Skip to content

v0.2.0 — line/column + --report diagnostics

Latest

Choose a tag to compare

@didrod205 didrod205 released this 01 Jun 06:16

unspook now tells you exactly where a hidden character is — and shows it in review-friendly form.

📍 Line & column on every finding

scan results now include line and column (1-based; column counted in code points, so it matches what you see). Jump straight to the offender in a big file.

🔍 New report() + unspook --report

A compiler-style diagnostic for security & code review — perfect for catching a Trojan Source (CVE-2021-42574) bidi attack:

src/auth.js:2:18  DANGER  U+202E RIGHT-TO-LEFT OVERRIDE (bidi)
  if (access != "ad[U+202E]nimda[U+202C]") {
                   ^

Each finding shows file:line:col, severity, the source line with the invisible character revealed inline, and a caret pointing at it. Colored output (respects NO_COLOR / --no-color).

Also

  • unspook --scan now prints line:col with colored severity (was a raw index).
  • --version reads the real package version.
  • Library API adds report() and ReportLine; Finding gains line/column.

Still zero dependencies, pure functions, runs anywhere. 26 tests.

Install

npx unspook --report src/        # review for Trojan Source & hidden chars

💖 Sponsor via Lemon Squeezy.