npm - vuln-scan - Versions diffs - 0.1.2 → 0.1.4 - Mend

vuln-scan 0.1.2 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -27,6 +27,12 @@ A Node.js CLI that scans a project’s **lockfile** (npm / pnpm / yarn) to find
 npx vuln-scan
 ```
+### Run with pnpm
+```bash
+pnpm dlx vuln-scan
+```
 ### Install globally
 ```bash
@@ -62,4 +68,8 @@ node ./cli.js
 node ./cli.js --json
 ```
+## Security
+See [SECURITY.md](SECURITY.md) for vulnerability reporting and PGP details.

package/cli.js CHANGED Viewed

@@ -1,26 +1,44 @@
 #!/usr/bin/env node
+import { setDefaultResultOrder } from 'node:dns';
+import { createRequire } from 'node:module';
 import chalk from 'chalk';
 import ora from 'ora';
 import Table from 'cli-table3';
 import { scanProject } from './src/core.js';
+const require = createRequire(import.meta.url);
+const { version: CLI_VERSION } = require('./package.json');
+function brandingLine() {
+  return `${chalk.bold('vuln-scan')}${chalk.gray(' - ')}${chalk.cyan('Debasis')}`;
+}
 function printHelp() {
+  const valueLine = chalk.gray(`v${CLI_VERSION}`);
+  const features = chalk.cyan('Fast | Secure | Protect');
+  const tagline = chalk.gray('Scan Dependencies - Stay Safe - Fix Quickly');
   const text = `
-${chalk.bold('vuln-scan')}
+${features}
+${tagline}
+${chalk.bold('vuln-scan')} ${valueLine}
 Scans a project's lockfile (npm/pnpm/yarn) for known vulnerabilities using the OSV.dev API.
+Made by Debasis (https://github.com/DebaA17)
 Usage:
   npx vuln-scan
+  pnpm dlx vuln-scan
   vuln-scan
 Options:
   --json     Output machine-readable JSON
   --help     Show this help
 `;
-  // eslint-disable-next-line no-console
   console.log(text.trim());
 }
@@ -39,7 +57,27 @@ function severityColor(sev) {
   }
 }
+// Compare two semantic versions (returns true if v1 < v2)
+function isVulnerable(installedVersion, fixedVersion) {
+  const installedParts = installedVersion.split('.').map(Number);
+  const fixedParts = fixedVersion.split('.').map(Number);
+  for (let i = 0; i < Math.max(installedParts.length, fixedParts.length); i++) {
+    const installed = installedParts[i] || 0;
+    const fixed = fixedParts[i] || 0;
+    if (installed < fixed) return true;
+    if (installed > fixed) return false;
+  }
+  return false; // versions are equal → not vulnerable
+}
 async function main() {
+  try {
+    setDefaultResultOrder('ipv4first');
+  } catch {
+    // Older Node versions may not support this
+  }
   const args = new Set(process.argv.slice(2));
   if (args.has('--help') || args.has('-h')) {
     printHelp();
@@ -48,31 +86,34 @@ async function main() {
   const jsonOutput = args.has('--json');
-  const spinner = ora({ text: 'Scanning dependencies…', spinner: 'dots' }).start();
+  const spinner = ora({ text: 'Scanning dependencies...', spinner: 'dots' }).start();
   try {
     const result = await scanProject({
       cwd: process.cwd(),
       onProgress: ({ processed, total }) => {
-        spinner.text = `Scanning dependencies… ${processed}/${total}`;
+        spinner.text = `Scanning dependencies... ${processed}/${total}`;
       }
     });
     spinner.stop();
+    // Filter vulnerabilities: only show if installed version < fixed version
+    const activeVulns = result.vulnerabilities.filter(v => {
+      if (!v.fixed) return true; // no fixed info, assume still vulnerable
+      return isVulnerable(v.version, v.fixed);
+    });
     if (jsonOutput) {
-      // Keep stdout clean for piping/automation.
-      // eslint-disable-next-line no-console
-      console.log(JSON.stringify(result, null, 2));
-      // eslint-disable-next-line no-console
+      console.log(JSON.stringify({ ...result, vulnerabilities: activeVulns }, null, 2));
+      console.error(brandingLine());
       console.error(chalk.green('Scan complete!'));
       return;
     }
-    if (result.vulnerabilities.length === 0) {
-      // eslint-disable-next-line no-console
+    if (activeVulns.length === 0) {
       console.log(chalk.green(`No known vulnerabilities found in ${result.dependencyCount} dependencies.`));
-      // eslint-disable-next-line no-console
+      console.log(brandingLine());
       console.log(chalk.green('Scan complete!'));
       return;
     }
@@ -80,33 +121,25 @@ async function main() {
     const table = new Table({
       head: ['Package', 'CVE ID', 'Severity', 'Summary'],
       wordWrap: true,
-      colWidths: [
-        28,
-        18,
-        10,
-        70
-      ]
+      colWidths: [28, 18, 10, 70]
     });
-    for (const v of result.vulnerabilities) {
+    for (const v of activeVulns) {
       const pkg = `${v.package}@${v.version}`;
       const cve = v.cve || v.id;
       const summary = v.summary + (v.fixed ? ` (Fix: ${v.fixed})` : '');
       table.push([pkg, cve, severityColor(v.severity), summary]);
     }
-    // eslint-disable-next-line no-console
     console.log(table.toString());
-    // eslint-disable-next-line no-console
+    console.log(brandingLine());
     console.log(chalk.green('Scan complete!'));
   } catch (err) {
     spinner.stop();
     const message = err instanceof Error ? err.message : String(err);
-    // eslint-disable-next-line no-console
     console.error(chalk.red(`Error: ${message}`));
     process.exitCode = 1;
   }
 }
-await main();
+await main();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vuln-scan",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Node.js CLI to scan dependency lockfiles for vulnerabilities using OSV.dev",
   "type": "module",
   "bin": {

package/src/core.js CHANGED Viewed

@@ -18,11 +18,24 @@ const OSV_QUERY_URL = 'https://api.osv.dev/v1/query';
 export async function scanProject({ cwd, onProgress }) {
   const projectPackageJsonPath = path.join(cwd, 'package.json');
   const hasPackageJson = await exists(projectPackageJsonPath);
-  if (!hasPackageJson) {
-    throw new Error('Missing package.json in the current directory.');
+  let detected;
+  try {
+    detected = await detectPackageManager(cwd);
+  } catch {
+    if (hasPackageJson) {
+      throw new Error(
+        'No supported lockfile found (package-lock.json, pnpm-lock.yaml, yarn.lock). ' +
+          'Run your package manager install command to generate a lockfile, then re-run vuln-scan.'
+      );
+    }
+    throw new Error(
+      'Nothing to scan: no package.json or supported lockfile found (package-lock.json, pnpm-lock.yaml, yarn.lock). '
+        + 'Run vuln-scan from a project directory.'
+    );
   }
-  const { packageManager, lockfilePath } = await detectPackageManager(cwd);
+  const { packageManager, lockfilePath } = detected;
   const dependencies = await readDependenciesFromLockfile({
     packageManager,
@@ -320,10 +333,12 @@ async function queryOsv({ name, version }) {
     }
   };
-  const res = await fetch(OSV_QUERY_URL, {
+  const res = await fetchWithRetry(OSV_QUERY_URL, {
     method: 'POST',
     headers: {
-      'content-type': 'application/json'
+      'content-type': 'application/json',
+      // A friendly UA can help with debugging/telemetry on the server side.
+      'user-agent': 'vuln-scan (node)'
     },
     body: JSON.stringify(body)
   });
@@ -336,6 +351,63 @@ async function queryOsv({ name, version }) {
   return res.json();
 }
+async function fetchWithRetry(url, init) {
+  const retries = 3;
+  const timeoutMs = 15_000;
+  for (let attempt = 0; attempt <= retries; attempt += 1) {
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+      // eslint-disable-next-line no-undef
+      return await fetch(url, {
+        ...init,
+        signal: controller.signal
+      });
+    } catch (err) {
+      const isLast = attempt === retries;
+      const message = err instanceof Error ? err.message : String(err);
+      const code = extractNodeErrorCode(err);
+      if (isLast) {
+        // Provide a more actionable message than the generic "fetch failed".
+        if (code === 'ETIMEDOUT' || code === 'ENETUNREACH' || code === 'EAI_AGAIN') {
+          throw new Error(
+            `Network error reaching OSV.dev (${code}). ` +
+              `If you're on an IPv6-restricted network, try: NODE_OPTIONS=--dns-result-order=ipv4first vuln-scan`
+          );
+        }
+        throw new Error(`Failed to reach OSV.dev: ${message}`);
+      }
+      // Retry transient network issues / timeouts.
+      if (code === 'ETIMEDOUT' || code === 'ECONNRESET' || code === 'ENETUNREACH' || code === 'EAI_AGAIN') {
+        await delay(250 * Math.pow(2, attempt));
+        continue;
+      }
+      // AbortError or other non-network errors should fail fast.
+      throw err;
+    } finally {
+      clearTimeout(timeout);
+    }
+  }
+  // Unreachable.
+  throw new Error('Failed to reach OSV.dev.');
+}
+function extractNodeErrorCode(err) {
+  // Node/undici errors often have nested causes.
+  const code = err?.cause?.code || err?.code;
+  return typeof code === 'string' ? code : null;
+}
+function delay(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
 function normalizeOsvResponse({ dependency, response }) {
   const vulns = Array.isArray(response?.vulns) ? response.vulns : [];