Adding lock scanner for vulnerabilities #42

@rully-saputra15

Description

📋 Problem Statement

Currently, fix-react2shell-next only scans package.json files for vulnerable package versions. However, this approach has limitations:

  • ❌ Doesn't detect vulnerable packages in transitive dependencies
  • ❌ Misses vulnerabilities that exist in lock files but not in package.json
  • ❌ Cannot verify the actual resolved versions in the dependency tree
  • ❌ Users may have vulnerable React 19 packages installed that aren't directly specified

💡 Proposed Solution

Add a new --scan-lockfiles (or --lockfiles) flag that scans lock files to detect vulnerable React 19 packages anywhere in the dependency tree.

Supported Lock Files

  • ✅ package-lock.json (npm v1, v2, v3)
  • ✅ yarn.lock (yarn v1)
  • ✅ pnpm-lock.yaml (pnpm v6+)
  • ✅ bun.lockb / bun.lock (bun)

React Packages to Scan

  • react
  • react-dom
  • react-server-dom-webpack
  • react-server-dom-parcel
  • react-server-dom-turbopack

🎯 Expected Behavior

New flag to enable lock file scanning

npx fix-react2shell-next --scan-lockfiles

Output example

🔒 Scanning lock files for React 19 vulnerabilities...

Found 1 lock file(s) with vulnerable React packages:

package-lock.json
react-server-dom-webpack: 19.0.0 -> 19.0.2 [CVE-2025-66478, CVE-2025-55184, CVE-2025-55183]
react-dom: 19.1.0 -> 19.1.3 [CVE-2025-55184, CVE-2025-55183]

💡 To fix lock file issues, update your package.json versions and run your package manager's install command.

🏗️ Implementation Details

New Module: lib/utils/lockfile-scanner.js

module.exports = {
  scanLockfile(dir),           // Scan directory for lock files
  analyzeLockfile(data),       // Analyze parsed lock file
  findAndScanLockfiles(dir),   // Recursively scan all lock files
  checkPackageVulnerability(), // Check package against CVEs
  REACT_PACKAGES               // List of packages to scan
};

Integration Points

  • Add --scan-lockfiles / --lockfiles CLI flag
  • Integrate with existing vulnerability checking in lib/index.js
  • Add lock file results to JSON output
  • Display results in CLI output

Lock File Parsers

Each parser will handle its specific format:

  1. npm (package-lock.json):

    • Parse v1, v2, v3 lockfile formats
    • Extract from packages and dependencies sections
  2. yarn (yarn.lock):

    • Parse yarn v1 format
    • Handle quoted/unquoted package names
    • Extract version from declarations
  3. pnpm (pnpm-lock.yaml):

    • Parse YAML format
    • Extract from packages section
    • Handle pnpm's package path format
  4. bun (bun.lockb):

    • Binary format - limited direct support
    • Fallback to package manager detection

✨ Features

  1. Multi-format Support: Parse all major lock file formats
  2. CVE Integration: Check against all 4 existing CVEs
  3. Deduplication: Handle duplicate packages intelligently
  4. Monorepo Support: Scan lock files across all packages
  5. JSON Output: Include results in --json output for CI/CD
  6. Performance: Fast scanning with single-pass parsing

📊 Benefits

✅ More Comprehensive: Detects vulnerabilities in entire dependency tree
✅ Better Coverage: Finds issues that package.json scanning misses
✅ All Package Managers: Works with npm, yarn, pnpm, bun
✅ Monorepo-Aware: Scans all lock files in monorepos
✅ CI/CD Ready: JSON output for automation
✅ Backward Compatible: Opt-in feature, no breaking changes

📝 Usage Examples

Basic lock file scanning

npx fix-react2shell-next --scan-lockfiles

With JSON output for CI/CD

npx fix-react2shell-next --scan-lockfiles --json > report.json

Combined with dry-run

npx fix-react2shell-next --scan-lockfiles --dry-run

Combined with fix

npx fix-react2shell-next --fix --scan-lockfiles

🧪 Testing Requirements

  • Unit tests for each lock file parser
  • Integration tests with CVE modules
  • Edge case handling (malformed files, empty files)
  • Deduplication tests
  • Monorepo scenarios
  • All package managers

Test Coverage Goals

// test/lockfile-scanner.test.js
describe('Lock File Scanner', () => {
  describe('scanLockfile', () => {
    it('should detect npm package-lock.json');
    it('should detect yarn.lock');
    it('should detect pnpm-lock.yaml');
    it('should return null when no lockfile exists');
  });

  describe('checkPackageVulnerability', () => {
    it('should detect vulnerable React 19.0.0');
    it('should not flag patched versions');
    it('should return patched version recommendations');
  });

  describe('analyzeLockfile', () => {
    it('should analyze lockfile and find vulnerabilities');
    it('should deduplicate packages');
    it('should include CVE IDs and severity');
  });
});

📚 Documentation Updates

  • Update README.md with new flag documentation
  • Add usage examples
  • Document lock file format support
  • Update CLI help text
  • Add section to "What it does"

README Changes

What it does

  1. Recursively scans all package.json files (handles monorepos)
  2. Scans lock files for vulnerable React packages (optional, use --scan-lockfiles)
  3. Checks for vulnerable versions of Next.js and React RSC packages
  4. Patches to the correct fixed version based on your current version
  5. Refreshes your lockfile with the detected package manager

🔄 Backward Compatibility

This is a new opt-in feature:

✅ No breaking changes
✅ All existing functionality preserved
✅ New flag is optional
✅ Existing tests continue to pass
✅ Same output format (unless using new flag)

🔗 Related

CVEs Addressed:

Related Files:

  • lib/vulnerabilities/index.js - CVE registry
  • lib/index.js - Main CLI logic
  • lib/utils/package-manager.js - Package manager detection
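The npm and yarn parsers, the `checkPackageVulnerability` check and the de-duplicating `analyzeLockfile` step sketched in the issue, written out as an added example. This is editor-supplied code, not the project's implementation and not something the issue author posted. It assumes a fixed-version table keyed by `major.minor` line that mirrors only the issue's sample output (`19.0.x -> 19.0.2`, `19.1.x -> 19.1.3`); in the real tool those ranges would come from `lib/vulnerabilities/index.js`. The helper names (`parsePackageLock`, `parseYarnLock`, `scanSamplePackageLock`) and the sample lock file are the example's own.

```javascript
// Added example, not fix-react2shell-next's own code: parse npm and yarn v1 lock
// files, collect every resolved React package (direct or transitive), de-duplicate
// and check each against a fixed-version table.

// Packages the issue lists as in scope.
const REACT_PACKAGES = new Set(['react', 'react-dom', 'react-server-dom-webpack',
  'react-server-dom-parcel', 'react-server-dom-turbopack']);

// ASSUMPTION: illustrative table keyed by major.minor line, transcribed from the
// issue's sample output only; the real tool would use lib/vulnerabilities/index.js.
const FIXED_VERSIONS = {
  'react-server-dom-webpack': { '19.0': { fixed: '19.0.2',
    cves: ['CVE-2025-66478', 'CVE-2025-55184', 'CVE-2025-55183'] } },
  'react-dom': { '19.1': { fixed: '19.1.3', cves: ['CVE-2025-55184', 'CVE-2025-55183'] } },
};

// Numeric compare of dotted versions; a prerelease tag is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// A finding when `version` is below the fixed release of its own minor line.
function checkPackageVulnerability(name, version) {
  const [major, minor] = version.split('.');
  const entry = (FIXED_VERSIONS[name] || {})[`${major}.${minor}`];
  if (!entry || compareVersions(version, entry.fixed) >= 0) return null;
  return { name, version, fixed: entry.fixed, cves: entry.cves };
}

// package-lock.json: lockfileVersion 2/3 carry a flat "packages" map keyed by install
// path; lockfileVersion 1 nests a "dependencies" tree. v2 has both, so the flat map
// is preferred to avoid counting anything twice.
function parsePackageLock(json) {
  const lock = JSON.parse(json);
  const found = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      const idx = p.lastIndexOf('node_modules/');
      const name = meta.name || (idx >= 0 ? p.slice(idx + 'node_modules/'.length) : null);
      if (name && meta.version) found.push({ name, version: meta.version }); // skips "" root, links
    }
  } else if (lock.dependencies) {
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        if (meta.version) found.push({ name, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies); // nested copies of a package
      }
    };
    walk(lock.dependencies);
  }
  return found;
}

// yarn.lock v1: an unindented `spec, spec:` line opens a block; the name is the first
// spec minus its trailing @range (a scoped name keeps its leading @).
function parseYarnLock(text) {
  const found = [];
  let current = null;
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.startsWith('#')) continue;
    if (!/^\s/.test(raw) && raw.trimEnd().endsWith(':')) {
      const spec = raw.trimEnd().slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      const at = spec.lastIndexOf('@');
      current = at > 0 ? spec.slice(0, at) : spec;
    } else if (current) {
      const m = raw.match(/^\s+version\s+"?([^"\s]+)"?/);
      if (m) { found.push({ name: current, version: m[1] }); current = null; }
    }
  }
  return found;
}

// Keep React packages only, de-duplicate on name@version, report vulnerable ones.
function analyzeLockfile(entries) {
  const seen = new Set();
  const findings = [];
  for (const { name, version } of entries) {
    const key = `${name}@${version}`;
    if (!REACT_PACKAGES.has(name) || seen.has(key)) continue;
    seen.add(key);
    const hit = checkPackageVulnerability(name, version);
    if (hit) findings.push(hit);
  }
  return findings;
}

// Constructed sample: a lockfileVersion 3 file whose top-level react-dom is patched
// but a transitive copy under some-lib is not (the case package.json scanning misses).
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: 'app', lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { next: '15.0.0' } },
    'node_modules/react-server-dom-webpack': { version: '19.0.0' },
    'node_modules/react-dom': { version: '19.1.3' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/react-dom': { version: '19.1.0' },
  },
});

// Expected: react-server-dom-webpack 19.0.0 -> 19.0.2 and react-dom 19.1.0 -> 19.1.3.
function scanSamplePackageLock() {
  return analyzeLockfile(parsePackageLock(SAMPLE_PACKAGE_LOCK));
}
```

The transitive `react-dom@19.1.0` under `some-lib` is reported even though the top-level copy is patched, which is exactly the gap the flag is meant to close; the same `analyzeLockfile` call takes the output of `parseYarnLock` unchanged.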
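The pnpm parser item says "Handle pnpm's package path format", which is the part that trips up a naive YAML walk: the key under `packages:` has changed shape across lockfile versions. The added example below (editor-supplied, not project code or anything the issue author posted) extracts name/version pairs from `pnpm-lock.yaml` with a line-oriented reader instead of a YAML library, so it has no dependency. It assumes the three key layouts pnpm has shipped: v5 `/name/version_peers`, v6 `/name@version(peers)` and v9 `name@version` (with peer variants moved to `snapshots:`); the `parsePnpmLock` name and the sample file are the example's own.

```javascript
// Added example, not fix-react2shell-next's own code: extract name/version pairs
// from pnpm-lock.yaml without a YAML library, covering the key formats pnpm has
// used under "packages:": v5 "/name/version_peers", v6 "/name@version(peers)",
// v9 "name@version". The pairs feed the same React check as the other lock files.

function parsePnpmLock(text) {
  const lines = text.split('\n');
  // lockfileVersion is written quoted ('6.0') or bare (5.4); keep the integer part.
  const verLine = lines.find((l) => l.startsWith('lockfileVersion:'));
  // ASSUMPTION: treat a file with no version line as the modern (v9) layout.
  const major = verLine ? parseInt(verLine.split(':')[1].replace(/['"\s]/g, ''), 10) : 9;
  const found = [];
  let inPackages = false;
  for (const raw of lines) {
    if (/^\S/.test(raw)) { inPackages = raw.startsWith('packages:'); continue; } // top-level key
    // Package keys sit at exactly two spaces; their attributes are indented deeper.
    if (!inPackages || !/^  \S/.test(raw) || !raw.trimEnd().endsWith(':')) continue;
    let key = raw.trim().slice(0, -1).replace(/^['"]|['"]$/g, '');
    if (key.startsWith('/')) key = key.slice(1);
    let sep, version;
    if (major >= 6) {
      key = key.replace(/\(.*$/, '');   // drop the "(react@19.0.0)" peer suffix
      sep = key.lastIndexOf('@');       // scoped names keep their leading @
      version = key.slice(sep + 1);
    } else {
      sep = key.lastIndexOf('/');       // v5: name/version, peers appended after "_"
      version = key.slice(sep + 1).split('_')[0];
    }
    if (sep <= 0) continue;
    found.push({ name: key.slice(0, sep), version });
  }
  return found;
}

// Constructed v6 sample: the top-level "dependencies:" block must be ignored, and the
// 4-space "dependencies:" under a package entry must not be mistaken for a key.
const SAMPLE_PNPM_V6 = [
  "lockfileVersion: '6.0'",
  '',
  'dependencies:',
  '  react-dom:',
  '    specifier: ^19.0.0',
  '    version: 19.0.0(react@19.0.0)',
  '',
  'packages:',
  '',
  '  /@types/react@18.3.1:',
  '    resolution: {integrity: sha512-constructed}',
  '    dev: true',
  '',
  '  /react-dom@19.0.0(react@19.0.0):',
  '    resolution: {integrity: sha512-constructed}',
  '    peerDependencies:',
  '      react: ^19.0.0',
  '    dependencies:',
  '      react: 19.0.0',
  '      scheduler: 0.25.0',
  '',
  '  /react@19.0.0:',
  '    resolution: {integrity: sha512-constructed}',
  '',
].join('\n');

// Expected: @types/react 18.3.1, react-dom 19.0.0, react 19.0.0.
function parseSamplePnpmV6() {
  return parsePnpmLock(SAMPLE_PNPM_V6);
}
```

Reading only the `packages:` section is deliberate: in v9 the peer-specific variants live under `snapshots:` and would otherwise surface the same `react-dom@19.1.0` several times with different suffixes, which is the duplication the issue's "Deduplication" feature has to absorb.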
