general repo maintenance

Author: alii

.github/workflows/test.yml

@@ -0,0 +1,26 @@
+name: Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Run tests
+        run: bun test

README.md

@@ -38,8 +38,11 @@ If your `scan` function throws an error, it will be gracefully handled by Bun, b
 
 ### Validation
 
-The template implements simple validation for the sake of keeping the template
-simple. Consider using a schema validation library like Zod for production:
+If you fetch a threat feed over the network, perhaps from your own API, consider
+using a schema validation library like Zod for production. This code needs to be
+defensive in all cases, so we should fail if we receive an invalid thread feed,
+rather than continuining and potentially returning an empty array of advisories.
+It's better to fail fast here.
 
 ```typescript
 import { z } from 'zod';
@@ -53,6 +56,22 @@ const ThreatFeedItemSchema = z.object({
 });
 ```
 
+### Useful Bun APIs
+
+Bun provides several built-in APIs that are particularly useful for security providers:
+
+- **`Bun.semver.satisfies()`**: Essential for checking if package versions match vulnerability ranges. No external dependencies needed.
+
+  ```typescript
+  if (Bun.semver.satisfies(version, '>=1.0.0 <1.2.5')) {
+  	// Version is vulnerable
+  }
+  ```
+
+- **`Bun.hash()`**: Fast hashing for package integrity checks
+- **`Bun.file()`**: Efficient file I/O for reading local threat databases
+- **`Bun.spawn()`**: Run external security scanners if needed
+
 ## Testing
 
 This template comes with a test file already setup. It tests for a known

provider.test.ts

@@ -1,31 +1,37 @@
 import { expect, test } from 'bun:test';
-import { provider } from './src';
+import { provider } from './src/index.ts';
 
-const mockInstallInfo: Bun.Security.Package[] = [
-	{
-		name: 'bun',
-		version: '1.3.0',
-		requestedRange: '1.3.0',
-		tarball: 'https://registry.npmjs.org/bun/-/bun-1.3.0.tgz',
-	},
-	{
-		name: 'event-stream',
-		version: '3.3.6', // This was a known incident in 2018 - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
-		requestedRange: '3.3.6',
-		tarball: 'https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz',
-	},
-];
+/////////////////////////////////////////////////////////////////////////////////////
+//  This test file is mostly just here to get you up and running quickly. It's
+//  likely you'd want to improve or remove this, and add more coverage for your
+//  own code.
+/////////////////////////////////////////////////////////////////////////////////////
 
 test('Provider should warn about known malicious packages', async () => {
-	const advisories = await provider.scan({ packages: mockInstallInfo });
+	const advisories = await provider.scan({
+		packages: [
+			{
+				name: 'event-stream',
+				version: '3.3.6', // This was a known incident in 2018 - https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
+				requestedRange: '^3.3.0',
+				tarball: 'https://registry.npmjs.org/event-stream/-/event-stream-3.3.6.tgz',
+			},
+		],
+	});
 
 	expect(advisories.length).toBeGreaterThan(0);
 	const advisory = advisories[0]!;
+	expect(advisory).toBeDefined();
 
 	expect(advisory).toMatchObject({
-		level: 'warn',
+		level: 'fatal',
 		package: 'event-stream',
 		url: expect.any(String),
 		description: expect.any(String),
 	});
 });
+
+test('There should be no advisories if no packages are being installed', async () => {
+	const advisories = await provider.scan({ packages: [] });
+	expect(advisories.length).toBe(0);
+});

src/index.ts

@@ -1,35 +1,56 @@
+// This is just an example interface of mock data. You can change this to the
+// type of your actual threat feed (or ideally use a good schema validation
+// library to infer your types from).
+interface ThreatFeedItem {
+	package: string;
+	range: string;
+	url: string | null;
+	description: string | null;
+	categories: Array<'protestware' | 'adware' | 'backdoor' | 'malware' | 'botnet'>;
+}
+
+async function fetchThreatFeed(packages: Bun.Security.Package[]): Promise<ThreatFeedItem[]> {
+	// In a real provider you would probably replace this mock data with a
+	// fetch() to your threat feed, validating it with Zod or a similar library.
+
+	const myPretendThreatFeed: ThreatFeedItem[] = [
+		{
+			package: 'event-stream',
+			range: '>=3.3.6', // You can use Bun.semver.satisfies to match this
+			url: 'https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident',
+			description: 'event-stream is a malicious package',
+			categories: ['malware'],
+		},
+	];
+
+	return myPretendThreatFeed.filter(item => {
+		return packages.some(
+			p => p.name === item.package && Bun.semver.satisfies(p.version, item.range)
+		);
+	});
+}
+
 export const provider: Bun.Security.Provider = {
 	version: '1',
 	async scan({ packages }) {
-		const response = await fetch('https://api.example.com/scan', {
-			method: 'POST',
-			body: JSON.stringify({
-				packages: packages.map(p => ({
-					name: p.name,
-					version: p.version,
-				})),
-			}),
-			headers: {
-				'Content-Type': 'application/json',
-			},
-		});
-
-		const json = await response.json();
-		validateThreatFeed(json);
+		const feed = await fetchThreatFeed(packages);
 
 		// Iterate over reported threats and return an array of advisories. This
 		// could be longer, shorter or equal length of the input packages array.
 		// Whatever you return will be shown to the user.
 
 		const results: Bun.Security.Advisory[] = [];
 
-		for (const item of json) {
+		for (const item of feed) {
 			// Advisory levels control installation behavior:
 			// - All advisories are always shown to the user regardless of level
 			// - Fatal: Installation stops immediately (e.g., backdoors, botnets)
 			// - Warning: User prompted in TTY, auto-cancelled in non-TTY (e.g., protestware, adware)
 
-			const isFatal = item.categories.includes('backdoor') || item.categories.includes('botnet');
+			const isFatal =
+				item.categories.includes('malware') ||
+				item.categories.includes('backdoor') ||
+				item.categories.includes('botnet');
 
 			const isWarning =
 				item.categories.includes('protestware') || item.categories.includes('adware');
@@ -50,43 +71,3 @@ export const provider: Bun.Security.Provider = {
 		return results;
 	},
 };
-
-type ThreatFeedItemCategory =
-	| 'protestware'
-	| 'adware'
-	| 'backdoor'
-	| 'botnet'; /* ...maybe you have some others */
-
-interface ThreatFeedItem {
-	package: string;
-	version: string;
-	url: string | null;
-	description: string | null;
-	categories: Array<ThreatFeedItemCategory>;
-}
-
-// You should really use a schema validation library like Zod here to validate
-// the feed. This code needs to be defensive rather than fast, so it's sensible
-// to check just to be sure.
-function validateThreatFeed(json: unknown): asserts json is ThreatFeedItem[] {
-	if (!Array.isArray(json)) {
-		throw new Error('Invalid threat feed');
-	}
-
-	for (const item of json) {
-		if (
-			typeof item !== 'object' ||
-			item === null ||
-			!('package' in item) ||
-			!('version' in item) ||
-			!('url' in item) ||
-			!('description' in item) ||
-			typeof item.package !== 'string' ||
-			typeof item.version !== 'string' ||
-			(typeof item.url !== 'string' && item.url !== null) ||
-			(typeof item.description !== 'string' && item.description !== null)
-		) {
-			throw new Error('Invalid threat feed item');
-		}
-	}
-}

temp.d.ts

@@ -30,14 +30,6 @@ declare module 'bun' {
 			 * This could be a tag like `beta` or a semver range like `>=4.0.0`
 			 */
 			requestedRange: string;
-
-			// /**
-			//  * Integrity hash provided from the registry
-			//  *
-			//  * Bun will usually verify this, but it's possible there are cases where
-			//  * it was not validated.
-			//  */
-			// integrity: string;
 		}
 
 		/**