Checks lockfiles against known malicious or compromised npm package reports.
Local reports use the OSV schema used by the OpenSSF malicious-packages
repository and OSV.dev MAL-* advisories. This keeps the default check
offline and reproducible while allowing callers to supply an updated database
path through configuration.
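As an added example (not this module's own code), the matching logic such a check needs: an OSV advisory's `affected` entries are filtered to the npm package in question, then the lockfile version is tested against the explicit `versions` list and against SEMVER `ranges` whose events (`introduced`, `fixed`, `last_affected`) open and close affected intervals. The advisory and its MAL-* id below are constructed placeholders, and `OsvMatchExample`, `affects?/3` and `check/2` are names assumed for this example.

```elixir
defmodule OsvMatchExample do
  # Constructed sample advisory in the OSV schema; the MAL-* id is a placeholder.
  @advisory %{
    "id" => "MAL-0000-0001",
    "affected" => [
      %{
        "package" => %{"ecosystem" => "npm", "name" => "example-pkg"},
        "versions" => ["1.3.1"],
        "ranges" => [%{"type" => "SEMVER", "events" => [%{"introduced" => "2.0.0"}, %{"fixed" => "2.0.3"}]}]
      }
    ]
  }

  def sample_advisory, do: @advisory

  @doc "Return whether an OSV advisory affects npm package `name` at `version`."
  def affects?(advisory, name, version) do
    advisory
    |> Map.get("affected", [])
    |> Enum.filter(&npm_package?(&1, name))
    |> Enum.any?(fn a ->
      # Range checks need a parseable semver; unparseable lockfile versions only
      # match explicit `versions` entries. Version.compare/2 raises on a bad advisory version.
      version in Map.get(a, "versions", []) or
        (match?({:ok, _}, Version.parse(version)) and
           Enum.any?(Map.get(a, "ranges", []), &in_range?(&1, version)))
    end)
  end

  @doc "Check a lockfile map of name => version; one finding per matching advisory."
  def check(lockfile, advisories) do
    for {name, version} <- lockfile, adv <- advisories, affects?(adv, name, version),
        do: %{name: name, version: version, id: adv["id"]}
  end

  defp npm_package?(a, name),
    do: get_in(a, ["package", "ecosystem"]) == "npm" and get_in(a, ["package", "name"]) == name

  # Walk SEMVER events (assumed sorted): `introduced` opens an interval, `fixed` or
  # `last_affected` closes it; an interval still open at the end is unbounded above.
  defp in_range?(%{"type" => "SEMVER", "events" => events}, version) do
    {open, hit} =
      Enum.reduce(events, {false, false}, fn
        %{"introduced" => "0"}, {_, hit} -> {true, hit}
        %{"introduced" => v}, {_, hit} -> {Version.compare(version, v) != :lt, hit}
        %{"fixed" => v}, {open, hit} -> {false, hit or (open and Version.compare(version, v) == :lt)}
        %{"last_affected" => v}, {open, hit} -> {false, hit or (open and Version.compare(version, v) != :gt)}
      end)
    open or hit
  end

  defp in_range?(_other, _version), do: false
end
```

Calling `OsvMatchExample.check(%{"example-pkg" => "2.0.1", "other-pkg" => "4.17.21"}, [OsvMatchExample.sample_advisory()])` exercises the range path for the first entry and the no-advisory path for the second.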
Summary
Functions
Return whether an OSV advisory affects an npm package version.
Return the shared global cache path for OSV-format compromised-package reports.
Check a lockfile map against configured compromised-package sources.
Check a lockfile against OSV.dev and return query errors to the caller.
Check one package version against configured compromised-package sources.
Convert a finding to a JSON-encodable map.
Format compromised-package findings for CLI output.
Merge advisory lists by OSV id and return stable sorted advisories.
Merge new OSV advisories into an existing local database.
Read OSV advisory reports from a local JSON database.
Write OSV advisory reports to a local JSON database.
Types
Functions
Return whether an OSV advisory affects an npm package version.
@spec cache_path() :: String.t()
Return the shared global cache path for OSV-format compromised-package reports.
@spec check(NPM.Lockfile.t(), keyword()) :: [finding()]
Check a lockfile map against configured compromised-package sources.
@spec check_osv(NPM.Lockfile.t(), keyword()) :: {:ok, [finding()]} | {:error, term()}
Check a lockfile against OSV.dev and return query errors to the caller.
Check one package version against configured compromised-package sources.
Convert a finding to a JSON-encodable map.
Format compromised-package findings for CLI output.
Merge advisory lists by OSV id and return stable sorted advisories.
Merge new OSV advisories into an existing local database.
Read OSV advisory reports from a local JSON database.
Write OSV advisory reports to a local JSON database.