npm-scan-plus 1.0.2 → 1.0.3

package/bin/npm-scan-wrap

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 
 /**
- * npm-scan wrapper - Automatically scans before and after npm install
- * Usage: npm-scan-wrap install <packages>
- *        npm-scan-wrap install
+ * npm-scan-plus wrapper - Automatically scans before and after npm install
+ * Usage: npm-scan-plus-wrap install <packages>
+ *        npm-scan-plus-wrap install
  */
 
 const { spawn } = require('child_process');
@@ -14,9 +14,16 @@ const SCANNER_PATH = path.join(__dirname, '../dist/cli/index.js');
 
 async function runScanner(args) {
   return new Promise((resolve, reject) => {
-    const scanner = spawn('node', [SCANNER_PATH, ...args], {
-      stdio: 'inherit',
-      shell: true
+    // Properly quote arguments to prevent injection
+    const safeArgs = args.map(arg => {
+      if (arg.includes(' ') || arg.includes('"') || arg.includes("'")) {
+        return `"${arg.replace(/"/g, '\\"')}"`;
+      }
+      return arg;
+    });
+
+    const scanner = spawn('node', [SCANNER_PATH, ...safeArgs], {
+      stdio: 'inherit'
     });
 
     scanner.on('close', (code) => {
@@ -28,10 +35,11 @@ async function runScanner(args) {
 
 async function runNpm(args) {
   return new Promise((resolve, reject) => {
-    const npm = process.platform === 'win32' ? 'npm.cmd' : 'npm';
-    const install = spawn(npm, args, {
+    // Use npm.cmd on Windows, avoid shell: true
+    const npmCmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+
+    const install = spawn(npmCmd, args, {
       stdio: 'inherit',
-      shell: true,
       env: { ...process.env, NPM_CONFIG_AUDIT: 'false' }
     });
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "npm-scan-plus",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "Security scanner for npm packages - pre and post-install scanning for malicious code, supply chain attacks, and obfuscated code",
   "main": "dist/lib/index.js",
   "types": "dist/lib/index.d.ts",