proof-of-commitment 1.34.0 → 1.36.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +20 -2
- package/package.json +1 -1
package/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
2
|
/**
|
|
3
|
-
* proof-of-commitment CLI v1.
|
|
3
|
+
* proof-of-commitment CLI v1.36.0
|
|
4
4
|
* Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
|
|
5
5
|
* Usage: npx proof-of-commitment [packages...] [options]
|
|
6
6
|
*/
|
|
@@ -491,6 +491,7 @@ function formatSarif(results, { filePath, ecosystem, version } = {}) {
|
|
|
491
491
|
weeklyDownloads: pkg.weeklyDownloads,
|
|
492
492
|
ageYears: pkg.ageYears,
|
|
493
493
|
hasProvenance: pkg.hasProvenance || false,
|
|
494
|
+
hasStagedPublishing: pkg.hasStagedPublishing ?? null,
|
|
494
495
|
riskFlags: pkg.riskFlags || [],
|
|
495
496
|
},
|
|
496
497
|
});
|
|
@@ -621,6 +622,15 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
|
|
|
621
622
|
console.log(clr(c.dim, ` ↳ ${ghCount} GitHub contributors — publish-access concentration risk despite active community`));
|
|
622
623
|
}
|
|
623
624
|
|
|
625
|
+
// Show Staged Publishing status for CRITICAL npm packages
|
|
626
|
+
if (hasCritical(pkg.riskFlags) && (pkg.ecosystem || 'npm') === 'npm') {
|
|
627
|
+
if (pkg.hasStagedPublishing) {
|
|
628
|
+
console.log(clr(c.green, ` 🛡️ Staged Publishing — compromised token can't push to latest`));
|
|
629
|
+
} else if (pkg.hasStagedPublishing === false) {
|
|
630
|
+
console.log(clr(c.dim, ` ↳ No Staged Publishing — npm stage publish would add a 2FA gate`));
|
|
631
|
+
}
|
|
632
|
+
}
|
|
633
|
+
|
|
624
634
|
// Recently compromised warning
|
|
625
635
|
if (pkg.compromised) {
|
|
626
636
|
const atk = pkg.compromised;
|
|
@@ -642,6 +652,12 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
|
|
|
642
652
|
);
|
|
643
653
|
console.log(breakdown);
|
|
644
654
|
}
|
|
655
|
+
|
|
656
|
+
// Show WARN-level risk flags inline (dormant publishers, stale releases, etc.)
|
|
657
|
+
const warnFlags = (pkg.riskFlags || []).filter(f => f.startsWith('WARN:'));
|
|
658
|
+
for (const flag of warnFlags) {
|
|
659
|
+
console.log(clr(c.yellow, ` ⚠ ${flag}`));
|
|
660
|
+
}
|
|
645
661
|
}
|
|
646
662
|
|
|
647
663
|
console.log(divider);
|
|
@@ -1011,7 +1027,7 @@ async function inlineSignup(results, opts = {}) {
|
|
|
1011
1027
|
|
|
1012
1028
|
function printHelp() {
|
|
1013
1029
|
console.log(`
|
|
1014
|
-
${clr(c.bold, 'proof-of-commitment')} v1.
|
|
1030
|
+
${clr(c.bold, 'proof-of-commitment')} v1.36.0 — supply chain risk scorer
|
|
1015
1031
|
|
|
1016
1032
|
${clr(c.bold, 'Usage:')}
|
|
1017
1033
|
npx proof-of-commitment Auto-detect manifest in current dir
|
|
@@ -3037,10 +3053,12 @@ async function main() {
|
|
|
3037
3053
|
if (jsonOutput) {
|
|
3038
3054
|
const criticalCount = allResults.filter(r => hasCritical(r.riskFlags)).length;
|
|
3039
3055
|
const provenanceCount = allResults.filter(r => r.hasProvenance).length;
|
|
3056
|
+
const stagedPublishingCount = allResults.filter(r => r.hasStagedPublishing === true).length;
|
|
3040
3057
|
console.log(JSON.stringify({
|
|
3041
3058
|
totalScanned: allResults.length,
|
|
3042
3059
|
criticalCount,
|
|
3043
3060
|
provenanceCount,
|
|
3061
|
+
stagedPublishingCount,
|
|
3044
3062
|
failOn,
|
|
3045
3063
|
rateLimited: !!batchRescue,
|
|
3046
3064
|
results: allResults,
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "proof-of-commitment",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.36.0",
|
|
4
4
|
"mcpName": "io.github.piiiico/proof-of-commitment",
|
|
5
5
|
"description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
|
|
6
6
|
"type": "module",
|