ohdear-npm-audit 1.3.0 → 1.4.0

package/README.md

@@ -33,7 +33,13 @@ export default withOhDearHealth({
 });
 ```
 
-The wrapper generates the manifest automatically when the config is evaluated (before the build starts). It also checks for critical vulnerabilities at build time and logs the results.
+The wrapper generates the manifest automatically when the config is evaluated (before the build starts). It also checks for critical vulnerabilities at build time and logs enriched results including dependency chains and vulnerable version ranges:
+
+```
+ohdear-npm-audit: 1 critical vulnerabilities:
+  - form-data@1.0.0 (via axios → form-data): unsafe random function
+    vulnerable: <1.0.1 — https://github.com/advisories/GHSA-xxx
+```
 
 ```js
 withOhDearHealth(nextConfig, {
@@ -72,8 +78,8 @@ This must match the secret configured in Oh Dear for your application health che
 
 ## How it works
 
-1. **Build time** — The CLI or Next.js wrapper runs `pnpm list` / `npm ls` to extract all production dependencies (including transitive) and writes them to a JSON manifest. When using the Next.js wrapper, a build-time vulnerability check is also performed and results are logged
-2. **Runtime** — On each GET request, the handler verifies the Oh Dear secret header, POSTs the manifest to the [npm bulk advisory API](https://docs.npmjs.com/about-audit-reports), filters for critical severity, and returns the result in the [Oh Dear health check format](https://ohdear.app/docs/features/application-health-monitoring)
+1. **Build time** — The CLI or Next.js wrapper runs `pnpm list` / `npm ls` to extract all production dependencies (including transitive) and writes them to a JSON manifest that includes a reverse dependency map for tracing dependency chains. When using the Next.js wrapper, a build-time vulnerability check is performed and results are logged with the full dependency chain (e.g. `axios → form-data`) and vulnerable version ranges
+2. **Runtime** — On each GET request, the handler verifies the Oh Dear secret header, POSTs the manifest to the [npm bulk advisory API](https://docs.npmjs.com/about-audit-reports), filters for critical severity, and returns the result in the [Oh Dear health check format](https://ohdear.app/docs/features/application-health-monitoring). Each vulnerability includes installed versions, vulnerable version range, and the dependency chain
 
 ### Response format
 
@@ -93,6 +99,19 @@ This must match the secret configured in Oh Dear for your application health che
 }
 ```
 
+When vulnerabilities are found, `meta.vulnerabilities` contains an array of:
+
+```json
+{
+  "package": "form-data",
+  "installedVersions": ["1.0.0"],
+  "title": "form-data uses unsafe random function",
+  "url": "https://github.com/advisories/GHSA-xxx",
+  "vulnerableVersions": "<1.0.1",
+  "dependencyChain": ["axios", "form-data"]
+}
+```
+
 `status` is `"ok"` when there are no critical vulnerabilities, `"warning"` when the npm advisory API is unreachable, `"failed"` otherwise.
 
 ## API
@@ -132,7 +151,7 @@ Defaults to `deps-manifest.json` in the current directory. Detects the package m
 ```
 src/
 ├── types.ts      # Shared types (DepsManifest, Vulnerability, HealthCheckResponse)
-├── generate.ts   # Manifest generation logic (build-time, execSync)
+├── generate.ts   # Manifest + reverse dep map generation (build-time, execSync)
 ├── handler.ts    # createHealthHandler factory — main export "."
 ├── next.ts       # withOhDearHealth wrapper — export "./next"
 └── bin.ts        # CLI entry point — bin "ohdear-deps-manifest"

package/dist/bin.js

@@ -11,5 +11,5 @@ if (outputIdx !== -1 && args[outputIdx + 1]) {
 }
 const cwd = process.cwd();
 const outputPath = (0, node_path_1.resolve)(cwd, output);
-const { manifest } = (0, generate_js_1.writeManifest)(outputPath, cwd);
-console.log(`deps-manifest.json: ${Object.keys(manifest).length} packages written`);
+const manifest = (0, generate_js_1.writeManifest)(outputPath, cwd);
+console.log(`${output}: ${Object.keys(manifest.packages).length} packages written`);

package/dist/generate.d.ts

@@ -1,11 +1,3 @@
 import type { DepsManifest } from "./types.js";
-export interface GenerateResult {
-    manifest: DepsManifest;
-    reverseDeps: Record<string, string[]>;
-}
-export declare function generateManifest(cwd: string): GenerateResult;
-export interface WriteManifestResult {
-    manifest: DepsManifest;
-    reverseMapPath: string;
-}
-export declare function writeManifest(outputPath: string, cwd: string): WriteManifestResult;
+export declare function generateManifest(cwd: string): DepsManifest;
+export declare function writeManifest(outputPath: string, cwd: string): DepsManifest;

package/dist/generate.js

@@ -23,9 +23,9 @@ function walkDeps(deps, acc, reverseDeps, parent) {
         if (!acc[name])
             acc[name] = new Set();
         acc[name].add(info.version);
+        if (!reverseDeps[name])
+            reverseDeps[name] = new Set();
         if (parent !== "root") {
-            if (!reverseDeps[name])
-                reverseDeps[name] = new Set();
             reverseDeps[name].add(parent);
         }
         walkDeps(info.dependencies, acc, reverseDeps, name);
@@ -75,21 +75,19 @@ function generateManifest(cwd) {
     const acc = {};
     const reverseAcc = {};
     walkDeps(tree.dependencies, acc, reverseAcc, "root");
-    const manifest = {};
+    const packages = {};
     for (const [name, versions] of Object.entries(acc)) {
-        manifest[name] = [...versions];
+        packages[name] = [...versions];
     }
     const reverseDeps = {};
     for (const [name, parents] of Object.entries(reverseAcc)) {
         reverseDeps[name] = [...parents];
     }
-    return { manifest, reverseDeps };
+    return { packages, reverseDeps };
 }
 function writeManifest(outputPath, cwd) {
-    const { manifest, reverseDeps } = generateManifest(cwd);
+    const manifest = generateManifest(cwd);
     (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(outputPath), { recursive: true });
     (0, node_fs_1.writeFileSync)(outputPath, JSON.stringify(manifest, null, 2) + "\n");
-    const reverseMapPath = (0, node_path_1.resolve)((0, node_path_1.dirname)(outputPath), "deps-reverse-map.json");
-    (0, node_fs_1.writeFileSync)(reverseMapPath, JSON.stringify(reverseDeps, null, 2) + "\n");
-    return { manifest, reverseMapPath };
+    return manifest;
 }

package/dist/handler.js

@@ -3,6 +3,25 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.createHealthHandler = createHealthHandler;
 const NPM_BULK_ADVISORY_URL = "https://registry.npmjs.org/-/npm/v1/security/advisories/bulk";
 const FETCH_TIMEOUT_MS = 8_000;
+/** BFS from pkg up through reverseMap to find the shortest chain to a root dep. */
+function buildChain(pkg, reverseMap) {
+    const queue = [[pkg]];
+    const visited = new Set([pkg]);
+    while (queue.length > 0) {
+        const path = queue.shift();
+        const current = path[path.length - 1];
+        const parents = reverseMap[current];
+        if (!parents || parents.length === 0)
+            return [...path].reverse();
+        for (const parent of parents) {
+            if (visited.has(parent))
+                continue;
+            visited.add(parent);
+            queue.push([...path, parent]);
+        }
+    }
+    return [pkg];
+}
 function makeWarningResponse(message) {
     return {
         finishedAt: Math.floor(Date.now() / 1000),
@@ -36,7 +55,7 @@ function createHealthHandler(manifest, options) {
             res = await fetch(NPM_BULK_ADVISORY_URL, {
                 method: "POST",
                 headers: { "Content-Type": "application/json" },
-                body: JSON.stringify(manifest),
+                body: JSON.stringify(manifest.packages),
                 signal: AbortSignal.timeout(FETCH_TIMEOUT_MS),
             });
         }
@@ -60,14 +79,16 @@ function createHealthHandler(manifest, options) {
         for (const [pkg, entries] of Object.entries(advisories)) {
             for (const entry of entries) {
                 if (entry.severity === "critical") {
-                    const versions = manifest[pkg] ?? [];
-                    critical.push({
+                    const versions = manifest.packages[pkg] ?? [];
+                    const vuln = {
                         package: pkg,
-                        installedVersion: versions.join(", "),
+                        installedVersions: versions,
                         title: entry.title,
                         url: entry.url,
                         vulnerableVersions: entry.vulnerable_versions ?? "",
-                    });
+                        dependencyChain: buildChain(pkg, manifest.reverseDeps),
+                    };
+                    critical.push(vuln);
                 }
             }
         }

package/dist/next.js

@@ -52,14 +52,21 @@ function hasRecentLock(output) {
  */
 function buildChainScript() {
     return [
-        `function buildChain(pkg, reverseMap, visited) {`,
-        `  if (visited.has(pkg)) return [pkg];`,
-        `  visited.add(pkg);`,
-        `  const parents = reverseMap[pkg];`,
-        `  if (!parents || parents.length === 0) return [pkg];`,
-        `  const chain = buildChain(parents[0], reverseMap, visited);`,
-        `  chain.push(pkg);`,
-        `  return chain;`,
+        `function buildChain(pkg, reverseMap) {`,
+        `  const queue = [[pkg]];`,
+        `  const visited = new Set([pkg]);`,
+        `  while (queue.length > 0) {`,
+        `    const path = queue.shift();`,
+        `    const current = path[path.length - 1];`,
+        `    const parents = reverseMap[current];`,
+        `    if (!parents || parents.length === 0) return path.slice().reverse();`,
+        `    for (const parent of parents) {`,
+        `      if (visited.has(parent)) continue;`,
+        `      visited.add(parent);`,
+        `      queue.push([...path, parent]);`,
+        `    }`,
+        `  }`,
+        `  return [pkg];`,
         `}`,
     ].join("\n");
 }
@@ -68,18 +75,18 @@ function buildChainScript() {
  * API. Output is inherited so logs appear in the build output. Does not
  * block the build — the subprocess runs in parallel with Next.js compilation.
  */
-function checkVulnerabilities(manifestPath, reverseMapPath) {
-    const safeManifestPath = JSON.stringify(manifestPath);
-    const safeReverseMapPath = JSON.stringify(reverseMapPath);
+function checkVulnerabilities(manifestPath) {
+    const safePath = JSON.stringify(manifestPath);
     const script = [
         `const fs = require("fs");`,
-        `const manifest = JSON.parse(fs.readFileSync(${safeManifestPath}, "utf-8"));`,
-        `const reverseMap = JSON.parse(fs.readFileSync(${safeReverseMapPath}, "utf-8"));`,
+        `const data = JSON.parse(fs.readFileSync(${safePath}, "utf-8"));`,
+        `const packages = data.packages;`,
+        `const reverseMap = data.reverseDeps;`,
         buildChainScript(),
         `fetch("https://registry.npmjs.org/-/npm/v1/security/advisories/bulk", {`,
         `  method: "POST",`,
         `  headers: { "Content-Type": "application/json" },`,
-        `  body: JSON.stringify(manifest),`,
+        `  body: JSON.stringify(packages),`,
         `  signal: AbortSignal.timeout(8000),`,
         `})`,
         `.then(r => { if (!r.ok) throw new Error("HTTP " + r.status); return r.json(); })`,
@@ -88,8 +95,8 @@ function checkVulnerabilities(manifestPath, reverseMapPath) {
         `  for (const [pkg, entries] of Object.entries(data)) {`,
         `    for (const e of entries) {`,
         `      if (e.severity !== "critical") continue;`,
-        `      const versions = manifest[pkg] || [];`,
-        `      const chain = buildChain(pkg, reverseMap, new Set());`,
+        `      const versions = packages[pkg] || [];`,
+        `      const chain = buildChain(pkg, reverseMap);`,
         `      const versionStr = versions.join(", ");`,
         `      const chainStr = chain.length > 1 ? " (via " + chain.join(" \\u2192 ") + ")" : "";`,
         `      let line = "  - " + pkg + "@" + versionStr + chainStr + ": " + e.title;`,
@@ -106,7 +113,7 @@ function checkVulnerabilities(manifestPath, reverseMapPath) {
         `    console.log("ohdear-npm-audit: no critical vulnerabilities \\u2713");`,
         `  }`,
         `})`,
-        `.catch(() => {});`,
+        `.catch(err => console.warn("ohdear-npm-audit: build-time vulnerability check failed:", err.message || err));`,
     ].join("\n");
     const child = (0, node_child_process_1.spawn)("node", ["-e", script], {
         stdio: "inherit",
@@ -121,8 +128,8 @@ function withOhDearHealth(nextConfig, options) {
     if (hasRecentLock(output))
         return nextConfig;
     try {
-        const { manifest, reverseMapPath } = (0, generate_js_1.writeManifest)(output, cwd);
-        console.log(`ohdear-npm-audit: ${Object.keys(manifest).length} packages written → ${output}`);
+        const manifest = (0, generate_js_1.writeManifest)(output, cwd);
+        console.log(`ohdear-npm-audit: ${Object.keys(manifest.packages).length} packages written → ${output}`);
         const routePath = deriveRoutePath((0, node_path_1.relative)(cwd, output));
         const domain = process.env.VERCEL_PROJECT_PRODUCTION_URL;
         if (routePath && domain) {
@@ -138,7 +145,7 @@ function withOhDearHealth(nextConfig, options) {
             console.warn("ohdear-npm-audit: OHDEAR_HEALTH_SECRET is not set — health check will reject all requests.");
         }
         if (options?.checkOnBuild !== false) {
-            checkVulnerabilities(output, reverseMapPath);
+            checkVulnerabilities(output);
         }
     }
     catch (err) {

package/dist/types.d.ts

@@ -1,7 +1,10 @@
-export type DepsManifest = Record<string, string[]>;
+export interface DepsManifest {
+    packages: Record<string, string[]>;
+    reverseDeps: Record<string, string[]>;
+}
 export interface Vulnerability {
     package: string;
-    installedVersion: string;
+    installedVersions: string[];
     title: string;
     url: string;
     vulnerableVersions: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ohdear-npm-audit",
-  "version": "1.3.0",
+  "version": "1.4.0",
   "description": "Oh Dear Application Health check for npm audit critical vulnerabilities",
   "main": "./dist/handler.js",
   "types": "./dist/handler.d.ts",