getdoorman 1.0.5 → 1.0.7

package/src/rules/security/php.js

@@ -54,7 +54,7 @@ const rules = [
   {
     id: 'SEC-PHP-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via mysql_query with Concatenation',
     description: 'Concatenating user input into mysql_query() allows SQL injection.',
@@ -70,7 +70,7 @@ const rules = [
   {
     id: 'SEC-PHP-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via mysqli_query with Variable Interpolation',
     description: 'Using variable interpolation in mysqli_query() enables SQL injection.',
@@ -86,7 +86,7 @@ const rules = [
   {
     id: 'SEC-PHP-003',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via PDO::query with Variable Interpolation',
     description: 'Using string interpolation in PDO::query() bypasses prepared statement protection.',
@@ -102,7 +102,7 @@ const rules = [
   {
     id: 'SEC-PHP-004',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via $_GET in Query String',
     description: 'Directly embedding $_GET values in SQL queries allows injection.',
@@ -118,7 +118,7 @@ const rules = [
   {
     id: 'SEC-PHP-005',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via $_POST in Query String',
     description: 'Directly embedding $_POST values in SQL queries allows injection.',
@@ -134,7 +134,7 @@ const rules = [
   {
     id: 'SEC-PHP-006',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via sprintf()',
     description: 'Using sprintf to build SQL queries with user input allows injection.',
@@ -150,7 +150,7 @@ const rules = [
   {
     id: 'SEC-PHP-007',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via $_REQUEST in Query',
     description: 'Using $_REQUEST in SQL queries allows injection from any request method.',
@@ -198,7 +198,7 @@ const rules = [
   {
     id: 'SEC-PHP-010',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via $db->query with Concatenation',
     description: 'Using $db->query() with concatenated variables allows SQL injection.',
@@ -302,7 +302,7 @@ const rules = [
   {
     id: 'SEC-PHP-016',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via exec()',
     description: 'Passing user input to exec() allows arbitrary command execution.',
@@ -318,7 +318,7 @@ const rules = [
   {
     id: 'SEC-PHP-017',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via system()',
     description: 'Passing user input to system() allows arbitrary command execution.',
@@ -334,7 +334,7 @@ const rules = [
   {
     id: 'SEC-PHP-018',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via shell_exec()',
     description: 'Passing user input to shell_exec() allows arbitrary command execution.',
@@ -350,7 +350,7 @@ const rules = [
   {
     id: 'SEC-PHP-019',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via passthru()',
     description: 'Passing user input to passthru() allows arbitrary command execution.',
@@ -366,7 +366,7 @@ const rules = [
   {
     id: 'SEC-PHP-020',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via Backtick Operator',
     description: 'Using backtick operator with user input allows arbitrary command execution.',
@@ -386,7 +386,7 @@ const rules = [
   {
     id: 'SEC-PHP-021',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Local File Inclusion via include()',
     description: 'Using include() with user input allows including arbitrary files.',
@@ -402,7 +402,7 @@ const rules = [
   {
     id: 'SEC-PHP-022',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Local File Inclusion via require()',
     description: 'Using require() with user input allows including arbitrary files.',
@@ -418,7 +418,7 @@ const rules = [
   {
     id: 'SEC-PHP-023',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'File Inclusion via include_once with Variable',
     description: 'Using include_once with user-controlled variable allows file inclusion.',
@@ -434,7 +434,7 @@ const rules = [
   {
     id: 'SEC-PHP-024',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Remote File Inclusion Enabled',
     description: 'Setting allow_url_include=On enables remote file inclusion attacks.',
@@ -450,7 +450,7 @@ const rules = [
   {
     id: 'SEC-PHP-025',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'File Inclusion via require_once with Variable',
     description: 'Using require_once with user-controlled variable allows file inclusion.',
@@ -470,7 +470,7 @@ const rules = [
   {
     id: 'SEC-PHP-026',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Unsafe unserialize() with User Input',
     description: 'Using unserialize() on user input allows object injection and RCE.',
@@ -518,7 +518,7 @@ const rules = [
   {
     id: 'SEC-PHP-029',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Phar Deserialization Attack',
     description: 'File operations on phar:// streams with user input trigger deserialization.',
@@ -554,7 +554,7 @@ const rules = [
   {
     id: 'SEC-PHP-031',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Code Injection via eval()',
     description: 'Using eval() with user-controlled input allows arbitrary code execution.',
@@ -586,7 +586,7 @@ const rules = [
   {
     id: 'SEC-PHP-033',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Code Execution via assert()',
     description: 'assert() with string arguments evaluates code like eval() in PHP < 8.',
@@ -602,7 +602,7 @@ const rules = [
   {
     id: 'SEC-PHP-034',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Code Execution via preg_replace /e Modifier',
     description: 'The /e modifier in preg_replace evaluates replacement as PHP code.',
@@ -722,7 +722,7 @@ const rules = [
   {
     id: 'SEC-PHP-041',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via Laravel DB::raw()',
     description: 'Using DB::raw() with user input bypasses query builder protections.',
@@ -786,7 +786,7 @@ const rules = [
   {
     id: 'SEC-PHP-045',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via Laravel whereRaw()',
     description: 'Using whereRaw() with concatenated user input enables SQL injection.',
@@ -806,7 +806,7 @@ const rules = [
   {
     id: 'SEC-PHP-046',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'WordPress SQL Injection via $wpdb->query()',
     description: 'Using $wpdb->query() without $wpdb->prepare() allows SQL injection.',
@@ -974,7 +974,7 @@ const rules = [
   {
     id: 'SEC-PHP-056',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Weak Password Hashing: md5()',
     description: 'Using md5() for password hashing is trivially crackable.',
@@ -1006,7 +1006,7 @@ const rules = [
   {
     id: 'SEC-PHP-058',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded Encryption Key',
     description: 'Hardcoded encryption keys in source code can be extracted by attackers.',

package/src/rules/security/ruby.js

@@ -54,7 +54,7 @@ const rules = [
   {
     id: 'SEC-RUBY-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via String Interpolation in where()',
     description: 'Using string interpolation inside ActiveRecord where() allows SQL injection.',
@@ -70,7 +70,7 @@ const rules = [
   {
     id: 'SEC-RUBY-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via String Concatenation in where()',
     description: 'Concatenating user input into ActiveRecord where() enables SQL injection.',
@@ -86,7 +86,7 @@ const rules = [
   {
     id: 'SEC-RUBY-003',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Raw SQL with String Interpolation',
     description: 'Using execute() or select_all() with interpolated strings allows SQL injection.',
@@ -102,7 +102,7 @@ const rules = [
   {
     id: 'SEC-RUBY-004',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via find_by_sql',
     description: 'Using find_by_sql with string interpolation allows SQL injection.',
@@ -457,7 +457,7 @@ const rules = [
   {
     id: 'SEC-RUBY-025',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'CSRF Protection Disabled via Configuration',
     description: 'Setting allow_forgery_protection to false disables CSRF globally.',
@@ -477,7 +477,7 @@ const rules = [
   {
     id: 'SEC-RUBY-026',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via system()',
     description: 'Passing user input to system() allows command injection.',
@@ -493,7 +493,7 @@ const rules = [
   {
     id: 'SEC-RUBY-027',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via Backticks',
     description: 'Using backticks with interpolation allows command injection.',
@@ -509,7 +509,7 @@ const rules = [
   {
     id: 'SEC-RUBY-028',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via exec()',
     description: 'Passing user input to exec() allows command injection.',
@@ -525,7 +525,7 @@ const rules = [
   {
     id: 'SEC-RUBY-029',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via IO.popen',
     description: 'Using IO.popen with string interpolation allows command injection.',
@@ -541,7 +541,7 @@ const rules = [
   {
     id: 'SEC-RUBY-030',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via Open3 with Interpolation',
     description: 'Using Open3 methods with string interpolation allows command injection.',
@@ -561,7 +561,7 @@ const rules = [
   {
     id: 'SEC-RUBY-031',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Unsafe YAML.load',
     description: 'YAML.load can deserialize arbitrary Ruby objects, leading to RCE.',
@@ -577,7 +577,7 @@ const rules = [
   {
     id: 'SEC-RUBY-032',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Unsafe Marshal.load',
     description: 'Marshal.load can execute arbitrary code when deserializing untrusted data.',
@@ -593,7 +593,7 @@ const rules = [
   {
     id: 'SEC-RUBY-033',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Unsafe Marshal.restore',
     description: 'Marshal.restore is an alias for Marshal.load and is equally dangerous.',
@@ -625,7 +625,7 @@ const rules = [
   {
     id: 'SEC-RUBY-035',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Server-Side Template Injection via ERB.new',
     description: 'Passing user input to ERB.new allows arbitrary code execution.',
@@ -729,7 +729,7 @@ const rules = [
   {
     id: 'SEC-RUBY-041',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Code Injection via eval()',
     description: 'Using eval with user-controlled input allows arbitrary code execution.',
@@ -761,7 +761,7 @@ const rules = [
   {
     id: 'SEC-RUBY-043',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Unsafe constantize with User Input',
     description: 'Using constantize on user input allows instantiation of arbitrary classes.',
@@ -777,7 +777,7 @@ const rules = [
   {
     id: 'SEC-RUBY-044',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Code Injection via class_eval',
     description: 'Using class_eval with interpolated strings allows arbitrary code execution.',
@@ -845,7 +845,7 @@ const rules = [
   {
     id: 'SEC-RUBY-048',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded Secret Key',
     description: 'Hardcoded secret_key_base exposes application to session forgery.',
@@ -961,7 +961,7 @@ const rules = [
   {
     id: 'SEC-RUBY-055',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded Password',
     description: 'Hardcoded passwords in source code can be extracted by attackers.',
@@ -1029,7 +1029,7 @@ const rules = [
   {
     id: 'SEC-RUBY-059',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Template Injection via render with User Input',
     description: 'Passing user input to render() template name allows arbitrary template rendering.',

package/src/rules/security/rust.js

@@ -114,7 +114,7 @@ const rules = [
   {
     id: 'SEC-RS-005',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via format! in Query',
     description: 'Using format! to build SQL queries allows injection attacks.',
@@ -130,7 +130,7 @@ const rules = [
   {
     id: 'SEC-RS-006',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via String Concatenation',
     description: 'Building SQL queries with string concatenation allows injection.',
@@ -146,7 +146,7 @@ const rules = [
   {
     id: 'SEC-RS-007',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via Command::new',
     description: 'Passing user-controlled input to Command::new or .arg() can lead to command injection.',
@@ -162,7 +162,7 @@ const rules = [
   {
     id: 'SEC-RS-008',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via Shell Execution',
     description: 'Using Command::new("sh") or Command::new("bash") with -c flag and user input enables injection.',
@@ -210,7 +210,7 @@ const rules = [
   {
     id: 'SEC-RS-011',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded Secret',
     description: 'Secrets hardcoded in source code can be extracted from binaries.',
@@ -371,7 +371,7 @@ const rules = [
   {
     id: 'SEC-RS-021',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'from_raw_parts Without Bounds Checking',
     description: 'slice::from_raw_parts creates a slice from a raw pointer without verifying bounds, risking buffer overflows.',

package/src/rules/security/shell.js

@@ -55,7 +55,7 @@ const rules = [
   {
     id: 'SEC-SHELL-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'eval with Variable Input',
     description: 'eval executes arbitrary code and is dangerous when used with user-controlled input.',
@@ -75,7 +75,7 @@ const rules = [
   {
     id: 'SEC-SHELL-003',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Pipe to Shell (curl | bash)',
     description: 'Piping downloaded content directly to a shell executes untrusted code without inspection.',
@@ -115,7 +115,7 @@ const rules = [
   {
     id: 'SEC-SHELL-005',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded Password in Script',
     description: 'Passwords hardcoded in shell scripts can be read by anyone with file access.',
@@ -247,7 +247,7 @@ const rules = [
   {
     id: 'SEC-SHELL-011',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection in Shell Script',
     description: 'Interpolating variables into SQL commands allows SQL injection.',
@@ -267,7 +267,7 @@ const rules = [
   {
     id: 'SEC-SHELL-012',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via Backticks with User Input',
     description: 'Using backticks with user-controlled variables allows arbitrary command execution.',
@@ -347,7 +347,7 @@ const rules = [
   {
     id: 'SEC-SHELL-016',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SUID/SGID Bit Setting',
     description: 'Setting SUID/SGID bits on scripts or binaries can lead to privilege escalation.',
@@ -467,7 +467,7 @@ const rules = [
   {
     id: 'SEC-SHELL-022',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Exposed AWS Credentials',
     description: 'AWS access keys hardcoded in shell scripts can be used to compromise cloud resources.',
@@ -507,7 +507,7 @@ const rules = [
   {
     id: 'SEC-SHELL-024',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Firewall Disabled',
     description: 'Disabling firewall rules removes a critical security layer.',
@@ -547,7 +547,7 @@ const rules = [
   {
     id: 'SEC-SHELL-026',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Obfuscated Command Execution',
     description: 'Decoding base64 and piping to shell is a common technique to hide malicious commands.',

package/src/rules/security/ssrf.js

@@ -40,7 +40,7 @@ const rules = [
   {
     id: 'SEC-SSRF-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'HTTP Request with User-Controlled URL (SSRF)',
     description:
@@ -49,10 +49,20 @@ const rules = [
     check({ files }) {
       const findings = [];
       const pattern = /(?:fetch|axios\.get|axios\.post|axios\.put|axios\.delete|axios\.request|axios\(|http\.get|http\.request|https\.get|https\.request|got\(|got\.get|request\(|needle\(|superagent\.get)\s*\(\s*(?:req\.body|req\.query|req\.params|userUrl|url|targetUrl|input)\b/;
+      const validationContext = /validateUrl|isValidUrl|allowedDomains|urlAllowlist|safeUrl|URL\.parse|new URL\(|protocol\s*[!=]==|hostname\s*[!=]==|startsWith\s*\(\s*['"]https/i;
       for (const [path, content] of files) {
         if (SKIP_PATH.test(path)) continue;
         if (isJS(path)) {
-          findings.push(...scanLines(content, pattern, path, this));
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            if (pattern.test(lines[i])) {
+              // Check surrounding 10 lines for URL validation
+              const context = lines.slice(Math.max(0, i - 10), i + 5).join('\n');
+              if (!validationContext.test(context)) {
+                findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, confidence: this.confidence, file: path, line: i + 1, fix: this.fix });
+              }
+            }
+          }
         }
       }
       return findings;
@@ -95,10 +105,16 @@ const rules = [
     check({ files }) {
       const findings = [];
       const pattern = /169\.254\.169\.254|metadata\.google\.internal|metadata\.azure\.com/;
+      const blocklistContext = /block|deny|forbidden|not.?allowed|invalid|reject|blacklist|safelist|denylist|disallow|banned|BLOCKED/i;
       for (const [path, content] of files) {
         if (SKIP_PATH.test(path)) continue;
         if (isJS(path)) {
-          findings.push(...scanLines(content, pattern, path, this));
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            if (pattern.test(lines[i]) && !blocklistContext.test(lines[i])) {
+              findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, confidence: this.confidence, file: path, line: i + 1, fix: this.fix });
+            }
+          }
         }
       }
       return findings;

package/src/rules/security/swift.js

@@ -55,7 +55,7 @@ const rules = [
   {
     id: 'SEC-SWIFT-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded API Key or Secret',
     description: 'API keys or secrets hardcoded in source code can be extracted from compiled binaries.',
@@ -455,7 +455,7 @@ const rules = [
   {
     id: 'SEC-SWIFT-022',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded Encryption Key',
     description: 'Encryption keys hardcoded in source code can be extracted from the binary.',
@@ -555,7 +555,7 @@ const rules = [
   {
     id: 'SEC-SWIFT-027',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection in SQLite',
     description: 'String interpolation in SQLite queries allows SQL injection.',

package/src/rules/security/taint.js

@@ -15,7 +15,7 @@ const rules = [
   {
     id: 'TAINT-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Data Flow / Taint Analysis — Indirect Injection',
     check({ files }) {

package/src/scanner.js

@@ -8,8 +8,7 @@ import { Worker } from 'worker_threads';
 import { fileURLToPath } from 'url';
 import { join, relative, dirname } from 'path';
 import { loadIgnorePatterns } from './ignore.js';
-
-const DOORMAN_VERSION = '1.0.0';
+import { VERSION as DOORMAN_VERSION } from './version.js';
 
 const SOURCE_PATTERNS = [
   '**/*.js',

package/src/telemetry.js

@@ -29,6 +29,7 @@
 // ---------------------------------------------------------------------------
 
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
+import { VERSION } from './version.js';
 import { join } from 'path';
 import { createHash } from 'crypto';
 import { execSync } from 'child_process';
@@ -88,7 +89,7 @@ export function getAnonymousId(targetPath) {
  */
 export function buildPayload(scanResult, stack) {
   return {
-    version: '1.0.0',
+    version: VERSION,
     timestamp: new Date().toISOString(),
     // What stack (generic, not specific project)
     stack: {

package/src/version.js

@@ -0,0 +1,8 @@
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-8'));
+
+export const VERSION = pkg.version;