react-doctor 0.2.4 → 0.2.5

package/dist/index.js

@@ -7,11 +7,11 @@ import path from "node:path";
 import { spawn, spawnSync } from "node:child_process";
 import reactDoctorPlugin, { ALL_REACT_DOCTOR_RULE_KEYS, FRAMEWORK_SPECIFIC_RULE_KEYS, MOTION_LIBRARY_PACKAGES, REACT_COMPILER_RULES, REACT_DOCTOR_RULES } from "oxlint-plugin-react-doctor";
 import * as Cause from "effect/Cause";
-import * as NodeHttpClient from "@effect/platform-node/NodeHttpClient";
 import * as Config$1 from "effect/Config";
 import * as Effect from "effect/Effect";
 import * as Layer from "effect/Layer";
 import * as Redacted from "effect/Redacted";
+import * as FetchHttpClient from "effect/unstable/http/FetchHttpClient";
 import * as Otlp from "effect/unstable/observability/Otlp";
 import * as Context from "effect/Context";
 import * as Filter from "effect/Filter";
@@ -20,7 +20,9 @@ import * as Ref from "effect/Ref";
 import * as Stream from "effect/Stream";
 import * as Cache from "effect/Cache";
 import * as Console from "effect/Console";
-import * as NodeServices from "@effect/platform-node/NodeServices";
+import * as NodeChildProcessSpawner from "@effect/platform-node-shared/NodeChildProcessSpawner";
+import * as NodeFileSystem from "@effect/platform-node-shared/NodeFileSystem";
+import * as NodePath from "@effect/platform-node-shared/NodePath";
 import * as ChildProcess from "effect/unstable/process/ChildProcess";
 import { ChildProcessSpawner } from "effect/unstable/process/ChildProcessSpawner";
 import os from "node:os";
@@ -3005,6 +3007,7 @@ const STAGED_FILES_PROJECT_CONFIG_FILENAMES = [
 ];
 const OXLINT_OUTPUT_MAX_BYTES = 50 * 1024 * 1024;
 const OXLINT_SPAWN_TIMEOUT_MS = 6e4;
+const RECOMMENDED_PNPM_MINIMUM_RELEASE_AGE_MINUTES = 10080;
 const MAX_GLOB_PATTERN_LENGTH_CHARS = 1024;
 var InvalidGlobPatternError = class extends Error {
 	pattern;
@@ -3716,7 +3719,7 @@ const layerOtlp = Layer.unwrap(Effect.gen(function* () {
 		baseUrl: endpoint.value,
 		resource: { serviceName: TRACER_PROJECT_NAME },
 		headers
-	}).pipe(Layer.provide(NodeHttpClient.layerUndici));
+	}).pipe(Layer.provide(FetchHttpClient.layer));
 }).pipe(Effect.orDie));
 Schema.String.pipe(Schema.brand("OxlintBinaryPath"));
 Schema.String.pipe(Schema.brand("NodeBinaryPath"));
@@ -3729,6 +3732,120 @@ Context.Reference("react-doctor/OxlintSpawnTimeoutMs", { defaultValue: () => {
 } });
 Context.Reference("react-doctor/OxlintOutputMaxBytes", { defaultValue: () => OXLINT_OUTPUT_MAX_BYTES });
 Context.Reference("react-doctor/StagedFilesTempDirPrefix", { defaultValue: () => "react-doctor-staged-" });
+const PNPM_WORKSPACE_FILE = "pnpm-workspace.yaml";
+const PNPM_LOCKFILE = "pnpm-lock.yaml";
+const PACKAGE_JSON_FILE = "package.json";
+const PNPM_HARDENING_RULE_KEY = "require-pnpm-hardening";
+const UTF8_BOM_CHAR = "";
+const HARDENING_SETTING_KEYS = new Set([
+	"minimumReleaseAge",
+	"blockExoticSubdeps",
+	"trustPolicy"
+]);
+const stripInlineComment = (rawValue) => {
+	let activeQuote = null;
+	for (let charIndex = 0; charIndex < rawValue.length; charIndex += 1) {
+		const currentChar = rawValue[charIndex];
+		if (activeQuote !== null) {
+			if (currentChar === activeQuote) activeQuote = null;
+			continue;
+		}
+		if (currentChar === "\"" || currentChar === "'") {
+			activeQuote = currentChar;
+			continue;
+		}
+		if (currentChar !== "#") continue;
+		const previousChar = rawValue[charIndex - 1];
+		if (charIndex === 0 || previousChar !== void 0 && /\s/.test(previousChar)) return rawValue.slice(0, charIndex);
+	}
+	return rawValue;
+};
+const unquote = (rawValue) => rawValue.replace(/^["']|["']$/g, "");
+const stripBom = (rawContent) => rawContent.startsWith(UTF8_BOM_CHAR) ? rawContent.slice(1) : rawContent;
+const parseHardeningSettings = (content) => {
+	let minimumReleaseAge = null;
+	let blockExoticSubdeps = null;
+	let trustPolicy = null;
+	const lines = stripBom(content).split(/\r?\n/);
+	for (let lineIndex = 0; lineIndex < lines.length; lineIndex += 1) {
+		const lineText = lines[lineIndex];
+		if (lineText === void 0) continue;
+		if (lineText.search(/\S/) !== 0) continue;
+		const trimmedLine = lineText.trim();
+		if (trimmedLine.startsWith("#")) continue;
+		const colonIndex = trimmedLine.indexOf(":");
+		if (colonIndex <= 0) continue;
+		const settingKey = unquote(trimmedLine.slice(0, colonIndex).trim());
+		if (!HARDENING_SETTING_KEYS.has(settingKey)) continue;
+		const inlineValue = stripInlineComment(trimmedLine.slice(colonIndex + 1)).trim();
+		if (inlineValue.length === 0) continue;
+		const scalar = {
+			value: unquote(inlineValue),
+			line: lineIndex + 1,
+			column: lineText.search(/\S/) + 1
+		};
+		if (settingKey === "minimumReleaseAge") minimumReleaseAge = scalar;
+		else if (settingKey === "blockExoticSubdeps") blockExoticSubdeps = scalar;
+		else if (settingKey === "trustPolicy") trustPolicy = scalar;
+	}
+	return {
+		minimumReleaseAge,
+		blockExoticSubdeps,
+		trustPolicy
+	};
+};
+const isPnpmManagedProject = (rootDirectory) => {
+	if (isFile(path.join(rootDirectory, PNPM_LOCKFILE))) return true;
+	if (isFile(path.join(rootDirectory, PNPM_WORKSPACE_FILE))) return true;
+	const packageJsonPath = path.join(rootDirectory, PACKAGE_JSON_FILE);
+	if (!isFile(packageJsonPath)) return false;
+	try {
+		const packageJsonRaw = fs.readFileSync(packageJsonPath, "utf-8");
+		const packageJson = JSON.parse(packageJsonRaw);
+		if (packageJson !== null && typeof packageJson === "object" && "packageManager" in packageJson && typeof packageJson.packageManager === "string" && packageJson.packageManager.startsWith("pnpm@")) return true;
+	} catch {
+		return false;
+	}
+	return false;
+};
+const buildHardeningDiagnostic = (input) => ({
+	filePath: PNPM_WORKSPACE_FILE,
+	plugin: "react-doctor",
+	rule: PNPM_HARDENING_RULE_KEY,
+	severity: "warning",
+	message: input.message,
+	help: input.help,
+	line: input.line ?? 0,
+	column: input.column ?? 0,
+	category: "Security"
+});
+const checkPnpmHardening = (rootDirectory) => {
+	if (!isPnpmManagedProject(rootDirectory)) return [];
+	const workspacePath = path.join(rootDirectory, PNPM_WORKSPACE_FILE);
+	const settings = parseHardeningSettings(isFile(workspacePath) ? fs.readFileSync(workspacePath, "utf-8") : "");
+	const diagnostics = [];
+	if (settings.minimumReleaseAge === null) diagnostics.push(buildHardeningDiagnostic({
+		message: "pnpm-workspace.yaml is missing `minimumReleaseAge` — newly published versions can ship malware that gets caught and unpublished within hours",
+		help: `Add \`minimumReleaseAge: ${RECOMMENDED_PNPM_MINIMUM_RELEASE_AGE_MINUTES}\` (7 days) to pnpm-workspace.yaml to delay installs until releases have had time to be vetted`
+	}));
+	if (settings.blockExoticSubdeps !== null && settings.blockExoticSubdeps.value.toLowerCase() === "false") diagnostics.push(buildHardeningDiagnostic({
+		line: settings.blockExoticSubdeps.line,
+		column: settings.blockExoticSubdeps.column,
+		message: "`blockExoticSubdeps: false` allows transitive deps from `git:`, `file:`, or tarball URLs — a known supply-chain bypass of the npm registry",
+		help: "Set `blockExoticSubdeps: true` (the default in recent pnpm v11) so transitive deps must come from the registry"
+	}));
+	if (settings.trustPolicy === null) diagnostics.push(buildHardeningDiagnostic({
+		message: "pnpm-workspace.yaml is missing `trustPolicy` — without `no-downgrade`, pnpm silently accepts packages whose trust signals (provenance, signatures) weaken between updates",
+		help: "Add `trustPolicy: no-downgrade` to pnpm-workspace.yaml"
+	}));
+	else if (settings.trustPolicy.value !== "no-downgrade") diagnostics.push(buildHardeningDiagnostic({
+		line: settings.trustPolicy.line,
+		column: settings.trustPolicy.column,
+		message: `\`trustPolicy: ${settings.trustPolicy.value}\` is weaker than \`no-downgrade\` — packages may lose trust signals between updates without you noticing`,
+		help: "Set `trustPolicy: no-downgrade` so pnpm refuses to downgrade trust between resolutions"
+	}));
+	return diagnostics;
+};
 const REDUCED_MOTION_GREP_PATTERN = "prefers-reduced-motion|useReducedMotion|MotionConfig|reducedMotion";
 const REDUCED_MOTION_FILE_GLOBS = [
 	"*.ts",
@@ -4489,7 +4606,7 @@ var Git = class Git extends Context.Service()("react-doctor/Git") {
 				};
 			})
 		});
-	})).pipe(Layer.provide(NodeServices.layer));
+	})).pipe(Layer.provide(NodeChildProcessSpawner.layer.pipe(Layer.provide(Layer.mergeAll(NodeFileSystem.layer, NodePath.layer)))));
 	/**
 	* Test layer driven by a deterministic snapshot. Each key is a
 	* convenience pre-canned response so tests don't have to enumerate
@@ -5912,7 +6029,7 @@ const fileReader = (filesService, rootDirectory) => (filePath) => {
 *   Config.resolve(directory)
 *     -> Project.discover(resolvedDirectory)
 *     -> Git metadata for score attribution
-*     -> Stream.fromIterable(checkReducedMotion env diagnostics)
+*     -> Stream.fromIterable(env diagnostics: reduced-motion + pnpm hardening)
 *     -> Stream.concat(Linter.run(...))    [folds ReactDoctorError into Ref]
 *     -> Stream.concat(DeadCode.run(...))  [folds Error into Ref]
 *     -> Stream.filterMap(perElementPipeline.apply)  [auto-suppress / severity / ignore / inline]
@@ -5972,7 +6089,7 @@ const runInspect = (input, hooks = {}) => Effect.gen(function* () {
 		readFileLinesSync: fileReader(filesService, scanDirectory),
 		respectInlineDisables: input.respectInlineDisables
 	});
-	const environmentDiagnostics = isDiffMode ? [] : checkReducedMotion(scanDirectory);
+	const environmentDiagnostics = isDiffMode ? [] : [...checkReducedMotion(scanDirectory), ...checkPnpmHardening(scanDirectory)];
 	const emptyDiagnosticStream = Stream.empty;
 	const rawLintStream = linterService.run({
 		rootDirectory: scanDirectory,

package/dist/rolldown-runtime-uZX_iqCz.js

@@ -0,0 +1,35 @@
+import { createRequire } from "node:module";
+//#region \0rolldown/runtime.js
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJSMin = (cb, mod) => () => (mod || (cb((mod = { exports: {} }).exports, mod), cb = null), mod.exports);
+var __exportAll = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
+	return target;
+};
+var __copyProps = (to, from, except, desc) => {
+	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
+		key = keys[i];
+		if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
+			get: ((k) => from[k]).bind(null, key),
+			enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+		});
+	}
+	return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+	value: mod,
+	enumerable: true
+}) : target, mod));
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+//#endregion
+export { __toESM as i, __exportAll as n, __require as r, __commonJSMin as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-doctor",
-  "version": "0.2.4",
+  "version": "0.2.5",
   "description": "Diagnose and fix React codebases for security, performance, correctness, accessibility, bundle-size, and architecture issues",
   "keywords": [
     "accessibility",
@@ -49,22 +49,23 @@
     }
   },
   "dependencies": {
-    "@effect/platform-node": "4.0.0-beta.70",
+    "@effect/platform-node-shared": "4.0.0-beta.70",
     "agent-install": "0.0.5",
+    "conf": "^15.1.0",
     "deslop-js": "^0.0.12",
     "effect": "4.0.0-beta.70",
     "oxlint": "^1.66.0",
     "prompts": "^2.4.2",
     "typescript": ">=5.0.4 <7",
-    "oxlint-plugin-react-doctor": "0.2.4"
+    "oxlint-plugin-react-doctor": "0.2.5"
   },
   "devDependencies": {
     "@types/prompts": "^2.4.9",
     "commander": "^14.0.3",
     "eslint-plugin-react-hooks": "^7.1.1",
     "ora": "^9.4.0",
-    "@react-doctor/api": "0.2.4",
-    "@react-doctor/core": "0.2.4"
+    "@react-doctor/api": "0.2.5",
+    "@react-doctor/core": "0.2.5"
   },
   "peerDependencies": {
     "eslint-plugin-react-hooks": "^6 || ^7"
@@ -75,7 +76,7 @@
     }
   },
   "engines": {
-    "node": ">=22.13.0"
+    "node": "^20.19.0 || >=22.12.0"
   },
   "scripts": {
     "dev": "vp pack --watch",