
scanpack


Dependency scanner to detect unknown or malicious packages in Node.js and Bun projects

import { MaliciousPackageRepositoryAdapter } from './infrastructure/adapters/malicious-package.repository.adapter.js';
import { NpmRegistryAdapter } from './infrastructure/adapters/npm-registry.adapter.js';
import { validateDependenciesUseCase } from './infrastructure/container.js';

// Module-scoped adapter instances shared by every static call on DependencyValidator.
const registryAdapter = new NpmRegistryAdapter();
const blocklist = new MaliciousPackageRepositoryAdapter();

/**
 * Pick the human-readable reason attached to a verdict.
 *
 * Precedence mirrors the verdict logic: a security-holding package that is
 * not on the local blocklist gets the npm "security holding" explanation, a
 * package that exists nowhere gets "not found", and anything else keeps
 * whatever reason the blocklist lookup supplied (possibly undefined).
 *
 * @param {{ isMalicious?: boolean, reason?: string }} blocklistResult
 * @param {boolean} isSecurityHolding
 * @param {boolean} isUnknown
 * @returns {string | undefined}
 */
function explainVerdict(blocklistResult, isSecurityHolding, isUnknown) {
  if (isSecurityHolding && !blocklistResult.isMalicious) {
    return 'Security holding package - original package was removed by npm for security reasons';
  }
  if (isUnknown) {
    return 'Package not found on npm';
  }
  return blocklistResult.reason;
}

/**
 * Static facade over the registry adapter, the local malicious-package
 * repository and the validate-dependencies use case.
 */
export class DependencyValidator {
  /**
   * Look a package up through the registry adapter.
   *
   * @param {string} packageName
   * @returns {Promise<object>} the adapter's result; this method reads
   *   `exists`, `isSecurityHolding` and `url` from it in validateDependency.
   */
  static async checkNpmPackage(packageName) {
    const result = await registryAdapter.checkPackage(packageName);
    return result;
  }

  /**
   * Consult the local malicious-package repository.
   *
   * @param {string} packageName
   * @returns {object} the repository's result; `isMalicious` and `reason`
   *   are the fields consumed by validateDependency.
   */
  static isKnownMalicious(packageName) {
    return blocklist.isKnownMalicious(packageName);
  }

  /**
   * Produce a verdict for a single dependency.
   *
   * A dependency is valid only when the registry reports it as existing AND
   * neither the local blocklist nor npm's security-holding marker flags it.
   * A package that is unknown to the registry but not flagged is reported as
   * "not found".
   *
   * @param {{ name: string }} dependency - only `name` is read here; the
   *   whole object is echoed back in the result.
   * @returns {Promise<{
   *   dependency: object,
   *   isValid: boolean,
   *   existsOnNpm: boolean,
   *   isKnownMalicious: boolean,
   *   isSecurityHolding: boolean,
   *   reason: string | undefined,
   *   npmUrl: string | undefined,
   * }>}
   */
  static async validateDependency(dependency) {
    const { name } = dependency;

    // NOTE(review): the awaited registry lookup runs before the synchronous
    // blocklist lookup and nothing here catches a rejection, so a failing
    // registry call rejects this method before any blocklist verdict is
    // produced. Callers should treat a rejection as "not validated", never
    // as "clean".
    const registryResult = await this.checkNpmPackage(name);
    const blocklistResult = this.isKnownMalicious(name);

    // `|| false` keeps the original semantics: a missing flag reads as false,
    // any truthy value is passed through unchanged.
    const isSecurityHolding = registryResult.isSecurityHolding || false;
    // npm's security-holding marker counts as malicious for the verdict.
    const isMalicious = blocklistResult.isMalicious || isSecurityHolding;
    const isValid = registryResult.exists && !isMalicious;
    const isUnknown = !registryResult.exists && !isMalicious;

    const reason = explainVerdict(blocklistResult, isSecurityHolding, isUnknown);

    return {
      dependency,
      isValid,
      existsOnNpm: registryResult.exists,
      isKnownMalicious: isMalicious,
      isSecurityHolding,
      reason,
      npmUrl: registryResult.url,
    };
  }

  /**
   * Validate a whole dependency list by delegating to the container's
   * validate-dependencies use case.
   *
   * @param {object[]} dependencies
   * @returns {Promise<unknown>} whatever the use case resolves with
   */
  static async validateDependencies(dependencies) {
    const outcome = await validateDependenciesUseCase.execute(dependencies);
    return outcome;
  }
}
//# sourceMappingURL=validator.js.map