np-audit 1.5.1 → 2.1.0

package/src/marshallers/hexEscapes.js

@@ -0,0 +1,27 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class HexEscapesMarshaller extends Marshaller {
+  constructor() {
+    super('hex-escape-density', 'Dense hex/unicode escape detection');
+  }
+
+  check(code) {
+    const hexMatches     = (code.match(/\\x[0-9a-fA-F]{2}/g) || []).length;
+    const unicodeMatches = (code.match(/\\u[0-9a-fA-F]{4}/g) || []).length
+                         + (code.match(/\\u\{[0-9a-fA-F]+\}/g) || []).length;
+    const total = hexMatches + unicodeMatches;
+    if (total < 10) return null;
+    let score = 5;
+    if (total > 1000) score = 50;
+    else if (total > 200) score = 30;
+    else if (total > 50) score = 15;
+    const detail = unicodeMatches > 0
+      ? `${hexMatches} \\xNN + ${unicodeMatches} \\uXXXX escapes found`
+      : `${hexMatches} \\xNN hex escapes found`;
+    return { name: this.name, score, detail };
+  }
+}
+
+module.exports = new HexEscapesMarshaller();

package/src/marshallers/highEntropy.js

@@ -0,0 +1,70 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+const { shannonEntropy } = require('../utils/entropy');
+
+class HighEntropyMarshaller extends Marshaller {
+  constructor() {
+    super('high-entropy-string', 'High-entropy string detection');
+  }
+
+  check(code) {
+    let maxEntropy = 0;
+    let worst = '';
+    const minLen = 50;
+
+    for (const quote of ['"', "'", '`']) {
+      let pos = 0;
+      while (pos < code.length) {
+        const start = code.indexOf(quote, pos);
+        if (start === -1) break;
+
+        let end = start + 1;
+        while (end < code.length) {
+          if (code[end] === '\\') { end += 2; continue; }
+          if (code[end] === quote) break;
+          end++;
+        }
+
+        if (end < code.length && end - start - 1 >= minLen) {
+          const s = code.slice(start + 1, end);
+          const e = shannonEntropy(s);
+          if (e > maxEntropy) { maxEntropy = e; worst = s.slice(0, 40); }
+        }
+        pos = end + 1;
+      }
+    }
+
+    if (maxEntropy >= 4.5) {
+      return {
+        name: this.name,
+        score: 6,
+        detail: `Entropy ${maxEntropy.toFixed(2)} in string "${worst}…"`,
+      };
+    }
+
+    const concatChainRe = /(?:['"`][^'"`\n]{0,40}['"`]\s*\+\s*){5,}['"`][^'"`\n]{0,40}['"`]/g;
+    let m;
+    let bestChain = '';
+    while ((m = concatChainRe.exec(code)) !== null) {
+      const literals = m[0].match(/['"`]([^'"`\n]{0,40})['"`]/g) || [];
+      const joined = literals.map(l => l.slice(1, -1)).join('');
+      if (joined.length >= 40) {
+        const e = shannonEntropy(joined);
+        if (e > maxEntropy) { maxEntropy = e; bestChain = joined.slice(0, 40); }
+      }
+    }
+
+    if (maxEntropy >= 4.5) {
+      return {
+        name: this.name,
+        score: 6,
+        detail: `Entropy ${maxEntropy.toFixed(2)} in concatenated literals "${bestChain}…"`,
+      };
+    }
+
+    return null;
+  }
+}
+
+module.exports = new HighEntropyMarshaller();

package/src/marshallers/index.js

@@ -0,0 +1,25 @@
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+
+const MARSHALLERS_DIR = __dirname;
+const EXCLUDE = new Set(['index.js', 'base.js', 'cve.js']);
+
+let _staticMarshallers = null;
+
+function getStaticMarshallers() {
+  if (_staticMarshallers) return _staticMarshallers;
+
+  _staticMarshallers = fs.readdirSync(MARSHALLERS_DIR)
+    .filter(f => f.endsWith('.js') && !EXCLUDE.has(f))
+    .map(f => require(path.join(MARSHALLERS_DIR, f)));
+
+  return _staticMarshallers;
+}
+
+function getPackageMarshallers() {
+  return [require('./cve')];
+}
+
+module.exports = { getStaticMarshallers, getPackageMarshallers };

package/src/marshallers/networkCalls.js

@@ -0,0 +1,30 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class NetworkCallsMarshaller extends Marshaller {
+  constructor() {
+    super('network-call', 'Suspicious network call detection');
+  }
+
+  check(code) {
+    const patterns = [
+      /require\s*\(\s*['"]https?['"]\s*\)/,
+      /require\s*\(\s*['"]net['"]\s*\)/,
+      /require\s*\(\s*['"]dns['"]\s*\)/,
+      /require\s*\(\s*['"]tls['"]\s*\)/,
+      /require\s*\(\s*['"]dgram['"]\s*\)/,
+      /require\s*\(\s*['"]http2['"]\s*\)/,
+      /\bfetch\s*\(/,
+      /XMLHttpRequest/,
+      /\.request\s*\(/,
+      /require\s*\(\s*['"]node:(?:https?|net|dns|tls|dgram|http2)['"]\s*\)/,
+      /import\s*\(\s*['"](?:node:)?(?:https?|net|dns|tls|dgram|http2)['"]\s*\)/,
+    ];
+    const matched = patterns.filter(p => p.test(code));
+    if (matched.length === 0) return null;
+    return { name: this.name, score: 4, detail: `Network call found (${matched.length} pattern(s))` };
+  }
+}
+
+module.exports = new NetworkCallsMarshaller();

package/src/marshallers/obfuscatorIo.js

@@ -0,0 +1,22 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class ObfuscatorIoMarshaller extends Marshaller {
+  constructor() {
+    super('obfuscator.io', 'Obfuscator.io signature detection');
+  }
+
+  check(code) {
+    const matches = code.match(/_0x[0-9a-fA-F]+/g) || [];
+    if (matches.length < 3) return null;
+    let score = 9;
+    if (matches.length > 1000) score = 80;
+    else if (matches.length > 200) score = 50;
+    else if (matches.length > 50) score = 30;
+    else if (matches.length > 10) score = 15;
+    return { name: this.name, score, detail: `${matches.length} _0x identifiers found` };
+  }
+}
+
+module.exports = new ObfuscatorIoMarshaller();

package/src/marshallers/processEnv.js

@@ -0,0 +1,17 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class ProcessEnvMarshaller extends Marshaller {
+  constructor() {
+    super('process-env', 'Process environment access detection');
+  }
+
+  check(code) {
+    const matches = (code.match(/process\.env\b/g) || []).length;
+    if (matches === 0) return null;
+    return { name: this.name, score: 3, detail: `${matches} process.env access(es)` };
+  }
+}
+
+module.exports = new ProcessEnvMarshaller();

package/src/marshallers/runtimeDownload.js

@@ -0,0 +1,73 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class RuntimeDownloadMarshaller extends Marshaller {
+  constructor() {
+    super('runtime-download', 'External runtime download and execution');
+  }
+
+  check(code) {
+    // Detect downloading external runtimes (common evasion: use Bun/Deno to bypass Node-based tools)
+    const runtimePatterns = [
+      /bun-(?:linux|darwin|windows)/i,
+      /oven-sh\/bun/i,
+      /deno\.land/i,
+      /denoland\/deno/i,
+      /BUN_VERSION/,
+      /DENO_VERSION/,
+      /bun\.exe/,
+      /deno\.exe/,
+    ];
+
+    // Detect execution of downloaded binaries
+    const execPatterns = [
+      /execFileSync\s*\(\s*\w*[Bb]un/,
+      /execFileSync\s*\(\s*\w*[Dd]eno/,
+      /execFile\s*\(\s*\w*[Bb]un/,
+      /execFile\s*\(\s*\w*[Dd]eno/,
+      /spawn\s*\(\s*\w*[Bb]un/,
+      /spawn\s*\(\s*\w*[Dd]eno/,
+      // Generic: download + chmod + exec pattern
+      /chmodSync\s*\([^)]*0o?755\)[\s\S]{0,500}execFileSync/,
+      /chmod[\s\S]{0,200}exec(?:File)?(?:Sync)?\s*\(/,
+    ];
+
+    // Detect download URLs for binaries combined with execution
+    const downloadExecPatterns = [
+      /https:\/\/github\.com\/[^/]+\/[^/]+\/releases\/download[\s\S]{0,1000}exec(?:File)?(?:Sync)?\s*\(/,
+      /downloadToFile[\s\S]{0,2000}exec(?:File)?(?:Sync)?\s*\(/,
+      /createWriteStream[\s\S]{0,2000}exec(?:File)?(?:Sync)?\s*\(/,
+    ];
+
+    const runtimeMatches = runtimePatterns.filter(p => p.test(code));
+    const execMatches = execPatterns.filter(p => p.test(code));
+    const downloadExecMatches = downloadExecPatterns.filter(p => p.test(code));
+
+    if (runtimeMatches.length === 0 && downloadExecMatches.length === 0) return null;
+
+    const details = [];
+
+    if (runtimeMatches.length > 0) {
+      details.push(`external runtime reference (${runtimeMatches.length} pattern(s))`);
+    }
+    if (execMatches.length > 0) {
+      details.push(`executes downloaded binary (${execMatches.length} pattern(s))`);
+    }
+    if (downloadExecMatches.length > 0) {
+      details.push('downloads and executes remote binary');
+    }
+
+    // High score: downloading a runtime to execute code is a major evasion technique
+    let score = 9;
+    if (runtimeMatches.length > 0 && (execMatches.length > 0 || downloadExecMatches.length > 0)) {
+      score = 50;
+    } else if (downloadExecMatches.length > 0) {
+      score = 30;
+    }
+
+    return { name: this.name, score, detail: details.join('; ') };
+  }
+}
+
+module.exports = new RuntimeDownloadMarshaller();

package/src/marshallers/vscodeTasks.js

@@ -0,0 +1,29 @@
+'use strict';
+
+const { Marshaller } = require('./base');
+
+class VscodeTasksMarshaller extends Marshaller {
+  constructor() {
+    super('vscode-autorun', 'VS Code tasks with automatic execution');
+  }
+
+  check(code) {
+    // Detect tasks.json content with runOn: folderOpen (auto-executes on project open)
+    if (!code.includes('runOn') && !code.includes('folderOpen')) return null;
+
+    const hasFolderOpen = /["']runOn["']\s*:\s*["']folderOpen["']/.test(code);
+    if (!hasFolderOpen) return null;
+
+    // Extract the command being auto-run
+    const commandMatch = code.match(/["']command["']\s*:\s*["']([^"']+)["']/);
+    const command = commandMatch ? commandMatch[1] : 'unknown';
+
+    return {
+      name: this.name,
+      score: 30,
+      detail: `VS Code task auto-executes on folder open: "${command}"`,
+    };
+  }
+}
+
+module.exports = new VscodeTasksMarshaller();

package/src/utils/config.js

@@ -17,6 +17,8 @@ const DEFAULT_CONFIG = Object.freeze({
   silent:          false,
   scanSelf:        true,
   maxTarballSize:  '50MB', // Max unpacked tarball size (e.g. '5MB', '1GB', or bytes as number)
+  checkVulnerabilities: true,
+  deepResolve: false,
 });
 
 const VALID_KEYS = new Set(Object.keys(DEFAULT_CONFIG));

package/src/utils/entropy.js

@@ -0,0 +1,15 @@
+'use strict';
+
+function shannonEntropy(str) {
+  if (!str || str.length === 0) return 0;
+  const freq = {};
+  for (const ch of str) freq[ch] = (freq[ch] || 0) + 1;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / str.length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+module.exports = { shannonEntropy };

package/src/utils/fetcher.js

@@ -9,10 +9,10 @@ const MAX_REDIRECTS = 5;
 const DEFAULT_TIMEOUT = 30000;
 
 /**
- * Perform an HTTP/HTTPS GET and collect the response body as a Buffer.
+ * Perform an HTTP/HTTPS request and collect the response body as a Buffer.
  * Follows redirects up to MAX_REDIRECTS.
  * @param {string} rawUrl
- * @param {object} opts  { timeout?, headers? }
+ * @param {object} opts  { timeout?, headers?, method?, body? }
  * @returns {Promise<Buffer>}
  */
 function fetch(rawUrl, opts = {}) {
@@ -28,7 +28,7 @@ function fetch(rawUrl, opts = {}) {
         hostname: parsed.hostname,
         port:     parsed.port || (isHttps ? 443 : 80),
         path:     parsed.pathname + parsed.search,
-        method:   'GET',
+        method:   opts.method || 'GET',
         headers:  Object.assign({
           'User-Agent': 'npa/1.0.0 (npm-auditor)',
           'Accept':     '*/*',
@@ -61,6 +61,7 @@ function fetch(rawUrl, opts = {}) {
       });
 
       req.on('error', reject);
+      if (opts.body) req.write(opts.body);
       req.end();
     }
 
@@ -87,7 +88,7 @@ function fetchTarball(tarballUrl, opts = {}) {
 async function fetchJSON(jsonUrl, opts = {}) {
   const buf = await fetch(jsonUrl, {
     ...opts,
-    headers: { 'Accept': 'application/json' },
+    headers: { 'Accept': 'application/json', ...opts.headers },
   });
   return JSON.parse(buf.toString('utf8'));
 }

package/src/utils/output.js

@@ -29,10 +29,12 @@ function cyan(text) { return c(CYAN, text); }
 function white(text) { return c(WHITE, text); }
 
 function error(msg) {
+  if (process.stderr.isTTY) process.stderr.write('\r\x1b[2K');
   process.stderr.write(red(`✖ ${msg}`) + '\n');
 }
 
 function warn(msg) {
+  if (process.stderr.isTTY) process.stderr.write('\r\x1b[2K');
   process.stderr.write(yellow(`⚠ ${msg}`) + '\n');
 }
 
@@ -67,12 +69,17 @@ const ASCII_LOGO = `
 
 function printScanHeader(silent = false) {
   if (silent) return;
-  log(blue(ASCII_LOGO));
-  log(dim('  npm package auditor — static obfuscation detection'));
+  log('');
   log(dim('─'.repeat(60)));
   log('');
 }
 
+function printLogo(version) {
+  log(blue(ASCII_LOGO));
+  log(dim(`  npm package auditor v${version}`));
+  log('');
+}
+
 function printPackageResult(pkg, result) {
   const badge = verdictBadge(result.verdict);
   const name = bold(`${pkg.name}@${pkg.version}`);
@@ -86,22 +93,45 @@ function printPackageResult(pkg, result) {
 function printSummary(results) {
   const blocked = results.filter(r => r.verdict === 'BLOCK').length;
   const warned  = results.filter(r => r.verdict === 'WARN').length;
-  const ok      = results.filter(r => r.verdict === 'OK').length;
-  const skipped = results.skippedCount || 0;
+  const total   = results.totalPackages || results.length;
+  const ok      = total - blocked - warned;
 
   log('');
   log(dim('─'.repeat(60)));
-  let summary = `  ${green(String(ok))} clean   ${yellow(String(warned))} warnings   ${red(String(blocked))} blocked`;
-  if (skipped > 0) {
-    summary += `   ${dim(String(skipped) + ' skipped (no install scripts)')}`;
-  }
-  log(summary);
+  log(`  ${green(String(ok))} clean   ${yellow(String(warned))} warnings   ${red(String(blocked))} blocked`);
   log('');
 }
 
+const SPINNER_FRAMES = ['▉', '▊', '▋', '▌', '▍', '▎', '▏', '▎', '▍', '▌', '▋', '▊', '▉'];
+
+function createSpinner(message) {
+  if (NO_COLOR || !process.stderr.isTTY) {
+    return { start() {}, stop() {} };
+  }
+  let i = 0;
+  let timer = null;
+  const clear = () => process.stderr.write('\r\x1b[2K');
+  return {
+    start() {
+      process.stderr.write(`\x1b[?25l`);
+      process.stderr.write(`  ${cyan(SPINNER_FRAMES[0])} ${white(message)}`);
+      timer = setInterval(() => {
+        i = (i + 1) % SPINNER_FRAMES.length;
+        process.stderr.write(`\r\x1b[2K  ${cyan(SPINNER_FRAMES[i])} ${white(message)}`);
+      }, 60);
+    },
+    stop() {
+      if (timer) clearInterval(timer);
+      clear();
+      process.stderr.write(`\x1b[?25h`);
+    },
+  };
+}
+
 module.exports = {
   bold, dim, red, green, yellow, blue, cyan, white,
   error, warn, info, success, log,
   verdictBadge, printScanHeader, printPackageResult, printSummary,
+  printLogo, createSpinner,
   RESET, BOLD, DIM, RED, GREEN, YELLOW, BLUE, CYAN,
 };