safe-pkg 1.0.0

package/dist/scanner/heuristicAnalyzer.js

@@ -0,0 +1,228 @@
+/**
+ * Popular legitimate packages (for typosquatting detection)
+ */
+const POPULAR_PACKAGES = [
+    "react",
+    "vue",
+    "angular",
+    "express",
+    "lodash",
+    "axios",
+    "moment",
+    "webpack",
+    "babel",
+    "eslint",
+    "prettier",
+    "typescript",
+    "jquery",
+    "chalk",
+    "commander",
+    "next",
+    "gatsby",
+    "nuxt",
+    "svelte",
+    "redux",
+];
+/**
+ * Suspicious keywords in package names
+ */
+const SUSPICIOUS_KEYWORDS = [
+    "hack",
+    "crack",
+    "keygen",
+    "exploit",
+    "backdoor",
+    "malware",
+    "virus",
+    "trojan",
+    "stealer",
+    "miner",
+    "cryptominer",
+    "bitcoin",
+    "wallet-stealer",
+    "free-premium",
+    "pro-unlimited",
+    "cracked",
+];
+/**
+ * Suspicious patterns in package names
+ */
+const SUSPICIOUS_PATTERNS = [
+    /^[a-z0-9-]{50,}$/, // Extremely long random names
+    /^[0-9]+$/, // All numbers
+    /([a-z])\1{4,}/, // Repeated characters (aaaaa)
+    /^(test|tmp|temp|demo|sample)-/, // Temporary/test packages
+    /-+admin-*$/i, // Ends with admin
+    /-+pro-*max/i, // Contains "pro max" marketing spam
+    /free.*premium/i, // "free premium" scam
+    /unlimited.*crack/i, // "unlimited crack"
+];
+/**
+ * Analyze package name using heuristic patterns
+ */
+export function analyzeHeuristics(packageName) {
+    const suspiciousPatterns = [];
+    let riskScore = 0;
+    // Check for suspicious keywords
+    const foundKeywords = checkSuspiciousKeywords(packageName);
+    if (foundKeywords.length > 0) {
+        suspiciousPatterns.push(`Suspicious keywords: ${foundKeywords.join(", ")}`);
+        riskScore += foundKeywords.length * 3; // 3 points per suspicious keyword
+    }
+    // Check for suspicious patterns
+    const foundPatterns = checkSuspiciousPatterns(packageName);
+    if (foundPatterns.length > 0) {
+        suspiciousPatterns.push(...foundPatterns);
+        riskScore += foundPatterns.length * 2; // 2 points per pattern
+    }
+    // Check for typosquatting
+    const typosquatResult = checkTyposquatting(packageName);
+    if (typosquatResult.isPotentialTyposquat) {
+        suspiciousPatterns.push(`Possible typosquatting of: ${typosquatResult.similarTo}`);
+        riskScore += 4; // High risk for typosquatting
+    }
+    // Check for excessive hyphens/numbers
+    const hyphenCount = (packageName.match(/-/g) || []).length;
+    const numberCount = (packageName.match(/[0-9]/g) || []).length;
+    if (hyphenCount > 4) {
+        suspiciousPatterns.push(`Excessive hyphens (${hyphenCount})`);
+        riskScore += 1;
+    }
+    if (numberCount > packageName.length / 2) {
+        suspiciousPatterns.push("Too many numbers in name");
+        riskScore += 1;
+    }
+    // Check for mixed case spam (e.g., "rEaCt-FrEe")
+    if (/[A-Z]/.test(packageName) && /[a-z]/.test(packageName)) {
+        const upperCount = (packageName.match(/[A-Z]/g) || []).length;
+        const lowerCount = (packageName.match(/[a-z]/g) || []).length;
+        if (upperCount > 2 && upperCount < lowerCount) {
+            suspiciousPatterns.push("Mixed case pattern (possible spam)");
+            riskScore += 1;
+        }
+    }
+    // Cap score at 10
+    riskScore = Math.min(riskScore, 10);
+    return {
+        suspiciousPatterns,
+        isPotentialTyposquat: typosquatResult.isPotentialTyposquat,
+        riskScore: riskScore,
+    };
+}
+/**
+ * Check for suspicious keywords in package name
+ */
+function checkSuspiciousKeywords(packageName) {
+    const lowerName = packageName.toLowerCase();
+    return SUSPICIOUS_KEYWORDS.filter((keyword) => lowerName.includes(keyword));
+}
+/**
+ * Check for suspicious patterns in package name
+ */
+function checkSuspiciousPatterns(packageName) {
+    const patterns = [];
+    for (const pattern of SUSPICIOUS_PATTERNS) {
+        if (pattern.test(packageName)) {
+            patterns.push(`Matches suspicious pattern: ${pattern.source}`);
+        }
+    }
+    return patterns;
+}
+/**
+ * Check if package name is potentially typosquatting a popular package
+ */
+function checkTyposquatting(packageName) {
+    const lowerName = packageName.toLowerCase();
+    for (const popularPkg of POPULAR_PACKAGES) {
+        // Exact match is not typosquatting
+        if (lowerName === popularPkg.toLowerCase()) {
+            continue;
+        }
+        // Check Levenshtein distance
+        const distance = levenshteinDistance(lowerName, popularPkg.toLowerCase());
+        // If distance is 1-2, it's likely typosquatting
+        if (distance <= 2 && distance > 0) {
+            return {
+                isPotentialTyposquat: true,
+                similarTo: popularPkg,
+            };
+        }
+        // Check for common typosquatting techniques
+        if (checkCommonTyposquattingTechniques(lowerName, popularPkg)) {
+            return {
+                isPotentialTyposquat: true,
+                similarTo: popularPkg,
+            };
+        }
+    }
+    return {
+        isPotentialTyposquat: false,
+    };
+}
+/**
+ * Calculate Levenshtein distance between two strings
+ */
+function levenshteinDistance(str1, str2) {
+    const len1 = str1.length;
+    const len2 = str2.length;
+    // Create matrix with proper initialization
+    const matrix = [];
+    for (let i = 0; i <= len1; i++) {
+        matrix[i] = new Array(len2 + 1).fill(0);
+    }
+    // Initialize first column and row
+    for (let i = 0; i <= len1; i++) {
+        const row = matrix[i];
+        if (row)
+            row[0] = i;
+    }
+    for (let j = 0; j <= len2; j++) {
+        const row = matrix[0];
+        if (row)
+            row[j] = j;
+    }
+    // Fill matrix
+    for (let i = 1; i <= len1; i++) {
+        for (let j = 1; j <= len2; j++) {
+            const cost = str1[i - 1] === str2[j - 1] ? 0 : 1;
+            const currentRow = matrix[i];
+            const prevRow = matrix[i - 1];
+            if (currentRow && prevRow) {
+                const deletion = (prevRow[j] ?? 0) + 1;
+                const insertion = (currentRow[j - 1] ?? 0) + 1;
+                const substitution = (prevRow[j - 1] ?? 0) + cost;
+                currentRow[j] = Math.min(deletion, insertion, substitution);
+            }
+        }
+    }
+    const finalRow = matrix[len1];
+    return finalRow ? finalRow[len2] ?? 0 : 0;
+}
+/**
+ * Check for common typosquatting techniques
+ */
+function checkCommonTyposquattingTechniques(packageName, popularPkg) {
+    // Adding prefix/suffix
+    if (packageName.startsWith(popularPkg) || packageName.endsWith(popularPkg)) {
+        const diff = packageName.replace(popularPkg, "");
+        // If the difference is small and looks like spam
+        if (diff.length <= 5 && /^[-_0-9]+$/.test(diff)) {
+            return true;
+        }
+    }
+    // Character substitution (l -> 1, o -> 0, etc.)
+    const normalized = packageName
+        .replace(/1/g, "l")
+        .replace(/0/g, "o")
+        .replace(/5/g, "s");
+    if (normalized === popularPkg) {
+        return true;
+    }
+    // Extra hyphen/underscore
+    const withoutSeparators = packageName.replace(/[-_]/g, "");
+    if (withoutSeparators === popularPkg.replace(/[-_]/g, "")) {
+        return true;
+    }
+    return false;
+}
+//# sourceMappingURL=heuristicAnalyzer.js.map

package/dist/scanner/heuristicAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"heuristicAnalyzer.js","sourceRoot":"","sources":["../../src/scanner/heuristicAnalyzer.ts"],"names":[],"mappings":"AAEA;;GAEG;AACH,MAAM,gBAAgB,GAAG;IACxB,OAAO;IACP,KAAK;IACL,SAAS;IACT,SAAS;IACT,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,SAAS;IACT,OAAO;IACP,QAAQ;IACR,UAAU;IACV,YAAY;IACZ,QAAQ;IACR,OAAO;IACP,WAAW;IACX,MAAM;IACN,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,OAAO;CACP,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC3B,MAAM;IACN,OAAO;IACP,QAAQ;IACR,SAAS;IACT,UAAU;IACV,SAAS;IACT,OAAO;IACP,QAAQ;IACR,SAAS;IACT,OAAO;IACP,aAAa;IACb,SAAS;IACT,gBAAgB;IAChB,cAAc;IACd,eAAe;IACf,SAAS;CACT,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC3B,kBAAkB,EAAE,8BAA8B;IAClD,UAAU,EAAE,cAAc;IAC1B,eAAe,EAAE,8BAA8B;IAC/C,+BAA+B,EAAE,0BAA0B;IAC3D,aAAa,EAAE,kBAAkB;IACjC,aAAa,EAAE,oCAAoC;IACnD,gBAAgB,EAAE,sBAAsB;IACxC,mBAAmB,EAAE,oBAAoB;CACzC,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACpD,MAAM,kBAAkB,GAAa,EAAE,CAAC;IACxC,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,gCAAgC;IAChC,MAAM,aAAa,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAC;IAC3D,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,kBAAkB,CAAC,IAAI,CAAC,wBAAwB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC5E,SAAS,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,kCAAkC;IAC1E,CAAC;IAED,gCAAgC;IAChC,MAAM,aAAa,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAC;IAC3D,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,kBAAkB,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC,CAAC;QAC1C,SAAS,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,uBAAuB;IAC/D,CAAC;IAED,0BAA0B;IAC1B,MAAM,eAAe,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC;IACxD,IAAI,eAAe,CAAC,oBAAoB,EAAE,CAAC;QAC1C,kBAAkB,CAAC,IAAI,CACtB,8BAA8B,eAAe,CAAC,SAAS,EAAE,CACzD,CAAC;QACF,SAAS,IAAI,CAAC,CAAC,CAAC,8BAA8B;IAC/C,CAAC;IAED,sCAAsC;IACtC,MAAM,WAAW,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;IAC3D,MAAM,WAAW,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;IAE/D,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;QACrB,kBAAkB,CAAC,IAAI,CAAC,sBAAsB,WAAW,GAAG,CAAC,CAAC;QAC9D,SAAS,IAAI,CAAC,CAAC;IAChB,CAAC;IAED,IAAI,WAAW,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,kBAAkB,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACpD,SAAS,IAAI,CAAC,CAAC;IAChB,CAAC;IAED,iDAAiD;IACjD,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5D,MAAM,UAAU,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QAC9D,MAAM,UAAU,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;QAC9D,IAAI,UAAU,GAAG,CAAC,IAAI,UAAU,GAAG,UAAU,EAAE,CAAC;YAC/C,kBAAkB,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;YAC9D,SAAS,IAAI,CAAC,CAAC;QAChB,CAAC;IACF,CAAC;IAED,kBAAkB;IAClB,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAEpC,OAAO;QACN,kBAAkB;QAClB,oBAAoB,EAAE,eAAe,CAAC,oBAAoB;QAC1D,SAAS,EAAE,SAAS;KACpB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,WAAmB;IACnD,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IAC5C,OAAO,mBAAmB,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AAC7E,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,WAAmB;IACnD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;QAC3C,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC,+BAA+B,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAChE,CAAC;IACF,CAAC;IAED,OAAO,QAAQ,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,WAAmB;IAI9C,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;IAE5C,KAAK,MAAM,UAAU,IAAI,gBAAgB,EAAE,CAAC;QAC3C,mCAAmC;QACnC,IAAI,SAAS,KAAK,UAAU,CAAC,WAAW,EAAE,EAAE,CAAC;YAC5C,SAAS;QACV,CAAC;QAED,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,SAAS,EAAE,UAAU,CAAC,WAAW,EAAE,CAAC,CAAC;QAE1E,gDAAgD;QAChD,IAAI,QAAQ,IAAI,CAAC,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;YACnC,OAAO;gBACN,oBAAoB,EAAE,IAAI;gBAC1B,SAAS,EAAE,UAAU;aACrB,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,IAAI,kCAAkC,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,CAAC;YAC/D,OAAO;gBACN,oBAAoB,EAAE,IAAI;gBAC1B,SAAS,EAAE,UAAU;aACrB,CAAC;QACH,CAAC;IACF,CAAC;IAED,OAAO;QACN,oBAAoB,EAAE,KAAK;KAC3B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,IAAY,EAAE,IAAY;IACtD,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC;IACzB,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC;IAEzB,2CAA2C;IAC3C,MAAM,MAAM,GAAe,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,kCAAkC;IAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,GAAG;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,GAAG;YAAE,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAED,cAAc;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YAC7B,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAE9B,IAAI,UAAU,IAAI,OAAO,EAAE,CAAC;gBAC3B,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;gBACvC,MAAM,SAAS,GAAG,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;gBAC/C,MAAM,YAAY,GAAG,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;gBAClD,UAAU,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;YAC7D,CAAC;QACF,CAAC;IACF,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;IAC9B,OAAO,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAS,kCAAkC,CAC1C,WAAmB,EACnB,UAAkB;IAElB,uBAAuB;IACvB,IAAI,WAAW,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5E,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QACjD,iDAAiD;QACjD,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,OAAO,IAAI,CAAC;QACb,CAAC;IACF,CAAC;IAED,gDAAgD;IAChD,MAAM,UAAU,GAAG,WAAW;SAC5B,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;SAClB,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAErB,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC;IACb,CAAC;IAED,0BAA0B;IAC1B,MAAM,iBAAiB,GAAG,WAAW,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC3D,IAAI,iBAAiB,KAAK,UAAU,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC;QAC3D,OAAO,IAAI,CAAC;IACb,CAAC;IAED,OAAO,KAAK,CAAC;AACd,CAAC"}

package/dist/scanner/index.d.ts

@@ -0,0 +1,6 @@
+export * from "./analyzePackage.js";
+export { analyzeWithAudit, analyzePackageAudit } from "./auditAnalyzer.js";
+export * from "./metadataAnalyzer.js";
+export * from "./scriptAnalyzer.js";
+export * from "./heuristicAnalyzer.js";
+export * from "./aiAnalyzer.js";

package/dist/scanner/index.js

@@ -0,0 +1,8 @@
+// Scanner barrel exports
+export * from "./analyzePackage.js";
+export { analyzeWithAudit, analyzePackageAudit } from "./auditAnalyzer.js";
+export * from "./metadataAnalyzer.js";
+export * from "./scriptAnalyzer.js";
+export * from "./heuristicAnalyzer.js";
+export * from "./aiAnalyzer.js";
+//# sourceMappingURL=index.js.map

package/dist/scanner/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/scanner/index.ts"],"names":[],"mappings":"AAAA,yBAAyB;AACzB,cAAc,qBAAqB,CAAC;AACpC,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC3E,cAAc,uBAAuB,CAAC;AACtC,cAAc,qBAAqB,CAAC;AACpC,cAAc,wBAAwB,CAAC;AACvC,cAAc,iBAAiB,CAAC"}

package/dist/scanner/metadataAnalyzer.d.ts

@@ -0,0 +1,5 @@
+import type { MetadataScore } from "../types.js";
+/**
+ * Analyze package metadata from npm registry
+ */
+export declare function analyzeMetadata(packageName: string): Promise<MetadataScore>;

package/dist/scanner/metadataAnalyzer.js

@@ -0,0 +1,136 @@
+/**
+ * Analyze package metadata from npm registry
+ */
+export async function analyzeMetadata(packageName) {
+    try {
+        // Fetch package data from npm registry
+        const packageData = await fetchPackageData(packageName);
+        const downloads = await fetchDownloadsData(packageName);
+        // Calculate metadata score
+        return calculateMetadataScore(packageData, downloads);
+    }
+    catch (error) {
+        // If fetching fails, return a default risky score
+        return createDefaultMetadataScore();
+    }
+}
+/**
+ * Fetch package information from npm registry
+ */
+async function fetchPackageData(packageName) {
+    const response = await fetch(`https://registry.npmjs.org/${encodeURIComponent(packageName)}`);
+    if (!response.ok) {
+        throw new Error(`Package not found: ${packageName}`);
+    }
+    return response.json();
+}
+/**
+ * Fetch download statistics from npm API
+ */
+async function fetchDownloadsData(packageName) {
+    const response = await fetch(`https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(packageName)}`);
+    if (!response.ok) {
+        // No download data available, return zero
+        return {
+            downloads: 0,
+            start: "",
+            end: "",
+            package: packageName,
+        };
+    }
+    return response.json();
+}
+/**
+ * Calculate metadata risk score based on package data
+ */
+function calculateMetadataScore(packageData, downloadsData) {
+    const now = new Date();
+    const weeklyDownloads = downloadsData.downloads;
+    // Get latest version publish date
+    const latestVersion = packageData["dist-tags"]?.latest || "";
+    const publishDateStr = packageData.time?.[latestVersion];
+    const lastPublishDate = publishDateStr ? new Date(publishDateStr) : now;
+    // Get package creation date (first version)
+    const createdDateStr = packageData.time?.created;
+    const createdDate = createdDateStr ? new Date(createdDateStr) : now;
+    // Calculate package age in days
+    const packageAge = Math.floor((now.getTime() - createdDate.getTime()) / (1000 * 60 * 60 * 24));
+    // Calculate days since last publish
+    const daysSincePublish = Math.floor((now.getTime() - lastPublishDate.getTime()) / (1000 * 60 * 60 * 24));
+    // Get maintainer info
+    const maintainerCount = packageData.maintainers?.length || 0;
+    const hasLicense = Boolean(packageData.license);
+    // Calculate risk score (0-10, higher = more risky)
+    let riskScore = 0;
+    // Downloads score (0-3 points)
+    if (weeklyDownloads < 100) {
+        riskScore += 3; // Very low downloads - very risky
+    }
+    else if (weeklyDownloads < 1000) {
+        riskScore += 2; // Low downloads - risky
+    }
+    else if (weeklyDownloads < 10000) {
+        riskScore += 1; // Moderate downloads - slight risk
+    }
+    // Over 10k downloads = 0 points (safe)
+    // Last publish date score (0-3 points)
+    if (daysSincePublish > 730) {
+        // > 2 years
+        riskScore += 3; // Abandoned
+    }
+    else if (daysSincePublish > 365) {
+        // > 1 year
+        riskScore += 2; // Stale
+    }
+    else if (daysSincePublish > 180) {
+        // > 6 months
+        riskScore += 1; // Moderately maintained
+    }
+    // Updated within 6 months = 0 points (well maintained)
+    // Package age score (0-2 points)
+    if (packageAge < 30) {
+        // Less than 1 month old
+        riskScore += 2; // Too new, unproven
+    }
+    else if (packageAge < 90) {
+        // Less than 3 months old
+        riskScore += 1; // Relatively new
+    }
+    // Older than 3 months = 0 points (established)
+    // Maintainer count score (0-1 point)
+    if (maintainerCount === 0) {
+        riskScore += 1; // No maintainers listed
+    }
+    // Has maintainers = 0 points
+    // License score (0-1 point)
+    if (!hasLicense) {
+        riskScore += 1; // No license
+    }
+    // Has license = 0 points
+    // Cap score at 10
+    riskScore = Math.min(riskScore, 10);
+    return {
+        version: packageData["dist-tags"]?.latest ?? "unknown",
+        downloads: weeklyDownloads,
+        lastPublishDate,
+        maintainerCount,
+        hasLicense,
+        packageAge,
+        riskScore: riskScore,
+    };
+}
+/**
+ * Create default metadata score for when fetching fails
+ */
+function createDefaultMetadataScore() {
+    return {
+        version: "unknown",
+        downloads: 0,
+        lastPublishDate: new Date(),
+        maintainerCount: 0,
+        hasLicense: false,
+        packageAge: 0,
+        riskScore: 8, // High risk when we can't verify metadata
+    };
+}
+//# sourceMappingURL=metadataAnalyzer.js.map

package/dist/scanner/metadataAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"metadataAnalyzer.js","sourceRoot":"","sources":["../../src/scanner/metadataAnalyzer.ts"],"names":[],"mappings":"AA6BA;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACpC,WAAmB;IAEnB,IAAI,CAAC;QACJ,uCAAuC;QACvC,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC,CAAC;QACxD,MAAM,SAAS,GAAG,MAAM,kBAAkB,CAAC,WAAW,CAAC,CAAC;QAExD,2BAA2B;QAC3B,OAAO,sBAAsB,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,kDAAkD;QAClD,OAAO,0BAA0B,EAAE,CAAC;IACrC,CAAC;AACF,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IAClD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC3B,8BAA8B,kBAAkB,CAAC,WAAW,CAAC,EAAE,CAC/D,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,sBAAsB,WAAW,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAA6B,CAAC;AACnD,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAChC,WAAmB;IAEnB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC3B,mDAAmD,kBAAkB,CAAC,WAAW,CAAC,EAAE,CACpF,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QAClB,0CAA0C;QAC1C,OAAO;YACN,SAAS,EAAE,CAAC;YACZ,KAAK,EAAE,EAAE;YACT,GAAG,EAAE,EAAE;YACP,OAAO,EAAE,WAAW;SACpB,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAA+B,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC9B,WAA2B,EAC3B,aAA+B;IAE/B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,eAAe,GAAG,aAAa,CAAC,SAAS,CAAC;IAEhD,kCAAkC;IAClC,MAAM,aAAa,GAAG,WAAW,CAAC,WAAW,CAAC,EAAE,MAAM,IAAI,EAAE,CAAC;IAC7D,MAAM,cAAc,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,aAAa,CAAC,CAAC;IACzD,MAAM,eAAe,GAAG,cAAc,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAExE,4CAA4C;IAC5C,MAAM,cAAc,GAAG,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC;IACjD,MAAM,WAAW,GAAG,cAAc,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAEpE,gCAAgC;IAChC,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAC5B,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAC/D,CAAC;IAEF,oCAAoC;IACpC,MAAM,gBAAgB,GAAG,IAAI,CAAC,KAAK,CAClC,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CACnE,CAAC;IAEF,sBAAsB;IACtB,MAAM,eAAe,GAAG,WAAW,CAAC,WAAW,EAAE,MAAM,IAAI,CAAC,CAAC;IAC7D,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IAEhD,mDAAmD;IACnD,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,+BAA+B;IAC/B,IAAI,eAAe,GAAG,GAAG,EAAE,CAAC;QAC3B,SAAS,IAAI,CAAC,CAAC,CAAC,kCAAkC;IACnD,CAAC;SAAM,IAAI,eAAe,GAAG,IAAI,EAAE,CAAC;QACnC,SAAS,IAAI,CAAC,CAAC,CAAC,wBAAwB;IACzC,CAAC;SAAM,IAAI,eAAe,GAAG,KAAK,EAAE,CAAC;QACpC,SAAS,IAAI,CAAC,CAAC,CAAC,mCAAmC;IACpD,CAAC;IACD,uCAAuC;IAEvC,uCAAuC;IACvC,IAAI,gBAAgB,GAAG,GAAG,EAAE,CAAC;QAC5B,YAAY;QACZ,SAAS,IAAI,CAAC,CAAC,CAAC,YAAY;IAC7B,CAAC;SAAM,IAAI,gBAAgB,GAAG,GAAG,EAAE,CAAC;QACnC,WAAW;QACX,SAAS,IAAI,CAAC,CAAC,CAAC,QAAQ;IACzB,CAAC;SAAM,IAAI,gBAAgB,GAAG,GAAG,EAAE,CAAC;QACnC,aAAa;QACb,SAAS,IAAI,CAAC,CAAC,CAAC,wBAAwB;IACzC,CAAC;IACD,uDAAuD;IAEvD,iCAAiC;IACjC,IAAI,UAAU,GAAG,EAAE,EAAE,CAAC;QACrB,wBAAwB;QACxB,SAAS,IAAI,CAAC,CAAC,CAAC,oBAAoB;IACrC,CAAC;SAAM,IAAI,UAAU,GAAG,EAAE,EAAE,CAAC;QAC5B,yBAAyB;QACzB,SAAS,IAAI,CAAC,CAAC,CAAC,iBAAiB;IAClC,CAAC;IACD,+CAA+C;IAE/C,qCAAqC;IACrC,IAAI,eAAe,KAAK,CAAC,EAAE,CAAC;QAC3B,SAAS,IAAI,CAAC,CAAC,CAAC,wBAAwB;IACzC,CAAC;IACD,6BAA6B;IAE7B,4BAA4B;IAC5B,IAAI,CAAC,UAAU,EAAE,CAAC;QACjB,SAAS,IAAI,CAAC,CAAC,CAAC,aAAa;IAC9B,CAAC;IACD,yBAAyB;IAEzB,kBAAkB;IAClB,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAEpC,OAAO;QACN,OAAO,EAAE,WAAW,CAAC,WAAW,CAAC,EAAE,MAAM,IAAI,SAAS;QACtD,SAAS,EAAE,eAAe;QAC1B,eAAe;QACf,eAAe;QACf,UAAU;QACV,UAAU;QACV,SAAS,EAAE,SAAS;KACpB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,0BAA0B;IAClC,OAAO;QACN,OAAO,EAAE,SAAS;QAClB,SAAS,EAAE,CAAC;QACZ,eAAe,EAAE,IAAI,IAAI,EAAE;QAC3B,eAAe,EAAE,CAAC;QAClB,UAAU,EAAE,KAAK;QACjB,UAAU,EAAE,CAAC;QACb,SAAS,EAAE,CAAC,EAAE,0CAA0C;KACxD,CAAC;AACH,CAAC"}

package/dist/scanner/scriptAnalyzer.d.ts

@@ -0,0 +1,5 @@
+import type { ScriptRisk } from "../types.js";
+/**
+ * Analyze package.json scripts for security risks
+ */
+export declare function analyzeScripts(packageName: string): Promise<ScriptRisk>;

package/dist/scanner/scriptAnalyzer.js

@@ -0,0 +1,187 @@
+/**
+ * Dangerous commands that are red flags in package scripts
+ */
+const DANGEROUS_COMMANDS = [
+    "curl",
+    "wget",
+    "eval",
+    "chmod",
+    "chown",
+    "sudo",
+    "rm -rf",
+    "dd if=",
+    "mkfs",
+    ":(){ :|:& };:", // Fork bomb
+    "/dev/sda",
+    "/dev/null",
+    ">/dev/",
+    "format c:",
+];
+/**
+ * Suspicious commands that warrant investigation
+ */
+const SUSPICIOUS_COMMANDS = [
+    "nc ", // netcat
+    "telnet",
+    "ssh",
+    "scp",
+    "ftp",
+    "base64",
+    "exec",
+    "child_process",
+    "execSync",
+    "spawn",
+    ".decrypt",
+    "crypto",
+];
+/**
+ * Network-related commands
+ */
+const NETWORK_COMMANDS = [
+    "http://",
+    "https://",
+    "fetch(",
+    "axios",
+    "request(",
+    "download",
+];
+/**
+ * Lifecycle hooks that run automatically
+ */
+const LIFECYCLE_HOOKS = [
+    "preinstall",
+    "install",
+    "postinstall",
+    "preuninstall",
+    "uninstall",
+    "postuninstall",
+    "preversion",
+    "version",
+    "postversion",
+];
+/**
+ * Analyze package.json scripts for security risks
+ */
+export async function analyzeScripts(packageName) {
+    try {
+        // Fetch package.json from npm registry
+        const packageJson = await fetchPackageJson(packageName);
+        if (!packageJson.scripts) {
+            // No scripts = safe
+            return createSafeScriptResult();
+        }
+        // Analyze the scripts
+        return analyzePackageScripts(packageJson.scripts);
+    }
+    catch (error) {
+        // If fetching fails, assume safe (no scripts to analyze)
+        return createSafeScriptResult();
+    }
+}
+/**
+ * Fetch package.json from npm registry
+ */
+async function fetchPackageJson(packageName) {
+    const response = await fetch(`https://registry.npmjs.org/${encodeURIComponent(packageName)}/latest`);
+    if (!response.ok) {
+        throw new Error(`Package not found: ${packageName}`);
+    }
+    return response.json();
+}
+/**
+ * Analyze scripts object for suspicious patterns
+ */
+function analyzePackageScripts(scripts) {
+    const suspiciousScripts = [];
+    const dangerousCommands = [];
+    let riskScore = 0;
+    // Check each script
+    for (const [scriptName, scriptContent] of Object.entries(scripts)) {
+        const analysis = analyzeScript(scriptName, scriptContent);
+        if (analysis.isDangerous) {
+            suspiciousScripts.push(`${scriptName}: ${analysis.reason || "dangerous command"}`);
+            dangerousCommands.push(...analysis.commands);
+            riskScore += analysis.riskPoints;
+        }
+    }
+    // Check for automatic lifecycle hooks
+    const hasLifecycleHooks = LIFECYCLE_HOOKS.some((hook) => Object.keys(scripts).includes(hook));
+    if (hasLifecycleHooks) {
+        const lifecycleScripts = LIFECYCLE_HOOKS.filter((hook) => Object.keys(scripts).includes(hook));
+        suspiciousScripts.push(`Automatic lifecycle hooks: ${lifecycleScripts.join(", ")}`);
+        riskScore += 2; // Additional risk for automatic execution
+    }
+    // Cap the score at 10
+    riskScore = Math.min(riskScore, 10);
+    const hasSuspiciousScripts = suspiciousScripts.length > 0;
+    return {
+        hasSuspiciousScripts,
+        suspiciousScripts,
+        dangerousCommands: [...new Set(dangerousCommands)], // Remove duplicates
+        riskScore: riskScore,
+    };
+}
+/**
+ * Analyze individual script for suspicious patterns
+ */
+function analyzeScript(scriptName, scriptContent) {
+    const lowerContent = scriptContent.toLowerCase();
+    const foundCommands = [];
+    let riskPoints = 0;
+    let reason = "";
+    // Check for dangerous commands
+    for (const cmd of DANGEROUS_COMMANDS) {
+        if (lowerContent.includes(cmd.toLowerCase())) {
+            foundCommands.push(cmd);
+            riskPoints += 5; // Very high risk
+            reason = `dangerous command: ${cmd}`;
+        }
+    }
+    // Check for suspicious commands
+    for (const cmd of SUSPICIOUS_COMMANDS) {
+        if (lowerContent.includes(cmd.toLowerCase())) {
+            foundCommands.push(cmd);
+            riskPoints += 2; // Medium risk
+            if (!reason)
+                reason = `suspicious command: ${cmd}`;
+        }
+    }
+    // Check for network commands
+    for (const cmd of NETWORK_COMMANDS) {
+        if (lowerContent.includes(cmd.toLowerCase())) {
+            foundCommands.push(cmd);
+            riskPoints += 1; // Low risk (network calls are common)
+            if (!reason)
+                reason = `network activity: ${cmd}`;
+        }
+    }
+    // Check for obfuscated code patterns
+    if (lowerContent.includes("\\x") ||
+        lowerContent.includes("\\u") ||
+        lowerContent.match(/[a-z0-9]{50,}/) // Long random strings
+    ) {
+        foundCommands.push("obfuscated code");
+        riskPoints += 3;
+        if (!reason)
+            reason = "potentially obfuscated code";
+    }
+    const isDangerous = foundCommands.length > 0;
+    return {
+        isDangerous,
+        reason,
+        commands: foundCommands,
+        riskPoints,
+    };
+}
+/**
+ * Create a safe script result (no suspicious scripts found)
+ */
+function createSafeScriptResult() {
+    return {
+        hasSuspiciousScripts: false,
+        suspiciousScripts: [],
+        dangerousCommands: [],
+        riskScore: 0,
+    };
+}
+//# sourceMappingURL=scriptAnalyzer.js.map

package/dist/scanner/scriptAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scriptAnalyzer.js","sourceRoot":"","sources":["../../src/scanner/scriptAnalyzer.ts"],"names":[],"mappings":"AAWA;;GAEG;AACH,MAAM,kBAAkB,GAAG;IAC1B,MAAM;IACN,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,eAAe,EAAE,YAAY;IAC7B,UAAU;IACV,WAAW;IACX,QAAQ;IACR,WAAW;CACX,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC3B,KAAK,EAAE,SAAS;IAChB,QAAQ;IACR,KAAK;IACL,KAAK;IACL,KAAK;IACL,QAAQ;IACR,MAAM;IACN,eAAe;IACf,UAAU;IACV,OAAO;IACP,UAAU;IACV,QAAQ;CACR,CAAC;AAEF;;GAEG;AACH,MAAM,gBAAgB,GAAG;IACxB,SAAS;IACT,UAAU;IACV,QAAQ;IACR,OAAO;IACP,UAAU;IACV,UAAU;CACV,CAAC;AAEF;;GAEG;AACH,MAAM,eAAe,GAAG;IACvB,YAAY;IACZ,SAAS;IACT,aAAa;IACb,cAAc;IACd,WAAW;IACX,eAAe;IACf,YAAY;IACZ,SAAS;IACT,aAAa;CACb,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,WAAmB;IACvD,IAAI,CAAC;QACJ,uCAAuC;QACvC,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAExD,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;YAC1B,oBAAoB;YACpB,OAAO,sBAAsB,EAAE,CAAC;QACjC,CAAC;QAED,sBAAsB;QACtB,OAAO,qBAAqB,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QAChB,yDAAyD;QACzD,OAAO,sBAAsB,EAAE,CAAC;IACjC,CAAC;AACF,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IAClD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC3B,8BAA8B,kBAAkB,CAAC,WAAW,CAAC,SAAS,CACtE,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,sBAAsB,WAAW,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAA0B,CAAC;AAChD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,OAA+B;IAC7D,MAAM,iBAAiB,GAAa,EAAE,CAAC;IACvC,MAAM,iBAAiB,GAAa,EAAE,CAAC;IACvC,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,oBAAoB;IACpB,KAAK,MAAM,CAAC,UAAU,EAAE,aAAa,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACnE,MAAM,QAAQ,GAAG,aAAa,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;QAE1D,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC1B,iBAAiB,CAAC,IAAI,CACrB,GAAG,UAAU,KAAK,QAAQ,CAAC,MAAM,IAAI,mBAAmB,EAAE,CAC1D,CAAC;YACF,iBAAiB,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC7C,SAAS,IAAI,QAAQ,CAAC,UAAU,CAAC;QAClC,CAAC;IACF,CAAC;IAED,sCAAsC;IACtC,MAAM,iBAAiB,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CACvD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CACnC,CAAC;IAEF,IAAI,iBAAiB,EAAE,CAAC;QACvB,MAAM,gBAAgB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CACxD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CACnC,CAAC;QACF,iBAAiB,CAAC,IAAI,CACrB,8BAA8B,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3D,CAAC;QACF,SAAS,IAAI,CAAC,CAAC,CAAC,0CAA0C;IAC3D,CAAC;IAED,sBAAsB;IACtB,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAEpC,MAAM,oBAAoB,GAAG,iBAAiB,CAAC,MAAM,GAAG,CAAC,CAAC;IAE1D,OAAO;QACN,oBAAoB;QACpB,iBAAiB;QACjB,iBAAiB,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,iBAAiB,CAAC,CAAC,EAAE,oBAAoB;QACxE,SAAS,EAAE,SAAS;KACpB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CACrB,UAAkB,EAClB,aAAqB;IAOrB,MAAM,YAAY,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC;IACjD,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,MAAM,GAAG,EAAE,CAAC;IAEhB,+BAA+B;IAC/B,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACtC,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC9C,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxB,UAAU,IAAI,CAAC,CAAC,CAAC,iBAAiB;YAClC,MAAM,GAAG,sBAAsB,GAAG,EAAE,CAAC;QACtC,CAAC;IACF,CAAC;IAED,gCAAgC;IAChC,KAAK,MAAM,GAAG,IAAI,mBAAmB,EAAE,CAAC;QACvC,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC9C,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxB,UAAU,IAAI,CAAC,CAAC,CAAC,cAAc;YAC/B,IAAI,CAAC,MAAM;gBAAE,MAAM,GAAG,uBAAuB,GAAG,EAAE,CAAC;QACpD,CAAC;IACF,CAAC;IAED,6BAA6B;IAC7B,KAAK,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;QACpC,IAAI,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAC9C,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxB,UAAU,IAAI,CAAC,CAAC,CAAC,sCAAsC;YACvD,IAAI,CAAC,MAAM;gBAAE,MAAM,GAAG,qBAAqB,GAAG,EAAE,CAAC;QAClD,CAAC;IACF,CAAC;IAED,qCAAqC;IACrC,IACC,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC;QAC5B,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC;QAC5B,YAAY,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,sBAAsB;MACzD,CAAC;QACF,aAAa,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACtC,UAAU,IAAI,CAAC,CAAC;QAChB,IAAI,CAAC,MAAM;YAAE,MAAM,GAAG,6BAA6B,CAAC;IACrD,CAAC;IAED,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC;IAE7C,OAAO;QACN,WAAW;QACX,MAAM;QACN,QAAQ,EAAE,aAAa;QACvB,UAAU;KACV,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB;IAC9B,OAAO;QACN,oBAAoB,EAAE,KAAK;QAC3B,iBAAiB,EAAE,EAAE;QACrB,iBAAiB,EAAE,EAAE;QACrB,SAAS,EAAE,CAAC;KACZ,CAAC;AACH,CAAC"}

package/dist/scanner-project/batchAnalyze.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/scanner-project/batchAnalyze.js

@@ -0,0 +1,4 @@
+export {};
+// Batch package analyzer
+// Will be implemented in Phase 5
+//# sourceMappingURL=batchAnalyze.js.map

package/dist/scanner-project/batchAnalyze.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"batchAnalyze.js","sourceRoot":"","sources":["../../src/scanner-project/batchAnalyze.ts"],"names":[],"mappings":";AAAA,yBAAyB;AACzB,iCAAiC"}

package/dist/scanner-project/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./readDependencies.js";
+export * from "./scanProject.js";
+export * from "./scanNodeModules.js";
+export * from "./batchAnalyze.js";

package/dist/scanner-project/index.js

@@ -0,0 +1,6 @@
+// Project scanner barrel exports
+export * from "./readDependencies.js";
+export * from "./scanProject.js";
+export * from "./scanNodeModules.js";
+export * from "./batchAnalyze.js";
+//# sourceMappingURL=index.js.map

package/dist/scanner-project/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/scanner-project/index.ts"],"names":[],"mappings":"AAAA,iCAAiC;AACjC,cAAc,uBAAuB,CAAC;AACtC,cAAc,kBAAkB,CAAC;AACjC,cAAc,sBAAsB,CAAC;AACrC,cAAc,mBAAmB,CAAC"}

package/dist/scanner-project/readDependencies.d.ts

@@ -0,0 +1,5 @@
+import type { DependencyList } from "../types.js";
+/**
+ * Read dependencies from package.json in the project
+ */
+export declare function readDependencies(cwd: string): DependencyList;