npm - herozion - Versions diffs - 1.0.71 - Mend

herozion 1.0.71

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,20 @@
+# Herozion — npm package
+Binary wrapper for the [Herozion](https://herozion.io) CLI security scanner.
+## Usage without global install (recommended)
+```bash
+# Run directly with npx — no install, no PATH modification
+npx herozion scan .
+# Or as a project dev-dependency
+npm install herozion --save-dev
+npx herozion scan .
+```
+The binary is stored inside `node_modules/herozion/bin/` — it never touches your system PATH.
+## Full documentation
+See [github.com/Herozion/scanner](https://github.com/Herozion/scanner#readme)

package/bin/herozion.js ADDED Viewed

@@ -0,0 +1,39 @@
+#!/usr/bin/env node
+/**
+ * Herozion bin shim.
+ *
+ * Locates the pre-built binary downloaded by install.js and spawns it,
+ * forwarding all arguments and environment variables.
+ *
+ * The binary lives in node_modules/herozion/bin/ — never in the system PATH.
+ * This means `npx herozion scan .` or running from a project dev-dependency
+ * gives herozion access ONLY to what you pass as arguments.
+ */
+"use strict";
+const { spawnSync } = require("child_process");
+const path = require("path");
+const fs = require("fs");
+const isWindows = process.platform === "win32";
+const binaryName = isWindows ? "herozion.exe" : "herozion";
+const binaryPath = path.join(__dirname, binaryName);
+if (!fs.existsSync(binaryPath)) {
+  console.error(
+    "herozion: binary not found. The postinstall download may have failed.\n" +
+    "Try reinstalling: npm install herozion\n" +
+    "Or download manually from: https://github.com/Herozion/scanner-releases/releases/latest"
+  );
+  process.exit(1);
+}
+const result = spawnSync(binaryPath, process.argv.slice(2), {
+  stdio: "inherit",
+  env: process.env,
+  // Shell is false: the binary is exec'd directly, no shell expansion
+  shell: false,
+});
+process.exit(result.status ?? 1);

package/install.js ADDED Viewed

@@ -0,0 +1,113 @@
+#!/usr/bin/env node
+/**
+ * Herozion postinstall script.
+ *
+ * Downloads the correct pre-built binary from GitHub Releases and saves it
+ * inside this package's directory so that the `herozion` bin shim can exec it.
+ *
+ * The binary is NEVER placed in the system PATH — it lives in node_modules/
+ * alongside this package.  Running `npx herozion scan .` or adding herozion
+ * as a dev-dependency keeps the scope limited to the project.
+ *
+ * Supported platforms:
+ *   Windows  x64  → herozion-windows-amd64.exe
+ *   Linux    x64  → herozion-linux-amd64
+ *   macOS    arm64 → herozion-macos-arm64
+ *   macOS    x64  → herozion-macos-amd64
+ */
+"use strict";
+const https = require("https");
+const fs = require("fs");
+const path = require("path");
+const { execSync } = require("child_process");
+const VERSION = require("./package.json").version;
+const BASE_URL =
+  `https://github.com/Herozion/scanner-releases/releases/download/v${VERSION}`;
+// ── Platform detection ────────────────────────────────────────────────────────
+function getBinaryName() {
+  const { platform, arch } = process;
+  if (platform === "win32" && arch === "x64") return "herozion-windows-amd64.exe";
+  if (platform === "linux" && (arch === "x64" || arch === "ia32")) return "herozion-linux-amd64";
+  if (platform === "darwin" && arch === "arm64") return "herozion-macos-arm64";
+  if (platform === "darwin" && (arch === "x64" || arch === "ia32")) return "herozion-macos-amd64";
+  throw new Error(
+    `Herozion: unsupported platform ${platform}/${arch}.\n` +
+    "Please open an issue at https://github.com/Herozion/scanner/issues"
+  );
+}
+// ── Download helper ───────────────────────────────────────────────────────────
+function download(url, destPath, redirectCount = 0) {
+  return new Promise((resolve, reject) => {
+    if (redirectCount > 5) {
+      return reject(new Error("Too many redirects"));
+    }
+    https.get(url, { headers: { "User-Agent": "herozion-npm-installer" } }, (res) => {
+      if (res.statusCode === 301 || res.statusCode === 302) {
+        return resolve(download(res.headers.location, destPath, redirectCount + 1));
+      }
+      if (res.statusCode !== 200) {
+        return reject(new Error(`HTTP ${res.statusCode} — failed to download ${url}`));
+      }
+      const file = fs.createWriteStream(destPath);
+      res.pipe(file);
+      file.on("finish", () => file.close(resolve));
+      file.on("error", (err) => {
+        fs.unlink(destPath, () => {});
+        reject(err);
+      });
+    }).on("error", reject);
+  });
+}
+// ── Main ──────────────────────────────────────────────────────────────────────
+async function main() {
+  const binaryName = getBinaryName();
+  const url = `${BASE_URL}/${binaryName}`;
+  // Store the binary inside this package directory (node_modules/herozion/)
+  const binDir = path.join(__dirname, "bin");
+  fs.mkdirSync(binDir, { recursive: true });
+  const isWindows = process.platform === "win32";
+  const destName = isWindows ? "herozion.exe" : "herozion";
+  const destPath = path.join(binDir, destName);
+  // Skip download if binary already exists and matches version
+  const markerPath = path.join(binDir, `.version-${VERSION}`);
+  if (fs.existsSync(destPath) && fs.existsSync(markerPath)) {
+    console.log(`herozion: binary v${VERSION} already present, skipping download.`);
+    return;
+  }
+  console.log(`herozion: downloading ${binaryName} v${VERSION}...`);
+  try {
+    await download(url, destPath);
+    if (!isWindows) {
+      fs.chmodSync(destPath, 0o755);
+    }
+    // Write version marker so we don't re-download on repeated installs
+    fs.writeFileSync(markerPath, VERSION, "utf8");
+    console.log(`herozion: binary installed successfully.`);
+  } catch (err) {
+    // Non-fatal: warn and continue — the bin shim will give a clear error at runtime
+    console.warn(`herozion: WARNING — could not download binary: ${err.message}`);
+    console.warn("You can download it manually from:");
+    console.warn(`  ${url}`);
+  }
+}
+main().catch((err) => {
+  console.error("herozion install error:", err.message);
+  // Do not exit(1) — a failed postinstall breaks `npm install` entirely
+});

package/package.json ADDED Viewed

@@ -0,0 +1,34 @@
+{
+  "name": "herozion",
+  "version": "1.0.71",
+  "description": "Security audit and performance analysis CLI tool for developers",
+  "keywords": ["security", "audit", "vulnerability", "cli", "owasp"],
+  "homepage": "https://herozion.io",
+  "bugs": {
+    "url": "https://github.com/Herozion/scanner/issues"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Herozion/scanner.git"
+  },
+  "license": "SEE LICENSE IN LICENSE",
+  "bin": {
+    "herozion": "bin/herozion.js"
+  },
+  "files": [
+    "bin/herozion.js",
+    "install.js",
+    "README.md"
+  ],
+  "scripts": {
+    "postinstall": "node install.js"
+  },
+  "engines": {
+    "node": ">=16.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "os": ["darwin", "linux", "win32"],
+  "cpu": ["x64", "arm64"]
+}