toolip 1.0.6 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +189 -448
- package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
- package/dist/src/analyzers/ast/rules.d.ts +48 -0
- package/dist/src/analyzers/ast/rules.js +39 -0
- package/dist/src/analyzers/ast/rules.js.map +1 -0
- package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
- package/dist/src/analyzers/ast/source-analysis.js +225 -0
- package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
- package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
- package/dist/src/analyzers/docker/analyzer.js +103 -0
- package/dist/src/analyzers/docker/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
- package/dist/src/analyzers/git-history/analyzer.js +157 -0
- package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
- package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
- package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
- package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
- package/dist/src/analyzers/reachability/import-graph.js +110 -0
- package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
- package/dist/src/analyzers/vulnerability/severity.js +13 -0
- package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
- package/dist/src/application/analyzer-runner.d.ts +12 -0
- package/dist/src/application/analyzer-runner.js +45 -0
- package/dist/src/application/analyzer-runner.js.map +1 -0
- package/dist/src/commands/alternatives.d.ts +2 -0
- package/dist/src/commands/alternatives.js +17 -0
- package/dist/src/commands/alternatives.js.map +1 -0
- package/dist/src/commands/announce.d.ts +2 -0
- package/dist/src/commands/announce.js +27 -0
- package/dist/src/commands/announce.js.map +1 -0
- package/dist/src/commands/ast-scan.d.ts +2 -0
- package/dist/src/commands/ast-scan.js +86 -0
- package/dist/src/commands/ast-scan.js.map +1 -0
- package/dist/src/commands/audit-repo.d.ts +2 -0
- package/dist/src/commands/audit-repo.js +20 -0
- package/dist/src/commands/audit-repo.js.map +1 -0
- package/dist/src/commands/compare.d.ts +2 -0
- package/dist/src/commands/compare.js +19 -0
- package/dist/src/commands/compare.js.map +1 -0
- package/dist/src/commands/config.d.ts +2 -0
- package/dist/src/commands/config.js +69 -0
- package/dist/src/commands/config.js.map +1 -0
- package/dist/src/commands/dependency-confusion.d.ts +2 -0
- package/dist/src/commands/dependency-confusion.js +37 -0
- package/dist/src/commands/dependency-confusion.js.map +1 -0
- package/dist/src/commands/diff.d.ts +2 -0
- package/dist/src/commands/diff.js +24 -0
- package/dist/src/commands/diff.js.map +1 -0
- package/dist/src/commands/docker-scan.d.ts +2 -0
- package/dist/src/commands/docker-scan.js +34 -0
- package/dist/src/commands/docker-scan.js.map +1 -0
- package/dist/src/commands/doctor.d.ts +2 -0
- package/dist/src/commands/doctor.js +42 -0
- package/dist/src/commands/doctor.js.map +1 -0
- package/dist/src/commands/git-audit.d.ts +2 -0
- package/dist/src/commands/git-audit.js +37 -0
- package/dist/src/commands/git-audit.js.map +1 -0
- package/dist/src/commands/git-history.d.ts +2 -0
- package/dist/src/commands/git-history.js +40 -0
- package/dist/src/commands/git-history.js.map +1 -0
- package/dist/src/commands/history.d.ts +2 -0
- package/dist/src/commands/history.js +69 -0
- package/dist/src/commands/history.js.map +1 -0
- package/dist/src/commands/hook.d.ts +2 -0
- package/dist/src/commands/hook.js +16 -0
- package/dist/src/commands/hook.js.map +1 -0
- package/dist/src/commands/inspect.d.ts +2 -0
- package/dist/src/commands/inspect.js +24 -0
- package/dist/src/commands/inspect.js.map +1 -0
- package/dist/src/commands/install-scripts.d.ts +2 -0
- package/dist/src/commands/install-scripts.js +52 -0
- package/dist/src/commands/install-scripts.js.map +1 -0
- package/dist/src/commands/learn.d.ts +2 -0
- package/dist/src/commands/learn.js +42 -0
- package/dist/src/commands/learn.js.map +1 -0
- package/dist/src/commands/licenses.d.ts +2 -0
- package/dist/src/commands/licenses.js +40 -0
- package/dist/src/commands/licenses.js.map +1 -0
- package/dist/src/commands/mcp.d.ts +2 -0
- package/dist/src/commands/mcp.js +10 -0
- package/dist/src/commands/mcp.js.map +1 -0
- package/dist/src/commands/monorepo.d.ts +2 -0
- package/dist/src/commands/monorepo.js +21 -0
- package/dist/src/commands/monorepo.js.map +1 -0
- package/dist/src/commands/package-health.d.ts +2 -0
- package/dist/src/commands/package-health.js +50 -0
- package/dist/src/commands/package-health.js.map +1 -0
- package/dist/src/commands/pre-commit.d.ts +2 -0
- package/dist/src/commands/pre-commit.js +37 -0
- package/dist/src/commands/pre-commit.js.map +1 -0
- package/dist/src/commands/profile.d.ts +2 -0
- package/dist/src/commands/profile.js +18 -0
- package/dist/src/commands/profile.js.map +1 -0
- package/dist/src/commands/publish.d.ts +2 -0
- package/dist/src/commands/publish.js +25 -0
- package/dist/src/commands/publish.js.map +1 -0
- package/dist/src/commands/reachability.d.ts +2 -0
- package/dist/src/commands/reachability.js +47 -0
- package/dist/src/commands/reachability.js.map +1 -0
- package/dist/src/commands/sbom.d.ts +2 -0
- package/dist/src/commands/sbom.js +33 -0
- package/dist/src/commands/sbom.js.map +1 -0
- package/dist/src/commands/scan.d.ts +2 -0
- package/dist/src/commands/scan.js +48 -0
- package/dist/src/commands/scan.js.map +1 -0
- package/dist/src/commands/score.d.ts +2 -0
- package/dist/src/commands/score.js +24 -0
- package/dist/src/commands/score.js.map +1 -0
- package/dist/src/commands/self-test.d.ts +2 -0
- package/dist/src/commands/self-test.js +63 -0
- package/dist/src/commands/self-test.js.map +1 -0
- package/dist/src/commands/tree.d.ts +2 -0
- package/dist/src/commands/tree.js +21 -0
- package/dist/src/commands/tree.js.map +1 -0
- package/dist/src/commands/upgrade-pr.d.ts +2 -0
- package/dist/src/commands/upgrade-pr.js +15 -0
- package/dist/src/commands/upgrade-pr.js.map +1 -0
- package/dist/src/commands/vault.d.ts +2 -0
- package/dist/src/commands/vault.js +86 -0
- package/dist/src/commands/vault.js.map +1 -0
- package/dist/src/commands/vulnerabilities.d.ts +2 -0
- package/dist/src/commands/vulnerabilities.js +42 -0
- package/dist/src/commands/vulnerabilities.js.map +1 -0
- package/dist/src/commands/watch.d.ts +2 -0
- package/dist/src/commands/watch.js +34 -0
- package/dist/src/commands/watch.js.map +1 -0
- package/dist/src/config/version.d.ts +6 -0
- package/dist/src/config/version.js +29 -0
- package/dist/src/config/version.js.map +1 -0
- package/dist/src/contracts/analyzer.d.ts +23 -0
- package/dist/src/contracts/analyzer.js +2 -0
- package/dist/src/contracts/analyzer.js.map +1 -0
- package/dist/src/contracts/finding.d.ts +35 -0
- package/dist/src/contracts/finding.js +13 -0
- package/dist/src/contracts/finding.js.map +1 -0
- package/dist/src/contracts/report.d.ts +30 -0
- package/dist/src/contracts/report.js +2 -0
- package/dist/src/contracts/report.js.map +1 -0
- package/dist/src/contracts/rule.d.ts +12 -0
- package/dist/src/contracts/rule.js +7 -0
- package/dist/src/contracts/rule.js.map +1 -0
- package/dist/src/core/alternatives.d.ts +8 -0
- package/dist/src/core/alternatives.js +35 -0
- package/dist/src/core/alternatives.js.map +1 -0
- package/dist/src/core/analyze-package.d.ts +2 -0
- package/dist/src/core/analyze-package.js +49 -0
- package/dist/src/core/analyze-package.js.map +1 -0
- package/dist/src/core/announce/generate.d.ts +9 -0
- package/dist/src/core/announce/generate.js +19 -0
- package/dist/src/core/announce/generate.js.map +1 -0
- package/dist/src/core/compare-packages.d.ts +7 -0
- package/dist/src/core/compare-packages.js +19 -0
- package/dist/src/core/compare-packages.js.map +1 -0
- package/dist/src/core/config/load.d.ts +3 -0
- package/dist/src/core/config/load.js +21 -0
- package/dist/src/core/config/load.js.map +1 -0
- package/dist/src/core/config/policy.d.ts +3 -0
- package/dist/src/core/config/policy.js +48 -0
- package/dist/src/core/config/policy.js.map +1 -0
- package/dist/src/core/config/schema.d.ts +172 -0
- package/dist/src/core/config/schema.js +84 -0
- package/dist/src/core/config/schema.js.map +1 -0
- package/dist/src/core/dependencies/inventory.d.ts +9 -0
- package/dist/src/core/dependencies/inventory.js +43 -0
- package/dist/src/core/dependencies/inventory.js.map +1 -0
- package/dist/src/core/dependency-scan.d.ts +17 -0
- package/dist/src/core/dependency-scan.js +70 -0
- package/dist/src/core/dependency-scan.js.map +1 -0
- package/dist/src/core/dependency-tree.d.ts +16 -0
- package/dist/src/core/dependency-tree.js +19 -0
- package/dist/src/core/dependency-tree.js.map +1 -0
- package/dist/src/core/dependency-types.d.ts +17 -0
- package/dist/src/core/dependency-types.js +2 -0
- package/dist/src/core/dependency-types.js.map +1 -0
- package/dist/src/core/diff/security-diff.d.ts +10 -0
- package/dist/src/core/diff/security-diff.js +20 -0
- package/dist/src/core/diff/security-diff.js.map +1 -0
- package/dist/src/core/file-walker.d.ts +6 -0
- package/dist/src/core/file-walker.js +27 -0
- package/dist/src/core/file-walker.js.map +1 -0
- package/dist/src/core/git-audit.d.ts +12 -0
- package/dist/src/core/git-audit.js +111 -0
- package/dist/src/core/git-audit.js.map +1 -0
- package/dist/src/core/github/remote-audit.d.ts +5 -0
- package/dist/src/core/github/remote-audit.js +28 -0
- package/dist/src/core/github/remote-audit.js.map +1 -0
- package/dist/src/core/github/upgrade-pr.d.ts +4 -0
- package/dist/src/core/github/upgrade-pr.js +41 -0
- package/dist/src/core/github/upgrade-pr.js.map +1 -0
- package/dist/src/core/history/git-metadata.d.ts +5 -0
- package/dist/src/core/history/git-metadata.js +37 -0
- package/dist/src/core/history/git-metadata.js.map +1 -0
- package/dist/src/core/history/store.d.ts +5 -0
- package/dist/src/core/history/store.js +65 -0
- package/dist/src/core/history/store.js.map +1 -0
- package/dist/src/core/history/types.d.ts +27 -0
- package/dist/src/core/history/types.js +2 -0
- package/dist/src/core/history/types.js.map +1 -0
- package/dist/src/core/hooks.d.ts +1 -0
- package/dist/src/core/hooks.js +14 -0
- package/dist/src/core/hooks.js.map +1 -0
- package/dist/src/core/learn.d.ts +11 -0
- package/dist/src/core/learn.js +163 -0
- package/dist/src/core/learn.js.map +1 -0
- package/dist/src/core/license-analysis.d.ts +18 -0
- package/dist/src/core/license-analysis.js +98 -0
- package/dist/src/core/license-analysis.js.map +1 -0
- package/dist/src/core/load-toolip-ignore.d.ts +5 -0
- package/dist/src/core/load-toolip-ignore.js +35 -0
- package/dist/src/core/load-toolip-ignore.js.map +1 -0
- package/dist/src/core/monorepo/discover.d.ts +7 -0
- package/dist/src/core/monorepo/discover.js +49 -0
- package/dist/src/core/monorepo/discover.js.map +1 -0
- package/dist/src/core/npm-registry.d.ts +3 -0
- package/dist/src/core/npm-registry.js +5 -0
- package/dist/src/core/npm-registry.js.map +1 -0
- package/dist/src/core/pre-commit.d.ts +11 -0
- package/dist/src/core/pre-commit.js +22 -0
- package/dist/src/core/pre-commit.js.map +1 -0
- package/dist/src/core/profile-project.d.ts +23 -0
- package/dist/src/core/profile-project.js +119 -0
- package/dist/src/core/profile-project.js.map +1 -0
- package/dist/src/core/publish/html.d.ts +6 -0
- package/dist/src/core/publish/html.js +44 -0
- package/dist/src/core/publish/html.js.map +1 -0
- package/dist/src/core/read-dependencies.d.ts +2 -0
- package/dist/src/core/read-dependencies.js +24 -0
- package/dist/src/core/read-dependencies.js.map +1 -0
- package/dist/src/core/report-writer.d.ts +5 -0
- package/dist/src/core/report-writer.js +61 -0
- package/dist/src/core/report-writer.js.map +1 -0
- package/dist/src/core/report.d.ts +34 -0
- package/dist/src/core/report.js +26 -0
- package/dist/src/core/report.js.map +1 -0
- package/dist/src/core/risk-score.d.ts +5 -0
- package/dist/src/core/risk-score.js +14 -0
- package/dist/src/core/risk-score.js.map +1 -0
- package/dist/src/core/sbom/generate.d.ts +2 -0
- package/dist/src/core/sbom/generate.js +120 -0
- package/dist/src/core/sbom/generate.js.map +1 -0
- package/dist/src/core/scanner-context.d.ts +12 -0
- package/dist/src/core/scanner-context.js +27 -0
- package/dist/src/core/scanner-context.js.map +1 -0
- package/dist/src/core/score.d.ts +13 -0
- package/dist/src/core/score.js +44 -0
- package/dist/src/core/score.js.map +1 -0
- package/dist/src/core/security-doctor.d.ts +12 -0
- package/dist/src/core/security-doctor.js +158 -0
- package/dist/src/core/security-doctor.js.map +1 -0
- package/dist/src/core/security-patterns.d.ts +14 -0
- package/dist/src/core/security-patterns.js +139 -0
- package/dist/src/core/security-patterns.js.map +1 -0
- package/dist/src/core/typosquat.d.ts +6 -0
- package/dist/src/core/typosquat.js +50 -0
- package/dist/src/core/typosquat.js.map +1 -0
- package/dist/src/core/vault.d.ts +48 -0
- package/dist/src/core/vault.js +127 -0
- package/dist/src/core/vault.js.map +1 -0
- package/dist/src/core/watch/watch.d.ts +5 -0
- package/dist/src/core/watch/watch.js +49 -0
- package/dist/src/core/watch/watch.js.map +1 -0
- package/dist/src/errors/toolip-error.d.ts +8 -0
- package/dist/src/errors/toolip-error.js +11 -0
- package/dist/src/errors/toolip-error.js.map +1 -0
- package/dist/src/index.d.ts +2 -0
- package/dist/src/index.js +89 -0
- package/dist/src/index.js.map +1 -0
- package/dist/src/mcp/server.d.ts +1 -0
- package/dist/src/mcp/server.js +64 -0
- package/dist/src/mcp/server.js.map +1 -0
- package/dist/src/providers/depsdev/client.d.ts +71 -0
- package/dist/src/providers/depsdev/client.js +44 -0
- package/dist/src/providers/depsdev/client.js.map +1 -0
- package/dist/src/providers/osv/client.d.ts +15 -0
- package/dist/src/providers/osv/client.js +51 -0
- package/dist/src/providers/osv/client.js.map +1 -0
- package/dist/src/providers/osv/types.d.ts +38 -0
- package/dist/src/providers/osv/types.js +2 -0
- package/dist/src/providers/osv/types.js.map +1 -0
- package/dist/src/storage/memory-cache.d.ts +7 -0
- package/dist/src/storage/memory-cache.js +25 -0
- package/dist/src/storage/memory-cache.js.map +1 -0
- package/dist/src/utils/error-handler.d.ts +1 -0
- package/dist/src/utils/error-handler.js +24 -0
- package/dist/src/utils/error-handler.js.map +1 -0
- package/dist/src/utils/output.d.ts +6 -0
- package/dist/src/utils/output.js +72 -0
- package/dist/src/utils/output.js.map +1 -0
- package/dist/src/utils/package-output.d.ts +4 -0
- package/dist/src/utils/package-output.js +40 -0
- package/dist/src/utils/package-output.js.map +1 -0
- package/package.json +13 -8
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
export const toolipConfigSchema = z.object({
|
|
3
|
+
schemaVersion: z.literal('1.0').default('1.0'),
|
|
4
|
+
include: z.array(z.string()).default([]),
|
|
5
|
+
exclude: z.array(z.string()).default([]),
|
|
6
|
+
rules: z
|
|
7
|
+
.record(z.object({
|
|
8
|
+
enabled: z.boolean().optional(),
|
|
9
|
+
severity: z
|
|
10
|
+
.enum([
|
|
11
|
+
'critical',
|
|
12
|
+
'high',
|
|
13
|
+
'medium',
|
|
14
|
+
'low',
|
|
15
|
+
'info'
|
|
16
|
+
])
|
|
17
|
+
.optional(),
|
|
18
|
+
paths: z
|
|
19
|
+
.array(z.object({
|
|
20
|
+
pattern: z.string(),
|
|
21
|
+
severity: z
|
|
22
|
+
.enum([
|
|
23
|
+
'critical',
|
|
24
|
+
'high',
|
|
25
|
+
'medium',
|
|
26
|
+
'low',
|
|
27
|
+
'info'
|
|
28
|
+
])
|
|
29
|
+
.optional(),
|
|
30
|
+
enabled: z.boolean().optional()
|
|
31
|
+
}))
|
|
32
|
+
.optional()
|
|
33
|
+
}))
|
|
34
|
+
.default({}),
|
|
35
|
+
suppressions: z
|
|
36
|
+
.array(z.object({
|
|
37
|
+
ruleId: z.string(),
|
|
38
|
+
path: z.string().optional(),
|
|
39
|
+
reason: z.string().min(3),
|
|
40
|
+
expiresAt: z.string().datetime().optional()
|
|
41
|
+
}))
|
|
42
|
+
.default([]),
|
|
43
|
+
history: z
|
|
44
|
+
.object({
|
|
45
|
+
enabled: z.boolean().default(true),
|
|
46
|
+
maxEntries: z.number().int().positive().max(5000).default(500)
|
|
47
|
+
})
|
|
48
|
+
.default({
|
|
49
|
+
enabled: true,
|
|
50
|
+
maxEntries: 500
|
|
51
|
+
}),
|
|
52
|
+
providers: z
|
|
53
|
+
.object({
|
|
54
|
+
osv: z
|
|
55
|
+
.object({
|
|
56
|
+
enabled: z.boolean().default(true),
|
|
57
|
+
timeoutMs: z.number().int().positive().default(20000)
|
|
58
|
+
})
|
|
59
|
+
.default({
|
|
60
|
+
enabled: true,
|
|
61
|
+
timeoutMs: 20000
|
|
62
|
+
}),
|
|
63
|
+
depsDev: z
|
|
64
|
+
.object({
|
|
65
|
+
enabled: z.boolean().default(true),
|
|
66
|
+
timeoutMs: z.number().int().positive().default(20000)
|
|
67
|
+
})
|
|
68
|
+
.default({
|
|
69
|
+
enabled: true,
|
|
70
|
+
timeoutMs: 20000
|
|
71
|
+
})
|
|
72
|
+
})
|
|
73
|
+
.default({
|
|
74
|
+
osv: {
|
|
75
|
+
enabled: true,
|
|
76
|
+
timeoutMs: 20000
|
|
77
|
+
},
|
|
78
|
+
depsDev: {
|
|
79
|
+
enabled: true,
|
|
80
|
+
timeoutMs: 20000
|
|
81
|
+
}
|
|
82
|
+
})
|
|
83
|
+
});
|
|
84
|
+
//# sourceMappingURL=schema.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../src/core/config/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAC9C,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,KAAK,EAAE,CAAC;SACL,MAAM,CACL,CAAC,CAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAC/B,QAAQ,EAAE,CAAC;aACR,IAAI,CAAC;YACJ,UAAU;YACV,MAAM;YACN,QAAQ;YACR,KAAK;YACL,MAAM;SACP,CAAC;aACD,QAAQ,EAAE;QACb,KAAK,EAAE,CAAC;aACL,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;YACnB,QAAQ,EAAE,CAAC;iBACR,IAAI,CAAC;gBACJ,UAAU;gBACV,MAAM;gBACN,QAAQ;gBACR,KAAK;gBACL,MAAM;aACP,CAAC;iBACD,QAAQ,EAAE;YACb,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;SAChC,CAAC,CACH;aACA,QAAQ,EAAE;KACd,CAAC,CACH;SACA,OAAO,CAAC,EAAE,CAAC;IACd,YAAY,EAAE,CAAC;SACZ,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;QACP,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACzB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;KAC5C,CAAC,CACH;SACA,OAAO,CAAC,EAAE,CAAC;IACd,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QAClC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;KAC/D,CAAC;SACD,OAAO,CAAC;QACP,OAAO,EAAE,IAAI;QACb,UAAU,EAAE,GAAG;KAChB,CAAC;IACJ,SAAS,EAAE,CAAC;SACT,MAAM,CAAC;QACN,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;YAClC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;SACtD,CAAC;aACD,OAAO,CAAC;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB,CAAC;QACJ,OAAO,EAAE,CAAC;aACP,MAAM,CAAC;YACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;YAClC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;SACtD,CAAC;aACD,OAAO,CAAC;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB,CAAC;KACL,CAAC;SACD,OAAO,CAAC;QACP,GAAG,EAAE;YACH,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB;QACD,OAAO,EAAE;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB;KACF,CAAC;CACL,CAAC,CAAC"}
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
import { readFile } from 'node:fs/promises';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
function packageNameFromLockPath(lockPath) {
|
|
4
|
+
const marker = 'node_modules/';
|
|
5
|
+
const markerIndex = lockPath.lastIndexOf(marker);
|
|
6
|
+
if (markerIndex === -1)
|
|
7
|
+
return undefined;
|
|
8
|
+
return lockPath.slice(markerIndex + marker.length);
|
|
9
|
+
}
|
|
10
|
+
function isDirectPackagePath(lockPath) {
|
|
11
|
+
if (!lockPath.startsWith('node_modules/'))
|
|
12
|
+
return false;
|
|
13
|
+
const remainder = lockPath.slice('node_modules/'.length);
|
|
14
|
+
if (remainder.startsWith('@'))
|
|
15
|
+
return remainder.split('/').length === 2;
|
|
16
|
+
return !remainder.includes('/');
|
|
17
|
+
}
|
|
18
|
+
export async function readNpmDependencyInventory(root) {
|
|
19
|
+
const raw = await readFile(path.join(root, 'package-lock.json'), 'utf8');
|
|
20
|
+
const lockfile = JSON.parse(raw);
|
|
21
|
+
if (!lockfile.packages) {
|
|
22
|
+
throw new Error('Toolip requires package-lock.json lockfileVersion 2 or newer.');
|
|
23
|
+
}
|
|
24
|
+
const dependencies = new Map();
|
|
25
|
+
for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
|
|
26
|
+
if (lockPath === '' || !entry.version)
|
|
27
|
+
continue;
|
|
28
|
+
const name = entry.name ?? packageNameFromLockPath(lockPath);
|
|
29
|
+
if (!name)
|
|
30
|
+
continue;
|
|
31
|
+
const identity = {
|
|
32
|
+
ecosystem: 'npm',
|
|
33
|
+
name,
|
|
34
|
+
version: entry.version,
|
|
35
|
+
direct: isDirectPackagePath(lockPath),
|
|
36
|
+
development: Boolean(entry.dev),
|
|
37
|
+
source: 'package-lock'
|
|
38
|
+
};
|
|
39
|
+
dependencies.set(`npm:${identity.name}@${identity.version}`, identity);
|
|
40
|
+
}
|
|
41
|
+
return [...dependencies.values()].sort((a, b) => `${a.name}@${a.version}`.localeCompare(`${b.name}@${b.version}`));
|
|
42
|
+
}
|
|
43
|
+
//# sourceMappingURL=inventory.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"inventory.js","sourceRoot":"","sources":["../../../../src/core/dependencies/inventory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAmB7B,SAAS,uBAAuB,CAAC,QAAgB;IAC/C,MAAM,MAAM,GAAG,eAAe,CAAC;IAC/B,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACjD,IAAI,WAAW,KAAK,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACzC,OAAO,QAAQ,CAAC,KAAK,CAAC,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACzD,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IACxE,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,IAAY;IAC3D,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,mBAAmB,CAAC,EAAE,MAAM,CAAC,CAAC;IACzE,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;IAElD,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,GAAG,EAA8B,CAAC;IAE3D,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClE,IAAI,QAAQ,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;YAAE,SAAS;QAChD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC7D,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,QAAQ,GAAuB;YACnC,SAAS,EAAE,KAAK;YAChB,IAAI;YACJ,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,MAAM,EAAE,mBAAmB,CAAC,QAAQ,CAAC;YACrC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC;YAC/B,MAAM,EAAE,cAAc;SACvB,CAAC;QAEF,YAAY,CAAC,GAAG,CAAC,OAAO,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACzE,CAAC;IAED,OAAO,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAC9C,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CACjE,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
import type { PackageHealth } from './dependency-types.js';
|
|
2
|
+
import type { ToolipFinding } from './report.js';
|
|
3
|
+
export type DependencyScanResult = {
|
|
4
|
+
packages: PackageHealth[];
|
|
5
|
+
findings: ToolipFinding[];
|
|
6
|
+
summary: {
|
|
7
|
+
totalDependencies: number;
|
|
8
|
+
outdated: number;
|
|
9
|
+
deprecated: number;
|
|
10
|
+
highRisk: number;
|
|
11
|
+
mediumRisk: number;
|
|
12
|
+
lowRisk: number;
|
|
13
|
+
averageRiskScore: number;
|
|
14
|
+
};
|
|
15
|
+
};
|
|
16
|
+
export declare function scanDependencies(root: string): Promise<DependencyScanResult>;
|
|
17
|
+
export declare function packageToFindings(pkg: PackageHealth): ToolipFinding[];
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
import { readDependencies } from './read-dependencies.js';
|
|
2
|
+
import { analyzePackage } from './analyze-package.js';
|
|
3
|
+
export async function scanDependencies(root) {
|
|
4
|
+
const dependencies = await readDependencies(root);
|
|
5
|
+
const packages = await Promise.all(dependencies.map((dependency) => analyzePackage(dependency)));
|
|
6
|
+
const findings = packages.flatMap(packageToFindings);
|
|
7
|
+
return {
|
|
8
|
+
packages,
|
|
9
|
+
findings,
|
|
10
|
+
summary: {
|
|
11
|
+
totalDependencies: packages.length,
|
|
12
|
+
outdated: packages.filter((pkg) => pkg.outdated).length,
|
|
13
|
+
deprecated: packages.filter((pkg) => pkg.deprecated).length,
|
|
14
|
+
highRisk: packages.filter((pkg) => pkg.riskScore >= 70).length,
|
|
15
|
+
mediumRisk: packages.filter((pkg) => pkg.riskScore >= 40 && pkg.riskScore < 70).length,
|
|
16
|
+
lowRisk: packages.filter((pkg) => pkg.riskScore > 0 && pkg.riskScore < 40).length,
|
|
17
|
+
averageRiskScore: packages.length === 0
|
|
18
|
+
? 0
|
|
19
|
+
: Math.round(packages.reduce((total, pkg) => total + pkg.riskScore, 0) / packages.length)
|
|
20
|
+
}
|
|
21
|
+
};
|
|
22
|
+
}
|
|
23
|
+
export function packageToFindings(pkg) {
|
|
24
|
+
const findings = [];
|
|
25
|
+
if (pkg.deprecated) {
|
|
26
|
+
findings.push({
|
|
27
|
+
id: `TOOLIP-DEP-DEPRECATED-${pkg.name.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
|
|
28
|
+
title: `Deprecated package: ${pkg.name}`,
|
|
29
|
+
severity: 'high',
|
|
30
|
+
category: 'supply-chain',
|
|
31
|
+
message: `${pkg.name} is marked as deprecated on the npm registry.`,
|
|
32
|
+
recommendation: 'Replace deprecated packages with maintained alternatives and review migration notes.',
|
|
33
|
+
evidence: pkg.latestVersion ?? undefined
|
|
34
|
+
});
|
|
35
|
+
}
|
|
36
|
+
if (pkg.outdated) {
|
|
37
|
+
findings.push({
|
|
38
|
+
id: `TOOLIP-DEP-OUTDATED-${pkg.name.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
|
|
39
|
+
title: `Outdated package: ${pkg.name}`,
|
|
40
|
+
severity: 'medium',
|
|
41
|
+
category: 'supply-chain',
|
|
42
|
+
message: `${pkg.name} appears outdated. Installed: ${pkg.installedVersion}. Latest: ${pkg.latestVersion ?? 'unknown'}.`,
|
|
43
|
+
recommendation: 'Upgrade the package after checking changelogs, breaking changes, and test coverage.',
|
|
44
|
+
evidence: `${pkg.installedVersion} -> ${pkg.latestVersion ?? 'unknown'}`
|
|
45
|
+
});
|
|
46
|
+
}
|
|
47
|
+
if (pkg.maintainers === 0) {
|
|
48
|
+
findings.push({
|
|
49
|
+
id: `TOOLIP-DEP-NO-MAINTAINERS-${pkg.name.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
|
|
50
|
+
title: `No visible maintainers: ${pkg.name}`,
|
|
51
|
+
severity: 'medium',
|
|
52
|
+
category: 'supply-chain',
|
|
53
|
+
message: `${pkg.name} has no visible maintainer metadata from the registry response.`,
|
|
54
|
+
recommendation: 'Review package ownership, repository activity, and whether a better-maintained alternative exists.'
|
|
55
|
+
});
|
|
56
|
+
}
|
|
57
|
+
if (pkg.ageInDays !== null && pkg.ageInDays > 730) {
|
|
58
|
+
findings.push({
|
|
59
|
+
id: `TOOLIP-DEP-STALE-${pkg.name.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
|
|
60
|
+
title: `Possibly stale package: ${pkg.name}`,
|
|
61
|
+
severity: 'low',
|
|
62
|
+
category: 'supply-chain',
|
|
63
|
+
message: `${pkg.name} has not had a detected latest publish in more than two years.`,
|
|
64
|
+
recommendation: 'Confirm whether the package is intentionally stable or abandoned before relying on it.',
|
|
65
|
+
evidence: `${pkg.ageInDays} days`
|
|
66
|
+
});
|
|
67
|
+
}
|
|
68
|
+
return findings;
|
|
69
|
+
}
|
|
70
|
+
//# sourceMappingURL=dependency-scan.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependency-scan.js","sourceRoot":"","sources":["../../../src/core/dependency-scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAkBtD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAY;IACjD,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAChC,YAAY,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC,CAC7D,CAAC;IAEF,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAErD,OAAO;QACL,QAAQ;QACR,QAAQ;QACR,OAAO,EAAE;YACP,iBAAiB,EAAE,QAAQ,CAAC,MAAM;YAClC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,MAAM;YACvD,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,MAAM;YAC3D,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,MAAM;YAC9D,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,SAAS,IAAI,EAAE,IAAI,GAAG,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC,MAAM;YACtF,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,SAAS,GAAG,CAAC,IAAI,GAAG,CAAC,SAAS,GAAG,EAAE,CAAC,CAAC,MAAM;YACjF,gBAAgB,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;gBACrC,CAAC,CAAC,CAAC;gBACH,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,KAAK,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,GAAG,QAAQ,CAAC,MAAM,CAAC;SAC5F;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,GAAkB;IAClD,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC;QACnB,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,yBAAyB,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;YACnF,KAAK,EAAE,uBAAuB,GAAG,CAAC,IAAI,EAAE;YACxC,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,+CAA+C;YACnE,cAAc,EAAE,sFAAsF;YACtG,QAAQ,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;SACzC,CAAC,CAAC;IACL,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjB,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,uBAAuB,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;YACjF,KAAK,EAAE,qBAAqB,GAAG,CAAC,IAAI,EAAE;YACtC,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,iCAAiC,GAAG,CAAC,gBAAgB,aAAa,GAAG,CAAC,aAAa,IAAI,SAAS,GAAG;YACvH,cAAc,EAAE,qFAAqF;YACrG,QAAQ,EAAE,GAAG,GAAG,CAAC,gBAAgB,OAAO,GAAG,CAAC,aAAa,IAAI,SAAS,EAAE;SACzE,CAAC,CAAC;IACL,CAAC;IAED,IAAI,GAAG,CAAC,WAAW,KAAK,CAAC,EAAE,CAAC;QAC1B,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,6BAA6B,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;YACvF,KAAK,EAAE,2BAA2B,GAAG,CAAC,IAAI,EAAE;YAC5C,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,iEAAiE;YACrF,cAAc,EAAE,oGAAoG;SACrH,CAAC,CAAC;IACL,CAAC;IAED,IAAI,GAAG,CAAC,SAAS,KAAK,IAAI,IAAI,GAAG,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;QAClD,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,oBAAoB,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;YAC9E,KAAK,EAAE,2BAA2B,GAAG,CAAC,IAAI,EAAE;YAC5C,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,gEAAgE;YACpF,cAAc,EAAE,wFAAwF;YACxG,QAAQ,EAAE,GAAG,GAAG,CAAC,SAAS,OAAO;SAClC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
export type DependencyTreeNode = {
|
|
2
|
+
name: string;
|
|
3
|
+
version: string;
|
|
4
|
+
type: 'dependency' | 'devDependency';
|
|
5
|
+
children: DependencyTreeNode[];
|
|
6
|
+
};
|
|
7
|
+
export type DependencyTree = {
|
|
8
|
+
root: string;
|
|
9
|
+
dependencies: DependencyTreeNode[];
|
|
10
|
+
summary: {
|
|
11
|
+
direct: number;
|
|
12
|
+
transitive: number;
|
|
13
|
+
maxDepth: number;
|
|
14
|
+
};
|
|
15
|
+
};
|
|
16
|
+
export declare function buildDependencyTree(root: string): Promise<DependencyTree>;
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import { readDependencies } from './read-dependencies.js';
|
|
2
|
+
export async function buildDependencyTree(root) {
|
|
3
|
+
const dependencies = await readDependencies(root);
|
|
4
|
+
return {
|
|
5
|
+
root,
|
|
6
|
+
dependencies: dependencies.map((dependency) => ({
|
|
7
|
+
name: dependency.name,
|
|
8
|
+
version: dependency.version,
|
|
9
|
+
type: dependency.type,
|
|
10
|
+
children: []
|
|
11
|
+
})),
|
|
12
|
+
summary: {
|
|
13
|
+
direct: dependencies.length,
|
|
14
|
+
transitive: 0,
|
|
15
|
+
maxDepth: dependencies.length > 0 ? 1 : 0
|
|
16
|
+
}
|
|
17
|
+
};
|
|
18
|
+
}
|
|
19
|
+
//# sourceMappingURL=dependency-tree.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependency-tree.js","sourceRoot":"","sources":["../../../src/core/dependency-tree.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAmB1D,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAY;IACpD,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAElD,OAAO;QACL,IAAI;QACJ,YAAY,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAC9C,IAAI,EAAE,UAAU,CAAC,IAAI;YACrB,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,IAAI,EAAE,UAAU,CAAC,IAAI;YACrB,QAAQ,EAAE,EAAE;SACb,CAAC,CAAC;QACH,OAAO,EAAE;YACP,MAAM,EAAE,YAAY,CAAC,MAAM;YAC3B,UAAU,EAAE,CAAC;YACb,QAAQ,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;SAC1C;KACF,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
export type DependencyInfo = {
|
|
2
|
+
name: string;
|
|
3
|
+
version: string;
|
|
4
|
+
type: 'dependency' | 'devDependency';
|
|
5
|
+
};
|
|
6
|
+
export type PackageHealth = {
|
|
7
|
+
name: string;
|
|
8
|
+
latestVersion: string | null;
|
|
9
|
+
installedVersion: string;
|
|
10
|
+
outdated: boolean;
|
|
11
|
+
deprecated: boolean;
|
|
12
|
+
maintainers: number;
|
|
13
|
+
publishedAt: string | null;
|
|
14
|
+
ageInDays: number | null;
|
|
15
|
+
downloads: number | null;
|
|
16
|
+
riskScore: number;
|
|
17
|
+
};
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependency-types.js","sourceRoot":"","sources":["../../../src/core/dependency-types.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
export type SecurityDiffResult = {
|
|
2
|
+
base: string;
|
|
3
|
+
head: string;
|
|
4
|
+
files: string[];
|
|
5
|
+
packageManifestChanged: boolean;
|
|
6
|
+
lockfileChanged: boolean;
|
|
7
|
+
dockerfilesChanged: string[];
|
|
8
|
+
sourceFilesChanged: string[];
|
|
9
|
+
};
|
|
10
|
+
export declare function securityDiff(root: string, base: string, head: string): Promise<SecurityDiffResult>;
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
import { execFile } from 'node:child_process';
|
|
2
|
+
import { promisify } from 'node:util';
|
|
3
|
+
const execFileAsync = promisify(execFile);
|
|
4
|
+
export async function securityDiff(root, base, head) {
|
|
5
|
+
const { stdout } = await execFileAsync('git', ['diff', '--name-only', `${base}..${head}`], {
|
|
6
|
+
cwd: root,
|
|
7
|
+
encoding: 'utf8'
|
|
8
|
+
});
|
|
9
|
+
const files = stdout.split(/\r?\n/).filter(Boolean);
|
|
10
|
+
return {
|
|
11
|
+
base,
|
|
12
|
+
head,
|
|
13
|
+
files,
|
|
14
|
+
packageManifestChanged: files.some((file) => /(^|\/)package\.json$/.test(file)),
|
|
15
|
+
lockfileChanged: files.some((file) => /(^|\/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock)$/.test(file)),
|
|
16
|
+
dockerfilesChanged: files.filter((file) => /(^|\/)Dockerfile(?:\..+)?$/.test(file)),
|
|
17
|
+
sourceFilesChanged: files.filter((file) => /\.(js|jsx|ts|tsx|mjs|cjs)$/.test(file))
|
|
18
|
+
};
|
|
19
|
+
}
|
|
20
|
+
//# sourceMappingURL=security-diff.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"security-diff.js","sourceRoot":"","sources":["../../../../src/core/diff/security-diff.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAY1C,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAY,EACZ,IAAY,EACZ,IAAY;IAEZ,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,KAAK,EACL,CAAC,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,KAAK,IAAI,EAAE,CAAC,EAC3C;QACE,GAAG,EAAE,IAAI;QACT,QAAQ,EAAE,MAAM;KACjB,CACF,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEpD,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,KAAK;QACL,sBAAsB,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,wDAAwD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1G,kBAAkB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnF,kBAAkB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACpF,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
import path from 'node:path';
|
|
2
|
+
import fg from 'fast-glob';
|
|
3
|
+
import { loadToolipIgnore } from './load-toolip-ignore.js';
|
|
4
|
+
export async function walkProjectFiles(root) {
|
|
5
|
+
const absoluteRoot = path.resolve(root);
|
|
6
|
+
const toolipIgnore = await loadToolipIgnore(absoluteRoot);
|
|
7
|
+
const entries = await fg(['**/*'], {
|
|
8
|
+
cwd: absoluteRoot,
|
|
9
|
+
dot: true,
|
|
10
|
+
onlyFiles: true,
|
|
11
|
+
unique: true,
|
|
12
|
+
followSymbolicLinks: false,
|
|
13
|
+
ignore: toolipIgnore.patterns
|
|
14
|
+
});
|
|
15
|
+
return entries
|
|
16
|
+
.map((entry) => {
|
|
17
|
+
const absolutePath = path.join(absoluteRoot, entry);
|
|
18
|
+
return {
|
|
19
|
+
absolutePath,
|
|
20
|
+
relativePath: entry.replaceAll('\\', '/'),
|
|
21
|
+
extension: path.extname(entry).replace('.', '').toLowerCase()
|
|
22
|
+
};
|
|
23
|
+
})
|
|
24
|
+
.filter((file) => !toolipIgnore.ignores(file.absolutePath))
|
|
25
|
+
.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
|
|
26
|
+
}
|
|
27
|
+
//# sourceMappingURL=file-walker.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"file-walker.js","sourceRoot":"","sources":["../../../src/core/file-walker.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,WAAW,CAAC;AAC3B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAQ3D,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAY;IACjD,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACxC,MAAM,YAAY,GAAG,MAAM,gBAAgB,CAAC,YAAY,CAAC,CAAC;IAE1D,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,EAAE;QACjC,GAAG,EAAE,YAAY;QACjB,GAAG,EAAE,IAAI;QACT,SAAS,EAAE,IAAI;QACf,MAAM,EAAE,IAAI;QACZ,mBAAmB,EAAE,KAAK;QAC1B,MAAM,EAAE,YAAY,CAAC,QAAQ;KAC9B,CAAC,CAAC;IAEH,OAAO,OAAO;SACX,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QACb,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC;QACpD,OAAO;YACL,YAAY;YACZ,YAAY,EAAE,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,GAAG,CAAC;YACzC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE;SAC9D,CAAC;IACJ,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;SAC1D,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;AAClE,CAAC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import type { ToolipFinding } from './report.js';
|
|
2
|
+
export type GitAuditResult = {
|
|
3
|
+
findings: ToolipFinding[];
|
|
4
|
+
summary: {
|
|
5
|
+
filesChecked: number;
|
|
6
|
+
dangerousFiles: number;
|
|
7
|
+
gitignorePresent: boolean;
|
|
8
|
+
envIgnored: boolean;
|
|
9
|
+
pemIgnored: boolean;
|
|
10
|
+
};
|
|
11
|
+
};
|
|
12
|
+
export declare function runGitAudit(root: string): Promise<GitAuditResult>;
|
|
@@ -0,0 +1,111 @@
|
|
|
1
|
+
import { access, readFile } from 'node:fs/promises';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
import { walkProjectFiles } from './file-walker.js';
|
|
4
|
+
const dangerousFilePatterns = [
|
|
5
|
+
{
|
|
6
|
+
id: 'ENV-FILE',
|
|
7
|
+
regex: /(^|\/)\.env(\.|$|\/)?/i,
|
|
8
|
+
title: '.env file present',
|
|
9
|
+
severity: 'high',
|
|
10
|
+
message: 'A .env-style file exists in the project tree.',
|
|
11
|
+
recommendation: 'Keep .env files local, ensure they are ignored, and never commit real secrets.'
|
|
12
|
+
},
|
|
13
|
+
{
|
|
14
|
+
id: 'PEM-FILE',
|
|
15
|
+
regex: /\.pem$/i,
|
|
16
|
+
title: 'PEM file present',
|
|
17
|
+
severity: 'critical',
|
|
18
|
+
message: 'A PEM key file exists in the project tree.',
|
|
19
|
+
recommendation: 'Remove private key files from the repository and rotate affected credentials.'
|
|
20
|
+
},
|
|
21
|
+
{
|
|
22
|
+
id: 'KEY-FILE',
|
|
23
|
+
regex: /\.(key|p12|pfx)$/i,
|
|
24
|
+
title: 'Key/certificate file present',
|
|
25
|
+
severity: 'critical',
|
|
26
|
+
message: 'A key or certificate-like file exists in the project tree.',
|
|
27
|
+
recommendation: 'Do not store key material in source repositories.'
|
|
28
|
+
}
|
|
29
|
+
];
|
|
30
|
+
export async function runGitAudit(root) {
|
|
31
|
+
const files = await walkProjectFiles(root);
|
|
32
|
+
const relativePaths = files.map((file) => file.relativePath);
|
|
33
|
+
const gitignorePath = path.join(root, '.gitignore');
|
|
34
|
+
const gitignorePresent = await exists(gitignorePath);
|
|
35
|
+
const gitignoreContent = gitignorePresent ? await readFile(gitignorePath, 'utf8') : '';
|
|
36
|
+
const findings = [];
|
|
37
|
+
for (const file of relativePaths) {
|
|
38
|
+
for (const pattern of dangerousFilePatterns) {
|
|
39
|
+
if (!pattern.regex.test(file))
|
|
40
|
+
continue;
|
|
41
|
+
findings.push({
|
|
42
|
+
id: `TOOLIP-GIT-${pattern.id}-${file.toUpperCase().replaceAll(/[^A-Z0-9]/g, '-')}`,
|
|
43
|
+
title: pattern.title,
|
|
44
|
+
severity: pattern.severity,
|
|
45
|
+
category: 'git-security',
|
|
46
|
+
message: pattern.message,
|
|
47
|
+
recommendation: pattern.recommendation,
|
|
48
|
+
file
|
|
49
|
+
});
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
const envIgnored = ignoresPattern(gitignoreContent, '.env') || ignoresPattern(gitignoreContent, '.env.*');
|
|
53
|
+
const pemIgnored = ignoresPattern(gitignoreContent, '*.pem') || ignoresPattern(gitignoreContent, '.pem');
|
|
54
|
+
if (!gitignorePresent) {
|
|
55
|
+
findings.push({
|
|
56
|
+
id: 'TOOLIP-GIT-MISSING-GITIGNORE',
|
|
57
|
+
title: 'Missing .gitignore',
|
|
58
|
+
severity: 'medium',
|
|
59
|
+
category: 'git-security',
|
|
60
|
+
message: 'No .gitignore file was found.',
|
|
61
|
+
recommendation: 'Add a .gitignore file that excludes secrets, build output, dependencies, and local machine files.'
|
|
62
|
+
});
|
|
63
|
+
}
|
|
64
|
+
if (gitignorePresent && !envIgnored) {
|
|
65
|
+
findings.push({
|
|
66
|
+
id: 'TOOLIP-GIT-ENV-NOT-IGNORED',
|
|
67
|
+
title: '.env files may not be ignored',
|
|
68
|
+
severity: 'high',
|
|
69
|
+
category: 'git-security',
|
|
70
|
+
message: '.gitignore does not appear to ignore .env files.',
|
|
71
|
+
recommendation: 'Add .env and .env.* to .gitignore while allowing a safe .env.example.'
|
|
72
|
+
});
|
|
73
|
+
}
|
|
74
|
+
if (gitignorePresent && !pemIgnored) {
|
|
75
|
+
findings.push({
|
|
76
|
+
id: 'TOOLIP-GIT-PEM-NOT-IGNORED',
|
|
77
|
+
title: 'PEM files may not be ignored',
|
|
78
|
+
severity: 'medium',
|
|
79
|
+
category: 'git-security',
|
|
80
|
+
message: '.gitignore does not appear to ignore PEM files.',
|
|
81
|
+
recommendation: 'Add *.pem and other key material patterns to .gitignore.'
|
|
82
|
+
});
|
|
83
|
+
}
|
|
84
|
+
return {
|
|
85
|
+
findings,
|
|
86
|
+
summary: {
|
|
87
|
+
filesChecked: files.length,
|
|
88
|
+
dangerousFiles: findings.filter((finding) => finding.file).length,
|
|
89
|
+
gitignorePresent,
|
|
90
|
+
envIgnored,
|
|
91
|
+
pemIgnored
|
|
92
|
+
}
|
|
93
|
+
};
|
|
94
|
+
}
|
|
95
|
+
async function exists(filePath) {
|
|
96
|
+
try {
|
|
97
|
+
await access(filePath);
|
|
98
|
+
return true;
|
|
99
|
+
}
|
|
100
|
+
catch {
|
|
101
|
+
return false;
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
function ignoresPattern(gitignore, pattern) {
|
|
105
|
+
return gitignore
|
|
106
|
+
.split('\n')
|
|
107
|
+
.map((line) => line.trim())
|
|
108
|
+
.filter(Boolean)
|
|
109
|
+
.some((line) => line === pattern || line.includes(pattern));
|
|
110
|
+
}
|
|
111
|
+
//# sourceMappingURL=git-audit.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"git-audit.js","sourceRoot":"","sources":["../../../src/core/git-audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAcpD,MAAM,qBAAqB,GAAG;IAC5B;QACE,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,wBAAwB;QAC/B,KAAK,EAAE,mBAAmB;QAC1B,QAAQ,EAAE,MAAe;QACzB,OAAO,EAAE,+CAA+C;QACxD,cAAc,EAAE,gFAAgF;KACjG;IACD;QACE,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,SAAS;QAChB,KAAK,EAAE,kBAAkB;QACzB,QAAQ,EAAE,UAAmB;QAC7B,OAAO,EAAE,4CAA4C;QACrD,cAAc,EAAE,+EAA+E;KAChG;IACD;QACE,EAAE,EAAE,UAAU;QACd,KAAK,EAAE,mBAAmB;QAC1B,KAAK,EAAE,8BAA8B;QACrC,QAAQ,EAAE,UAAmB;QAC7B,OAAO,EAAE,4DAA4D;QACrE,cAAc,EAAE,mDAAmD;KACpE;CACF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAY;IAC5C,MAAM,KAAK,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAC3C,MAAM,aAAa,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IACpD,MAAM,gBAAgB,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IACrD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,CAAC,CAAC,MAAM,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEvF,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;QACjC,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;YAC5C,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAExC,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,cAAc,OAAO,CAAC,EAAE,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;gBAClF,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,cAAc;gBACxB,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,cAAc,EAAE,OAAO,CAAC,cAAc;gBACtC,IAAI;aACL,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,IAAI,cAAc,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;IAC1G,MAAM,UAAU,GAAG,cAAc,CAAC,gBAAgB,EAAE,OAAO,CAAC,IAAI,cAAc,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAEzG,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,8BAA8B;YAClC,KAAK,EAAE,oBAAoB;YAC3B,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,+BAA+B;YACxC,cAAc,EAAE,mGAAmG;SACpH,CAAC,CAAC;IACL,CAAC;IAED,IAAI,gBAAgB,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,4BAA4B;YAChC,KAAK,EAAE,+BAA+B;YACtC,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,kDAAkD;YAC3D,cAAc,EAAE,uEAAuE;SACxF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,gBAAgB,IAAI,CAAC,UAAU,EAAE,CAAC;QACpC,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,4BAA4B;YAChC,KAAK,EAAE,8BAA8B;YACrC,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,cAAc;YACxB,OAAO,EAAE,iDAAiD;YAC1D,cAAc,EAAE,0DAA0D;SAC3E,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,QAAQ;QACR,OAAO,EAAE;YACP,YAAY,EAAE,KAAK,CAAC,MAAM;YAC1B,cAAc,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM;YACjE,gBAAgB;YAChB,UAAU;YACV,UAAU;SACX;KACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,QAAgB;IACpC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,SAAiB,EAAE,OAAe;IACxD,OAAO,SAAS;SACb,KAAK,CAAC,IAAI,CAAC;SACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;SAC1B,MAAM,CAAC,OAAO,CAAC;SACf,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;AAChE,CAAC"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import { mkdtemp, rm } from 'node:fs/promises';
|
|
2
|
+
import { execFile } from 'node:child_process';
|
|
3
|
+
import { promisify } from 'node:util';
|
|
4
|
+
import os from 'node:os';
|
|
5
|
+
import path from 'node:path';
|
|
6
|
+
import { runSecurityDoctor } from '../security-doctor.js';
|
|
7
|
+
const execFileAsync = promisify(execFile);
|
|
8
|
+
export async function auditRemoteRepository(url) {
|
|
9
|
+
if (!/^https:\/\/github\.com\/[^/]+\/[^/]+(?:\.git)?$/.test(url)) {
|
|
10
|
+
throw new Error('Only public GitHub repository URLs are supported.');
|
|
11
|
+
}
|
|
12
|
+
const temporaryRoot = await mkdtemp(path.join(os.tmpdir(), 'toolip-remote-audit-'));
|
|
13
|
+
const target = path.join(temporaryRoot, 'repository');
|
|
14
|
+
try {
|
|
15
|
+
await execFileAsync('gh', ['repo', 'clone', url, target, '--', '--depth=1'], {
|
|
16
|
+
encoding: 'utf8'
|
|
17
|
+
});
|
|
18
|
+
const report = await runSecurityDoctor(target);
|
|
19
|
+
return {
|
|
20
|
+
repository: url,
|
|
21
|
+
report
|
|
22
|
+
};
|
|
23
|
+
}
|
|
24
|
+
finally {
|
|
25
|
+
await rm(temporaryRoot, { recursive: true, force: true });
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
//# sourceMappingURL=remote-audit.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"remote-audit.js","sourceRoot":"","sources":["../../../../src/core/github/remote-audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,GAAW;IAIrD,IAAI,CAAC,iDAAiD,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC,CAAC;IACpF,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IAEtD,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE;YAC3E,QAAQ,EAAE,MAAM;SACjB,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAE/C,OAAO;YACL,UAAU,EAAE,GAAG;YACf,MAAM;SACP,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
import { readFile, writeFile } from 'node:fs/promises';
|
|
2
|
+
import { execFile } from 'node:child_process';
|
|
3
|
+
import { promisify } from 'node:util';
|
|
4
|
+
import path from 'node:path';
|
|
5
|
+
const execFileAsync = promisify(execFile);
|
|
6
|
+
export async function createUpgradePullRequest(root, packageName, targetVersion, dryRun) {
|
|
7
|
+
const manifestPath = path.join(root, 'package.json');
|
|
8
|
+
const manifest = JSON.parse(await readFile(manifestPath, 'utf8'));
|
|
9
|
+
const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
|
|
10
|
+
let changed = false;
|
|
11
|
+
for (const section of sections) {
|
|
12
|
+
if (manifest[section]?.[packageName]) {
|
|
13
|
+
manifest[section][packageName] = targetVersion;
|
|
14
|
+
changed = true;
|
|
15
|
+
}
|
|
16
|
+
}
|
|
17
|
+
if (!changed) {
|
|
18
|
+
throw new Error(`${packageName} is not declared in package.json.`);
|
|
19
|
+
}
|
|
20
|
+
const branch = `toolip/upgrade-${packageName.replaceAll(/[^A-Za-z0-9]/g, '-')}-${targetVersion}`;
|
|
21
|
+
if (dryRun) {
|
|
22
|
+
return { branch, changed: true };
|
|
23
|
+
}
|
|
24
|
+
await execFileAsync('git', ['switch', '-c', branch], { cwd: root });
|
|
25
|
+
await writeFile(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`);
|
|
26
|
+
await execFileAsync('npm', ['install', '--package-lock-only'], { cwd: root });
|
|
27
|
+
await execFileAsync('npm', ['test'], { cwd: root });
|
|
28
|
+
await execFileAsync('git', ['add', 'package.json', 'package-lock.json'], { cwd: root });
|
|
29
|
+
await execFileAsync('git', ['commit', '-m', `chore: upgrade ${packageName} to ${targetVersion}`], { cwd: root });
|
|
30
|
+
await execFileAsync('git', ['push', '-u', 'origin', branch], { cwd: root });
|
|
31
|
+
await execFileAsync('gh', [
|
|
32
|
+
'pr',
|
|
33
|
+
'create',
|
|
34
|
+
'--title',
|
|
35
|
+
`chore: upgrade ${packageName} to ${targetVersion}`,
|
|
36
|
+
'--body',
|
|
37
|
+
`Toolip generated this dependency upgrade after updating the lockfile and running the project test suite.`
|
|
38
|
+
], { cwd: root });
|
|
39
|
+
return { branch, changed: true };
|
|
40
|
+
}
|
|
41
|
+
//# sourceMappingURL=upgrade-pr.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"upgrade-pr.js","sourceRoot":"","sources":["../../../../src/core/github/upgrade-pr.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,IAAY,EACZ,WAAmB,EACnB,aAAqB,EACrB,MAAe;IAEf,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAwB,CAAC;IACzF,MAAM,QAAQ,GAAG,CAAC,cAAc,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,kBAAkB,CAAC,CAAC;IACjG,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC;YACrC,QAAQ,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,GAAG,aAAa,CAAC;YAC/C,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,WAAW,mCAAmC,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,WAAW,CAAC,UAAU,CAAC,eAAe,EAAE,GAAG,CAAC,IAAI,aAAa,EAAE,CAAC;IAEjG,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACpE,MAAM,SAAS,CAAC,YAAY,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IACxE,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,qBAAqB,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9E,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,cAAc,EAAE,mBAAmB,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACxF,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,kBAAkB,WAAW,OAAO,aAAa,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACjH,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5E,MAAM,aAAa,CACjB,IAAI,EACJ;QACE,IAAI;QACJ,QAAQ;QACR,SAAS;QACT,kBAAkB,WAAW,OAAO,aAAa,EAAE;QACnD,QAAQ;QACR,0GAA0G;KAC3G,EACD,EAAE,GAAG,EAAE,IAAI,EAAE,CACd,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACnC,CAAC"}
|