safelaunch 1.0.33 → 1.0.37

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "safelaunch",
-  "version": "1.0.33",
+  "version": "1.0.37",
   "description": "Backend Reliability Infrastructure - catch what breaks production before it breaks",
   "main": "index.js",
   "bin": {

package/src/scan.js

@@ -63,6 +63,56 @@ const IMPACTS = {
     impact: "Different tools read different copies. Behaviour is unpredictable — one service may use the wrong value.",
     fix:    `Remove the duplicate ${name} entry from your .env file.`,
   }),
+  WILDCARD_DEPENDENCY: (name) => ({
+    title:  `Wildcard version for ${name} in package.json`,
+    impact: "Using * or latest means npm can install any version, including breaking changes. Your build may work today and fail tomorrow.",
+    fix:    `Pin ${name} to a specific version, e.g. \"${name}\": \"1.2.3\".`,
+  }),
+  DEBUGGER_STATEMENT: (file, line) => ({
+    title:  `debugger statement left in ${file}`,
+    impact: "A debugger statement pauses execution in some environments and signals unfinished code. It should never ship to production.",
+    fix:    `Remove the debugger statement from ${file} line ${line}.`,
+  }),
+  WEAK_SECRET: (name, val) => ({
+    title:  `Weak secret value for ${name}`,
+    impact: "Predictable secrets can be guessed or brute-forced. This is a serious security vulnerability in production.",
+    fix:    `Replace the value of ${name} with a strong randomly generated secret.`,
+  }),
+  DEBUG_FLAG_ENABLED: (name) => ({
+    title:  `${name} is enabled in .env`,
+    impact: "Debug mode in production exposes stack traces, internal errors, and verbose logs to end users.",
+    fix:    `Set ${name}=false or remove it from your .env before deploying.`,
+  }),
+  MISSING_ENV_EXAMPLE: () => ({
+    title:  ".env.example is missing",
+    impact: "Other developers cloning this repo will not know what environment variables are required.",
+    fix:    "Create a .env.example file listing all required variables without their values.",
+  }),
+  MISSING_START_SCRIPT: () => ({
+    title:  "No start script in package.json",
+    impact: "Deployment platforms like Railway, Heroku, and Render use the start script to run your app. Without it, your deploy will fail.",
+    fix:    "Add a start script to package.json, e.g. \"start\": \"node src/index.js\".",
+  }),
+  MISSING_BUILD_SCRIPT: () => ({
+    title:  "No build script in package.json",
+    impact: "CI and deployment platforms expect a build script. Your deploy will likely fail or skip the build step.",
+    fix:    "Add a build script to package.json, e.g. \"build\": \"tsc\" or \"build\": \"vite build\".",
+  }),
+  CONSOLE_LOG_FOUND: (file, line) => ({
+    title:  `console.log left in ${file}`,
+    impact: "Debug logs expose internal data and clutter production output. They may leak sensitive information.",
+    fix:    `Remove or replace the console.log in ${file} line ${line} with a proper logger.`,
+  }),
+  HARDCODED_LOCALHOST: (file, line) => ({
+    title:  `Hardcoded localhost URL in ${file}`,
+    impact: "This will break in production — localhost only works on your machine.",
+    fix:    `Replace the localhost URL in ${file} line ${line} with an environment variable.`,
+  }),
+  ENV_NOT_GITIGNORED: () => ({
+    title:  ".env is not in .gitignore",
+    impact: "Your .env file could be committed to git, exposing secrets to anyone with repo access.",
+    fix:    "Add .env to your .gitignore file immediately.",
+  }),
   NODE_MODULES_STALE: () => ({
     title:  "node_modules may be out of date",
     impact: "package.json was modified after node_modules was last updated. You may be running old or missing dependencies.",
@@ -394,6 +444,214 @@ function renderInteractiveOutput(blockers, warnings, infos, elapsed) {
   return lines.join("\n");
 }
 
+
+function checkEnvGitignored(cwd) {
+  const issues = [];
+  if (!fileExists(path.join(cwd, ".env"))) return issues;
+  const gitignore = readFileSafe(path.join(cwd, ".gitignore"));
+  if (!gitignore) {
+    issues.push({ severity: "block", ...IMPACTS.ENV_NOT_GITIGNORED() });
+    return issues;
+  }
+  const lines = gitignore.split("\n").map(l => l.trim());
+  const ignored = lines.some(l => l === ".env" || l === "*.env" || l === ".env*");
+  if (!ignored) {
+    issues.push({ severity: "block", ...IMPACTS.ENV_NOT_GITIGNORED() });
+  }
+  return issues;
+}
+
+function checkHardcodedLocalhost(cwd) {
+  const issues = [];
+  const extensions = ['.js', '.ts', '.jsx', '.tsx', '.env.example', '.json', '.html'];
+  const ignore = ['node_modules', '.git', 'dist', 'build', '.next', '.vscode'];
+  const localhostRe = /https?:\/\/localhost[:/]/;
+
+  function walk(dir) {
+    let entries;
+    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
+    for (const entry of entries) {
+      if (ignore.includes(entry.name)) continue;
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) { walk(full); continue; }
+      if (!extensions.some(ext => entry.name.endsWith(ext))) continue;
+      const content = readFileSafe(full);
+      if (!content) continue;
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (localhostRe.test(lines[i])) {
+          const rel = path.relative(cwd, full);
+          issues.push({ severity: "warn", ...IMPACTS.HARDCODED_LOCALHOST(rel, i + 1) });
+          break; // one issue per file
+        }
+      }
+    }
+  }
+
+  walk(cwd);
+  return issues;
+}
+
+function checkConsoleLogs(cwd) {
+  const issues = [];
+  const extensions = ['.js', '.ts', '.jsx', '.tsx'];
+  const ignore = ['node_modules', '.git', 'dist', 'build', '.next', '.vscode'];
+  const consoleRe = /console\.log\s*\(/;
+
+  function walk(dir) {
+    let entries;
+    try { entries = require('fs').readdirSync(dir, { withFileTypes: true }); } catch { return; }
+    for (const entry of entries) {
+      if (ignore.includes(entry.name)) continue;
+      const full = require('path').join(dir, entry.name);
+      if (entry.isDirectory()) { walk(full); continue; }
+      if (!extensions.some(ext => entry.name.endsWith(ext))) continue;
+      const src = readFileSafe(full);
+      if (!src) continue;
+      const lines = src.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (consoleRe.test(lines[i])) {
+          const rel = require('path').relative(cwd, full);
+          issues.push({ severity: "warn", ...IMPACTS.CONSOLE_LOG_FOUND(rel, i + 1) });
+          break;
+        }
+      }
+    }
+  }
+
+  walk(cwd);
+  return issues;
+}
+
+function checkBuildScript(cwd) {
+  const issues = [];
+  const pkgRaw = readFileSafe(require('path').join(cwd, "package.json"));
+  if (!pkgRaw) return issues;
+  try {
+    const pkg = JSON.parse(pkgRaw);
+    const scripts = pkg.scripts || {};
+    if (!scripts.build) {
+      issues.push({ severity: "warn", ...IMPACTS.MISSING_BUILD_SCRIPT() });
+    }
+  } catch {}
+  return issues;
+}
+
+function checkEnvExample(cwd) {
+  const issues = [];
+  const p = require('path');
+  if (!readFileSafe(p.join(cwd, ".env"))) return issues;
+  if (!readFileSafe(p.join(cwd, ".env.example")) && !readFileSafe(p.join(cwd, ".env.sample"))) {
+    issues.push({ severity: "info", ...IMPACTS.MISSING_ENV_EXAMPLE() });
+  }
+  return issues;
+}
+
+function checkDebugFlags(cwd) {
+  const issues = [];
+  const envVars = readFileSafe(require('path').join(cwd, ".env"));
+  if (!envVars) return issues;
+  const debugKeys = ['DEBUG', 'NODE_ENV'];
+  for (const line of envVars.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const [key, val] = trimmed.split('=');
+    if (!key || !val) continue;
+    const k = key.trim().toUpperCase();
+    const v = val.trim().toLowerCase();
+    if (k === 'DEBUG' && (v === 'true' || v === '1' || v === '*')) {
+      issues.push({ severity: "warn", ...IMPACTS.DEBUG_FLAG_ENABLED(key.trim()) });
+    }
+    if (k === 'NODE_ENV' && v === 'development') {
+      issues.push({ severity: "warn", ...IMPACTS.DEBUG_FLAG_ENABLED(key.trim()) });
+    }
+  }
+  return issues;
+}
+
+function checkStartScript(cwd) {
+  const issues = [];
+  const pkgRaw = readFileSafe(require('path').join(cwd, "package.json"));
+  if (!pkgRaw) return issues;
+  try {
+    const pkg = JSON.parse(pkgRaw);
+    const scripts = pkg.scripts || {};
+    if (!scripts.start) {
+      issues.push({ severity: "warn", ...IMPACTS.MISSING_START_SCRIPT() });
+    }
+  } catch {}
+  return issues;
+}
+
+function checkWeakSecrets(cwd) {
+  const issues = [];
+  const envVars = readFileSafe(require('path').join(cwd, ".env"));
+  if (!envVars) return issues;
+  const weakValues = ['secret', 'password', 'changeme', 'example', 'test', '123456', 'qwerty', 'abc123', 'letmein', 'admin', 'root', 'default'];
+  const secretKeys = ['secret', 'password', 'key', 'token', 'jwt', 'api_key', 'apikey', 'auth', 'pass'];
+  for (const line of envVars.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eqIdx = trimmed.indexOf('=');
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim().toLowerCase();
+    const val = trimmed.slice(eqIdx + 1).trim().toLowerCase();
+    if (!val) continue;
+    const isSecretKey = secretKeys.some(k => key.includes(k));
+    const isWeakVal = weakValues.includes(val);
+    if (isSecretKey && isWeakVal) {
+      issues.push({ severity: "block", ...IMPACTS.WEAK_SECRET(trimmed.slice(0, eqIdx).trim(), val) });
+    }
+  }
+  return issues;
+}
+
+function checkDebuggerStatements(cwd) {
+  const issues = [];
+  const extensions = ['.js', '.ts', '.jsx', '.tsx'];
+  const ignore = ['node_modules', '.git', 'dist', 'build', '.next', '.vscode'];
+  const debuggerRe = /^\s*debugger\s*;?\s*$/;
+
+  function walk(dir) {
+    let entries;
+    try { entries = require('fs').readdirSync(dir, { withFileTypes: true }); } catch { return; }
+    for (const entry of entries) {
+      if (ignore.includes(entry.name)) continue;
+      const full = require('path').join(dir, entry.name);
+      if (entry.isDirectory()) { walk(full); continue; }
+      if (!extensions.some(ext => entry.name.endsWith(ext))) continue;
+      const src = readFileSafe(full);
+      if (!src) continue;
+      const lines = src.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (debuggerRe.test(lines[i])) {
+          const rel = require('path').relative(cwd, full);
+          issues.push({ severity: "block", ...IMPACTS.DEBUGGER_STATEMENT(rel, i + 1) });
+          break;
+        }
+      }
+    }
+  }
+
+  walk(cwd);
+  return issues;
+}
+
+function checkWildcardDeps(cwd) {
+  const issues = [];
+  const pkgRaw = readFileSafe(require('path').join(cwd, "package.json"));
+  if (!pkgRaw) return issues;
+  try {
+    const pkg = JSON.parse(pkgRaw);
+    const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+    for (const [name, version] of Object.entries(allDeps)) {
+      if (version === '*' || version === 'latest') {
+        issues.push({ severity: "warn", ...IMPACTS.WILDCARD_DEPENDENCY(name) });
+      }
+    }
+  } catch {}
+  return issues;
+}
 async function runScan(options = {}) {
   const { hookMode = false, quiet = false, cwd = process.cwd() } = options;
   const start = Date.now();
@@ -408,6 +666,16 @@ async function runScan(options = {}) {
     ...checkLockfileSync(cwd),
     ...checkTypeScript(cwd),
     ...checkNpmAudit(cwd),
+    ...checkEnvGitignored(cwd),
+    ...checkHardcodedLocalhost(cwd),
+    ...checkConsoleLogs(cwd),
+    ...checkDebuggerStatements(cwd),
+    ...checkBuildScript(cwd),
+    ...checkStartScript(cwd),
+    ...checkWildcardDeps(cwd),
+    ...checkEnvExample(cwd),
+    ...checkDebugFlags(cwd),
+    ...checkWeakSecrets(cwd),
     ...checkNodeVersion(cwd),
     ...checkPythonVersion(cwd),
   ];