np-audit 1.0.0 → 1.2.1

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "np-audit",
-  "version": "1.0.0",
+  "version": "1.2.1",
   "description": "Static obfuscation detector for npm lifecycle scripts — supply chain attack prevention",
   "bin": {
-    "npa": "./bin/npa.js",
-    "np-audit": "./bin/npa.js"
+    "npa": "bin/npa.js",
+    "np-audit": "bin/npa.js"
   },
   "main": "./src/cli.js",
   "files": [

package/src/cli.js

@@ -35,10 +35,6 @@ const HELP = `
     parallelFetches  Concurrent downloads (default: ${DEFAULT_CONFIG.parallelFetches})
     skipScopes       Array of @scopes to skip
     skipPackages     Array of package names to skip
-
-  Install:
-    npm install -g np-audit
-    npx np-audit scan
 `;
 
 function parseArgs(argv) {
@@ -60,7 +56,8 @@ function parseArgs(argv) {
       case '--json':     flags.json    = true; break;
       case '--no-dev':   flags.noDev   = true; break;
       case '--verbose':  flags.verbose = true; break;
-      case '--version':  flags.version = true; break;
+      case '--version':
+      case '-v':         flags.version = true; break;
       case '--help':
       case '-h':         flags.help    = true; break;
       default:

package/src/scanner.js

@@ -26,9 +26,15 @@ async function scan(opts) {
   if (singlePackage) {
     packages = await resolveSinglePackage(singlePackage, config);
   } else {
-    const parsed = parseLockfile(cwd);
-    packages = parsed.packages;
-    lockfileVersion = parsed.lockfileVersion;
+    const lockPath = path.join(cwd, 'package-lock.json');
+    if (fs.existsSync(lockPath)) {
+      const parsed = parseLockfile(cwd);
+      packages = parsed.packages;
+      lockfileVersion = parsed.lockfileVersion;
+    } else {
+      // No lockfile — resolve from package.json
+      packages = await resolveFromPackageJson(cwd, config, noDev);
+    }
   }
 
   // Apply skip filters
@@ -242,6 +248,74 @@ function verdictFromScore(score, config) {
   return 'OK';
 }
 
+/**
+ * Extract the first clean X.Y.Z (or X.Y or X) semver from a range string.
+ * Returns null if no clean version can be found.
+ * Examples: "^5.1.0" → "5.1.0", "4.22.1 || ^5" → "4.22.1", "2" → "2", "*" → null
+ */
+function extractSemver(range) {
+  const match = range.match(/(\d+\.\d+\.\d+(?:-[\w.]+)?|\d+\.\d+|\d+)(?!\S*-)/);
+  if (match) return match[1];
+  return null;
+}
+
+/**
+ * Resolve dependencies from package.json when no lockfile exists.
+ * @param {string} cwd
+ * @param {object} config
+ * @param {boolean} noDev
+ * @returns {Promise<PackageDescriptor[]>}
+ */
+async function resolveFromPackageJson(cwd, config, noDev) {
+  const pkgPath = path.join(cwd, 'package.json');
+  if (!fs.existsSync(pkgPath)) {
+    throw new Error(`package.json not found in ${cwd}`);
+  }
+
+  let pkgJson;
+  try {
+    pkgJson = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+  } catch (err) {
+    throw new Error(`Failed to parse package.json: ${err.message}`);
+  }
+
+  const deps = { ...pkgJson.dependencies };
+  if (!noDev && pkgJson.devDependencies) {
+    Object.assign(deps, pkgJson.devDependencies);
+  }
+
+  const packages = [];
+  const { fetchJSON } = require('./fetcher');
+
+  for (const [name, range] of Object.entries(deps)) {
+    const version = extractSemver(range);
+    if (!version) continue;
+
+    try {
+      const meta = await fetchJSON(`${config.registry}/${encodeURIComponent(name)}`, { timeout: config.timeout });
+      const versionData = meta.versions && meta.versions[version];
+      if (!versionData) continue;
+
+      packages.push({
+        name,
+        version,
+        resolved: versionData.dist && versionData.dist.tarball,
+        integrity: versionData.dist && versionData.dist.integrity || '',
+        hasInstallScript: !!(versionData.scripts &&
+          (versionData.scripts.preinstall || versionData.scripts.postinstall || versionData.scripts.install)),
+        dev: !!(pkgJson.devDependencies && pkgJson.devDependencies[name]),
+        optional: false,
+        inBundle: false,
+        link: false,
+      });
+    } catch {
+      // Skip packages we can't fetch metadata for
+    }
+  }
+
+  return packages;
+}
+
 /**
  * Resolve a single package's dependency tree via the npm registry.
  * @param {string} packageSpec  e.g. "express" or "express@4.18.0"
@@ -275,17 +349,19 @@ async function resolveSinglePackage(packageSpec, config) {
     for (const [depName, range] of Object.entries(deps || {})) {
       if (seen.has(depName)) continue;
       seen.add(depName);
-      // We don't resolve ranges here — just list direct deps; full tree would need more registry calls
+      // Extract the first clean semver from the range (e.g. "4.22.1 || ^5" → "4.22.1", "^5.1.0" → "5.1.0")
+      const exactVersion = extractSemver(range);
+      if (!exactVersion) continue; // skip unresolvable ranges — lockfile scan will cover them
       packages.push({
-        name: depName,
-        version: range.replace(/^[\^~>=<]/, ''),
-        resolved: buildTarballUrl(depName, range.replace(/^[\^~>=<]/, ''), config.registry),
-        integrity: '',
+        name:             depName,
+        version:          exactVersion,
+        resolved:         buildTarballUrl(depName, exactVersion, config.registry),
+        integrity:        '',
         hasInstallScript: false,
-        dev: false,
-        optional: false,
-        inBundle: false,
-        link: false,
+        dev:              false,
+        optional:         false,
+        inBundle:         false,
+        link:             false,
       });
     }
   }