unspook now tells you exactly where a hidden character is — and shows it in review-friendly form.
📍 Line & column on every finding
scan results now include line and column (1-based; column counted in code points, so it matches what you see). Jump straight to the offender in a big file.
🔍 New report() + unspook --report
A compiler-style diagnostic for security & code review — perfect for catching a Trojan Source (CVE-2021-42574) bidi attack:
src/auth.js:2:18 DANGER U+202E RIGHT-TO-LEFT OVERRIDE (bidi)
if (access != "ad[U+202E]nimda[U+202C]") {
^
Each finding shows file:line:col, severity, the source line with the invisible character revealed inline, and a caret pointing at it. Colored output (respects NO_COLOR / --no-color).
Also
unspook --scannow printsline:colwith colored severity (was a raw index).--versionreads the real package version.- Library API adds
report()andReportLine;Findinggainsline/column.
Still zero dependencies, pure functions, runs anywhere. 26 tests.
Install
npx unspook --report src/ # review for Trojan Source & hidden chars💖 Sponsor via Lemon Squeezy.