mulhamna · mulhamna · Jun 6, 2026 · Jun 6, 2026 · Jun 4, 2026 · Jun 4, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Setup Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -19,7 +19,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Setup Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Setup Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
@@ -48,15 +48,15 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
+        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463
         with:
           languages: javascript-typescript
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
+        uses: github/codeql-action/autobuild@87557b9c84dde89fdd9b10e88954ac2f4248e463
 
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
+        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463
diff --git a/.github/workflows/update-homebrew-tap.yml b/.github/workflows/update-homebrew-tap.yml
@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Checkout pkgmap
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
         with:
           ref: main
 
@@ -51,7 +51,7 @@ jobs:
           echo "sha256=$SHA" >> $GITHUB_OUTPUT
 
       - name: Checkout homebrew-tap
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
         with:
           repository: mulhamna/homebrew-tap
           token: ${{ secrets.TAP_GITHUB_TOKEN }}

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -58,7 +58,7 @@
   "dependencies": {
     "chalk": "^5.3.0",
     "cli-table3": "^0.6.3",
-    "commander": "^12.0.0",
+    "commander": "^15.0.0",
     "ora": "^9.3.0"
   },
   "devDependencies": {

diff --git a/src/audit.js b/src/audit.js
@@ -190,7 +190,7 @@ async function auditPackages(manager, packages) {
   if (!ecosystem) return []
 
   const queries = packages.map((pkg) => ({
-    package: { ecosystem, name: pkg.name },
+    package: { ecosystem, name: pkg.auditName || pkg.name },
     version: pkg.version,
   }))
 

diff --git a/src/scanners/conda.js b/src/scanners/conda.js
@@ -20,7 +20,7 @@ export default async function scan() {
       type: 'library',
     }))
 
-    return { manager: cmd, packages }
+    return { manager: 'conda', packages }
   } catch (err) {
     if (err.message?.includes('EACCES') || err.message?.includes('permission')) {
       console.warn(`⚠ ${cmd}: permission denied.`)

diff --git a/src/scanners/go.js b/src/scanners/go.js
@@ -15,12 +15,14 @@ export function parseGoBinaryMetadata(raw, binaryName) {
   if (!hasGoBuildMetadata) return null
 
   const modLine = lines.find((line) => line.startsWith('mod\t'))
+  const modulePath = modLine?.split(/\s+/)[1] || null
   const version = modLine?.split(/\s+/)[2] || 'installed'
 
   return {
     name: binaryName,
     version,
     type: 'binary',
+    ...(modulePath ? { auditName: modulePath } : {}),
   }
 }
 

diff --git a/test/index.test.js b/test/index.test.js
@@ -167,6 +167,7 @@ test('parseGoBinaryMetadata keeps only binaries with Go build metadata', () => {
     name: 'gopls',
     version: 'v0.16.2',
     type: 'binary',
+    auditName: 'golang.org/x/tools/gopls',
   })
 
   assert.equal(parseGoBinaryMetadata('not a Go executable', 'random-tool'), null)