np-audit 1.3.0 → 1.5.0

package/src/commands/alias.js

@@ -0,0 +1,111 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const output = require('../utils/output');
+
+const BASH_HOOK = `# npa npm hook
+npm() { [[ -n "$NPA_RUNNING" ]] && { command npm "$@"; return; }; case "$1" in scan) npa scan "\${@:2}"; return;; install|i|add) command -v npa >/dev/null && { local pkgs=(); for a in "\${@:2}"; do [[ "$a" != -* ]] && pkgs+=("$a"); done; if [[ \${#pkgs[@]} -gt 0 ]]; then npa scan "\${pkgs[@]}" || { echo "[npa] Blocked. Use 'npa install --review'"; return 1; }; else npa scan || { echo "[npa] Blocked. Use 'npa install --review'"; return 1; }; fi; };; ci) command -v npa >/dev/null && { npa scan || { echo "[npa] Blocked. Use 'npa ci --review'"; return 1; }; };; esac; command npm "$@"; }`;
+
+const POWERSHELL_HOOK = `# npa npm hook
+function npm { if($env:NPA_RUNNING){& npm.cmd @args;return}; if($args[0] -eq 'scan'){& npa scan @($args|Select-Object -Skip 1);return}; if($args[0] -in @('install','i','add')){$pkgs=@($args|Where-Object{$_ -notmatch '^-'}|Select-Object -Skip 1); if($pkgs.Count -gt 0){& npa scan @pkgs; if($LASTEXITCODE -ne 0){Write-Host "[npa] Blocked.";return 1}}else{& npa scan; if($LASTEXITCODE -ne 0){Write-Host "[npa] Blocked.";return 1}}}; if($args[0] -eq 'ci'){& npa scan; if($LASTEXITCODE -ne 0){Write-Host "[npa] Blocked.";return 1}}; & npm.cmd @args }`;
+
+module.exports = {
+  name: 'alias',
+  aliases: [],
+  description: 'Shell hook to auto-scan before npm install/ci',
+
+  help() {
+    return `
+  npa alias — Shell hook to auto-scan before npm install/ci
+
+  Usage:
+    npa alias                Print the shell hook
+    npa alias --install      Add hook to shell profile (~/.zshrc or ~/.bashrc)
+    npa alias --uninstall    Remove hook from shell profile
+
+  The hook intercepts npm install/ci/add commands and runs npa scan first.
+  If issues are found, the install is blocked until resolved.
+
+  Examples:
+    npa alias                     Print hook for manual installation
+    npa alias --install           Auto-install to detected shell
+    eval "$(npa alias)"           Load hook in current session only
+`;
+  },
+
+  run({ rawArgs }) {
+    const install = rawArgs.includes('--install') || rawArgs.includes('-i');
+    const uninstall = rawArgs.includes('--uninstall') || rawArgs.includes('-u');
+
+    const { shell, hook, profilePath } = detectShell();
+
+    if (uninstall) {
+      return doUninstall(profilePath);
+    }
+
+    if (install) {
+      return doInstall(hook, profilePath);
+    }
+
+    // Print hook
+    process.stdout.write(hook + '\n');
+    output.log('');
+    output.log(output.dim(`  Add to your shell profile, or run: npa alias --install`));
+  },
+};
+
+function detectShell() {
+  if (process.platform === 'win32') {
+    return { shell: 'powershell', hook: POWERSHELL_HOOK, profilePath: null };
+  }
+
+  const userShell = process.env.SHELL || '';
+  if (userShell.includes('zsh')) {
+    return { shell: 'zsh', hook: BASH_HOOK, profilePath: path.join(os.homedir(), '.zshrc') };
+  }
+
+  return { shell: 'bash', hook: BASH_HOOK, profilePath: path.join(os.homedir(), '.bashrc') };
+}
+
+function doUninstall(profilePath) {
+  if (!profilePath) {
+    output.error('Auto-uninstall not supported for PowerShell. Remove manually from $PROFILE');
+    return;
+  }
+
+  if (!fs.existsSync(profilePath)) {
+    output.warn('No profile found at ' + profilePath);
+    return;
+  }
+
+  const content = fs.readFileSync(profilePath, 'utf8');
+  if (!content.includes('# npa npm hook')) {
+    output.warn('npa hook not found in ' + profilePath);
+    return;
+  }
+
+  const cleaned = content.replace(/\n*# npa npm hook\nnpm\(\)[^\n]+\n*/g, '\n');
+  fs.writeFileSync(profilePath, cleaned);
+  output.success(`Removed npa hook from ${profilePath}`);
+  output.log(output.dim('  Run: source ' + profilePath + ' (or restart your terminal)'));
+}
+
+function doInstall(hook, profilePath) {
+  if (!profilePath) {
+    output.error('Auto-install not supported for PowerShell. Copy the output manually to $PROFILE');
+    process.stdout.write('\n' + hook + '\n');
+    return;
+  }
+
+  const content = fs.existsSync(profilePath) ? fs.readFileSync(profilePath, 'utf8') : '';
+  if (content.includes('# npa npm hook')) {
+    output.warn('npa hook already installed in ' + profilePath);
+    return;
+  }
+
+  fs.appendFileSync(profilePath, '\n\n' + hook + '\n');
+  output.success(`Installed npa hook to ${profilePath}`);
+  output.log(output.dim('  Run: source ' + profilePath + ' (or restart your terminal)'));
+}

package/src/commands/ci.js

@@ -0,0 +1,90 @@
+'use strict';
+
+const { scan } = require('../core/scanner');
+const { runAware, runNpm } = require('../utils/review');
+const output = require('../utils/output');
+
+module.exports = {
+  name: 'ci',
+  aliases: [],
+  description: 'Audit then run npm ci',
+
+  help() {
+    return `
+  npa ci — Audit dependencies then run npm ci
+
+  Usage:
+    npa ci [options]
+
+  Options:
+    --review, -r   Interactive mode: review and allow/deny scripts
+    --json        Output scan results as JSON
+    --no-dev      Skip devDependencies in scan
+    --verbose     Show detailed findings
+    -h, --help    Show this help
+
+  Examples:
+    npa ci            Clean install after audit
+    npa ci --review    Review scripts interactively
+`;
+  },
+
+  async run({ flags, config, cwd }) {
+    const results = await scan({ cwd, config, noDev: flags.noDev, verbose: flags.verbose });
+    const hasIssues = results.some(r => r.verdict !== 'OK');
+    const silent = config.silent && !hasIssues;
+
+    output.printScanHeader(silent);
+
+    if (flags.json) {
+      process.stdout.write(JSON.stringify(toJsonReport(results), null, 2) + '\n');
+    } else {
+      printResults(results, silent);
+    }
+
+    const blocked = results.filter(r => r.verdict === 'BLOCK');
+
+    if (blocked.length > 0 && !flags.review) {
+      output.error(`${blocked.length} package(s) blocked due to obfuscated install scripts.`);
+      process.exit(1);
+    }
+
+    if (flags.review) {
+      const exit = await runAware({ results, command: 'ci', npmArgs: [], cwd });
+      process.exit(exit);
+    } else {
+      const exit = runNpm('ci', [], cwd);
+      process.exit(exit);
+    }
+  },
+};
+
+function printResults(results, silent = false) {
+  if (silent) return;
+  if (results.length === 0) {
+    output.success('No packages with install scripts found.');
+    return;
+  }
+  for (const r of results) {
+    output.printPackageResult(r.pkg, r);
+  }
+}
+
+function toJsonReport(results) {
+  return {
+    summary: {
+      total:   results.length,
+      blocked: results.filter(r => r.verdict === 'BLOCK').length,
+      warned:  results.filter(r => r.verdict === 'WARN').length,
+      ok:      results.filter(r => r.verdict === 'OK').length,
+    },
+    packages: results.map(r => ({
+      name:     r.pkg.name,
+      version:  r.pkg.version,
+      verdict:  r.verdict,
+      score:    r.score,
+      findings: r.findings,
+      scripts:  r.scripts.map(s => ({ lifecycle: s.lifecycle, file: s.file, score: s.score })),
+    })),
+  };
+}

package/src/commands/config.js

@@ -0,0 +1,71 @@
+'use strict';
+
+const { setGlobalConfig, getGlobalConfigPath, DEFAULT_CONFIG } = require('../utils/config');
+const output = require('../utils/output');
+
+module.exports = {
+  name: 'config',
+  aliases: ['c'],
+  description: 'View or modify npa configuration',
+
+  help() {
+    return `
+  npa config — View or modify npa configuration
+
+  Usage:
+    npa config get              Show all config values
+    npa config set <key> <val>  Set a config value
+
+  Config keys:
+    blockScore       Score threshold for hard block (default: ${DEFAULT_CONFIG.blockScore})
+    warnScore        Score threshold for warning (default: ${DEFAULT_CONFIG.warnScore})
+    registry         npm registry URL
+    timeout          HTTP timeout in ms (default: ${DEFAULT_CONFIG.timeout})
+    parallelFetches  Concurrent downloads (default: ${DEFAULT_CONFIG.parallelFetches})
+    skipScopes       Array of @scopes to skip (JSON)
+    skipPackages     Array of package names to skip (JSON)
+
+  Examples:
+    npa config get
+    npa config set blockScore 10
+    npa config set skipScopes '["@myorg"]'
+`;
+  },
+
+  async run({ args, config }) {
+    const subcommand = args[0];
+
+    if (subcommand === 'get') {
+      const globalPath = getGlobalConfigPath();
+      output.log(output.bold('  Current npa configuration'));
+      output.log(output.dim(`  (global: ${globalPath})`));
+      output.log('');
+      for (const [key, val] of Object.entries(config)) {
+        output.log(`  ${output.cyan(key.padEnd(18))} ${JSON.stringify(val)}`);
+      }
+      output.log('');
+      return;
+    }
+
+    if (subcommand === 'set') {
+      const key   = args[1];
+      const value = args[2];
+      if (!key || value === undefined) {
+        output.error('Usage: npa config set <key> <value>');
+        process.exit(1);
+      }
+      try {
+        const updated = setGlobalConfig(key, value);
+        output.success(`Set ${key} = ${JSON.stringify(updated[key])}`);
+        output.log(output.dim(`  Written to ${getGlobalConfigPath()}`));
+      } catch (err) {
+        output.error(err.message);
+        process.exit(1);
+      }
+      return;
+    }
+
+    output.error(`Unknown config subcommand: "${subcommand}". Use "get" or "set".`);
+    process.exit(1);
+  },
+};

package/src/commands/index.js

@@ -0,0 +1,37 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const commands = new Map();
+
+// Load all command modules from this directory
+const files = fs.readdirSync(__dirname).filter(f => f !== 'index.js' && f.endsWith('.js'));
+
+for (const file of files) {
+  const cmd = require(path.join(__dirname, file));
+  commands.set(cmd.name, cmd);
+  for (const alias of cmd.aliases || []) {
+    commands.set(alias, cmd);
+  }
+}
+
+module.exports = {
+  commands,
+
+  get(name) {
+    return commands.get(name);
+  },
+
+  list() {
+    const seen = new Set();
+    const result = [];
+    for (const cmd of commands.values()) {
+      if (!seen.has(cmd.name)) {
+        seen.add(cmd.name);
+        result.push(cmd);
+      }
+    }
+    return result;
+  },
+};

package/src/commands/install.js

@@ -0,0 +1,109 @@
+'use strict';
+
+const { scan } = require('../core/scanner');
+const { runAware, runNpm } = require('../utils/review');
+const output = require('../utils/output');
+
+module.exports = {
+  name: 'install',
+  aliases: ['i'],
+  description: 'Audit then run npm install',
+
+  help() {
+    return `
+  npa install — Audit dependencies then run npm install
+
+  Usage:
+    npa install [package] [options]
+
+  Options:
+    --review, -r   Interactive mode: review and allow/deny scripts
+    --json        Output scan results as JSON
+    --no-dev      Skip devDependencies in scan
+    --verbose     Show detailed findings
+    -h, --help    Show this help
+
+  Examples:
+    npa install                Install all deps after audit
+    npa install lodash         Add lodash after auditing it
+    npa install --review        Review scripts interactively
+`;
+  },
+
+  async run({ args, flags, config, cwd }) {
+    const packages = args.filter(a => !a.startsWith('-'));
+
+    const results = await scan({
+      cwd,
+      config,
+      noDev:         flags.noDev,
+      verbose:       flags.verbose,
+      packages:      packages.length > 0 ? packages : null,
+    });
+
+    const hasIssues = results.some(r => r.verdict !== 'OK');
+    const silent = config.silent && !hasIssues;
+
+    output.printScanHeader(silent);
+
+    if (flags.json) {
+      process.stdout.write(JSON.stringify(toJsonReport(results), null, 2) + '\n');
+    } else {
+      printResults(results, silent);
+    }
+
+    const blocked = results.filter(r => r.verdict === 'BLOCK');
+
+    if (blocked.length > 0 && !flags.review) {
+      output.error(`${blocked.length} package(s) blocked due to obfuscated install scripts.`);
+      output.log(output.dim('  Run with --review to interactively decide which scripts to allow.'));
+      process.exit(1);
+    }
+
+    const npmArgs = packages.length > 0 ? packages : [];
+
+    if (flags.review) {
+      const packagesWithScripts = results.filter(r => r.verdict !== 'OK' || r.scripts.length > 0);
+      const exit = await runAware({
+        results: packagesWithScripts.length > 0 ? packagesWithScripts : results,
+        command: 'install',
+        npmArgs,
+        cwd,
+      });
+      process.exit(exit);
+    } else {
+      const exit = runNpm('install', npmArgs, cwd);
+      process.exit(exit);
+    }
+  },
+};
+
+function printResults(results, silent = false) {
+  if (silent) return;
+  if (results.length === 0) {
+    output.success('No packages with install scripts found.');
+    return;
+  }
+  for (const r of results) {
+    output.printPackageResult(r.pkg, r);
+  }
+}
+
+function toJsonReport(results) {
+  return {
+    summary: {
+      total:   results.length,
+      blocked: results.filter(r => r.verdict === 'BLOCK').length,
+      warned:  results.filter(r => r.verdict === 'WARN').length,
+      ok:      results.filter(r => r.verdict === 'OK').length,
+    },
+    packages: results.map(r => ({
+      name:     r.pkg.name,
+      version:  r.pkg.version,
+      verdict:  r.verdict,
+      score:    r.score,
+      findings: r.findings,
+      scripts:  r.scripts.map(s => ({ lifecycle: s.lifecycle, file: s.file, score: s.score })),
+    })),
+  };
+}

package/src/commands/scan.js

@@ -0,0 +1,82 @@
+'use strict';
+
+const { scan } = require('../core/scanner');
+const output = require('../utils/output');
+
+module.exports = {
+  name: 'scan',
+  aliases: ['s'],
+  description: 'Scan only, no npm invocation',
+
+  help() {
+    return `
+  npa scan — Scan dependencies for obfuscated install scripts
+
+  Usage:
+    npa scan [package] [options]
+
+  Options:
+    --json        Output results as JSON
+    --no-dev      Skip devDependencies
+    --verbose     Show detailed findings
+    -h, --help    Show this help
+
+  Examples:
+    npa scan              Scan all dependencies
+    npa scan lodash       Scan a specific package before installing
+    npa scan --no-dev     Scan production dependencies only
+    npa scan --json       Output machine-readable JSON
+`;
+  },
+
+  async run({ args, flags, config, cwd }) {
+    const packages = args.filter(a => !a.startsWith('-'));
+    const results = await scan({ cwd, config, noDev: flags.noDev, verbose: flags.verbose, packages: packages.length > 0 ? packages : null });
+    const hasIssues = results.some(r => r.verdict !== 'OK');
+    const silent = config.silent && !hasIssues;
+
+    output.printScanHeader(silent);
+
+    if (flags.json) {
+      process.stdout.write(JSON.stringify(toJsonReport(results), null, 2) + '\n');
+      const hasBlock = results.some(r => r.verdict === 'BLOCK');
+      process.exit(hasBlock ? 1 : 0);
+    }
+
+    printResults(results, silent);
+    if (!silent) output.printSummary(results);
+
+    const hasBlock = results.some(r => r.verdict === 'BLOCK');
+    process.exit(hasBlock ? 1 : 0);
+  },
+};
+
+function printResults(results, silent = false) {
+  if (silent) return;
+  if (results.length === 0) {
+    output.success('No packages with install scripts found.');
+    return;
+  }
+  for (const r of results) {
+    output.printPackageResult(r.pkg, r);
+  }
+}
+
+function toJsonReport(results) {
+  return {
+    summary: {
+      total:   results.length,
+      blocked: results.filter(r => r.verdict === 'BLOCK').length,
+      warned:  results.filter(r => r.verdict === 'WARN').length,
+      ok:      results.filter(r => r.verdict === 'OK').length,
+    },
+    packages: results.map(r => ({
+      name:     r.pkg.name,
+      version:  r.pkg.version,
+      verdict:  r.verdict,
+      score:    r.score,
+      findings: r.findings,
+      scripts:  r.scripts.map(s => ({ lifecycle: s.lifecycle, file: s.file, score: s.score })),
+    })),
+  };
+}