proof-of-commitment 1.35.0 → 1.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/index.js +14 -2
  2. package/package.json +1 -1
package/index.js CHANGED
@@ -1,6 +1,6 @@
1
1
  #!/usr/bin/env node
2
2
  /**
3
- * proof-of-commitment CLI v1.34.0
3
+ * proof-of-commitment CLI v1.36.0
4
4
  * Scores npm/PyPI/Cargo/Go packages on behavioral commitment signals.
5
5
  * Usage: npx proof-of-commitment [packages...] [options]
6
6
  */
@@ -491,6 +491,7 @@ function formatSarif(results, { filePath, ecosystem, version } = {}) {
491
491
  weeklyDownloads: pkg.weeklyDownloads,
492
492
  ageYears: pkg.ageYears,
493
493
  hasProvenance: pkg.hasProvenance || false,
494
+ hasStagedPublishing: pkg.hasStagedPublishing ?? null,
494
495
  riskFlags: pkg.riskFlags || [],
495
496
  },
496
497
  });
@@ -621,6 +622,15 @@ function printTable(results, { totalScanned, totalCritical, lockfile } = {}) {
621
622
  console.log(clr(c.dim, ` ↳ ${ghCount} GitHub contributors — publish-access concentration risk despite active community`));
622
623
  }
623
624
 
625
+ // Show Staged Publishing status for CRITICAL npm packages
626
+ if (hasCritical(pkg.riskFlags) && (pkg.ecosystem || 'npm') === 'npm') {
627
+ if (pkg.hasStagedPublishing) {
628
+ console.log(clr(c.green, ` 🛡️ Staged Publishing — compromised token can't push to latest`));
629
+ } else if (pkg.hasStagedPublishing === false) {
630
+ console.log(clr(c.dim, ` ↳ No Staged Publishing — npm stage publish would add a 2FA gate`));
631
+ }
632
+ }
633
+
624
634
  // Recently compromised warning
625
635
  if (pkg.compromised) {
626
636
  const atk = pkg.compromised;
@@ -1017,7 +1027,7 @@ async function inlineSignup(results, opts = {}) {
1017
1027
 
1018
1028
  function printHelp() {
1019
1029
  console.log(`
1020
- ${clr(c.bold, 'proof-of-commitment')} v1.34.0 — supply chain risk scorer
1030
+ ${clr(c.bold, 'proof-of-commitment')} v1.36.0 — supply chain risk scorer
1021
1031
 
1022
1032
  ${clr(c.bold, 'Usage:')}
1023
1033
  npx proof-of-commitment Auto-detect manifest in current dir
@@ -3043,10 +3053,12 @@ async function main() {
3043
3053
  if (jsonOutput) {
3044
3054
  const criticalCount = allResults.filter(r => hasCritical(r.riskFlags)).length;
3045
3055
  const provenanceCount = allResults.filter(r => r.hasProvenance).length;
3056
+ const stagedPublishingCount = allResults.filter(r => r.hasStagedPublishing === true).length;
3046
3057
  console.log(JSON.stringify({
3047
3058
  totalScanned: allResults.length,
3048
3059
  criticalCount,
3049
3060
  provenanceCount,
3061
+ stagedPublishingCount,
3050
3062
  failOn,
3051
3063
  rateLimited: !!batchRescue,
3052
3064
  results: allResults,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "proof-of-commitment",
3
- "version": "1.35.0",
3
+ "version": "1.36.0",
4
4
  "mcpName": "io.github.piiiico/proof-of-commitment",
5
5
  "description": "Supply chain security risk scorer for npm, PyPI, Cargo, and Go packages — behavioral signals that can't be faked",
6
6
  "type": "module",