proof-of-commitment 1.32.0 → 1.33.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +52 -5
- package/package.json +1 -1
package/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
2
|
/**
|
|
3
|
-
* proof-of-commitment CLI v1.
|
|
3
|
+
* proof-of-commitment CLI v1.33.0
|
|
4
4
|
* Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
|
|
5
5
|
* Usage: npx proof-of-commitment [packages...] [options]
|
|
6
6
|
*/
|
|
@@ -313,6 +313,40 @@ function hasCritical(flags) {
|
|
|
313
313
|
return flags && flags.some(f => typeof f === 'string' && f.startsWith('CRITICAL'));
|
|
314
314
|
}
|
|
315
315
|
|
|
316
|
+
/**
|
|
317
|
+
* Footer-calibration helper — diagnoses when the CRITICAL count is so dense
|
|
318
|
+
* that the label has lost actionable meaning, and produces a reframe.
|
|
319
|
+
*
|
|
320
|
+
* Why this exists. Lockfile audits on real Node projects routinely report
|
|
321
|
+
* 40–60% of scanned packages as CRITICAL — the threshold (sole publisher +
|
|
322
|
+
* >10M weekly downloads) is structurally widespread in npm. When the footer
|
|
323
|
+
* says "157 CRITICAL packages found" without context, a new user reads it as
|
|
324
|
+
* either alarmist noise (close the tab) or as an unbounded ask (157 things
|
|
325
|
+
* to investigate — uninstall the tool). Both kill activation.
|
|
326
|
+
*
|
|
327
|
+
* The dogfood signal: 2026-06-16 commit-landing-v2 lockfile, authenticated,
|
|
328
|
+
* 326 scanned, 157 CRITICAL (48%). Reflection: "label loses meaning when
|
|
329
|
+
* half the tree is red." Calibration reframes 157-of-326 as "typical npm
|
|
330
|
+
* baseline; act on the top 3-5 by impact" — preserves the data and gives
|
|
331
|
+
* the user a concrete next step. Threshold 20% chosen because that's the
|
|
332
|
+
* point at which per-package action stops being feasible.
|
|
333
|
+
*
|
|
334
|
+
* Returns null when calibration shouldn't fire (low ratio, no scan total,
|
|
335
|
+
* trivially small scan). Returns a `{ ratio, percent, baseline }` object
|
|
336
|
+
* otherwise — caller decides how to render it.
|
|
337
|
+
*/
|
|
338
|
+
function summarizeCriticalConcentration(criticalCount, totalScanned) {
|
|
339
|
+
if (!totalScanned || totalScanned < 10) return null;
|
|
340
|
+
if (!criticalCount || criticalCount <= 0) return null;
|
|
341
|
+
const ratio = criticalCount / totalScanned;
|
|
342
|
+
if (ratio < 0.20) return null;
|
|
343
|
+
return {
|
|
344
|
+
ratio,
|
|
345
|
+
percent: Math.round(ratio * 100),
|
|
346
|
+
baseline: true,
|
|
347
|
+
};
|
|
348
|
+
}
|
|
349
|
+
|
|
316
350
|
function riskColor(flags, score) {
|
|
317
351
|
if (hasCritical(flags)) return c.red + c.bold;
|
|
318
352
|
if (score < 40) return c.yellow + c.bold;
|
|
@@ -592,9 +626,22 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
|
|
|
592
626
|
|
|
593
627
|
const effectiveCritical = totalCritical !== undefined ? totalCritical : criticalInDisplay;
|
|
594
628
|
if (effectiveCritical > 0) {
|
|
595
|
-
const
|
|
596
|
-
|
|
597
|
-
|
|
629
|
+
const conc = summarizeCriticalConcentration(effectiveCritical, totalScanned);
|
|
630
|
+
if (conc) {
|
|
631
|
+
// High-density reframe: at ≥20% CRITICAL the per-package alarm framing
|
|
632
|
+
// loses meaning (the user can't audit a third of their tree). Recast as
|
|
633
|
+
// ecosystem baseline + actionable shortlist. Pinned by
|
|
634
|
+
// test/cli-critical-concentration.test.ts.
|
|
635
|
+
console.log('\n' + clr(c.red + c.bold, `⚠ ${effectiveCritical} CRITICAL packages (${conc.percent}% of ${totalScanned} scanned).`));
|
|
636
|
+
console.log(clr(c.dim, ' CRITICAL = sole npm publisher + >10M weekly downloads.'));
|
|
637
|
+
console.log(clr(c.dim, ' At this density you\'re seeing npm\'s baseline — most popular packages have'));
|
|
638
|
+
console.log(clr(c.dim, ' one publisher. Watch the top 3-5 above (highest impact); pin your lockfile'));
|
|
639
|
+
console.log(clr(c.dim, ' and audit deltas for the rest — concentration you can\'t avoid per-dep.'));
|
|
640
|
+
} else {
|
|
641
|
+
const suffix = totalScanned ? ` (in ${totalScanned} packages scanned)` : '';
|
|
642
|
+
console.log('\n' + clr(c.red + c.bold, `⚠ ${effectiveCritical} CRITICAL package${effectiveCritical > 1 ? 's' : ''} found${suffix}.`));
|
|
643
|
+
console.log(clr(c.dim, ' CRITICAL = sole npm publisher + >10M weekly downloads (publish-access concentration risk)'));
|
|
644
|
+
}
|
|
598
645
|
if (provenanceCount > 0 && provenanceCount < results.length) {
|
|
599
646
|
console.log(clr(c.cyan, ` 🔐 ${provenanceCount}/${results.length} use Trusted Publishing (OIDC provenance) — partial mitigation`));
|
|
600
647
|
}
|
|
@@ -942,7 +989,7 @@ async function inlineSignup(results, opts = {}) {
|
|
|
942
989
|
|
|
943
990
|
function printHelp() {
|
|
944
991
|
console.log(`
|
|
945
|
-
${clr(c.bold, 'proof-of-commitment')} v1.
|
|
992
|
+
${clr(c.bold, 'proof-of-commitment')} v1.33.0 — supply chain risk scorer
|
|
946
993
|
|
|
947
994
|
${clr(c.bold, 'Usage:')}
|
|
948
995
|
npx proof-of-commitment Auto-detect manifest in current dir
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "proof-of-commitment",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.33.0",
|
|
4
4
|
"mcpName": "io.github.piiiico/proof-of-commitment",
|
|
5
5
|
"description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
|
|
6
6
|
"type": "module",
|