proof-of-commitment 1.34.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/index.js +20 -2
  2. package/package.json +1 -1
package/index.js CHANGED
@@ -1,6 +1,6 @@
1
1
  #!/usr/bin/env node
2
2
  /**
3
- * proof-of-commitment CLI v1.34.0
3
+ * proof-of-commitment CLI v1.36.0
4
4
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
5
5
  * Usage: npx proof-of-commitment [packages...] [options]
6
6
  */
@@ -491,6 +491,7 @@ function formatSarif(results, { filePath, ecosystem, version } = {}) {
491
491
  weeklyDownloads: pkg.weeklyDownloads,
492
492
  ageYears: pkg.ageYears,
493
493
  hasProvenance: pkg.hasProvenance || false,
494
+ hasStagedPublishing: pkg.hasStagedPublishing ?? null,
494
495
  riskFlags: pkg.riskFlags || [],
495
496
  },
496
497
  });
@@ -621,6 +622,15 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
621
622
  console.log(clr(c.dim, ` ↳ ${ghCount} GitHub contributors — publish-access concentration risk despite active community`));
622
623
  }
623
624
 
625
+ // Show Staged Publishing status for CRITICAL npm packages
626
+ if (hasCritical(pkg.riskFlags) && (pkg.ecosystem || 'npm') === 'npm') {
627
+ if (pkg.hasStagedPublishing) {
628
+ console.log(clr(c.green, ` 🛡️ Staged Publishing — compromised token can't push to latest`));
629
+ } else if (pkg.hasStagedPublishing === false) {
630
+ console.log(clr(c.dim, ` ↳ No Staged Publishing — npm stage publish would add a 2FA gate`));
631
+ }
632
+ }
633
+
624
634
  // Recently compromised warning
625
635
  if (pkg.compromised) {
626
636
  const atk = pkg.compromised;
@@ -642,6 +652,12 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
642
652
  );
643
653
  console.log(breakdown);
644
654
  }
655
+
656
+ // Show WARN-level risk flags inline (dormant publishers, stale releases, etc.)
657
+ const warnFlags = (pkg.riskFlags || []).filter(f => f.startsWith('WARN:'));
658
+ for (const flag of warnFlags) {
659
+ console.log(clr(c.yellow, ` ⚠ ${flag}`));
660
+ }
645
661
  }
646
662
 
647
663
  console.log(divider);
@@ -1011,7 +1027,7 @@ async function inlineSignup(results, opts = {}) {
1011
1027
 
1012
1028
  function printHelp() {
1013
1029
  console.log(`
1014
- ${clr(c.bold, 'proof-of-commitment')} v1.34.0 — supply chain risk scorer
1030
+ ${clr(c.bold, 'proof-of-commitment')} v1.36.0 — supply chain risk scorer
1015
1031
 
1016
1032
  ${clr(c.bold, 'Usage:')}
1017
1033
  npx proof-of-commitment Auto-detect manifest in current dir
@@ -3037,10 +3053,12 @@ async function main() {
3037
3053
  if (jsonOutput) {
3038
3054
  const criticalCount = allResults.filter(r => hasCritical(r.riskFlags)).length;
3039
3055
  const provenanceCount = allResults.filter(r => r.hasProvenance).length;
3056
+ const stagedPublishingCount = allResults.filter(r => r.hasStagedPublishing === true).length;
3040
3057
  console.log(JSON.stringify({
3041
3058
  totalScanned: allResults.length,
3042
3059
  criticalCount,
3043
3060
  provenanceCount,
3061
+ stagedPublishingCount,
3044
3062
  failOn,
3045
3063
  rateLimited: !!batchRescue,
3046
3064
  results: allResults,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "proof-of-commitment",
3
- "version": "1.34.0",
3
+ "version": "1.36.0",
4
4
  "mcpName": "io.github.piiiico/proof-of-commitment",
5
5
  "description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
6
6
  "type": "module",