feat: flag git: and https: dependencies as security concern

[ndpvt-web]

Summary

Adds detection and visual flagging for dependencies that use git:, https:, or git+https: URLs instead of npm registry versions.

These URL-based dependencies bypass npm registry integrity checks and can be manipulated, as noted in the linked discussion. This implementation helps users identify potential security concerns in their dependency trees.

Changes

• Added isUrlDependency() utility function in server/utils/dependency-analysis.ts to detect URL-based dependencies
• Added scanUrlDependencies() function to scan dependency tree for URL-based deps
• Updated shared/types/dependency-analysis.ts with TypeScript types for URL dependency tracking
• Modified server/utils/dependency-resolver.ts to include URL dependency scanning in analysis
• Enhanced app/components/Package/Dependencies.vue to display warning icons next to URL-based dependencies with tooltips explaining the security concern

Testing

The implementation follows existing patterns in the codebase and integrates seamlessly with the current dependency analysis system.

Closes #1084

AI Disclosure

This PR was authored with the assistance of an AI coding assistant (Claude by Anthropic). All changes have been reviewed for correctness and follow the project's existing patterns and conventions.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
npmx.dev	Ready	Preview, Comment	Mar 10, 2026 9:11am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs.npmx.dev	Ignored	Preview	Mar 10, 2026 9:11am
npmx-lunaria	Ignored		Mar 10, 2026 9:11am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9ee4d8f8-2f15-4c75-a823-c6acd35562c1

📥 Commits

Reviewing files that changed from the base of the PR and between b10c55f and 5d5cecc.

📒 Files selected for processing (1)

• server/utils/dependency-analysis.ts

---

📝 Walkthrough

Walkthrough

Adds URL-based dependency detection and reporting. A new UrlDependencyInfo type (name, url, depth, path) is introduced. analyzeDependencyTree now scans for git:/https: dependencies, aggregates urlDependencies: UrlDependencyInfo[], and uses a v3 cache key. The Vue component exposes a computed urlDepMap and getUrlDepInfo, prefers URL data for tooltips, applies an orange class for URL dependencies, and renders a TooltipApp block with an ARIA-labelled alert button for URL entries. Existing vulnerability and deprecation indicators are unchanged.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	The pull request description clearly relates to the changeset, explaining the addition of URL dependency detection and visual flagging features across multiple files.
Linked Issues check	✅ Passed	The PR successfully implements all coding requirements from issue #1084: detects URL-based dependencies (git:, https:, git+https:, git+ssh:, http, file patterns), includes transitive dependencies at any depth, and surfaces them via UI flags and tooltips.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to implementing URL dependency detection and visual flagging as specified in issue #1084, with no extraneous modifications identified.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

server/utils/dependency-resolver.ts (1)

109-110: Field declared but not populated in this file.

The url field is added to the interface, but the resolveDependencyTree function doesn't populate it. Looking at resolveVersion (lines 82-92), URL-based dependencies return null and are excluded from resolution. The actual URL dependency detection happens in dependency-analysis.ts via scanUrlDependencies.

Consider whether this field should be:

1. Removed if URL dependencies are handled entirely separately (current approach via scanUrlDependencies)
2. Populated here if you want the resolver to track URLs for dependencies it encounters

The current implementation works because scanUrlDependencies reads URLs directly from the packument. However, this orphaned field could cause confusion for future maintainers.

server/utils/dependency-analysis.ts (1)

259-264: Consider aligning URL detection with resolveVersion patterns.

The isUrlDependency function checks for git:, https:, and git+https: prefixes. However, resolveVersion in dependency-resolver.ts (lines 82-92) handles additional patterns that bypass registry resolution:

• http://
• git+http:
• git+ssh:
• file:

Depending on the security concerns you want to surface, you may want to align these checks:

♻️ Suggested expansion

 function isUrlDependency(url: string): boolean {
-  return url.startsWith('git:') || url.startsWith('https:') || url.startsWith('git+https:')
+  return (
+    url.startsWith('git:') ||
+    url.startsWith('git+') ||
+    url.startsWith('http:') ||
+    url.startsWith('https:') ||
+    url.startsWith('file:')
+  )
 }

app/components/Package/Dependencies.vue (1)

176-188: Consider caching getUrlDepInfo result to avoid repeated lookups.

getUrlDepInfo(dep) is called 3 times for the same dependency in this template block (lines 177, 179, 184). Each call iterates through the urlDependencies array.

While the impact is minimal for small dependency lists, consider storing the result in a local variable pattern similar to how getVulnerableDepInfo and getDeprecatedDepInfo are used:

♻️ Suggested improvement using a computed map

// Create a lookup map for URL dependencies
const urlDepMap = computed(() => {
  if (!vulnTree.value) return new Map<string, UrlDependencyInfo>()
  return new Map(vulnTree.value.urlDependencies.map(p => [p.name, p]))
})

function getUrlDepInfo(depName: string) {
  return urlDepMap.value.get(depName) ?? null
}

Alternatively, Vue's template compiler may optimise repeated calls with the same arguments, so this is a minor suggestion.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c6a59a39-1d5a-4a50-ab07-7a986c298ad8

📥 Commits

Reviewing files that changed from the base of the PR and between 11842b4 and 761e38e.

📒 Files selected for processing (4)

• app/components/Package/Dependencies.vue
• server/utils/dependency-analysis.ts
• server/utils/dependency-resolver.ts
• shared/types/dependency-analysis.ts

[ndpvt-web]

Thanks for the thorough review! I've addressed all feedback:

1. Transitive URL dep scanning - Now iterates over all resolved packages instead of just root, covering dependencies at any depth as required by flag git: and https: dependencies #1084.
2. Aligned URL patterns - isUrlDependency now matches all patterns handled by resolveVersion (git+http, git+ssh, http, file).
3. Cached URL dep lookups - Added computed map in Dependencies.vue to avoid repeated array scans.
4. Removed orphaned field - Cleaned up unused url field from ResolvedPackage interface.

Updated in the latest commit.

[coderabbitai]

🧹 Nitpick comments (2)

server/utils/dependency-analysis.ts (2)

287-293: Consider excluding devDependencies from transitive package scans.

Including devDependencies when scanning transitive packages may flag URL dependencies that are never actually installed for end users (since devDependencies of dependencies are not resolved into the tree). This could cause misleading warnings.

For the root package, devDependencies are relevant, but for transitive packages they typically aren't installed.

💡 Suggested approach

 async function scanUrlDependencies(
   name: string,
   version: string,
   depth: DependencyDepth,
   path: string[],
 ): Promise<UrlDependencyInfo[]> {
   try {
     const packument = await fetchNpmPackage(name)
     const versionData = packument.versions[version]
     if (!versionData) return []

     const urlDeps: UrlDependencyInfo[] = []
-    const allDeps = {
-      ...versionData.dependencies,
-      ...versionData.optionalDependencies,
-      ...versionData.devDependencies,
-    }
+    // Include devDependencies only for the root package
+    const allDeps = depth === 'root'
+      ? {
+          ...versionData.dependencies,
+          ...versionData.optionalDependencies,
+          ...versionData.devDependencies,
+        }
+      : {
+          ...versionData.dependencies,
+          ...versionData.optionalDependencies,
+        }

---

345-350: Consider parallelising URL dependency scanning for consistency.

The scan currently processes packages sequentially, whereas OSV vulnerability queries use mapWithConcurrency. Since fetchNpmPackage likely caches packument data from the earlier resolveDependencyTree call, the impact is minimal, but parallel processing would be more consistent with the rest of the codebase.

♻️ Suggested refactor using mapWithConcurrency

     // Scan for git: and https: URL dependencies in all packages
-    const urlDependencies: UrlDependencyInfo[] = []
-    for (const pkg of packages) {
-      const pkgUrlDeps = await scanUrlDependencies(pkg.name, pkg.version, pkg.depth, pkg.path)
-      urlDependencies.push(...pkgUrlDeps)
-    }
+    const urlDepResults = await mapWithConcurrency(
+      packages,
+      pkg => scanUrlDependencies(pkg.name, pkg.version, pkg.depth, pkg.path),
+      OSV_DETAIL_CONCURRENCY,
+    )
+    const urlDependencies = urlDepResults.flat()

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 96a2e5db-6be6-484f-8c91-d08d43f1c012

📥 Commits

Reviewing files that changed from the base of the PR and between 761e38e and 2840313.

📒 Files selected for processing (2)

• app/components/Package/Dependencies.vue
• server/utils/dependency-analysis.ts

[ndpvt-web]

Addressed the additional feedback:

1. devDependencies scoping - Now only includes devDependencies for the root package, avoiding misleading warnings for transitive packages.
2. Parallel scanning - Replaced sequential loop with mapWithConcurrency for consistency with OSV queries.

Updated in the latest commit.

[coderabbitai]

Actionable comments posted: 2

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 09702971-64e5-4e98-a9ea-41e853e5d7da

📥 Commits

Reviewing files that changed from the base of the PR and between 2840313 and b10c55f.

📒 Files selected for processing (1)

• server/utils/dependency-analysis.ts

[ndpvt-web]

Addressed both issues:

1. Depth correction - URL dependencies now correctly record their child depth (root deps -> direct, direct deps -> transitive) instead of using the parent package's depth.
2. Error handling - Removed silent error swallowing; scan failures now propagate consistently with OSV error handling patterns.

Updated in the latest commit.