npm - proof-of-commitment - Versions diffs - 1.2.0 → 1.4.0 - Mend

proof-of-commitment 1.2.0 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -8,18 +8,21 @@ npx proof-of-commitment axios zod chalk
 ```
 ──────────────────────────────────────────────────────────────────────────
-Package               Risk            Score    Maintainers  Downloads     Age
+Package               Risk            Score    Publishers   Downloads     Age
 ──────────────────────────────────────────────────────────────────────────
 axios                 🔴 CRITICAL      89       1            102.0M/wk     11.6y
-  └ longevity=25 momentum=25 releases=20 maintainers=4 github=15
+  ↳ 30+ GitHub contributors — publish-access concentration risk despite active community
+  └ longevity=25 momentum=25 releases=20 publishers=4 github=15
 zod                   🔴 CRITICAL      83       1            154.0M/wk     6.1y
-  └ longevity=25 momentum=25 releases=18 maintainers=4 github=11
+  ↳ 30+ GitHub contributors — publish-access concentration risk despite active community
+  └ longevity=25 momentum=25 releases=18 publishers=4 github=11
 chalk                 🔴 CRITICAL      75       1            414.6M/wk     12.7y
-  └ longevity=25 momentum=22 releases=13 maintainers=4 github=11
+  ↳ 30+ GitHub contributors — publish-access concentration risk despite active community
+  └ longevity=25 momentum=22 releases=13 publishers=4 github=11
 ──────────────────────────────────────────────────────────────────────────
 ⚠  3 CRITICAL packages found.
-   CRITICAL = sole maintainer + >10M weekly downloads (high-value attack target)
+   CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)
    Full breakdown: https://getcommit.dev/audit?packages=axios,zod,chalk
 ```
@@ -27,16 +30,16 @@ chalk                 🔴 CRITICAL      75       1            414.6M/wk     12.
 `npm audit` finds *known* CVEs — vulnerabilities already catalogued in a database. This scores *structural risk before it becomes a CVE*.
-The axios attack on April 1st, 2026: `npm audit` showed zero issues beforehand. Proof of Commitment flagged axios as CRITICAL (1 maintainer, 96M downloads/week) — the exact profile that made it a high-value target.
+The axios attack on April 1st, 2026: `npm audit` showed zero issues beforehand. Proof of Commitment flagged axios as CRITICAL (1 npm publisher, 96M downloads/week) — the exact publish-access concentration profile that made it a high-value target.
 **Score dimensions:**
 - **Longevity** (25 pts) — years in production
 - **Download Momentum** (25 pts) — weekly download trend
 - **Release Consistency** (20 pts) — days since last release
-- **Maintainer Depth** (15 pts) — team size
+- **Publisher Depth** (15 pts) — npm publish-access holders
 - **GitHub Backing** (15 pts) — organization/team support
-**CRITICAL** = sole maintainer + >10M weekly downloads (high-value attack target)
+**CRITICAL** = sole npm publisher + >10M weekly downloads (publish-access concentration risk)
 ## Usage

package/index.js CHANGED Viewed

@@ -65,7 +65,7 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     padEnd(clr(c.bold, 'Package'), COL.name),
     padEnd(clr(c.bold, 'Risk'), COL.risk),
     padEnd(clr(c.bold, 'Score'), COL.score),
-    padEnd(clr(c.bold, 'Maintainers'), COL.maintainers),
+    padEnd(clr(c.bold, 'Publishers'), COL.maintainers),
     padEnd(clr(c.bold, 'Downloads'), COL.downloads),
     padEnd(clr(c.bold, 'Age'), COL.age),
   ].join('  ');
@@ -98,12 +98,18 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
     console.log(row);
+    // Show GitHub contributor context for CRITICAL packages with active communities
+    if (pkg.riskFlags && pkg.riskFlags.includes('CRITICAL') && pkg.githubContributors && pkg.githubContributors > 1) {
+      const ghCount = pkg.githubContributors === 35 ? '30+' : pkg.githubContributors;
+      console.log(clr(c.dim, `  ↳ ${ghCount} GitHub contributors — publish-access concentration risk despite active community`));
+    }
     // Score breakdown if available
     if (pkg.scoreBreakdown) {
       const b = pkg.scoreBreakdown;
       const breakdown = clr(c.dim,
         `  └ longevity=${b.longevity} momentum=${b.downloadMomentum} ` +
-        `releases=${b.releaseConsistency} maintainers=${b.maintainerDepth} github=${b.githubBacking}`
+        `releases=${b.releaseConsistency} publishers=${b.maintainerDepth} github=${b.githubBacking}`
       );
       console.log(breakdown);
     }
@@ -115,7 +121,7 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
   if (effectiveCritical > 0) {
     const suffix = totalScanned ? ` (in ${totalScanned} packages scanned)` : '';
     console.log('\n' + clr(c.red + c.bold, `⚠  ${effectiveCritical} CRITICAL package${effectiveCritical > 1 ? 's' : ''} found${suffix}.`));
-    console.log(clr(c.dim, '   CRITICAL = sole maintainer + >10M weekly downloads (high-value attack target)'));
+    console.log(clr(c.dim, '   CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)'));
   } else {
     const suffix = totalScanned ? ` (${totalScanned} packages scanned)` : '';
     console.log('\n' + clr(c.green, `✓  No CRITICAL packages found${suffix}.`));
@@ -140,20 +146,26 @@ ${clr(c.bold, 'Usage:')}
   npx proof-of-commitment --file pnpm-lock.yaml Audit from pnpm lock file
   npx proof-of-commitment --file requirements.txt  Audit Python packages
+${clr(c.bold, 'Options:')}
+  --json        Output results as JSON (exits 1 if any CRITICAL found — useful in CI)
+  --pypi        Score PyPI packages instead of npm
+  --file, -f    Read packages from package.json, lock file, or requirements.txt
 ${clr(c.bold, 'Examples:')}
   npx proof-of-commitment axios zod chalk
   npx proof-of-commitment --pypi litellm langchain requests
   npx proof-of-commitment --file package.json
   npx proof-of-commitment --file package-lock.json   # scans ALL transitive deps
+  npx proof-of-commitment axios chalk --json | jq '.criticalCount'
 ${clr(c.bold, 'Score meaning:')}
-  🔴 CRITICAL  Sole maintainer + >10M downloads/wk (high-value attack target)
+  🔴 CRITICAL  Sole npm publisher + >10M downloads/wk (publish-access concentration risk)
   🟠 HIGH      Score < 40
   🟡 MODERATE  Score 40–59
   🟡 GOOD      Score 60–74
   🟢 HEALTHY   Score 75+
-${clr(c.bold, 'Score dimensions:')} longevity · download momentum · release consistency · maintainer depth · GitHub backing
+${clr(c.bold, 'Score dimensions:')} longevity · download momentum · release consistency · publisher depth · GitHub backing
 ${clr(c.bold, 'Web:')}  ${WEB}
 ${clr(c.bold, 'MCP:')}  ${clr(c.dim, 'Add to Claude Desktop / Cursor for AI-assisted auditing')}
@@ -321,12 +333,14 @@ async function main() {
   let filePath = null;
   let isLockfile = false;
   let totalInFile = 0;
+  let jsonOutput = false;
   let i = 0;
   while (i < args.length) {
     const a = args[i];
     if (a === '--pypi') { ecosystem = 'pypi'; i++; }
     else if (a === '--npm') { ecosystem = 'npm'; i++; }
+    else if (a === '--json') { jsonOutput = true; i++; }
     else if (a === '--file' || a === '-f') {
       filePath = args[++i];
       i++;
@@ -345,7 +359,7 @@ async function main() {
       ecosystem = result.ecosystem;
       isLockfile = result.lockfile || false;
       totalInFile = result.totalInFile || packages.length;
-      console.log(clr(c.dim, `Detected ${totalInFile} packages from ${filePath} (${ecosystem})`));
+      if (!jsonOutput) console.log(clr(c.dim, `Detected ${totalInFile} packages from ${filePath} (${ecosystem})`));
     } catch (err) {
       console.error(`Error reading ${filePath}: ${err.message}`);
       process.exit(1);
@@ -363,7 +377,7 @@ async function main() {
   if (packages.length <= 20) {
     // Single batch — existing behavior
-    process.stdout.write(clr(c.dim, `Scoring ${packages.length} ${ecosystem} package${packages.length > 1 ? 's' : ''}...`));
+    if (!jsonOutput) process.stdout.write(clr(c.dim, `Scoring ${packages.length} ${ecosystem} package${packages.length > 1 ? 's' : ''}...`));
     try {
       const res = await fetch(API, {
@@ -383,12 +397,12 @@ async function main() {
     }
     const elapsed = ((Date.now() - t0) / 1000).toFixed(1);
-    process.stdout.write(clr(c.dim, ` done in ${elapsed}s\n`));
+    if (!jsonOutput) process.stdout.write(clr(c.dim, ` done in ${elapsed}s\n`));
   } else {
     // Multi-batch for lock files
     const batches = Math.ceil(packages.length / 20);
-    process.stdout.write(clr(c.dim, `Scanning ${packages.length} packages (${batches} batches in parallel)...`));
+    if (!jsonOutput) process.stdout.write(clr(c.dim, `Scanning ${packages.length} packages (${batches} batches in parallel)...`));
     let lastPct = 0;
     try {
@@ -407,24 +421,46 @@ async function main() {
     }
     const elapsed = ((Date.now() - t0) / 1000).toFixed(1);
-    process.stdout.write(clr(c.dim, ` done in ${elapsed}s\n`));
+    if (!jsonOutput) process.stdout.write(clr(c.dim, ` done in ${elapsed}s\n`));
+    // JSON output: emit all results with summary
+    if (jsonOutput) {
+      const criticalCount = allResults.filter(r => r.riskFlags?.includes('CRITICAL')).length;
+      console.log(JSON.stringify({
+        totalScanned: allResults.length,
+        criticalCount,
+        results: allResults,
+      }, null, 2));
+      process.exit(criticalCount > 0 ? 1 : 0);
+    }
     // For lock files: show top 25 highest-risk packages
     const MAX_DISPLAY = 25;
     const displayed = allResults.slice(0, MAX_DISPLAY);
-    const criticalCount = allResults.filter(r => r.riskFlags?.includes('CRITICAL')).length;
-    const highRiskCount = allResults.filter(r => !r.riskFlags?.includes('CRITICAL') && r.score < 40).length;
     const criticalTotal = allResults.filter(r => r.riskFlags?.includes('CRITICAL')).length;
     printTable(displayed, { totalScanned: allResults.length, totalCritical: criticalTotal, lockfile: true });
     return;
   }
   if (!allResults || allResults.length === 0) {
-    console.log('No results returned. Check package names and try again.');
+    if (jsonOutput) {
+      console.log(JSON.stringify({ totalScanned: 0, criticalCount: 0, results: [] }, null, 2));
+    } else {
+      console.log('No results returned. Check package names and try again.');
+    }
     process.exit(0);
   }
+  if (jsonOutput) {
+    const criticalCount = allResults.filter(r => r.riskFlags?.includes('CRITICAL')).length;
+    console.log(JSON.stringify({
+      totalScanned: allResults.length,
+      criticalCount,
+      results: allResults,
+    }, null, 2));
+    process.exit(criticalCount > 0 ? 1 : 0);
+  }
   printTable(allResults);
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "proof-of-commitment",
-  "version": "1.2.0",
+  "version": "1.4.0",
   "description": "Supply chain risk scorer for npm and PyPI packages — behavioral signals that can't be faked",
   "type": "module",
   "bin": {
@@ -22,7 +22,8 @@
     "risk",
     "behavioral",
     "commitment",
-    "maintainer"
+    "maintainer",
+    "publisher"
   ],
   "author": "piiiico",
   "license": "MIT",