proof-of-commitment 1.29.0 → 1.29.1
- package/index.js +22 -2
- package/package.json +1 -1
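--- a/package/index.js
+++ b/package/index.js
@@ -845,10 +845,11 @@ async function inlineSignup(results, opts = {}) {
 
 function printHelp() {
 console.log(`
-${clr(c.bold, 'proof-of-commitment')} v1.29.
+${clr(c.bold, 'proof-of-commitment')} v1.29.1 — supply chain risk scorer
 
 ${clr(c.bold, 'Usage:')}
 npx proof-of-commitment Auto-detect manifest in current dir
+npx proof-of-commitment audit Same — verb-first alias (also: scan, check)
 npx proof-of-commitment [packages...] Score npm packages
 npx proof-of-commitment --pypi [pkgs...] Score PyPI packages
 npx proof-of-commitment --cargo [crates...] Score Rust crates
@@ -2465,7 +2466,26 @@ async function main() {
 }
 
 // Subcommands
-
+let subcmd = args[0];
+
+// Transparent aliases: every other package manager (`npm audit`, `yarn audit`,
+// `pnpm audit`, `cargo audit`, `pip-audit`) puts the verb first. Users —
+// including readers of our own blog post at npm-trust-q2-2026 line 559 — type
+// `npx proof-of-commitment audit` and expect it to scan cwd's manifest.
+//
+// Without this branch the CLI parses `audit` as a POSITIONAL PACKAGE NAME,
+// which is a 13.9y-old npmjs.com/package/audit utility — silently scoring
+// the wrong package while burning the caller's daily quota. Caught during
+// 2026-06-11 buyer-journey dogfood (full transcript in reflection).
+//
+// We shift the verb off and fall through to the main parser so all flags
+// (--file, --pypi, --cargo, --golang, --json, --sarif, --fail-on) continue
+// to work positionally: `proof-of-commitment audit lodash --json` still
+// means "scan lodash, JSON output".
+if (subcmd === 'audit' || subcmd === 'scan' || subcmd === 'check') {
+args.shift();
+subcmd = args[0];
+}
 
 if (subcmd === 'init') {
 await cmdInit();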
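--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "proof-of-commitment",
-"version": "1.29.
+"version": "1.29.1",
 "mcpName": "io.github.piiiico/proof-of-commitment",
 "description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
 "type": "module",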