npm - ohrisk - Versions diffs - 0.127.0 → 0.127.1 - Mend

ohrisk 0.127.0 → 0.127.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,23 @@
 # Changelog
+## 0.127.1 - 2026-06-20
+### Fixed
+- The default Node artifact fetcher now returns DNS lookup results in the shape
+  requested by Node's HTTP client, fixing `Invalid IP address: undefined`
+  failures when scanning real remote package tarballs.
+- Package tarball evidence now accepts npm tarballs that use a custom
+  top-level directory, such as `bun/package.json`, instead of only
+  `package/package.json`.
+- Registry metadata fallback now requests the exact package version endpoint
+  instead of the full package metadata document, avoiding oversized metadata
+  failures for packages with long histories such as `@types/node`.
+- Remote package tarballs that exceed Ohrisk's size limits now produce
+  unavailable package evidence instead of aborting the whole repository scan.
+- Package metadata now uses npm's normalized `bin` path form, avoiding publish
+  auto-correction warnings for the CLI entry.
 ## 0.127.0 - 2026-06-20
 ### Fixed

package/dist/cli.js CHANGED Viewed

@@ -15175,7 +15175,7 @@ function parseDiffArgs(argv) {
 }
 // src/cli/version.ts
-var OHRISK_VERSION = "0.127.0";
+var OHRISK_VERSION = "0.127.1";
 // src/diff/compare.ts
 function diffRiskFindings(input) {
@@ -15480,7 +15480,8 @@ function collectTarballEvidence(input) {
       tarball: unpacked.value,
       maxEntries: input.maxEntries ?? PACKAGE_TARBALL_MAX_ENTRIES
     });
-    const packageJsonEntry = entries.find((entry) => normalizePackagePath(entry.path) === "package.json");
+    const packageRoot = findPackageRoot(entries);
+    const packageJsonEntry = packageRoot === undefined ? undefined : entries.find((entry) => normalizePackagePath(entry.path, packageRoot) === "package.json");
     if (!packageJsonEntry) {
       return err(createError({
         code: "PACKAGE_JSON_PARSE_FAILED",
@@ -15498,7 +15499,7 @@ function collectTarballEvidence(input) {
     if (!packageJson.ok) {
       return err(packageJson.error);
     }
-    const files = collectTarEvidenceFiles(entries);
+    const files = collectTarEvidenceFiles(entries, packageRoot);
     const warnings = files.length === 0 ? ["No LICENSE, LICENCE, UNLICENSE, COPYING, or NOTICE file found."] : [];
     return ok({
       packageId: input.packageId,
@@ -15589,9 +15590,22 @@ function parseTarEntries(input) {
   }
   return entries;
 }
-function collectTarEvidenceFiles(entries) {
+function findPackageRoot(entries) {
+  if (entries.some((entry) => entry.path === "package.json")) {
+    return "";
+  }
+  const roots = entries.map((entry) => {
+    const match = /^([^/]+)\/package\.json$/.exec(entry.path);
+    return match?.[1];
+  }).filter((root) => root !== undefined).sort();
+  if (roots.includes("package")) {
+    return "package";
+  }
+  return roots[0];
+}
+function collectTarEvidenceFiles(entries, packageRoot) {
   return entries.map((entry) => {
-    const normalized = normalizePackagePath(entry.path);
+    const normalized = normalizePackagePath(entry.path, packageRoot);
     if (!isRootPackageFile(normalized)) {
       return;
     }
@@ -15622,8 +15636,11 @@ function readLicenseFields2(packageJson) {
 function isObjectRecord2(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 }
-function normalizePackagePath(path2) {
-  return path2.replace(/^package\//, "");
+function normalizePackagePath(path2, packageRoot) {
+  if (packageRoot === "") {
+    return path2;
+  }
+  return path2.startsWith(`${packageRoot}/`) ? path2.slice(packageRoot.length + 1) : path2;
 }
 function readNullTerminated(buffer, start, length) {
   const slice = buffer.subarray(start, start + length);
@@ -15911,7 +15928,7 @@ function localArtifactTooLargeError(input) {
   });
 }
 async function collectRegistryTarballEvidence(input) {
-  const metadataUrl = npmRegistryPackageUrl(input.node.name);
+  const metadataUrl = npmRegistryPackageVersionUrl(input.node.name, input.node.version);
   const metadataUrlPreflight = await preflightRemoteArtifactFetchTarget({
     code: "REGISTRY_METADATA_FETCH_FAILED",
     packageId: input.node.id,
@@ -16250,6 +16267,9 @@ async function collectRemoteTarballEvidence(input) {
       }
     });
     if (!tarball.ok) {
+      if (isPackageTarballTooLargeError(tarball.error)) {
+        return ok(unavailableOversizedTarballEvidence(input.packageId));
+      }
       return err(tarball.error);
     }
     const verified = verifyPackageIntegrity({
@@ -16266,6 +16286,9 @@ async function collectRemoteTarballEvidence(input) {
       tarball: tarball.value
     });
     if (!evidence.ok) {
+      if (isPackageTarballTooLargeError(evidence.error)) {
+        return ok(unavailableOversizedTarballEvidence(input.packageId));
+      }
       return err(evidence.error);
     }
     return ok(addIntegrityWarningWhenUnverified({
@@ -16285,6 +16308,19 @@ async function collectRemoteTarballEvidence(input) {
     }));
   }
 }
+function isPackageTarballTooLargeError(error) {
+  return error.code === "TARBALL_FETCH_FAILED" && error.message === "Package tarball response exceeded the maximum supported size." || error.code === "TARBALL_PARSE_FAILED" && error.message === "Failed to decompress package tarball evidence." && typeof error.details.maxUnpackedBytes === "number";
+}
+function unavailableOversizedTarballEvidence(packageId) {
+  return {
+    packageId,
+    files: [],
+    source: "unavailable",
+    warnings: [
+      "Package tarball evidence exceeded Ohrisk's size limit and was not scanned."
+    ]
+  };
+}
 function resolveExistingLocalArtifactPath(input) {
   const allowedRoot = realpathSync(resolveLocalArtifactRoot(input.projectRoot));
   const artifactPath = realpathSync(input.artifactPath);
@@ -16967,6 +17003,9 @@ function decodeIntegrityDigest(input) {
   const normalizedDecoded = decoded.toString("base64").replace(/=+$/, "");
   return normalizedDecoded === normalizedInput ? decoded : undefined;
 }
+function npmRegistryPackageVersionUrl(name, version) {
+  return `${npmRegistryPackageUrl(name)}/${encodeURIComponent(version)}`;
+}
 function npmRegistryPackageUrl(name) {
   return `https://registry.npmjs.org/${encodeURIComponent(name).replace(/^%40/, "@")}`;
 }
@@ -16974,6 +17013,10 @@ function readRegistryTarballUrl(metadata, version) {
   if (!isRecord(metadata)) {
     return;
   }
+  const dist = metadata.dist;
+  if (isRecord(dist) && typeof dist.tarball === "string") {
+    return dist.tarball;
+  }
   const versions = metadata.versions;
   if (!isRecord(versions)) {
     return;
@@ -16982,11 +17025,11 @@ function readRegistryTarballUrl(metadata, version) {
   if (!isRecord(versionMetadata)) {
     return;
   }
-  const dist = versionMetadata.dist;
-  if (!isRecord(dist) || typeof dist.tarball !== "string") {
+  const versionDist = versionMetadata.dist;
+  if (!isRecord(versionDist) || typeof versionDist.tarball !== "string") {
     return;
   }
-  return dist.tarball;
+  return versionDist.tarball;
 }
 function isRecord(value) {
   return typeof value === "object" && value !== null && !Array.isArray(value);
@@ -17028,29 +17071,63 @@ async function defaultArtifactHostResolver(hostname) {
 }
 function secureArtifactLookup(hostname, options, callback) {
   defaultArtifactHostResolver(hostname).then((resolutions) => {
-    if (resolutions.length === 0) {
-      callback(new Error(`Artifact host ${normalizeUrlHostname(hostname)} returned no DNS addresses.`), "", 0);
+    const selection = selectSecureArtifactLookupResponse(hostname, options, resolutions);
+    if (!selection.ok) {
+      respondToSecureArtifactLookupError(callback, options, selection.error);
       return;
     }
-    const requestedFamily = options.family === 4 || options.family === 6 ? options.family : undefined;
-    const familyResolutions = requestedFamily === undefined ? resolutions : resolutions.filter((resolution) => resolution.family === requestedFamily);
-    if (familyResolutions.length === 0) {
-      callback(new Error(`Artifact host ${normalizeUrlHostname(hostname)} returned no matching DNS addresses.`), "", 0);
+    if (selection.value.all) {
+      callback(null, selection.value.resolutions);
       return;
     }
-    for (const resolution of familyResolutions) {
-      const blockedReason = blockedRemoteArtifactHostReason(resolution.address);
-      if (blockedReason) {
-        callback(new Error(`Blocked artifact host resolution for ${normalizeUrlHostname(hostname)}: ${normalizeUrlHostname(resolution.address)} (${blockedReason}).`), "", 0);
-        return;
-      }
-    }
-    const selected = familyResolutions[0];
-    callback(null, selected.address, selected.family);
+    callback(null, selection.value.address, selection.value.family);
   }).catch((cause) => {
-    callback(cause instanceof Error ? cause : new Error(String(cause)), "", 0);
+    respondToSecureArtifactLookupError(callback, options, cause instanceof Error ? cause : new Error(String(cause)));
+  });
+}
+function selectSecureArtifactLookupResponse(hostname, options, resolutions) {
+  const normalizedOptions = normalizeArtifactLookupOptions(options);
+  const normalizedHostname = normalizeUrlHostname(hostname);
+  if (resolutions.length === 0) {
+    return err(new Error(`Artifact host ${normalizedHostname} returned no DNS addresses.`));
+  }
+  const familyResolutions = normalizedOptions.family === undefined ? resolutions : resolutions.filter((resolution) => resolution.family === normalizedOptions.family);
+  if (familyResolutions.length === 0) {
+    return err(new Error(`Artifact host ${normalizedHostname} returned no matching DNS addresses.`));
+  }
+  for (const resolution of familyResolutions) {
+    const blockedReason = blockedRemoteArtifactHostReason(resolution.address);
+    if (blockedReason) {
+      return err(new Error(`Blocked artifact host resolution for ${normalizedHostname}: ${normalizeUrlHostname(resolution.address)} (${blockedReason}).`));
+    }
+  }
+  if (normalizedOptions.all) {
+    return ok({
+      all: true,
+      resolutions: familyResolutions
+    });
+  }
+  const selected = familyResolutions[0];
+  return ok({
+    all: false,
+    address: selected.address,
+    family: selected.family
   });
 }
+function normalizeArtifactLookupOptions(options) {
+  const family = typeof options === "number" ? options : options?.family;
+  return {
+    all: typeof options === "object" && options?.all === true,
+    family: family === 4 || family === 6 ? family : undefined
+  };
+}
+function respondToSecureArtifactLookupError(callback, options, error) {
+  if (normalizeArtifactLookupOptions(options).all) {
+    callback(error, []);
+    return;
+  }
+  callback(error, "", 0);
+}
 function headersForIncomingMessage(headers) {
   return {
     get: (name) => {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ohrisk",
-  "version": "0.127.0",
+  "version": "0.127.1",
   "description": "Catch open-source license risk before your PR ships.",
   "license": "MIT",
   "type": "module",
@@ -9,7 +9,7 @@
     "node": ">=20.0.0"
   },
   "bin": {
-    "ohrisk": "./dist/cli.js"
+    "ohrisk": "dist/cli.js"
   },
   "repository": {
     "type": "git",