Skip to content

Commit ed56e49

Browse files
ejntaylorclaude
andcommitted
Initial release of @patchstack/connect
JavaScript/Node.js connector that scans package-lock.json and reports installed packages to Patchstack Pulse for vulnerability monitoring. - TypeScript with dual ESM/CJS build via tsup - Zero runtime dependencies - CLI: init / scan / status - Programmatic API via scanAndReport() - 28 vitest tests covering parser, normalize, client, config - Verified live against the Pulse manifest endpoint Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
0 parents  commit ed56e49

23 files changed

Lines changed: 4113 additions & 0 deletions

.gitignore

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
node_modules
2+
dist
3+
*.log
4+
.DS_Store
5+
.env
6+
.env.local
7+
.patchstackrc.json
8+
coverage
9+
.vitest

.npmignore

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
src
2+
tests
3+
tsconfig.json
4+
tsup.config.ts
5+
.gitignore
6+
.github
7+
coverage
8+
*.tsbuildinfo

LICENSE

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
MIT License
2+
3+
Copyright (c) 2026 Patchstack
4+
5+
Permission is hereby granted, free of charge, to any person obtaining a copy
6+
of this software and associated documentation files (the "Software"), to deal
7+
in the Software without restriction, including without limitation the rights
8+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9+
copies of the Software, and to permit persons to whom the Software is
10+
furnished to do so, subject to the following conditions:
11+
12+
The above copyright notice and this permission notice shall be included in all
13+
copies or substantial portions of the Software.
14+
15+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21+
SOFTWARE.

README.md

Lines changed: 96 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,96 @@
1+
# @patchstack/connect
2+
3+
Connect a JavaScript / Node.js application to [Patchstack](https://patchstack.com) for continuous vulnerability monitoring. Scans your `package-lock.json` and reports installed packages so Patchstack can match them against its vulnerability database and notify you when something needs patching.
4+
5+
## Install prompt (for AI coding tools)
6+
7+
Copy and paste this prompt into any AI coding assistant (Cursor, v0, Bolt, Lovable, Claude Code, etc.):
8+
9+
> Add `@patchstack/connect` to this project as a dev dependency. Run `npx @patchstack/connect init <SITE_UUID>` once to save the site UUID, then add `"prebuild": "patchstack-connect scan"` to `package.json` `scripts` so dependencies are reported to Patchstack on every build. Replace `<SITE_UUID>` with the UUID from the Patchstack dashboard.
10+
11+
## Quick start
12+
13+
```bash
14+
npm install --save-dev @patchstack/connect
15+
npx @patchstack/connect init <your-site-uuid>
16+
npx @patchstack/connect scan
17+
```
18+
19+
Get your site UUID from the Patchstack dashboard: create a new site with type **Application**, then copy the UUID shown on the site's settings page.
20+
21+
## CLI
22+
23+
```
24+
patchstack-connect init <site-uuid> Save the site UUID to .patchstackrc.json
25+
patchstack-connect scan [--dry-run] Scan the lockfile and POST to Patchstack
26+
patchstack-connect status Show current configuration
27+
patchstack-connect help Print help
28+
```
29+
30+
## Configuration
31+
32+
Precedence (highest wins):
33+
34+
1. CLI flag
35+
2. Environment variable
36+
3. `.patchstackrc.json` in the current directory
37+
38+
Environment variables:
39+
40+
- `PATCHSTACK_SITE_UUID` — the site UUID from your Patchstack dashboard
41+
- `PATCHSTACK_ENDPOINT` — override the API endpoint (default `https://app.patchstack.com/monitor/pulse/manifest`)
42+
43+
`.patchstackrc.json` example:
44+
45+
```json
46+
{
47+
"siteUuid": "550e8400-e29b-41d4-a716-446655440000"
48+
}
49+
```
50+
51+
The site UUID is the only credential. Possession of it grants the right to submit manifests for that site, so treat it like an API token: keep it out of public repos, and prefer the environment variable in CI.
52+
53+
## Programmatic API
54+
55+
```ts
56+
import { scanAndReport } from '@patchstack/connect';
57+
58+
const result = await scanAndReport();
59+
console.log(result.response.stored ? 'Reported' : 'Unchanged');
60+
```
61+
62+
Lower-level pieces are also exported: `scanLockfile`, `buildWirePayload`, `postManifest`, `resolveConfig`.
63+
64+
## What gets sent
65+
66+
```json
67+
{
68+
"ecosystem": "npm",
69+
"packages": [
70+
{ "name": "axios", "version": "1.6.0" },
71+
{ "name": "lodash", "version": "4.17.15" },
72+
{ "name": "lodash", "version": "4.17.21" }
73+
]
74+
}
75+
```
76+
77+
That's the entire payload. No source code, no environment variables, no file paths — just the package names and versions from your lockfile. Duplicate names with different versions are preserved so transitive vulnerabilities aren't missed.
78+
79+
## Supported lockfiles
80+
81+
-`package-lock.json` (npm v6 / v2 / v3)
82+
-`yarn.lock` — coming soon
83+
-`pnpm-lock.yaml` — coming soon
84+
85+
## Development
86+
87+
```bash
88+
npm install
89+
npm run typecheck
90+
npm test
91+
npm run build
92+
```
93+
94+
## License
95+
96+
MIT

0 commit comments

Comments
 (0)