From b9b15db3625b2a9b148f4d8ccf49e3e8fa6d5d53 Mon Sep 17 00:00:00 2001
From: Mulham
Date: Sat, 6 Jun 2026 05:37:47 +0000
Subject: [PATCH 1/5] fix: preserve audit support for go and conda

---
 src/audit.js | 2 +-
 src/scanners/conda.js | 2 +-
 src/scanners/go.js | 2 ++
 test/index.test.js | 1 +
 4 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/audit.js b/src/audit.js
index 073d2d8..553f069 100644
--- a/src/audit.js
+++ b/src/audit.js
@@ -190,7 +190,7 @@ async function auditPackages(manager, packages) {
 if (!ecosystem) return []
 
 const queries = packages.map((pkg) => ({
- package: { ecosystem, name: pkg.name },
+ package: { ecosystem, name: pkg.auditName || pkg.name },
 version: pkg.version,
 }))
 
diff --git a/src/scanners/conda.js b/src/scanners/conda.js
index d9d86a5..b4464d5 100644
--- a/src/scanners/conda.js
+++ b/src/scanners/conda.js
@@ -20,7 +20,7 @@ export default async function scan() {
 type: 'library',
 }))
 
- return { manager: cmd, packages }
+ return { manager: 'conda', packages }
 } catch (err) {
 if (err.message?.includes('EACCES') || err.message?.includes('permission')) {
 console.warn(`⚠ ${cmd}: permission denied.`)
diff --git a/src/scanners/go.js b/src/scanners/go.js
index 01ed612..e0f9d7c 100644
--- a/src/scanners/go.js
+++ b/src/scanners/go.js
@@ -15,12 +15,14 @@ export function parseGoBinaryMetadata(raw, binaryName) {
 if (!hasGoBuildMetadata) return null
 
 const modLine = lines.find((line) => line.startsWith('mod\t'))
+ const modulePath = modLine?.split(/\s+/)[1] || null
 const version = modLine?.split(/\s+/)[2] || 'installed'
 
 return {
 name: binaryName,
 version,
 type: 'binary',
+ ...(modulePath ? { auditName: modulePath } : {}),
 }
 }
 
diff --git a/test/index.test.js b/test/index.test.js
index b149e82..a5f8391 100644
--- a/test/index.test.js
+++ b/test/index.test.js
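Review bot: The `auditName` override on the changed `package:` line is a cross-module contract that nothing at the query site documents: a scanner may attach a name that differs from the display name (go.js in this same series sets it to the module path), and a reader of auditPackages alone cannot tell why two names exist. Suggest a comment above the `queries` map such as `// auditName wins over name when a scanner knows the identifier the audit index uses (e.g. a Go binary's module path rather than its file name)`. `||` is fine as long as no scanner ever sets auditName to `''`; if that cannot be guaranteed, `??` would make the fallback explicit. The body of auditPackages continues outside the hunk.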
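Review bot: The new `manager: 'conda'` literal on the return line replaces `cmd` while the `console.warn` in the catch still reports `cmd`, and the hunk gives no reason for the split; presumably the audit ecosystem lookup keys on the literal `'conda'` whichever CLI produced the package list, which is what the subject line's "preserve audit support" suggests. A why-comment on the return line would stop the next reader from "fixing" it back: `// report the ecosystem, not the CLI that ran, so auditPackages can map it`. scan() starts and ends outside the hunk.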
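Review bot: The added `modulePath` line splits `modLine` on `/\s+/` a second time directly above the existing `version` split; one destructuring keeps both fields in step and reads more clearly: `const [, modulePath = null, version = 'installed'] = modLine?.split(/\s+/) ?? []` (the truthiness test on the spread line still omits an empty path, so the returned object is unchanged). The spread line also deserves a why-comment, because `auditName` is taken from build metadata read out of the scanned binary rather than from its file name, and that distinction is what makes the audit lookup work: `// module path from the embedded build info is the name the audit lookup expects; the file name is only for display`. parseGoBinaryMetadata starts outside the hunk.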
@@ -167,6 +167,7 @@ test('parseGoBinaryMetadata keeps only binaries with Go build metadata', () => {
 name: 'gopls',
 version: 'v0.16.2',
 type: 'binary',
+ auditName: 'golang.org/x/tools/gopls',
 })
 
 assert.equal(parseGoBinaryMetadata('not a Go executable', 'random-tool'), null)

From 87d8c2451be000664a76cf77db72cb2be1719233 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 4 Jun 2026 03:51:19 +0000
Subject: [PATCH 2/5] chore(deps): bump github/codeql-action from 4.36.0 to 4.36.1

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.36.0 to 4.36.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/7211b7c8077ea37d8641b6271f6a365a22a5fbfa...87557b9c84dde89fdd9b10e88954ac2f4248e463)

---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.36.1
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/security.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index ce97bef..d1e9771 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
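Review bot: The new `auditName` expectation covers only the positive case; nothing asserts that build metadata without a `mod` line yields an object with no `auditName` key at all, which is what the conditional spread in go.js is there to guarantee, so a regression that always emits the key (or emits `auditName: null`) would still pass. If a fixture without a `mod` line can satisfy the metadata check, add a sibling assertion such as `assert.equal('auditName' in parseGoBinaryMetadata(FIXTURE_WITHOUT_MOD_LINE, 'tool'), false)` with a constructed fixture. The enclosing test callback starts outside the hunk.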
@@ -51,12 +51,12 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
 - name: Initialize CodeQL
- uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
+ uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463
 with:
 languages: javascript-typescript
 
 - name: Autobuild
- uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
+ uses: github/codeql-action/autobuild@87557b9c84dde89fdd9b10e88954ac2f4248e463
 
 - name: Perform CodeQL analysis
- uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
+ uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463

From 159aaf224b759f900b7c377d1c704b9a1c599041 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 4 Jun 2026 03:51:24 +0000
Subject: [PATCH 3/5] chore(deps): bump actions/checkout from 6.0.2 to 6.0.3

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...df4cb1c069e1874edd31b4311f1884172cec0e10)

---
updated-dependencies:
- dependency-name: actions/checkout
dependency-version: 6.0.3
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/npm-publish.yml | 2 +-
 .github/workflows/security.yml | 4 ++--
 .github/workflows/update-homebrew-tap.yml | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c75ae48..26e5594 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs:
 
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
 - name: Setup Node.js
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 89eddd3..1bba079 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -19,7 +19,7 @@ jobs:
 
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
 - name: Setup Node.js
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index d1e9771..188f550 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -24,7 +24,7 @@ jobs:
 
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
 - name: Setup Node.js
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
@@ -48,7 +48,7 @@ jobs:
 
 steps:
 - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
 - name: Initialize CodeQL
 uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463
diff --git a/.github/workflows/update-homebrew-tap.yml b/.github/workflows/update-homebrew-tap.yml
index b09dc32..6bd55df 100644
--- a/.github/workflows/update-homebrew-tap.yml
+++ b/.github/workflows/update-homebrew-tap.yml
@@ -16,7 +16,7 @@ jobs:
 
 steps:
 - name: Checkout pkgmap
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 with:
 ref: main
 
@@ -51,7 +51,7 @@ jobs:
 echo "sha256=$SHA" >> $GITHUB_OUTPUT
 
 - name: Checkout homebrew-tap
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 with:
 repository: mulhamna/homebrew-tap
 token: ${{ secrets.TAP_GITHUB_TOKEN }}

From 889f21d050c0f66de9d95b81286c20999e308e7a Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 4 Jun 2026 03:51:28 +0000
Subject: [PATCH 4/5] chore(deps-dev): bump eslint from 10.4.0 to 10.4.1

Bumps [eslint](https://github.com/eslint/eslint) from 10.4.0 to 10.4.1.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/compare/v10.4.0...v10.4.1)

---
updated-dependencies:
- dependency-name: eslint
dependency-version: 10.4.1
dependency-type: direct:development
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 package-lock.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 8a31242..14dbd5e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -151,9 +151,9 @@
 }
 },
 "node_modules/@eslint/plugin-kit": {
- "version": "0.7.1",
- "resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.7.1.tgz",
- "integrity": "sha512-rZAP3aVgB9ds9KOeUSL+zZ21hPmo8dh6fnIFwRQj5EAZl9gzR7wxYbYXYysAM8CTqGmUGyp2S4kUdV17MnGuWQ==",
+ "version": "0.7.2",
+ "resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.7.2.tgz",
+ "integrity": "sha512-+CNAzxglkrpNf/kKywqQfk74QjtceuOE7Qm+AF8miRvPF/wmmK5+OJOgVh3AVTT3RP2mH3+FOaxlE5v72owk0A==",
 "dev": true,
 "license": "Apache-2.0",
 "dependencies": {
@@ -435,9 +435,9 @@
 }
 },
 "node_modules/eslint": {
- "version": "10.4.0",
- "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.4.0.tgz",
- "integrity": "sha512-loXy6bWOoP3EP6JA7jo6p5jMpBJmHmsNZM5SFRHLdh1MGOPurMnNBj4ZlAbaqUAaQWbCr7jHV4P7gzAyryZWkQ==",
+ "version": "10.4.1",
+ "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.4.1.tgz",
+ "integrity": "sha512-AyIKhnOBuOAdueD7RB3xB+YeAWScb9jHsJBgH2Hcde8InP5JYhqrRR6iTMHyTEwgENK54Cp44e4v8BwNhsuHuw==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
@@ -446,7 +446,7 @@
 "@eslint/config-array": "^0.23.5",
 "@eslint/config-helpers": "^0.6.0",
 "@eslint/core": "^1.2.1",
- "@eslint/plugin-kit": "^0.7.1",
+ "@eslint/plugin-kit": "^0.7.2",
 "@humanfs/node": "^0.16.6",
 "@humanwhocodes/module-importer": "^1.0.1",
 "@humanwhocodes/retry": "^0.4.2",

From 0bf86b8fffa9218d4afd57454186d917791758f8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 4 Jun 2026 03:51:23 +0000
Subject: [PATCH 5/5] chore(deps): bump commander from 12.1.0 to 15.0.0

Bumps [commander](https://github.com/tj/commander.js) from 12.1.0 to 15.0.0.
- [Release notes](https://github.com/tj/commander.js/releases)
- [Changelog](https://github.com/tj/commander.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/tj/commander.js/compare/v12.1.0...v15.0.0)

---
updated-dependencies:
- dependency-name: commander
dependency-version: 15.0.0
dependency-type: direct:production
update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]
---
 package-lock.json | 10 +++++-----
 package.json | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 14dbd5e..cfada19 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -11,7 +11,7 @@
 "dependencies": {
 "chalk": "^5.3.0",
 "cli-table3": "^0.6.3",
- "commander": "^12.0.0",
+ "commander": "^15.0.0",
 "ora": "^9.3.0"
 },
 "bin": {
@@ -367,12 +367,12 @@
 }
 },
 "node_modules/commander": {
- "version": "12.1.0",
- "resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz",
- "integrity": "sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==",
+ "version": "15.0.0",
+ "resolved": "https://registry.npmjs.org/commander/-/commander-15.0.0.tgz",
+ "integrity": "sha512-z67u4ZhzCL/Tydu1lJARtEZYWbWaN7oYLHbsuzocr6y4N6WZAagG3RQ4FW61V1/0+jImpj293XfrcYnd1qxtPg==",
 "license": "MIT",
 "engines": {
- "node": ">=18"
+ "node": ">=22.12.0"
 }
 },
 "node_modules/cross-spawn": {
diff --git a/package.json b/package.json
index 41dd8d4..514173f 100644
--- a/package.json
+++ b/package.json
@@ -58,7 +58,7 @@
 "dependencies": {
 "chalk": "^5.3.0",
 "cli-table3": "^0.6.3",
- "commander": "^12.0.0",
+ "commander": "^15.0.0",
 "ora": "^9.3.0"
 },
 "devDependencies": {