NodeSecure · fraxken · Oct 30, 2025 · Oct 30, 2025
diff --git a/.npmrc b/.npmrc
@@ -1,2 +1,4 @@
 package-lock=false
 provenance=true
+save-exact=true
+ignore-scripts=true
diff --git a/package.json b/package.json
@@ -97,7 +97,7 @@
     "@nodesecure/npm-registry-sdk": "^4.4.0",
     "@nodesecure/ossf-scorecard-sdk": "^3.2.1",
     "@nodesecure/rc": "^5.0.0",
-    "@nodesecure/report": "^3.0.0",
+    "@nodesecure/report": "4.0.0",
     "@nodesecure/scanner": "^7.1.0",
     "@nodesecure/utils": "^2.2.0",
     "@nodesecure/vulnera": "^2.0.1",

diff --git a/workspaces/server/src/endpoints/report.ts b/workspaces/server/src/endpoints/report.ts
@@ -2,17 +2,18 @@
 import fs from "node:fs";
 
 // Import Third-party Dependencies
-import { report } from "@nodesecure/report";
 import send from "@polka/send-type";
-import type { Request, Response } from "express-serve-static-core";
+import { report } from "@nodesecure/report";
 import { appCache } from "@nodesecure/cache";
+import type { Request, Response } from "express-serve-static-core";
+import type { RC } from "@nodesecure/rc";
 
 // Import Internal Dependencies
 import { context } from "../ALS.js";
 import { bodyParser } from "../middlewares/bodyParser.js";
 
 // TODO: provide a non-file-based API on RC side ?
-const kReportPayload = {
+const kReportPayload: Partial<RC["report"]> = {
   includeTransitiveInternal: false,
   reporters: [
     "pdf"
@@ -46,16 +47,22 @@ const kReportPayload = {
 };
 
 export async function post(req: Request, res: Response) {
-  const body = await bodyParser(req);
+  const body = await bodyParser(req) as {
+    title: string;
+    includesAllDeps: boolean;
+    theme: "light" | "dark";
+  };
   const { title, includesAllDeps, theme } = body;
+
   const { dataFilePath } = context.getStore()!;
   const scannerPayload = dataFilePath ?
     JSON.parse(fs.readFileSync(dataFilePath, "utf-8")) :
     appCache.getPayload((await appCache.payloadsList()).current);
-  const reportPayload = structuredClone(kReportPayload);
+
   const rootDependencyName = scannerPayload.rootDependencyName;
   const [organizationPrefixOrRepo, repo] = rootDependencyName.split("/");
-  Object.assign(reportPayload, {
+  const reportPayload = structuredClone({
+    ...kReportPayload,
     title,
     npm: {
       organizationPrefix: repo === undefined ? null : organizationPrefixOrRepo,
@@ -65,8 +72,14 @@ export async function post(req: Request, res: Response) {
   });
 
   try {
+    const dependencies = includesAllDeps ?
+      scannerPayload.dependencies :
+      {
+        [rootDependencyName]: scannerPayload.dependencies[rootDependencyName]
+      };
+
     const data = await report(
-      includesAllDeps ? scannerPayload.dependencies : { [rootDependencyName]: scannerPayload.dependencies[rootDependencyName] },
+      dependencies,
       reportPayload
     );
 

diff --git a/workspaces/server/src/middlewares/bodyParser.ts b/workspaces/server/src/middlewares/bodyParser.ts
@@ -7,7 +7,9 @@ import type { Request } from "express-serve-static-core";
  * @param {*} req
  * @returns {Promise<any>}
  */
-export async function bodyParser(req: Request) {
+export async function bodyParser(
+  req: Request
+) {
   let rawBody = "";
   for await (const chunk of req) {
     rawBody += chunk;