archy/scripts/audit-deps.sh
Dorian e3aa95a103 fix: prevent tokio runtime deadlock in credential issue/verify
The credential issuance and verification handlers used
Handle::block_on() directly inside the tokio runtime, causing a
deadlock. Wrapped with block_in_place() to properly yield the
runtime thread.

Also completed full feature verification across all 25 test groups
(~175 checks) on live server.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 07:43:12 +00:00


#!/bin/bash
set -euo pipefail
# SEC-203: Dependency audit — run npm audit and cargo audit.
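# Absolute path of the repository root (the parent of the scripts/ directory),
# derived from this script's own location so the audit can be launched from
# any working directory. `--` stops dirname/cd from reading a path that
# happens to start with "-" as an option.
REPO_ROOT=$(cd -- "$(dirname -- "$0")/.." && pwd)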
log() { echo -e "\033[1;34m[AUDIT]\033[0m $*"; }
main() {
log "=== Dependency Audit ==="
echo ""
# Frontend — npm audit
log "Running npm audit..."
cd "$REPO_ROOT/neode-ui"
npm audit --omit=dev 2>&1 | tail -20 || true
echo ""
# Backend — cargo audit (if installed)
log "Checking for cargo-audit..."
if command -v cargo-audit &>/dev/null; then
log "Running cargo audit..."
cd "$REPO_ROOT/core"
cargo audit 2>&1 | tail -20 || true
else
log "cargo-audit not installed locally — run on build server:"
log " cargo install cargo-audit && cd core && cargo audit"
fi
echo ""
# Check for pinned versions in Cargo.toml
log "Checking Cargo.toml version pinning..."
local unpinned
unpinned=$(grep -E '^[a-z].*= "[^=><~]' "$REPO_ROOT/core/archipelago/Cargo.toml" 2>/dev/null | grep -v '= "' || echo "")
if [ -z "$unpinned" ]; then
log " All Cargo dependencies appear pinned"
else
log " WARNING: Some deps may not be pinned:"
echo "$unpinned" | head -5 | sed 's/^/ /'
fi
# Check for pinned versions in package.json
log "Checking package.json version pinning..."
local npm_unpinned
npm_unpinned=$(grep -E '"[^"]+": "\^|~' "$REPO_ROOT/neode-ui/package.json" | head -10 || echo "")
if [ -n "$npm_unpinned" ]; then
log " NOTE: Some npm deps use ^ or ~ (normal for npm):"
echo "$npm_unpinned" | head -5 | sed 's/^/ /'
fi
echo ""
log "=== Audit Complete ==="
}
main "$@"