ghostimport 0.1.1 → 0.1.3

package/README.md

@@ -40,6 +40,8 @@ The result: your build fails, or your CI breaks at 2am, or — in the worst case
 
 ## Install
 
+Requires Node.js 22 or later.
+
 ```bash
 # Run once (no install needed)
 npx ghostimport
@@ -71,12 +73,27 @@ ghostimport --json
 # Skip "missing from package.json" warnings
 ghostimport --no-undeclared
 
+# Watch mode (re-scans on file changes)
+ghostimport --watch
+
 # Help
 ghostimport --help
 ```
 
 ### Add to CI (GitHub Actions)
 
+Use the built-in action for the simplest setup:
+
+```yaml
+- name: Check for hallucinated packages
+  uses: FGuerreir0/ghostimport@main
+  with:
+    path: '.'
+    scary: 'false'
+```
+
+Or run directly:
+
 ```yaml
 - name: Check for hallucinated packages
   run: npx ghostimport --quiet
@@ -84,6 +101,18 @@ ghostimport --help
 
 This step will fail (exit code 1) if any hallucinated packages are found.
 
+### Pre-commit
+
+Add to `.pre-commit-config.yaml`:
+
+```yaml
+repos:
+  - repo: https://github.com/FGuerreir0/ghostimport
+    rev: main
+    hooks:
+      - id: ghostimport
+```
+
 ---
 
 ## Programmatic API
@@ -163,6 +192,9 @@ interface ScanOptions {
 **Automatically ignores:**
 - Node.js built-ins (`fs`, `path`, `crypto`, `node:*`, ...)
 - Relative imports (`./`, `../`)
+- Path aliases (`@/`, `~/`, `$lib/`, and tsconfig `paths`)
+- URL/protocol imports (`https:`, `data:`, `bun:`, ...)
+- Virtual modules (`virtual:`, Vite/Rollup internals)
 - `node_modules/`, `dist/`, `.git/`, `build/`
 
 **Supported file types:** `.js` `.jsx` `.ts` `.tsx` `.mjs` `.cjs`

package/dist/cli.js

@@ -2,7 +2,7 @@
 
 // src/cli.ts
 import path5 from "path";
-import { readFileSync } from "fs";
+import { readFileSync, watch as fsWatch } from "fs";
 import { fileURLToPath } from "url";
 
 // src/scan.ts
@@ -268,7 +268,7 @@ import path3 from "path";
 var SKIP_DIRS = /* @__PURE__ */ new Set(["node_modules", ".git", "dist", "build", ".next", "coverage", ".cache"]);
 var CODE_EXTS = /* @__PURE__ */ new Set([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"]);
 function walkFiles(dir) {
-  const results2 = [];
+  const results = [];
   function walk(current) {
     let entries;
     try {
@@ -280,12 +280,12 @@ function walkFiles(dir) {
       if (entry.isDirectory()) {
         if (!SKIP_DIRS.has(entry.name)) walk(path3.join(current, entry.name));
       } else if (entry.isFile()) {
-        if (CODE_EXTS.has(path3.extname(entry.name))) results2.push(path3.join(current, entry.name));
+        if (CODE_EXTS.has(path3.extname(entry.name))) results.push(path3.join(current, entry.name));
       }
     }
   }
   walk(dir);
-  return results2;
+  return results;
 }
 function readPackageJsonDeps(dir) {
   const pkgPath = path3.join(dir, "package.json");
@@ -395,7 +395,7 @@ async function scan(targetDir2, { onProgress, useCache = true, scary = false, co
   const allPkgs = [...importMap.keys()].filter(
     (pkg) => !matchesIgnore(pkg, conf.ignore) && !workspacePkgs.has(pkg) && !tsconfigAliases.has(pkg)
   );
-  const results2 = {
+  const results = {
     scanned: files.length,
     packages: allPkgs.length,
     hallucinated: [],
@@ -425,24 +425,24 @@ async function scan(targetDir2, { onProgress, useCache = true, scary = false, co
       }
       onProgress?.({ pkg, exists, error, total: allPkgs.length, done: i + j + 1 });
       if (exists === false) {
-        results2.hallucinated.push({ pkg, files: matchedFiles });
+        results.hallucinated.push({ pkg, files: matchedFiles });
       } else if (exists === null && error) {
-        results2.errors.push({ pkg, error, files: matchedFiles });
+        results.errors.push({ pkg, error, files: matchedFiles });
       } else if (exists === true && !declaredDeps.has(pkg)) {
-        results2.notInPackageJson.push({ pkg, files: matchedFiles });
+        results.notInPackageJson.push({ pkg, files: matchedFiles });
       }
     }
   }
   if (useCache) saveCache(cache);
-  results2.cacheHits = cacheHits;
+  results.cacheHits = cacheHits;
   if (scary) {
-    for (const { pkg, files: matchedFiles } of results2.hallucinated) {
-      results2.scary.push({ pkg, files: matchedFiles, type: "available" });
+    for (const { pkg, files: matchedFiles } of results.hallucinated) {
+      results.scary.push({ pkg, files: matchedFiles, type: "available" });
     }
-    for (const { pkg, files: matchedFiles } of results2.notInPackageJson) {
+    for (const { pkg, files: matchedFiles } of results.notInPackageJson) {
       const info = await checkScary(pkg);
       if (info.exists === true && info.risk !== "low") {
-        results2.scary.push({
+        results.scary.push({
           pkg,
           files: matchedFiles,
           type: "suspicious",
@@ -456,7 +456,7 @@ async function scan(targetDir2, { onProgress, useCache = true, scary = false, co
       }
     }
   }
-  return results2;
+  return results;
 }
 
 // src/cli.ts
@@ -479,6 +479,7 @@ var targetDir = path5.resolve(args.find((a) => !a.startsWith("--") && !a.startsW
 var flags = {
   quiet: args.includes("--quiet") || args.includes("-q"),
   json: args.includes("--json"),
+  watch: args.includes("--watch") || args.includes("-w"),
   noUndeclared: args.includes("--no-undeclared"),
   noCache: args.includes("--no-cache"),
   scary: args.includes("--scary"),
@@ -499,6 +500,7 @@ ${c.bold("Usage:")}
 ${c.bold("Options:")}
   --quiet, -q       Only show problems (no progress)
   --json            Output results as JSON
+  --watch, -w       Watch for file changes and re-scan
   --no-undeclared   Skip "imported but not in package.json" warnings
   --scary           Check for supply chain attack risk (squatting)
   --no-cache        Skip the local registry cache
@@ -522,97 +524,121 @@ ${c.bold("Examples:")}
   process.exit(0);
 }
 var config = loadConfig(targetDir);
-if (!flags.quiet && !flags.json) {
-  console.log(`
+async function runScan() {
+  if (!flags.quiet && !flags.json) {
+    console.log(`
 ${c.bold("ghostimport")} ${c.gray(`v${version}`)}`);
-  console.log(c.gray(`Scanning ${targetDir}`));
-  if (flags.scary) console.log(c.magenta("  \u26A0  Scary mode: checking supply chain risk"));
-  console.log();
-}
-var lastProgress = "";
-var results = await scan(targetDir, {
-  useCache: !flags.noCache,
-  scary: flags.scary,
-  config,
-  onProgress: flags.json || flags.quiet ? void 0 : ({ pkg, done, total }) => {
-    const pct = Math.round(done / total * 100);
-    const bar = "\u2588".repeat(Math.floor(pct / 5)) + "\u2591".repeat(20 - Math.floor(pct / 5));
-    const line = `  ${c.gray(bar)} ${pct}%  ${c.dim(pkg.slice(0, 30))}`;
-    process.stdout.write("\r" + line + " ".repeat(Math.max(0, lastProgress.length - line.length)));
-    lastProgress = line;
+    console.log(c.gray(`Scanning ${targetDir}`));
+    if (flags.scary) console.log(c.magenta("  \u26A0  Scary mode: checking supply chain risk"));
+    console.log();
   }
-});
-if (!flags.json && !flags.quiet && lastProgress) {
-  process.stdout.write("\r" + " ".repeat(lastProgress.length + 5) + "\r");
-}
-if (flags.json) {
-  console.log(JSON.stringify(results, null, 2));
-  process.exit(results.hallucinated.length > 0 ? 1 : 0);
-}
-var totalIssues = results.hallucinated.length + (flags.noUndeclared ? 0 : results.notInPackageJson.length);
-console.log(
-  `  ${c.gray("Scanned")} ${c.cyan(results.scanned + " files")} \xB7 ${c.cyan(results.packages + " unique packages")} checked` + (results.cacheHits > 0 ? ` ${c.gray(`(${results.cacheHits} cached)`)}` : "") + "\n"
-);
-if (results.hallucinated.length === 0) {
-  console.log(c.green("  \u2713 No hallucinated packages found"));
-} else {
-  console.log(c.bold(c.red(`  \u2717 ${results.hallucinated.length} hallucinated package${results.hallucinated.length > 1 ? "s" : ""} (do not exist on npm):
-`)));
-  for (const { pkg, files } of results.hallucinated) {
-    console.log(`  ${c.red("\u25CF")} ${c.bold(pkg)}`);
-    for (const f of files.slice(0, 3)) console.log(`    ${c.gray("\u21B3")} ${c.dim(f)}`);
-    if (files.length > 3) console.log(`    ${c.gray(`\u21B3 ...and ${files.length - 3} more files`)}`);
+  let lastProgress = "";
+  const results = await scan(targetDir, {
+    useCache: !flags.noCache,
+    scary: flags.scary,
+    config,
+    onProgress: flags.json || flags.quiet ? void 0 : ({ pkg, done, total }) => {
+      const pct = Math.round(done / total * 100);
+      const bar = "\u2588".repeat(Math.floor(pct / 5)) + "\u2591".repeat(20 - Math.floor(pct / 5));
+      const line = `  ${c.gray(bar)} ${pct}%  ${c.dim(pkg.slice(0, 30))}`;
+      process.stdout.write("\r" + line + " ".repeat(Math.max(0, lastProgress.length - line.length)));
+      lastProgress = line;
+    }
+  });
+  if (!flags.json && !flags.quiet && lastProgress) {
+    process.stdout.write("\r" + " ".repeat(lastProgress.length + 5) + "\r");
   }
-}
-if (flags.scary && results.scary.length > 0) {
-  console.log();
-  const available = results.scary.filter((s) => s.type === "available");
-  const suspicious = results.scary.filter((s) => s.type === "suspicious");
-  if (available.length > 0) {
-    console.log(c.bold(c.magenta(`  \u{1F480} ${available.length} package name${available.length > 1 ? "s" : ""} available for malicious registration:
+  if (flags.json) {
+    console.log(JSON.stringify(results, null, 2));
+    return results.hallucinated.length;
+  }
+  const totalIssues = results.hallucinated.length + (flags.noUndeclared ? 0 : results.notInPackageJson.length);
+  console.log(
+    `  ${c.gray("Scanned")} ${c.cyan(results.scanned + " files")} \xB7 ${c.cyan(results.packages + " unique packages")} checked` + (results.cacheHits > 0 ? ` ${c.gray(`(${results.cacheHits} cached)`)}` : "") + "\n"
+  );
+  if (results.hallucinated.length === 0) {
+    console.log(c.green("  \u2713 No hallucinated packages found"));
+  } else {
+    console.log(c.bold(c.red(`  \u2717 ${results.hallucinated.length} hallucinated package${results.hallucinated.length > 1 ? "s" : ""} (do not exist on npm):
 `)));
-    for (const { pkg } of available) {
-      console.log(`  ${c.magenta("\u25CF")} ${c.bold(pkg)}`);
-      console.log(`    ${c.red("\u21B3 Anyone can register this name with a malicious postinstall script")}`);
-      console.log(`    ${c.red("\u21B3 If installed, it could exfiltrate .env, tokens, SSH keys")}`);
+    for (const { pkg, files } of results.hallucinated) {
+      console.log(`  ${c.red("\u25CF")} ${c.bold(pkg)}`);
+      for (const f of files.slice(0, 3)) console.log(`    ${c.gray("\u21B3")} ${c.dim(f)}`);
+      if (files.length > 3) console.log(`    ${c.gray(`\u21B3 ...and ${files.length - 3} more files`)}`);
     }
   }
-  if (suspicious.length > 0) {
+  if (flags.scary && results.scary.length > 0) {
     console.log();
-    console.log(c.bold(c.magenta(`  \u{1F575}\uFE0F  ${suspicious.length} suspicious package${suspicious.length > 1 ? "s" : ""} (potential squats):
+    const available = results.scary.filter((s) => s.type === "available");
+    const suspicious = results.scary.filter((s) => s.type === "suspicious");
+    if (available.length > 0) {
+      console.log(c.bold(c.magenta(`  \u{1F480} ${available.length} package name${available.length > 1 ? "s" : ""} available for malicious registration:
+`)));
+      for (const { pkg } of available) {
+        console.log(`  ${c.magenta("\u25CF")} ${c.bold(pkg)}`);
+        console.log(`    ${c.red("\u21B3 Anyone can register this name with a malicious postinstall script")}`);
+        console.log(`    ${c.red("\u21B3 If installed, it could exfiltrate .env, tokens, SSH keys")}`);
+      }
+    }
+    if (suspicious.length > 0) {
+      console.log();
+      console.log(c.bold(c.magenta(`  \u{1F575}\uFE0F  ${suspicious.length} suspicious package${suspicious.length > 1 ? "s" : ""} (potential squats):
 `)));
-    for (const entry of suspicious) {
-      if (entry.type !== "suspicious") continue;
-      console.log(`  ${c.magenta("\u25CF")} ${c.bold(entry.pkg)} ${c.gray(`(created ${entry.created}, ${entry.downloads ?? "?"} downloads/week)`)}`);
-      for (const flag of entry.flags) console.log(`    ${c.yellow("\u21B3")} ${flag}`);
+      for (const entry of suspicious) {
+        if (entry.type !== "suspicious") continue;
+        console.log(`  ${c.magenta("\u25CF")} ${c.bold(entry.pkg)} ${c.gray(`(created ${entry.created}, ${entry.downloads ?? "?"} downloads/week)`)}`);
+        for (const flag of entry.flags) console.log(`    ${c.yellow("\u21B3")} ${flag}`);
+      }
     }
   }
-}
-if (!flags.noUndeclared && results.notInPackageJson.length > 0) {
-  console.log();
-  console.log(c.bold(c.yellow(`  \u26A0  ${results.notInPackageJson.length} package${results.notInPackageJson.length > 1 ? "s" : ""} imported but missing from package.json:
+  if (!flags.noUndeclared && results.notInPackageJson.length > 0) {
+    console.log();
+    console.log(c.bold(c.yellow(`  \u26A0  ${results.notInPackageJson.length} package${results.notInPackageJson.length > 1 ? "s" : ""} imported but missing from package.json:
 `)));
-  for (const { pkg, files } of results.notInPackageJson.slice(0, 10)) {
-    console.log(`  ${c.yellow("\u25CF")} ${c.bold(pkg)}`);
-    for (const f of files.slice(0, 2)) console.log(`    ${c.gray("\u21B3")} ${c.dim(f)}`);
+    for (const { pkg, files } of results.notInPackageJson.slice(0, 10)) {
+      console.log(`  ${c.yellow("\u25CF")} ${c.bold(pkg)}`);
+      for (const f of files.slice(0, 2)) console.log(`    ${c.gray("\u21B3")} ${c.dim(f)}`);
+    }
+    if (results.notInPackageJson.length > 10) {
+      console.log(`  ${c.gray(`  ...and ${results.notInPackageJson.length - 10} more`)}`);
+    }
   }
-  if (results.notInPackageJson.length > 10) {
-    console.log(`  ${c.gray(`  ...and ${results.notInPackageJson.length - 10} more`)}`);
+  if (results.errors.length > 0) {
+    console.log();
+    console.log(c.gray(`  \u26A1 ${results.errors.length} package(s) could not be checked (network/timeout)`));
   }
-}
-if (results.errors.length > 0) {
   console.log();
-  console.log(c.gray(`  \u26A1 ${results.errors.length} package(s) could not be checked (network/timeout)`));
-}
-console.log();
-if (totalIssues === 0 && results.scary.length === 0) {
-  console.log(c.green(c.bold("  All good! \u2713\n")));
-} else if (flags.scary && results.scary.length > 0) {
-  const scaryCount = results.scary.filter((s) => s.type === "available").length;
-  console.log(c.red(c.bold(`  Found ${totalIssues} issue${totalIssues > 1 ? "s" : ""} \xB7 ${scaryCount} supply chain risk${scaryCount > 1 ? "s" : ""}
+  if (totalIssues === 0 && results.scary.length === 0) {
+    console.log(c.green(c.bold("  All good! \u2713\n")));
+  } else if (flags.scary && results.scary.length > 0) {
+    const scaryCount = results.scary.filter((s) => s.type === "available").length;
+    console.log(c.red(c.bold(`  Found ${totalIssues} issue${totalIssues > 1 ? "s" : ""} \xB7 ${scaryCount} supply chain risk${scaryCount > 1 ? "s" : ""}
 `)));
-} else {
-  console.log(c.red(c.bold(`  Found ${totalIssues} issue${totalIssues > 1 ? "s" : ""}.
+  } else {
+    console.log(c.red(c.bold(`  Found ${totalIssues} issue${totalIssues > 1 ? "s" : ""}.
 `)));
+  }
+  return results.hallucinated.length;
+}
+var issues = await runScan();
+if (flags.watch) {
+  const CODE_EXTS2 = /* @__PURE__ */ new Set([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"]);
+  let debounce = null;
+  console.log(c.gray(`  Watching for changes in ${targetDir}...
+`));
+  fsWatch(targetDir, { recursive: true }, (_event, filename) => {
+    if (!filename) return;
+    const ext = path5.extname(filename);
+    if (!CODE_EXTS2.has(ext)) return;
+    if (filename.includes("node_modules") || filename.includes("dist")) return;
+    if (debounce) clearTimeout(debounce);
+    debounce = setTimeout(async () => {
+      console.clear();
+      await runScan();
+      console.log(c.gray(`  Watching for changes...
+`));
+    }, 300);
+  });
+} else {
+  process.exit(issues > 0 ? 1 : 0);
 }
-process.exit(results.hallucinated.length > 0 ? 1 : 0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghostimport",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Detects ghost imports in your code - imports that don't exist, hallucinated by AI coding tools.",
   "keywords": [
     "npm",
@@ -12,7 +12,13 @@
     "imports",
     "security",
     "lint",
-    "ghost"
+    "ghost",
+    "import-validation",
+    "ai-safety",
+    "supply-chain",
+    "hallucination-detection",
+    "copilot",
+    "pre-commit"
   ],
   "homepage": "https://github.com/FGuerreir0/ghostimport#readme",
   "bugs": {
@@ -50,6 +56,7 @@
     "clean": "node -e \"require('fs').rmSync('dist', { recursive: true, force: true })\"",
     "test": "tsx tests/test.ts",
     "dev": "tsx src/cli.ts",
+    "prepare": "git config core.hooksPath .githooks",
     "prepublishOnly": "npm run build"
   },
   "devDependencies": {