You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
New REES local analyzer that flags newly-added/changed npm dependency specifiers that use dangerously loose ranges (*, latest, >=x, x bare-major) instead of a pinned/caret/tilde range — a reproducibility and supply-chain drift risk. Pure compute over manifest patches, no registry call, distinct from the vuln/typosquat analyzers.
Create review-enrichment/src/analyzers/loose-range.ts: parse added dependency lines in package.json patches, classify the specifier, flag loose kinds; cap with maxFindings
Register a local descriptor (category 'supply-chain', cost 'local', requires ['files']) with inline render() in review-enrichment/src/analyzers/registry.ts
Add review-enrichment/test/loose-range.test.ts covering each loose kind, a pinned/caret/tilde range not flagged, and the cap
References
review-enrichment/src/analyzers/dependency-scan.ts (package.json manifest parsing to reuse)
review-enrichment/src/analyzers/registry.ts:36-63 (supply-chain local descriptor template)
New REES local analyzer that flags newly-added/changed npm dependency specifiers that use dangerously loose ranges (
*,latest,>=x,xbare-major) instead of a pinned/caret/tilde range — a reproducibility and supply-chain drift risk. Pure compute over manifest patches, no registry call, distinct from the vuln/typosquat analyzers.Deliverables
LooseRangeFinding({ file, line, package: string, range: string, kind: 'wildcard'|'latest'|'unbounded-gte'|'bare' }) +looseRange?key to review-enrichment/src/types.tsReferences
review-enrichment/src/analyzers/dependency-scan.ts (package.json manifest parsing to reuse)review-enrichment/src/analyzers/registry.ts:36-63 (supply-chain local descriptor template)review-enrichment/src/types.ts:289-311Part of #1499.
size: XS · gittensor:bug