UNPKG

vibe-guard

Version:

██ Vibe-Guard Security Scanner - 28 essential security rules to catch vulnerabilities before they catch you! Zero dependencies, instant setup, works everywhere, optimized performance. Detects SQL injection, XSS, exposed secrets, CSRF, CORS issues, contain

devjosef.github.io/vibe-guard/

Devjosef/vibe-guard

779 lines • 32.6 kB

JavaScript

"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.InsecureDependenciesRule = void 0; const types_1 = require("../types"); class InsecureDependenciesRule extends types_1.BaseRule { constructor() { super(...arguments); this.name = 'insecure-dependencies'; this.description = 'Detects potentially insecure dependencies and packages with context-aware analysis'; this.severity = 'medium'; this.vulnerablePackages = [ // Node.js packages with known CVEs! { name: 'lodash', versions: ['<4.17.21'], reason: 'Prototype pollution vulnerabilities (CVE-2021-23337)', confidence: 0.95, severity: 'critical', validation: (version) => this.validateLodashVersion(version) }, { name: 'moment', versions: ['*'], reason: 'Deprecated package with security issues, use date-fns or dayjs instead', confidence: 0.9, severity: 'high', validation: (version) => this.validateMomentUsage(version) }, { name: 'request', versions: ['*'], reason: 'Deprecated package with security issues (CVE-2020-8163)', confidence: 0.95, severity: 'critical', validation: (version) => this.validateRequestUsage(version) }, { name: 'node-uuid', versions: ['*'], reason: 'Deprecated, use uuid package instead', confidence: 0.85, severity: 'high', validation: (version) => this.validateNodeUuidUsage(version) }, { name: 'growl', versions: ['<1.10.0'], reason: 'Command injection vulnerability (CVE-2017-16042)', confidence: 0.9, severity: 'critical', validation: (version) => this.validateGrowlVersion(version) }, { name: 'handlebars', versions: ['<4.7.7'], reason: 'Template injection vulnerabilities (CVE-2021-23369)', confidence: 0.9, severity: 'critical', validation: (version) => this.validateHandlebarsVersion(version) }, { name: 'serialize-javascript', versions: ['<3.1.0'], reason: 'XSS vulnerability (CVE-2020-7660)', confidence: 0.9, severity: 'critical', validation: (version) => this.validateSerializeJavascriptVersion(version) }, { name: 'minimist', versions: ['<1.2.6'], reason: 'Prototype pollution vulnerability (CVE-2021-44906)', confidence: 0.9, severity: 'critical', validation: (version) => this.validateMinimistVersion(version) }, { name: 'yargs-parser', versions: ['<13.1.2'], reason: 'Prototype pollution vulnerability (CVE-2020-7608)', confidence: 0.9, severity: 'critical', validation: (version) => this.validateYargsParserVersion(version) }, { name: 'ini', versions: ['<1.3.6'], reason: 'Prototype pollution vulnerability (CVE-2020-7788)', confidence: 0.9, severity: 'critical', validation: (version) => this.validateIniVersion(version) }, { name: 'event-stream', versions: ['*'], reason: 'Backdoored package with malicious code injection', confidence: 0.95, severity: 'critical', validation: (version) => this.validateEventStreamUsage(version) }, // Python packages with known CVEs! { name: 'django', versions: ['<3.2.13'], reason: 'Multiple security vulnerabilities (CVE-2021-44420)', confidence: 0.95, severity: 'critical', validation: (version) => this.validateDjangoVersion(version) }, { name: 'flask', versions: ['<2.0.0'], reason: 'Security improvements in newer versions', confidence: 0.8, severity: 'high', validation: (version) => this.validateFlaskVersion(version) }, { name: 'requests', versions: ['<2.20.0'], reason: 'SSL verification issues (CVE-2018-18074)', confidence: 0.85, severity: 'critical', validation: (version) => this.validateRequestsVersion(version) }, { name: 'pyyaml', versions: ['<5.4'], reason: 'Arbitrary code execution vulnerability (CVE-2020-1747)', confidence: 0.95, severity: 'critical', validation: (version) => this.validatePyyamlVersion(version) }, { name: 'pillow', versions: ['<8.3.2'], reason: 'Multiple image processing vulnerabilities (CVE-2021-3450)', confidence: 0.9, severity: 'critical', validation: (version) => this.validatePillowVersion(version) }, // PHP packages with known CVEs! { name: 'symfony/symfony', versions: ['<4.4.35'], reason: 'Multiple security vulnerabilities (CVE-2021-41264)', confidence: 0.95, severity: 'critical', validation: (version) => this.validateSymfonyVersion(version) }, { name: 'laravel/framework', versions: ['<8.75.0'], reason: 'Security vulnerabilities (CVE-2021-3129)', confidence: 0.9, severity: 'critical', validation: (version) => this.validateLaravelVersion(version) }, { name: 'monolog/monolog', versions: ['<2.3.5'], reason: 'Remote code execution vulnerability (CVE-2021-37145)', confidence: 0.95, severity: 'critical', validation: (version) => this.validateMonologVersion(version) } ]; this.suspiciousPatterns = [ { pattern: /(?:^|\s)(?:eval|exec|shell|cmd|system|proc|spawn)(?:-|_)?(?:js|py|php|rb)?\s*[:=]/gi, type: 'Suspicious package name', confidence: 0.8, severity: 'medium', validation: (text) => this.validateSuspiciousPackage(text) }, { pattern: /(?:^|\s)(?:backdoor|malware|virus|trojan|keylogger)\s*[:=]/gi, type: 'Malicious package name', confidence: 0.95, severity: 'critical', validation: (text) => this.validateMaliciousPackage(text) }, { pattern: /(?:^|\s)(?:coin|cryptojs|digminer|miner|hashcoin|bitcoin|ethereum|monero)\s*[:=]/gi, type: 'Cryptominer package', confidence: 0.9, severity: 'critical', validation: (text) => this.validateCryptominerPackage(text) }, { pattern: /(?:^|\s)(?:lodahs|momnet|expres|reactt|angualr|vuejs)\s*[:=]/gi, type: 'Potential typosquatting', confidence: 0.7, severity: 'medium', validation: (text) => this.validateTyposquatting(text) }, { pattern: /["'](?:\*|latest|>.*|>=.*\|\|.*|.*\.\*\.\*)["']/g, type: 'Overly permissive version range', confidence: 0.6, severity: 'medium', validation: (text) => this.validatePermissiveVersion(text) }, { pattern: /"devDependencies"\s*:\s*\{[^}]*"(?:nodemon|webpack-dev-server|jest|mocha|chai|sinon)"/gi, type: 'Development dependency in production', confidence: 0.5, severity: 'medium', validation: (text) => this.validateDevDependency(text) }, { pattern: /"scripts"\s*:\s*\{[^}]*"(?:postinstall|preinstall|install)"\s*:\s*["'](?:curl|wget|fetch|node\s+.*\.js)/gi, type: 'Suspicious postinstall script', confidence: 0.85, severity: 'critical', validation: (text) => this.validateSuspiciousScript(text) } ]; this.safePatterns = [ /example/i, /demo/i, /test/i, /sample/i, /placeholder/i, /development/i, /dev/i, /staging/i, /localhost/i, /127\.0\.0\.1/i, /console\.log/i, /console\.warn/i, /console\.error/i, /logger\.(?:log|warn|error|info)/i, /print/i, /echo/i, /printf/i, /System\.out\.println/i, /puts/i, /Console\.WriteLine/i, /comment/i, /note/i, /todo/i, /fixme/i, /secure/i, /safe/i, /protected/i, /defense/i, /guard/i, /prevent/i, /block/i, /restrict/i ]; } check(fileContent) { const issues = []; const language = this.detectLanguage(fileContent.path); const packageManager = this.detectPackageManager(fileContent.path); const framework = this.detectFramework(fileContent.content, language); // Skips if not a dependency file if (!this.isDependencyFile(fileContent.path)) { return issues; } // Checks for vulnerable packages using package manager specific patterns this.checkVulnerablePackages(fileContent, issues, language, packageManager, framework); // Checks for suspicious patterns this.checkSuspiciousPatterns(fileContent, issues, language, packageManager, framework); return issues; } getPackagePattern(packageManager, packageName) { switch (packageManager) { case 'npm': case 'yarn': case 'pnpm': // JSON format: "package": "version" return new RegExp(`"${packageName}"\\s*:\\s*["']([^"']+)["']`, 'gi'); case 'pip': // requirements.txt: package==version return new RegExp(`^${packageName}\\s*==\\s*([^\\s]+)`, 'gmi'); case 'composer': // Composer: "name": "^version" return new RegExp(`"${packageName}"\\s*:\\s*["']([^"']+)["']`, 'gi'); case 'bundler': // Gemfile: gem "name", "~> version" return new RegExp(`gem\\s+["']${packageName}["']\\s*,\\s*["']([^"']+)["']`, 'gi'); case 'maven': case 'gradle': // Maven: <groupId> <artifactId> <version> return new RegExp(`<artifactId>${packageName}</artifactId>\\s*<version>([^<]+)</version>`, 'gi'); default: // Fallback to generic pattern return new RegExp(`"${packageName}"\\s*:\\s*["']([^"']+)["']`, 'gi'); } } analyzeContext(fileContent, line, column, language, packageManager, framework, hasVulnerableDependencies, dependencyType) { const lines = fileContent.lines; const currentLine = lines[line - 1] || ''; const surroundingLines = lines.slice(Math.max(0, line - 3), line + 2); return { isInComment: this.isInComment(currentLine, language), isInString: this.isInString(currentLine, column), isInTestFile: this.isInTestFile(fileContent.path), isInDocumentation: this.isInDocumentation(surroundingLines), isInDevDependencies: this.isInDevDependencies(fileContent.content, line), surroundingCode: surroundingLines.join('\n'), language, packageManager, framework, hasVulnerableDependencies: hasVulnerableDependencies || false, dependencyType }; } isInComment(line, language) { const trimmed = line.trim(); if (language === 'javascript' || language === 'typescript') { return trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('*'); } if (language === 'python') { return trimmed.startsWith('#'); } if (language === 'php') { return trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('#'); } if (language === 'yaml' || language === 'yml') { return trimmed.startsWith('#'); } if (language === 'toml') { return trimmed.startsWith('#'); } return false; } isInString(line, column) { const before = line.substring(0, column); const quotes = (before.match(/['"`]/g) || []).length; return quotes % 2 === 1; } isInTestFile(filePath) { return filePath.includes('test') || filePath.includes('spec') || filePath.includes('mock'); } isInDocumentation(lines) { return lines.some(line => line.includes('@example') || line.includes('@doc') || line.includes('@description') || line.includes('README') || line.includes('documentation')); } detectLanguage(filePath) { const ext = filePath.split('.').pop()?.toLowerCase(); const languageMap = { 'js': 'javascript', 'jsx': 'javascript', 'ts': 'typescript', 'tsx': 'typescript', 'py': 'python', 'php': 'php', 'rb': 'ruby', 'go': 'go', 'java': 'java', 'cs': 'csharp', 'cpp': 'cpp', 'c': 'c', 'rs': 'rust', 'kt': 'kotlin', 'swift': 'swift', 'dart': 'dart', 'scala': 'scala', 'clj': 'clojure', 'hs': 'haskell', 'yaml': 'yaml', 'yml': 'yaml', 'json': 'json', 'toml': 'toml', 'xml': 'xml', 'gradle': 'gradle', 'exs': 'elixir' }; return languageMap[ext || ''] || 'unknown'; } detectPackageManager(filePath) { if (filePath.includes('package.json')) return 'npm'; if (filePath.includes('yarn.lock')) return 'yarn'; if (filePath.includes('pnpm-lock.yaml')) return 'pnpm'; if (filePath.includes('requirements.txt')) return 'pip'; if (filePath.includes('Pipfile')) return 'pipenv'; if (filePath.includes('poetry.lock')) return 'poetry'; if (filePath.includes('composer.json')) return 'composer'; if (filePath.includes('Gemfile')) return 'bundler'; if (filePath.includes('Cargo.toml')) return 'cargo'; if (filePath.includes('go.mod')) return 'go'; if (filePath.includes('pom.xml')) return 'maven'; if (filePath.includes('build.gradle')) return 'gradle'; if (filePath.includes('build.sbt')) return 'sbt'; if (filePath.includes('mix.exs')) return 'mix'; if (filePath.includes('pubspec.yaml')) return 'pub'; if (filePath.includes('Podfile')) return 'cocoapods'; if (filePath.includes('Cartfile')) return 'carthage'; return undefined; } detectFramework(content, language) { if (language === 'javascript' || language === 'typescript') { if (content.includes('express') || content.includes('app.get') || content.includes('app.post')) return 'express'; if (content.includes('react') || content.includes('jsx') || content.includes('tsx')) return 'react'; if (content.includes('vue') || content.includes('Vue.createApp')) return 'vue'; if (content.includes('angular') || content.includes('@Component')) return 'angular'; if (content.includes('next') || content.includes('Next.js')) return 'nextjs'; } if (language === 'python') { if (content.includes('flask') || content.includes('Flask')) return 'flask'; if (content.includes('django') || content.includes('Django')) return 'django'; if (content.includes('fastapi') || content.includes('FastAPI')) return 'fastapi'; } if (language === 'php') { if (content.includes('laravel') || content.includes('Laravel')) return 'laravel'; if (content.includes('symfony') || content.includes('Symfony')) return 'symfony'; } return undefined; } detectDependencyType(filePath) { if (filePath.includes('package.json')) return 'node'; if (filePath.includes('requirements.txt')) return 'python'; if (filePath.includes('composer.json')) return 'php'; if (filePath.includes('Gemfile')) return 'ruby'; if (filePath.includes('Cargo.toml')) return 'rust'; if (filePath.includes('go.mod')) return 'go'; if (filePath.includes('pom.xml')) return 'java'; if (filePath.includes('build.gradle')) return 'java'; if (filePath.includes('mix.exs')) return 'elixir'; if (filePath.includes('pubspec.yaml')) return 'dart'; return undefined; } isDependencyFile(filePath) { const dependencyFiles = [ /package\.json$/i, /requirements\.txt$/i, /Pipfile$/i, /composer\.json$/i, /Gemfile$/i, /Cargo\.toml$/i, /go\.mod$/i, /pom\.xml$/i, /build\.gradle$/i, /build\.sbt$/i, /mix\.exs$/i, /pubspec\.yaml$/i, /Podfile$/i, /Cartfile$/i ]; return dependencyFiles.some(pattern => pattern.test(filePath)); } checkVulnerablePackages(fileContent, issues, language, packageManager, framework) { for (const pkg of this.vulnerablePackages) { const packagePattern = this.getPackagePattern(packageManager, pkg.name); const matches = this.findMatches(fileContent.content, packagePattern); for (const { match, line, column, lineContent } of matches) { const version = match[1]; if (version && this.isVulnerableVersion(version, pkg.versions) && pkg.validation(version)) { const context = this.analyzeContext(fileContent, line, column, language, packageManager, framework, true, this.detectDependencyType(fileContent.path)); const finalConfidence = this.calculateConfidence(pkg.confidence, context); const finalSeverity = this.calculateSeverity(pkg.severity, context, finalConfidence); if (finalConfidence >= 0.5) { issues.push(this.createIssue(fileContent.path, line, column, lineContent, `Vulnerable dependency: ${pkg.name} ${version} - ${pkg.reason} (confidence: ${Math.round(finalConfidence * 100)}%)`, this.generateSuggestion(pkg, context), finalSeverity)); } } } } } checkSuspiciousPatterns(fileContent, issues, language, packageManager, framework) { for (const { pattern, type, confidence, severity, validation } of this.suspiciousPatterns) { const matches = this.findMatches(fileContent.content, pattern); for (const { match, line, column, lineContent } of matches) { const matchedText = match[0]; const context = this.analyzeContext(fileContent, line, column, language, packageManager, framework, false, this.detectDependencyType(fileContent.path)); // Skips if in safe context if (this.isSafeContext(context)) { continue; } // Validates the suspicious pattern if (!validation(matchedText)) { continue; } // Calculates final confidence and severity based on context const finalConfidence = this.calculateConfidence(confidence, context); const finalSeverity = this.calculateSeverity(severity, context, finalConfidence); if (finalConfidence >= 0.5) { issues.push(this.createIssue(fileContent.path, line, column, lineContent, `Suspicious dependency pattern: ${type} (confidence: ${Math.round(finalConfidence * 100)}%)`, this.generateSuspiciousSuggestion(type, context), finalSeverity)); } } } } isSafeContext(context) { if (context.isInComment) return true; if (context.isInTestFile) return true; if (context.isInDocumentation) return true; if (this.safePatterns.some(pattern => pattern.test(context.surroundingCode))) { return true; } return false; } calculateConfidence(baseConfidence, context) { let confidence = baseConfidence; // Adjusts confidence based on context if (context.isInDevDependencies) confidence *= 0.7; // Reduces for dev dependencies if (context.packageManager) confidence *= 1.1; // Increases for known package managers if (context.framework) confidence *= 1.1; // Increases for known frameworks return Math.min(confidence, 1.0); } isVulnerableVersion(version, vulnerableVersions) { for (const vulnerableVersion of vulnerableVersions) { if (vulnerableVersion === '*') { return true; } if (vulnerableVersion.startsWith('<')) { const targetVersion = vulnerableVersion.substring(1); if (this.compareVersions(version, targetVersion) < 0) { return true; } } } return false; } compareVersions(version1, version2) { const v1Parts = version1.split('.').map(Number); const v2Parts = version2.split('.').map(Number); const maxLength = Math.max(v1Parts.length, v2Parts.length); for (let i = 0; i < maxLength; i++) { const v1 = v1Parts[i] || 0; const v2 = v2Parts[i] || 0; if (v1 < v2) return -1; if (v1 > v2) return 1; } return 0; } isInDevDependencies(content, lineNumber) { const lines = content.split('\n'); const targetLine = lineNumber - 1; for (let i = targetLine; i >= 0; i--) { const line = lines[i]?.trim(); if (!line) continue; if (line.includes('"devDependencies"') || line.includes("'devDependencies'")) { return true; } if (line.includes('"dependencies"') || line.includes("'dependencies'")) { return false; } } return false; } // Validation methods for vulnerable packages! validateLodashVersion(version) { return this.compareVersions(version, '4.17.21') < 0; } validateMomentUsage(_version) { return true; // All versions are deprecated } validateRequestUsage(_version) { return true; // All versions are deprecated } validateNodeUuidUsage(_version) { return true; // All versions are deprecated } validateGrowlVersion(version) { return this.compareVersions(version, '1.10.0') < 0; } validateHandlebarsVersion(version) { return this.compareVersions(version, '4.7.7') < 0; } validateSerializeJavascriptVersion(version) { return this.compareVersions(version, '3.1.0') < 0; } validateMinimistVersion(version) { return this.compareVersions(version, '1.2.6') < 0; } validateYargsParserVersion(version) { return this.compareVersions(version, '13.1.2') < 0; } validateIniVersion(version) { return this.compareVersions(version, '1.3.6') < 0; } validateDjangoVersion(version) { return this.compareVersions(version, '3.2.13') < 0; } validateFlaskVersion(version) { return this.compareVersions(version, '2.0.0') < 0; } validateRequestsVersion(version) { return this.compareVersions(version, '2.20.0') < 0; } validatePyyamlVersion(version) { return this.compareVersions(version, '5.4') < 0; } validatePillowVersion(version) { return this.compareVersions(version, '8.3.2') < 0; } validateSymfonyVersion(version) { return this.compareVersions(version, '4.4.35') < 0; } validateLaravelVersion(version) { return this.compareVersions(version, '8.75.0') < 0; } validateMonologVersion(version) { return this.compareVersions(version, '2.3.5') < 0; } validateEventStreamUsage(_version) { return true; // All versions are backdoored } validateCryptominerPackage(text) { const cryptominerKeywords = ['coin', 'cryptojs', 'digminer', 'miner', 'hashcoin', 'bitcoin', 'ethereum', 'monero']; return cryptominerKeywords.some(keyword => text.toLowerCase().includes(keyword)); } validateSuspiciousScript(text) { const suspiciousScripts = ['curl', 'wget', 'fetch', 'node']; return suspiciousScripts.some(script => text.toLowerCase().includes(script)); } calculateSeverity(baseSeverity, context, confidence) { let severity = baseSeverity; // Adjusts the severity based on context if (context.isInDevDependencies) { // Lowers the severity for dev dependencies but keeps at least medium if (severity === 'critical') severity = 'high'; else if (severity === 'high') severity = 'medium'; else if (severity === 'medium') severity = 'medium'; // Keeps medium } // Checks if in production context (Dockerfile, CI/CD) if (this.isInProductionContext(context)) { // Treats as production level severity if (severity === 'medium') severity = 'high'; else if (severity === 'low') severity = 'medium'; } // Framework specific adjustments if (context.framework) { if (['react', 'angular', 'vue'].includes(context.framework)) { // Frontend frameworks: Highlight build dependency risk if (severity === 'medium') severity = 'high'; } else if (['express', 'django', 'laravel'].includes(context.framework)) { // Backend APIs: Emphasize exposure risk if (severity === 'medium') severity = 'high'; } } // Confidence based adjustments if (confidence < 0.6 && severity === 'critical') { severity = 'high'; } return severity; } isInProductionContext(context) { // Checks if this dependency is used in production contexts const productionKeywords = ['dockerfile', 'docker-compose', 'deploy', 'production', 'prod', 'ci/cd', 'github actions', 'gitlab-ci', 'jenkins']; return productionKeywords.some(keyword => context.surroundingCode.toLowerCase().includes(keyword)); } // Validation methods: For suspicious patterns! validateSuspiciousPackage(text) { const suspiciousKeywords = ['eval', 'exec', 'shell', 'cmd', 'system', 'proc', 'spawn']; return suspiciousKeywords.some(keyword => text.toLowerCase().includes(keyword)); } validateMaliciousPackage(text) { const maliciousKeywords = ['backdoor', 'malware', 'virus', 'trojan', 'keylogger']; return maliciousKeywords.some(keyword => text.toLowerCase().includes(keyword)); } validateTyposquatting(text) { const typosquattingPatterns = ['lodahs', 'momnet', 'expres', 'reactt', 'angualr', 'vuejs']; return typosquattingPatterns.some(pattern => text.toLowerCase().includes(pattern)); } validatePermissiveVersion(text) { return /\*|latest|>.*|>=.*\|\|.*|.*\.\*\.\*/.test(text); } validateDevDependency(text) { const devDeps = ['nodemon', 'webpack-dev-server', 'jest', 'mocha', 'chai', 'sinon']; return devDeps.some(dep => text.toLowerCase().includes(dep)); } generateSuggestion(pkg, context) { let suggestion = `Update ${pkg.name} to a secure version. ${pkg.reason}.`; if (context.packageManager) { suggestion += ` Run '${this.getUpdateCommand(context.packageManager)}' to update dependencies.`; } if (context.framework) { suggestion += ` For ${context.framework}, consider using framework-specific security tools and dependency management.`; } return suggestion; } generateSuspiciousSuggestion(type, context) { const suggestions = { 'Suspicious package name': 'Review this dependency for security concerns and consider using a trusted alternative.', 'Malicious package name': 'This package name suggests malicious intent. Remove immediately and scan for other suspicious dependencies.', 'Potential typosquatting': 'This appears to be a typosquatting attempt. Use the correct package name.', 'Overly permissive version range': 'Use specific version ranges to prevent automatic updates to potentially vulnerable versions.', 'Development dependency in production': 'Move development dependencies to devDependencies section.' }; let suggestion = suggestions[type] || 'Review this dependency for security concerns.'; if (context.packageManager) { suggestion += ` Use '${this.getAuditCommand(context.packageManager)}' to check for known vulnerabilities.`; } return suggestion; } getUpdateCommand(packageManager) { const commands = { 'npm': 'npm audit fix', 'yarn': 'yarn audit', 'pnpm': 'pnpm audit', 'pip': 'pip audit', 'composer': 'composer audit', 'bundler': 'bundle audit', 'cargo': 'cargo audit', 'go': 'go list -m all | grep -E "(vulnerable|deprecated)"', 'maven': 'mvn dependency:check', 'gradle': 'gradle dependencyCheckAnalyze' }; return commands[packageManager] || 'dependency audit'; } getAuditCommand(packageManager) { const commands = { 'npm': 'npm audit', 'yarn': 'yarn audit', 'pnpm': 'pnpm audit', 'pip': 'pip audit', 'composer': 'composer audit', 'bundler': 'bundle audit', 'cargo': 'cargo audit', 'go': 'go list -m all', 'maven': 'mvn dependency:check', 'gradle': 'gradle dependencyCheckAnalyze' }; return commands[packageManager] || 'dependency audit'; } } exports.InsecureDependenciesRule = InsecureDependenciesRule; //# sourceMappingURL=insecure-dependencies.js.map