npxconfuse 1.0.0 → 1.1.0

package/bin/cli.js

@@ -85,8 +85,9 @@ program
 program
   .command("github <org>")
   .description("Scan a GitHub organization for npx confusion vulnerabilities")
-  .option("--max-repos <number>", "Maximum repos to scan", "1000")
+  .option("--max-repos <number>", "Maximum repos to fetch", "5000")
   .option("--github-enterprise <url>", "GitHub Enterprise base URL")
+  .option("--all", "Scan ALL repos regardless of language")
   .action(async (org, cmdOpts) => {
     const opts = { ...program.opts(), ...cmdOpts };
     logger.banner();
@@ -97,6 +98,7 @@ program
       const files = await scanGitHub(org, {
         maxRepos: parseInt(opts.maxRepos, 10),
         githubEnterprise: opts.githubEnterprise,
+        allLanguages: opts.all || false,
       });
       spinner.succeed(`Found ${files.length} files from GitHub`);
 

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "npxconfuse",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Detect npx confusion vulnerabilities — find unclaimed npm package names in your codebase, GitHub orgs, and web domains before attackers do.",
   "type": "module",
   "bin": {
-    "npxconfuse": "./bin/cli.js"
+    "npxconfuse": "bin/cli.js"
   },
   "main": "./src/analyzer.js",
   "files": [
@@ -30,7 +30,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/cybershaykh/npxconfuse"
+    "url": "git+https://github.com/cybershaykh/npxconfuse.git"
   },
   "engines": {
     "node": ">=18.0.0"

package/src/sources/github.js

@@ -3,14 +3,21 @@ import pLimit from "p-limit";
 import logger from "../utils/logger.js";
 import { GITHUB_DEFAULTS } from "../utils/constants.js";
 
+/**
+ * Languages that indicate a JavaScript/Node.js project.
+ */
+const JS_LANGUAGES = new Set(["JavaScript", "TypeScript"]);
+
 /**
  * Scan a GitHub organization for package.json manifests.
+ * Automatically filters repos to JavaScript/TypeScript projects.
  *
  * @param {string} org - GitHub organization name
  * @param {object} options
- * @param {number} options.maxRepos - Max repos to scan (default 1000)
- * @param {number} options.concurrency - Parallel repo scans (default 5)
+ * @param {number} options.maxRepos - Max repos to scan (default 5000)
+ * @param {number} options.concurrency - Parallel repo scans (default 10)
  * @param {string} options.githubEnterprise - Base URL for GHE
+ * @param {boolean} options.allLanguages - Scan ALL repos regardless of language
  * @returns {Promise<Array<{filepath: string, content: string, type: string}>>}
  */
 export async function scanGitHub(org, options = {}) {
@@ -30,7 +37,8 @@ export async function scanGitHub(org, options = {}) {
 
   const octokit = new Octokit(octokitOpts);
   const maxRepos = options.maxRepos || GITHUB_DEFAULTS.maxRepos;
-  const concurrency = options.concurrency || 5;
+  const concurrency = options.concurrency || 10;
+  const allLanguages = options.allLanguages || false;
   const limit = pLimit(concurrency);
 
   logger.info(`Scanning GitHub organization: ${org}`);
@@ -71,13 +79,37 @@ export async function scanGitHub(org, options = {}) {
     }
   }
 
-  logger.info(`Found ${repos.length} repositories in ${org}`);
+  logger.info(`Fetched ${repos.length} total repositories in ${org}`);
+
+  // ── 2. Filter to JavaScript/TypeScript repos ──
+  let targets;
+  if (allLanguages) {
+    targets = repos;
+  } else {
+    targets = repos.filter((repo) => JS_LANGUAGES.has(repo.language));
+    const skipped = repos.length - targets.length;
+    const langBreakdown = {};
+    for (const r of repos) {
+      const lang = r.language || "Unknown";
+      langBreakdown[lang] = (langBreakdown[lang] || 0) + 1;
+    }
+    logger.info(
+      `Filtered to ${targets.length} JavaScript/TypeScript repos ` +
+        `(skipped ${skipped} non-JS repos)`,
+    );
+    logger.debug(`Language breakdown: ${JSON.stringify(langBreakdown)}`);
+  }
+
+  if (targets.length === 0) {
+    logger.warn("No JavaScript/TypeScript repos found in this org.");
+    return [];
+  }
 
-  // ── 2. Search each repo for relevant files ──
+  // ── 3. Scan each JS repo for package.json ──
   const results = [];
   let processed = 0;
 
-  const tasks = repos.slice(0, maxRepos).map((repo) =>
+  const tasks = targets.map((repo) =>
     limit(async () => {
       try {
         const repoFiles = await scanRepo(octokit, org, repo.name);
@@ -87,9 +119,9 @@ export async function scanGitHub(org, options = {}) {
       }
 
       processed++;
-      if (processed % 10 === 0 || processed === repos.length) {
+      if (processed % 10 === 0 || processed === targets.length) {
         logger.info(
-          `Progress: ${processed}/${repos.length} repos scanned (${results.length} files found)`,
+          `Progress: ${processed}/${targets.length} JS repos scanned (${results.length} files found)`,
         );
       }
     }),
@@ -97,7 +129,7 @@ export async function scanGitHub(org, options = {}) {
 
   await Promise.all(tasks);
   logger.success(
-    `GitHub scan complete: ${results.length} files from ${repos.length} repos`,
+    `GitHub scan complete: ${results.length} files from ${targets.length} JS repos`,
   );
 
   return results;

package/src/utils/constants.js

@@ -177,5 +177,5 @@ export const WEB_PROBE_PATHS = [
 // GitHub API defaults
 export const GITHUB_DEFAULTS = {
   perPage: 100,
-  maxRepos: 1000,
+  maxRepos: 5000,
 };