Skip to content

feat(enrichment): overly-broad dependency version-range analyzer #2036

Description

@JSONbored

New REES local analyzer that flags newly-added/changed npm dependency specifiers that use dangerously loose ranges (*, latest, >=x, x bare-major) instead of a pinned/caret/tilde range — a reproducibility and supply-chain drift risk. Pure compute over manifest patches, no registry call, distinct from the vuln/typosquat analyzers.

Deliverables

  • Add LooseRangeFinding ({ file, line, package: string, range: string, kind: 'wildcard'|'latest'|'unbounded-gte'|'bare' }) + looseRange? key to review-enrichment/src/types.ts
  • Create review-enrichment/src/analyzers/loose-range.ts: parse added dependency lines in package.json patches, classify the specifier, flag loose kinds; cap with maxFindings
  • Register a local descriptor (category 'supply-chain', cost 'local', requires ['files']) with inline render() in review-enrichment/src/analyzers/registry.ts
  • Add review-enrichment/test/loose-range.test.ts covering each loose kind, a pinned/caret/tilde range not flagged, and the cap

References

  • review-enrichment/src/analyzers/dependency-scan.ts (package.json manifest parsing to reuse)
  • review-enrichment/src/analyzers/registry.ts:36-63 (supply-chain local descriptor template)
  • review-enrichment/src/types.ts:289-311

Part of #1499.


size: XS · gittensor:bug

Metadata

Metadata

Assignees

No one assigned

    Labels

    gittensor:bugGittensor-scored bug fix — scores a 0.05x multiplier.help wantedExtra attention is needed

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions