ghostimport 0.1.0

package/dist/cli.js

@@ -0,0 +1,587 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import path5 from "path";
+import { readFileSync } from "fs";
+import { fileURLToPath } from "url";
+
+// src/scan.ts
+import fs4 from "fs";
+import path4 from "path";
+
+// src/imports.ts
+var IMPORT_PATTERNS = [
+  /import\s+(?:[\w*{}\s,]+\s+from\s+)?['"]([^'".\n][^'"]*)['"]/g,
+  /require\s*\(\s*['"]([^'".\n][^'"]*)['"]\s*\)/g,
+  /import\s*\(\s*['"]([^'".\n][^'"]*)['"]\s*\)/g,
+  /export\s+(?:[\w*{}\s,]+\s+from\s+)?['"]([^'".\n][^'"]*)['"]/g
+];
+var BUILTIN_MODULES = /* @__PURE__ */ new Set([
+  "assert",
+  "assert/strict",
+  "async_hooks",
+  "buffer",
+  "child_process",
+  "cluster",
+  "console",
+  "constants",
+  "crypto",
+  "dgram",
+  "diagnostics_channel",
+  "dns",
+  "dns/promises",
+  "domain",
+  "events",
+  "fs",
+  "fs/promises",
+  "http",
+  "http2",
+  "https",
+  "inspector",
+  "inspector/promises",
+  "module",
+  "net",
+  "os",
+  "path",
+  "path/posix",
+  "path/win32",
+  "perf_hooks",
+  "process",
+  "punycode",
+  "querystring",
+  "readline",
+  "readline/promises",
+  "repl",
+  "sea",
+  "stream",
+  "stream/consumers",
+  "stream/promises",
+  "stream/web",
+  "string_decoder",
+  "sys",
+  "test",
+  "timers",
+  "timers/promises",
+  "tls",
+  "trace_events",
+  "tty",
+  "url",
+  "util",
+  "util/types",
+  "v8",
+  "vm",
+  "wasi",
+  "worker_threads",
+  "zlib"
+]);
+function isBuiltin(name) {
+  if (name.startsWith("node:")) return true;
+  return BUILTIN_MODULES.has(name);
+}
+function toPackageName(importPath) {
+  if (importPath.startsWith("@")) {
+    const parts = importPath.split("/");
+    if (parts.length < 2) return null;
+    return `${parts[0]}/${parts[1]}`;
+  }
+  return importPath.split("/")[0];
+}
+function extractImports(code) {
+  const found = /* @__PURE__ */ new Set();
+  for (const pattern of IMPORT_PATTERNS) {
+    pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.exec(code)) !== null) {
+      const raw = match[1];
+      const pkg = toPackageName(raw);
+      if (pkg && !isBuiltin(raw) && !isBuiltin(pkg)) {
+        found.add(pkg);
+      }
+    }
+  }
+  return [...found];
+}
+
+// src/cache.ts
+import fs from "fs";
+import path from "path";
+import os from "os";
+var CACHE_TTL = 24 * 60 * 60 * 1e3;
+function getCacheDir() {
+  const dir = path.join(os.homedir(), ".ghostimport");
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+  return dir;
+}
+function getCachePath() {
+  return path.join(getCacheDir(), "registry-cache.json");
+}
+function loadCache() {
+  const cachePath = getCachePath();
+  if (!fs.existsSync(cachePath)) return {};
+  try {
+    return JSON.parse(fs.readFileSync(cachePath, "utf8"));
+  } catch {
+    return {};
+  }
+}
+function saveCache(cache) {
+  fs.writeFileSync(getCachePath(), JSON.stringify(cache, null, 2), "utf8");
+}
+function getCached(cache, pkgName) {
+  const entry = cache[pkgName];
+  if (!entry) return null;
+  if (Date.now() - entry.ts > CACHE_TTL) return null;
+  return entry;
+}
+
+// src/config.ts
+import fs2 from "fs";
+import path2 from "path";
+var defaults = { ignore: [], includeUndeclared: true };
+function loadConfig(dir) {
+  const configPath = path2.join(dir, ".ghostimportrc.json");
+  if (!fs2.existsSync(configPath)) return { ...defaults };
+  try {
+    const raw = JSON.parse(fs2.readFileSync(configPath, "utf8"));
+    return { ...defaults, ...raw };
+  } catch {
+    return { ...defaults };
+  }
+}
+function matchesIgnore(pkg, patterns) {
+  for (const pattern of patterns) {
+    if (pattern === pkg) return true;
+    if (pattern.endsWith("/*")) {
+      const prefix = pattern.slice(0, -1);
+      if (pkg.startsWith(prefix)) return true;
+    }
+  }
+  return false;
+}
+
+// src/npm.ts
+import https from "https";
+function httpGetJson(url) {
+  return new Promise((resolve, reject) => {
+    const req = https.get(url, { headers: { Accept: "application/json" }, timeout: 8e3 }, (res) => {
+      let data = "";
+      res.on("data", (chunk) => {
+        data += chunk;
+      });
+      res.on("end", () => {
+        if (res.statusCode === 200) {
+          try {
+            resolve(JSON.parse(data));
+          } catch {
+            reject(new Error("Invalid JSON"));
+          }
+        } else if (res.statusCode === 404) {
+          resolve(null);
+        } else {
+          reject(new Error(`HTTP ${res.statusCode}`));
+        }
+      });
+    });
+    req.on("timeout", () => {
+      req.destroy();
+      reject(new Error("timeout"));
+    });
+    req.on("error", reject);
+  });
+}
+function encodePackageName(pkgName) {
+  return pkgName.startsWith("@") ? "@" + encodeURIComponent(pkgName.slice(1)) : encodeURIComponent(pkgName);
+}
+function checkNpm(pkgName) {
+  return new Promise((resolve) => {
+    const options = {
+      hostname: "registry.npmjs.org",
+      path: `/${encodePackageName(pkgName)}`,
+      method: "GET",
+      headers: { Accept: "application/json" },
+      timeout: 8e3
+    };
+    const req = https.request(options, (res) => {
+      res.resume();
+      if (res.statusCode === 200) {
+        resolve({ exists: true });
+      } else if (res.statusCode === 404) {
+        resolve({ exists: false });
+      } else {
+        resolve({ exists: null, error: `HTTP ${res.statusCode}` });
+      }
+    });
+    req.on("timeout", () => {
+      req.destroy();
+      resolve({ exists: null, error: "timeout" });
+    });
+    req.on("error", (err) => {
+      resolve({ exists: null, error: err.message });
+    });
+    req.end();
+  });
+}
+async function checkScary(pkgName) {
+  const encoded = encodePackageName(pkgName);
+  try {
+    const meta = await httpGetJson(`https://registry.npmjs.org/${encoded}`);
+    if (!meta) return { exists: false, squatRisk: "available" };
+    const created = meta.time?.created ? new Date(meta.time.created) : null;
+    const ageMs = created ? Date.now() - created.getTime() : Infinity;
+    const ageDays = Math.floor(ageMs / (1e3 * 60 * 60 * 24));
+    let downloads = null;
+    try {
+      const dl = await httpGetJson(`https://api.npmjs.org/downloads/point/last-week/${encoded}`);
+      downloads = dl?.downloads ?? null;
+    } catch {
+    }
+    const flags2 = [];
+    if (ageDays < 30) flags2.push(`created ${ageDays} days ago`);
+    if (downloads !== null && downloads < 50) flags2.push(`${downloads} weekly downloads`);
+    if (meta.versions && Object.keys(meta.versions).length <= 1) flags2.push("single version published");
+    const risk = flags2.length >= 2 ? "high" : flags2.length === 1 ? "medium" : "low";
+    return {
+      exists: true,
+      created: created?.toISOString().slice(0, 10) ?? "unknown",
+      downloads,
+      versions: meta.versions ? Object.keys(meta.versions).length : 0,
+      risk,
+      flags: flags2
+    };
+  } catch (err) {
+    return { exists: null, error: err.message };
+  }
+}
+
+// src/files.ts
+import fs3 from "fs";
+import path3 from "path";
+var SKIP_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", "dist", "build", ".next", "coverage", ".cache"]);
+var CODE_EXTS = /* @__PURE__ */ new Set([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"]);
+function walkFiles(dir) {
+  const results2 = [];
+  function walk(current) {
+    let entries;
+    try {
+      entries = fs3.readdirSync(current, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      if (entry.isDirectory()) {
+        if (!SKIP_DIRS.has(entry.name)) walk(path3.join(current, entry.name));
+      } else if (entry.isFile()) {
+        if (CODE_EXTS.has(path3.extname(entry.name))) results2.push(path3.join(current, entry.name));
+      }
+    }
+  }
+  walk(dir);
+  return results2;
+}
+function readPackageJsonDeps(dir) {
+  const pkgPath = path3.join(dir, "package.json");
+  if (!fs3.existsSync(pkgPath)) return /* @__PURE__ */ new Set();
+  try {
+    const pkg = JSON.parse(fs3.readFileSync(pkgPath, "utf8"));
+    return /* @__PURE__ */ new Set([
+      ...Object.keys(pkg.dependencies ?? {}),
+      ...Object.keys(pkg.devDependencies ?? {}),
+      ...Object.keys(pkg.peerDependencies ?? {}),
+      ...Object.keys(pkg.optionalDependencies ?? {})
+    ]);
+  } catch {
+    return /* @__PURE__ */ new Set();
+  }
+}
+function readWorkspacePackages(dir) {
+  const names = /* @__PURE__ */ new Set();
+  try {
+    const pkg = JSON.parse(fs3.readFileSync(path3.join(dir, "package.json"), "utf8"));
+    const workspaces = Array.isArray(pkg.workspaces) ? pkg.workspaces : pkg.workspaces?.packages ?? [];
+    for (const pattern of workspaces) {
+      const base = pattern.replace(/\/?\*$/, "");
+      const wsDir = path3.join(dir, base);
+      if (!fs3.existsSync(wsDir)) continue;
+      for (const entry of fs3.readdirSync(wsDir, { withFileTypes: true })) {
+        if (!entry.isDirectory()) continue;
+        const wsPkgPath = path3.join(wsDir, entry.name, "package.json");
+        if (!fs3.existsSync(wsPkgPath)) continue;
+        try {
+          const wsPkg = JSON.parse(fs3.readFileSync(wsPkgPath, "utf8"));
+          if (wsPkg.name) names.add(wsPkg.name);
+        } catch {
+        }
+      }
+    }
+  } catch {
+  }
+  const pnpmPath = path3.join(dir, "pnpm-workspace.yaml");
+  if (!fs3.existsSync(pnpmPath)) return names;
+  try {
+    const content = fs3.readFileSync(pnpmPath, "utf8");
+    for (const m of content.matchAll(/- ['"]?([^'"\n]+)['"]?/g)) {
+      const base = m[1].replace(/\/?\*$/, "");
+      const wsDir = path3.join(dir, base);
+      if (!fs3.existsSync(wsDir)) continue;
+      for (const entry of fs3.readdirSync(wsDir, { withFileTypes: true })) {
+        if (!entry.isDirectory()) continue;
+        const wsPkgPath = path3.join(wsDir, entry.name, "package.json");
+        if (!fs3.existsSync(wsPkgPath)) continue;
+        try {
+          const wsPkg = JSON.parse(fs3.readFileSync(wsPkgPath, "utf8"));
+          if (wsPkg.name) names.add(wsPkg.name);
+        } catch {
+        }
+      }
+    }
+  } catch {
+  }
+  return names;
+}
+
+// src/scan.ts
+var CONCURRENCY = 10;
+async function scan(targetDir2, { onProgress, useCache = true, scary = false, config: config2 } = {}) {
+  const conf = config2 ?? loadConfig(targetDir2);
+  const files = walkFiles(targetDir2);
+  const declaredDeps = readPackageJsonDeps(targetDir2);
+  const workspacePkgs = readWorkspacePackages(targetDir2);
+  const cache = useCache ? loadCache() : {};
+  let cacheHits = 0;
+  const importMap = /* @__PURE__ */ new Map();
+  for (const file of files) {
+    let code;
+    try {
+      code = fs4.readFileSync(file, "utf8");
+    } catch {
+      continue;
+    }
+    for (const pkg of extractImports(code)) {
+      if (!importMap.has(pkg)) importMap.set(pkg, []);
+      importMap.get(pkg).push(path4.relative(targetDir2, file));
+    }
+  }
+  const allPkgs = [...importMap.keys()].filter(
+    (pkg) => !matchesIgnore(pkg, conf.ignore) && !workspacePkgs.has(pkg)
+  );
+  const results2 = {
+    scanned: files.length,
+    packages: allPkgs.length,
+    hallucinated: [],
+    notInPackageJson: [],
+    errors: [],
+    scary: [],
+    cacheHits: 0
+  };
+  for (let i = 0; i < allPkgs.length; i += CONCURRENCY) {
+    const batch = allPkgs.slice(i, i + CONCURRENCY);
+    const checks = await Promise.all(
+      batch.map((pkg) => {
+        const cached = getCached(cache, pkg);
+        if (cached) {
+          cacheHits++;
+          return Promise.resolve({ exists: cached.exists });
+        }
+        return checkNpm(pkg);
+      })
+    );
+    for (let j = 0; j < batch.length; j++) {
+      const pkg = batch[j];
+      const { exists, error } = checks[j];
+      const matchedFiles = importMap.get(pkg);
+      if (exists !== null && useCache) {
+        cache[pkg] = { exists, ts: Date.now() };
+      }
+      onProgress?.({ pkg, exists, error, total: allPkgs.length, done: i + j + 1 });
+      if (exists === false) {
+        results2.hallucinated.push({ pkg, files: matchedFiles });
+      } else if (exists === null && error) {
+        results2.errors.push({ pkg, error, files: matchedFiles });
+      } else if (exists === true && !declaredDeps.has(pkg)) {
+        results2.notInPackageJson.push({ pkg, files: matchedFiles });
+      }
+    }
+  }
+  if (useCache) saveCache(cache);
+  results2.cacheHits = cacheHits;
+  if (scary) {
+    for (const { pkg, files: matchedFiles } of results2.hallucinated) {
+      results2.scary.push({ pkg, files: matchedFiles, type: "available" });
+    }
+    for (const { pkg, files: matchedFiles } of results2.notInPackageJson) {
+      const info = await checkScary(pkg);
+      if (info.exists === true && info.risk !== "low") {
+        results2.scary.push({
+          pkg,
+          files: matchedFiles,
+          type: "suspicious",
+          exists: true,
+          created: info.created,
+          downloads: info.downloads,
+          versions: info.versions,
+          risk: info.risk,
+          flags: info.flags
+        });
+      }
+    }
+  }
+  return results2;
+}
+
+// src/cli.ts
+var __dirname = path5.dirname(fileURLToPath(import.meta.url));
+var { version } = JSON.parse(
+  readFileSync(path5.join(__dirname, "..", "package.json"), "utf8")
+);
+var c = {
+  red: (s) => `\x1B[31m${s}\x1B[0m`,
+  yellow: (s) => `\x1B[33m${s}\x1B[0m`,
+  green: (s) => `\x1B[32m${s}\x1B[0m`,
+  cyan: (s) => `\x1B[36m${s}\x1B[0m`,
+  gray: (s) => `\x1B[90m${s}\x1B[0m`,
+  bold: (s) => `\x1B[1m${s}\x1B[0m`,
+  dim: (s) => `\x1B[2m${s}\x1B[0m`,
+  magenta: (s) => `\x1B[35m${s}\x1B[0m`
+};
+var args = process.argv.slice(2);
+var targetDir = path5.resolve(args.find((a) => !a.startsWith("--") && !a.startsWith("-")) ?? ".");
+var flags = {
+  quiet: args.includes("--quiet") || args.includes("-q"),
+  json: args.includes("--json"),
+  noUndeclared: args.includes("--no-undeclared"),
+  noCache: args.includes("--no-cache"),
+  scary: args.includes("--scary"),
+  help: args.includes("--help") || args.includes("-h"),
+  version: args.includes("--version") || args.includes("-v")
+};
+if (flags.version) {
+  console.log(`ghostimport v${version}`);
+  process.exit(0);
+}
+if (flags.help) {
+  console.log(`
+${c.bold("ghostimport")} \u2014 detect hallucinated npm packages in your code
+
+${c.bold("Usage:")}
+  ghostimport [dir] [options]
+
+${c.bold("Options:")}
+  --quiet, -q       Only show problems (no progress)
+  --json            Output results as JSON
+  --no-undeclared   Skip "imported but not in package.json" warnings
+  --scary           Check for supply chain attack risk (squatting)
+  --no-cache        Skip the local registry cache
+  --version, -v     Show version
+  --help, -h        Show this help
+
+${c.bold("Config:")}
+  Create ${c.cyan(".ghostimportrc.json")} in your project root:
+  {
+    "ignore": ["@company/*", "internal-lib"],
+    "includeUndeclared": true
+  }
+
+${c.bold("Examples:")}
+  ghostimport                  scan current directory
+  ghostimport ./src            scan specific folder
+  ghostimport --quiet          only show issues
+  ghostimport --scary          check supply chain risk
+  ghostimport --json           machine-readable output
+`);
+  process.exit(0);
+}
+var config = loadConfig(targetDir);
+if (!flags.quiet && !flags.json) {
+  console.log(`
+${c.bold("ghostimport")} ${c.gray(`v${version}`)}`);
+  console.log(c.gray(`Scanning ${targetDir}`));
+  if (flags.scary) console.log(c.magenta("  \u26A0  Scary mode: checking supply chain risk"));
+  console.log();
+}
+var lastProgress = "";
+var results = await scan(targetDir, {
+  useCache: !flags.noCache,
+  scary: flags.scary,
+  config,
+  onProgress: flags.json || flags.quiet ? void 0 : ({ pkg, done, total }) => {
+    const pct = Math.round(done / total * 100);
+    const bar = "\u2588".repeat(Math.floor(pct / 5)) + "\u2591".repeat(20 - Math.floor(pct / 5));
+    const line = `  ${c.gray(bar)} ${pct}%  ${c.dim(pkg.slice(0, 30))}`;
+    process.stdout.write("\r" + line + " ".repeat(Math.max(0, lastProgress.length - line.length)));
+    lastProgress = line;
+  }
+});
+if (!flags.json && !flags.quiet && lastProgress) {
+  process.stdout.write("\r" + " ".repeat(lastProgress.length + 5) + "\r");
+}
+if (flags.json) {
+  console.log(JSON.stringify(results, null, 2));
+  process.exit(results.hallucinated.length > 0 ? 1 : 0);
+}
+var totalIssues = results.hallucinated.length + (flags.noUndeclared ? 0 : results.notInPackageJson.length);
+console.log(
+  `  ${c.gray("Scanned")} ${c.cyan(results.scanned + " files")} \xB7 ${c.cyan(results.packages + " unique packages")} checked` + (results.cacheHits > 0 ? ` ${c.gray(`(${results.cacheHits} cached)`)}` : "") + "\n"
+);
+if (results.hallucinated.length === 0) {
+  console.log(c.green("  \u2713 No hallucinated packages found"));
+} else {
+  console.log(c.bold(c.red(`  \u2717 ${results.hallucinated.length} hallucinated package${results.hallucinated.length > 1 ? "s" : ""} (do not exist on npm):
+`)));
+  for (const { pkg, files } of results.hallucinated) {
+    console.log(`  ${c.red("\u25CF")} ${c.bold(pkg)}`);
+    for (const f of files.slice(0, 3)) console.log(`    ${c.gray("\u21B3")} ${c.dim(f)}`);
+    if (files.length > 3) console.log(`    ${c.gray(`\u21B3 ...and ${files.length - 3} more files`)}`);
+  }
+}
+if (flags.scary && results.scary.length > 0) {
+  console.log();
+  const available = results.scary.filter((s) => s.type === "available");
+  const suspicious = results.scary.filter((s) => s.type === "suspicious");
+  if (available.length > 0) {
+    console.log(c.bold(c.magenta(`  \u{1F480} ${available.length} package name${available.length > 1 ? "s" : ""} available for malicious registration:
+`)));
+    for (const { pkg } of available) {
+      console.log(`  ${c.magenta("\u25CF")} ${c.bold(pkg)}`);
+      console.log(`    ${c.red("\u21B3 Anyone can register this name with a malicious postinstall script")}`);
+      console.log(`    ${c.red("\u21B3 If installed, it could exfiltrate .env, tokens, SSH keys")}`);
+    }
+  }
+  if (suspicious.length > 0) {
+    console.log();
+    console.log(c.bold(c.magenta(`  \u{1F575}\uFE0F  ${suspicious.length} suspicious package${suspicious.length > 1 ? "s" : ""} (potential squats):
+`)));
+    for (const entry of suspicious) {
+      if (entry.type !== "suspicious") continue;
+      console.log(`  ${c.magenta("\u25CF")} ${c.bold(entry.pkg)} ${c.gray(`(created ${entry.created}, ${entry.downloads ?? "?"} downloads/week)`)}`);
+      for (const flag of entry.flags) console.log(`    ${c.yellow("\u21B3")} ${flag}`);
+    }
+  }
+}
+if (!flags.noUndeclared && results.notInPackageJson.length > 0) {
+  console.log();
+  console.log(c.bold(c.yellow(`  \u26A0  ${results.notInPackageJson.length} package${results.notInPackageJson.length > 1 ? "s" : ""} imported but missing from package.json:
+`)));
+  for (const { pkg, files } of results.notInPackageJson.slice(0, 10)) {
+    console.log(`  ${c.yellow("\u25CF")} ${c.bold(pkg)}`);
+    for (const f of files.slice(0, 2)) console.log(`    ${c.gray("\u21B3")} ${c.dim(f)}`);
+  }
+  if (results.notInPackageJson.length > 10) {
+    console.log(`  ${c.gray(`  ...and ${results.notInPackageJson.length - 10} more`)}`);
+  }
+}
+if (results.errors.length > 0) {
+  console.log();
+  console.log(c.gray(`  \u26A1 ${results.errors.length} package(s) could not be checked (network/timeout)`));
+}
+console.log();
+if (totalIssues === 0 && results.scary.length === 0) {
+  console.log(c.green(c.bold("  All good! \u2713\n")));
+} else if (flags.scary && results.scary.length > 0) {
+  const scaryCount = results.scary.filter((s) => s.type === "available").length;
+  console.log(c.red(c.bold(`  Found ${totalIssues} issue${totalIssues > 1 ? "s" : ""} \xB7 ${scaryCount} supply chain risk${scaryCount > 1 ? "s" : ""}
+`)));
+} else {
+  console.log(c.red(c.bold(`  Found ${totalIssues} issue${totalIssues > 1 ? "s" : ""}.
+`)));
+}
+process.exit(results.hallucinated.length > 0 ? 1 : 0);

package/dist/config.d.ts

@@ -0,0 +1,3 @@
+import type { Config } from './types';
+export declare function loadConfig(dir: string): Config;
+export declare function matchesIgnore(pkg: string, patterns: string[]): boolean;

package/dist/files.d.ts

@@ -0,0 +1,3 @@
+export declare function walkFiles(dir: string): string[];
+export declare function readPackageJsonDeps(dir: string): Set<string>;
+export declare function readWorkspacePackages(dir: string): Set<string>;

package/dist/imports.d.ts

@@ -0,0 +1 @@
+export declare function extractImports(code: string): string[];