Skip to content

Releases: didrod205/unspook

v0.2.0 — line/column + --report diagnostics

Choose a tag to compare

@didrod205 didrod205 released this 01 Jun 06:16

unspook now tells you exactly where a hidden character is — and shows it in review-friendly form.

📍 Line & column on every finding

scan results now include line and column (1-based; column counted in code points, so it matches what you see). Jump straight to the offender in a big file.

🔍 New report() + unspook --report

A compiler-style diagnostic for security & code review — perfect for catching a Trojan Source (CVE-2021-42574) bidi attack:

src/auth.js:2:18  DANGER  U+202E RIGHT-TO-LEFT OVERRIDE (bidi)
  if (access != "ad[U+202E]nimda[U+202C]") {
                   ^

Each finding shows file:line:col, severity, the source line with the invisible character revealed inline, and a caret pointing at it. Colored output (respects NO_COLOR / --no-color).

Also

  • unspook --scan now prints line:col with colored severity (was a raw index).
  • --version reads the real package version.
  • Library API adds report() and ReportLine; Finding gains line/column.

Still zero dependencies, pure functions, runs anywhere. 26 tests.

Install

npx unspook --report src/        # review for Trojan Source & hidden chars

💖 Sponsor via Lemon Squeezy.

v0.1.0

Choose a tag to compare

@didrod205 didrod205 released this 29 May 14:00

First public release of unspook — reveal & remove the invisible, dangerous, and confusable characters hiding in your text.

  • 🔎 scan() finds zero-width spaces, BOMs, bidi controls (Trojan Source, CVE-2021-42574), Unicode tag chars (invisible prompt injection), homoglyphs, smart quotes, NBSP & more — each with a name, severity and position
  • 🧹 clean() strips the dangerous/invisible by default and keeps your visible text; opt-in smart-quote & homoglyph normalization
  • 🖥️ Free local-only web app (GitHub Pages — nothing uploaded)
  • ⌨️ unspook CLI — clean/scan/reveal; --scan exits non-zero for CI & pre-commit hooks
  • 📦 Zero dependencies, ESM + CJS + TypeScript types

Web app: https://didrod205.github.io/unspook/ · npm install unspook