mcp-security-scanner 1.0.0

package/dist/deps/index.js

@@ -0,0 +1,308 @@
+import { z } from "zod";
+import { join } from "node:path";
+import { text } from "../types/index.js";
+import { parseLockfile, parsePackageJson } from "./lockfile-parser.js";
+import { checkTyposquatting, typosquatFindings } from "./typosquat-checker.js";
+import { detectInstallScripts, installScriptFindings } from "./install-script-detector.js";
+import { safeReadJson, fileExists } from "../utils/fs-helpers.js";
+function formatFindings(findings) {
+    if (findings.length === 0)
+        return "No findings.";
+    const bySeverity = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+    for (const f of findings)
+        bySeverity[f.severity]++;
+    let output = `${findings.length} finding(s): ${bySeverity.critical} critical, ${bySeverity.high} high, ${bySeverity.medium} medium, ${bySeverity.low} low, ${bySeverity.info} info\n\n`;
+    for (const f of findings) {
+        output += `[${f.severity.toUpperCase()}] ${f.id}: ${f.title}\n`;
+        if (f.file)
+            output += `  File: ${f.file}\n`;
+        output += `  OWASP: ${f.owasp_mcp} — ${f.owasp_mcp_title}\n`;
+        output += `  Evidence: ${f.evidence}\n`;
+        output += `  Remediation: ${f.remediation}\n\n`;
+    }
+    return output.trim();
+}
+const depAuditLockfile = {
+    name: "dep_audit_lockfile",
+    description: "Parse lockfile (package-lock.json v2/v3, bun.lock) and list all dependencies with versions. Provides dependency tree overview for manual review.",
+    schema: {
+        path: z.string().describe("Project directory containing lockfile"),
+    },
+    async execute(args) {
+        const lockfile = await parseLockfile(args.path);
+        if (!lockfile)
+            return text(`No lockfile found in ${args.path}. Check that package-lock.json or bun.lock exists.`);
+        let output = `Lockfile: ${lockfile.lockfilePath} (${lockfile.lockfileType})\n`;
+        output += `Dependencies: ${lockfile.dependencies.length}\n\n`;
+        if (lockfile.dependencies.length > 0) {
+            const direct = lockfile.dependencies.filter(d => !d.name.includes(" > "));
+            const transitive = lockfile.dependencies.filter(d => d.name.includes(" > "));
+            output += `Direct: ${direct.length}, Transitive: ${transitive.length}\n\n`;
+            for (const dep of direct.slice(0, 100)) {
+                output += `  ${dep.name}@${dep.version}${dep.dev ? " (dev)" : ""}\n`;
+            }
+            if (direct.length > 100) {
+                output += `  ... and ${direct.length - 100} more\n`;
+            }
+        }
+        return text(output.trim());
+    },
+};
+const depCheckTyposquatting = {
+    name: "dep_check_typosquatting",
+    description: "Check all dependency names against top popular npm packages using: Levenshtein distance, keyboard-adjacent substitution, vowel swapping, separator confusion, scope squatting.",
+    schema: {
+        path: z.string().describe("Project directory containing package.json"),
+        ecosystem: z.string().optional().describe("Package ecosystem (default: npm)"),
+    },
+    async execute(args) {
+        const deps = await parsePackageJson(args.path);
+        if (!deps)
+            return text(`No package.json found in ${args.path}`);
+        const depNames = Object.keys(deps);
+        const matches = checkTyposquatting(depNames);
+        if (matches.length === 0) {
+            return text(`Checked ${depNames.length} dependencies — no typosquatting detected.`);
+        }
+        const findings = typosquatFindings(matches, join(args.path, "package.json"));
+        return text(formatFindings(findings));
+    },
+};
+const depCheckUnpinned = {
+    name: "dep_check_unpinned",
+    description: "Detect dependencies with unpinned version ranges: caret (^), tilde (~), star (*), greater-than (>=). Unpinned versions allow silent malicious updates.",
+    schema: {
+        path: z.string().describe("Project directory containing package.json"),
+    },
+    async execute(args) {
+        const deps = await parsePackageJson(args.path);
+        if (!deps)
+            return text(`No package.json found in ${args.path}`);
+        const findings = [];
+        let counter = 0;
+        const pkgJsonPath = join(args.path, "package.json");
+        // Check if lockfile exists
+        const hasLockfile = await fileExists(join(args.path, "package-lock.json")) ||
+            await fileExists(join(args.path, "bun.lock")) ||
+            await fileExists(join(args.path, "bun.lockb"));
+        if (!hasLockfile) {
+            counter++;
+            findings.push({
+                id: `DEP-PIN-${String(counter).padStart(3, "0")}`,
+                title: "No Lockfile Found",
+                severity: "high",
+                owasp_mcp: "MCP04",
+                owasp_mcp_title: "Supply Chain & Dependency Vulnerabilities",
+                category: "deps",
+                file: pkgJsonPath,
+                evidence: "No package-lock.json or bun.lock found — dependency resolution is non-deterministic",
+                remediation: "Run npm install or bun install to generate a lockfile. Commit the lockfile to version control.",
+                cwe: "CWE-1357",
+            });
+        }
+        for (const [name, version] of Object.entries(deps)) {
+            let issue = null;
+            if (version === "*" || version === "latest") {
+                issue = `"${version}" — matches ANY version`;
+            }
+            else if (version.startsWith("^")) {
+                issue = `"${version}" — caret range allows minor/patch updates`;
+            }
+            else if (version.startsWith("~")) {
+                issue = `"${version}" — tilde range allows patch updates`;
+            }
+            else if (version.startsWith(">=") || version.startsWith(">")) {
+                issue = `"${version}" — open-ended range`;
+            }
+            if (issue) {
+                counter++;
+                findings.push({
+                    id: `DEP-PIN-${String(counter).padStart(3, "0")}`,
+                    title: `Unpinned Version: ${name}`,
+                    severity: version === "*" || version === "latest" ? "high" : "low",
+                    owasp_mcp: "MCP04",
+                    owasp_mcp_title: "Supply Chain & Dependency Vulnerabilities",
+                    category: "deps",
+                    file: pkgJsonPath,
+                    evidence: `${name}: ${issue}`,
+                    remediation: hasLockfile
+                        ? "Version range is mitigated by lockfile presence. For maximum security, pin to exact versions."
+                        : "Pin to exact version (e.g. \"1.2.3\" without ^ or ~). Generate and commit a lockfile.",
+                    cwe: "CWE-1357",
+                });
+            }
+        }
+        return text(formatFindings(findings));
+    },
+};
+const depCheckInstallScripts = {
+    name: "dep_check_install_scripts",
+    description: "Detect dependencies with lifecycle scripts (preinstall, install, postinstall, prepare) that execute during npm/bun install with full system access.",
+    schema: {
+        path: z.string().describe("Project directory with node_modules"),
+    },
+    async execute(args) {
+        const results = await detectInstallScripts(args.path);
+        if (results.length === 0) {
+            return text("No dependencies with install scripts found.");
+        }
+        const lockfile = await parseLockfile(args.path);
+        const lockfilePath = lockfile?.lockfilePath ?? join(args.path, "package.json");
+        const findings = installScriptFindings(results, lockfilePath);
+        return text(formatFindings(findings));
+    },
+};
+const depCheckMcpSdkVersion = {
+    name: "dep_check_mcp_sdk_version",
+    description: "Check the installed @modelcontextprotocol/sdk version against known vulnerable versions and latest features (OAuth 2.1 support, etc).",
+    schema: {
+        path: z.string().describe("Project directory"),
+    },
+    async execute(args) {
+        const findings = [];
+        let counter = 0;
+        // Check package.json for declared version
+        const deps = await parsePackageJson(args.path);
+        const sdkVersion = deps?.["@modelcontextprotocol/sdk"];
+        if (!sdkVersion) {
+            return text("@modelcontextprotocol/sdk not found in dependencies.");
+        }
+        // Check installed version from node_modules
+        const installedPkgPath = join(args.path, "node_modules", "@modelcontextprotocol", "sdk", "package.json");
+        const installedPkg = await safeReadJson(installedPkgPath);
+        const installedVersion = installedPkg?.version;
+        const pkgJsonPath = join(args.path, "package.json");
+        let output = `@modelcontextprotocol/sdk\n`;
+        output += `  Declared: ${sdkVersion}\n`;
+        output += `  Installed: ${installedVersion ?? "not installed"}\n\n`;
+        // Known vulnerable versions (CVE-2025-6514 affects mcp-remote, not core SDK, but flag old versions)
+        if (installedVersion) {
+            const [major, minor, patch] = installedVersion.split(".").map(Number);
+            if (major === 0 || (major === 1 && minor < 10)) {
+                counter++;
+                findings.push({
+                    id: `DEP-SDK-${String(counter).padStart(3, "0")}`,
+                    title: "Outdated MCP SDK Version",
+                    severity: "medium",
+                    owasp_mcp: "MCP04",
+                    owasp_mcp_title: "Supply Chain & Dependency Vulnerabilities",
+                    category: "deps",
+                    file: pkgJsonPath,
+                    evidence: `@modelcontextprotocol/sdk@${installedVersion} — pre-1.10 versions may lack security fixes`,
+                    remediation: "Update to the latest @modelcontextprotocol/sdk version for security patches and OAuth 2.1 support.",
+                    cwe: "CWE-1104",
+                });
+            }
+        }
+        output += formatFindings(findings);
+        return text(output);
+    },
+};
+const depCheckDeprecated = {
+    name: "dep_check_deprecated",
+    description: "Detect deprecated dependencies by checking package.json 'deprecated' field in node_modules. Deprecated packages no longer receive security patches.",
+    schema: {
+        path: z.string().describe("Project directory with node_modules"),
+    },
+    async execute(args) {
+        const findings = [];
+        let counter = 0;
+        const lockfile = await parseLockfile(args.path);
+        if (!lockfile || lockfile.dependencies.length === 0) {
+            return text("No lockfile or dependencies found.");
+        }
+        const pkgJsonPath = join(args.path, "package.json");
+        for (const dep of lockfile.dependencies) {
+            // Only check direct deps (not transitive)
+            if (dep.name.includes(" > "))
+                continue;
+            const depPkgPath = join(args.path, "node_modules", dep.name, "package.json");
+            const depPkg = await safeReadJson(depPkgPath);
+            if (!depPkg)
+                continue;
+            if (depPkg.deprecated) {
+                counter++;
+                findings.push({
+                    id: `DEP-DEPR-${String(counter).padStart(3, "0")}`,
+                    title: `Deprecated Package: ${dep.name}`,
+                    severity: "medium",
+                    owasp_mcp: "MCP04",
+                    owasp_mcp_title: "Supply Chain & Dependency Vulnerabilities",
+                    category: "deps",
+                    file: pkgJsonPath,
+                    evidence: `${dep.name}@${dep.version} — ${String(depPkg.deprecated).substring(0, 200)}`,
+                    remediation: `Replace ${dep.name} with its recommended successor or remove it.`,
+                    cwe: "CWE-1104",
+                });
+            }
+        }
+        return text(formatFindings(findings));
+    },
+};
+const depCheckLicense = {
+    name: "dep_check_license",
+    description: "Audit dependency licenses: copyleft (GPL, AGPL), unknown/missing licenses, non-OSI-approved licenses. Important for MCP servers in enterprise environments.",
+    schema: {
+        path: z.string().describe("Project directory with node_modules"),
+    },
+    async execute(args) {
+        const findings = [];
+        let counter = 0;
+        const lockfile = await parseLockfile(args.path);
+        if (!lockfile || lockfile.dependencies.length === 0) {
+            return text("No lockfile or dependencies found.");
+        }
+        const pkgJsonPath = join(args.path, "package.json");
+        const COPYLEFT = ["GPL", "AGPL", "LGPL", "SSPL", "EUPL", "MPL"];
+        for (const dep of lockfile.dependencies) {
+            if (dep.name.includes(" > "))
+                continue;
+            const depPkgPath = join(args.path, "node_modules", dep.name, "package.json");
+            const depPkg = await safeReadJson(depPkgPath);
+            if (!depPkg)
+                continue;
+            const license = depPkg.license;
+            if (!license) {
+                counter++;
+                findings.push({
+                    id: `DEP-LIC-${String(counter).padStart(3, "0")}`,
+                    title: `Missing License: ${dep.name}`,
+                    severity: "low",
+                    owasp_mcp: "MCP04",
+                    owasp_mcp_title: "Supply Chain & Dependency Vulnerabilities",
+                    category: "deps",
+                    file: pkgJsonPath,
+                    evidence: `${dep.name}@${dep.version} — no license field in package.json`,
+                    remediation: `Verify the license of ${dep.name} manually. Missing license may indicate usage restrictions.`,
+                    cwe: "CWE-1357",
+                });
+            }
+            else if (COPYLEFT.some(c => license.toUpperCase().includes(c))) {
+                counter++;
+                findings.push({
+                    id: `DEP-LIC-${String(counter).padStart(3, "0")}`,
+                    title: `Copyleft License: ${dep.name} (${license})`,
+                    severity: "info",
+                    owasp_mcp: "MCP04",
+                    owasp_mcp_title: "Supply Chain & Dependency Vulnerabilities",
+                    category: "deps",
+                    file: pkgJsonPath,
+                    evidence: `${dep.name}@${dep.version} — license: ${license} (copyleft)`,
+                    remediation: `Review copyleft obligations for ${license}. Copyleft licenses may require source disclosure.`,
+                    cwe: "CWE-1357",
+                });
+            }
+        }
+        return text(formatFindings(findings));
+    },
+};
+export const depsTools = [
+    depAuditLockfile,
+    depCheckTyposquatting,
+    depCheckUnpinned,
+    depCheckInstallScripts,
+    depCheckMcpSdkVersion,
+    depCheckDeprecated,
+    depCheckLicense,
+];
+//# sourceMappingURL=index.js.map

package/dist/deps/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/deps/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,IAAI,EAAQ,MAAM,mBAAmB,CAAC;AAE/C,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC/E,OAAO,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAC3F,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAElE,SAAS,cAAc,CAAC,QAAmB;IACzC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,cAAc,CAAC;IACjD,MAAM,UAAU,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACxE,KAAK,MAAM,CAAC,IAAI,QAAQ;QAAE,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IACnD,IAAI,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,gBAAgB,UAAU,CAAC,QAAQ,cAAc,UAAU,CAAC,IAAI,UAAU,UAAU,CAAC,MAAM,YAAY,UAAU,CAAC,GAAG,SAAS,UAAU,CAAC,IAAI,WAAW,CAAC;IACxL,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,IAAI,CAAC;QAChE,IAAI,CAAC,CAAC,IAAI;YAAE,MAAM,IAAI,WAAW,CAAC,CAAC,IAAI,IAAI,CAAC;QAC5C,MAAM,IAAI,YAAY,CAAC,CAAC,SAAS,MAAM,CAAC,CAAC,eAAe,IAAI,CAAC;QAC7D,MAAM,IAAI,eAAe,CAAC,CAAC,QAAQ,IAAI,CAAC;QACxC,MAAM,IAAI,kBAAkB,CAAC,CAAC,WAAW,MAAM,CAAC;IAClD,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;AACvB,CAAC;AAED,MAAM,gBAAgB,GAAY;IAChC,IAAI,EAAE,oBAAoB;IAC1B,WAAW,EACT,kJAAkJ;IACpJ,MAAM,EAAE;QACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,uCAAuC,CAAC;KACnE;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,IAAc,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,wBAAwB,IAAI,CAAC,IAAI,oDAAoD,CAAC,CAAC;QAElH,IAAI,MAAM,GAAG,aAAa,QAAQ,CAAC,YAAY,KAAK,QAAQ,CAAC,YAAY,KAAK,CAAC;QAC/E,MAAM,IAAI,iBAAiB,QAAQ,CAAC,YAAY,CAAC,MAAM,MAAM,CAAC;QAE9D,IAAI,QAAQ,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAC1E,MAAM,UAAU,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAE7E,MAAM,IAAI,WAAW,MAAM,CAAC,MAAM,iBAAiB,UAAU,CAAC,MAAM,MAAM,CAAC;YAE3E,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;gBACvC,MAAM,IAAI,KAAK,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC;YACvE,CAAC;YAED,IAAI,MAAM,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACxB,MAAM,IAAI,aAAa,MAAM,CAAC,MAAM,GAAG,GAAG,SAAS,CAAC;YACtD,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7B,CAAC;CACF,CAAC;AAEF,MAAM,qBAAqB,GAAY;IACrC,IAAI,EAAE,yBAAyB;IAC/B,WAAW,EACT,gLAAgL;IAClL,MAAM,EAAE;QACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2CAA2C,CAAC;QACtE,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,kCAAkC,CAAC;KAC9E;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,IAAc,CAAC,CAAC;QACzD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,4BAA4B,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAEhE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnC,MAAM,OAAO,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAE7C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,WAAW,QAAQ,CAAC,MAAM,4CAA4C,CAAC,CAAC;QACtF,CAAC;QAED,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,cAAc,CAAC,CAAC,CAAC;QACvF,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxC,CAAC;CACF,CAAC;AAEF,MAAM,gBAAgB,GAAY;IAChC,IAAI,EAAE,oBAAoB;IAC1B,WAAW,EACT,wJAAwJ;IAC1J,MAAM,EAAE;QACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2CAA2C,CAAC;KACvE;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,IAAc,CAAC,CAAC;QACzD,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC,4BAA4B,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAEhE,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,cAAc,CAAC,CAAC;QAE9D,2BAA2B;QAC3B,MAAM,WAAW,GACf,MAAM,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,mBAAmB,CAAC,CAAC;YAChE,MAAM,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,UAAU,CAAC,CAAC;YACvD,MAAM,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,WAAW,CAAC,CAAC,CAAC;QAE3D,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,EAAE,CAAC;YACV,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,WAAW,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACjD,KAAK,EAAE,mBAAmB;gBAC1B,QAAQ,EAAE,MAAM;gBAChB,SAAS,EAAE,OAAO;gBAClB,eAAe,EAAE,2CAA2C;gBAC5D,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,WAAW;gBACjB,QAAQ,EAAE,qFAAqF;gBAC/F,WAAW,EAAE,gGAAgG;gBAC7G,GAAG,EAAE,UAAU;aAChB,CAAC,CAAC;QACL,CAAC;QAED,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,IAAI,KAAK,GAAkB,IAAI,CAAC;YAEhC,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC5C,KAAK,GAAG,IAAI,OAAO,yBAAyB,CAAC;YAC/C,CAAC;iBAAM,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnC,KAAK,GAAG,IAAI,OAAO,4CAA4C,CAAC;YAClE,CAAC;iBAAM,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnC,KAAK,GAAG,IAAI,OAAO,sCAAsC,CAAC;YAC5D,CAAC;iBAAM,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC/D,KAAK,GAAG,IAAI,OAAO,sBAAsB,CAAC;YAC5C,CAAC;YAED,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,WAAW,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACjD,KAAK,EAAE,qBAAqB,IAAI,EAAE;oBAClC,QAAQ,EAAE,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK;oBAClE,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,2CAA2C;oBAC5D,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,WAAW;oBACjB,QAAQ,EAAE,GAAG,IAAI,KAAK,KAAK,EAAE;oBAC7B,WAAW,EAAE,WAAW;wBACtB,CAAC,CAAC,+FAA+F;wBACjG,CAAC,CAAC,uFAAuF;oBAC3F,GAAG,EAAE,UAAU;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxC,CAAC;CACF,CAAC;AAEF,MAAM,sBAAsB,GAAY;IACtC,IAAI,EAAE,2BAA2B;IACjC,WAAW,EACT,qJAAqJ;IACvJ,MAAM,EAAE;QACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,qCAAqC,CAAC;KACjE;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,IAAI,CAAC,IAAc,CAAC,CAAC;QAEhE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,6CAA6C,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,IAAc,CAAC,CAAC;QAC1D,MAAM,YAAY,GAAG,QAAQ,EAAE,YAAY,IAAI,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,cAAc,CAAC,CAAC;QACzF,MAAM,QAAQ,GAAG,qBAAqB,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QAE9D,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxC,CAAC;CACF,CAAC;AAEF,MAAM,qBAAqB,GAAY;IACrC,IAAI,EAAE,2BAA2B;IACjC,WAAW,EACT,uIAAuI;IACzI,MAAM,EAAE;QACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC;KAC/C;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,0CAA0C;QAC1C,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,IAAc,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,IAAI,EAAE,CAAC,2BAA2B,CAAC,CAAC;QAEvD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC,sDAAsD,CAAC,CAAC;QACtE,CAAC;QAED,4CAA4C;QAC5C,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,cAAc,EAAE,uBAAuB,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;QACnH,MAAM,YAAY,GAAG,MAAM,YAAY,CAA0B,gBAAgB,CAAC,CAAC;QACnF,MAAM,gBAAgB,GAAG,YAAY,EAAE,OAA6B,CAAC;QAErE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,cAAc,CAAC,CAAC;QAE9D,IAAI,MAAM,GAAG,6BAA6B,CAAC;QAC3C,MAAM,IAAI,eAAe,UAAU,IAAI,CAAC;QACxC,MAAM,IAAI,gBAAgB,gBAAgB,IAAI,eAAe,MAAM,CAAC;QAEpE,oGAAoG;QACpG,IAAI,gBAAgB,EAAE,CAAC;YACrB,MAAM,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,GAAG,gBAAgB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAEtE,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC,EAAE,CAAC;gBAC/C,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,WAAW,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACjD,KAAK,EAAE,0BAA0B;oBACjC,QAAQ,EAAE,QAAQ;oBAClB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,2CAA2C;oBAC5D,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,WAAW;oBACjB,QAAQ,EAAE,6BAA6B,gBAAgB,8CAA8C;oBACrG,WAAW,EAAE,oGAAoG;oBACjH,GAAG,EAAE,UAAU;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,MAAM,IAAI,cAAc,CAAC,QAAQ,CAAC,CAAC;QACnC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;CACF,CAAC;AAEF,MAAM,kBAAkB,GAAY;IAClC,IAAI,EAAE,sBAAsB;IAC5B,WAAW,EACT,qJAAqJ;IACvJ,MAAM,EAAE;QACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,qCAAqC,CAAC;KACjE;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,IAAc,CAAC,CAAC;QAE1D,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC,oCAAoC,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,cAAc,CAAC,CAAC;QAE9D,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;YACxC,0CAA0C;YAC1C,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,SAAS;YAEvC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,cAAc,EAAE,GAAG,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;YACvF,MAAM,MAAM,GAAG,MAAM,YAAY,CAA0B,UAAU,CAAC,CAAC;YACvE,IAAI,CAAC,MAAM;gBAAE,SAAS;YAEtB,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,YAAY,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBAClD,KAAK,EAAE,uBAAuB,GAAG,CAAC,IAAI,EAAE;oBACxC,QAAQ,EAAE,QAAQ;oBAClB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,2CAA2C;oBAC5D,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,WAAW;oBACjB,QAAQ,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACvF,WAAW,EAAE,WAAW,GAAG,CAAC,IAAI,+CAA+C;oBAC/E,GAAG,EAAE,UAAU;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxC,CAAC;CACF,CAAC;AAEF,MAAM,eAAe,GAAY;IAC/B,IAAI,EAAE,mBAAmB;IACzB,WAAW,EACT,6JAA6J;IAC/J,MAAM,EAAE;QACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,qCAAqC,CAAC;KACjE;IACD,KAAK,CAAC,OAAO,CAAC,IAAI;QAChB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,IAAc,CAAC,CAAC;QAE1D,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpD,OAAO,IAAI,CAAC,oCAAoC,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,cAAc,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QAEhE,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAAE,SAAS;YAEvC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,IAAc,EAAE,cAAc,EAAE,GAAG,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;YACvF,MAAM,MAAM,GAAG,MAAM,YAAY,CAA0B,UAAU,CAAC,CAAC;YACvE,IAAI,CAAC,MAAM;gBAAE,SAAS;YAEtB,MAAM,OAAO,GAAG,MAAM,CAAC,OAA6B,CAAC;YAErD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,WAAW,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACjD,KAAK,EAAE,oBAAoB,GAAG,CAAC,IAAI,EAAE;oBACrC,QAAQ,EAAE,KAAK;oBACf,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,2CAA2C;oBAC5D,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,WAAW;oBACjB,QAAQ,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,qCAAqC;oBACzE,WAAW,EAAE,yBAAyB,GAAG,CAAC,IAAI,6DAA6D;oBAC3G,GAAG,EAAE,UAAU;iBAChB,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjE,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,WAAW,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACjD,KAAK,EAAE,qBAAqB,GAAG,CAAC,IAAI,KAAK,OAAO,GAAG;oBACnD,QAAQ,EAAE,MAAM;oBAChB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,2CAA2C;oBAC5D,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,WAAW;oBACjB,QAAQ,EAAE,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,eAAe,OAAO,aAAa;oBACvE,WAAW,EAAE,mCAAmC,OAAO,oDAAoD;oBAC3G,GAAG,EAAE,UAAU;iBAChB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxC,CAAC;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,SAAS,GAAc;IAClC,gBAAgB;IAChB,qBAAqB;IACrB,gBAAgB;IAChB,sBAAsB;IACtB,qBAAqB;IACrB,kBAAkB;IAClB,eAAe;CAChB,CAAC"}

package/dist/deps/install-script-detector.d.ts

@@ -0,0 +1,9 @@
+import type { Finding } from "../types/findings.js";
+export interface InstallScriptResult {
+    package: string;
+    version: string;
+    scripts: Record<string, string>;
+}
+export declare function detectInstallScripts(projectPath: string): Promise<InstallScriptResult[]>;
+export declare function installScriptFindings(results: InstallScriptResult[], lockfilePath: string): Finding[];
+//# sourceMappingURL=install-script-detector.d.ts.map

package/dist/deps/install-script-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-script-detector.d.ts","sourceRoot":"","sources":["../../src/deps/install-script-detector.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAIpD,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED,wBAAsB,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAqC9F;AA0BD,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,mBAAmB,EAAE,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,EAAE,CAkCrG"}

package/dist/deps/install-script-detector.js

@@ -0,0 +1,98 @@
+import { join } from "node:path";
+import { safeReadJson } from "../utils/fs-helpers.js";
+import { readdir } from "node:fs/promises";
+const DANGEROUS_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];
+export async function detectInstallScripts(projectPath) {
+    const results = [];
+    const nodeModulesPath = join(projectPath, "node_modules");
+    let entries;
+    try {
+        entries = await readdir(nodeModulesPath, { withFileTypes: true });
+    }
+    catch {
+        return results;
+    }
+    for (const entry of entries) {
+        if (!entry.isDirectory())
+            continue;
+        if (entry.name.startsWith("@")) {
+            // Scoped package — look one level deeper
+            const scopePath = join(nodeModulesPath, entry.name);
+            let scopeEntries;
+            try {
+                scopeEntries = await readdir(scopePath, { withFileTypes: true });
+            }
+            catch {
+                continue;
+            }
+            for (const scopeEntry of scopeEntries) {
+                if (!scopeEntry.isDirectory())
+                    continue;
+                const fullName = `${entry.name}/${scopeEntry.name}`;
+                const result = await checkPackageScripts(nodeModulesPath, fullName);
+                if (result)
+                    results.push(result);
+            }
+        }
+        else if (!entry.name.startsWith(".")) {
+            const result = await checkPackageScripts(nodeModulesPath, entry.name);
+            if (result)
+                results.push(result);
+        }
+    }
+    return results;
+}
+async function checkPackageScripts(nodeModulesPath, packageName) {
+    const pkgJsonPath = join(nodeModulesPath, packageName, "package.json");
+    const pkg = await safeReadJson(pkgJsonPath);
+    if (!pkg)
+        return null;
+    const scripts = pkg.scripts;
+    if (!scripts)
+        return null;
+    const dangerousScripts = {};
+    for (const scriptName of DANGEROUS_SCRIPTS) {
+        if (scripts[scriptName]) {
+            dangerousScripts[scriptName] = scripts[scriptName];
+        }
+    }
+    if (Object.keys(dangerousScripts).length === 0)
+        return null;
+    return {
+        package: packageName,
+        version: pkg.version ?? "unknown",
+        scripts: dangerousScripts,
+    };
+}
+export function installScriptFindings(results, lockfilePath) {
+    const findings = [];
+    let counter = 0;
+    for (const result of results) {
+        for (const [scriptName, scriptContent] of Object.entries(result.scripts)) {
+            counter++;
+            // Determine severity based on script content
+            let severity = "medium";
+            const lowerContent = scriptContent.toLowerCase();
+            if (/curl|wget|http|eval|exec|\.sh|bash|powershell|cmd/.test(lowerContent)) {
+                severity = "high";
+            }
+            if (/rm\s+-rf|del\s+\/|format\s+/.test(lowerContent)) {
+                severity = "critical";
+            }
+            findings.push({
+                id: `DEP-SCRIPT-${String(counter).padStart(3, "0")}`,
+                title: `Install Script in ${result.package}: ${scriptName}`,
+                severity,
+                owasp_mcp: "MCP04",
+                owasp_mcp_title: "Supply Chain & Dependency Vulnerabilities",
+                category: "deps",
+                file: lockfilePath,
+                evidence: `${result.package}@${result.version} — ${scriptName}: "${scriptContent.substring(0, 200)}"`,
+                remediation: `Review the ${scriptName} script in ${result.package}. Consider using --ignore-scripts during install if the script is unnecessary.`,
+                cwe: "CWE-829",
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=install-script-detector.js.map

package/dist/deps/install-script-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-script-detector.js","sourceRoot":"","sources":["../../src/deps/install-script-detector.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAG3C,MAAM,iBAAiB,GAAG,CAAC,YAAY,EAAE,SAAS,EAAE,aAAa,EAAE,SAAS,CAAC,CAAC;AAQ9E,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,WAAmB;IAC5D,MAAM,OAAO,GAA0B,EAAE,CAAC;IAC1C,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IAE1D,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,eAAe,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACpE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE;YAAE,SAAS;QAEnC,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/B,yCAAyC;YACzC,MAAM,SAAS,GAAG,IAAI,CAAC,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACpD,IAAI,YAAY,CAAC;YACjB,IAAI,CAAC;gBACH,YAAY,GAAG,MAAM,OAAO,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;YACnE,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YAED,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;gBACtC,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE;oBAAE,SAAS;gBACxC,MAAM,QAAQ,GAAG,GAAG,KAAK,CAAC,IAAI,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC;gBACpD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;gBACpE,IAAI,MAAM;oBAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;aAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACvC,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACtE,IAAI,MAAM;gBAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,eAAuB,EAAE,WAAmB;IAC7E,MAAM,WAAW,GAAG,IAAI,CAAC,eAAe,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;IACvE,MAAM,GAAG,GAAG,MAAM,YAAY,CAA0B,WAAW,CAAC,CAAC;IACrE,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,MAAM,OAAO,GAAG,GAAG,CAAC,OAA6C,CAAC;IAClE,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,MAAM,gBAAgB,GAA2B,EAAE,CAAC;IACpD,KAAK,MAAM,UAAU,IAAI,iBAAiB,EAAE,CAAC;QAC3C,IAAI,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YACxB,gBAAgB,CAAC,UAAU,CAAC,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE5D,OAAO;QACL,OAAO,EAAE,WAAW;QACpB,OAAO,EAAG,GAAG,CAAC,OAAkB,IAAI,SAAS;QAC7C,OAAO,EAAE,gBAAgB;KAC1B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,OAA8B,EAAE,YAAoB;IACxF,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,CAAC,UAAU,EAAE,aAAa,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YACzE,OAAO,EAAE,CAAC;YAEV,6CAA6C;YAC7C,IAAI,QAAQ,GAAwB,QAAQ,CAAC;YAC7C,MAAM,YAAY,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC;YACjD,IAAI,mDAAmD,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC3E,QAAQ,GAAG,MAAM,CAAC;YACpB,CAAC;YACD,IAAI,6BAA6B,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;gBACrD,QAAQ,GAAG,UAAU,CAAC;YACxB,CAAC;YAED,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,cAAc,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACpD,KAAK,EAAE,qBAAqB,MAAM,CAAC,OAAO,KAAK,UAAU,EAAE;gBAC3D,QAAQ;gBACR,SAAS,EAAE,OAAO;gBAClB,eAAe,EAAE,2CAA2C;gBAC5D,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,YAAY;gBAClB,QAAQ,EAAE,GAAG,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,MAAM,UAAU,MAAM,aAAa,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG;gBACrG,WAAW,EAAE,cAAc,UAAU,cAAc,MAAM,CAAC,OAAO,gFAAgF;gBACjJ,GAAG,EAAE,SAAS;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/deps/lockfile-parser.d.ts

@@ -0,0 +1,15 @@
+export interface ParsedDependency {
+    name: string;
+    version: string;
+    resolved?: string;
+    integrity?: string;
+    dev?: boolean;
+}
+export interface LockfileResult {
+    lockfileType: "package-lock-v2" | "package-lock-v3" | "bun-lock" | "unknown";
+    lockfilePath: string;
+    dependencies: ParsedDependency[];
+}
+export declare function parseLockfile(projectPath: string): Promise<LockfileResult | null>;
+export declare function parsePackageJson(projectPath: string): Promise<Record<string, string> | null>;
+//# sourceMappingURL=lockfile-parser.d.ts.map

package/dist/deps/lockfile-parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lockfile-parser.d.ts","sourceRoot":"","sources":["../../src/deps/lockfile-parser.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,iBAAiB,GAAG,iBAAiB,GAAG,UAAU,GAAG,SAAS,CAAC;IAC7E,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,gBAAgB,EAAE,CAAC;CAClC;AAED,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CA8BvF;AAqFD,wBAAsB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC,CAalG"}

package/dist/deps/lockfile-parser.js

@@ -0,0 +1,123 @@
+import { join } from "node:path";
+import { safeReadJson, safeReadFile, fileExists } from "../utils/fs-helpers.js";
+export async function parseLockfile(projectPath) {
+    // Try package-lock.json first
+    const npmLockPath = join(projectPath, "package-lock.json");
+    if (await fileExists(npmLockPath)) {
+        const data = await safeReadJson(npmLockPath);
+        if (data) {
+            return parseNpmLock(data, npmLockPath);
+        }
+    }
+    // Try bun.lock (JSONC format or text)
+    const bunLockPath = join(projectPath, "bun.lock");
+    if (await fileExists(bunLockPath)) {
+        const content = await safeReadFile(bunLockPath);
+        if (content) {
+            return parseBunLock(content, bunLockPath);
+        }
+    }
+    // Try bun.lockb (binary — can't parse, just note it exists)
+    const bunLockbPath = join(projectPath, "bun.lockb");
+    if (await fileExists(bunLockbPath)) {
+        return {
+            lockfileType: "bun-lock",
+            lockfilePath: bunLockbPath,
+            dependencies: [],
+        };
+    }
+    return null;
+}
+function parseNpmLock(data, path) {
+    const version = data.lockfileVersion ?? 1;
+    const deps = [];
+    if (version >= 2 && data.packages) {
+        // v2/v3 format uses "packages" map
+        const packages = data.packages;
+        for (const [key, pkg] of Object.entries(packages)) {
+            if (!key || key === "")
+                continue; // Skip root
+            // Key format: "node_modules/pkg-name" or "node_modules/@scope/pkg-name"
+            const name = key.replace(/^node_modules\//, "").replace(/\/node_modules\//g, " > ");
+            const pkgVersion = pkg.version ?? "unknown";
+            deps.push({
+                name,
+                version: pkgVersion,
+                resolved: pkg.resolved,
+                integrity: pkg.integrity,
+                dev: pkg.dev,
+            });
+        }
+    }
+    else if (data.dependencies) {
+        // v1 format
+        const dependencies = data.dependencies;
+        for (const [name, pkg] of Object.entries(dependencies)) {
+            deps.push({
+                name,
+                version: pkg.version ?? "unknown",
+                resolved: pkg.resolved,
+                integrity: pkg.integrity,
+                dev: pkg.dev,
+            });
+        }
+    }
+    return {
+        lockfileType: version >= 3 ? "package-lock-v3" : "package-lock-v2",
+        lockfilePath: path,
+        dependencies: deps,
+    };
+}
+function parseBunLock(content, path) {
+    const deps = [];
+    // Bun.lock is a JSONC-like format. Try to parse it.
+    try {
+        // Strip comments and parse
+        const cleaned = content.replace(/\/\/.*$/gm, "").replace(/\/\*[\s\S]*?\*\//g, "");
+        const data = JSON.parse(cleaned);
+        if (data.packages) {
+            const packages = data.packages;
+            for (const [key, value] of Object.entries(packages)) {
+                if (Array.isArray(value)) {
+                    // Bun lock format: [version, url, hash, ...]
+                    deps.push({
+                        name: key,
+                        version: value[0] ?? "unknown",
+                        resolved: value[1],
+                        integrity: value[2],
+                    });
+                }
+            }
+        }
+    }
+    catch {
+        // If JSON parsing fails, try line-by-line extraction
+        const lines = content.split("\n");
+        for (const line of lines) {
+            const match = line.match(/"([^"]+)":\s*\["([^"]+)"/);
+            if (match) {
+                deps.push({ name: match[1], version: match[2] });
+            }
+        }
+    }
+    return {
+        lockfileType: "bun-lock",
+        lockfilePath: path,
+        dependencies: deps,
+    };
+}
+export async function parsePackageJson(projectPath) {
+    const pkgPath = join(projectPath, "package.json");
+    const pkg = await safeReadJson(pkgPath);
+    if (!pkg)
+        return null;
+    const allDeps = {};
+    const deps = pkg.dependencies;
+    const devDeps = pkg.devDependencies;
+    if (deps)
+        Object.assign(allDeps, deps);
+    if (devDeps)
+        Object.assign(allDeps, devDeps);
+    return allDeps;
+}
+//# sourceMappingURL=lockfile-parser.js.map

package/dist/deps/lockfile-parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lockfile-parser.js","sourceRoot":"","sources":["../../src/deps/lockfile-parser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAgBhF,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,WAAmB;IACrD,8BAA8B;IAC9B,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC;IAC3D,IAAI,MAAM,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,MAAM,YAAY,CAA0B,WAAW,CAAC,CAAC;QACtE,IAAI,IAAI,EAAE,CAAC;YACT,OAAO,YAAY,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;IAClD,IAAI,MAAM,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAC;QAChD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,YAAY,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IACpD,IAAI,MAAM,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACnC,OAAO;YACL,YAAY,EAAE,UAAU;YACxB,YAAY,EAAE,YAAY;YAC1B,YAAY,EAAE,EAAE;SACjB,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,YAAY,CAAC,IAA6B,EAAE,IAAY;IAC/D,MAAM,OAAO,GAAI,IAAI,CAAC,eAA0B,IAAI,CAAC,CAAC;IACtD,MAAM,IAAI,GAAuB,EAAE,CAAC;IAEpC,IAAI,OAAO,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClC,mCAAmC;QACnC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAmD,CAAC;QAC1E,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,EAAE;gBAAE,SAAS,CAAC,YAAY;YAC9C,wEAAwE;YACxE,MAAM,IAAI,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,mBAAmB,EAAE,KAAK,CAAC,CAAC;YACpF,MAAM,UAAU,GAAI,GAAG,CAAC,OAAkB,IAAI,SAAS,CAAC;YAExD,IAAI,CAAC,IAAI,CAAC;gBACR,IAAI;gBACJ,OAAO,EAAE,UAAU;gBACnB,QAAQ,EAAE,GAAG,CAAC,QAA8B;gBAC5C,SAAS,EAAE,GAAG,CAAC,SAA+B;gBAC9C,GAAG,EAAE,GAAG,CAAC,GAA0B;aACpC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;SAAM,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;QAC7B,YAAY;QACZ,MAAM,YAAY,GAAG,IAAI,CAAC,YAAuD,CAAC;QAClF,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;YACvD,IAAI,CAAC,IAAI,CAAC;gBACR,IAAI;gBACJ,OAAO,EAAG,GAAG,CAAC,OAAkB,IAAI,SAAS;gBAC7C,QAAQ,EAAE,GAAG,CAAC,QAA8B;gBAC5C,SAAS,EAAE,GAAG,CAAC,SAA+B;gBAC9C,GAAG,EAAE,GAAG,CAAC,GAA0B;aACpC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,YAAY,EAAE,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,iBAAiB;QAClE,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,IAAI;KACnB,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,OAAe,EAAE,IAAY;IACjD,MAAM,IAAI,GAAuB,EAAE,CAAC;IAEpC,oDAAoD;IACpD,IAAI,CAAC;QACH,2BAA2B;QAC3B,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC;QAClF,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAEjC,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAmC,CAAC;YAC1D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACpD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;oBACzB,6CAA6C;oBAC7C,IAAI,CAAC,IAAI,CAAC;wBACR,IAAI,EAAE,GAAG;wBACT,OAAO,EAAG,KAAK,CAAC,CAAC,CAAY,IAAI,SAAS;wBAC1C,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAuB;wBACxC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAuB;qBAC1C,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,qDAAqD;QACrD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;YACrD,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,YAAY,EAAE,UAAU;QACxB,YAAY,EAAE,IAAI;QAClB,YAAY,EAAE,IAAI;KACnB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IACxD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;IAClD,MAAM,GAAG,GAAG,MAAM,YAAY,CAA0B,OAAO,CAAC,CAAC;IACjE,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,MAAM,IAAI,GAAG,GAAG,CAAC,YAAkD,CAAC;IACpE,MAAM,OAAO,GAAG,GAAG,CAAC,eAAqD,CAAC;IAE1E,IAAI,IAAI;QAAE,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACvC,IAAI,OAAO;QAAE,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAE7C,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/deps/typosquat-checker.d.ts

@@ -0,0 +1,10 @@
+import type { Finding } from "../types/findings.js";
+export interface TyposquatMatch {
+    dependency: string;
+    target: string;
+    method: string;
+    distance?: number;
+}
+export declare function checkTyposquatting(depNames: string[]): TyposquatMatch[];
+export declare function typosquatFindings(matches: TyposquatMatch[], filePath: string): Finding[];
+//# sourceMappingURL=typosquat-checker.d.ts.map

package/dist/deps/typosquat-checker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"typosquat-checker.d.ts","sourceRoot":"","sources":["../../src/deps/typosquat-checker.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAEpD,MAAM,WAAW,cAAc;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,cAAc,EAAE,CA0EvE;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,cAAc,EAAE,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAaxF"}