Releases: didrod205/unspook
Release list
v0.2.0 — line/column + --report diagnostics
unspook now tells you exactly where a hidden character is — and shows it in review-friendly form.
📍 Line & column on every finding
scan results now include line and column (1-based; column counted in code points, so it matches what you see). Jump straight to the offender in a big file.
🔍 New report() + unspook --report
A compiler-style diagnostic for security & code review — perfect for catching a Trojan Source (CVE-2021-42574) bidi attack:
src/auth.js:2:18 DANGER U+202E RIGHT-TO-LEFT OVERRIDE (bidi)
if (access != "ad[U+202E]nimda[U+202C]") {
^
Each finding shows file:line:col, severity, the source line with the invisible character revealed inline, and a caret pointing at it. Colored output (respects NO_COLOR / --no-color).
Also
unspook --scannow printsline:colwith colored severity (was a raw index).--versionreads the real package version.- Library API adds
report()andReportLine;Findinggainsline/column.
Still zero dependencies, pure functions, runs anywhere. 26 tests.
Install
npx unspook --report src/ # review for Trojan Source & hidden chars💖 Sponsor via Lemon Squeezy.
v0.1.0
First public release of unspook — reveal & remove the invisible, dangerous, and confusable characters hiding in your text.
- 🔎
scan()finds zero-width spaces, BOMs, bidi controls (Trojan Source, CVE-2021-42574), Unicode tag chars (invisible prompt injection), homoglyphs, smart quotes, NBSP & more — each with a name, severity and position - 🧹
clean()strips the dangerous/invisible by default and keeps your visible text; opt-in smart-quote & homoglyph normalization - 🖥️ Free local-only web app (GitHub Pages — nothing uploaded)
- ⌨️
unspookCLI — clean/scan/reveal;--scanexits non-zero for CI & pre-commit hooks - 📦 Zero dependencies, ESM + CJS + TypeScript types
Web app: https://didrod205.github.io/unspook/ · npm install unspook