mitnick-cli 1.0.0

package/dist/analyzers/typosquatting/index.js

@@ -0,0 +1,127 @@
+/**
+ * Typosquatting Analyzer — detects package names that are suspiciously
+ * similar to popular npm packages via Levenshtein distance and common
+ * character substitutions.
+ */
+import { POPULAR_PACKAGES } from './popular-packages.js';
+import { logger } from '../../utils/logger.js';
+/** Common character substitutions used in typosquatting. */
+const SUBSTITUTIONS = [
+    { from: '0', to: 'o' },
+    { from: 'o', to: '0' },
+    { from: '1', to: 'l' },
+    { from: 'l', to: '1' },
+    { from: 'rn', to: 'm' },
+    { from: 'm', to: 'rn' },
+    { from: '-', to: '_' },
+    { from: '_', to: '-' },
+];
+// ─── Levenshtein ──────────────────────────────────────────
+function levenshteinDistance(a, b) {
+    const la = a.length;
+    const lb = b.length;
+    if (la === 0)
+        return lb;
+    if (lb === 0)
+        return la;
+    // Use two-row approach for memory efficiency
+    let previousRow = Array.from({ length: lb + 1 }, (_, i) => i);
+    let currentRow = new Array(lb + 1);
+    for (let i = 1; i <= la; i++) {
+        currentRow[0] = i;
+        for (let j = 1; j <= lb; j++) {
+            const cost = a[i - 1] === b[j - 1] ? 0 : 1;
+            const deletion = (previousRow[j] ?? 0) + 1;
+            const insertion = (currentRow[j - 1] ?? 0) + 1;
+            const substitution = (previousRow[j - 1] ?? 0) + cost;
+            currentRow[j] = Math.min(deletion, insertion, substitution);
+        }
+        [previousRow, currentRow] = [currentRow, previousRow];
+    }
+    return previousRow[lb] ?? la;
+}
+// ─── Substitution check ──────────────────────────────────
+function applySubstitutions(name) {
+    const variants = [];
+    for (const { from, to } of SUBSTITUTIONS) {
+        let idx = name.indexOf(from);
+        while (idx !== -1) {
+            const variant = name.slice(0, idx) + to + name.slice(idx + from.length);
+            variants.push(variant);
+            idx = name.indexOf(from, idx + 1);
+        }
+    }
+    return variants;
+}
+// ─── Analyzer ─────────────────────────────────────────────
+export class TyposquattingAnalyzer {
+    name = 'typosquatting';
+    description = 'Detects package names that may be typosquatting popular npm packages';
+    analyze(context) {
+        const start = performance.now();
+        const findings = [];
+        try {
+            const packageName = context.packageName;
+            // Skip scoped packages — they can't easily typosquat unscoped ones
+            // and skip if the name exactly matches a popular package
+            const normalizedName = packageName.replace(/^@[^/]+\//, '');
+            if (POPULAR_PACKAGES.includes(normalizedName)) {
+                return Promise.resolve({
+                    analyzer: this.name,
+                    findings: [],
+                    duration: performance.now() - start,
+                });
+            }
+            // Check Levenshtein distance against all popular packages
+            const alreadyFlagged = new Set();
+            for (const popular of POPULAR_PACKAGES) {
+                // Skip packages with very different lengths (distance would be too high)
+                if (Math.abs(normalizedName.length - popular.length) > 2)
+                    continue;
+                const distance = levenshteinDistance(normalizedName, popular);
+                if (distance === 1) {
+                    findings.push(this.createFinding(normalizedName, popular, 'high', distance));
+                    alreadyFlagged.add(popular);
+                }
+                else if (distance === 2) {
+                    findings.push(this.createFinding(normalizedName, popular, 'medium', distance));
+                    alreadyFlagged.add(popular);
+                }
+            }
+            // Check common character substitutions
+            const variants = applySubstitutions(normalizedName);
+            for (const variant of variants) {
+                if (POPULAR_PACKAGES.includes(variant) && !alreadyFlagged.has(variant)) {
+                    findings.push({
+                        analyzer: this.name,
+                        severity: 'high',
+                        title: `Possible typosquat of "${variant}"`,
+                        description: `Package name "${normalizedName}" uses a common character substitution ` +
+                            `that makes it look like the popular package "${variant}".`,
+                        recommendation: `Verify you intended to install "${normalizedName}" and not "${variant}".`,
+                    });
+                    alreadyFlagged.add(variant);
+                }
+            }
+        }
+        catch (error) {
+            logger.warn(`[${this.name}] Unexpected error: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        return Promise.resolve({
+            analyzer: this.name,
+            findings,
+            duration: performance.now() - start,
+        });
+    }
+    createFinding(name, popular, severity, distance) {
+        return {
+            analyzer: this.name,
+            severity,
+            title: `Possible typosquat of "${popular}" (distance: ${distance})`,
+            description: `Package name "${name}" has a Levenshtein distance of ${distance} from ` +
+                `the popular package "${popular}" (potential typosquatting).`,
+            recommendation: `Verify you intended to install "${name}" and not "${popular}".`,
+        };
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/analyzers/typosquatting/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/typosquatting/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAS/C,4DAA4D;AAC5D,MAAM,aAAa,GAAgC;IACjD,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE;IACtB,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE;IACtB,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE;IACtB,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE;IACtB,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE;IACvB,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,EAAE;IACvB,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE;IACtB,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE,EAAE,GAAG,EAAE;CACvB,CAAC;AAEF,6DAA6D;AAE7D,SAAS,mBAAmB,CAAC,CAAS,EAAE,CAAS;IAC/C,MAAM,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC;IACpB,MAAM,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC;IAEpB,IAAI,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACxB,IAAI,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAExB,6CAA6C;IAC7C,IAAI,WAAW,GAAa,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;IACxE,IAAI,UAAU,GAAa,IAAI,KAAK,CAAS,EAAE,GAAG,CAAC,CAAC,CAAC;IAErD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3C,MAAM,QAAQ,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC3C,MAAM,SAAS,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YAC/C,MAAM,YAAY,GAAG,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;YACtD,UAAU,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;QAC9D,CAAC;QACD,CAAC,WAAW,EAAE,UAAU,CAAC,GAAG,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,WAAW,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED,4DAA4D;AAE5D,SAAS,kBAAkB,CAAC,IAAY;IACtC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7B,OAAO,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;YAClB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;YACxE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvB,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,6DAA6D;AAE7D,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,eAAe,CAAC;IACvB,WAAW,GAAG,sEAAsE,CAAC;IAE9F,OAAO,CAAC,OAAwB;QAC9B,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;YAExC,mEAAmE;YACnE,yDAAyD;YACzD,MAAM,cAAc,GAAG,WAAW,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;YAE5D,IAAI,gBAAgB,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;gBAC9C,OAAO,OAAO,CAAC,OAAO,CAAC;oBACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,EAAE;oBACZ,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC,CAAC;YACL,CAAC;YAED,0DAA0D;YAC1D,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;YAEzC,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;gBACvC,yEAAyE;gBACzE,IAAI,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAEnE,MAAM,QAAQ,GAAG,mBAAmB,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;gBAE9D,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;oBACnB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,cAAc,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;oBAC7E,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAC9B,CAAC;qBAAM,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;oBAC1B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,cAAc,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;oBAC/E,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;YAED,uCAAuC;YACvC,MAAM,QAAQ,GAAG,kBAAkB,CAAC,cAAc,CAAC,CAAC;YACpD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,IAAI,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBACvE,QAAQ,CAAC,IAAI,CAAC;wBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;wBACnB,QAAQ,EAAE,MAAM;wBAChB,KAAK,EAAE,0BAA0B,OAAO,GAAG;wBAC3C,WAAW,EACT,iBAAiB,cAAc,yCAAyC;4BACxE,gDAAgD,OAAO,IAAI;wBAC7D,cAAc,EAAE,mCAAmC,cAAc,cAAc,OAAO,IAAI;qBAC3F,CAAC,CAAC;oBACH,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7F,CAAC;QACJ,CAAC;QAED,OAAO,OAAO,CAAC,OAAO,CAAC;YACrB,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ;YACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC,CAAC;IACL,CAAC;IAEO,aAAa,CACnB,IAAY,EACZ,OAAe,EACf,QAAkB,EAClB,QAAgB;QAEhB,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ;YACR,KAAK,EAAE,0BAA0B,OAAO,gBAAgB,QAAQ,GAAG;YACnE,WAAW,EACT,iBAAiB,IAAI,mCAAmC,QAAQ,QAAQ;gBACxE,wBAAwB,OAAO,8BAA8B;YAC/D,cAAc,EAAE,mCAAmC,IAAI,cAAc,OAAO,IAAI;SACjF,CAAC;IACJ,CAAC;CACF"}

package/dist/analyzers/typosquatting/popular-packages.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Top 200 most popular npm package names.
+ *
+ * Used by the TyposquattingAnalyzer to detect package names that are
+ * suspiciously similar to well-known packages. This list is curated from
+ * npm download statistics and ecosystem prominence.
+ */
+export declare const POPULAR_PACKAGES: readonly string[];
+//# sourceMappingURL=popular-packages.d.ts.map

package/dist/analyzers/typosquatting/popular-packages.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"popular-packages.d.ts","sourceRoot":"","sources":["../../../src/analyzers/typosquatting/popular-packages.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,eAAO,MAAM,gBAAgB,EAAE,SAAS,MAAM,EAsPpC,CAAC"}

package/dist/analyzers/typosquatting/popular-packages.js

@@ -0,0 +1,236 @@
+/**
+ * Top 200 most popular npm package names.
+ *
+ * Used by the TyposquattingAnalyzer to detect package names that are
+ * suspiciously similar to well-known packages. This list is curated from
+ * npm download statistics and ecosystem prominence.
+ */
+export const POPULAR_PACKAGES = [
+    // Frameworks & runtimes
+    'express',
+    'next',
+    'nuxt',
+    'react',
+    'react-dom',
+    'react-router',
+    'react-router-dom',
+    'vue',
+    'angular',
+    'svelte',
+    'preact',
+    'fastify',
+    'koa',
+    'hapi',
+    'nest',
+    'gatsby',
+    'remix',
+    // Bundlers & build tools
+    'webpack',
+    'vite',
+    'rollup',
+    'esbuild',
+    'parcel',
+    'turbo',
+    'tsup',
+    'swc',
+    // Transpilers & compilers
+    'typescript',
+    'babel-core',
+    '@babel/core',
+    '@babel/preset-env',
+    'coffeescript',
+    // Utilities
+    'lodash',
+    'underscore',
+    'ramda',
+    'rxjs',
+    'immer',
+    'date-fns',
+    'moment',
+    'dayjs',
+    'uuid',
+    'nanoid',
+    'ms',
+    // HTTP & networking
+    'axios',
+    'got',
+    'node-fetch',
+    'request',
+    'superagent',
+    'undici',
+    'ky',
+    // CLI
+    'commander',
+    'yargs',
+    'minimist',
+    'meow',
+    'inquirer',
+    'prompts',
+    'chalk',
+    'ora',
+    'cli-table3',
+    'figlet',
+    'boxen',
+    'listr2',
+    // Testing
+    'jest',
+    'mocha',
+    'chai',
+    'sinon',
+    'vitest',
+    'ava',
+    'tap',
+    'nyc',
+    'istanbul',
+    'cypress',
+    'playwright',
+    'puppeteer',
+    // Linting & formatting
+    'eslint',
+    'prettier',
+    'stylelint',
+    'standard',
+    'husky',
+    'lint-staged',
+    // Logging
+    'debug',
+    'winston',
+    'pino',
+    'bunyan',
+    'morgan',
+    'loglevel',
+    // Validation & schemas
+    'zod',
+    'joi',
+    'yup',
+    'ajv',
+    'validator',
+    'class-validator',
+    // Database & ORMs
+    'mongoose',
+    'sequelize',
+    'typeorm',
+    'prisma',
+    'knex',
+    'pg',
+    'mysql2',
+    'redis',
+    'ioredis',
+    'mongodb',
+    'sqlite3',
+    'better-sqlite3',
+    // Auth & security
+    'jsonwebtoken',
+    'bcrypt',
+    'bcryptjs',
+    'passport',
+    'helmet',
+    'cors',
+    'csurf',
+    'express-rate-limit',
+    // File & streams
+    'fs-extra',
+    'glob',
+    'globby',
+    'chokidar',
+    'rimraf',
+    'mkdirp',
+    'tar',
+    'archiver',
+    'unzipper',
+    'sharp',
+    'multer',
+    // Parsing
+    'cheerio',
+    'jsdom',
+    'marked',
+    'markdown-it',
+    'yaml',
+    'csv-parser',
+    'xml2js',
+    'fast-xml-parser',
+    'json5',
+    'toml',
+    // Process & system
+    'dotenv',
+    'cross-env',
+    'execa',
+    'shelljs',
+    'concurrently',
+    'nodemon',
+    'pm2',
+    'forever',
+    // Templating
+    'handlebars',
+    'ejs',
+    'pug',
+    'nunjucks',
+    'mustache',
+    // WebSocket & real-time
+    'socket.io',
+    'ws',
+    // Crypto
+    'crypto-js',
+    'tweetnacl',
+    'node-forge',
+    // Configuration
+    'config',
+    'convict',
+    'cosmiconfig',
+    'rc',
+    // Misc popular
+    'semver',
+    'minimatch',
+    'micromatch',
+    'picomatch',
+    'ansi-styles',
+    'ansi-regex',
+    'strip-ansi',
+    'supports-color',
+    'color-convert',
+    'wrap-ansi',
+    'string-width',
+    'cliui',
+    'escalade',
+    'escape-string-regexp',
+    'has-flag',
+    'p-limit',
+    'p-queue',
+    'yocto-queue',
+    'lru-cache',
+    'which',
+    'path-to-regexp',
+    'qs',
+    'query-string',
+    'form-data',
+    'mime',
+    'mime-types',
+    'content-type',
+    'accepts',
+    'negotiator',
+    'bytes',
+    'body-parser',
+    'cookie',
+    'cookie-parser',
+    'express-session',
+    'compression',
+    'serve-static',
+    'http-proxy',
+    'http-proxy-middleware',
+    'https-proxy-agent',
+    'proxy-agent',
+    'agent-base',
+    'depd',
+    'on-finished',
+    'raw-body',
+    'type-is',
+    'tslib',
+    'source-map',
+    'source-map-support',
+    'regenerator-runtime',
+    'core-js',
+    'async',
+    'bluebird',
+    'eventemitter3',
+];
+//# sourceMappingURL=popular-packages.js.map

package/dist/analyzers/typosquatting/popular-packages.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"popular-packages.js","sourceRoot":"","sources":["../../../src/analyzers/typosquatting/popular-packages.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,CAAC,MAAM,gBAAgB,GAAsB;IACjD,wBAAwB;IACxB,SAAS;IACT,MAAM;IACN,MAAM;IACN,OAAO;IACP,WAAW;IACX,cAAc;IACd,kBAAkB;IAClB,KAAK;IACL,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,KAAK;IACL,MAAM;IACN,MAAM;IACN,QAAQ;IACR,OAAO;IAEP,yBAAyB;IACzB,SAAS;IACT,MAAM;IACN,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,OAAO;IACP,MAAM;IACN,KAAK;IAEL,0BAA0B;IAC1B,YAAY;IACZ,YAAY;IACZ,aAAa;IACb,mBAAmB;IACnB,cAAc;IAEd,YAAY;IACZ,QAAQ;IACR,YAAY;IACZ,OAAO;IACP,MAAM;IACN,OAAO;IACP,UAAU;IACV,QAAQ;IACR,OAAO;IACP,MAAM;IACN,QAAQ;IACR,IAAI;IAEJ,oBAAoB;IACpB,OAAO;IACP,KAAK;IACL,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,QAAQ;IACR,IAAI;IAEJ,MAAM;IACN,WAAW;IACX,OAAO;IACP,UAAU;IACV,MAAM;IACN,UAAU;IACV,SAAS;IACT,OAAO;IACP,KAAK;IACL,YAAY;IACZ,QAAQ;IACR,OAAO;IACP,QAAQ;IAER,UAAU;IACV,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,QAAQ;IACR,KAAK;IACL,KAAK;IACL,KAAK;IACL,UAAU;IACV,SAAS;IACT,YAAY;IACZ,WAAW;IAEX,uBAAuB;IACvB,QAAQ;IACR,UAAU;IACV,WAAW;IACX,UAAU;IACV,OAAO;IACP,aAAa;IAEb,UAAU;IACV,OAAO;IACP,SAAS;IACT,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,UAAU;IAEV,uBAAuB;IACvB,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,WAAW;IACX,iBAAiB;IAEjB,kBAAkB;IAClB,UAAU;IACV,WAAW;IACX,SAAS;IACT,QAAQ;IACR,MAAM;IACN,IAAI;IACJ,QAAQ;IACR,OAAO;IACP,SAAS;IACT,SAAS;IACT,SAAS;IACT,gBAAgB;IAEhB,kBAAkB;IAClB,cAAc;IACd,QAAQ;IACR,UAAU;IACV,UAAU;IACV,QAAQ;IACR,MAAM;IACN,OAAO;IACP,oBAAoB;IAEpB,iBAAiB;IACjB,UAAU;IACV,MAAM;IACN,QAAQ;IACR,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,KAAK;IACL,UAAU;IACV,UAAU;IACV,OAAO;IACP,QAAQ;IAER,UAAU;IACV,SAAS;IACT,OAAO;IACP,QAAQ;IACR,aAAa;IACb,MAAM;IACN,YAAY;IACZ,QAAQ;IACR,iBAAiB;IACjB,OAAO;IACP,MAAM;IAEN,mBAAmB;IACnB,QAAQ;IACR,WAAW;IACX,OAAO;IACP,SAAS;IACT,cAAc;IACd,SAAS;IACT,KAAK;IACL,SAAS;IAET,aAAa;IACb,YAAY;IACZ,KAAK;IACL,KAAK;IACL,UAAU;IACV,UAAU;IAEV,wBAAwB;IACxB,WAAW;IACX,IAAI;IAEJ,SAAS;IACT,WAAW;IACX,WAAW;IACX,YAAY;IAEZ,gBAAgB;IAChB,QAAQ;IACR,SAAS;IACT,aAAa;IACb,IAAI;IAEJ,eAAe;IACf,QAAQ;IACR,WAAW;IACX,YAAY;IACZ,WAAW;IACX,aAAa;IACb,YAAY;IACZ,YAAY;IACZ,gBAAgB;IAChB,eAAe;IACf,WAAW;IACX,cAAc;IACd,OAAO;IACP,UAAU;IACV,sBAAsB;IACtB,UAAU;IACV,SAAS;IACT,SAAS;IACT,aAAa;IACb,WAAW;IACX,OAAO;IACP,gBAAgB;IAChB,IAAI;IACJ,cAAc;IACd,WAAW;IACX,MAAM;IACN,YAAY;IACZ,cAAc;IACd,SAAS;IACT,YAAY;IACZ,OAAO;IACP,aAAa;IACb,QAAQ;IACR,eAAe;IACf,iBAAiB;IACjB,aAAa;IACb,cAAc;IACd,YAAY;IACZ,uBAAuB;IACvB,mBAAmB;IACnB,aAAa;IACb,YAAY;IACZ,MAAM;IACN,aAAa;IACb,UAAU;IACV,SAAS;IACT,OAAO;IACP,YAAY;IACZ,oBAAoB;IACpB,qBAAqB;IACrB,SAAS;IACT,OAAO;IACP,UAAU;IACV,eAAe;CACP,CAAC"}

package/dist/analyzers/vulnerability/index.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Vulnerability Analyzer — queries the OSV API for known CVEs affecting
+ * the target package version.
+ */
+import type { Analyzer } from '../analyzer.interface.js';
+import type { AnalysisContext, AnalyzerResult } from '../../core/types.js';
+export declare class VulnerabilityAnalyzer implements Analyzer {
+    readonly name = "vulnerability-scanner";
+    readonly description = "Checks for known CVEs and security advisories via the OSV database";
+    analyze(context: AnalysisContext): Promise<AnalyzerResult>;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/vulnerability/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/vulnerability/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAqB,MAAM,qBAAqB,CAAC;AAoI9F,qBAAa,qBAAsB,YAAW,QAAQ;IACpD,QAAQ,CAAC,IAAI,2BAA2B;IACxC,QAAQ,CAAC,WAAW,wEAAwE;IAEtF,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;CA0DjE"}

package/dist/analyzers/vulnerability/index.js

@@ -0,0 +1,147 @@
+/**
+ * Vulnerability Analyzer — queries the OSV API for known CVEs affecting
+ * the target package version.
+ */
+import { fetchJson } from '../../utils/http.js';
+import { logger } from '../../utils/logger.js';
+// ─── Helpers ──────────────────────────────────────────────
+const OSV_API_URL = 'https://api.osv.dev/v1/query';
+function extractCveId(vuln) {
+    if (vuln.id.startsWith('CVE-'))
+        return vuln.id;
+    const alias = vuln.aliases?.find((a) => a.startsWith('CVE-'));
+    return alias ?? vuln.id;
+}
+function mapOsvSeverity(vuln) {
+    const severityEntries = vuln.severity;
+    if (!severityEntries || severityEntries.length === 0)
+        return 'medium';
+    // Look for CVSS v3 score first
+    for (const entry of severityEntries) {
+        if (entry.type === 'CVSS_V3') {
+            const score = parseCvssScore(entry.score);
+            if (score !== null) {
+                if (score >= 9.0)
+                    return 'critical';
+                if (score >= 7.0)
+                    return 'high';
+                if (score >= 4.0)
+                    return 'medium';
+                return 'low';
+            }
+        }
+    }
+    // Check database_specific for npm severity strings
+    const dbSeverity = vuln.database_specific?.['severity'];
+    if (typeof dbSeverity === 'string') {
+        const lower = dbSeverity.toLowerCase();
+        if (lower === 'critical')
+            return 'critical';
+        if (lower === 'high')
+            return 'high';
+        if (lower === 'moderate' || lower === 'medium')
+            return 'medium';
+        if (lower === 'low')
+            return 'low';
+    }
+    return 'medium';
+}
+function parseCvssScore(vector) {
+    // CVSS vector strings can start with "CVSS:3.x/" and may end with
+    // a score, or we need to parse from the vector itself.
+    // Some OSV entries put the numeric score directly.
+    const numeric = parseFloat(vector);
+    if (!isNaN(numeric) && numeric >= 0 && numeric <= 10)
+        return numeric;
+    // Try to extract base score from a CVSS vector by looking for a pattern
+    // Since full CVSS parsing is complex, we fall back to null
+    return null;
+}
+function buildAffectedVersionsString(vuln) {
+    const affected = vuln.affected;
+    if (!affected || affected.length === 0)
+        return 'See advisory for details';
+    const versions = [];
+    for (const entry of affected) {
+        if (entry.versions && entry.versions.length > 0) {
+            versions.push(...entry.versions.slice(0, 5));
+            if (entry.versions.length > 5) {
+                versions.push(`... and ${entry.versions.length - 5} more`);
+            }
+        }
+        if (entry.ranges) {
+            for (const range of entry.ranges) {
+                if (range.events) {
+                    const parts = [];
+                    for (const event of range.events) {
+                        const introduced = event['introduced'];
+                        const fixed = event['fixed'];
+                        if (introduced !== undefined)
+                            parts.push(`>= ${introduced}`);
+                        if (fixed !== undefined)
+                            parts.push(`< ${fixed}`);
+                    }
+                    if (parts.length > 0)
+                        versions.push(parts.join(', '));
+                }
+            }
+        }
+    }
+    return versions.length > 0 ? versions.join('; ') : 'See advisory for details';
+}
+// ─── Analyzer ─────────────────────────────────────────────
+export class VulnerabilityAnalyzer {
+    name = 'vulnerability-scanner';
+    description = 'Checks for known CVEs and security advisories via the OSV database';
+    async analyze(context) {
+        const start = performance.now();
+        const findings = [];
+        try {
+            const requestBody = {
+                package: {
+                    name: context.packageName,
+                    ecosystem: 'npm',
+                },
+                version: context.version,
+            };
+            const result = await fetchJson(OSV_API_URL, {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify(requestBody),
+                timeout: 15_000,
+            });
+            if (!result.ok) {
+                // API error — return empty findings, don't crash
+                logger.warn(`[${this.name}] OSV API error: ${result.message} (${result.error})`);
+                return {
+                    analyzer: this.name,
+                    findings: [],
+                    duration: performance.now() - start,
+                };
+            }
+            const vulns = result.data.vulns ?? [];
+            for (const vuln of vulns) {
+                const cveId = extractCveId(vuln);
+                const severity = mapOsvSeverity(vuln);
+                const summary = vuln.summary ?? vuln.details ?? 'No description available';
+                const affectedVersions = buildAffectedVersionsString(vuln);
+                findings.push({
+                    analyzer: this.name,
+                    severity,
+                    title: `${cveId} in ${context.packageName}@${context.version}`,
+                    description: summary,
+                    recommendation: `Upgrade to a non-affected version. Affected: ${affectedVersions}`,
+                });
+            }
+        }
+        catch (error) {
+            logger.warn(`[${this.name}] Unexpected error: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        return {
+            analyzer: this.name,
+            findings,
+            duration: performance.now() - start,
+        };
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/analyzers/vulnerability/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/vulnerability/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AA6C/C,6DAA6D;AAE7D,MAAM,WAAW,GAAG,8BAA8B,CAAC;AAEnD,SAAS,YAAY,CAAC,IAAsB;IAC1C,IAAI,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAC,EAAE,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;IAC9D,OAAO,KAAK,IAAI,IAAI,CAAC,EAAE,CAAC;AAC1B,CAAC;AAED,SAAS,cAAc,CAAC,IAAsB;IAC5C,MAAM,eAAe,GAAG,IAAI,CAAC,QAAQ,CAAC;IACtC,IAAI,CAAC,eAAe,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAEtE,+BAA+B;IAC/B,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;QACpC,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;YAC1C,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBACnB,IAAI,KAAK,IAAI,GAAG;oBAAE,OAAO,UAAU,CAAC;gBACpC,IAAI,KAAK,IAAI,GAAG;oBAAE,OAAO,MAAM,CAAC;gBAChC,IAAI,KAAK,IAAI,GAAG;oBAAE,OAAO,QAAQ,CAAC;gBAClC,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IAED,mDAAmD;IACnD,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB,EAAE,CAAC,UAAU,CAAC,CAAC;IACxD,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;QACvC,IAAI,KAAK,KAAK,UAAU;YAAE,OAAO,UAAU,CAAC;QAC5C,IAAI,KAAK,KAAK,MAAM;YAAE,OAAO,MAAM,CAAC;QACpC,IAAI,KAAK,KAAK,UAAU,IAAI,KAAK,KAAK,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAChE,IAAI,KAAK,KAAK,KAAK;YAAE,OAAO,KAAK,CAAC;IACpC,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IACpC,kEAAkE;IAClE,uDAAuD;IACvD,mDAAmD;IACnD,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,OAAO,IAAI,CAAC,IAAI,OAAO,IAAI,EAAE;QAAE,OAAO,OAAO,CAAC;IAErE,wEAAwE;IACxE,2DAA2D;IAC3D,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,2BAA2B,CAAC,IAAsB;IACzD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAC/B,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,0BAA0B,CAAC;IAE1E,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QAC7B,IAAI,KAAK,CAAC,QAAQ,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChD,QAAQ,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7C,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,QAAQ,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;oBACjB,MAAM,KAAK,GAAa,EAAE,CAAC;oBAC3B,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;wBACjC,MAAM,UAAU,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC;wBACvC,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;wBAC7B,IAAI,UAAU,KAAK,SAAS;4BAAE,KAAK,CAAC,IAAI,CAAC,MAAM,UAAU,EAAE,CAAC,CAAC;wBAC7D,IAAI,KAAK,KAAK,SAAS;4BAAE,KAAK,CAAC,IAAI,CAAC,KAAK,KAAK,EAAE,CAAC,CAAC;oBACpD,CAAC;oBACD,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;wBAAE,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;gBACxD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,0BAA0B,CAAC;AAChF,CAAC;AAED,6DAA6D;AAE7D,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,uBAAuB,CAAC;IAC/B,WAAW,GAAG,oEAAoE,CAAC;IAE5F,KAAK,CAAC,OAAO,CAAC,OAAwB;QACpC,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC;YACH,MAAM,WAAW,GAAoB;gBACnC,OAAO,EAAE;oBACP,IAAI,EAAE,OAAO,CAAC,WAAW;oBACzB,SAAS,EAAE,KAAK;iBACjB;gBACD,OAAO,EAAE,OAAO,CAAC,OAAO;aACzB,CAAC;YAEF,MAAM,MAAM,GAAG,MAAM,SAAS,CAAmB,WAAW,EAAE;gBAC5D,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC;gBACjC,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;gBACf,iDAAiD;gBACjD,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,oBAAoB,MAAM,CAAC,OAAO,KAAK,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC;gBACjF,OAAO;oBACL,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ,EAAE,EAAE;oBACZ,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;iBACpC,CAAC;YACJ,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YAEtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;gBACjC,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;gBACtC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,IAAI,0BAA0B,CAAC;gBAC3E,MAAM,gBAAgB,GAAG,2BAA2B,CAAC,IAAI,CAAC,CAAC;gBAE3D,QAAQ,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,QAAQ;oBACR,KAAK,EAAE,GAAG,KAAK,OAAO,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,OAAO,EAAE;oBAC9D,WAAW,EAAE,OAAO;oBACpB,cAAc,EAAE,gDAAgD,gBAAgB,EAAE;iBACnF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,OAAO,KAAc,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CACT,IAAI,IAAI,CAAC,IAAI,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC7F,CAAC;QACJ,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ;YACR,QAAQ,EAAE,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK;SACpC,CAAC;IACJ,CAAC;CACF"}

package/dist/cli/commands/check.d.ts

@@ -0,0 +1,21 @@
+/**
+ * "check" command handler.
+ *
+ * Parses package specifiers, fetches metadata and tarballs from the
+ * npm registry, runs the analysis engine, and outputs formatted results.
+ */
+import type { CheckOptions } from '../../core/types.js';
+/**
+ * Execute the "check" command for one or more packages.
+ *
+ * For each package:
+ * 1. Fetch metadata from npm registry
+ * 2. Download and extract tarball to temp directory
+ * 3. Run all analyzers via the engine
+ * 4. Format and output results
+ *
+ * Returns true if all packages pass (no findings at or above --fail-on),
+ * false if any package fails the threshold check.
+ */
+export declare function executeCheck(options: CheckOptions): Promise<boolean>;
+//# sourceMappingURL=check.d.ts.map

package/dist/cli/commands/check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/check.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH,OAAO,KAAK,EAEV,YAAY,EAIb,MAAM,qBAAqB,CAAC;AA0E7B;;;;;;;;;;;GAWG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,CAuI1E"}