np-audit 1.2.1 → 1.4.0

package/src/commands/index.js

@@ -0,0 +1,37 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const commands = new Map();
+
+// Load all command modules from this directory
+const files = fs.readdirSync(__dirname).filter(f => f !== 'index.js' && f.endsWith('.js'));
+
+for (const file of files) {
+  const cmd = require(path.join(__dirname, file));
+  commands.set(cmd.name, cmd);
+  for (const alias of cmd.aliases || []) {
+    commands.set(alias, cmd);
+  }
+}
+
+module.exports = {
+  commands,
+
+  get(name) {
+    return commands.get(name);
+  },
+
+  list() {
+    const seen = new Set();
+    const result = [];
+    for (const cmd of commands.values()) {
+      if (!seen.has(cmd.name)) {
+        seen.add(cmd.name);
+        result.push(cmd);
+      }
+    }
+    return result;
+  },
+};

package/src/commands/install.js

@@ -0,0 +1,109 @@
+'use strict';
+
+const { scan } = require('../core/scanner');
+const { runAware, runNpm } = require('../utils/review');
+const output = require('../utils/output');
+
+module.exports = {
+  name: 'install',
+  aliases: ['i'],
+  description: 'Audit then run npm install',
+
+  help() {
+    return `
+  npa install — Audit dependencies then run npm install
+
+  Usage:
+    npa install [package] [options]
+
+  Options:
+    --review, -r   Interactive mode: review and allow/deny scripts
+    --json        Output scan results as JSON
+    --no-dev      Skip devDependencies in scan
+    --verbose     Show detailed findings
+    -h, --help    Show this help
+
+  Examples:
+    npa install                Install all deps after audit
+    npa install lodash         Add lodash after auditing it
+    npa install --review        Review scripts interactively
+`;
+  },
+
+  async run({ args, flags, config, cwd }) {
+    const packages = args.filter(a => !a.startsWith('-'));
+
+    const results = await scan({
+      cwd,
+      config,
+      noDev:         flags.noDev,
+      verbose:       flags.verbose,
+      packages:      packages.length > 0 ? packages : null,
+    });
+
+    const hasIssues = results.some(r => r.verdict !== 'OK');
+    const silent = config.silent && !hasIssues;
+
+    output.printScanHeader(silent);
+
+    if (flags.json) {
+      process.stdout.write(JSON.stringify(toJsonReport(results), null, 2) + '\n');
+    } else {
+      printResults(results, silent);
+    }
+
+    const blocked = results.filter(r => r.verdict === 'BLOCK');
+
+    if (blocked.length > 0 && !flags.review) {
+      output.error(`${blocked.length} package(s) blocked due to obfuscated install scripts.`);
+      output.log(output.dim('  Run with --review to interactively decide which scripts to allow.'));
+      process.exit(1);
+    }
+
+    const npmArgs = packages.length > 0 ? packages : [];
+
+    if (flags.review) {
+      const packagesWithScripts = results.filter(r => r.verdict !== 'OK' || r.scripts.length > 0);
+      const exit = await runAware({
+        results: packagesWithScripts.length > 0 ? packagesWithScripts : results,
+        command: 'install',
+        npmArgs,
+        cwd,
+      });
+      process.exit(exit);
+    } else {
+      const exit = runNpm('install', npmArgs, cwd);
+      process.exit(exit);
+    }
+  },
+};
+
+function printResults(results, silent = false) {
+  if (silent) return;
+  if (results.length === 0) {
+    output.success('No packages with install scripts found.');
+    return;
+  }
+  for (const r of results) {
+    output.printPackageResult(r.pkg, r);
+  }
+}
+
+function toJsonReport(results) {
+  return {
+    summary: {
+      total:   results.length,
+      blocked: results.filter(r => r.verdict === 'BLOCK').length,
+      warned:  results.filter(r => r.verdict === 'WARN').length,
+      ok:      results.filter(r => r.verdict === 'OK').length,
+    },
+    packages: results.map(r => ({
+      name:     r.pkg.name,
+      version:  r.pkg.version,
+      verdict:  r.verdict,
+      score:    r.score,
+      findings: r.findings,
+      scripts:  r.scripts.map(s => ({ lifecycle: s.lifecycle, file: s.file, score: s.score })),
+    })),
+  };
+}

package/src/commands/scan.js

@@ -0,0 +1,82 @@
+'use strict';
+
+const { scan } = require('../core/scanner');
+const output = require('../utils/output');
+
+module.exports = {
+  name: 'scan',
+  aliases: ['s'],
+  description: 'Scan only, no npm invocation',
+
+  help() {
+    return `
+  npa scan — Scan dependencies for obfuscated install scripts
+
+  Usage:
+    npa scan [package] [options]
+
+  Options:
+    --json        Output results as JSON
+    --no-dev      Skip devDependencies
+    --verbose     Show detailed findings
+    -h, --help    Show this help
+
+  Examples:
+    npa scan              Scan all dependencies
+    npa scan lodash       Scan a specific package before installing
+    npa scan --no-dev     Scan production dependencies only
+    npa scan --json       Output machine-readable JSON
+`;
+  },
+
+  async run({ args, flags, config, cwd }) {
+    const packages = args.filter(a => !a.startsWith('-'));
+    const results = await scan({ cwd, config, noDev: flags.noDev, verbose: flags.verbose, packages: packages.length > 0 ? packages : null });
+    const hasIssues = results.some(r => r.verdict !== 'OK');
+    const silent = config.silent && !hasIssues;
+
+    output.printScanHeader(silent);
+
+    if (flags.json) {
+      process.stdout.write(JSON.stringify(toJsonReport(results), null, 2) + '\n');
+      const hasBlock = results.some(r => r.verdict === 'BLOCK');
+      process.exit(hasBlock ? 1 : 0);
+    }
+
+    printResults(results, silent);
+    if (!silent) output.printSummary(results);
+
+    const hasBlock = results.some(r => r.verdict === 'BLOCK');
+    process.exit(hasBlock ? 1 : 0);
+  },
+};
+
+function printResults(results, silent = false) {
+  if (silent) return;
+  if (results.length === 0) {
+    output.success('No packages with install scripts found.');
+    return;
+  }
+  for (const r of results) {
+    output.printPackageResult(r.pkg, r);
+  }
+}
+
+function toJsonReport(results) {
+  return {
+    summary: {
+      total:   results.length,
+      blocked: results.filter(r => r.verdict === 'BLOCK').length,
+      warned:  results.filter(r => r.verdict === 'WARN').length,
+      ok:      results.filter(r => r.verdict === 'OK').length,
+    },
+    packages: results.map(r => ({
+      name:     r.pkg.name,
+      version:  r.pkg.version,
+      verdict:  r.verdict,
+      score:    r.score,
+      findings: r.findings,
+      scripts:  r.scripts.map(s => ({ lifecycle: s.lifecycle, file: s.file, score: s.score })),
+    })),
+  };
+}

package/src/{detector.js → core/detector.js}

@@ -1,5 +1,9 @@
 'use strict';
 
+// ─── Constants ───────────────────────────────────────────────────────────────
+
+const MAX_CODE_SIZE = 500000; // 500KB - chunk larger files
+
 // ─── Individual detection checks ─────────────────────────────────────────────
 
 /**
@@ -22,31 +26,57 @@ function checkEval(code) {
 
 /**
  * Detect obfuscator.io signature: _0x variable naming.
+ * Score scales with density of obfuscation.
  * @param {string} code
  * @returns {Finding|null}
  */
 function checkObfuscatorIo(code) {
   const matches = code.match(/_0x[0-9a-fA-F]+/g) || [];
   if (matches.length < 3) return null;
-  return { name: 'obfuscator.io', score: 9, detail: `${matches.length} _0x identifiers found` };
+  // Scale score: 3-10 = 9, 11-50 = 15, 51-200 = 30, 201-1000 = 50, 1000+ = 80
+  let score = 9;
+  if (matches.length > 1000) score = 80;
+  else if (matches.length > 200) score = 50;
+  else if (matches.length > 50) score = 30;
+  else if (matches.length > 10) score = 15;
+  return { name: 'obfuscator.io', score, detail: `${matches.length} _0x identifiers found` };
 }
 
 /**
  * Detect high-entropy strings (likely encoded/encrypted payloads).
+ * Uses indexOf-based extraction to avoid regex stack overflow on large files.
  * @param {string} code
  * @returns {Finding|null}
  */
 function checkHighEntropy(code) {
-  // Extract string literals (single, double, template)
-  const stringRe = /(?:"([^"\\]|\\.){50,}"|'([^'\\]|\\.){50,}'|`([^`\\]|\\.){50,}`)/g;
-  let match;
   let maxEntropy = 0;
   let worst = '';
-  while ((match = stringRe.exec(code)) !== null) {
-    const s = match[0].slice(1, -1);
-    const e = shannonEntropy(s);
-    if (e > maxEntropy) { maxEntropy = e; worst = s.slice(0, 40); }
+  const minLen = 50;
+
+  // Simple string extraction without complex regex
+  for (const quote of ['"', "'", '`']) {
+    let pos = 0;
+    while (pos < code.length) {
+      const start = code.indexOf(quote, pos);
+      if (start === -1) break;
+
+      // Find end quote (skip escaped quotes)
+      let end = start + 1;
+      while (end < code.length) {
+        if (code[end] === '\\') { end += 2; continue; }
+        if (code[end] === quote) break;
+        end++;
+      }
+
+      if (end < code.length && end - start - 1 >= minLen) {
+        const s = code.slice(start + 1, end);
+        const e = shannonEntropy(s);
+        if (e > maxEntropy) { maxEntropy = e; worst = s.slice(0, 40); }
+      }
+      pos = end + 1;
+    }
   }
+
   if (maxEntropy < 4.5) return null;
   return {
     name: 'high-entropy-string',
@@ -57,13 +87,19 @@ function checkHighEntropy(code) {
 
 /**
  * Detect dense hex escape sequences (\x41).
+ * Score scales with volume.
  * @param {string} code
  * @returns {Finding|null}
  */
 function checkHexEscapes(code) {
   const hexMatches = (code.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
   if (hexMatches < 10) return null;
-  return { name: 'hex-escape-density', score: 5, detail: `${hexMatches} \\xNN hex escapes found` };
+  // Scale: 10-50 = 5, 51-200 = 15, 201-1000 = 30, 1000+ = 50
+  let score = 5;
+  if (hexMatches > 1000) score = 50;
+  else if (hexMatches > 200) score = 30;
+  else if (hexMatches > 50) score = 15;
+  return { name: 'hex-escape-density', score, detail: `${hexMatches} \\xNN hex escapes found` };
 }
 
 /**
@@ -119,6 +155,7 @@ function checkChildProcess(code) {
 
 /**
  * Detect large hex literal arrays (common in minified obfuscated code).
+ * Score scales with volume.
  * @param {string} code
  * @returns {Finding|null}
  */
@@ -126,7 +163,12 @@ function checkHexArray(code) {
   // Count 0x1234-style literals
   const hexLiterals = (code.match(/\b0x[0-9a-fA-F]+\b/g) || []).length;
   if (hexLiterals < 20) return null;
-  return { name: 'hex-array', score: 7, detail: `${hexLiterals} hex literal values found` };
+  // Scale: 20-100 = 7, 101-500 = 20, 501-2000 = 40, 2000+ = 60
+  let score = 7;
+  if (hexLiterals > 2000) score = 60;
+  else if (hexLiterals > 500) score = 40;
+  else if (hexLiterals > 100) score = 20;
+  return { name: 'hex-array', score, detail: `${hexLiterals} hex literal values found` };
 }
 
 /**
@@ -190,22 +232,45 @@ const CHECKS = [
 
 /**
  * Run all checks against a code string.
+ * For large files, analyzes multiple chunks and aggregates results.
  * @param {string} code
  * @param {object} config  { blockScore, warnScore }
  * @returns {{ score: number, findings: Finding[], verdict: 'BLOCK'|'WARN'|'OK' }}
  */
-function detectObfuscation(code, config = { blockScore: 7, warnScore: 4 }) {
+function detectObfuscation(code, config = { blockScore: 50, warnScore: 20 }) {
   if (!code || typeof code !== 'string') {
     return { score: 0, findings: [], verdict: 'OK' };
   }
 
-  const findings = [];
-  for (const check of CHECKS) {
-    const result = check(code);
-    if (result) findings.push(result);
+  // For large files, analyze chunks and take worst results
+  const chunks = [];
+  if (code.length > MAX_CODE_SIZE) {
+    // Analyze start, middle, and end chunks
+    chunks.push(code.slice(0, MAX_CODE_SIZE));
+    const mid = Math.floor(code.length / 2) - Math.floor(MAX_CODE_SIZE / 2);
+    chunks.push(code.slice(mid, mid + MAX_CODE_SIZE));
+    chunks.push(code.slice(-MAX_CODE_SIZE));
+  } else {
+    chunks.push(code);
   }
 
-  // Score = highest individual finding score (weighted max — avoid double-penalizing)
+  const allFindings = new Map(); // Dedupe by name, keep highest score
+
+  for (const chunk of chunks) {
+    for (const check of CHECKS) {
+      const result = check(chunk);
+      if (result) {
+        const existing = allFindings.get(result.name);
+        if (!existing || result.score > existing.score) {
+          allFindings.set(result.name, result);
+        }
+      }
+    }
+  }
+
+  const findings = Array.from(allFindings.values());
+
+  // Score = highest individual finding score
   const score = findings.length > 0
     ? Math.max(...findings.map(f => f.score))
     : 0;

package/src/{scanner.js → core/scanner.js}

@@ -2,11 +2,11 @@
 
 const fs      = require('fs');
 const path    = require('path');
-const { parseLockfile }                = require('./lockfile');
-const { fetchTarball, buildTarballUrl, verifyIntegrity } = require('./fetcher');
-const { parseTarGz, extractFile, getPackageJson }        = require('./tarball');
+const { parseLockfile }                = require('../utils/lockfile');
+const { fetchTarball, buildTarballUrl, verifyIntegrity } = require('../utils/fetcher');
+const { parseTarGz, extractFile, getPackageJson }        = require('../utils/tarball');
 const { detectObfuscation }            = require('./detector');
-const output                           = require('./output');
+const output                           = require('../utils/output');
 
 /**
  * Main scan orchestrator.
@@ -15,16 +15,33 @@ const output                           = require('./output');
  * @param {object}  opts.config
  * @param {boolean} opts.noDev
  * @param {boolean} opts.verbose
- * @param {string|null} opts.singlePackage  name for single-package mode
+ * @param {string|null} opts.singlePackage  name for single-package mode (deprecated, use packages)
+ * @param {string[]|null} opts.packages  package names to scan
  * @returns {Promise<ScanResult[]>}
  */
 async function scan(opts) {
-  const { cwd, config, noDev, verbose, singlePackage } = opts;
+  const { cwd, config, noDev, verbose, singlePackage, packages: packageList } = opts;
 
   let packages;
   let lockfileVersion = 1;
-  if (singlePackage) {
-    packages = await resolveSinglePackage(singlePackage, config);
+  let explicitPackageNames = new Set();
+
+  // Support both single package (legacy) and multiple packages
+  const targetPackages = packageList || (singlePackage ? [singlePackage] : null);
+
+  if (targetPackages && targetPackages.length > 0) {
+    // Scan specific packages from registry
+    const allPackages = [];
+    for (const pkg of targetPackages) {
+      const resolved = await resolveSinglePackage(pkg, config);
+      // Mark the first package (the explicitly requested one) as explicit
+      if (resolved.length > 0) {
+        const pkgName = pkg.includes('@') && !pkg.startsWith('@') ? pkg.split('@')[0] : pkg;
+        explicitPackageNames.add(pkgName);
+      }
+      allPackages.push(...resolved);
+    }
+    packages = allPackages;
   } else {
     const lockPath = path.join(cwd, 'package-lock.json');
     if (fs.existsSync(lockPath)) {
@@ -37,6 +54,9 @@ async function scan(opts) {
     }
   }
 
+  // Track packages without install scripts (for skipped count)
+  let skippedCount = 0;
+
   // Apply skip filters
   packages = packages.filter(pkg => {
     if (noDev && pkg.dev) return false;
@@ -47,6 +67,14 @@ async function scan(opts) {
         if (pkg.name.startsWith(scope + '/') || pkg.name === scope) return false;
       }
     }
+    // For explicit packages, always include them but track if they have no scripts
+    if (explicitPackageNames.has(pkg.name)) {
+      if (!pkg.hasInstallScript) {
+        skippedCount++;
+        return false;
+      }
+      return true;
+    }
     // v2/v3 lockfiles reliably report hasInstallScript — skip definitive negatives
     if (lockfileVersion >= 2 && pkg.hasInstallScript === false) return false;
     return true;
@@ -59,7 +87,13 @@ async function scan(opts) {
     return scanPackage(pkg, cwd, config, verbose);
   });
 
-  return results.filter(Boolean);
+  const scanned = results.filter(Boolean);
+  // Add packages that returned null from scanPackage (no scripts found during scan)
+  skippedCount += results.filter(r => r === null).length;
+
+  // Attach metadata to results array
+  scanned.skippedCount = skippedCount;
+  return scanned;
 }
 
 /**
@@ -269,7 +303,8 @@ function extractSemver(range) {
 async function resolveFromPackageJson(cwd, config, noDev) {
   const pkgPath = path.join(cwd, 'package.json');
   if (!fs.existsSync(pkgPath)) {
-    throw new Error(`package.json not found in ${cwd}`);
+    // No package.json — nothing to scan (e.g. empty directory)
+    return [];
   }
 
   let pkgJson;
@@ -285,7 +320,7 @@ async function resolveFromPackageJson(cwd, config, noDev) {
   }
 
   const packages = [];
-  const { fetchJSON } = require('./fetcher');
+  const { fetchJSON } = require('../utils/fetcher');
 
   for (const [name, range] of Object.entries(deps)) {
     const version = extractSemver(range);
@@ -327,7 +362,7 @@ async function resolveSinglePackage(packageSpec, config) {
     ? packageSpec.split('@')
     : [packageSpec, 'latest'];
 
-  const { fetchJSON } = require('./fetcher');
+  const { fetchJSON } = require('../utils/fetcher');
   let meta;
   try {
     meta = await fetchJSON(`${config.registry}/${encodeURIComponent(name)}`, { timeout: config.timeout });

package/src/{config.js → utils/config.js}

@@ -14,6 +14,7 @@ const DEFAULT_CONFIG = Object.freeze({
   parallelFetches: 5,
   skipScopes:      [],
   skipPackages:    [],
+  silent:          false,
 });
 
 const VALID_KEYS = new Set(Object.keys(DEFAULT_CONFIG));
@@ -43,6 +44,8 @@ function coerce(obj) {
     } else if (typeof def === 'number') {
       const n = Number(val);
       if (!isNaN(n)) result[key] = n;
+    } else if (typeof def === 'boolean') {
+      result[key] = val === true || val === 'true' || val === '1';
     } else {
       result[key] = val;
     }

package/src/{output.js → utils/output.js}

@@ -49,16 +49,26 @@ function log(msg) {
 }
 
 function verdictBadge(verdict) {
-  if (NO_COLOR) return `[${verdict}]`;
-  if (verdict === 'BLOCK') return `${BG_RED}${BOLD} BLOCK ${RESET}`;
+  if (NO_COLOR) return verdict === 'BLOCK' ? '[DANGER]' : `[${verdict}]`;
+  if (verdict === 'BLOCK') return `${BG_RED}${WHITE}${BOLD} DANGER ${RESET}`;
   if (verdict === 'WARN')  return `${BG_YELLOW}\x1b[30m WARN  ${RESET}`;
   return `${GREEN} OK    ${RESET}`;
 }
 
-function printScanHeader() {
-  log('');
-  log(bold(cyan('npa') + ' — npm package auditor'));
-  log(dim('Static obfuscation detection for install scripts'));
+const ASCII_LOGO = `
+
+  ███╗   ██╗██████╗  █████╗
+  ████╗  ██║██╔══██╗██╔══██╗
+  ██╔██╗ ██║██████╔╝███████║
+  ██║╚██╗██║██╔═══╝ ██╔══██║
+  ██║ ╚████║██║     ██║  ██║
+  ╚═╝  ╚═══╝╚═╝     ╚═╝  ╚═╝
+`;
+
+function printScanHeader(silent = false) {
+  if (silent) return;
+  log(blue(ASCII_LOGO));
+  log(dim('  npm package auditor — static obfuscation detection'));
   log(dim('─'.repeat(60)));
   log('');
 }
@@ -77,10 +87,15 @@ function printSummary(results) {
   const blocked = results.filter(r => r.verdict === 'BLOCK').length;
   const warned  = results.filter(r => r.verdict === 'WARN').length;
   const ok      = results.filter(r => r.verdict === 'OK').length;
+  const skipped = results.skippedCount || 0;
 
   log('');
   log(dim('─'.repeat(60)));
-  log(`  ${green(String(ok))} clean   ${yellow(String(warned))} warnings   ${red(String(blocked))} blocked`);
+  let summary = `  ${green(String(ok))} clean   ${yellow(String(warned))} warnings   ${red(String(blocked))} blocked`;
+  if (skipped > 0) {
+    summary += `   ${dim(String(skipped) + ' skipped (no install scripts)')}`;
+  }
+  log(summary);
   log('');
 }