{"id":50057631,"url":"https://github.com/patchstack/connect","last_synced_at":"2026-05-21T15:01:35.215Z","repository":{"id":357365863,"uuid":"1236586829","full_name":"patchstack/connect","owner":"patchstack","description":"Patchstack connector for JavaScript applications. Scans your lockfile and reports installed packages to Patchstack for vulnerability monitoring.","archived":false,"fork":false,"pushed_at":"2026-05-12T13:50:52.000Z","size":65,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-12T14:14:38.994Z","etag":null,"topics":["cve","dependency-scanning","nodejs","npm","patchstack","sca","security","typescript","vulnerability"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/patchstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-12T11:40:35.000Z","updated_at":"2026-05-12T12:24:03.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/patchstack/connect","commit_stats":null,"previous_names":["patchstack/connect"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/patchstack/connect","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patchstack%2Fconnect","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patchstack%2Fconnect/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patchstack%2Fconnect/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patchstack%2Fconnect/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/patchstack","download_url":"https://codeload.github.com/patchstack/connect/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/patchstack%2Fconnect/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33305277,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-21T12:23:38.849Z","status":"ssl_error","status_checked_at":"2026-05-21T12:22:11.673Z","response_time":62,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve","dependency-scanning","nodejs","npm","patchstack","sca","security","typescript","vulnerability"],"created_at":"2026-05-21T15:01:19.663Z","updated_at":"2026-05-21T15:01:35.198Z","avatar_url":"https://github.com/patchstack.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# @patchstack/connect\n\nConnect a JavaScript / Node.js application to [Patchstack](https://patchstack.com) for continuous vulnerability monitoring. Scans your `package-lock.json` and reports installed packages so Patchstack can match them against its vulnerability database and notify you when something needs patching.\n\nFor how this repo fits with the wider Patchstack ecosystem (`saas`, `hub`, `patchstack-website`, `patchstack-connect`), see [`patchstack/saas` → `docs/ecosystem.md`](https://github.com/patchstack/saas/blob/main/docs/ecosystem.md).\n\n## Install prompt (for AI coding tools)\n\nCopy and paste this prompt into any AI coding assistant (Cursor, v0, Bolt, Lovable, Claude Code, etc.):\n\n\u003e Add `@patchstack/connect` to this project as a dev dependency, then add `\"prebuild\": \"patchstack-connect scan\"` to `package.json` `scripts`. The first time the script runs, Patchstack provisions a site automatically from the lockfile and saves the new site UUID to `.patchstackrc.json` — no dashboard signup or manual UUID required. Commit `.patchstackrc.json` so every developer / CI run targets the same site.\n\n## Quick start (zero configuration)\n\n```bash\nnpm install --save-dev @patchstack/connect\nnpx @patchstack/connect scan\n```\n\nThat's it. The first `scan`:\n\n1. Reads your `package-lock.json`.\n2. POSTs the package list to Patchstack with **no** UUID.\n3. Patchstack provisions a fresh site and returns its UUID.\n4. The connector writes the UUID to `.patchstackrc.json` so the next `scan` targets the same site.\n5. The connector prints a claim URL — open it in a browser to attach the new site to your Patchstack account. You can re-display it any time with `npx @patchstack/connect status`.\n\nThen wire it into builds:\n\n```jsonc\n// package.json\n{\n  \"scripts\": {\n    \"prebuild\": \"patchstack-connect scan\"\n  }\n}\n```\n\n## Quick start (existing site)\n\nIf you already created an \"Application\" site in the Patchstack dashboard, pre-seed the UUID:\n\n```bash\nnpm install --save-dev @patchstack/connect\nnpx @patchstack/connect init \u003cyour-site-uuid\u003e\nnpx @patchstack/connect scan\n```\n\n## CLI\n\n```\npatchstack-connect scan   [options]                Scan the lockfile and POST to Patchstack.\n                                                   If no UUID is configured the server provisions\n                                                   one and the connector persists it.\npatchstack-connect init   \u003csite-uuid\u003e              Optional: pre-seed .patchstackrc.json with\n                                                   an existing site UUID\npatchstack-connect status [options]                Show current configuration\npatchstack-connect help                            Print help\n\nOptions (for scan and status):\n  --site-uuid \u003cuuid\u003e      Override the configured site UUID\n  --endpoint \u003curl\u003e        Override the API endpoint\n  --dry-run               (scan only) Print the payload without posting\n```\n\n## Configuration\n\nPrecedence (highest wins):\n\n1. CLI flag (`--site-uuid`, `--endpoint`)\n2. Environment variable\n3. `.patchstackrc.json` in the current directory\n\nEnvironment variables:\n\n- `PATCHSTACK_SITE_UUID` — the site UUID from your Patchstack dashboard\n- `PATCHSTACK_ENDPOINT` — override the API endpoint (default `https://api.patchstack.com/monitor/pulse/manifest`)\n- `PATCHSTACK_TIMEOUT_MS` — request timeout in milliseconds (default `30000`)\n\n`.patchstackrc.json` example:\n\n```json\n{\n  \"siteUuid\": \"550e8400-e29b-41d4-a716-446655440000\"\n}\n```\n\nThe site UUID is the only credential. Possession of it grants the right to submit manifests for that site, so treat it like an API token: keep it out of public repos, and prefer the environment variable in CI.\n\n## Programmatic API\n\n```ts\nimport { scanAndReport } from '@patchstack/connect';\n\nconst result = await scanAndReport();\nconsole.log(result.response.stored ? 'Reported' : 'Unchanged');\n```\n\nLower-level pieces are also exported: `scanLockfile`, `buildWirePayload`, `postManifest`, `resolveConfig`.\n\n## What gets sent\n\n```json\n{\n  \"ecosystem\": \"npm\",\n  \"packages\": [\n    { \"name\": \"axios\",  \"version\": \"1.6.0\" },\n    { \"name\": \"lodash\", \"version\": \"4.17.15\" },\n    { \"name\": \"lodash\", \"version\": \"4.17.21\" }\n  ]\n}\n```\n\nThat's the entire payload. No source code, no environment variables, no file paths — just the package names and versions from your lockfile. Duplicate names with different versions are preserved so transitive vulnerabilities aren't missed.\n\n## Supported lockfiles\n\n- ✅ `package-lock.json` (npm v6 / v2 / v3) — parsed directly\n- ✅ `pnpm-lock.yaml` (pnpm v5 / v6 / v7 / v8 / v9) — parsed directly\n- ✅ `yarn.lock` (yarn classic v1 and yarn berry v2+) — parsed directly\n- ✅ `bun.lockb` (binary) — package list resolved by walking `node_modules/`\n- ✅ `bun.lock` (text) — same fallback; direct parsing coming\n\nIf both a Bun lockfile and `node_modules/` are present, the connector walks `node_modules/` to enumerate the installed packages. Run `bun install` (or `npm install`) before scanning so the directory is populated.\n\n## Development\n\n```bash\nnpm install\nnpm run typecheck\nnpm test\nnpm run build\n```\n\n## Release process\n\nPull requests run typecheck, tests, build, package verification, and a production dependency audit in GitHub Actions.\n\nPublishing runs when a GitHub Release is published. The release tag must match the package version in `package.json` with a leading `v`. For example, `package.json` version `0.2.0` must be released with tag `v0.2.0`; otherwise the workflow fails before publishing.\n\nTo publish a release:\n\n1. Bump the package version, for example `npm version 0.2.0 --no-git-tag-version`.\n2. Commit `package.json` and `package-lock.json`.\n3. Merge the version bump to `main`.\n4. Create and publish a GitHub Release tagged `v0.2.0`.\n5. The `Publish` workflow verifies the package, then runs `npm publish --provenance --access public`.\n\nBefore the first release, configure npm trusted publishing for this package:\n\n1. Merge `.github/workflows/publish.yml` to `main`.\n2. Open the `@patchstack/connect` package settings on npmjs.com.\n3. In **Trusted publishing**, choose **GitHub Actions**.\n4. Configure:\n   - Organization/user: `patchstack`\n   - Repository: `connect`\n   - Workflow filename: `publish.yml`\n   - Environment name: `npm`\n5. In GitHub repository settings, create an `npm` environment. Optional but recommended: require reviewer approval for that environment.\n\nDo not add an npm publish token to GitHub secrets for this workflow. Trusted publishing uses GitHub OIDC short-lived credentials. After the first trusted publish succeeds, npm recommends setting package publishing access to require two-factor authentication and disallow tokens.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatchstack%2Fconnect","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpatchstack%2Fconnect","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpatchstack%2Fconnect/lists"}