proof-of-commitment 1.35.0 → 1.36.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +14 -2
- package/package.json +1 -1
package/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
#!/usr/bin/env node
|
|
2
2
|
/**
|
|
3
|
-
* proof-of-commitment CLI v1.
|
|
3
|
+
* proof-of-commitment CLI v1.36.0
|
|
4
4
|
* Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
|
|
5
5
|
* Usage: npx proof-of-commitment [packages...] [options]
|
|
6
6
|
*/
|
|
@@ -491,6 +491,7 @@ function formatSarif(results, { filePath, ecosystem, version } = {}) {
|
|
|
491
491
|
weeklyDownloads: pkg.weeklyDownloads,
|
|
492
492
|
ageYears: pkg.ageYears,
|
|
493
493
|
hasProvenance: pkg.hasProvenance || false,
|
|
494
|
+
hasStagedPublishing: pkg.hasStagedPublishing ?? null,
|
|
494
495
|
riskFlags: pkg.riskFlags || [],
|
|
495
496
|
},
|
|
496
497
|
});
|
|
@@ -621,6 +622,15 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
|
|
|
621
622
|
console.log(clr(c.dim, ` ↳ ${ghCount} GitHub contributors — publish-access concentration risk despite active community`));
|
|
622
623
|
}
|
|
623
624
|
|
|
625
|
+
// Show Staged Publishing status for CRITICAL npm packages
|
|
626
|
+
if (hasCritical(pkg.riskFlags) && (pkg.ecosystem || 'npm') === 'npm') {
|
|
627
|
+
if (pkg.hasStagedPublishing) {
|
|
628
|
+
console.log(clr(c.green, ` 🛡️ Staged Publishing — compromised token can't push to latest`));
|
|
629
|
+
} else if (pkg.hasStagedPublishing === false) {
|
|
630
|
+
console.log(clr(c.dim, ` ↳ No Staged Publishing — npm stage publish would add a 2FA gate`));
|
|
631
|
+
}
|
|
632
|
+
}
|
|
633
|
+
|
|
624
634
|
// Recently compromised warning
|
|
625
635
|
if (pkg.compromised) {
|
|
626
636
|
const atk = pkg.compromised;
|
|
@@ -1017,7 +1027,7 @@ async function inlineSignup(results, opts = {}) {
|
|
|
1017
1027
|
|
|
1018
1028
|
function printHelp() {
|
|
1019
1029
|
console.log(`
|
|
1020
|
-
${clr(c.bold, 'proof-of-commitment')} v1.
|
|
1030
|
+
${clr(c.bold, 'proof-of-commitment')} v1.36.0 — supply chain risk scorer
|
|
1021
1031
|
|
|
1022
1032
|
${clr(c.bold, 'Usage:')}
|
|
1023
1033
|
npx proof-of-commitment Auto-detect manifest in current dir
|
|
@@ -3043,10 +3053,12 @@ async function main() {
|
|
|
3043
3053
|
if (jsonOutput) {
|
|
3044
3054
|
const criticalCount = allResults.filter(r => hasCritical(r.riskFlags)).length;
|
|
3045
3055
|
const provenanceCount = allResults.filter(r => r.hasProvenance).length;
|
|
3056
|
+
const stagedPublishingCount = allResults.filter(r => r.hasStagedPublishing === true).length;
|
|
3046
3057
|
console.log(JSON.stringify({
|
|
3047
3058
|
totalScanned: allResults.length,
|
|
3048
3059
|
criticalCount,
|
|
3049
3060
|
provenanceCount,
|
|
3061
|
+
stagedPublishingCount,
|
|
3050
3062
|
failOn,
|
|
3051
3063
|
rateLimited: !!batchRescue,
|
|
3052
3064
|
results: allResults,
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "proof-of-commitment",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.36.0",
|
|
4
4
|
"mcpName": "io.github.piiiico/proof-of-commitment",
|
|
5
5
|
"description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
|
|
6
6
|
"type": "module",
|