npm - trust-npm - Versions diffs - 0.1.0 → 0.1.2 - Mend

trust-npm 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -38,6 +38,7 @@ This will:
 - create/update `.trust-npm.json` from `package-lock.json`
 - persist alias `npm -> trust-npm` in your shell profile
+- add/update `AGENTS.md` with trust-npm usage policy
 You can force shell target:
@@ -51,7 +52,7 @@ trust-npm init --shell zsh
 ### `trust-npm init`
-Initializes `.trust-npm.json` using lockfile dependencies and sets a persistent shell alias (`npm -> trust-npm`).
+Initializes `.trust-npm.json`, sets shell alias, and writes agent guidance.
 ```bash
 trust-npm init

package/dist/cli.js CHANGED Viewed

@@ -1,7 +1,11 @@
 #!/usr/bin/env node
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const commander_1 = require("commander");
+const package_json_1 = __importDefault(require("../package.json"));
 const init_1 = require("./commands/init");
 const install_1 = require("./commands/install");
 const approve_1 = require("./commands/approve");
@@ -10,7 +14,7 @@ const program = new commander_1.Command();
 program
     .name("trust-npm")
     .description("Secure wrapper around npm install with trust baseline checks")
-    .version("0.1.0");
+    .version(package_json_1.default.version);
 program
     .command("init")
     .description("Create .trust-npm.json and auto-alias npm -> trust-npm")
@@ -28,6 +32,14 @@ program
     const rawInstallArgs = getRawInstallArgs(process.argv);
     await (0, install_1.runInstall)(rawInstallArgs);
 });
+program
+    .command("i [packages...]")
+    .description("Alias for install")
+    .allowUnknownOption(true)
+    .action(async () => {
+    const rawInstallArgs = getRawInstallArgs(process.argv);
+    await (0, install_1.runInstall)(rawInstallArgs);
+});
 program
     .command("approve <packages...>")
     .description("Approve one or more packages into .trust-npm.json")
@@ -50,7 +62,7 @@ program.parseAsync(process.argv).catch((error) => {
     process.exitCode = 1;
 });
 function getRawInstallArgs(argv) {
-    const installIndex = argv.findIndex((token) => token === "install");
+    const installIndex = argv.findIndex((token) => token === "install" || token === "i");
     if (installIndex < 0) {
         return [];
     }

package/dist/commands/init.js CHANGED Viewed

@@ -24,6 +24,8 @@ async function runInit(options = {}) {
     const storePath = (0, trustStore_1.trustStorePath)(projectRoot);
     console.log(`Initialized trust store: ${storePath}`);
     console.log(`Trusted packages imported: ${trustedFromLockfile.size}`);
+    ensureAgentGuidance(projectRoot);
+    console.log("Agent guidance added: AGENTS.md updated with trust-npm policy.");
     if (!options.skipAlias) {
         const shell = detectShell(options.shell);
         const profilePath = ensureAliasInProfile(shell);
@@ -38,6 +40,27 @@ async function runInit(options = {}) {
         console.log("  Set-Alias npm trust-npm");
     }
 }
+function ensureAgentGuidance(projectRoot) {
+    const agentsPath = path_1.default.join(projectRoot, "AGENTS.md");
+    const startMarker = "<!-- trust-npm policy start -->";
+    const endMarker = "<!-- trust-npm policy end -->";
+    const block = `${startMarker}
+## trust-npm Policy
+Use \`trust-npm\` for dependency installs and approvals in this repo.
+- Always run \`trust-npm install ...\`, never plain \`npm install ...\`.
+- For blocked packages, use \`trust-npm approve <package>\` only after review.
+- Use \`trust-npm status\` to inspect trust state.
+${endMarker}
+`;
+    if (!fs_1.default.existsSync(agentsPath)) {
+        fs_1.default.writeFileSync(agentsPath, `${block}\n`, "utf8");
+        return;
+    }
+    appendBlockIfMissing(agentsPath, startMarker, block);
+}
 function detectShell(requested) {
     if (requested) {
         return requested;

package/dist/commands/install.js CHANGED Viewed

@@ -49,7 +49,7 @@ function extractRequestedPackages(args) {
 function printBlockedPackages(analyses) {
     for (const analysis of analyses) {
         const header = analysis.isHighRisk ? "BLOCKED (high risk)" : "BLOCKED (untrusted package)";
-        console.error(`\n❌ ${header}: ${analysis.packageName}`);
+        console.error(`\n${header}: ${analysis.packageName}`);
         console.error("Reason:");
         if (analysis.reasons.length > 0) {
             for (const reason of analysis.reasons) {

package/dist/core/npm.js CHANGED Viewed

@@ -7,7 +7,11 @@ async function runNpm(args) {
     return new Promise((resolve, reject) => {
         const child = (0, child_process_1.spawn)(npmCommand, args, {
             stdio: "inherit",
-            shell: false
+            shell: false,
+            env: {
+                ...process.env,
+                TRUST_NPM_ACTIVE: "1"
+            }
         });
         child.on("error", (error) => reject(error));
         child.on("close", (code) => resolve(code ?? 1));

package/dist/core/risk.js CHANGED Viewed

@@ -1,6 +1,10 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.analyzePackageRisk = analyzePackageRisk;
+const axios_1 = __importDefault(require("axios"));
 const registry_1 = require("./registry");
 const NEW_PACKAGE_DAYS_THRESHOLD = 7;
 const LOW_DOWNLOADS_THRESHOLD = 100;
@@ -8,27 +12,49 @@ async function analyzePackageRisk(packageName, threshold) {
     let score = 0;
     const reasons = [];
     const metadata = {};
-    const [pkg, downloads] = await Promise.all([
+    const [pkgResult, downloadsResult] = await Promise.allSettled([
         (0, registry_1.fetchPackageMetadata)(packageName),
         (0, registry_1.fetchWeeklyDownloads)(packageName)
     ]);
-    const ageDays = getPackageAgeDays(pkg.createdAt);
-    metadata.publishedAt = pkg.createdAt;
-    metadata.ageDays = ageDays;
-    metadata.weeklyDownloads = downloads.downloads;
-    if (typeof ageDays === "number" && ageDays < NEW_PACKAGE_DAYS_THRESHOLD) {
-        score += 40;
-        reasons.push(`Published ${ageDays} day(s) ago`);
-    }
-    if (downloads.downloads < LOW_DOWNLOADS_THRESHOLD) {
-        score += 30;
-        reasons.push(`${downloads.downloads} weekly downloads`);
+    let weeklyDownloads;
+    if (pkgResult.status === "fulfilled") {
+        const ageDays = getPackageAgeDays(pkgResult.value.createdAt);
+        metadata.publishedAt = pkgResult.value.createdAt;
+        metadata.ageDays = ageDays;
+        if (typeof ageDays === "number" && ageDays < NEW_PACKAGE_DAYS_THRESHOLD) {
+            score += 40;
+            reasons.push(`Published ${ageDays} day(s) ago`);
+        }
+        const hasRepo = hasRepository(pkgResult.value.repository);
+        metadata.hasRepository = hasRepo;
+        if (!hasRepo) {
+            score += 20;
+            reasons.push("Missing repository field");
+        }
+    }
+    else if (isNotFoundError(pkgResult.reason)) {
+        score += 100;
+        reasons.push("Package not found in npm registry");
     }
-    const hasRepo = hasRepository(pkg.repository);
-    metadata.hasRepository = hasRepo;
-    if (!hasRepo) {
+    else {
         score += 20;
-        reasons.push("Missing repository field");
+        reasons.push("Could not verify package metadata");
+    }
+    if (downloadsResult.status === "fulfilled") {
+        weeklyDownloads = downloadsResult.value.downloads;
+        metadata.weeklyDownloads = weeklyDownloads;
+    }
+    else if (isNotFoundError(downloadsResult.reason)) {
+        weeklyDownloads = 0;
+        metadata.weeklyDownloads = weeklyDownloads;
+    }
+    else {
+        score += 10;
+        reasons.push("Could not verify weekly downloads");
+    }
+    if (typeof weeklyDownloads === "number" && weeklyDownloads < LOW_DOWNLOADS_THRESHOLD) {
+        score += 30;
+        reasons.push(`${weeklyDownloads} weekly downloads`);
     }
     const suspiciousName = hasSuspiciousName(packageName);
     metadata.suspiciousName = suspiciousName;
@@ -45,6 +71,12 @@ async function analyzePackageRisk(packageName, threshold) {
         metadata
     };
 }
+function isNotFoundError(error) {
+    if (!axios_1.default.isAxiosError(error)) {
+        return false;
+    }
+    return error.response?.status === 404;
+}
 function getPackageAgeDays(createdAt) {
     if (!createdAt) {
         return undefined;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "trust-npm",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "A safe npm wrapper that blocks untrusted dependencies by default.",
   "type": "commonjs",
   "main": "dist/cli.js",