npm-scan-plus 1.0.0

package/dist/lib/vuln.js

@@ -0,0 +1,284 @@
+"use strict";
+/**
+ * Vulnerability databases API integration
+ * OSV, GitHub Advisory, npm Audit
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.npmAuditClient = exports.githubAdvisoryClient = exports.osvClient = exports.VulnerabilityChecker = exports.NpmAuditClient = exports.GitHubAdvisoryClient = exports.OSVClient = void 0;
+exports.createVulnerabilityChecker = createVulnerabilityChecker;
+const OSV_API = 'https://api.osv.dev/v1/query';
+const GITHUB_ADVISORIES_API = 'https://api.github.com/advisories';
+const NPM_AUDIT_API = 'https://registry.npmjs.org/-/npm/v1/security/advisors';
+/**
+ * OSV (Open Source Vulnerabilities) API client
+ * Free database maintained by Google
+ */
+class OSVClient {
+    apiUrl = OSV_API;
+    /**
+     * Query OSV for vulnerabilities in a package
+     */
+    async checkPackage(packageName, version) {
+        const query = {
+            package: {
+                name: packageName,
+                ecosystem: 'npm'
+            }
+        };
+        if (version) {
+            query.version = version;
+        }
+        try {
+            const response = await fetch(this.apiUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json'
+                },
+                body: JSON.stringify(query)
+            });
+            if (!response.ok) {
+                return [];
+            }
+            const data = await response.json();
+            const vulns = data.vulns || [];
+            return vulns.map(v => ({
+                id: v.id,
+                source: 'osv',
+                severity: this.mapSeverity(v.severity),
+                summary: v.summary,
+                details: v.details,
+                aliases: v.aliases,
+                patched_versions: this.getPatchedVersions(v.affected),
+                affected_versions: this.getAffectedVersions(v.affected),
+                references: v.references?.map((r) => r.url),
+                published: v.published,
+                modified: v.modified
+            }));
+        }
+        catch (error) {
+            console.error('OSV API error:', error);
+            return [];
+        }
+    }
+    /**
+     * Map OSV severity to our severity
+     */
+    mapSeverity(severity) {
+        const s = String(severity || '').toLowerCase();
+        if (s === 'critical')
+            return 'critical';
+        if (s === 'high')
+            return 'high';
+        if (s === 'medium')
+            return 'medium';
+        return 'low';
+    }
+    /**
+     * Extract patched versions from OSV affected field
+     */
+    getPatchedVersions(affected) {
+        if (!affected || affected.length === 0)
+            return undefined;
+        for (const a of affected) {
+            if (a.versions && a.ranges) {
+                for (const range of a.ranges) {
+                    if (range.type === 'semver' && range.events) {
+                        for (const event of range.events) {
+                            if (event.introduced || event.fixed) {
+                                return event.fixed || '<' + event.introduced;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+        return undefined;
+    }
+    /**
+     * Get affected versions string
+     */
+    getAffectedVersions(affected) {
+        if (!affected || affected.length === 0)
+            return undefined;
+        const versions = affected.map(a => a.package?.version).filter(Boolean);
+        return versions.length > 0 ? versions.join(', ') : undefined;
+    }
+}
+exports.OSVClient = OSVClient;
+/**
+ * GitHub Advisory Database API client
+ * Requires authentication for higher rate limits
+ */
+class GitHubAdvisoryClient {
+    token;
+    apiUrl = GITHUB_ADVISORIES_API;
+    constructor(token) {
+        this.token = token || process.env.GITHUB_TOKEN;
+    }
+    /**
+     * Fetch advisories for a specific package
+     */
+    async checkPackage(packageName) {
+        // GitHub advisories are fetched from the ecosystem-wide list
+        // We filter by package name client-side
+        try {
+            const response = await fetch(`${this.apiUrl}?ecosystem=npm&package=${packageName}`, {
+                headers: this.getHeaders()
+            });
+            if (!response.ok) {
+                if (response.status === 403) {
+                    console.warn('GitHub API rate limited. Set GITHUB_TOKEN for higher limits.');
+                }
+                return [];
+            }
+            const data = await response.json();
+            const advisories = data.advisories || [];
+            return advisories.map((a) => ({
+                id: a.ghsa_id || a.cve_id,
+                source: 'github',
+                severity: this.mapSeverity(a.severity),
+                summary: a.summary,
+                details: a.description,
+                aliases: a.cve_id ? [a.cve_id] : [],
+                patched_versions: a.vulnerabilities?.[0]?.patched_versions,
+                affected_versions: a.vulnerabilities?.[0]?.vulnerable_version_range,
+                references: a.references?.map((r) => r.url),
+                published: a.published_at,
+                modified: a.updated_at
+            }));
+        }
+        catch (error) {
+            console.error('GitHub Advisory API error:', error);
+            return [];
+        }
+    }
+    /**
+     * Map GitHub severity to our severity
+     */
+    mapSeverity(severity) {
+        const s = String(severity || '').toLowerCase();
+        if (s === 'critical')
+            return 'critical';
+        if (s === 'high')
+            return 'high';
+        if (s === 'medium')
+            return 'medium';
+        return 'low';
+    }
+    /**
+     * Get HTTP headers
+     */
+    getHeaders() {
+        const headers = {
+            'Accept': 'application/vnd.github+json',
+            'X-GitHub-Api-Version': '2022-11-28'
+        };
+        if (this.token) {
+            headers['Authorization'] = `Bearer ${this.token}`;
+        }
+        return headers;
+    }
+}
+exports.GitHubAdvisoryClient = GitHubAdvisoryClient;
+/**
+ * npm Audit API client
+ * Official npm security advisories
+ */
+class NpmAuditClient {
+    apiUrl = NPM_AUDIT_API;
+    /**
+     * Fetch advisories from npm
+     */
+    async checkPackage(packageName) {
+        try {
+            const response = await fetch(`${this.apiUrl}?package=${packageName}`, {
+                headers: {
+                    'Accept': 'application/json'
+                }
+            });
+            if (!response.ok) {
+                return [];
+            }
+            const data = await response.json();
+            const advisories = data.data || [];
+            return advisories.map((a) => ({
+                id: a.id,
+                source: 'npm',
+                severity: this.mapSeverity(a.severity),
+                summary: a.title,
+                details: a.url,
+                patched_versions: a.patched_versions,
+                affected_versions: a.vulnerable_versions,
+                references: [a.url].filter(Boolean),
+                published: a.published,
+                modified: a.modified
+            }));
+        }
+        catch (error) {
+            console.error('npm Audit API error:', error);
+            return [];
+        }
+    }
+    /**
+     * Map npm severity to our severity
+     */
+    mapSeverity(severity) {
+        const s = String(severity || '').toLowerCase();
+        if (s === 'critical')
+            return 'critical';
+        if (s === 'high')
+            return 'high';
+        if (s === 'medium')
+            return 'medium';
+        return 'low';
+    }
+}
+exports.NpmAuditClient = NpmAuditClient;
+/**
+ * Combined vulnerability checker
+ * Queries all three sources
+ */
+class VulnerabilityChecker {
+    osv;
+    github;
+    npmAudit;
+    constructor(githubToken) {
+        this.osv = new OSVClient();
+        this.github = new GitHubAdvisoryClient(githubToken);
+        this.npmAudit = new NpmAuditClient();
+    }
+    /**
+     * Check a package against all vulnerability databases
+     */
+    async checkPackage(packageName, version) {
+        const [osvVulns, githubVulns, npmVulns] = await Promise.all([
+            this.osv.checkPackage(packageName, version).catch(() => []),
+            this.github.checkPackage(packageName).catch(() => []),
+            this.npmAudit.checkPackage(packageName).catch(() => [])
+        ]);
+        // Deduplicate by CVE ID
+        const seen = new Set();
+        const combined = [];
+        for (const v of [...osvVulns, ...githubVulns, ...npmVulns]) {
+            const id = v.id || v.aliases?.[0];
+            if (id && !seen.has(id)) {
+                seen.add(id);
+                combined.push(v);
+            }
+        }
+        return {
+            packageName,
+            vulnerabilities: combined,
+            checkedAt: new Date().toISOString()
+        };
+    }
+}
+exports.VulnerabilityChecker = VulnerabilityChecker;
+// Export factory functions
+function createVulnerabilityChecker(token) {
+    return new VulnerabilityChecker(token);
+}
+exports.osvClient = new OSVClient();
+exports.githubAdvisoryClient = new GitHubAdvisoryClient();
+exports.npmAuditClient = new NpmAuditClient();
+//# sourceMappingURL=vuln.js.map

package/dist/lib/vuln.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vuln.js","sourceRoot":"","sources":["../../src/lib/vuln.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAuTH,gEAEC;AAvTD,MAAM,OAAO,GAAG,8BAA8B,CAAC;AAC/C,MAAM,qBAAqB,GAAG,mCAAmC,CAAC;AAClE,MAAM,aAAa,GAAG,uDAAuD,CAAC;AAsB9E;;;GAGG;AACH,MAAa,SAAS;IACZ,MAAM,GAAG,OAAO,CAAC;IAEzB;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,WAAmB,EAAE,OAAgB;QACtD,MAAM,KAAK,GAAQ;YACjB,OAAO,EAAE;gBACP,IAAI,EAAE,WAAW;gBACjB,SAAS,EAAE,KAAK;aACjB;SACF,CAAC;QAEF,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,CAAC,OAAO,GAAG,OAAO,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE;gBACxC,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;iBACnC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;aAC5B,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,MAAM,IAAI,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YAE/B,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACrB,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,MAAM,EAAE,KAAc;gBACtB,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;gBACtC,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,gBAAgB,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC,QAAQ,CAAC;gBACrD,iBAAiB,EAAE,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,QAAQ,CAAC;gBACvD,UAAU,EAAE,CAAC,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;gBAChD,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,QAAQ,EAAE,CAAC,CAAC,QAAQ;aACrB,CAAC,CAAC,CAAC;QACN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;YACvC,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,QAAa;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAC/C,IAAI,CAAC,KAAK,UAAU;YAAE,OAAO,UAAU,CAAC;QACxC,IAAI,CAAC,KAAK,MAAM;YAAE,OAAO,MAAM,CAAC;QAChC,IAAI,CAAC,KAAK,QAAQ;YAAE,OAAO,QAAQ,CAAC;QACpC,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,QAAe;QACxC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QAEzD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;gBAC3B,KAAK,MAAM,KAAK,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;oBAC7B,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;wBAC5C,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;4BACjC,IAAI,KAAK,CAAC,UAAU,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gCACpC,OAAO,KAAK,CAAC,KAAK,IAAI,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC;4BAC/C,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,QAAe;QACzC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,SAAS,CAAC;QACzD,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACvE,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/D,CAAC;CACF;AA9FD,8BA8FC;AAED;;;GAGG;AACH,MAAa,oBAAoB;IACvB,KAAK,CAAqB;IAC1B,MAAM,GAAG,qBAAqB,CAAC;IAEvC,YAAY,KAAc;QACxB,IAAI,CAAC,KAAK,GAAG,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACjD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,WAAmB;QACpC,6DAA6D;QAC7D,wCAAwC;QACxC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,IAAI,CAAC,MAAM,0BAA0B,WAAW,EAAE,EACrD;gBACE,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE;aAC3B,CACF,CAAC;YAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,OAAO,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;gBAC/E,CAAC;gBACD,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,MAAM,IAAI,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC;YAEzC,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;gBACjC,EAAE,EAAE,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,MAAM;gBACzB,MAAM,EAAE,QAAiB;gBACzB,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;gBACtC,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,OAAO,EAAE,CAAC,CAAC,WAAW;gBACtB,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE;gBACnC,gBAAgB,EAAE,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,gBAAgB;gBAC1D,iBAAiB,EAAE,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,wBAAwB;gBACnE,UAAU,EAAE,CAAC,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;gBAChD,SAAS,EAAE,CAAC,CAAC,YAAY;gBACzB,QAAQ,EAAE,CAAC,CAAC,UAAU;aACvB,CAAC,CAAC,CAAC;QACN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;YACnD,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,QAAa;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAC/C,IAAI,CAAC,KAAK,UAAU;YAAE,OAAO,UAAU,CAAC;QACxC,IAAI,CAAC,KAAK,MAAM;YAAE,OAAO,MAAM,CAAC;QAChC,IAAI,CAAC,KAAK,QAAQ;YAAE,OAAO,QAAQ,CAAC;QACpC,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,UAAU;QAChB,MAAM,OAAO,GAA2B;YACtC,QAAQ,EAAE,6BAA6B;YACvC,sBAAsB,EAAE,YAAY;SACrC,CAAC;QACF,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,eAAe,CAAC,GAAG,UAAU,IAAI,CAAC,KAAK,EAAE,CAAC;QACpD,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AA3ED,oDA2EC;AAED;;;GAGG;AACH,MAAa,cAAc;IACjB,MAAM,GAAG,aAAa,CAAC;IAE/B;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,WAAmB;QACpC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,IAAI,CAAC,MAAM,YAAY,WAAW,EAAE,EACvC;gBACE,OAAO,EAAE;oBACP,QAAQ,EAAE,kBAAkB;iBAC7B;aACF,CACF,CAAC;YAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,MAAM,IAAI,GAAQ,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACxC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;YAEnC,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;gBACjC,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,MAAM,EAAE,KAAc;gBACtB,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,CAAC;gBACtC,OAAO,EAAE,CAAC,CAAC,KAAK;gBAChB,OAAO,EAAE,CAAC,CAAC,GAAG;gBACd,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;gBACpC,iBAAiB,EAAE,CAAC,CAAC,mBAAmB;gBACxC,UAAU,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;gBACnC,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,QAAQ,EAAE,CAAC,CAAC,QAAQ;aACrB,CAAC,CAAC,CAAC;QACN,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,sBAAsB,EAAE,KAAK,CAAC,CAAC;YAC7C,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,QAAa;QAC/B,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAC/C,IAAI,CAAC,KAAK,UAAU;YAAE,OAAO,UAAU,CAAC;QACxC,IAAI,CAAC,KAAK,MAAM;YAAE,OAAO,MAAM,CAAC;QAChC,IAAI,CAAC,KAAK,QAAQ;YAAE,OAAO,QAAQ,CAAC;QACpC,OAAO,KAAK,CAAC;IACf,CAAC;CACF;AApDD,wCAoDC;AAED;;;GAGG;AACH,MAAa,oBAAoB;IACvB,GAAG,CAAY;IACf,MAAM,CAAuB;IAC7B,QAAQ,CAAiB;IAEjC,YAAY,WAAoB;QAC9B,IAAI,CAAC,GAAG,GAAG,IAAI,SAAS,EAAE,CAAC;QAC3B,IAAI,CAAC,MAAM,GAAG,IAAI,oBAAoB,CAAC,WAAW,CAAC,CAAC;QACpD,IAAI,CAAC,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,WAAmB,EAAE,OAAgB;QACtD,MAAM,CAAC,QAAQ,EAAE,WAAW,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YAC1D,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;YAC3D,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;YACrD,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;SACxD,CAAC,CAAC;QAEH,wBAAwB;QACxB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,MAAM,QAAQ,GAAoB,EAAE,CAAC;QAErC,KAAK,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,EAAE,GAAG,WAAW,EAAE,GAAG,QAAQ,CAAC,EAAE,CAAC;YAC3D,MAAM,EAAE,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;YAClC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;gBACxB,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBACb,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACnB,CAAC;QACH,CAAC;QAED,OAAO;YACL,WAAW;YACX,eAAe,EAAE,QAAQ;YACzB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;IACJ,CAAC;CACF;AAvCD,oDAuCC;AAED,2BAA2B;AAC3B,SAAgB,0BAA0B,CAAC,KAAc;IACvD,OAAO,IAAI,oBAAoB,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAEY,QAAA,SAAS,GAAG,IAAI,SAAS,EAAE,CAAC;AAC5B,QAAA,oBAAoB,GAAG,IAAI,oBAAoB,EAAE,CAAC;AAClD,QAAA,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,85 @@
+/**
+ * npm-scan type definitions
+ */
+export interface PackageMetadata {
+    name: string;
+    version: string;
+    description?: string;
+    publisher?: {
+        username: string;
+        email: string;
+    };
+    maintainers?: Array<{
+        username: string;
+        email: string;
+    }>;
+    repository?: {
+        type: string;
+        url: string;
+    };
+    homepage?: string;
+    license?: string;
+    dependencies?: Record<string, string>;
+    devDependencies?: Record<string, string>;
+    peerDependencies?: Record<string, string>;
+    scripts?: Record<string, string>;
+    latest?: string;
+    time?: {
+        created: string;
+        modified: string;
+    };
+}
+export interface ScanResult {
+    packageName: string;
+    version: string;
+    status: 'safe' | 'warning' | 'danger' | 'blocked';
+    threats: Threat[];
+    metadata?: PackageMetadata;
+    score: number;
+}
+export interface Threat {
+    type: ThreatType;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    message: string;
+    details?: string;
+    location?: string;
+}
+export type ThreatType = 'blocklisted' | 'vulnerability' | 'obfuscation' | 'suspicious_code' | 'typosquatting' | 'supply_chain' | 'suspicious_script' | 'unknown_publisher' | 'dependency_confusion';
+export interface BlocklistEntry {
+    package: string;
+    reason: string;
+    addedAt: string;
+    severity: 'high' | 'critical';
+    source?: string;
+}
+export interface ScanOptions {
+    registry?: string;
+    blocklist?: string[];
+    checkVulnerabilities?: boolean;
+    checkObfuscation?: boolean;
+    checkPatterns?: boolean;
+    timeout?: number;
+}
+export interface PostInstallScanResult {
+    scannedPackages: number;
+    threats: FileThreat[];
+    duration: number;
+}
+export interface FileThreat {
+    package: string;
+    file: string;
+    type: ThreatType;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    message: string;
+    line?: number;
+    code?: string;
+}
+export interface CliOptions {
+    command: 'pre' | 'post' | 'scan' | 'blocklist';
+    subcommand?: 'add' | 'remove' | 'list';
+    package?: string;
+    version?: string;
+    folder?: string;
+    verbose?: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE;QACV,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IACF,WAAW,CAAC,EAAE,KAAK,CAAC;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,KAAK,EAAE,MAAM,CAAC;KACf,CAAC,CAAC;IACH,UAAU,CAAC,EAAE;QACX,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtC,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACzC,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE;QACL,OAAO,EAAE,MAAM,CAAC;QAChB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED,MAAM,WAAW,UAAU;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;IAClD,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,UAAU,CAAC;IACjB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,UAAU,GAClB,aAAa,GACb,eAAe,GACf,aAAa,GACb,iBAAiB,GACjB,eAAe,GACf,cAAc,GACd,mBAAmB,GACnB,mBAAmB,GACnB,sBAAsB,CAAC;AAE3B,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,GAAG,UAAU,CAAC;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,qBAAqB;IACpC,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,UAAU,CAAC;IACjB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,KAAK,GAAG,MAAM,GAAG,MAAM,GAAG,WAAW,CAAC;IAC/C,UAAU,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACvC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB"}

package/dist/types.js

@@ -0,0 +1,6 @@
+"use strict";
+/**
+ * npm-scan type definitions
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";AAAA;;GAEG"}

package/jest.config.js

@@ -0,0 +1,18 @@
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  roots: ['<rootDir>/tests'],
+  testMatch: ['**/*.test.ts'],
+  collectCoverageFrom: [
+    'src/lib/**/*.ts',
+    '!src/**/*.d.ts'
+  ],
+  coverageDirectory: 'coverage',
+  coverageReporters: ['text', 'lcov', 'html'],
+  moduleFileExtensions: ['ts', 'js', 'json'],
+  transform: {
+    '^.+\\.ts$': 'ts-jest'
+  },
+  verbose: true,
+  testTimeout: 30000
+};

package/package.json

@@ -0,0 +1,56 @@
+{
+  "name": "npm-scan-plus",
+  "version": "1.0.0",
+  "description": "Security scanner for npm packages - pre and post-install scanning for malicious code, supply chain attacks, and obfuscated code",
+  "main": "dist/lib/index.js",
+  "types": "dist/lib/index.d.ts",
+  "bin": {
+    "npm-scan": "./bin/npm-scan.js",
+    "npm-scan-wrap": "./bin/npm-scan-wrap"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "jest",
+    "lint": "eslint src tests --ext .ts",
+    "lint:fix": "eslint src tests --ext .ts --fix",
+    "format": "prettier --write src tests",
+    "prepare": "npm run build"
+  },
+  "keywords": [
+    "security",
+    "npm",
+    "scanner",
+    "malware",
+    "supply-chain",
+    "obfuscation",
+    "vulnerabilities",
+    "infosec"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/cbuntingde/npm-scan.git"
+  },
+  "author": "Chris Bunting <cbuntingde@github.com>",
+  "license": "MIT",
+  "dependencies": {
+    "tar": "^6.2.1",
+    "semver": "^7.6.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.0",
+    "@types/tar": "^6.1.11",
+    "@types/semver": "^7.5.6",
+    "@typescript-eslint/eslint-plugin": "^6.21.0",
+    "@typescript-eslint/parser": "^6.21.0",
+    "eslint": "^8.56.0",
+    "prettier": "^3.2.5",
+    "typescript": "^5.3.3",
+    "jest": "^29.7.0",
+    "@types/jest": "^29.5.12",
+    "ts-jest": "^29.1.2",
+    "ts-node": "^10.9.2"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}