@anren-utils/mcp-audit 1.0.0

package/.editorconfig

@@ -0,0 +1,13 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+tab_width = 2
+end_of_line = crlf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = false

package/dist/audit/auditUtils.d.ts

@@ -0,0 +1,12 @@
+import type { AuditResult } from "../types.js";
+/**
+ * @Desc: 执行npm audit命令，返回审计结果
+ * @param {string} workDir
+ */
+export declare function npmAudit(workDir: string): Promise<AuditResult>;
+/**
+ * @Desc: 执行pnpm audit命令，返回审计结果
+ * @param {string} workDir
+ */
+export declare function pnpmAudit(workDir: string): Promise<AuditResult>;
+//# sourceMappingURL=auditUtils.d.ts.map

package/dist/audit/auditUtils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditUtils.d.ts","sourceRoot":"","sources":["../../src/audit/auditUtils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG/C;;;GAGG;AACH,wBAAsB,QAAQ,CAAC,OAAO,EAAE,MAAM,wBAK7C;AAED;;;GAGG;AACH,wBAAsB,SAAS,CAAC,OAAO,EAAE,MAAM,wBAK9C"}

package/dist/audit/auditUtils.js

@@ -0,0 +1,22 @@
+import { runCommand } from "../utils/index.js";
+/**
+ * @Desc: 执行npm audit命令，返回审计结果
+ * @param {string} workDir
+ */
+export async function npmAudit(workDir) {
+    const cmd = `npm audit --json`;
+    const jsonResult = await runCommand(cmd, workDir); // 在工作目录中执行命令
+    const auditData = JSON.parse(jsonResult);
+    return auditData;
+}
+/**
+ * @Desc: 执行pnpm audit命令，返回审计结果
+ * @param {string} workDir
+ */
+export async function pnpmAudit(workDir) {
+    const cmd = `pnpm audit --json`;
+    const jsonResult = await runCommand(cmd, workDir); // 在工作目录中执行命令
+    const auditData = JSON.parse(jsonResult);
+    return auditData;
+}
+//# sourceMappingURL=auditUtils.js.map

package/dist/audit/auditUtils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auditUtils.js","sourceRoot":"","sources":["../../src/audit/auditUtils.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,OAAe;IAC5C,MAAM,GAAG,GAAG,kBAAkB,CAAC;IAC/B,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,aAAa;IAChE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAgB,CAAC;IACxD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAe;IAC7C,MAAM,GAAG,GAAG,mBAAmB,CAAC;IAChC,MAAM,UAAU,GAAG,MAAM,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,aAAa;IAChE,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAgB,CAAC;IACxD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/audit/currentAudit.d.ts

@@ -0,0 +1,53 @@
+import type { AuditSeverity } from "../types.js";
+/**
+ * 单个漏洞问题的详细信息
+ */
+interface Problem {
+    /** 漏洞 ID (Advisory ID) */
+    source: number;
+    /** 包名 */
+    name: string;
+    /** 依赖名 */
+    dependency: string;
+    /** 漏洞标题 */
+    title: string;
+    /** 漏洞详情 URL */
+    url: string;
+    /** 严重程度 */
+    severity: AuditSeverity;
+    /** CWE 列表 */
+    cwe: string[];
+    /** CVSS 评分数据 */
+    cvss: {
+        score: number;
+        vectorString: string;
+    };
+    /** 受影响的版本范围 */
+    range: string;
+}
+/**
+ * currentAudit 函数返回的最终结果对象
+ */
+interface CurrentAuditResult {
+    /** 包名 */
+    name: string;
+    /** 版本/范围 */
+    range: string;
+    /** 节点路径，当前工程通常为根目录 '.' */
+    nodes: string[];
+    /** 依赖链，当前工程通常为空 */
+    depChains: any[];
+    /** 检测到的所有漏洞问题列表 */
+    problems: Problem[];
+    /** 当前包的最高严重程度 */
+    severity: AuditSeverity;
+}
+/**
+ * @Desc: 添加当前工程的审计结果
+ * @return {*}
+ * @param {string} name
+ * @param {string} version
+ */
+export declare function currentAudit(name: string, version: string): Promise<CurrentAuditResult | null>;
+export {};
+//# sourceMappingURL=currentAudit.d.ts.map

package/dist/audit/currentAudit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"currentAudit.d.ts","sourceRoot":"","sources":["../../src/audit/currentAudit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGjD;;GAEG;AACH,UAAU,OAAO;IACf,0BAA0B;IAC1B,MAAM,EAAE,MAAM,CAAC;IAEf,SAAS;IACT,IAAI,EAAE,MAAM,CAAC;IAEb,UAAU;IACV,UAAU,EAAE,MAAM,CAAC;IAEnB,WAAW;IACX,KAAK,EAAE,MAAM,CAAC;IAEd,eAAe;IACf,GAAG,EAAE,MAAM,CAAC;IAEZ,WAAW;IACX,QAAQ,EAAE,aAAa,CAAC;IAExB,aAAa;IACb,GAAG,EAAE,MAAM,EAAE,CAAC;IAEd,gBAAgB;IAChB,IAAI,EAAE;QACJ,KAAK,EAAE,MAAM,CAAC;QACd,YAAY,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF,eAAe;IACf,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,UAAU,kBAAkB;IAC1B,SAAS;IACT,IAAI,EAAE,MAAM,CAAC;IAEb,YAAY;IACZ,KAAK,EAAE,MAAM,CAAC;IAEd,0BAA0B;IAC1B,KAAK,EAAE,MAAM,EAAE,CAAC;IAEhB,mBAAmB;IACnB,SAAS,EAAE,GAAG,EAAE,CAAC;IAEjB,mBAAmB;IACnB,QAAQ,EAAE,OAAO,EAAE,CAAC;IAEpB,iBAAiB;IACjB,QAAQ,EAAE,aAAa,CAAC;CACzB;AAUD;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,sCAwC/D"}

package/dist/audit/currentAudit.js

@@ -0,0 +1,54 @@
+import { remoteAudit } from "./remoteAudit.js";
+const severityLevelsMap = {
+    info: 0,
+    low: 1,
+    moderate: 2,
+    high: 3,
+    critical: 4,
+};
+/**
+ * @Desc: 添加当前工程的审计结果
+ * @return {*}
+ * @param {string} name
+ * @param {string} version
+ */
+export async function currentAudit(name, version) {
+    // 1. 调用 remoteAudit 函数获取审计结果
+    const auditResult = await remoteAudit(name, version);
+    // 2. 规格化审计结果
+    if (!auditResult.advisories ||
+        Object.keys(auditResult.advisories).length === 0) {
+        return null;
+    }
+    const result = {
+        name,
+        range: version,
+        nodes: ["."],
+        depChains: [],
+        problems: [],
+        severity: "info",
+    };
+    const advisories = Object.values(auditResult.advisories);
+    let maxSeverity = "info";
+    result.problems = advisories.map((advisory) => {
+        const problem = {
+            source: advisory.id,
+            name,
+            dependency: name,
+            title: advisory.title,
+            url: advisory.url,
+            severity: advisory.severity,
+            cwe: advisory.cwe,
+            cvss: advisory.cvss,
+            range: advisory.vulnerable_versions,
+        };
+        // 更新最大严重性
+        if (severityLevelsMap[problem.severity] > severityLevelsMap[maxSeverity]) {
+            maxSeverity = problem.severity;
+        }
+        return problem;
+    });
+    result.severity = maxSeverity;
+    return result;
+}
+//# sourceMappingURL=currentAudit.js.map

package/dist/audit/currentAudit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"currentAudit.js","sourceRoot":"","sources":["../../src/audit/currentAudit.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AA4D/C,MAAM,iBAAiB,GAAkC;IACvD,IAAI,EAAE,CAAC;IACP,GAAG,EAAE,CAAC;IACN,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAY,EAAE,OAAe;IAC9D,6BAA6B;IAC7B,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACrD,aAAa;IACb,IACE,CAAC,WAAW,CAAC,UAAU;QACvB,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,MAAM,KAAK,CAAC,EAChD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,MAAM,GAAuB;QACjC,IAAI;QACJ,KAAK,EAAE,OAAO;QACd,KAAK,EAAE,CAAC,GAAG,CAAC;QACZ,SAAS,EAAE,EAAE;QACb,QAAQ,EAAE,EAAE;QACZ,QAAQ,EAAE,MAAM;KACjB,CAAC;IACF,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;IACzD,IAAI,WAAW,GAAkB,MAAM,CAAC;IACxC,MAAM,CAAC,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE;QAC5C,MAAM,OAAO,GAAY;YACvB,MAAM,EAAE,QAAQ,CAAC,EAAE;YACnB,IAAI;YACJ,UAAU,EAAE,IAAI;YAChB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,IAAI,EAAE,QAAQ,CAAC,IAAI;YACnB,KAAK,EAAE,QAAQ,CAAC,mBAAmB;SACpC,CAAC;QACF,UAAU;QACV,IAAI,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,iBAAiB,CAAC,WAAW,CAAC,EAAE,CAAC;YACzE,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC;QACjC,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;IACH,MAAM,CAAC,QAAQ,GAAG,WAAW,CAAC;IAC9B,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/audit/getDepChain.d.ts

@@ -0,0 +1,16 @@
+import type { VulnerabilityInfo } from "../types.js";
+/**
+ * 图的伸缩算法，用于获取从给定节点出发的所有依赖链条
+ * 给定图结构中的一个节点，获取从该节点的依赖节点出发一直走到终点，一共走出的所有链条
+ * 注意：图结构中可能存在环，遇到环时，环所在的节点直接作为终点即可
+ * @param {VulnerabilityInfo} vulnerabilityInfo - 给定的漏洞信息
+ * @param {Record<string, VulnerabilityInfo>} vulnerabilities - 所有漏洞信息的映射表，键为漏洞名称，值为漏洞信息
+ * @returns {Array<string[][]>} 返回所有依赖链，每个链是一个字符串数组，每个字符串是一个漏洞名称
+ * 返回结果示例："depChains": [["@vue/cli-plugin-babel","@vue/cli-service","@intervolga/optimize-cssnano-plugin","postcss"],[
+            "@vue/cli-plugin-router",
+            "@vue/cli-service",
+            "@intervolga/optimize-cssnano-plugin",
+            "postcss"]]
+ */
+export declare function getDepChains(vulnerabilityInfo: VulnerabilityInfo, vulnerabilities: Record<string, VulnerabilityInfo>): string[][];
+//# sourceMappingURL=getDepChain.d.ts.map

package/dist/audit/getDepChain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"getDepChain.d.ts","sourceRoot":"","sources":["../../src/audit/getDepChain.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD;;;;;;;;;;;;GAYG;AACH,wBAAgB,YAAY,CAC1B,iBAAiB,EAAE,iBAAiB,EACpC,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,cAqDnD"}

package/dist/audit/getDepChain.js

@@ -0,0 +1,60 @@
+/**
+ * 图的伸缩算法，用于获取从给定节点出发的所有依赖链条
+ * 给定图结构中的一个节点，获取从该节点的依赖节点出发一直走到终点，一共走出的所有链条
+ * 注意：图结构中可能存在环，遇到环时，环所在的节点直接作为终点即可
+ * @param {VulnerabilityInfo} vulnerabilityInfo - 给定的漏洞信息
+ * @param {Record<string, VulnerabilityInfo>} vulnerabilities - 所有漏洞信息的映射表，键为漏洞名称，值为漏洞信息
+ * @returns {Array<string[][]>} 返回所有依赖链，每个链是一个字符串数组，每个字符串是一个漏洞名称
+ * 返回结果示例："depChains": [["@vue/cli-plugin-babel","@vue/cli-service","@intervolga/optimize-cssnano-plugin","postcss"],[
+            "@vue/cli-plugin-router",
+            "@vue/cli-service",
+            "@intervolga/optimize-cssnano-plugin",
+            "postcss"]]
+ */
+export function getDepChains(vulnerabilityInfo, vulnerabilities) {
+    // 存储所有找到的依赖链(存储最终结果：所有找到的完整路径)
+    const chains = [];
+    // 当前DFS路径（用于检测环）(当前正在探索的路径栈（用于记录路径和检测环）)
+    const currentPath = [];
+    /**
+     * 深度优先搜索函数
+     * @param {VulnerabilityInfo} currentVulnerabilityInfo - 当前处理的漏洞信息
+     */
+    function dfs(currentVulnerabilityInfo) {
+        // 1. 健壮性检查
+        if (!currentVulnerabilityInfo)
+            return;
+        // 2. 环检测
+        // 检查是否形成环（当前节点已在路径中）
+        // 如果当前节点的名字已经存在于当前路径中，说明我们遇到了一个环（A->B->C->A）。
+        // 将当前路径记录下来并停止该分支的搜索。
+        if (currentPath.includes(currentVulnerabilityInfo.name)) {
+            chains.push([...currentPath]); // 注意：这里并没有把重复的节点再次加入，而是截断
+            return;
+        }
+        // 3. 前进：将当前节点加入路径头部
+        // 使用 unshift 是为了让链条保持顺序：[起点, ..., 当前节点]
+        currentPath.unshift(currentVulnerabilityInfo.name);
+        // 4. 终点判断
+        // 如果没有依赖节点，说明到达终点
+        if (!currentVulnerabilityInfo.effects ||
+            currentVulnerabilityInfo.effects.length === 0) {
+            chains.push([...currentPath]);
+        }
+        else {
+            // 5. 递归遍历
+            // 遍历当前节点的所有依赖项，对每一个依赖项递归调用 dfs
+            for (const effect of currentVulnerabilityInfo.effects) {
+                dfs(vulnerabilities[effect]);
+            }
+        }
+        // 6. 回溯
+        // 当递归返回（无论是找到了终点还是遇到了环），
+        // 必须将当前节点从路径中移除，以便探索下一条可能的路径。
+        currentPath.shift();
+    }
+    // 从给定节点开始DFS
+    dfs(vulnerabilityInfo);
+    return chains;
+}
+//# sourceMappingURL=getDepChain.js.map

package/dist/audit/getDepChain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getDepChain.js","sourceRoot":"","sources":["../../src/audit/getDepChain.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,YAAY,CAC1B,iBAAoC,EACpC,eAAkD;IAElD,+BAA+B;IAC/B,MAAM,MAAM,GAAe,EAAE,CAAC;IAE9B,yCAAyC;IACzC,MAAM,WAAW,GAAa,EAAE,CAAC;IAEjC;;;OAGG;IACH,SAAS,GAAG,CAAC,wBAA4C;QACvD,WAAW;QACX,IAAI,CAAC,wBAAwB;YAAE,OAAO;QAEtC,SAAS;QACT,qBAAqB;QACrB,8CAA8C;QAC9C,sBAAsB;QACtB,IAAI,WAAW,CAAC,QAAQ,CAAC,wBAAwB,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,0BAA0B;YACzD,OAAO;QACT,CAAC;QAED,oBAAoB;QACpB,wCAAwC;QACxC,WAAW,CAAC,OAAO,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC;QAEnD,UAAU;QACV,kBAAkB;QAClB,IACE,CAAC,wBAAwB,CAAC,OAAO;YACjC,wBAAwB,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAC7C,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,UAAU;YACV,+BAA+B;YAC/B,KAAK,MAAM,MAAM,IAAI,wBAAwB,CAAC,OAAO,EAAE,CAAC;gBACtD,GAAG,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC;YAC/B,CAAC;QACH,CAAC;QACD,QAAQ;QACR,yBAAyB;QACzB,8BAA8B;QAC9B,WAAW,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED,aAAa;IACb,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAEvB,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/audit/index.d.ts

@@ -0,0 +1,11 @@
+import type { RemoteWorkspaceInfo } from "../parseProject/parseWorkspace.js";
+import type { PackageJsonInfo, PackageManager } from "../types.js";
+interface AuditOptions {
+    workDir: string;
+    packageJson: PackageJsonInfo;
+    subPackageInfos: RemoteWorkspaceInfo | null;
+    currentPackageManager: PackageManager;
+}
+export declare function audit(options: AuditOptions): Promise<import("./normalizeAuditResult.js").NormalizedResult>;
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAC;AAC7E,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAKnE,UAAU,YAAY;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,eAAe,CAAC;IAC7B,eAAe,EAAE,mBAAmB,GAAG,IAAI,CAAC;IAC5C,qBAAqB,EAAE,cAAc,CAAC;CACvC;AAED,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,iEAMhD"}

package/dist/audit/index.js

@@ -0,0 +1,64 @@
+import { join } from "path";
+import { npmAudit, pnpmAudit } from "./auditUtils.js";
+import { currentAudit } from "./currentAudit.js";
+import { normalizeAuditResult } from "./normalizeAuditResult.js";
+export async function audit(options) {
+    const { subPackageInfos } = options;
+    if (subPackageInfos?.subPackageNames) {
+        return await monorepoAudit(options);
+    }
+    return await defaultAudit(options);
+}
+async function defaultAudit(options) {
+    const { workDir, packageJson, currentPackageManager } = options;
+    const auditFn = currentPackageManager === "npm" ? npmAudit : pnpmAudit;
+    // 调用 npmAudit 获取审计结果
+    const auditResult = await auditFn(workDir);
+    // 规范化审计结果
+    const normalizedResult = normalizeAuditResult(auditResult);
+    // 添加当前工程的审计结果
+    const current = await currentAudit(packageJson.name, packageJson.version);
+    if (current) {
+        normalizedResult.vulnerabilities[current.severity].unshift(current);
+    }
+    // 添加汇总信息
+    normalizedResult.summary = {
+        total: Object.values(normalizedResult.vulnerabilities).reduce((sum, arr) => sum + arr.length, 0),
+        critical: normalizedResult.vulnerabilities.critical.length,
+        high: normalizedResult.vulnerabilities.high.length,
+        moderate: normalizedResult.vulnerabilities.moderate.length,
+        low: normalizedResult.vulnerabilities.low.length,
+        info: normalizedResult.vulnerabilities.info.length,
+    };
+    return normalizedResult;
+}
+async function monorepoAudit(options) {
+    const { workDir, packageJson, subPackageInfos, currentPackageManager } = options;
+    if (!subPackageInfos) {
+        throw new Error("monorepo工程必须包含子包信息");
+    }
+    const auditFn = currentPackageManager === "npm" ? npmAudit : pnpmAudit;
+    // 调用 npmAudit 获取审计结果
+    const auditResult = await auditFn(workDir);
+    // 得到所有子包的审计结果
+    const subPackageAuditResults = await Promise.all(subPackageInfos.subPackageNames.map((subPackageName) => auditFn(join(workDir, subPackageName))));
+    const allAuditResults = [auditResult, ...subPackageAuditResults];
+    // 规范化审计结果
+    const normalizedResult = normalizeAuditResult(allAuditResults);
+    // 添加当前工程的审计结果
+    const current = await currentAudit(packageJson.name, packageJson.version);
+    if (current) {
+        normalizedResult.vulnerabilities[current.severity].unshift(current);
+    }
+    // 添加汇总信息
+    normalizedResult.summary = {
+        total: Object.values(normalizedResult.vulnerabilities).reduce((sum, arr) => sum + arr.length, 0),
+        critical: normalizedResult.vulnerabilities.critical.length,
+        high: normalizedResult.vulnerabilities.high.length,
+        moderate: normalizedResult.vulnerabilities.moderate.length,
+        low: normalizedResult.vulnerabilities.low.length,
+        info: normalizedResult.vulnerabilities.info.length,
+    };
+    return normalizedResult;
+}
+//# sourceMappingURL=index.js.map

package/dist/audit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAG5B,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AASjE,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,OAAqB;IAC/C,MAAM,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;IACpC,IAAI,eAAe,EAAE,eAAe,EAAE,CAAC;QACrC,OAAO,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,OAAqB;IAC/C,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,GAAG,OAAO,CAAC;IAChE,MAAM,OAAO,GAAG,qBAAqB,KAAK,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IACvE,qBAAqB;IACrB,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IAE3C,UAAU;IACV,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAE3D,cAAc;IACd,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;IAC1E,IAAI,OAAO,EAAE,CAAC;QACZ,gBAAgB,CAAC,eAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACtE,CAAC;IACD,SAAS;IACT,gBAAgB,CAAC,OAAO,GAAG;QACzB,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAAC,MAAM,CAC3D,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,GAAG,CAAC,MAAM,EAC9B,CAAC,CACF;QACD,QAAQ,EAAE,gBAAgB,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM;QAC1D,IAAI,EAAE,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM;QAClD,QAAQ,EAAE,gBAAgB,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM;QAC1D,GAAG,EAAE,gBAAgB,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM;QAChD,IAAI,EAAE,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM;KACnD,CAAC;IACF,OAAO,gBAAgB,CAAC;AAC1B,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,OAAqB;IAChD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,qBAAqB,EAAE,GACpE,OAAO,CAAC;IACV,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IACD,MAAM,OAAO,GAAG,qBAAqB,KAAK,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IACvE,qBAAqB;IACrB,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IAC3C,cAAc;IACd,MAAM,sBAAsB,GAAG,MAAM,OAAO,CAAC,GAAG,CAC9C,eAAe,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,EAAE,CACrD,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CACvC,CACF,CAAC;IACF,MAAM,eAAe,GAAG,CAAC,WAAW,EAAE,GAAG,sBAAsB,CAAC,CAAC;IAEjE,UAAU;IACV,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,eAAe,CAAC,CAAC;IAE/D,cAAc;IACd,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC,OAAO,CAAC,CAAC;IAC1E,IAAI,OAAO,EAAE,CAAC;QACZ,gBAAgB,CAAC,eAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACtE,CAAC;IACD,SAAS;IACT,gBAAgB,CAAC,OAAO,GAAG;QACzB,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAAC,MAAM,CAC3D,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC,GAAG,GAAG,GAAG,CAAC,MAAM,EAC9B,CAAC,CACF;QACD,QAAQ,EAAE,gBAAgB,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM;QAC1D,IAAI,EAAE,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM;QAClD,QAAQ,EAAE,gBAAgB,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM;QAC1D,GAAG,EAAE,gBAAgB,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM;QAChD,IAAI,EAAE,gBAAgB,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM;KACnD,CAAC;IACF,OAAO,gBAAgB,CAAC;AAC1B,CAAC"}

package/dist/audit/normalizeAuditResult.d.ts

@@ -0,0 +1,13 @@
+import type { AuditResult, AuditSeverity, NormalizedVulnerabilityInfo } from "../types.js";
+export interface NormalizedResult {
+    vulnerabilities: Record<AuditSeverity, NormalizedVulnerabilityInfo[]>;
+    summary?: Record<AuditSeverity | "total", number>;
+}
+/**
+ * 处理 auditResult 是数组的情况，合并多个审计结果
+ * @param auditResults AuditResult 数组
+ * @returns 合并后的标准化结果
+ */
+export declare function normalizeAuditResults(auditResults: AuditResult[]): NormalizedResult;
+export declare function normalizeAuditResult(auditResult: AuditResult | AuditResult[]): NormalizedResult;
+//# sourceMappingURL=normalizeAuditResult.d.ts.map

package/dist/audit/normalizeAuditResult.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"normalizeAuditResult.d.ts","sourceRoot":"","sources":["../../src/audit/normalizeAuditResult.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,aAAa,EACb,2BAA2B,EAE5B,MAAM,aAAa,CAAC;AAGrB,MAAM,WAAW,gBAAgB;IAC/B,eAAe,EAAE,MAAM,CAAC,aAAa,EAAE,2BAA2B,EAAE,CAAC,CAAC;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC,aAAa,GAAG,OAAO,EAAE,MAAM,CAAC,CAAC;CACnD;AA8CD;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,YAAY,EAAE,WAAW,EAAE,GAuB1D,gBAAgB,CACtB;AAED,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,WAAW,GAAG,WAAW,EAAE,oBAU5E"}

package/dist/audit/normalizeAuditResult.js

@@ -0,0 +1,81 @@
+import { getDepChains } from "./getDepChain.js";
+function _normalizeVulnerabilities(auditResult) {
+    // 漏洞级别分类组别，用于后续统计漏洞数量
+    const result = {
+        critical: [],
+        high: [],
+        moderate: [],
+        low: [],
+        info: [],
+    };
+    for (const key in auditResult.vulnerabilities) {
+        // 获取当前漏洞的包信息
+        const packageInfo = auditResult.vulnerabilities[key];
+        const normalizedPackage = _normalizePackage(packageInfo);
+        if (normalizedPackage) {
+            result[normalizedPackage.severity].push(normalizedPackage);
+        }
+    }
+    return result;
+    function _normalizePackage(packageInfo) {
+        if (!packageInfo) {
+            return null;
+        }
+        const { via = [] } = packageInfo;
+        // 只需要记录自身有漏洞的包，而不是依赖的包
+        const validVia = via.filter((it) => typeof it === "object");
+        if (validVia.length === 0) {
+            return null;
+        }
+        // 规格化漏洞信息
+        const info = {
+            name: packageInfo.name,
+            severity: packageInfo.severity,
+            problems: validVia,
+            nodes: packageInfo.nodes || [],
+        };
+        info.depChains = getDepChains(packageInfo, auditResult.vulnerabilities);
+        // info.depChains = info.depChains.filter(
+        //   (chain) => !isInvalidChain(chain, packageInfo.name)
+        // );
+        return info;
+    }
+}
+/**
+ * 处理 auditResult 是数组的情况，合并多个审计结果
+ * @param auditResults AuditResult 数组
+ * @returns 合并后的标准化结果
+ */
+export function normalizeAuditResults(auditResults) {
+    // 初始化结果对象
+    const result = {
+        critical: [],
+        high: [],
+        moderate: [],
+        low: [],
+        info: [],
+    };
+    // 遍历所有审计结果
+    for (const auditResult of auditResults) {
+        const normalizedResult = _normalizeVulnerabilities(auditResult);
+        // 合并每个级别的漏洞
+        for (const severity in normalizedResult) {
+            const vulnerabilities = normalizedResult[severity];
+            result[severity].push(...vulnerabilities);
+        }
+    }
+    return {
+        vulnerabilities: result,
+    };
+}
+export function normalizeAuditResult(auditResult) {
+    if (Array.isArray(auditResult)) {
+        return {
+            vulnerabilities: normalizeAuditResults(auditResult).vulnerabilities,
+        };
+    }
+    return {
+        vulnerabilities: _normalizeVulnerabilities(auditResult),
+    };
+}
+//# sourceMappingURL=normalizeAuditResult.js.map

package/dist/audit/normalizeAuditResult.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"normalizeAuditResult.js","sourceRoot":"","sources":["../../src/audit/normalizeAuditResult.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAOhD,SAAS,yBAAyB,CAAC,WAAwB;IACzD,sBAAsB;IACtB,MAAM,MAAM,GAAyD;QACnE,QAAQ,EAAE,EAAE;QACZ,IAAI,EAAE,EAAE;QACR,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,EAAE;QACP,IAAI,EAAE,EAAE;KACT,CAAC;IACF,KAAK,MAAM,GAAG,IAAI,WAAW,CAAC,eAAe,EAAE,CAAC;QAC9C,aAAa;QACb,MAAM,WAAW,GAAG,WAAW,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;QACrD,MAAM,iBAAiB,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;QACzD,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;IAEd,SAAS,iBAAiB,CAAC,WAA+B;QACxD,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,EAAE,GAAG,GAAG,EAAE,EAAE,GAAG,WAAW,CAAC;QACjC,uBAAuB;QACvB,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC;QAC5D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,UAAU;QACV,MAAM,IAAI,GAAgC;YACxC,IAAI,EAAE,WAAW,CAAC,IAAI;YACtB,QAAQ,EAAE,WAAW,CAAC,QAAQ;YAC9B,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,WAAW,CAAC,KAAK,IAAI,EAAE;SAC/B,CAAC;QACF,IAAI,CAAC,SAAS,GAAG,YAAY,CAAC,WAAW,EAAE,WAAW,CAAC,eAAe,CAAC,CAAC;QACxE,0CAA0C;QAC1C,wDAAwD;QACxD,KAAK;QACL,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,YAA2B;IAC/D,UAAU;IACV,MAAM,MAAM,GAAyD;QACnE,QAAQ,EAAE,EAAE;QACZ,IAAI,EAAE,EAAE;QACR,QAAQ,EAAE,EAAE;QACZ,GAAG,EAAE,EAAE;QACP,IAAI,EAAE,EAAE;KACT,CAAC;IAEF,WAAW;IACX,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;QACvC,MAAM,gBAAgB,GAAG,yBAAyB,CAAC,WAAW,CAAC,CAAC;QAEhE,YAAY;QACZ,KAAK,MAAM,QAAQ,IAAI,gBAAgB,EAAE,CAAC;YACxC,MAAM,eAAe,GAAG,gBAAgB,CAAC,QAAyB,CAAC,CAAC;YACpE,MAAM,CAAC,QAAyB,CAAC,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,OAAO;QACL,eAAe,EAAE,MAAM;KACJ,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,WAAwC;IAC3E,IAAI,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,eAAe,EAAE,qBAAqB,CAAC,WAAW,CAAC,CAAC,eAAe;SAChD,CAAC;IACxB,CAAC;IAED,OAAO;QACL,eAAe,EAAE,yBAAyB,CAAC,WAAW,CAAC;KACpC,CAAC;AACxB,CAAC"}

package/dist/audit/remoteAudit.d.ts

@@ -0,0 +1,3 @@
+import type { NpmAuditResponse } from "../types.js";
+export declare function remoteAudit(packageName: string, packageVersion: string): Promise<NpmAuditResponse>;
+//# sourceMappingURL=remoteAudit.d.ts.map

package/dist/audit/remoteAudit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"remoteAudit.d.ts","sourceRoot":"","sources":["../../src/audit/remoteAudit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAIpD,wBAAsB,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,6BAqB5E"}

package/dist/audit/remoteAudit.js

@@ -0,0 +1,24 @@
+const URL = "https://registry.npmjs.org/-/npm/v1/security/audits";
+export async function remoteAudit(packageName, packageVersion) {
+    const body = {
+        name: "example-audit", // 项目名字随便写
+        version: "1.0.0", // 项目的版本，随便写
+        requires: {
+            [packageName]: packageVersion,
+        },
+        dependencies: {
+            [packageName]: {
+                version: packageVersion,
+            },
+        },
+    };
+    const resp = await fetch(URL, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json",
+        },
+        body: JSON.stringify(body),
+    });
+    return (await resp.json());
+}
+//# sourceMappingURL=remoteAudit.js.map

package/dist/audit/remoteAudit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"remoteAudit.js","sourceRoot":"","sources":["../../src/audit/remoteAudit.ts"],"names":[],"mappings":"AAEA,MAAM,GAAG,GAAG,qDAAqD,CAAC;AAElE,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,WAAmB,EAAE,cAAsB;IAC3E,MAAM,IAAI,GAAG;QACX,IAAI,EAAE,eAAe,EAAE,UAAU;QACjC,OAAO,EAAE,OAAO,EAAE,YAAY;QAC9B,QAAQ,EAAE;YACR,CAAC,WAAW,CAAC,EAAE,cAAc;SAC9B;QACD,YAAY,EAAE;YACZ,CAAC,WAAW,CAAC,EAAE;gBACb,OAAO,EAAE,cAAc;aACxB;SACF;KACF,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAC5B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;KAC3B,CAAC,CAAC;IACH,OAAO,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAqB,CAAC;AACjD,CAAC"}

package/dist/generateLock/index.d.ts

@@ -0,0 +1,17 @@
+import type { PackageJsonInfo, PackageManager } from "../types.js";
+import type { RemoteWorkspaceInfo } from "../parseProject/parseWorkspace.js";
+interface GenerateLockOptions {
+    workDir: string;
+    packageJson: PackageJsonInfo;
+    subPackageInfos: RemoteWorkspaceInfo | null;
+    projectRoot: string;
+    currentPackageManager: PackageManager;
+}
+/**
+ * @Desc: 向工作目录添加package.json文件，然后生成lock文件
+ * @param {string} workDir 工作目录
+ * @param {Object} packageJson package.json文件内容
+ */
+export declare function generateLock(options: GenerateLockOptions): Promise<void>;
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/generateLock/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/generateLock/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACnE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAC;AAE7E,UAAU,mBAAmB;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,eAAe,CAAC;IAC7B,eAAe,EAAE,mBAAmB,GAAG,IAAI,CAAC;IAC5C,WAAW,EAAE,MAAM,CAAC;IACpB,qBAAqB,EAAE,cAAc,CAAC;CACvC;AAkLD;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,mBAAmB,iBAO9D"}