add support for publishing vet to npm

Author: Sahilb315

.github/workflows/publish-npm.yml

@@ -0,0 +1,98 @@
+name: Publish NPM Package
+
+on:
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+
+jobs:
+  publish-npm:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "18"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Extract version from tag
+        id: version
+        run: |
+          echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+
+      - name: Wait for GitHub release
+        run: |
+          echo "Waiting for GitHub release v${{ steps.version.outputs.version }}..."
+          i=1
+          while [ $i -le 30 ]; do
+            if curl -s -f "https://api.github.com/repos/safedep/vet/releases/tags/v${{ steps.version.outputs.version }}" > /dev/null; then
+              echo "Release found!"
+              break
+            fi
+            if [ $i -eq 30 ]; then
+              echo "Release not found after 10 minutes"
+              exit 1
+            fi
+            echo "Waiting... ($i/30)"
+            sleep 20
+            i=$((i + 1))
+          done
+
+      - name: Prepare package
+        run: |
+          cd publish/npm
+          npm version ${{ steps.version.outputs.version }} --no-git-tag-version
+
+      - name: Publish to npm
+        run: |
+          cd publish/npm
+          npm publish --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  test-installation:
+    needs: publish-npm
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        node-version: ["16", "18", "20"]
+
+    steps:
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+
+      - name: Extract version from tag
+        id: version
+        run: echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+
+      - name: Wait for npm package
+        shell: bash
+        run: |
+          echo "Waiting for npm package..."
+          i=1
+          while [ $i -le 20 ]; do
+            if npm view @safedep/vet@${{ steps.version.outputs.version }} > /dev/null 2>&1; then
+              echo "Package available!"
+              break
+            fi
+            if [ $i -eq 20 ]; then
+              echo "Package not available after 10 minutes"
+              exit 1
+            fi
+            echo "Waiting... ($i/20)"
+            sleep 30
+            i=$((i + 1))
+          done
+
+      - name: Test installation
+        run: |
+          npm install -g @safedep/vet@${{ steps.version.outputs.version }}
+          vet version
+          vet --help || true

publish/npm/.npmignore

@@ -0,0 +1,17 @@
+# Exclude the actual binary (but keep the wrapper script)
+bin/vet
+bin/vet.exe
+
+# Exclude temp files and directories
+temp/
+.temp/
+
+# Exclude development files
+node_modules/
+.git/
+.gitignore
+*.log
+.DS_Store
+
+# Keep only the wrapper script in bin/
+!bin/vet.js

publish/npm/README.md

@@ -0,0 +1,95 @@
+# 🔍 vet
+
+Enterprise-grade open source software supply chain security in one CLI.
+
+This package delivers the `vet` binary via npm for teams that prefer Node.js tooling for install & upgrades.
+Full project: https://github.com/safedep/vet • Docs: https://docs.safedep.io/
+
+## ✨ What It Does
+
+- Detects vulnerabilities (context & usage aware)
+- Flags malicious / typosquatted packages (active + reputation)
+- Enforces “Policy as Code” (licenses, popularity, scorecards) with CEL filters
+- Works across ecosystems: npm, PyPI, Maven, Go, containers, SBOMs
+- Outputs actionable reports: JSON, SARIF, Markdown, CycloneDX SBOM
+
+## 📦 Install
+
+```bash
+npm install -g @safedep/vet
+```
+
+Check:
+```bash
+vet version
+```
+
+(Alternative installs: brew, direct binary, see upstream README.)
+
+## ⚡ Quick Start
+
+```bash
+# Scan current project (auto-detect lock/manifests)
+vet scan -D .
+
+# Scan a specific manifest
+vet scan -M package-lock.json
+```
+
+## 🛡 Basic Policies
+
+```bash
+# Fail on critical vulns
+vet scan -D . --filter 'vulns.critical.exists(p, true)' --filter-fail
+
+# License guard (example)
+vet scan -D . --filter 'licenses.contains_license("GPL-3.0")' --filter-fail
+
+# Scorecard maintenance threshold
+vet scan -D . --filter 'scorecard.scores.Maintained < 5' --filter-fail
+```
+
+## 🔬 Malware Detection
+
+```bash
+# Setup (get API key)
+vet cloud quickstart
+
+# Active malicious package analysis
+vet scan -D . --malware
+
+# Known-malicious lookup only (no key)
+vet scan -D . --malware-query
+```
+
+## 📊 Reports
+
+```bash
+vet scan -D . \
+  --report-json=report.json \
+  --report-sarif=report.sarif \
+  --report-markdown=report.md
+```
+
+Generate SBOM:
+```bash
+vet scan -D . --report-cdx=sbom.json
+```
+
+## 🧪 Re-query Saved Data
+
+```bash
+vet scan -D . --json-dump-dir ./.vet-scan
+vet query --from ./.vet-scan --filter 'vulns.high.exists(p, true)'
+```
+
+## 🤖 Integrations
+
+GitHub Action: safedep/vet-action
+
+GitLab Component: safedep/ci-components/vet
+
+Container: ghcr.io/safedep/vet:latest
+
+---
+For complete documentation, advanced usage, troubleshooting, and more information, please visit: github.com/safedep/vet

publish/npm/bin/vet.js

@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+
+const fs = require("fs");
+const path = require("path");
+const { spawn } = require("child_process");
+const { ORG_NAME, PACKAGE_NAME, BINARY_NAME } = require("../config");
+
+const BINARY_NAME_WITH_EXT =
+  process.platform === "win32" ? `${BINARY_NAME}.exe` : BINARY_NAME;
+const BINARY_PATH = path.join(__dirname, BINARY_NAME_WITH_EXT);
+
+function main() {
+  // Check if binary exists
+  if (!fs.existsSync(BINARY_PATH)) {
+    console.error(`❌ ${BINARY_NAME_WITH_EXT} binary not found`);
+    console.error(
+      `Try reinstalling: npm install -g ${ORG_NAME}/${PACKAGE_NAME}`,
+    );
+    process.exit(1);
+  }
+
+  // Verify binary is executable
+  try {
+    fs.accessSync(BINARY_PATH, fs.constants.F_OK | fs.constants.X_OK);
+  } catch (error) {
+    console.error(`❌ ${BINARY_NAME_WITH_EXT} is not executable`);
+    console.error(
+      `Try reinstalling: npm install -g ${ORG_NAME}/${PACKAGE_NAME}`,
+    );
+    process.exit(1);
+  }
+
+  // Pass all arguments to the binary
+  const args = process.argv.slice(2);
+
+  // Spawn the binary with inherited stdio for proper terminal interaction
+  const child = spawn(BINARY_PATH, args, {
+    stdio: "inherit",
+    windowsHide: false,
+  });
+
+  // Handle process termination
+  child.on("error", (error) => {
+    console.error(
+      `❌ Failed to execute ${BINARY_NAME_WITH_EXT}: ${error.message}`,
+    );
+    console.error(
+      `Try reinstalling: npm install -g ${ORG_NAME}/${PACKAGE_NAME}`,
+    );
+    process.exit(1);
+  });
+
+  // Exit with the same code as the child process
+  child.on("exit", (code, signal) => {
+    if (signal) {
+      process.kill(process.pid, signal);
+    } else {
+      process.exit(code || 0);
+    }
+  });
+
+  // Handle termination signals
+  process.on("SIGTERM", () => {
+    child.kill("SIGTERM");
+  });
+
+  process.on("SIGINT", () => {
+    child.kill("SIGINT");
+  });
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = { main };

publish/npm/config.js

@@ -0,0 +1,30 @@
+// Configuration for npm binary wrapper
+
+const ORG_NAME = "@safedep";
+const PACKAGE_NAME = "vet";
+const BINARY_NAME = "vet";
+
+// GitHub repository information for releases
+const REPO_OWNER = "safedep";
+const REPO_NAME = "vet";
+
+// GitHub releases base URL (constructed from repo info)
+const GITHUB_RELEASES_BASE = `https://github.com/${REPO_OWNER}/${REPO_NAME}/releases/download`;
+
+// Platform-specific binary filename patterns (GoReleaser format)
+const BINARY_PATTERNS = {
+  "darwin-x64": `${BINARY_NAME}_Darwin_x86_64.tar.gz`,
+  "darwin-arm64": `${BINARY_NAME}_Darwin_arm64.tar.gz`,
+  "linux-x64": `${BINARY_NAME}_Linux_x86_64.tar.gz`,
+  "win32-x64": `${BINARY_NAME}_Windows_x86_64.zip`,
+};
+
+module.exports = {
+  ORG_NAME,
+  PACKAGE_NAME,
+  BINARY_NAME,
+  REPO_OWNER,
+  REPO_NAME,
+  GITHUB_RELEASES_BASE,
+  BINARY_PATTERNS,
+};