@coana-tech/cli 14.12.107 → 14.12.108

package/cli.mjs

@@ -250700,7 +250700,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.107";
+var version3 = "14.12.108";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.107",
+  "version": "14.12.108",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -110412,24 +110412,11 @@ function getMaxRoundsHeuristicOptions(maxRounds) {
 }
 function getOnlyPackagesInVulnPathsWithoutLeafPackagesHeuristicOptions(vulnerabilities) {
   return {
-    includePackages: computePackagesOnVulnPathExcludingVulnerablePackage(vulnerabilities)
+    includePackages: computePackagesOnVulnPath(vulnerabilities)
   };
 }
-function computePackagesOnVulnPathExcludingVulnerablePackage(vulnerabilities) {
-  const packagesToAnalyze = /* @__PURE__ */ new Set();
-  vulnerabilities.filter((v) => !v.vulnerabilityAccessPaths || typeof v.vulnerabilityAccessPaths !== "string").forEach((v) => {
-    const visitedIdentifiers = [];
-    const helper = (node) => {
-      if (node.children && node.children.length > 0)
-        packagesToAnalyze.add(node.packageName);
-      node.children?.filter((c) => !visitedIdentifiers.includes(c)).forEach((c) => {
-        visitedIdentifiers.push(c);
-        helper(v.vulnChainDetails.transitiveDependencies[c]);
-      });
-    };
-    helper(v.vulnChainDetails);
-  });
-  return [...packagesToAnalyze];
+function computePackagesOnVulnPath(vulnerabilities, { includeLeafPackages = false } = {}) {
+  return [...new Set(vulnerabilities.filter((v) => !v.vulnerabilityAccessPaths || typeof v.vulnerabilityAccessPaths !== "string").flatMap((v) => Object.values(v.vulnChainDetails?.transitiveDependencies ?? {}).filter((d) => includeLeafPackages || d.children?.length).map((d) => d.packageName)))];
 }
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/jelly-runner.js
@@ -110441,7 +110428,7 @@ var PRINT_JELLY_COMMAND = false;
 async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reachabilityAnalysisOptions, timeoutInSeconds, vulnerabilities, experiment) {
   const tmpFolder = await createTmpDirectory("jelly-analysis");
   try {
-    const filesToAnalyze = reachabilityAnalysisOptions.entryPoints ? reachabilityAnalysisOptions.entryPoints : [projectRoot];
+    const filesToAnalyze = reachabilityAnalysisOptions.entryPoints ?? [projectRoot];
     const jellyExecutable = ToolPathResolver.jellyPath;
     const vulnerabilitiesInJellyFormat = vulnerabilities.map((v) => ({
       osv: v,
@@ -110454,12 +110441,6 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
     const affectedPackagesFile = resolve14(tmpFolder, "affected-packages.json");
     const logFile = reachabilityAnalysisOptions.analysisLogFile ?? (reachabilityAnalysisOptions.printLogFile && resolve14(projectRoot, "js-analysis.log"));
     await writeFile6(vulnerabilitiesFile, JSON.stringify(vulnerabilitiesInJellyFormat));
-    let excludeEntries;
-    if (reachabilityAnalysisOptions.excludeDirs?.length) {
-      const excludeDirsRelativeToProjectRoot = reachabilityAnalysisOptions.excludeDirs.map((d) => relative6(projectRoot, resolve14(mainProjectRoot, d)));
-      const excludeDirsRelativeToProjectRootWithWildcards = excludeDirsRelativeToProjectRoot.map((d) => `${d}/**`);
-      excludeEntries = [...excludeDirsRelativeToProjectRoot, ...excludeDirsRelativeToProjectRootWithWildcards];
-    }
     const jellyCmd = cmdt`
       ${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${reachabilityAnalysisOptions.memoryLimitInMB ?? 8192}
         ${jellyExecutable}
@@ -110467,10 +110448,10 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
         --timeout ${timeoutInSeconds}
         --vulnerabilities ${vulnerabilitiesFile}
         --reachable-json ${affectedPackagesFile}
-        ${excludeEntries && ["--exclude-entries", ...excludeEntries]}
+        ${getExcludes(mainProjectRoot, projectRoot, reachabilityAnalysisOptions)}
         --diagnostics-json ${diagnosticsFile}
         --max-indirections=${jellyOptions.maxIndirections}
-        ${jellyOptions.includePackages && ["--include-packages", ...jellyOptions.includePackages]}
+        ${!!jellyOptions.includePackages?.length && ["--include-packages", ...jellyOptions.includePackages]}
         ${jellyOptions.approx && "--approx"}
         ${logFile ? ["--logfile", logFile] : []}
         --callstacks-json ${callStackFile}
@@ -110528,20 +110509,30 @@ async function runJellyPhantomDependencyAnalysis(projectRoot, options) {
     await rm2(tmpFolder, { recursive: true });
   }
 }
-async function runJellyImportReachabilityAnalysis(baseDir, projectDir, options) {
+async function runJellyImportReachabilityAnalysis(mainProjectRoot, projectRoot, vulnerabilities, options) {
   const tmpFolder = await createTmpDirectory("jelly-analysis");
   try {
-    const jellyExecutable = ToolPathResolver.jellyPath;
+    const includePackages = computePackagesOnVulnPath(vulnerabilities, { includeLeafPackages: true });
     const reachableModulesFile = resolve14(tmpFolder, "reachable-modules.json");
     const jellyCmd = cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${options.memoryLimitInMB}
-      ${jellyExecutable} --basedir ${baseDir} --modules-only
-        --reachable-json ${reachableModulesFile} ${projectDir}`;
+      ${ToolPathResolver.jellyPath} --basedir ${mainProjectRoot} --modules-only
+        ${!!includePackages.length && ["--include-packages", ...includePackages]}
+        ${getExcludes(mainProjectRoot, projectRoot, options)}
+        --reachable-json ${reachableModulesFile}
+        ${options.entryPoints ?? projectRoot}`;
     await runCommandResolveStdOut2(jellyCmd, void 0, { timeout: options.timeoutSeconds.allVulnRuns * 1e3 });
     return JSON.parse(await readFile8(reachableModulesFile, "utf-8"));
   } finally {
     await rm2(tmpFolder, { recursive: true });
   }
 }
+function getExcludes(mainProjectRoot, projectRoot, options) {
+  if (options.excludeDirs?.length) {
+    const excludeDirsRelativeToProjectRoot = options.excludeDirs.map((d) => relative6(projectRoot, resolve14(mainProjectRoot, d)));
+    const excludeDirsRelativeToProjectRootWithWildcards = excludeDirsRelativeToProjectRoot.map((d) => `${d}/**`);
+    return [...excludeDirsRelativeToProjectRoot, ...excludeDirsRelativeToProjectRootWithWildcards];
+  }
+}
 function relativizeSourceLocations(projectDir, paths) {
   return {
     ...paths,
@@ -112811,7 +112802,7 @@ var NpmAnalyzer = class {
       try {
         statusUpdater?.("Running import reachability analysis");
         logger.debug("Starting jelly import reachability analysis");
-        reachable = await runJellyImportReachabilityAnalysis(this.state.rootWorkingDir, this.projectDir, this.state.reachabilityAnalysisOptions);
+        reachable = await runJellyImportReachabilityAnalysis(this.state.rootWorkingDir, this.projectDir, vulns, this.state.reachabilityAnalysisOptions);
       } catch (e) {
         logger.debug("Error while running jelly import reachability analysis:", e);
       }

package/repos/coana-tech/jelly-private/dist/bundle/approx.js

@@ -7,11 +7,11 @@ import "./iterator-helpers-polyfill.js";
 import {
   require_hints,
   require_parser
-} from "./chunk-VD62II65.js";
+} from "./chunk-PAV2YSLW.js";
 import {
   require_proxy,
   require_sandbox
-} from "./chunk-GSPO4CLX.js";
+} from "./chunk-XJM6ACML.js";
 import {
   __commonJS,
   __name,
@@ -21,7 +21,7 @@ import {
   require_options,
   require_transform,
   require_util
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // lib/approx/approx.js
 var require_approx = __commonJS({

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-QVZRZ7F3.js → chunk-AO2BBATE.js}

@@ -10,7 +10,7 @@ import {
   __require,
   require_logger,
   require_options
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // node_modules/source-map/lib/base64.js
 var require_base64 = __commonJS({
@@ -224314,4 +224314,4 @@ typescript/lib/typescript.js:
   and limitations under the License.
   ***************************************************************************** *)
 */
-//# sourceMappingURL=chunk-QVZRZ7F3.js.map
+//# sourceMappingURL=chunk-AO2BBATE.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-VD62II65.js → chunk-PAV2YSLW.js}

@@ -14,7 +14,7 @@ import {
   require_options,
   require_tokens,
   require_util
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // lib/parsing/parser.js
 var require_parser = __commonJS({
@@ -516,4 +516,4 @@ export {
   require_patching,
   require_hints
 };
-//# sourceMappingURL=chunk-VD62II65.js.map
+//# sourceMappingURL=chunk-PAV2YSLW.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-LY4UAG7A.js → chunk-VDHMBLB5.js}

@@ -10924,6 +10924,16 @@ var require_logger2 = __commonJS({
     exports.default = logger;
     function setLogLevel(level) {
       logger.level = options_1.options.loglevel = level;
+      for (const lvl of Object.keys(colors)) {
+        const fnName = `is${lvl.charAt(0).toUpperCase() + lvl.slice(1)}Enabled`;
+        delete logger[fnName];
+        Object.defineProperty(logger, fnName, {
+          value: logger.isLevelEnabled(lvl) ? () => true : () => false,
+          writable: false,
+          configurable: true,
+          enumerable: false
+        });
+      }
     }
     __name(setLogLevel, "setLogLevel");
     function logToFile(file) {
@@ -19701,4 +19711,4 @@ fill-range/index.js:
    * Licensed under the MIT License.
    *)
 */
-//# sourceMappingURL=chunk-LY4UAG7A.js.map
+//# sourceMappingURL=chunk-VDHMBLB5.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-GSPO4CLX.js → chunk-XJM6ACML.js}

@@ -9,7 +9,7 @@ import {
   __name,
   __require,
   require_transform
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // lib/approx/proxy.js
 var require_proxy = __commonJS({
@@ -268,4 +268,4 @@ export {
   require_proxy,
   require_sandbox
 };
-//# sourceMappingURL=chunk-GSPO4CLX.js.map
+//# sourceMappingURL=chunk-XJM6ACML.js.map

package/repos/coana-tech/jelly-private/dist/bundle/hooks.js

@@ -6,10 +6,10 @@ import "./iterator-helpers-polyfill.js";
 
 import {
   require_moduleresolver
-} from "./chunk-QVZRZ7F3.js";
+} from "./chunk-AO2BBATE.js";
 import {
   require_sandbox
-} from "./chunk-GSPO4CLX.js";
+} from "./chunk-XJM6ACML.js";
 import {
   __commonJS,
   __name,
@@ -17,7 +17,7 @@ import {
   require_files,
   require_options,
   require_transform
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // lib/approx/hooks.js
 var require_hooks = __commonJS({

package/repos/coana-tech/jelly-private/dist/bundle/jelly.js

@@ -9,11 +9,11 @@ import {
   require_hints,
   require_parser,
   require_patching
-} from "./chunk-VD62II65.js";
+} from "./chunk-PAV2YSLW.js";
 import {
   require_moduleresolver,
   require_typescript
-} from "./chunk-QVZRZ7F3.js";
+} from "./chunk-AO2BBATE.js";
 import {
   __commonJS,
   __name,
@@ -37,7 +37,7 @@ import {
   require_tokens,
   require_transform,
   require_util
-} from "./chunk-LY4UAG7A.js";
+} from "./chunk-VDHMBLB5.js";
 
 // lib/misc/timer.js
 var require_timer = __commonJS({
@@ -4367,6 +4367,8 @@ var require_analyzer = __commonJS({
             }
             if (options_1.options.modulesOnly) {
               (0, modulefinder_1.findModules)(ast, solver.fragmentState, moduleInfo);
+              if (d.modules % 16 === 0)
+                a.timeoutTimer.checkTimeout();
             } else {
               const moduleParams = (0, extras_1.preprocessAst)(ast, moduleInfo);
               (0, logger_1.writeStdOutIfActive)("Initializing...");