np-audit 1.5.0 → 1.5.1

package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "np-audit",
3
- "version": "1.5.0",
3
+ "version": "1.5.1",
4
4
  "description": "Static obfuscation detector for npm lifecycle scripts — supply chain attack prevention",
5
5
  "bin": {
6
6
  "npa": "bin/npa.js",
@@ -54,7 +54,8 @@ async function scan(opts) {
54
54
  const resolved = await resolveSinglePackage(pkg, config);
55
55
  // Mark the first package (the explicitly requested one) as explicit
56
56
  if (resolved.length > 0) {
57
- const pkgName = pkg.includes('@') && !pkg.startsWith('@') ? pkg.split('@')[0] : pkg;
57
+ const lastAt = pkg.lastIndexOf('@');
58
+ const pkgName = lastAt > 0 ? pkg.slice(0, lastAt) : pkg;
58
59
  explicitPackageNames.add(pkgName);
59
60
  }
60
61
  allPackages.push(...resolved);
@@ -585,7 +586,8 @@ async function resolveFromPackageJson(cwd, config, noDev) {
585
586
  if (!version) continue;
586
587
 
587
588
  try {
588
- const meta = await fetchJSON(`${config.registry}/${encodeURIComponent(name)}`, { timeout: config.timeout });
589
+ const encodedName = name.startsWith('@') ? `@${encodeURIComponent(name.slice(1))}` : encodeURIComponent(name);
590
+ const meta = await fetchJSON(`${config.registry}/${encodedName}`, { timeout: config.timeout });
589
591
  const versionData = meta.versions && meta.versions[version];
590
592
  if (!versionData) continue;
591
593
 
@@ -616,14 +618,21 @@ async function resolveFromPackageJson(cwd, config, noDev) {
616
618
  * @returns {Promise<PackageDescriptor[]>}
617
619
  */
618
620
  async function resolveSinglePackage(packageSpec, config) {
619
- const [name, version] = packageSpec.includes('@') && !packageSpec.startsWith('@')
620
- ? packageSpec.split('@')
621
- : [packageSpec, 'latest'];
621
+ let name, version;
622
+ const lastAt = packageSpec.lastIndexOf('@');
623
+ if (lastAt > 0) {
624
+ name = packageSpec.slice(0, lastAt);
625
+ version = packageSpec.slice(lastAt + 1);
626
+ } else {
627
+ name = packageSpec;
628
+ version = 'latest';
629
+ }
622
630
 
623
631
  const { fetchJSON } = require('../utils/fetcher');
624
632
  let meta;
625
633
  try {
626
- meta = await fetchJSON(`${config.registry}/${encodeURIComponent(name)}`, { timeout: config.timeout });
634
+ const encodedName = name.startsWith('@') ? `@${encodeURIComponent(name.slice(1))}` : encodeURIComponent(name);
635
+ meta = await fetchJSON(`${config.registry}/${encodedName}`, { timeout: config.timeout });
627
636
  } catch (err) {
628
637
  throw new Error(`Could not fetch registry metadata for "${name}": ${err.message}`);
629
638
  }
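Review bot: In resolveSinglePackage the new split at the last `@` leaves `version` as an empty string when the spec ends in `@` (a constructed example: `left-pad@`), so the `latest` default is skipped; `version = packageSpec.slice(lastAt + 1) || 'latest';` would keep it. The name is interpolated into the registry URL after `encodeURIComponent` only, which leaves `.` unescaped, so a name of `.` or `..` may be normalised to a different registry path, depending on how fetchJSON builds the request. That name comes from the command line here and from the scanned project's package.json in resolveFromPackageJson, so rejecting names that fail npm's naming rules before the fetch would be a cheap guard for a tool that reads untrusted manifests. The spec parsing is written twice (scan and resolveSinglePackage) and so is the `encodedName` expression (resolveFromPackageJson and resolveSinglePackage); one shared helper for each would keep the name added to `explicitPackageNames` from drifting away from the name actually fetched. The body of resolveSinglePackage continues outside the hunk, so later handling of `version` is not visible here.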