
feat: graded output for MAL- advisories from git sources #621

Open
sonukapoor wants to merge 4 commits into main from feat/issue-618-git-source-mal-classification

Conversation

@sonukapoor

Collaborator

When a MAL- advisory matches a package installed from a git/tarball source (GitHub, GitLab, Bitbucket), show a graded warning with context instead of the alarming 'Remove it from your dependencies immediately.' message.

The advisory is still surfaced — just with accurate framing so teams can triage rather than panic.

What changed

  • New detection functions isGitSource() and hasCommitShaPinning() in src/utils/advisory.ts
  • Scanner priority chain: git source → maliciousGitSource + maliciousGitSourcePinned; private registry → maliciousUnverifiable (unchanged); npm registry → confirmed malicious (unchanged)
  • Terminal output: ⚠ Git source (SHA-pinned) or ⚠ Git source (floating ref) with resolved URL
  • HTML report: orange badge-git-source badge variant
  • New examples/git-source-mal/ fixture demonstrating the output

Example output (compact)

UNKNOWN  node-ipc@9.2.3
            Direct dependency
            ⚠ Git source — verify repository and org are trusted. Source: https://codeload.github.com/...

Reported by a Discord engineer whose first-party GitHub-hosted packages were flagged as malicious.

Closes #618
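The detection functions and priority chain described in this PR, written out as an added TypeScript example (not the project's own code from src/utils/advisory.ts). The host patterns, the lockfile entry shape, the public registry host and the sample entries are assumptions for illustration.

```typescript
// Added example, not the project's code: classify a MAL- advisory hit by the package's
// resolved source, following the priority chain git source -> private registry -> npm registry.
type Verdict = 'malicious' | 'maliciousUnverifiable' | 'maliciousGitSource' | 'maliciousGitSourcePinned';

interface LockEntry { name: string; version: string; resolved: string } // assumed lockfile shape

const NPM_REGISTRY = 'registry.npmjs.org'; // assumed public registry host
// Hosts that serve git or tarball sources; codeload.github.com is what npm records for GitHub shorthand deps.
const GIT_HOSTS = [/(^|\.)github\.com$/, /(^|\.)gitlab\.com$/, /(^|\.)bitbucket\.org$/];

function hostnameOf(resolved: string): string | null {
  try { return new URL(resolved).hostname; } catch { return null; }
}

function isGitSource(resolved: string): boolean {
  if (/^git(\+[a-z]+)?:/i.test(resolved)) return true; // git://, git+ssh://, git+https://
  const host = hostnameOf(resolved);
  if (host === null) return false;
  for (const re of GIT_HOSTS) if (re.test(host)) return true;
  return false;
}

// A full 40-hex commit id as a path segment or #fragment means the install is pinned to one
// commit; a branch, tag or range is a floating ref whose content can change underneath you.
function hasCommitShaPinning(resolved: string): boolean {
  return /[\/#][0-9a-f]{40}(?:[\/?#.]|$)/i.test(resolved);
}

function classify(entry: LockEntry): Verdict {
  if (isGitSource(entry.resolved)) {
    return hasCommitShaPinning(entry.resolved) ? 'maliciousGitSourcePinned' : 'maliciousGitSource';
  }
  const host = hostnameOf(entry.resolved);
  if (host === NPM_REGISTRY) return 'malicious'; // public registry: the advisory names this exact artifact
  return 'maliciousUnverifiable';                 // private registry or unparsable URL: cannot confirm either way
}

// Terminal line for the two git verdicts, carrying the resolved URL so a reviewer can check the org.
function gitSourceLine(entry: LockEntry): string {
  const kind = hasCommitShaPinning(entry.resolved) ? 'SHA-pinned' : 'floating ref';
  return `⚠ Git source (${kind}): verify repository and org are trusted. Source: ${entry.resolved}`;
}

// Constructed lockfile entries (not real packages or advisories).
const SAMPLE: LockEntry[] = [
  { name: 'internal-ui', version: '1.4.0', resolved: 'https://codeload.github.com/example-org/internal-ui/tar.gz/0123456789abcdef0123456789abcdef01234567' },
  { name: 'internal-tools', version: '2.0.1', resolved: 'git+ssh://git@github.com/example-org/internal-tools.git#main' },
  { name: 'some-lib', version: '9.2.3', resolved: 'https://registry.npmjs.org/some-lib/-/some-lib-9.2.3.tgz' },
  { name: 'corp-lib', version: '0.3.0', resolved: 'https://npm.corp.example/corp-lib/-/corp-lib-0.3.0.tgz' },
];

for (const e of SAMPLE) console.log(`${classify(e).padEnd(26)} ${e.name}@${e.version}`);
```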


Development

Successfully merging this pull request may close these issues.

feat: smarter classification and messaging for git/URL/tarball dependencies with MAL- advisories
