install-guard 1.0.1 → 1.1.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Sarthak Kumar Sahoo
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,27 +1,56 @@
+![npm](https://img.shields.io/npm/v/install-guard)
+![downloads](https://img.shields.io/npm/dw/install-guard)
+![license](https://img.shields.io/npm/l/install-guard)
+
 # 🚨 Should You Trust That npm Package Before Installing?
 
-**install-guard** analyzes npm packages and tells you if they are safe to install — before you install them.
+**install-guard** analyzes npm packages for security risks and tells you if they're safe — **before** you install them.
 
 ---
 
 <details>
-<summary>Example</summary>
+<summary>📦 See it in action</summary>
 
 ```bash
-npx install-guard install some-random-lib
+$ npx install-guard install some-random-lib
 ```
 
 ```
-📦 Analyzing some-random-lib...
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  📦 some-random-lib v0.1.3
+  A random utility library
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  Risk Score: 8/10  🚨 High Risk
+  ████████░░
+
+─────────────────────────────────────────────────
+
+  📊 Package Info
 
-Downloads (weekly): 120
-Risk Score: 8/10 🚨 High Risk
+  Downloads (weekly)    120
+  Maintainers           1
+  License               Unknown
+  Last Published        3 days ago
+  Dependencies          14
+  Versions              2
 
-⚠ Very low downloads
-⚠ Uses install scripts
-⚠ Recently published
+─────────────────────────────────────────────────
 
-❓ Do you still want to install this package? (y/n)
+  🔍 Security Checks
+
+  ✘ Downloads:        Very low (120/week)
+  ✔ Last Updated:     Recently updated
+  ✘ Install Scripts:  Has install/postinstall scripts
+  ⚠ Maintainers:      Single maintainer
+  ✘ License:          No license specified
+  ⚠ Repository:       No repository URL
+  ✘ Package Age:      Published less than 30 days ago
+  ✔ Dependencies:     14 direct dependencies
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  ⚠ High risk package. Continue install? (y/n):
 ```
 
 </details>
@@ -32,9 +61,9 @@ Risk Score: 8/10 🚨 High Risk
 
 Installing npm packages blindly is risky.
 
-- Malicious packages are published daily
+- Malicious packages are published **daily**
 - Popular packages get compromised
-- `npm audit` only checks known vulnerabilities — not trust
+- `npm audit` only checks known vulnerabilities — **not trust**
 
 You shouldn't have to guess if a package is safe.
 
@@ -42,44 +71,56 @@ You shouldn't have to guess if a package is safe.
 
 ## 🛡️ The Solution
 
-install-guard gives you a **risk score before you install anything**.
+install-guard gives you a **risk score before you install anything**, powered by 10+ security checks.
 
 ---
 
 ## ⚡ Quick Start
 
-Check a package:
+Analyze a package:
 
 ```bash
 npx install-guard axios
 ```
 
-Safely install a package:
+Safely install with a risk check:
 
 ```bash
 npx install-guard install axios
 ```
 
-Scan your project:
+Scan your entire project:
 
 ```bash
 npx install-guard scan
 ```
 
+Scan with detailed output per package:
+
+```bash
+npx install-guard scan --verbose
+```
+
 ---
 
 ## 🧠 How Risk Score Works
 
-install-guard analyzes:
-
-- 📉 Weekly downloads (popularity)
-- 🕒 Last update time
-- ⚠ Install/postinstall scripts
-- 📦 Version activity
+install-guard runs **10+ security checks** on every package:
 
-Each factor contributes to a **risk score (0–10)**.
+| Check | What it detects |
+|-------|----------------|
+| 📉 **Downloads** | Low popularity = higher risk |
+| 🕒 **Last Updated** | Abandoned packages |
+| ⚠ **Install Scripts** | `preinstall` / `postinstall` hooks (common attack vector) |
+| 👥 **Maintainers** | Single or no maintainers |
+| 📜 **License** | Missing or non-permissive licenses |
+| 🔗 **Repository** | No source code link |
+| 📅 **Package Age** | Brand new packages (< 30 days) |
+| 📦 **Dependencies** | High dependency count |
+| 🚫 **Deprecated** | Flagged as deprecated on npm |
+| 🧠 **Typosquatting** | Names suspiciously similar to popular packages |
 
-Lower score = safer package.
+Each factor contributes to a **risk score (0–10)**. Lower = safer.
 
 ---
 
@@ -88,44 +129,88 @@ Lower score = safer package.
 ### ✅ Safe package
 
 ```
-axios
-Downloads: 20,000,000+
-Risk: 1/10
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  📦 axios v1.7.2
+
+  Risk Score: 1/10  ✅ Low Risk
+  █░░░░░░░░░
+
+  🔍 Security Checks
+  ✔ Downloads:       44,392,817/week
+  ✔ Last Updated:    Recently updated
+  ✔ Install Scripts: No install scripts
+  ✔ Maintainers:     3 maintainers
+  ✔ License:         MIT
+  ✔ Repository:      Has repository link
+  ✔ Package Age:     9+ year(s) old
+  ✔ Dependencies:    8 direct dependencies
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 ```
 
----
-
 ### 🚨 Risky package
 
 ```
-some-lib
-Downloads: 200
-Risk: 8/10
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  📦 some-lib v0.1.0
+
+  Risk Score: 8/10  🚨 High Risk
+  ████████░░
+
+  🔍 Security Checks
+  ✘ Downloads:       Very low (83/week)
+  ✘ Install Scripts: Has install/postinstall scripts
+  ✘ License:         No license specified
+  ⚠ Maintainers:     Single maintainer
+  ⚠ Repository:      No repository URL
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+```
 
-⚠ Low downloads
-⚠ Uses install scripts
+### 📋 Project scan
+
+```
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+  📋 Dependency Scan Summary
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+  Package              Risk        Status
+  ────────────────────────────────────────────
+  some-lib             8/10        🚨 High Risk
+  old-utils            5/10        ⚠  Medium
+  express              0/10        ✅ Safe
+  axios                1/10        ✅ Safe
+
+─────────────────────────────────────────────────
+  Summary: 2 safe · 1 medium · 1 high risk
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 ```
 
 ---
 
 ## ✨ Features
 
-- 🔍 Analyze any npm package instantly
-- ⚠ Risk scoring (0–10)
-- 🛑 Block risky installs
-- 📦 Project-wide dependency scan
-- ⚡ Zero setup (works with npx)
+- 🔍 **Deep analysis** — 10+ security checks per package
+- 🧠 **Typosquatting detection** — catches lookalike package names
+- ⚠ **Risk scoring (0–10)** — instant safety assessment
+- 🛑 **Block risky installs** — prompts before installing medium/high risk packages
+- 📋 **Project-wide scan** — audit all dependencies in one command
+- 📊 **Summary table** — sorted by risk with safe/medium/high breakdown
+- ⚡ **Zero setup** — works instantly with `npx`
+- 🎨 **Beautiful CLI output** — color-coded, easy to read
 
 ---
 
 ## 🤔 Why not npm audit?
 
 | Feature               | npm audit | install-guard |
-|-----------------------|-----------|------------|
-| Known vulnerabilities | ✅        | ✅         |
-| Trust analysis        | ❌        | ✅         |
-| Pre-install check     | ❌        | ✅         |
-| Install blocking      | ❌        | ✅         |
+|-----------------------|-----------|---------------|
+| Known vulnerabilities | ✅        | ✅            |
+| Trust analysis        | ❌        | ✅            |
+| Pre-install check     | ❌        | ✅            |
+| Install blocking      | ❌        | ✅            |
+| Typosquatting check   | ❌        | ✅            |
+| License analysis      | ❌        | ✅            |
+| Maintainer check      | ❌        | ✅            |
+| Package age check     | ❌        | ✅            |
 
 ---
 
@@ -140,9 +225,24 @@ npm install -g install-guard
 ## 🔮 Roadmap
 
 - 🔍 GitHub activity analysis
-- 🧠 Typosquatting detection
+- 🧠 Advanced typosquatting (permutations, homoglyphs)
 - 📊 Dependency tree visualization
-- 🔌 CI/CD integration
+- 🔌 CI/CD integration (exit codes for pipelines)
+- 🏷️ `.install-guardrc` config for custom thresholds
+- 📝 JSON/CSV report export
+
+---
+
+## 🤝 Contributing
+
+PRs welcome! Let's make npm safer together.
+
+---
+
+## ⭐ Support
+
+If you find this useful, consider giving it a star ⭐
+It helps others discover the project!
 
 ---
 

package/bin/cli.js

@@ -8,13 +8,14 @@ const program = new Command();
 
 program
     .name("install-guard")
-    .description("Check npm package risk before installing");
+    .description("Analyze npm packages for security risks before installing")
+    .version("2.0.0");
 
 program
     .argument("[package]", "package name to analyze")
     .action(async (pkg) => {
         if (!pkg) {
-            console.log("Please provide a package name");
+            program.help();
             return;
         }
         await analyzePackage(pkg);
@@ -22,14 +23,18 @@ program
 
 program
     .command("scan")
-    .description("Scan current project dependencies")
-    .action(scanProject);
-    
+    .description("Scan all project dependencies for risks")
+    .option("-v, --verbose", "Show detailed analysis for each package")
+    .action(async (opts) => {
+        await scanProject({ verbose: opts.verbose });
+    });
+
 program
-  .command("install <pkg>")
-  .description("Analyze and install package safely")
-  .action(async (pkg) => {
-    const { analyzeAndPrompt } = await import("../src/install.js");
-    await analyzeAndPrompt(pkg);
-  });
+    .command("install <pkg>")
+    .description("Analyze and safely install a package")
+    .action(async (pkg) => {
+        const { analyzeAndPrompt } = await import("../src/install.js");
+        await analyzeAndPrompt(pkg);
+    });
+
 program.parse();

package/package.json

@@ -1,22 +1,27 @@
 {
   "name": "install-guard",
-  "version": "1.0.1",
+  "version": "1.1.1",
   "main": "index.js",
   "bin": {
     "install-guard": "./bin/cli.js"
   },
-  
   "type": "module",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "author": "Sarthak Kumar Sahoo",
   "license": "MIT",
-  "description": "Check if an npm package is safe before installing",
+  "description": "Analyze npm packages for security risks before installing",
   "dependencies": {
     "chalk": "^5.6.2",
     "commander": "^14.0.3",
     "ora": "^9.3.0"
   },
-  "keywords": ["npm", "security", "cli", "dependency", "audit"]
+  "keywords": [
+    "npm",
+    "security",
+    "cli",
+    "dependency",
+    "audit"
+  ]
 }

package/src/analyze.js

@@ -1,34 +1,21 @@
-import chalk from "chalk";
 import ora from "ora";
 import { getPackageData } from "./npm.js";
 import { calculateRisk } from "./score.js";
+import { formatAnalysis } from "./format.js";
 
 export async function analyze(pkgName) {
     const spinner = ora(`Analyzing ${pkgName}...`).start();
 
     try {
         const data = await getPackageData(pkgName);
-        const { score, warnings } = calculateRisk(data);
+        const result = calculateRisk(data);
 
         spinner.stop();
+        console.log(formatAnalysis(data, result));
 
-        console.log(chalk.bold(`\n📦 ${data.name}`));
-        console.log(`Version: ${data.version}`);
-        console.log(`Downloads (weekly): ${data.downloads.toLocaleString()}`);
-        console.log(`Risk Score: ${score}/10`);
-
-        if (score <= 3) {
-            console.log(chalk.green("✅ Low risk"));
-        } else if (score <= 6) {
-            console.log(chalk.yellow("⚠ Medium risk"));
-        } else {
-            console.log(chalk.red("🚨 High risk"));
-        }
-
-        warnings.forEach((w) => {
-            console.log(chalk.yellow(`⚠ ${w}`));
-        });
+        return { data, result };
     } catch (err) {
-        spinner.fail("Failed to fetch package");
+        spinner.fail(`Failed to analyze "${pkgName}": ${err.message}`);
+        return null;
     }
 }

package/src/format.js

@@ -0,0 +1,202 @@
+import chalk from "chalk";
+
+const SEPARATOR = chalk.gray("━".repeat(50));
+const THIN_SEP = chalk.gray("─".repeat(50));
+
+function riskBar(score) {
+  const filled = score;
+  const empty = 10 - score;
+  const color =
+    score <= 3 ? chalk.green : score <= 6 ? chalk.yellow : chalk.red;
+  return color("█".repeat(filled)) + chalk.gray("░".repeat(empty));
+}
+
+function riskLabel(level) {
+  switch (level) {
+    case "low":
+      return chalk.green.bold("✅ Low Risk");
+    case "medium":
+      return chalk.yellow.bold("⚠  Medium Risk");
+    case "high":
+      return chalk.red.bold("🚨 High Risk");
+  }
+}
+
+function checkIcon(status) {
+  switch (status) {
+    case "pass":
+      return chalk.green("✔");
+    case "warn":
+      return chalk.yellow("⚠");
+    case "fail":
+      return chalk.red("✘");
+  }
+}
+
+function timeAgo(dateStr) {
+  if (!dateStr) return "Unknown";
+  const diff = Date.now() - new Date(dateStr).getTime();
+  const days = Math.floor(diff / (1000 * 60 * 60 * 24));
+  if (days < 1) return "today";
+  if (days === 1) return "1 day ago";
+  if (days < 30) return `${days} days ago`;
+  const months = Math.floor(days / 30);
+  if (months === 1) return "1 month ago";
+  if (months < 12) return `${months} months ago`;
+  const years = Math.floor(days / 365);
+  if (years === 1) return "1 year ago";
+  return `${years} years ago`;
+}
+
+export function formatAnalysis(data, result) {
+  const lines = [];
+
+  lines.push("");
+  lines.push(SEPARATOR);
+  lines.push(
+    chalk.bold(`  📦 ${data.name} `) + chalk.gray(`v${data.version}`)
+  );
+  if (data.description) {
+    lines.push(chalk.gray(`  ${data.description.slice(0, 70)}`));
+  }
+  lines.push(SEPARATOR);
+
+  // Risk score
+  lines.push("");
+  lines.push(
+    `  Risk Score: ${chalk.bold(`${result.score}/10`)}  ${riskLabel(result.level)}`
+  );
+  lines.push(`  ${riskBar(result.score)}`);
+
+  lines.push("");
+  lines.push(THIN_SEP);
+
+  // Package info
+  lines.push("");
+  lines.push(chalk.bold("  📊 Package Info"));
+  lines.push("");
+
+  const info = [
+    ["Downloads (weekly)", data.downloads.toLocaleString()],
+    ["Maintainers", String(data.maintainers.length)],
+    [
+      "License",
+      typeof data.license === "string"
+        ? data.license
+        : data.license?.type || "Unknown",
+    ],
+    ["Last Published", timeAgo(data.lastPublished)],
+    ["Dependencies", String(data.dependencies)],
+    ["Versions", String(data.totalVersions)],
+  ];
+
+  for (const [label, value] of info) {
+    lines.push(
+      `  ${chalk.gray(label.padEnd(22))} ${chalk.white(value)}`
+    );
+  }
+
+  if (data.deprecated) {
+    lines.push("");
+    lines.push(
+      chalk.red.bold(
+        `  ⚠ DEPRECATED: ${typeof data.deprecated === "string" ? data.deprecated : "This package is deprecated"}`
+      )
+    );
+  }
+
+  lines.push("");
+  lines.push(THIN_SEP);
+
+  // Security checks
+  lines.push("");
+  lines.push(chalk.bold("  🔍 Security Checks"));
+  lines.push("");
+
+  for (const check of result.checks) {
+    const icon = checkIcon(check.status);
+    const detail =
+      check.status === "pass"
+        ? chalk.green(check.detail)
+        : check.status === "warn"
+          ? chalk.yellow(check.detail)
+          : chalk.red(check.detail);
+    lines.push(`  ${icon} ${chalk.gray(check.label + ":")} ${detail}`);
+  }
+
+  lines.push("");
+  lines.push(SEPARATOR);
+  lines.push("");
+
+  return lines.join("\n");
+}
+
+export function formatScanSummary(results) {
+  const lines = [];
+
+  results.sort((a, b) => b.result.score - a.result.score);
+
+  lines.push("");
+  lines.push(SEPARATOR);
+  lines.push(chalk.bold("  📋 Dependency Scan Summary"));
+  lines.push(SEPARATOR);
+  lines.push("");
+
+  const nameWidth = Math.max(
+    20,
+    ...results.map((r) => r.data.name.length + 2)
+  );
+
+  lines.push(
+    chalk.gray(
+      "  " +
+        "Package".padEnd(nameWidth) +
+        "Risk".padEnd(12) +
+        "Status"
+    )
+  );
+  lines.push(chalk.gray("  " + "─".repeat(nameWidth + 26)));
+
+  for (const { data, result } of results) {
+    const name = data.name.padEnd(nameWidth);
+    const risk = `${result.score}/10`.padEnd(12);
+    let status;
+    switch (result.level) {
+      case "low":
+        status = chalk.green("✅ Safe");
+        break;
+      case "medium":
+        status = chalk.yellow("⚠  Medium");
+        break;
+      case "high":
+        status = chalk.red("🚨 High Risk");
+        break;
+    }
+
+    const colorFn =
+      result.level === "high"
+        ? chalk.red
+        : result.level === "medium"
+          ? chalk.yellow
+          : chalk.white;
+    lines.push(`  ${colorFn(name)}${risk}${status}`);
+  }
+
+  lines.push("");
+  lines.push(THIN_SEP);
+
+  const safe = results.filter((r) => r.result.level === "low").length;
+  const medium = results.filter(
+    (r) => r.result.level === "medium"
+  ).length;
+  const high = results.filter((r) => r.result.level === "high").length;
+
+  lines.push(
+    `  ${chalk.bold("Summary:")} ${chalk.green(`${safe} safe`)} · ${chalk.yellow(`${medium} medium`)} · ${chalk.red(`${high} high risk`)}`
+  );
+  lines.push("");
+  lines.push(SEPARATOR);
+  lines.push("");
+
+  return lines.join("\n");
+}

package/src/index.js

@@ -1,5 +1,5 @@
 import { analyze } from "./analyze.js";
 
 export async function analyzePackage(pkg) {
-    await analyze(pkg);
+    return await analyze(pkg);
 }

package/src/install.js

@@ -1,7 +1,12 @@
-import { execSync } from "child_process";
+import { execFileSync } from "child_process";
 import readline from "readline";
+import chalk from "chalk";
+import ora from "ora";
 import { getPackageData } from "./npm.js";
 import { calculateRisk } from "./score.js";
+import { formatAnalysis } from "./format.js";
+
+const VALID_PKG_NAME = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*(@[a-z0-9._^~>=<|-]+)?$/i;
 
 function askQuestion(query) {
     const rl = readline.createInterface({
@@ -18,27 +23,44 @@ function askQuestion(query) {
 }
 
 export async function analyzeAndPrompt(pkgName) {
-    console.log(`\nAnalyzing ${pkgName}...\n`);
+    if (!VALID_PKG_NAME.test(pkgName)) {
+        console.log(chalk.red("\n  ✘ Invalid package name.\n"));
+        return;
+    }
 
-    const data = await getPackageData(pkgName);
-    const { score, warnings } = calculateRisk(data);
+    const spinner = ora(`Analyzing ${pkgName}...`).start();
 
-    console.log(`Risk Score: ${score}/10`);
+    let data, result;
+    try {
+        data = await getPackageData(pkgName);
+        result = calculateRisk(data);
+        spinner.stop();
+    } catch (err) {
+        spinner.fail(`Failed to analyze "${pkgName}": ${err.message}`);
+        return;
+    }
 
-    warnings.forEach((w) => console.log(`⚠ ${w}`));
+    console.log(formatAnalysis(data, result));
 
-    if (score >= 6) {
+    if (result.level === "high") {
         const ans = await askQuestion(
-            "\nHigh risk package. Continue install? (y/n): "
+            chalk.red.bold("  ⚠ High risk package. Continue install? (y/n): ")
+        );
+        if (ans.toLowerCase() !== "y") {
+            console.log(chalk.yellow("\n  Installation aborted.\n"));
+            return;
+        }
+    } else if (result.level === "medium") {
+        const ans = await askQuestion(
+            chalk.yellow("  ⚠ Medium risk. Continue install? (y/n): ")
         );
-
         if (ans.toLowerCase() !== "y") {
-            console.log("Installation aborted.");
+            console.log(chalk.yellow("\n  Installation aborted.\n"));
             return;
         }
     }
 
-    console.log("\nInstalling...\n");
-
-    execSync(`npm install ${pkgName}`, { stdio: "inherit" });
+    console.log(chalk.green("\n  Installing...\n"));
+    execFileSync("npm", ["install", pkgName], { stdio: "inherit" });
+    console.log(chalk.green(`\n  ✔ ${pkgName} installed successfully.\n`));
 }

package/src/npm.js

@@ -1,27 +1,42 @@
-import axios from "axios";
-
 export async function getPackageData(pkg) {
-  const registryUrl = `https://registry.npmjs.org/${pkg}`;
-  const downloadUrl = `https://api.npmjs.org/downloads/point/last-week/${pkg}`;
+  const encodedPkg = encodeURIComponent(pkg).replace("%40", "@");
+  const registryUrl = `https://registry.npmjs.org/${encodedPkg}`;
+  const downloadUrl = `https://api.npmjs.org/downloads/point/last-week/${encodedPkg}`;
 
   const [registryRes, downloadRes] = await Promise.all([
-    axios.get(registryUrl),
-    axios.get(downloadUrl),
+    fetch(registryUrl).then((r) => {
+      if (!r.ok) throw new Error(`Package "${pkg}" not found on npm`);
+      return r.json();
+    }),
+    fetch(downloadUrl)
+      .then((r) => r.json())
+      .catch(() => ({ downloads: 0 })),
   ]);
 
-  const data = registryRes.data;
-  const latest = data["dist-tags"].latest;
-  const versionData = data.versions[latest];
+  const data = registryRes;
+  const latest = data["dist-tags"]?.latest;
+  if (!latest) throw new Error(`No published version found for "${pkg}"`);
+
+  const versionData = data.versions?.[latest] || {};
+  const timeData = data.time || {};
 
   return {
     name: data.name,
-    maintainers: data.maintainers?.length || 0,
-    lastPublished: data.time?.[latest],
-    hasInstallScript:
-      versionData.scripts?.install ||
-      versionData.scripts?.postinstall ||
-      false,
     version: latest,
-    downloads: downloadRes.data.downloads || 0,
+    description: data.description || "",
+    downloads: downloadRes.downloads || 0,
+    maintainers: data.maintainers || [],
+    license: versionData.license || data.license || "Unknown",
+    lastPublished: timeData[latest],
+    firstPublished: timeData.created,
+    hasInstallScript: !!(
+      versionData.scripts?.install ||
+      versionData.scripts?.preinstall ||
+      versionData.scripts?.postinstall
+    ),
+    deprecated: versionData.deprecated || false,
+    repository: data.repository?.url || versionData.repository?.url || null,
+    dependencies: Object.keys(versionData.dependencies || {}).length,
+    totalVersions: Object.keys(data.versions || {}).length,
   };
 }

package/src/scan.js

@@ -1,15 +1,63 @@
 import fs from "fs";
-import { analyzePackage } from "./index.js";
+import path from "path";
+import chalk from "chalk";
+import ora from "ora";
+import { getPackageData } from "./npm.js";
+import { calculateRisk } from "./score.js";
+import { formatAnalysis, formatScanSummary } from "./format.js";
 
-export async function scanProject() {
-    const pkg = JSON.parse(fs.readFileSync("package.json"));
+export async function scanProject({ verbose } = {}) {
+    const pkgPath = path.resolve("package.json");
+
+    if (!fs.existsSync(pkgPath)) {
+        console.log(chalk.red("\n  ✘ No package.json found in current directory\n"));
+        process.exit(1);
+    }
+
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
 
     const deps = {
         ...pkg.dependencies,
         ...pkg.devDependencies,
     };
 
-    for (const dep of Object.keys(deps)) {
-        await analyzePackage(dep);
+    const depNames = Object.keys(deps);
+
+    if (depNames.length === 0) {
+        console.log(chalk.yellow("\n  No dependencies found.\n"));
+        return;
+    }
+
+    console.log(chalk.bold(`\n  Scanning ${depNames.length} dependencies...\n`));
+
+    const results = [];
+    const spinner = ora();
+
+    for (const dep of depNames) {
+        spinner.start(`Analyzing ${dep}...`);
+        try {
+            const data = await getPackageData(dep);
+            const result = calculateRisk(data);
+            results.push({ data, result });
+
+            if (verbose) {
+                spinner.stop();
+                console.log(formatAnalysis(data, result));
+            } else {
+                const icon =
+                    result.level === "high"
+                        ? "🚨"
+                        : result.level === "medium"
+                          ? "⚠"
+                          : "✅";
+                spinner.succeed(
+                    `${dep} ${chalk.gray(`(${result.score}/10)`)} ${icon}`
+                );
+            }
+        } catch {
+            spinner.fail(`${dep} - failed to fetch`);
+        }
     }
+
+    console.log(formatScanSummary(results));
 }

package/src/score.js

@@ -1,47 +1,128 @@
+import { checkTyposquat } from "./typosquat.js";
+
 export function calculateRisk(pkg) {
     let score = 0;
-    const warnings = [];
+    const checks = [];
+    const now = new Date();
 
-    // 🟢 Popularity (VERY IMPORTANT)
-    if (pkg.downloads < 1000) {
+    // ── Downloads ──────────────────────────────────
+    if (pkg.downloads < 100) {
         score += 3;
-        warnings.push("Very low downloads");
-    } else if (pkg.downloads < 10000) {
+        checks.push({ label: "Downloads", status: "fail", detail: `Very low (${pkg.downloads.toLocaleString()}/week)` });
+    } else if (pkg.downloads < 1_000) {
         score += 2;
-        warnings.push("Low downloads");
+        checks.push({ label: "Downloads", status: "warn", detail: `Low (${pkg.downloads.toLocaleString()}/week)` });
+    } else if (pkg.downloads < 10_000) {
+        score += 1;
+        checks.push({ label: "Downloads", status: "warn", detail: `Moderate (${pkg.downloads.toLocaleString()}/week)` });
+    } else {
+        checks.push({ label: "Downloads", status: "pass", detail: `${pkg.downloads.toLocaleString()}/week` });
     }
 
-    // 🟡 Update recency
-    const lastUpdate = new Date(pkg.lastPublished);
-    const now = new Date();
-    const diffMonths = (now - lastUpdate) / (1000 * 60 * 60 * 24 * 30);
+    if (pkg.downloads > 1_000_000) score -= 2;
+    if (pkg.downloads > 5_000_000) score -= 1;
 
-    if (diffMonths > 12) {
-        score += 3;
-        warnings.push("Not updated in over a year");
-    } else if (diffMonths > 6) {
-        score += 1;
-        warnings.push("Not updated recently");
+    // ── Update recency ────────────────────────────
+    if (pkg.lastPublished) {
+        const diffMonths = (now - new Date(pkg.lastPublished)) / (1000 * 60 * 60 * 24 * 30);
+        if (diffMonths > 24) {
+            score += 3;
+            checks.push({ label: "Last Updated", status: "fail", detail: "Not updated in over 2 years" });
+        } else if (diffMonths > 12) {
+            score += 2;
+            checks.push({ label: "Last Updated", status: "warn", detail: "Not updated in over a year" });
+        } else if (diffMonths > 6) {
+            score += 1;
+            checks.push({ label: "Last Updated", status: "warn", detail: "Not updated in 6+ months" });
+        } else {
+            checks.push({ label: "Last Updated", status: "pass", detail: "Recently updated" });
+        }
     }
 
-    // 🔴 Install scripts (HIGH RISK)
+    // ── Install scripts ───────────────────────────
     if (pkg.hasInstallScript) {
         score += 3;
-        warnings.push("Uses install/postinstall scripts");
+        checks.push({ label: "Install Scripts", status: "fail", detail: "Has install/postinstall scripts" });
+    } else {
+        checks.push({ label: "Install Scripts", status: "pass", detail: "No install scripts" });
+    }
+
+    // ── Maintainers ───────────────────────────────
+    const maintainerCount = pkg.maintainers?.length || 0;
+    if (maintainerCount === 0) {
+        score += 2;
+        checks.push({ label: "Maintainers", status: "fail", detail: "No maintainers listed" });
+    } else if (maintainerCount === 1) {
+        score += 1;
+        checks.push({ label: "Maintainers", status: "warn", detail: "Single maintainer" });
+    } else {
+        checks.push({ label: "Maintainers", status: "pass", detail: `${maintainerCount} maintainers` });
+    }
+
+    // ── License ───────────────────────────────────
+    const license = (typeof pkg.license === "string" ? pkg.license : pkg.license?.type) || "Unknown";
+    const permissive = ["MIT", "ISC", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "0BSD", "Unlicense"];
+    if (license === "Unknown" || license === "UNLICENSED") {
+        score += 2;
+        checks.push({ label: "License", status: "fail", detail: "No license specified" });
+    } else if (permissive.includes(license)) {
+        checks.push({ label: "License", status: "pass", detail: license });
+    } else {
+        score += 1;
+        checks.push({ label: "License", status: "warn", detail: `${license} (review recommended)` });
+    }
+
+    // ── Repository ────────────────────────────────
+    if (!pkg.repository) {
+        score += 1;
+        checks.push({ label: "Repository", status: "warn", detail: "No repository URL" });
+    } else {
+        checks.push({ label: "Repository", status: "pass", detail: "Has repository link" });
+    }
+
+    // ── Package age ───────────────────────────────
+    if (pkg.firstPublished) {
+        const ageDays = (now - new Date(pkg.firstPublished)) / (1000 * 60 * 60 * 24);
+        if (ageDays < 30) {
+            score += 2;
+            checks.push({ label: "Package Age", status: "fail", detail: "Published less than 30 days ago" });
+        } else if (ageDays < 180) {
+            score += 1;
+            checks.push({ label: "Package Age", status: "warn", detail: "Published less than 6 months ago" });
+        } else {
+            const years = Math.floor(ageDays / 365);
+            checks.push({ label: "Package Age", status: "pass", detail: years > 0 ? `${years}+ year(s) old` : "6+ months old" });
+        }
+    }
+
+    // ── Dependency count ──────────────────────────
+    if (pkg.dependencies > 20) {
+        score += 1;
+        checks.push({ label: "Dependencies", status: "warn", detail: `${pkg.dependencies} direct dependencies (high)` });
+    } else {
+        checks.push({ label: "Dependencies", status: "pass", detail: `${pkg.dependencies} direct dependencies` });
     }
 
-    // 🟢 High trust signal
-    if (pkg.downloads > 1000000) {
-        score -= 2; // reduce risk
+    // ── Deprecated ────────────────────────────────
+    if (pkg.deprecated) {
+        score += 3;
+        checks.push({
+            label: "Deprecated",
+            status: "fail",
+            detail: typeof pkg.deprecated === "string" ? pkg.deprecated : "Package is deprecated",
+        });
     }
 
-    if (pkg.downloads > 5000000) {
-        score -= 2;
+    // ── Typosquatting ─────────────────────────────
+    const typosquatMatch = checkTyposquat(pkg.name);
+    if (typosquatMatch) {
+        score += 3;
+        checks.push({ label: "Typosquatting", status: "fail", detail: `Name is suspiciously similar to "${typosquatMatch}"` });
     }
 
     // Normalize
-    if (score < 0) score = 0;
-    if (score > 10) score = 10;
+    score = Math.max(0, Math.min(10, score));
+    const level = score <= 3 ? "low" : score <= 6 ? "medium" : "high";
 
-    return { score, warnings };
+    return { score, checks, level };
 }

package/src/typosquat.js

@@ -0,0 +1,50 @@
+const POPULAR_PACKAGES = [
+  "express", "react", "vue", "angular", "lodash", "axios", "moment",
+  "webpack", "babel", "typescript", "eslint", "prettier", "jest",
+  "mocha", "chai", "next", "nuxt", "gatsby", "svelte", "jquery",
+  "underscore", "async", "chalk", "commander", "inquirer", "ora",
+  "nodemon", "dotenv", "cors", "mongoose", "sequelize", "prisma",
+  "socket.io", "passport", "bcrypt", "jsonwebtoken", "uuid",
+  "mysql", "pg", "redis", "mongodb", "fastify", "koa", "hapi",
+  "request", "node-fetch", "got", "cheerio", "puppeteer",
+  "sharp", "multer", "helmet", "morgan", "winston", "debug",
+  "bluebird", "rxjs", "ramda", "date-fns", "dayjs", "zod",
+  "yup", "ajv", "joi", "class-validator", "formik",
+  "tailwindcss", "bootstrap", "sass", "less", "styled-components",
+  "vite", "esbuild", "rollup", "parcel", "turbo",
+];
+
+function levenshtein(a, b) {
+  const m = a.length;
+  const n = b.length;
+  const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
+
+  for (let i = 0; i <= m; i++) dp[i][0] = i;
+  for (let j = 0; j <= n; j++) dp[0][j] = j;
+
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      dp[i][j] =
+        a[i - 1] === b[j - 1]
+          ? dp[i - 1][j - 1]
+          : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+    }
+  }
+
+  return dp[m][n];
+}
+
+export function checkTyposquat(name) {
+  const lower = name.toLowerCase();
+
+  if (POPULAR_PACKAGES.includes(lower)) return null;
+
+  for (const popular of POPULAR_PACKAGES) {
+    const dist = levenshtein(lower, popular);
+    if (dist > 0 && dist <= 2 && Math.abs(lower.length - popular.length) <= 2) {
+      return popular;
+    }
+  }
+
+  return null;
+}