trim-safe 1.0.0 → 1.0.2

package/README.md

@@ -6,7 +6,7 @@ Safe, drop-in replacement for the abandoned [`trim`](https://www.npmjs.com/packa
 
 The `trim` package (1M+ weekly downloads) has been effectively abandoned since 2013. Its canonical GitHub repo is dormant, the patch fork was archived in 2023, and the original source was never updated with the CVE fix.
 
-The package contains **CVE-2020-7753** — a ReDoS vulnerability in the regex `/^\s*|\s*$/g`. An attacker can craft an input string that causes catastrophic regex backtracking, consuming all CPU and hanging your process.
+The package contains **CVE-2020-7753** / **GHSA-cmr6-74hv-c9fg** — a ReDoS vulnerability (CVSS 7.5 HIGH) in the regex `/^\s*|\s*$/g`. An attacker can craft an input string that causes catastrophic regex backtracking, consuming all CPU and hanging your process.
 
 `trim-safe` fixes the vulnerability using a loop-based approach with no regex backtracking. Same API, zero security debt.
 
@@ -16,6 +16,19 @@ The package contains **CVE-2020-7753** — a ReDoS vulnerability in the regex `/
 npm install trim-safe
 ```
 
+When installed into a project, `trim-safe` automatically checks your dependency tree. If it finds the vulnerable `trim` package, it prints a migration prompt:
+
+```
+⚠  VULNERABLE: trim (CVE-2020-7753) found in dependency tree
+  3 packages still depend on the vulnerable trim package.
+
+  Migrate:
+    npm install trim-safe
+    # in your code: require('trim-safe') instead of require('trim')
+```
+
+No extra setup needed.
+
 ## Usage
 
 ```js

package/package.json

@@ -1,24 +1,47 @@
 {
   "name": "trim-safe",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Safe, drop-in replacement for the abandoned trim package. Fixed ReDoS vulnerability (CVE-2020-7753).",
   "main": "index.js",
+  "types": "index.d.ts",
+  "files": [
+    "index.js",
+    "index.d.ts",
+    "README.md",
+    "test.js",
+    "scripts"
+  ],
   "scripts": {
-    "test": "node test.js"
+    "test": "node test.js",
+    "postinstall": "node scripts/migrate-check.js",
+    "prepare": "npm run test",
+    "prepublishOnly": "npm run test"
   },
   "keywords": [
+    "trim-safe",
     "trim",
     "string",
     "whitespace",
     "safe",
     "regex",
-    "redos"
+    "redos",
+    "cve",
+    "security",
+    "javascript",
+    "typescript",
+    "nodejs",
+    "utility"
   ],
+  "author": "Jay Suryawanshi",
   "license": "MIT",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/Jay-Suryawansh7/trim-safe.git"
   },
+  "bugs": {
+    "url": "https://github.com/Jay-Suryawansh7/trim-safe/issues"
+  },
+  "homepage": "https://github.com/Jay-Suryawansh7/trim-safe#readme",
   "engines": {
     "node": ">=0.10.0"
   }

package/scripts/migrate-check.js

@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+
+var execSync = require('child_process').execSync;
+
+function log(msg) { console.log(msg); }
+function red(s)    { return '\x1b[31m' + s + '\x1b[0m'; }
+function green(s) { return '\x1b[32m' + s + '\x1b[0m'; }
+function yellow(s){ return '\x1b[33m' + s + '\x1b[0m'; }
+function cyan(s)  { return '\x1b[36m' + s + '\x1b[0m'; }
+
+try {
+  var out = execSync('npm ls trim --all --parseable 2>/dev/null', { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
+  var lines = out.trim().split('\n').filter(Boolean);
+
+  if (lines.length === 0) {
+    log('\n  ' + green('\u2713') + '  trim-safe OK — no vulnerable trim found in your dependency tree.');
+    return;
+  }
+
+  log('\n  ' + red('\u26A0') + '  ' + red('VULNERABLE: trim (CVE-2020-7753) found in dependency tree'));
+  log('  ' + lines.length + ' package' + (lines.length === 1 ? '' : 's') + ' still depend on the vulnerable trim package.\n');
+
+  var unique = {};
+  lines.forEach(function(l) {
+    var parts = l.split('node_modules/');
+    var pkg = parts[parts.length - 1];
+    if (pkg && pkg !== 'trim') unique[pkg] = true;
+  });
+  var names = Object.keys(unique).filter(Boolean);
+
+  if (names.length > 0 && names.length <= 20) {
+    log('  Direct dependents: ' + names.join(', '));
+    log('');
+  }
+
+  log('  ' + cyan('Migrate:'));
+  log('    npm install trim-safe');
+  log('    # in your code: require(\'trim-safe\') instead of require(\'trim\')');
+  log('');
+} catch (e) {
+  try {
+    var out2 = execSync('npm ls trim 2>/dev/null', { encoding: 'utf8' });
+    if (out2 && out2.includes('trim@')) {
+      log(yellow('\n  trim found in dependency tree — run "npm install trim-safe" to migrate.\n'));
+    }
+  } catch (e2) {}
+}

package/.github/workflows/test.yml

@@ -1,20 +0,0 @@
-name: Test
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [18, 20, 22]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-      - run: npm test

package/SECURITY.md

@@ -1,22 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-| Version | Supported          |
-| ------- | ------------------ |
-| 1.x     | :white_check_mark: |
-
-## Reporting a Vulnerability
-
-If you discover a security vulnerability in `trim-safe`, please report it via:
-
-1. **GitHub Issues** (preferred for non-critical issues)
-2. **Email** — open an issue first and we'll respond within 48 hours
-
-Please do not disclose security vulnerabilities publicly until a fix is available.
-
-## Security Model
-
-`trim-safe` intentionally contains **no external dependencies** — only stdlib JavaScript. The attack surface is zero network calls, zero file reads, and no dynamic code execution.
-
-The package has no `postinstall`, `preinstall`, `prepare`, or any other lifecycle hooks.