v1.3.0 slopsquatting feature

Author: slowcoder360

README.md

@@ -12,6 +12,9 @@ VibeSafe helps developers quickly check their projects for common security issue
 - 🔐 **Secret Scanning**  
   Flags AWS keys, JWTs, SSH keys, high-entropy strings, and secrets in `.env` files.
 
+- 🛡️ **Secure Package Installation** (`vibesafe install`)  
+  Helps prevent slopsquatting & typosquatting by checking package trustworthiness before installing.
+
 - 📦 **Dependency Vulnerability Detection**  
   Checks `package.json` dependencies against the [OSV.dev](https://osv.dev) vulnerability database. *(Direct deps only for now — lockfile support coming soon).*
 
@@ -110,6 +113,92 @@ vibesafe scan -r ai-report.md
 vibesafe scan --high-only
 ```
 
+## 🛡️ Secure Package Installation: `vibesafe install`
+
+VibeSafe now includes a command to help you install npm packages more safely, protecting against typosquatting and other suspicious packages.
+
+**Basic Usage:**
+
+Use `vibesafe install` (or its alias `vibesafe i`) just like you would use `npm install`:
+
+```bash
+vibesafe install <package-name>
+# Example
+vibesafe install express
+```
+
+**How it Works:**
+
+Before installing, `vibesafe install` performs several heuristic checks on the package(s) you want to install:
+
+*   **Package Age:** Flags very new packages (e.g., published within the last 30 days).
+*   **Download Volume:** Flags packages with very low download counts.
+*   **README Presence:** Checks for a missing or placeholder README file.
+*   **License:** Verifies if a license is specified.
+*   **Repository/Homepage:** Checks for a linked code repository or homepage.
+
+**User Confirmation:**
+
+If any of these checks raise a warning, VibeSafe will list the concerns and ask for your confirmation before proceeding with the installation:
+
+```shell
+$ vibesafe install some-new-package
+[vibesafe] Processing package "some-new-package" (1 of 1)...
+[vibesafe] Fetching metadata for "some-new-package"...
+[vibesafe] Successfully fetched metadata for "some-new-package".
+  Created: <date>
+[vibesafe] ⚠ Found 2 heuristic warning(s) for "some-new-package":
+  - Package "some-new-package" was published recently... (Severity: Medium)
+    Details: Published 0 days ago (threshold: 30 days)
+  - Package "some-new-package" has a placeholder README... (Severity: Low)
+    Details: ...
+Are you sure you want to install "some-new-package"? [y/N]
+```
+
+*   Enter `y` or `yes` to proceed despite warnings.
+*   Enter `n` or press Enter to abort the installation.
+
+**Automatic Yes (for CI/Scripts):**
+
+Use the `--yes` flag to automatically accept warnings and proceed with installation. This is useful in non-interactive environments.
+
+```bash
+vibesafe install <package-name> --yes
+```
+If `--yes` is not used in a non-interactive environment (e.g., a script without a TTY), VibeSafe will abort installation if any warnings are found.
+
+**Installing Multiple Packages:**
+
+You can specify multiple packages to install in one command. VibeSafe will process them sequentially:
+
+```bash
+vibesafe install packageA packageB packageC
+```
+If an issue is found with one package and you choose to abort, subsequent packages in the list will not be processed.
+
+**Passing Flags to npm (e.g., `--save-dev`):**
+
+If you need to pass additional arguments directly to the `npm install` command (like `--save-dev`, `--legacy-peer-deps`, etc.), use the `--` separator after your package names and before the npm flags:
+
+```bash
+vibesafe install <package-name> -- --save-dev
+vibesafe install packageA packageB -- --save-dev --legacy-peer-deps
+```
+
+### Future Enhancements for `vibesafe install` (TODO)
+
+We plan to enhance `vibesafe install` with more advanced security features:
+
+*   **Typosquatting & Name Similarity Detection:**
+    *   Detect package names that are very similar to popular packages (e.g., using Levenshtein distance).
+    *   Suggest correct package names if a typo is suspected (e.g., "Did you mean `express`?").
+*   **Malicious Package Database Check:**
+    *   Integrate with services like OSV.dev to check if a package version is known to be malicious.
+*   **Installation Script Warnings:**
+    *   Inspect package manifests for `preinstall`/`postinstall` scripts and warn the user.
+*   **Configurable Rules:**
+    *   Allow users to customize thresholds for warnings (e.g., package age, download counts) via a configuration file.
+
 ## 🛑📁 Ignoring Files (.vibesafeignore)
 
 Create a `.vibesafeignore` file in the root of the directory being scanned. Add file paths or glob patterns (one per line) to exclude them from the scan. The syntax is the same as `.gitignore`.
@@ -148,6 +237,6 @@ For questions or commercial partnership inquiries, contact **vibesafepackage@gma
 ## 📛 Trademark Notice
 
 **VibeSafe™** is a trademark of Secret Society LLC.  
-Use of the name “VibeSafe” for derivative tools, competing products, or commercial services is **not permitted without prior written consent.**
+Use of the name "VibeSafe" for derivative tools, competing products, or commercial services is **not permitted without prior written consent.**
 
 You are free to fork or build upon this code under the [MIT License](./LICENSE), but please use a different name and branding for public or commercial distributions.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "vibesafe",
-  "version": "1.2.0",
+  "version": "1.3.0",
   "description": "A CLI tool to scan your codebase for security vibes.",
   "main": "dist/index.js",
   "bin": {

src/index.ts

@@ -19,6 +19,13 @@ import { scanForLoggingIssues, LoggingFinding } from './scanners/logging';
 import { scanForHttpClientIssues, HttpClientFinding } from './scanners/httpClient';
 import { detectTechnologies, DetectedTechnologies } from './frameworkDetection';
 
+// --- VibeSafe Installer Imports ---
+import { fetchPackageMetadata, fetchPackageDownloads } from './installer/npmRegistryClient';
+import { checkPackageAge, HeuristicWarning, checkDownloadVolume, checkReadmePresence, checkLicensePresence, checkRepositoryPresence } from './installer/heuristicChecks';
+import readline from 'readline'; // Added for user input
+import { spawn } from 'child_process'; // Added for spawning npm
+// We will add more imports from './installer/*' here as we build out features
+
 // Define a combined finding type if needed later
 
 // Helper for coloring severities
@@ -577,6 +584,187 @@ program.command('scan')
 
   });
 
+program.command('install')
+  .alias('i')
+  .description('Install a package safely after security checks.')
+  .argument('<package>', 'Package to install (e.g., express, [email protected])')
+  .argument('[npmArgs...]', 'Additional arguments to pass to npm (e.g., --save-dev, --legacy-peer-deps)')
+  .option('--yes', 'Automatically answer yes to prompts and run non-interactively')
+  .action(async (packageNameArg: string, additionalArgs: string[], options: { yes?: boolean }) => {
+    
+    const packagesToProcess: string[] = [packageNameArg];
+    const npmPassThroughFlags: string[] = [];
+
+    for (const arg of additionalArgs) {
+      if (arg.startsWith('-')) {
+        npmPassThroughFlags.push(arg);
+      } else {
+        packagesToProcess.push(arg);
+      }
+    }
+
+    let overallExitCode = 0;
+    let stopAllProcessing = false;
+
+    for (let i = 0; i < packagesToProcess.length; i++) {
+      const currentPkgName = packagesToProcess[i];
+      console.log(chalk.magenta(`\n[vibesafe] Processing package "${chalk.cyan(currentPkgName)}" (${i + 1} of ${packagesToProcess.length})...`));
+      if (npmPassThroughFlags.length > 0) {
+        console.log(chalk.dim(`  with npm flags: ${npmPassThroughFlags.join(' ')}`));
+      }
+
+      // Flags to manage flow for the current package
+      let proceedWithInstallation = false; 
+      let installationAbortedManually = false;
+      let errorOccurredDuringChecks = false;
+
+      try {
+        // Reset for each package, but if it becomes true, we stop all.
+        // This logic is largely moved from the original single-package handler
+        
+        console.log(`[vibesafe] Fetching metadata for \"${chalk.cyan(currentPkgName)}\"...`);
+        const metadata = await fetchPackageMetadata(currentPkgName);
+        console.log(chalk.green(`[vibesafe] Successfully fetched metadata for \"${chalk.cyan(currentPkgName)}\".`));
+        
+        if (metadata.time?.created) {
+          console.log(`  Created: ${new Date(metadata.time.created).toLocaleDateString()}`);
+        }
+
+        // --- Perform Heuristic Checks ---
+        const warnings: HeuristicWarning[] = [];
+
+        const ageWarning = checkPackageAge(metadata);
+        if (ageWarning) warnings.push(ageWarning);
+
+        const downloadsData = await fetchPackageDownloads(currentPkgName);
+        if (downloadsData.error) {
+          console.warn(chalk.yellow(`[WARN] Could not fetch download stats for \"${chalk.cyan(currentPkgName)}\": ${downloadsData.error}`));
+        } else {
+          console.log(`  Downloads (last month): ${downloadsData.downloads !== undefined ? downloadsData.downloads.toLocaleString() : 'N/A'}`);
+          const downloadWarning = checkDownloadVolume(currentPkgName, downloadsData);
+          if (downloadWarning) warnings.push(downloadWarning);
+        }
+
+        const readmeWarning = checkReadmePresence(metadata);
+        if (readmeWarning) warnings.push(readmeWarning);
+
+        const licenseWarning = checkLicensePresence(metadata);
+        if (licenseWarning) warnings.push(licenseWarning);
+
+        const repoWarning = checkRepositoryPresence(metadata);
+        if (repoWarning) warnings.push(repoWarning);
+
+        // --- Process Aggregated Warnings ---
+        if (warnings.length === 0) {
+          console.log(chalk.green(`[vibesafe] ✔ No heuristic warnings found for \"${chalk.cyan(currentPkgName)}\". Proceeding to installation.`));
+          proceedWithInstallation = true;
+        } else {
+          console.log(chalk.yellow(`[vibesafe] ⚠ Found ${warnings.length} heuristic warning(s) for \"${chalk.cyan(currentPkgName)}\":`));
+          warnings.forEach(w => {
+            console.warn(chalk.yellow(`  - ${w.message} (Severity: ${w.severity})`));
+            if (w.details) {
+              let detailsString = typeof w.details === 'string' ? w.details : JSON.stringify(w.details);
+              if (w.type === 'PackageAge' && typeof w.details === 'object' && w.details !== null && 'ageInDays' in w.details && 'thresholdDays' in w.details) {
+                detailsString = `Published ${Math.floor(w.details.ageInDays)} days ago (threshold: ${w.details.thresholdDays} days)`;
+              }
+              console.warn(chalk.yellow(`    Details: ${detailsString}`));
+            }
+          });
+
+          if (options.yes) {
+            console.log(chalk.yellow('[vibesafe] --yes flag detected. Proceeding with installation despite warnings.'));
+            proceedWithInstallation = true;
+          } else if (!process.stdin.isTTY) {
+            console.log(chalk.red('[vibesafe] Non-interactive input detected. Aborting installation due to warnings.'));
+            console.log(chalk.red('[vibesafe] Use the --yes flag to force installation in non-interactive mode if necessary.'));
+            overallExitCode = 1;
+            stopAllProcessing = true; // Stop processing further packages
+          } else {
+            const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+            const answer = await new Promise<string>(resolve => 
+              rl.question(chalk.blueBright(`Are you sure you want to install \"${chalk.cyan(currentPkgName)}\"? [y/N] `), resolve)
+            );
+            rl.close();
+            if (answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes') {
+              console.log(chalk.green(`[vibesafe] User approved installation for \"${chalk.cyan(currentPkgName)}\".`));
+              proceedWithInstallation = true;
+            } else {
+              console.log(chalk.red(`[vibesafe] User aborted installation for \"${chalk.cyan(currentPkgName)}\".`));
+              installationAbortedManually = true;
+              overallExitCode = 1;
+              stopAllProcessing = true; // Stop processing further packages
+            }
+          }
+        }
+      } catch (error: any) {
+        console.error(chalk.red(`[vibesafe] Error during security checks for \"${chalk.cyan(currentPkgName)}\": ${error.message}`));
+        errorOccurredDuringChecks = true;
+        overallExitCode = 1;
+        stopAllProcessing = true; // Stop processing further packages
+      }
+
+      if (stopAllProcessing) {
+        console.log(chalk.red(`[vibesafe] Aborting further package processing due to previous error or user cancellation.`));
+        break; // Exit the loop over packages
+      }
+
+      if (proceedWithInstallation && !installationAbortedManually && !errorOccurredDuringChecks) {
+        console.log(chalk.blue(`[vibesafe] Invoking npm install for \"${chalk.cyan(currentPkgName)}\"` + 
+                       `${npmPassThroughFlags.length > 0 ? ` with flags: ${chalk.dim(npmPassThroughFlags.join(' '))}` : chalk.dim(' (no additional flags)')}...`));
+        
+        const npmCommand = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+        const installProcess = spawn(npmCommand, ['install', currentPkgName, ...npmPassThroughFlags], { stdio: 'inherit' });
+
+        const npmPromise = new Promise<void>((resolve, reject) => {
+          installProcess.on('error', (err) => {
+            console.error(chalk.red(`[vibesafe] Failed to start npm process for \"${chalk.cyan(currentPkgName)}\": ${err.message}`));
+            overallExitCode = 1;
+            stopAllProcessing = true;
+            reject(err);
+          });
+
+          installProcess.on('close', (code) => {
+            if (code === 0) {
+              console.log(chalk.green(`[vibesafe] Successfully installed \"${chalk.cyan(currentPkgName)}\".`));
+              resolve();
+            } else {
+              console.error(chalk.red(`[vibesafe] npm install for \"${chalk.cyan(currentPkgName)}\" failed with exit code ${code}.`));
+              overallExitCode = 1;
+              stopAllProcessing = true; 
+              reject(new Error(`npm install failed with code ${code}`));
+            }
+          });
+        });
+        
+        try {
+          await npmPromise;
+        } catch (npmError) {
+          // Error already logged, overallExitCode and stopAllProcessing are set.
+          // Just need to ensure we break the loop if not already handled by stopAllProcessing check.
+          if (stopAllProcessing) break;
+        }
+      } else if (installationAbortedManually || errorOccurredDuringChecks) {
+        // Message already logged, overallExitCode and stopAllProcessing are set.
+        if (stopAllProcessing) break; 
+      }
+      // If !proceedWithInstallation due to non-interactive mode with warnings (and no --yes), already handled.
+
+      if (stopAllProcessing && i < packagesToProcess.length -1) { // if we stopped and there were more packages
+          console.log(chalk.yellow(`[vibesafe] Remaining packages (${packagesToProcess.length - 1 - i}) were not processed.`));
+          break;
+      }
+    } // end for loop over packages
+
+    if (overallExitCode !== 0) {
+      process.exitCode = overallExitCode;
+      console.log(chalk.redBright(`[vibesafe] Finished 'install' command with errors or cancellations.`));
+    } else if (!stopAllProcessing) {
+      console.log(chalk.greenBright(`[vibesafe] Successfully processed all requested packages.`));
+    }
+    // No explicit process.exit(0) needed, as it's the default if process.exitCode is not set to non-zero.
+
+  });
+
 // Helper for sorting console output - Add Info level
 function severityToSortOrder(severity: FindingSeverity | SecretFinding['severity'] | UploadFinding['severity'] | LoggingFinding['severity'] | EndpointFinding['severity'] | RateLimitFinding['severity'] | HttpClientFinding['severity']): number {
     switch (severity) {