npm-scan-plus 1.0.0

package/dist/lib/extended.js

@@ -0,0 +1,314 @@
+"use strict";
+/**
+ * Extended security analysis module
+ * Additional checks: license, repo validation, maintainer trust, download anomalies
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeLicense = analyzeLicense;
+exports.checkMaintainerTrust = checkMaintainerTrust;
+exports.validateRepository = validateRepository;
+exports.checkReleaseAnomalies = checkReleaseAnomalies;
+exports.analyzeDependencies = analyzeDependencies;
+exports.analyzeFileStructure = analyzeFileStructure;
+exports.extendedAnalysis = extendedAnalysis;
+const NPM_REGISTRY = 'https://registry.npmjs.org';
+/** License risk classification */
+const LICENSE_RISK = {
+    // High risk - requires source sharing or has legal issues
+    'gpl-3.0': { level: 'high', reason: 'GPLv3 - copyleft, may affect proprietary code' },
+    'gpl-2.0': { level: 'medium', reason: 'GPLv2 - copyleft' },
+    'agpl-3.0': { level: 'high', reason: 'AGPLv3 - strong copyleft, SaaS exposure' },
+    'lgpl-3.0': { level: 'medium', reason: 'LGPLv3 - more permissive than GPL' },
+    'mpl-2.0': { level: 'low', reason: 'Mozilla Public License' },
+    ' EPL-2.0': { level: 'low', reason: 'Eclipse Public License' },
+    'eupl-1.2': { level: 'medium', reason: 'European Union Public License' },
+    // Low risk - permissive
+    'mit': { level: 'low', reason: 'Permissive' },
+    'bsd': { level: 'low', reason: 'Permissive' },
+    'apache-2.0': { level: 'low', reason: 'Permissive' },
+    'isc': { level: 'low', reason: 'Permissive' },
+    'unlicense': { level: 'low', reason: 'Public domain' },
+    // Suspicious - requires investigation
+    'custom': { level: 'medium', reason: 'Custom license - review required' },
+    'none': { level: 'high', reason: 'No license - copyright issues' },
+    'proprietary': { level: 'high', reason: 'Proprietary - may restrict use' }
+};
+/** Known package maintainers with trust scores */
+const TRUSTED_MAINTAINERS = new Set([
+    // Popular package maintainers
+    'ljharb', // Jordan Harband (lodash)
+    'sindresorhus', // Sindre Sohrus
+    'jdalton', // John-David Dalton (lodash creator)
+    'substack',
+    'juliangruber',
+    'rvagg',
+    'addaleax',
+    'bnb',
+    'fy',
+    'watson',
+    'leorom',
+    'd3',
+    'mbostock',
+    'mikaelbr',
+    'analog',
+    // Large organizations
+    'facebook',
+    'google',
+    'microsoft',
+    'amazon',
+    'netflix',
+    'stripe',
+    'paypal',
+    'twitter',
+    'uber'
+]);
+/** Suspicious TLDs for typosquatting detection */
+const SUSPICIOUS_TLDS = ['xyz', 'app', 'dev', 'io', 'co', 'sh', 'js', 'cn', 'ru'];
+/**
+ * Analyze license risk
+ */
+function analyzeLicense(license) {
+    if (!license) {
+        return {
+            risk: 'high',
+            details: 'No license specified - copyright issues',
+            permissive: false
+        };
+    }
+    // Normalize license string
+    const normalized = license.toString().replace(/^(\d+\.)+/, '').trim().toLowerCase();
+    const known = LICENSE_RISK[normalized];
+    if (known) {
+        return {
+            risk: known.level,
+            details: known.reason,
+            permissive: known.level === 'low'
+        };
+    }
+    // Check for OR patterns (multiple licenses)
+    if (license.includes(' OR ')) {
+        return {
+            risk: 'medium',
+            details: 'Multiple licenses - review required',
+            permissive: false
+        };
+    }
+    return {
+        risk: 'low',
+        details: 'Unknown but present',
+        permissive: true
+    };
+}
+/**
+ * Check if maintainer is trusted/known
+ */
+function checkMaintainerTrust(maintainers, publisher) {
+    const allAuthors = [...(maintainers || []), publisher].filter(Boolean);
+    const names = allAuthors.map(m => m.username || m.name).filter(Boolean);
+    if (names.length === 0) {
+        return {
+            score: 0,
+            isTrusted: false,
+            details: 'No maintainers identified'
+        };
+    }
+    // Check if any trusted maintainer
+    const trustedCount = names.filter(n => TRUSTED_MAINTAINERS.has(n.toLowerCase())).length;
+    const trustRatio = trustedCount / names.length;
+    if (trustRatio > 0.5) {
+        return {
+            score: 100,
+            isTrusted: true,
+            details: `${trustedCount} trusted maintainer(s): ${names.join(', ')}`
+        };
+    }
+    if (trustedCount > 0) {
+        return {
+            score: 50,
+            isTrusted: false,
+            details: `Some trusted maintainer(s): ${names.join(', ')}`
+        };
+    }
+    return {
+        score: 20,
+        isTrusted: false,
+        details: `Unknown maintainer(s): ${names.join(', ')}`
+    };
+}
+/**
+ * Validate repository URL exists and matches package
+ */
+async function validateRepository(repoUrl, packageName) {
+    const issues = [];
+    if (!repoUrl) {
+        return {
+            valid: false,
+            details: 'No repository URL',
+            issues: ['missing repository']
+        };
+    }
+    // Parse different repo formats
+    let normalizedUrl = repoUrl;
+    // Handle shorthand
+    if (!repoUrl.startsWith('http')) {
+        if (repoUrl.startsWith('github:')) {
+            normalizedUrl = 'https://' + repoUrl.replace('github:', '');
+        }
+        else if (repoUrl.startsWith('gist:')) {
+            normalizedUrl = 'https://gist.github.com/' + repoUrl.replace('gist:', '');
+        }
+        else if (repoUrl.startsWith('bitbucket:')) {
+            normalizedUrl = 'https://bitbucket.org/' + repoUrl.replace('bitbucket:', '');
+        }
+        else if (repoUrl.startsWith('gitlab:')) {
+            normalizedUrl = 'https://gitlab.com/' + repoUrl.replace('gitlab:', '');
+        }
+        else {
+            normalizedUrl = 'https://' + repoUrl;
+        }
+    }
+    // Extract owner/repo for GitHub
+    const githubMatch = normalizedUrl.match(/github\.com[/:]([\w-]+)\/([\w-.]+)/);
+    if (githubMatch) {
+        const [, owner, repo] = githubMatch;
+        const cleanRepo = repo.replace(/\.git$/, '');
+        // Check if repo name roughly matches package name
+        const expectedPackage = packageName.replace(/^@[\w-]+\//, ''); // Handle scoped packages
+        const nameMatch = cleanRepo.toLowerCase() === expectedPackage.toLowerCase() ||
+            cleanRepo.toLowerCase() === expectedPackage.replace(/[-_]/g, '').toLowerCase();
+        if (!nameMatch) {
+            issues.push(`repo name "${cleanRepo}" != package "${expectedPackage}"`);
+        }
+    }
+    // Check for suspicious domains
+    const url = new URL(normalizedUrl);
+    if (SUSPICIOUS_TLDS.includes(url.hostname.split('.').pop() || '')) {
+        issues.push(`suspicious TLD: ${url.hostname}`);
+    }
+    return {
+        valid: issues.length === 0,
+        details: normalizedUrl,
+        issues
+    };
+}
+/**
+ * Check for release anomalies (sudden popularity spike = typosquatting indicator)
+ */
+async function checkReleaseAnomalies(packageName, metadata) {
+    const metrics = {
+        versionCount: 0,
+        hasNewVersions: false,
+        rapidRelease: false
+    };
+    try {
+        // Fetch full package data
+        const response = await fetch(`${NPM_REGISTRY}/${packageName}`);
+        const data = await response.json();
+        const versions = Object.keys(data.versions || {});
+        metrics.versionCount = versions.length;
+        // Check for recent rapid releases (potential automated publishing)
+        if (data.time) {
+            const timeKeys = Object.keys(data.time).filter(k => k !== 'created' && k !== 'modified');
+            if (timeKeys.length > 1) {
+                const sorted = timeKeys.sort((a, b) => new Date(data.time[a]).getTime() - new Date(data.time[b]).getTime());
+                // Check if multiple releases within hours
+                if (sorted.length >= 2) {
+                    const lastRelease = new Date(data.time[sorted[sorted.length - 1]]);
+                    const prevRelease = new Date(data.time[sorted[sorted.length - 2]]);
+                    const hoursApart = (lastRelease.getTime() - prevRelease.getTime()) / (1000 * 60 * 60);
+                    if (hoursApart < 1) {
+                        metrics.rapidRelease = true;
+                        metrics.hoursApart = hoursApart;
+                    }
+                }
+            }
+        }
+    }
+    catch (e) {
+        // Ignore - just for metrics
+    }
+    const suspicious = metrics.rapidRelease;
+    return {
+        suspicious,
+        details: suspicious ? 'Unusual rapid release pattern' : 'Normal release pattern',
+        metrics
+    };
+}
+/**
+ * Analyze dependencies for freshness and known issues
+ */
+function analyzeDependencies(dependencies, devDependencies) {
+    const allDeps = { ...dependencies, ...devDependencies };
+    const issues = [];
+    const details = [];
+    if (!allDeps || Object.keys(allDeps).length === 0) {
+        return { outdatedCount: 0, issues: [], details: [] };
+    }
+    // Check for very old/deprecated packages
+    const deprecated = [
+        'request', // Deprecated in favor of fetch, axios
+        'moment', // Deprecated in favor of date-fns, dayjs
+        'lodash', // Should use lodash-es for tree-shaking
+        'querystring', // Built into Node.js
+        'underscore' // Use lodash or native
+    ];
+    for (const [dep, ver] of Object.entries(allDeps)) {
+        if (deprecated.includes(dep)) {
+            issues.push(`${dep} is deprecated or not recommended`);
+            details.push(`${dep}@${ver}: consider alternatives`);
+        }
+        // Check for very old major versions still in use
+        if (ver.startsWith('^0.') || ver.startsWith('~0.')) {
+            issues.push(`${dep} using old major version`);
+            details.push(`${dep}@${ver}: may have vulnerabilities`);
+        }
+    }
+    return {
+        outdatedCount: issues.length,
+        issues,
+        details
+    };
+}
+/**
+ * Check file structure for suspicious patterns
+ */
+function analyzeFileStructure(files) {
+    const issues = [];
+    // Check for hidden files that shouldn't be there
+    const suspiciousFiles = [
+        /^\./,
+        /\.sh$/,
+        /\.bash$/,
+        / bash/,
+        /script/i
+    ];
+    // Check for common attack vectors
+    const suspiciousPaths = [
+        /proc\/self/,
+        /\/etc\//,
+        /~\/ /,
+        /\$HOME/,
+        /\.ssh\//
+    ];
+    for (const file of files) {
+        for (const pattern of suspiciousPaths) {
+            if (pattern.test(file)) {
+                issues.push(`suspicious path: ${file}`);
+            }
+        }
+    }
+    return {
+        suspicious: issues.length > 0,
+        issues
+    };
+}
+/**
+ * Combined extended analysis (sync parts only)
+ */
+function extendedAnalysis(packageName, metadata) {
+    const license = analyzeLicense(metadata.license);
+    const maintainer = checkMaintainerTrust(metadata.maintainers, metadata.publisher);
+    const dependencies = analyzeDependencies(metadata.dependencies, metadata.devDependencies);
+    return { license, maintainer, repository: { valid: true, details: '', issues: [] }, dependencies };
+}
+//# sourceMappingURL=extended.js.map

package/dist/lib/extended.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"extended.js","sourceRoot":"","sources":["../../src/lib/extended.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAiEH,wCAuCC;AAKD,oDAyCC;AAKD,gDA+DC;AAKD,sDAsDC;AAKD,kDA2CC;AAKD,oDAoCC;AAKD,4CASC;AAvXD,MAAM,YAAY,GAAG,4BAA4B,CAAC;AAElD,kCAAkC;AAClC,MAAM,YAAY,GAAG;IACnB,0DAA0D;IAC1D,SAAS,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,+CAA+C,EAAE;IACrF,SAAS,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,kBAAkB,EAAE;IAC1D,UAAU,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,yCAAyC,EAAE;IAChF,UAAU,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,mCAAmC,EAAE;IAC5E,SAAS,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE;IAC7D,UAAU,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE;IAC9D,UAAU,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,+BAA+B,EAAE;IACxE,wBAAwB;IACxB,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE;IAC7C,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE;IAC7C,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE;IACpD,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE;IAC7C,WAAW,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE;IACtD,sCAAsC;IACtC,QAAQ,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,kCAAkC,EAAE;IACzE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,+BAA+B,EAAE;IAClE,aAAa,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,gCAAgC,EAAE;CAC3E,CAAC;AAEF,kDAAkD;AAClD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,8BAA8B;IAC9B,QAAQ,EAAE,0BAA0B;IACpC,cAAc,EAAE,gBAAgB;IAChC,SAAS,EAAE,qCAAqC;IAChD,UAAU;IACV,cAAc;IACd,OAAO;IACP,UAAU;IACV,KAAK;IACL,IAAI;IACJ,QAAQ;IACR,QAAQ;IACR,IAAI;IACJ,UAAU;IACV,UAAU;IACV,QAAQ;IACR,sBAAsB;IACtB,UAAU;IACV,QAAQ;IACR,WAAW;IACX,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,MAAM;CACP,CAAC,CAAC;AAEH,kDAAkD;AAClD,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;AAElF;;GAEG;AACH,SAAgB,cAAc,CAAC,OAA2B;IAKxD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,IAAI,EAAE,MAAM;YACZ,OAAO,EAAE,yCAAyC;YAClD,UAAU,EAAE,KAAK;SAClB,CAAC;IACJ,CAAC;IAED,2BAA2B;IAC3B,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACpF,MAAM,KAAK,GAAG,YAAY,CAAC,UAAuC,CAAC,CAAC;IAEpE,IAAI,KAAK,EAAE,CAAC;QACV,OAAO;YACL,IAAI,EAAE,KAAK,CAAC,KAAY;YACxB,OAAO,EAAE,KAAK,CAAC,MAAM;YACrB,UAAU,EAAE,KAAK,CAAC,KAAK,KAAK,KAAK;SAClC,CAAC;IACJ,CAAC;IAED,4CAA4C;IAC5C,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7B,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,qCAAqC;YAC9C,UAAU,EAAE,KAAK;SAClB,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI,EAAE,KAAK;QACX,OAAO,EAAE,qBAAqB;QAC9B,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,WAAkB,EAAE,SAAc;IAKrE,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC,EAAE,SAAS,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAExE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO;YACL,KAAK,EAAE,CAAC;YACR,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,2BAA2B;SACrC,CAAC;IACJ,CAAC;IAED,kCAAkC;IAClC,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;IACxF,MAAM,UAAU,GAAG,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC;IAE/C,IAAI,UAAU,GAAG,GAAG,EAAE,CAAC;QACrB,OAAO;YACL,KAAK,EAAE,GAAG;YACV,SAAS,EAAE,IAAI;YACf,OAAO,EAAE,GAAG,YAAY,2BAA2B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SACtE,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QACrB,OAAO;YACL,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,KAAK;YAChB,OAAO,EAAE,+BAA+B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;SAC3D,CAAC;IACJ,CAAC;IAED,OAAO;QACL,KAAK,EAAE,EAAE;QACT,SAAS,EAAE,KAAK;QAChB,OAAO,EAAE,0BAA0B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;KACtD,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,kBAAkB,CACtC,OAA2B,EAC3B,WAAmB;IAMnB,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,mBAAmB;YAC5B,MAAM,EAAE,CAAC,oBAAoB,CAAC;SAC/B,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,IAAI,aAAa,GAAG,OAAO,CAAC;IAE5B,mBAAmB;IACnB,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAChC,IAAI,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAClC,aAAa,GAAG,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC9D,CAAC;aAAM,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YACvC,aAAa,GAAG,0BAA0B,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAC5E,CAAC;aAAM,IAAI,OAAO,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAC5C,aAAa,GAAG,wBAAwB,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QAC/E,CAAC;aAAM,IAAI,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACzC,aAAa,GAAG,qBAAqB,GAAG,OAAO,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QACzE,CAAC;aAAM,CAAC;YACN,aAAa,GAAG,UAAU,GAAG,OAAO,CAAC;QACvC,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;IAC9E,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,WAAW,CAAC;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAE7C,kDAAkD;QAClD,MAAM,eAAe,GAAG,WAAW,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,CAAC,yBAAyB;QACxF,MAAM,SAAS,GAAG,SAAS,CAAC,WAAW,EAAE,KAAK,eAAe,CAAC,WAAW,EAAE;YACzE,SAAS,CAAC,WAAW,EAAE,KAAK,eAAe,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAEjF,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,cAAc,SAAS,iBAAiB,eAAe,GAAG,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC;IACnC,IAAI,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAClE,MAAM,CAAC,IAAI,CAAC,mBAAmB,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;IACjD,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,OAAO,EAAE,aAAa;QACtB,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,qBAAqB,CACzC,WAAmB,EACnB,QAAa;IAMb,MAAM,OAAO,GAAQ;QACnB,YAAY,EAAE,CAAC;QACf,cAAc,EAAE,KAAK;QACrB,YAAY,EAAE,KAAK;KACpB,CAAC;IAEF,IAAI,CAAC;QACH,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,IAAI,WAAW,EAAE,CAAC,CAAC;QAC/D,MAAM,IAAI,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAExC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC;QAEvC,mEAAmE;QACnE,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,UAAU,CAAC,CAAC;YACzF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACpC,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CACpE,CAAC;gBAEF,0CAA0C;gBAC1C,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;oBACvB,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACnE,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACnE,MAAM,UAAU,GAAG,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;oBAEtF,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;wBACnB,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC;wBAC5B,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC;oBAClC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,4BAA4B;IAC9B,CAAC;IAED,MAAM,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC;IAExC,OAAO;QACL,UAAU;QACV,OAAO,EAAE,UAAU,CAAC,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAC,wBAAwB;QAChF,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CACjC,YAAgD,EAChD,eAAmD;IAMnD,MAAM,OAAO,GAAG,EAAE,GAAG,YAAY,EAAE,GAAG,eAAe,EAAE,CAAC;IACxD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,IAAI,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClD,OAAO,EAAE,aAAa,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACvD,CAAC;IAED,yCAAyC;IACzC,MAAM,UAAU,GAAG;QACjB,SAAS,EAAE,sCAAsC;QACjD,QAAQ,EAAE,yCAAyC;QACnD,QAAQ,EAAE,wCAAwC;QAClD,aAAa,EAAE,qBAAqB;QACpC,YAAY,CAAC,uBAAuB;KACrC,CAAC;IAEF,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACjD,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,mCAAmC,CAAC,CAAC;YACvD,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,GAAG,yBAAyB,CAAC,CAAC;QACvD,CAAC;QAED,iDAAiD;QACjD,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,0BAA0B,CAAC,CAAC;YAC9C,OAAO,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,GAAG,4BAA4B,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,OAAO;QACL,aAAa,EAAE,MAAM,CAAC,MAAM;QAC5B,MAAM;QACN,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,KAAe;IAIlD,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,iDAAiD;IACjD,MAAM,eAAe,GAAG;QACtB,KAAK;QACL,OAAO;QACP,SAAS;QACT,OAAO;QACP,SAAS;KACV,CAAC;IAEF,kCAAkC;IAClC,MAAM,eAAe,GAAG;QACtB,YAAY;QACZ,SAAS;QACT,MAAM;QACN,QAAQ;QACR,SAAS;KACV,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;YACtC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,MAAM,CAAC,IAAI,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC;YAC1C,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,UAAU,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC;QAC7B,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAC9B,WAAmB,EACnB,QAAa;IAEb,MAAM,OAAO,GAAG,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,oBAAoB,CAAC,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;IAClF,MAAM,YAAY,GAAG,mBAAmB,CAAC,QAAQ,CAAC,YAAY,EAAE,QAAQ,CAAC,eAAe,CAAC,CAAC;IAE1F,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,YAAY,EAAE,CAAC;AACrG,CAAC"}

package/dist/lib/integrity.js

@@ -0,0 +1,247 @@
+"use strict";
+/**
+ * Package integrity verification
+ * Hash verification, signature checking, tarball analysis
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyIntegrity = verifyIntegrity;
+exports.analyzePackageSize = analyzePackageSize;
+exports.analyzeTarball = analyzeTarball;
+exports.fullIntegrityCheck = fullIntegrityCheck;
+const crypto = __importStar(require("crypto"));
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const tar = __importStar(require("tar"));
+const NPM_REGISTRY = 'https://registry.npmjs.org';
+/**
+ * Verify package integrity using npm registry integrity field
+ */
+async function verifyIntegrity(packageName, version, registry = NPM_REGISTRY) {
+    try {
+        const response = await fetch(`${registry}/${packageName}/${version}`);
+        const data = await response.json();
+        const expectedHash = data.dist?.integrity || null;
+        if (!expectedHash) {
+            return {
+                valid: true,
+                expectedHash: null,
+                actualHash: null,
+                algorithm: 'none',
+                details: 'No integrity hash in registry'
+            };
+        }
+        const algorithm = expectedHash.startsWith('sha512') ? 'sha512' : 'sha256';
+        const tarballUrl = data.dist?.tarball;
+        if (!tarballUrl) {
+            return {
+                valid: false,
+                expectedHash,
+                actualHash: null,
+                algorithm,
+                details: 'No tarball URL found'
+            };
+        }
+        const tarballResponse = await fetch(tarballUrl);
+        const buffer = Buffer.from(await tarballResponse.arrayBuffer());
+        const actualHash = algorithm === 'sha512'
+            ? 'sha512-' + crypto.createHash('sha512').update(buffer).digest('base64')
+            : 'sha256-' + crypto.createHash('sha256').update(buffer).digest('base64');
+        const valid = actualHash === expectedHash;
+        return {
+            valid,
+            expectedHash,
+            actualHash,
+            algorithm,
+            details: valid ? 'Integrity verified' : 'Integrity mismatch!'
+        };
+    }
+    catch (error) {
+        return {
+            valid: false,
+            expectedHash: null,
+            actualHash: null,
+            algorithm: 'none',
+            details: `Verification failed: ${error.message}`
+        };
+    }
+}
+/**
+ * Analyze package size for anomalies
+ */
+async function analyzePackageSize(packageName, version, registry = NPM_REGISTRY) {
+    const THRESHOLD_MB = 50;
+    try {
+        const response = await fetch(`${registry}/${packageName}/${version}`);
+        const data = await response.json();
+        const size = data.dist?.unpackedSize || data.dist?.size || 0;
+        const sizeFormatted = formatBytes(size);
+        return {
+            size,
+            sizeFormatted,
+            suspicious: size > THRESHOLD_MB * 1024 * 1024,
+            threshold: THRESHOLD_MB,
+            details: size > THRESHOLD_MB * 1024 * 1024
+                ? `Package size ${sizeFormatted} exceeds ${THRESHOLD_MB}MB threshold`
+                : `Package size ${sizeFormatted} is normal`
+        };
+    }
+    catch (error) {
+        return {
+            size: 0,
+            sizeFormatted: '0 B',
+            suspicious: false,
+            threshold: THRESHOLD_MB,
+            details: 'Could not determine package size'
+        };
+    }
+}
+/**
+ * Extract and analyze package.json from tarball
+ */
+async function analyzeTarball(packageName, version, registry = NPM_REGISTRY) {
+    const tempDir = path.join(os.tmpdir(), `npm-scan-tarball-${Date.now()}`);
+    const tarballPath = path.join(tempDir, 'package.tgz');
+    try {
+        const response = await fetch(`${registry}/${packageName}/${version}`);
+        const data = await response.json();
+        const tarballUrl = data.dist?.tarball;
+        if (!tarballUrl) {
+            return {
+                hasPkgJson: false,
+                main: null,
+                bin: {},
+                files: [],
+                fileCount: 0,
+                hasNativeCode: false,
+                details: 'No tarball URL'
+            };
+        }
+        fs.mkdirSync(tempDir, { recursive: true });
+        const tarballResponse = await fetch(tarballUrl);
+        fs.writeFileSync(tarballPath, Buffer.from(await tarballResponse.arrayBuffer()));
+        const extractDir = path.join(tempDir, 'extracted');
+        fs.mkdirSync(extractDir, { recursive: true });
+        await tar.extract({
+            file: tarballPath,
+            cwd: extractDir
+        });
+        const entries = fs.readdirSync(extractDir);
+        const pkgDir = entries.find(e => e.startsWith('package'));
+        const packageJsonPath = path.join(extractDir, pkgDir || '', 'package.json');
+        if (!fs.existsSync(packageJsonPath)) {
+            return {
+                hasPkgJson: false,
+                main: null,
+                bin: {},
+                files: [],
+                fileCount: 0,
+                hasNativeCode: false,
+                details: 'package.json not found in tarball'
+            };
+        }
+        const pkgJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+        const allFiles = getAllFiles(path.join(extractDir, pkgDir || ''));
+        const nativeExtensions = ['.node', '.dll', '.dylib', '.so', '.a', '.o'];
+        const hasNativeCode = allFiles.some(f => nativeExtensions.some(ext => f.endsWith(ext)));
+        return {
+            hasPkgJson: true,
+            main: pkgJson.main || null,
+            bin: pkgJson.bin || {},
+            files: allFiles,
+            fileCount: allFiles.length,
+            hasNativeCode,
+            details: hasNativeCode ? 'Contains native code' : 'Pure JavaScript'
+        };
+    }
+    catch (error) {
+        return {
+            hasPkgJson: false,
+            main: null,
+            bin: {},
+            files: [],
+            fileCount: 0,
+            hasNativeCode: false,
+            details: `Analysis failed: ${error.message}`
+        };
+    }
+    finally {
+        try {
+            fs.rmSync(tempDir, { recursive: true, force: true });
+        }
+        catch (e) { }
+    }
+}
+function formatBytes(bytes) {
+    if (bytes === 0)
+        return '0 B';
+    const units = ['B', 'KB', 'MB', 'GB'];
+    let unitIndex = 0;
+    let size = bytes;
+    while (size >= 1024 && unitIndex < units.length - 1) {
+        size = size / 1024;
+        unitIndex++;
+    }
+    return size.toFixed(2) + ' ' + units[unitIndex];
+}
+function getAllFiles(dir, baseDir) {
+    const files = [];
+    const base = baseDir || dir;
+    try {
+        const entries = fs.readdirSync(dir, { withFileTypes: true });
+        for (const entry of entries) {
+            const fullPath = path.join(dir, entry.name);
+            const relativePath = path.relative(base, fullPath);
+            if (entry.isDirectory()) {
+                files.push(...getAllFiles(fullPath, base));
+            }
+            else if (entry.isFile()) {
+                files.push(relativePath);
+            }
+        }
+    }
+    catch (e) { }
+    return files;
+}
+async function fullIntegrityCheck(packageName, version, registry) {
+    const [integrity, size, tarball] = await Promise.all([
+        verifyIntegrity(packageName, version, registry),
+        analyzePackageSize(packageName, version, registry),
+        analyzeTarball(packageName, version, registry)
+    ]);
+    return { integrity, size, tarball };
+}
+//# sourceMappingURL=integrity.js.map

package/dist/lib/integrity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"integrity.js","sourceRoot":"","sources":["../../src/lib/integrity.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaH,0CA2DC;AAKD,gDAgCC;AAKD,wCAoFC;AAuCD,gDAYC;AAvPD,+CAAiC;AACjC,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AACzB,yCAA2B;AAE3B,MAAM,YAAY,GAAG,4BAA4B,CAAC;AAElD;;GAEG;AACI,KAAK,UAAU,eAAe,CACnC,WAAmB,EACnB,OAAe,EACf,WAAmB,YAAY;IAE/B,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,IAAI,WAAW,IAAI,OAAO,EAAE,CAAC,CAAC;QACtE,MAAM,IAAI,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAExC,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,EAAE,SAAS,IAAI,IAAI,CAAC;QAElD,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO;gBACL,KAAK,EAAE,IAAI;gBACX,YAAY,EAAE,IAAI;gBAClB,UAAU,EAAE,IAAI;gBAChB,SAAS,EAAE,MAAM;gBACjB,OAAO,EAAE,+BAA+B;aACzC,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,YAAY,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;QAC1E,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC;QAEtC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,YAAY;gBACZ,UAAU,EAAE,IAAI;gBAChB,SAAS;gBACT,OAAO,EAAE,sBAAsB;aAChC,CAAC;QACJ,CAAC;QAED,MAAM,eAAe,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,eAAe,CAAC,WAAW,EAAE,CAAC,CAAC;QAEhE,MAAM,UAAU,GAAG,SAAS,KAAK,QAAQ;YACvC,CAAC,CAAC,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC;YACzE,CAAC,CAAC,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAE5E,MAAM,KAAK,GAAG,UAAU,KAAK,YAAY,CAAC;QAE1C,OAAO;YACL,KAAK;YACL,YAAY;YACZ,UAAU;YACV,SAAS;YACT,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,qBAAqB;SAC9D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,YAAY,EAAE,IAAI;YAClB,UAAU,EAAE,IAAI;YAChB,SAAS,EAAE,MAAM;YACjB,OAAO,EAAE,wBAAwB,KAAK,CAAC,OAAO,EAAE;SACjD,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,kBAAkB,CACtC,WAAmB,EACnB,OAAe,EACf,WAAmB,YAAY;IAE/B,MAAM,YAAY,GAAG,EAAE,CAAC;IAExB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,IAAI,WAAW,IAAI,OAAO,EAAE,CAAC,CAAC;QACtE,MAAM,IAAI,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAExC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,YAAY,IAAI,IAAI,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC,CAAC;QAC7D,MAAM,aAAa,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;QAExC,OAAO;YACL,IAAI;YACJ,aAAa;YACb,UAAU,EAAE,IAAI,GAAG,YAAY,GAAG,IAAI,GAAG,IAAI;YAC7C,SAAS,EAAE,YAAY;YACvB,OAAO,EAAE,IAAI,GAAG,YAAY,GAAG,IAAI,GAAG,IAAI;gBACxC,CAAC,CAAC,gBAAgB,aAAa,YAAY,YAAY,cAAc;gBACrE,CAAC,CAAC,gBAAgB,aAAa,YAAY;SAC9C,CAAC;IACJ,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO;YACL,IAAI,EAAE,CAAC;YACP,aAAa,EAAE,KAAK;YACpB,UAAU,EAAE,KAAK;YACjB,SAAS,EAAE,YAAY;YACvB,OAAO,EAAE,kCAAkC;SAC5C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,cAAc,CAClC,WAAmB,EACnB,OAAe,EACf,WAAmB,YAAY;IAE/B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,oBAAoB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACzE,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IAEtD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,QAAQ,IAAI,WAAW,IAAI,OAAO,EAAE,CAAC,CAAC;QACtE,MAAM,IAAI,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAExC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC;QACtC,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO;gBACL,UAAU,EAAE,KAAK;gBACjB,IAAI,EAAE,IAAI;gBACV,GAAG,EAAE,EAAE;gBACP,KAAK,EAAE,EAAE;gBACT,SAAS,EAAE,CAAC;gBACZ,aAAa,EAAE,KAAK;gBACpB,OAAO,EAAE,gBAAgB;aAC1B,CAAC;QACJ,CAAC;QAED,EAAE,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE3C,MAAM,eAAe,GAAG,MAAM,KAAK,CAAC,UAAU,CAAC,CAAC;QAChD,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,eAAe,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;QAEhF,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QACnD,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE9C,MAAM,GAAG,CAAC,OAAO,CAAC;YAChB,IAAI,EAAE,WAAW;YACjB,GAAG,EAAE,UAAU;SAChB,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;QAC1D,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,IAAI,EAAE,EAAE,cAAc,CAAC,CAAC;QAE5E,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACpC,OAAO;gBACL,UAAU,EAAE,KAAK;gBACjB,IAAI,EAAE,IAAI;gBACV,GAAG,EAAE,EAAE;gBACP,KAAK,EAAE,EAAE;gBACT,SAAS,EAAE,CAAC;gBACZ,aAAa,EAAE,KAAK;gBACpB,OAAO,EAAE,mCAAmC;aAC7C,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,CAAC;QACtE,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,IAAI,EAAE,CAAC,CAAC,CAAC;QAElE,MAAM,gBAAgB,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACxE,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAExF,OAAO;YACL,UAAU,EAAE,IAAI;YAChB,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,IAAI;YAC1B,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,EAAE;YACtB,KAAK,EAAE,QAAQ;YACf,SAAS,EAAE,QAAQ,CAAC,MAAM;YAC1B,aAAa;YACb,OAAO,EAAE,aAAa,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,iBAAiB;SACpE,CAAC;IACJ,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO;YACL,UAAU,EAAE,KAAK;YACjB,IAAI,EAAE,IAAI;YACV,GAAG,EAAE,EAAE;YACP,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,CAAC;YACZ,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,oBAAoB,KAAK,CAAC,OAAO,EAAE;SAC7C,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,IAAI,CAAC;YACH,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC;IAChB,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAE9B,MAAM,KAAK,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,IAAI,GAAG,KAAK,CAAC;IAEjB,OAAO,IAAI,IAAI,IAAI,IAAI,SAAS,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpD,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;QACnB,SAAS,EAAE,CAAC;IACd,CAAC;IAED,OAAO,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,WAAW,CAAC,GAAW,EAAE,OAAgB;IAChD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,IAAI,GAAG,OAAO,IAAI,GAAG,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAE7D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAC5C,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YAEnD,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,KAAK,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC;YAC7C,CAAC;iBAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;gBAC1B,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC,CAAA,CAAC;IAEd,OAAO,KAAK,CAAC;AACf,CAAC;AAEM,KAAK,UAAU,kBAAkB,CACtC,WAAmB,EACnB,OAAe,EACf,QAAiB;IAEjB,MAAM,CAAC,SAAS,EAAE,IAAI,EAAE,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACnD,eAAe,CAAC,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC;QAC/C,kBAAkB,CAAC,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC;QAClD,cAAc,CAAC,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC;KAC/C,CAAC,CAAC;IAEH,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AACtC,CAAC"}

package/dist/lib/patterns.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Detection patterns for malicious code, obfuscation, and suspicious behavior
+ */
+import type { FileThreat, ThreatType } from '../types';
+declare const OBFUSCATION_PATTERNS: ({
+    pattern: RegExp;
+    type: ThreatType;
+    severity: "high";
+    message: string;
+} | {
+    pattern: RegExp;
+    type: ThreatType;
+    severity: "medium";
+    message: string;
+} | {
+    pattern: RegExp;
+    type: ThreatType;
+    severity: "low";
+    message: string;
+})[];
+declare const SUSPICIOUS_PATTERNS: ({
+    pattern: RegExp;
+    type: ThreatType;
+    severity: "critical";
+    message: string;
+} | {
+    pattern: RegExp;
+    type: ThreatType;
+    severity: "high";
+    message: string;
+} | {
+    pattern: RegExp;
+    type: ThreatType;
+    severity: "medium";
+    message: string;
+} | {
+    pattern: RegExp;
+    type: ThreatType;
+    severity: "low";
+    message: string;
+})[];
+declare const SUSPICIOUS_SCRIPTS: ({
+    script: string;
+    severity: "high";
+    message: string;
+} | {
+    script: string;
+    severity: "medium";
+    message: string;
+} | {
+    script: string;
+    severity: "low";
+    message: string;
+})[];
+declare const SENSITIVE_FILES: RegExp[];
+declare const CODE_EXTENSIONS: string[];
+export interface PatternMatch {
+    pattern: RegExp;
+    type: ThreatType;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    message: string;
+}
+/**
+ * Scan a single file for suspicious patterns
+ */
+export declare function scanFile(filePath: string, content: string): FileThreat[];
+/**
+ * Check package.json scripts for suspicious behavior
+ */
+export declare function scanPackageJsonScripts(scripts: Record<string, string>): FileThreat[];
+/**
+ * Scan directory for all files
+ */
+export declare function scanDirectory(dirPath: string, extensions?: string[]): Map<string, string>;
+export { OBFUSCATION_PATTERNS, SUSPICIOUS_PATTERNS, SUSPICIOUS_SCRIPTS, SENSITIVE_FILES, CODE_EXTENSIONS };
+//# sourceMappingURL=patterns.d.ts.map

package/dist/lib/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/lib/patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAGvD,QAAA,MAAM,oBAAoB;;UAGC,UAAU;;;;;UAkBV,UAAU;;;;;UAwBV,UAAU;;;IAIpC,CAAC;AAGF,QAAA,MAAM,mBAAmB;;UAGM,UAAU;;;;;UAMV,UAAU;;;;;UAkBV,UAAU;;;;;UAYV,UAAU;;;IAkExC,CAAC;AAGF,QAAA,MAAM,kBAAkB;;;;;;;;;;;;IAmDvB,CAAC;AAGF,QAAA,MAAM,eAAe,UAsBpB,CAAC;AAGF,QAAA,MAAM,eAAe,UAKpB,CAAC;AAEF,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,UAAU,CAAC;IACjB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,UAAU,EAAE,CAwDxE;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,UAAU,EAAE,CAyBpF;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAuCzF;AAED,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,kBAAkB,EAClB,eAAe,EACf,eAAe,EAChB,CAAC"}