feat: flag git: and https: dependencies as security concern

Adds detection and flagging for dependencies that use git: or https:
URLs, which can be manipulated as noted in the issue discussion.
These URL-based dependencies bypass npm registry integrity checks.

Closes #1084

Co-Authored-By: AI Assistant (Claude) <ai-assistant@contributor-bot.dev>
Signed-off-by: ndpvt-web <ndpvt-web@users.noreply.github.com>

Author: ndpvt-web

app/components/Package/Dependencies.vue

@@ -37,6 +37,12 @@ function getDeprecatedDepInfo(depName: string) {
   return vulnTree.value.deprecatedPackages.find(p => p.name === depName && p.depth === 'direct')
 }
 
+// Check if a dependency uses git: or https: URL
+function getUrlDepInfo(depName: string) {
+  if (!vulnTree.value) return null
+  return vulnTree.value.urlDependencies.find(p => p.name === depName)
+}
+
 // Expanded state for each section
 const depsExpanded = shallowRef(false)
 const peerDepsExpanded = shallowRef(false)
@@ -73,6 +79,8 @@ const sortedOptionalDependencies = computed(() => {
 
 // Get version tooltip
 function getDepVersionTooltip(dep: string, version: string) {
+  const urlDep = getUrlDepInfo(dep)
+  if (urlDep) return urlDep.url
   const outdated = outdatedDeps.value[dep]
   if (outdated) return getOutdatedTooltip(outdated, t)
   if (getVulnerableDepInfo(dep) || getDeprecatedDepInfo(dep)) return version
@@ -82,6 +90,7 @@ function getDepVersionTooltip(dep: string, version: string) {
 
 // Get version class
 function getDepVersionClass(dep: string) {
+  if (getUrlDepInfo(dep)) return 'text-orange-700 dark:text-orange-500'
   const outdated = outdatedDeps.value[dep]
   if (outdated) return getVersionClass(outdated)
   if (getVulnerableDepInfo(dep) || getDeprecatedDepInfo(dep)) return getVersionClass(undefined)
@@ -164,6 +173,19 @@ const numberFormatter = useNumberFormatter()
             >
               <span class="sr-only">{{ $t('package.deprecated.label') }}</span>
             </LinkBase>
+            <TooltipApp
+              v-if="getUrlDepInfo(dep)"
+              class="shrink-0 text-orange-700 dark:text-orange-500"
+              :text="getUrlDepInfo(dep)!.url"
+            >
+              <button
+                type="button"
+                class="p-2 -m-2"
+                :aria-label="`git/https dependency: ${getUrlDepInfo(dep)!.url}`"
+              >
+                <span class="i-lucide:triangle-alert w-3 h-3" aria-hidden="true" />
+              </button>
+            </TooltipApp>
             <LinkBase
               :to="packageRoute(dep, version)"
               class="block truncate"

server/utils/dependency-analysis.ts

@@ -8,6 +8,7 @@ import type {
   PackageVulnerabilityInfo,
   VulnerabilityTreeResult,
   DeprecatedPackageInfo,
+  UrlDependencyInfo,
   OsvAffected,
   OsvRange,
 } from '#shared/types/dependency-analysis'
@@ -255,6 +256,52 @@ function getSeverityLevel(vuln: OsvVulnerability): OsvSeverityLevel {
   return 'unknown'
 }
 
+/**
+ * Check if a dependency URL is a git: or https: URL that should be flagged.
+ */
+function isUrlDependency(url: string): boolean {
+  return url.startsWith('git:') || url.startsWith('https:') || url.startsWith('git+https:')
+}
+
+/**
+ * Scan a package's dependencies for git: and https: URLs.
+ * Returns a map of package names to their URL dependencies.
+ */
+async function scanUrlDependencies(
+  name: string,
+  version: string,
+  depth: DependencyDepth,
+  path: string[],
+): Promise<UrlDependencyInfo[]> {
+  try {
+    const packument = await fetchNpmPackage(name)
+    const versionData = packument.versions[version]
+    if (!versionData) return []
+
+    const urlDeps: UrlDependencyInfo[] = []
+    const allDeps = {
+      ...versionData.dependencies,
+      ...versionData.optionalDependencies,
+      ...versionData.devDependencies,
+    }
+
+    for (const [depName, depUrl] of Object.entries(allDeps || {})) {
+      if (isUrlDependency(depUrl)) {
+        urlDeps.push({
+          name: depName,
+          url: depUrl,
+          depth,
+          path: [...path, `${depName}@${depUrl}`],
+        })
+      }
+    }
+
+    return urlDeps
+  } catch {
+    return []
+  }
+}
+
 /**
  * Analyze entire dependency tree for vulnerabilities and deprecated packages.
  * Uses OSV batch API for efficient vulnerability discovery, then fetches
@@ -289,6 +336,9 @@ export const analyzeDependencyTree = defineCachedFunction(
         return depthOrder[a.depth] - depthOrder[b.depth]
       })
 
+    // Scan for git: and https: URL dependencies in the root package
+    const urlDependencies = await scanUrlDependencies(name, version, 'root', [])
+
     // Step 1: Use batch API to find which packages have vulnerabilities
     // This is much faster than individual queries - one request for all packages
     const { vulnerableIndices, failed: batchFailed } = await queryOsvBatch(packages)
@@ -347,6 +397,7 @@ export const analyzeDependencyTree = defineCachedFunction(
       version,
       vulnerablePackages,
       deprecatedPackages,
+      urlDependencies,
       totalPackages: packages.length,
       failedQueries,
       totalCounts,
@@ -356,6 +407,6 @@ export const analyzeDependencyTree = defineCachedFunction(
     maxAge: 60 * 60,
     swr: true,
     name: 'dependency-analysis',
-    getKey: (name: string, version: string) => `v2:${name}@${version}`,
+    getKey: (name: string, version: string) => `v3:${name}@${version}`,
   },
 )

server/utils/dependency-resolver.ts

@@ -106,6 +106,8 @@ export interface ResolvedPackage {
   path?: string[]
   /** Deprecation message if the version is deprecated */
   deprecated?: string
+  /** Original URL if this was a git: or https: dependency */
+  url?: string
 }
 
 /**

shared/types/dependency-analysis.ts

@@ -180,6 +180,19 @@ export interface DeprecatedPackageInfo {
   message: string
 }
 
+/**
+ * URL-based dependency info (git:, https:)
+ */
+export interface UrlDependencyInfo {
+  name: string
+  /** The git: or https: URL */
+  url: string
+  /** Depth in dependency tree: root (0), direct (1), transitive (2+) */
+  depth: DependencyDepth
+  /** Dependency path from root package */
+  path: string[]
+}
+
 /**
  * Result of dependency tree analysis
  */
@@ -192,6 +205,8 @@ export interface VulnerabilityTreeResult {
   vulnerablePackages: PackageVulnerabilityInfo[]
   /** All deprecated packages in the tree */
   deprecatedPackages: DeprecatedPackageInfo[]
+  /** All dependencies using git: or https: URLs */
+  urlDependencies: UrlDependencyInfo[]
   /** Total packages analyzed */
   totalPackages: number
   /** Number of packages that could not be checked (OSV query failed) */