proof-of-commitment 1.22.0 → 1.22.1
- package/index.js +14 -1
- package/package.json +1 -1
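--- a/package/index.js
+++ b/package/index.js
@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 /**
-* proof-of-commitment CLI v1.
+* proof-of-commitment CLI v1.22.1
 * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
 * Usage: npx proof-of-commitment [packages...] [options]
 */
@@ -272,9 +272,11 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 
 let criticalInDisplay = 0;
 let provenanceCount = 0;
+let compromisedCount = 0;
 
 for (const pkg of results) {
 const rc = riskColor(pkg.riskFlags, pkg.score);
+if (pkg.compromised) compromisedCount++;
 const label = riskLabel(pkg.riskFlags, pkg.score);
 if (hasCritical(pkg.riskFlags)) criticalInDisplay++;
 if (pkg.hasProvenance) provenanceCount++;
@@ -310,6 +312,12 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 console.log(clr(c.dim, ` ↳ ${ghCount} GitHub contributors — publish-access concentration risk despite active community`));
 }
 
+// Recently compromised warning
+if (pkg.compromised) {
+const atk = pkg.compromised;
+console.log(clr(c.red, ` ⚠ COMPROMISED — ${atk.attack} (${atk.date}) — ${atk.url}`));
+}
+
 // Score breakdown if available
 if (pkg.scoreBreakdown) {
 const b = pkg.scoreBreakdown;
@@ -342,6 +350,11 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
 console.log('\n' + clr(c.green, `✓ No CRITICAL packages found${suffix}.`));
 }
 
+if (compromisedCount > 0) {
+console.log(clr(c.red + c.bold, `\n⚠ ${compromisedCount} package${compromisedCount > 1 ? 's' : ''} recently compromised in supply chain attacks.`));
+console.log(clr(c.dim, ' Verify you are on clean versions. See URLs above for incident details.'));
+}
+
 // Footer with web link + CI integration CTA
 const topPkgs = results.slice(0, 10).map(r => r.name).join(',');
 const utm = 'utm_source=cli&utm_medium=audit';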
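--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "proof-of-commitment",
-"version": "1.22.
+"version": "1.22.1",
 "mcpName": "io.github.piiiico/proof-of-commitment",
 "description": "Supply chain risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
 "type": "module",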