. Features parallel processing for 80% faster analysis.**
+**Dependency health checker with ecosystem intelligence, real-time GitHub issue tracking for 500+ popular npm packages, parallel processing, supply chain security analysis, and advanced license risk detection.**
 [![npm version](https://img.shields.io/npm/v/devcompass.svg)](https://www.npmjs.com/package/devcompass)
 [![npm downloads](https://img.shields.io/npm/dm/devcompass.svg)](https://www.npmjs.com/package/devcompass)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-Analyze your JavaScript projects to find unused dependencies, outdated packages, **detect security vulnerabilities**, **monitor GitHub issues in real-time for 500+ packages**, **check bundle sizes**, **verify licenses**, and **automatically fix issues** with a single command. Perfect for **CI/CD pipelines** with JSON output and exit codes.
+Analyze your JavaScript projects to find unused dependencies, outdated packages, **detect security vulnerabilities**, **monitor GitHub issues in real-time for 500+ packages**, **check bundle sizes**, **verify licenses**, **detect supply chain attacks**, **analyze package quality**, and **automatically fix issues** with a single command. Perfect for **CI/CD pipelines** with JSON output and exit codes.
+> **NEW in v2.7.0:** Advanced security features - Supply chain analysis, license risk detection, package quality metrics! 🔐
 > **NEW in v2.6.0:** 80% faster with parallel processing! ⚡
 > **NEW in v2.5.0:** Expanded to 502 packages across 33 categories! 🎯
 > **NEW in v2.4.0:** Real-time GitHub issue tracking & predictive warnings! 🔮
-> **NEW in v2.3.1:** Fixed all security vulnerabilities! Health score: 2.5/10 → 8/10 🔒
-> **NEW in v2.3:** Security scanning, bundle analysis & license checker! 🔐
+> **NEW in v2.3.1:** Fixed all security vulnerabilities! Health score: 2.5/10 → 8/10 🔒
-## 🎉 Latest Update: v2.6.0
+## 🎉 Latest Update: v2.7.0
-**80% faster analysis with parallel processing!** DevCompass now checks multiple packages simultaneously:
+**Comprehensive security analysis without external dependencies!** DevCompass now includes advanced security features:
-- ⚡ **Parallel GitHub API requests** - Check 5 packages at once (configurable)
-- 📊 **Real-time progress tracking** - Live updates showing current package
-- 🚀 **80% performance improvement** - 5 packages in ~1s instead of ~5s
-- 📈 **Smart batching** - Respects GitHub rate limits automatically
-- ⏱️ **Performance metrics** - Shows time saved after analysis
-**Performance Comparison:**
-```
-v2.5.0 (Sequential): 5 packages × 1s = ~5 seconds
-v2.6.0 (Parallel):   5 packages ÷ 5 = ~1 second (80% faster!)
-```
+- 🛡️ **Supply Chain Security** - Detect malicious packages & typosquatting
+- ⚖️ **License Risk Detection** - Enhanced license compliance checking
+- 📊 **Package Quality Metrics** - Health scores for all dependencies
+- 💡 **Security Recommendations** - Actionable, prioritized fix suggestions
+- 🔍 **Install Script Analysis** - Detect suspicious postinstall hooks
+- 📈 **Maintainer Activity** - Track package maintenance status
 **Example output:**
 ```
-⠹ Checking GitHub activity (3/5 packages) - express
-⠹ Checking GitHub activity (4/5 packages) - webpack
-⠹ Checking GitHub activity (5/5 packages) - react
-✔ Scanned 5 dependencies in project
-⚡ GitHub check completed in 1.23s (parallel processing)
-```
+🛡️ SUPPLY CHAIN SECURITY (2 warnings)
+🟠 TYPOSQUATTING RISK
+  expresss
+    Similar to: express (official package)
+    → Remove expresss and install express
+⚖️ LICENSE RISK ANALYSIS (1 warning)
+🔴 CRITICAL LICENSE RISKS
+  gpl-package@1.0.0
+    License: AGPL-3.0
+    Network copyleft - very restrictive
+    → Replace with permissive alternative immediately
+📊 PACKAGE QUALITY METRICS (20 analyzed)
+🔴 ABANDONED PACKAGES (1)
+  old-lib@1.0.0
+    Health Score: 1.2/10
+    Last Update: 3 years ago
+    → Migrate to actively maintained alternative
+💡 SECURITY RECOMMENDATIONS (Prioritized)
+🔴 CRITICAL (Fix Immediately)
+  1. Remove typosquatting package
+     $ npm uninstall expresss && npm install express
-**What's tracked:**
-- 🎯 **502 tracked packages** organized into 33 categories
-- 🌐 **Full ecosystem coverage** - Frontend, backend, build tools, testing, databases
-- ⚡ **Zero performance impact** - Smart filtering + parallel processing
-- 📊 **Comprehensive monitoring** - React, Vue, Angular, Next.js, Express, and 497+ more
+📈 Expected Impact:
+  ✓ Current Health Score: 4.2/10
+  ✓ Expected Score: 8.7/10
+  ✓ Improvement: +4.5 points (45% increase)
+```
 ## ✨ Features
+- 🛡️ **Supply Chain Security** (v2.7) - Malicious package & typosquatting detection
+- ⚖️ **License Risk Analysis** (v2.7) - Enhanced license compliance checking
+- 📊 **Package Quality Metrics** (v2.7) - Health scoring for dependencies
+- 💡 **Security Recommendations** (v2.7) - Prioritized, actionable fixes
 - ⚡ **Parallel Processing** (v2.6) - 80% faster GitHub issue tracking
 - 🎯 **500+ Package Coverage** (v2.5) - Comprehensive ecosystem monitoring
 - 🔮 **GitHub Issue Tracking** (v2.4) - Real-time monitoring of package health
@@ -101,9 +122,236 @@ devcompass analyze --ci
 devcompass analyze --silent
 ```
-## 🔮 Predictive Warnings (v2.6.0)
+## 🛡️ Supply Chain Security (v2.7.0)
+DevCompass now detects **supply chain attacks** including malicious packages, typosquatting, and suspicious install scripts!
+### What it detects:
+- 🔴 **Malicious packages** - Known bad actors from curated database
+- 🎯 **Typosquatting** - Packages with names similar to popular packages (e.g., "epress" vs "express")
+- 📦 **Install script warnings** - Suspicious postinstall/preinstall hooks
+- 🔗 **Dangerous patterns** - curl, wget, eval, exec in install scripts
+### Detection Methods:
+- **Exact pattern matching** - Database of 15+ known malicious packages
+- **Levenshtein distance** - Detects 1-2 character differences from popular packages
+- **Pattern analysis** - Scans install scripts for suspicious commands
+### Example Output:
+```
+🛡️ SUPPLY CHAIN SECURITY (3 warnings)
+🔴 MALICIOUS PACKAGES DETECTED
+  epress
+    Known malicious package detected
+    → Remove immediately - this package is known to be malicious
+🟠 TYPOSQUATTING RISK
+  expresss
+    Similar to: express (official package)
+    Risk: HIGH - Potential malicious package
+    → Remove expresss and install express
+🟡 INSTALL SCRIPT WARNING
+  suspicious-package@1.0.0
+    Script: postinstall
+    Patterns: curl, eval
+    Risk: MEDIUM - Review install script before use
+    → Review the install script before deployment
+```
+### Monitored Patterns:
+**Popular packages protected (15+):**
+- express, request, lodash, axios, webpack
+- react, vue, angular, next, typescript
+- eslint, prettier, jest, mocha, chai
+**Suspicious install script patterns:**
+- Network operations: curl, wget, http://, https://
+- Code execution: eval, exec, child_process
+- Shell access: /bin/sh, /bin/bash, powershell
+- Dangerous keywords: bitcoin, mining, keylogger, backdoor
+## ⚖️ License Risk Analysis (v2.7.0)
+Enhanced license compliance checking with **business risk scoring** and **compatibility analysis**!
+### License Risk Levels:
+**CRITICAL RISK (Immediate action required):**
+- AGPL-1.0, AGPL-3.0 (Network copyleft - very restrictive)
+- UNLICENSED (No license - all rights reserved)
+**HIGH RISK (Review with legal team):**
+- GPL-1.0, GPL-2.0, GPL-3.0 (Copyleft - requires source disclosure)
+- SEE LICENSE IN, CUSTOM (Custom licenses requiring review)
+**MEDIUM RISK (Limited obligations):**
+- LGPL-2.0, LGPL-2.1, LGPL-3.0 (Weak copyleft)
+- MPL-1.0, MPL-2.0 (File-level copyleft)
+- EPL-1.0, EPL-2.0 (Module-level copyleft)
+**LOW RISK (Safe for commercial use):**
+- MIT, Apache-2.0, BSD, ISC (Permissive)
+- CC0-1.0, Unlicense (Public domain)
+### License Compatibility Checking:
+Detects conflicts between your project license and dependency licenses!
+**Example Output:**
+```
+⚖️ LICENSE RISK ANALYSIS (3 warnings)
+  Project License: MIT
+🔴 CRITICAL LICENSE RISKS
+  gpl-library@1.0.0
+    License: AGPL-3.0
+    Network copyleft - very restrictive
+    → Replace with permissive alternative immediately
+🟠 HIGH RISK LICENSES
+  old-package@2.0.0
+    License: GPL-2.0
+    Requires source code disclosure
+    → Consider replacing with MIT/Apache alternative
+🟡 LICENSE CONFLICT DETECTED
+  Your project: MIT
+  Dependencies with GPL: 2 packages
+  Risk: License compatibility issue
+  → Review legal compliance
+```
+## 📊 Package Quality Metrics (v2.7.0)
+Comprehensive **health scoring** for all your dependencies based on maintenance, activity, and community engagement!
+### Health Score Factors (0-10 scale):
+- **Age** - Newer packages score higher (max -2 points for 3+ years)
+- **Maintenance frequency** - Recent updates score higher (max -2 points)
+- **GitHub activity** - Issue resolution tracked (max -2 points)
+- **Dependencies** - Fewer dependencies score higher (max -1 point)
+- **Documentation** - Description and repository presence (max -1 point)
+- **Deprecation** - Deprecated packages get automatic 0
+### Package Status Categories:
+- **HEALTHY (7-10):** Well-maintained, recent updates
+- **NEEDS ATTENTION (5-7):** Some concerns, monitor closely
+- **STALE (3-5):** Not updated in 1-2 years
+- **ABANDONED (0-3):** 2+ years without updates, inactive maintainers
+- **DEPRECATED (0):** Officially marked as deprecated
+### Example Output:
+```
+📊 PACKAGE QUALITY METRICS (20 analyzed)
+✅ HEALTHY PACKAGES (15)
+  react, axios, lodash, express, webpack...
+🟡 NEEDS ATTENTION (3)
+  old-package@1.0.0
+    Health Score: 6.5/10
+    Last Update: 8 months ago
+    Open Issues: 45 (12% resolved)
+    → Monitor for updates
+🟠 STALE PACKAGES (1)
+  aging-lib@2.0.0
+    Health Score: 4.2/10
+    Last Update: 18 months ago
+    → Consider finding actively maintained alternative
+🔴 ABANDONED PACKAGES (1)
+  deprecated-lib@0.5.0
+    Health Score: 1.2/10
+    Last Update: 3 years ago
+    Maintainer: Inactive
+    → Migrate to actively maintained alternative
+🔴 DEPRECATED PACKAGES (1)
+  old-framework@2.0.0
+    Package is officially deprecated
+    → Find alternative immediately
+```
+### Performance:
+- Analyzes up to 20 packages per run (prevents rate limiting)
+- ~100ms per package (npm registry API)
+- 1-hour cache duration
+- GitHub data integration for enhanced metrics
+## 💡 Security Recommendations (v2.7.0)
+Intelligent, **prioritized recommendations** with actionable commands and impact analysis!
+### Priority Levels:
+1. **CRITICAL** - Immediate security risks (malicious packages, critical vulnerabilities)
+2. **HIGH** - Production stability issues (typosquatting, GPL conflicts, abandoned packages)
+3. **MEDIUM** - Maintenance concerns (stale packages, install scripts, unused deps)
+4. **LOW** - Minor improvements (outdated packages, documentation)
+### What You Get:
+- ✅ **Priority-based ordering** - Fix critical issues first
+- ✅ **Copy-paste commands** - Ready-to-run npm commands
+- ✅ **Impact analysis** - See expected health score improvement
+- ✅ **Category grouping** - Supply chain, license, security, quality
+- ✅ **Alternative suggestions** - Recommended replacements
+### Example Output:
+```
+💡 SECURITY RECOMMENDATIONS (Prioritized)
+🔴 CRITICAL (Fix Immediately)
+  1. Remove typosquatting package
+     Package: expresss
+     Action: Remove expresss and install express
+     $ npm uninstall expresss && npm install express
+     Impact: Prevents potential supply chain attack
+  2. High-risk license detected
+     Package: gpl-package@1.0.0
+     Action: Replace with permissive alternative
+     $ npm uninstall gpl-package
+     Impact: Ensures license compliance
+🟠 HIGH (Fix Soon)
+  3. Abandoned package detected
+     Package: old-lib@1.0.0
+     Action: Migrate to actively maintained alternative
+     $ npm uninstall old-lib
+     Impact: Improves long-term stability
+     Health Score: 1.2/10
+  4. Security vulnerabilities detected
+     Action: Run npm audit fix to resolve vulnerabilities
+     $ npm audit fix
+     Impact: Resolves 12 known vulnerabilities
+🟡 MEDIUM (Plan to Fix)
+  5. Clean up unused dependencies
+     Action: Remove unused packages
+     $ npm uninstall axios express lodash
+     Impact: Reduces node_modules size, improves security surface
+📈 Expected Impact:
+  ✓ Current Health Score: 4.2/10
+  ✓ Expected Score: 8.7/10
+  ✓ Improvement: +4.5 points (45% increase)
+  ✓ Issues Resolved: 5 critical/high/medium
+  ✓ Eliminate 2 critical security risks
+  ✓ Resolve 3 high-priority issues
+💡 TIP: Run devcompass fix to apply automated fixes!
+```
+## 🔮 Predictive Warnings (v2.7.0)
-DevCompass now monitors **real-time GitHub activity for 500+ packages** to detect potential issues before they're officially reported!
+DevCompass monitors **real-time GitHub activity for 500+ packages** to detect potential issues before they're officially reported!
 ### What it tracks:
 - 🐛 **Open bug reports** in the last 7/30 days
@@ -168,7 +416,7 @@ Organized into 33 categories covering the entire JavaScript ecosystem:
 6. **Smart filtering:** Only checks packages you've actually installed
 7. **Parallel processing:** Checks multiple packages simultaneously (v2.6.0)
-### Performance (NEW in v2.6.0):
+### Performance (v2.6.0+):
 - **Parallel processing:** Checks 5 packages simultaneously (80% faster!)
 - **Smart filtering:** Only checks installed packages from your project
 - **First run:** ~1 second for 5 packages (was ~5s in v2.5.0)
@@ -177,12 +425,12 @@ Organized into 33 categories covering the entire JavaScript ecosystem:
 - **Zero overhead:** Uninstalled packages aren't checked
 **Performance Benchmarks:**
-| Packages | v2.5.0 | v2.6.0 | Improvement |
-|----------|--------|--------|-------------|
-| 5        | ~5s    | ~1s    | 80% faster  |
-| 10       | ~10s   | ~2s    | 80% faster  |
-| 20       | ~20s   | ~4s    | 80% faster  |
-| 50       | ~50s   | ~10s   | 80% faster  |
+| Packages | v2.5.0 | v2.6.0+ | Improvement |
+|----------|--------|---------|-------------|
+| 5        | ~5s    | ~1s     | 80% faster  |
+| 10       | ~10s   | ~2s     | 80% faster  |
+| 20       | ~20s   | ~4s     | 80% faster  |
+| 50       | ~50s   | ~10s    | 80% faster  |
 > **Performance Example:** If you have 5 tracked packages installed (e.g., react, axios, lodash, express, webpack), DevCompass checks all 5 in parallel, completing in ~1 second instead of ~5 seconds!
@@ -264,9 +512,9 @@ Detect restrictive licenses that may require legal review!
 ### Combined Analysis Example
-**Full Output:**
+**Full Output (v2.7.0):**
 ```
-🔍 DevCompass v2.6.0 - Analyzing your project...
+🔍 DevCompass v2.7.0 - Analyzing your project...
 ✔ Scanned 25 dependencies in project
 ⚡ GitHub check completed in 1.23s (parallel processing)
@@ -278,6 +526,15 @@ Detect restrictive licenses that may require legal review!
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+🛡️ SUPPLY CHAIN SECURITY (1 warning)
+🟠 TYPOSQUATTING RISK
+  expresss
+    Similar to: express (official package)
+    → Remove expresss and install express
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 🚨 ECOSYSTEM ALERTS (1)
 🟠 HIGH
@@ -299,18 +556,32 @@ Detect restrictive licenses that may require legal review!
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-📦 HEAVY PACKAGES (2)
+⚖️ LICENSE RISK ANALYSIS
-  Packages larger than 1MB:
+  Project License: MIT
-  typescript                8.1 MB
-  webpack                   2.3 MB
+✅ All licenses are compliant!
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-✅ LICENSE COMPLIANCE
+📊 PACKAGE QUALITY METRICS (20 analyzed)
-  All licenses are permissive!
+✅ HEALTHY PACKAGES (18)
+  react, axios, lodash, express, webpack...
+🟡 NEEDS ATTENTION (2)
+  old-package@1.0.0
+    Health Score: 6.5/10
+    Last Update: 8 months ago
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+📦 HEAVY PACKAGES (2)
+  Packages larger than 1MB:
+  typescript                8.1 MB
+  webpack                   2.3 MB
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
@@ -318,22 +589,35 @@ Detect restrictive licenses that may require legal review!
   Overall Score:              8.5/10
   Total Dependencies:         25
+  Supply Chain Warnings:      1
   Ecosystem Alerts:           1
   Predictive Warnings:        1
+  License Risks:              0
+  Quality Issues:             0
   Unused:                     0
   Outdated:                   2
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-💡 QUICK WINS
+💡 SECURITY RECOMMENDATIONS (Prioritized)
+🟠 HIGH (Fix Soon)
+  1. Typosquatting attempt detected
+     Package: expresss
+     $ npm uninstall expresss && npm install express
-  🔴 Fix critical issues:
+  2. Upgrade vulnerable package
+     Package: axios@1.6.0
+     $ npm install axios@1.6.2
-  npm install axios@1.6.2
+📈 Expected Impact:
-  Expected impact:
-  ✓ Resolve critical stability issues
-  ✓ Improve health score → 10/10
+  ✓ Current Health Score: 8.5/10
+  ✓ Expected Score: 9.8/10
+  ✓ Improvement: +1.3 points (13% increase)
+  ✓ Eliminate 1 supply chain risk
+  ✓ Resolve 1 high-priority issue
 💡 TIP: Run 'devcompass fix' to apply these fixes automatically!
 ```
@@ -346,57 +630,44 @@ Perfect for parsing in CI/CD pipelines:
 devcompass analyze --json
 ```
-**Output:**
+**Output (v2.7.0):**
 ```json
 {
-  "version": "2.6.0",
+  "version": "2.7.0",
   "timestamp": "2026-04-04T10:30:00.000Z",
   "summary": {
     "healthScore": 8.5,
     "totalDependencies": 25,
     "securityVulnerabilities": 0,
+    "supplyChainWarnings": 1,
     "ecosystemAlerts": 1,
     "predictiveWarnings": 1,
+    "licenseRisks": 0,
+    "qualityIssues": 0,
     "unusedDependencies": 0,
-    "outdatedPackages": 2,
-    "heavyPackages": 2,
-    "licenseWarnings": 0
+    "outdatedPackages": 2
   },
-  "security": {
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "moderate": 0,
-    "low": 0,
-    "vulnerabilities": []
-  },
-  "predictiveWarnings": [
-    {
-      "package": "express",
-      "severity": "medium",
-      "title": "Increased issue activity",
-      "description": "8 issues opened recently",
-      "recommendation": "Monitor for stability",
-      "githubData": {
-        "totalIssues": 234,
-        "recentIssues": 8,
-        "trend": "increasing",
-        "repoUrl": "https://github.com/expressjs/express"
-      }
-    }
-  ],
-  "bundleAnalysis": {
-    "heavyPackages": [
-      { "name": "typescript", "size": "8.1 MB" },
-      { "name": "webpack", "size": "2.3 MB" }
-    ]
+  "supplyChain": {
+    "total": 1,
+    "warnings": [...]
   },
-  "licenses": {
+  "licenseRisk": {
+    "total": 0,
+    "projectLicense": "MIT",
     "warnings": []
   },
-  "ecosystemAlerts": [...],
-  "unusedDependencies": [],
-  "outdatedPackages": [...]
+  "packageQuality": {
+    "total": 20,
+    "healthy": 18,
+    "needsAttention": 2,
+    "packages": [...]
+  },
+  "recommendations": {
+    "total": 2,
+    "critical": 0,
+    "high": 2,
+    "items": [...]
+  }
 }
 ```
@@ -441,9 +712,13 @@ DevCompass caches results to improve performance:
 - **Cache duration:** 1 hour
 - **Cache file:** `.devcompass-cache.json` (auto-gitignored)
-**What gets cached:**
-- GitHub issue data (v2.4+)
-- Predictive warnings (v2.4+)
+**What gets cached (v2.7.0):**
+- Supply chain analysis
+- License risk data
+- Package quality metrics
+- Security recommendations
+- GitHub issue data
+- Predictive warnings
 - Security vulnerabilities
 - Ecosystem alerts
 - Unused dependencies
@@ -580,7 +855,8 @@ DevCompass tracks **real-world issues** in 500+ popular packages and warns you b
 3. Uses semantic versioning for precise detection
 4. Checks live GitHub activity for 502+ packages
 5. Uses parallel processing for 80% faster checks (v2.6.0)
-6. Shows actionable fix commands
+6. Analyzes supply chain security (v2.7.0)
+7. Shows actionable fix commands
 ## 🎯 What It Detects
@@ -698,16 +974,19 @@ fi
 ### Security-Focused Workflow
 ```bash
-# 1. Run security scan
+# 1. Run comprehensive security scan
 devcompass analyze
 # 2. Check for critical vulnerabilities
 devcompass analyze --json | jq '.security.critical'
-# 3. Auto-fix if possible
+# 3. Check supply chain risks
+devcompass analyze --json | jq '.supplyChain.warnings'
+# 4. Auto-fix if possible
 npm audit fix
-# 4. Verify fixes
+# 5. Verify fixes
 devcompass analyze
 ```
@@ -753,6 +1032,9 @@ If you encounter a false positive, please [report it](https://github.com/AjayBTh
 10. **Verify before uninstalling** - DevCompass helps identify candidates, but always verify
 11. **Watch predictive warnings** - Monitor packages with increasing issue activity
 12. **Leverage parallel processing** - First run takes ~2s with v2.6.0 (was ~8s)
+13. **Monitor supply chain** - Check for typosquatting regularly (v2.7.0)
+14. **Review license risks** - Ensure GPL/AGPL compliance (v2.7.0)
+15. **Track package quality** - Replace abandoned packages proactively (v2.7.0)
 ## 🤝 Contributing
@@ -785,6 +1067,13 @@ Want to add known issues for a package?
 ```
 3. Submit a PR with your additions!
+### Adding Malicious Packages
+Help protect the community! Add known malicious packages:
+1. Edit `data/known-malicious.json`
+2. Add to `malicious_packages` array or `typosquat_patterns`
+3. Submit a PR with evidence/source
 ### Development
 ```bash
 # Clone the repo
@@ -849,7 +1138,11 @@ Check out DevCompass stats:
 - [x] ~~Predictive warnings based on bug activity~~ ✅ **Added in v2.4.0!**
 - [x] ~~Expand to top 500 npm packages~~ ✅ **Added in v2.5.0!**
 - [x] ~~Performance optimizations with parallel processing~~ ✅ **Added in v2.6.0!**
-- [ ] Advanced security features with Snyk integration (v2.7.0)
+- [x] ~~Advanced security features~~ ✅ **Added in v2.7.0!**
+  - [x] Supply chain security analysis
+  - [x] Enhanced license risk detection
+  - [x] Package quality metrics
+  - [x] Security recommendations engine
 - [ ] Enhanced fix command improvements (v2.8.0)
 - [ ] Dependency graph visualization (v3.0.0)
 - [ ] Web dashboard for team health monitoring (v3.0.0)