@coana-tech/cli 14.12.16 → 14.12.19

package/cli.mjs

@@ -206082,7 +206082,7 @@ var NpmSocketUpgradeManager = class {
         this.rootDir,
         subprojectDir
       );
-      this.applySecurityFixesForSocketArtifacts(
+      await this.applySecurityFixesForSocketArtifacts(
         subprojectDir,
         fixingManager,
         artifacts,
@@ -224639,7 +224639,7 @@ var CoanaSupportedVulnerabilitiesDBInterface = class _CoanaSupportedVulnerabilit
   async upsertVulnerabilityPattern(ghsa, ecosystem, updateFields) {
     const advisory = ghsa;
     const _id = `${ghsa}-${ecosystem}`;
-    return this.vulnerabilitiesSupportedCollection.updateOne(
+    return await this.vulnerabilitiesSupportedCollection.updateOne(
       { _id },
       {
         $set: {
@@ -225672,7 +225672,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version2 = "14.12.16";
+var version2 = "14.12.19";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pick } = import_lodash15.default;
@@ -226517,7 +226517,7 @@ async function computeFixesAndUpgradePurls(path2, options, logFile) {
   if (computedFix.type !== "success") {
     throw new Error(`No fix found for the given vulnerabilities`);
   }
-  const ghsasFailedToFix = options.applyFixesTo.filter((ghsa) => {
+  const ghsasFailedToFix = Object.keys(ghsaToVulnerableArtifactIdsToApply).filter((ghsa) => {
     const artifactIds = ghsaToVulnerableArtifactIdsToApply[ghsa];
     if (!artifactIds)
       return false;
@@ -226550,7 +226550,7 @@ async function computeFixesAndUpgradePurls(path2, options, logFile) {
       concurrency: "1",
       globPattern: options.globPattern,
       rangeStyle: options.rangeStyle
-    }, autofixRunId) ?? "fixed-all";
+    }, void 0, autofixRunId) ?? "fixed-all";
     if (autofixRunId) {
       await getSocketAPI().finalizeAutofixRun(autofixRunId, ghsasFailedToFix.length === 0 && applyFixesStatus === "fixed-all" ? "fixed-all" : ghsasFailedToFix.length === Object.keys(ghsaToVulnerableArtifactIdsToApply).length || applyFixesStatus === "fixed-none" ? "fixed-none" : "fixed-some");
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.16",
+  "version": "14.12.19",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -73725,12 +73725,6 @@ async function asyncForEach(array, fn, concurrency = 1) {
   }
   await Promise.all(Array.from({ length: concurrency }, async () => worker()));
 }
-async function applySeries(arr, fn) {
-  let i2 = 0;
-  for (const item of arr) {
-    await fn(item, i2++);
-  }
-}
 async function asyncFilter(arr, predicate, concurrency = 1) {
   const results = await asyncMap(arr, predicate, concurrency);
   return arr.filter((_v, index2) => results[index2]);
@@ -74383,20 +74377,6 @@ async function withTmpDirectory(prefix, fn, deleteTmpDir = true) {
 
 // ../web-compat-utils/src/vuln-chain-detail-utils.ts
 var ROOT_NODE_STR = "";
-function computeParentsMap(d) {
-  const parentsMap = /* @__PURE__ */ new Map();
-  const addToMap = (children2, id) => {
-    children2?.forEach((dep) => {
-      if (!parentsMap.has(dep)) parentsMap.set(dep, []);
-      parentsMap.get(dep).push(id);
-    });
-  };
-  for (const [id, node] of Object.entries(d.transitiveDependencies)) {
-    addToMap(node.children, id);
-  }
-  addToMap(d.children, ROOT_NODE_STR);
-  return parentsMap;
-}
 
 // dist/whole-program-code-aware-vulnerability-scanner/code-aware-vulnerability-scanner.js
 var import_lodash13 = __toESM(require_lodash(), 1);
@@ -88577,130 +88557,6 @@ async function convertSocketArtifacts2(artifacts, tmpDir) {
   return deps;
 }
 
-// dist/whole-program-code-aware-vulnerability-scanner/js/jelly-runner.js
-var import_lodash9 = __toESM(require_lodash(), 1);
-import { readFile as readFile7, rm as rm2, writeFile as writeFile5 } from "fs/promises";
-import { relative as relative4, resolve as resolve6 } from "path";
-var { map: map2, uniq: uniq4 } = import_lodash9.default;
-var PRINT_JELLY_COMMAND = false;
-async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reachabilityAnalysisOptions, vulnerabilities, experiment) {
-  const tmpFolder = await createTmpDirectory("jelly-analysis");
-  try {
-    const filesToAnalyze = reachabilityAnalysisOptions.entryPoints ? reachabilityAnalysisOptions.entryPoints : [projectRoot];
-    const jellyExecutable = resolve6(COANA_REPOS_PATH(), "jelly-private", "dist", "bundle", "jelly.js");
-    const vulnerabilitiesInJellyFormat = vulnerabilities.map((v) => ({
-      osv: v,
-      patterns: v.vulnerabilityAccessPaths.map((p) => experiment === "AUGMENT_IMPORT_PATHS_EXPERIMENT" ? p.replace(">", "/**>") : p)
-      // Repalce > with /**> to ensure Jelly also matches call <PKG/dist/index.js>.foo for pattern <PKG>.foo
-    }));
-    const vulnerabilitiesFile = resolve6(tmpFolder, "vulnerabilities.json");
-    const diagnosticsFile = resolve6(tmpFolder, "diagnostics.json");
-    const matchesFile = resolve6(tmpFolder, "matches.json");
-    const callStackFile = resolve6(tmpFolder, "call-stacks.json");
-    const logFile = reachabilityAnalysisOptions.analysisLogFile ?? (reachabilityAnalysisOptions.printLogFile && resolve6(projectRoot, "js-analysis.log"));
-    await writeFile5(vulnerabilitiesFile, JSON.stringify(vulnerabilitiesInJellyFormat));
-    let excludeEntries;
-    if (reachabilityAnalysisOptions.excludeDirs?.length) {
-      const excludeDirsRelativeToProjectRoot = reachabilityAnalysisOptions.excludeDirs.map((d) => relative4(projectRoot, resolve6(mainProjectRoot, d)));
-      const excludeDirsRelativeToProjectRootWithWildcards = excludeDirsRelativeToProjectRoot.map((d) => `${d}/**`);
-      excludeEntries = [...excludeDirsRelativeToProjectRoot, ...excludeDirsRelativeToProjectRootWithWildcards];
-    }
-    const jellyCmd = [
-      "node",
-      `--max-old-space-size=${reachabilityAnalysisOptions.memoryLimitInMB ?? 8192}`,
-      jellyExecutable,
-      "--basedir",
-      mainProjectRoot,
-      "--timeout",
-      "" + (reachabilityAnalysisOptions.timeoutInSeconds ?? 60),
-      "--vulnerabilities",
-      vulnerabilitiesFile,
-      ...excludeEntries ? ["--exclude-entries", ...excludeEntries] : [],
-      "--diagnostics-json",
-      diagnosticsFile,
-      ...jellyOptions.maxIndirections ? ["--max-indirections", "" + jellyOptions.maxIndirections] : [],
-      ...jellyOptions.includePackages ? ["--include-packages", ...jellyOptions.includePackages] : [],
-      ...jellyOptions.approx ? ["--approx"] : [],
-      ...logFile ? ["--logfile", logFile] : [],
-      "--matches-file",
-      matchesFile,
-      "--vulnerabilities-callstacks",
-      callStackFile,
-      ...filesToAnalyze
-    ];
-    if (PRINT_JELLY_COMMAND)
-      logger.info("Jelly command:", jellyCmd.join(" "));
-    await runCommandResolveStdOut(
-      jellyCmd,
-      void 0,
-      // If it is an experimental run, make sure to crash the process if Jelly takes more than 50% longer than the timeout.
-      // This is done to mitigate the scenario where the Jelly process gets close to the memory limit and thus ends up spending most of its time on garbage collection, which can increase the time between timeout checks dramatically.
-      experiment && reachabilityAnalysisOptions.timeoutInSeconds ? { timeout: reachabilityAnalysisOptions.timeoutInSeconds * 1e3 * 1.5 } : void 0
-    );
-    if (reachabilityAnalysisOptions.printLogFile)
-      logger.info("JS analysis log file:", await readFile7(logFile, "utf-8"));
-    const analysisDiagnostics = JSON.parse(await readFile7(diagnosticsFile, "utf-8"));
-    analysisDiagnostics.time = analysisDiagnostics.analysisTime;
-    delete analysisDiagnostics.analysisTime;
-    analysisDiagnostics.timings = {
-      analysisTime: analysisDiagnostics.time,
-      patternMatchingTime: analysisDiagnostics.patternMatchingTime
-    };
-    const callStacks = JSON.parse(await readFile7(callStackFile, "utf-8"));
-    const matches = {};
-    for (const { vulnerability, paths } of callStacks) {
-      const transformedStacks = transformJellyCallStacks(projectRoot, paths);
-      if (matches[vulnerability.osv.url]) {
-        matches[vulnerability.osv.url].stacks.push(...transformedStacks.stacks);
-      } else
-        matches[vulnerability.osv.url] = transformedStacks;
-    }
-    return {
-      matches,
-      analysisDiagnostics
-    };
-  } finally {
-    await rm2(tmpFolder, { recursive: true });
-  }
-}
-async function runJellyPhantomDependencyAnalysis(projectRoot) {
-  const tmpFolder = await createTmpDirectory("jelly-analysis");
-  try {
-    const jellyExecutable = resolve6(COANA_REPOS_PATH(), "jelly-private", "dist", "bundle", "jelly.js");
-    const reachablePackagesFile = resolve6(tmpFolder, "reachable-packages.json");
-    const jellyCmd = [
-      "node",
-      jellyExecutable,
-      "--basedir",
-      projectRoot,
-      "--modules-only",
-      "--ignore-dependencies",
-      "--reachable-packages-file",
-      reachablePackagesFile,
-      projectRoot
-    ];
-    await runCommandResolveStdOut(jellyCmd);
-    return JSON.parse(await readFile7(reachablePackagesFile, "utf-8"));
-  } finally {
-    await rm2(tmpFolder, { recursive: true });
-  }
-}
-function relativizeSourceLocations(projectDir, paths) {
-  return {
-    ...paths,
-    stacks: paths.stacks.map((stack) => stack.map((s2) => ({
-      ...s2,
-      sourceLocation: { ...s2.sourceLocation, filename: relative4(projectDir, s2.sourceLocation.filename) }
-    })))
-  };
-}
-function transformJellyCallStacks(projectRoot, paths) {
-  return {
-    ...relativizeSourceLocations(projectRoot, paths),
-    affectedPackages: uniq4(paths.stacks.flatMap((stack) => map2(stack, "package")))
-  };
-}
-
 // dist/whole-program-code-aware-vulnerability-scanner/js/js-code-aware-vulnerability-scanner.js
 import { mkdtempSync } from "fs";
 import { cp as cp3, mkdir as mkdir7, rm as rm3, writeFile as writeFile6 } from "fs/promises";
@@ -88708,11 +88564,11 @@ import { tmpdir as tmpdir2 } from "os";
 import { join as join16 } from "path";
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/dependency-preparation.js
-var import_lodash10 = __toESM(require_lodash(), 1);
+var import_lodash9 = __toESM(require_lodash(), 1);
 import { existsSync as existsSync8 } from "fs";
 import { mkdir as mkdir6, symlink } from "fs/promises";
 import { availableParallelism } from "os";
-import { dirname as dirname9, resolve as resolve8 } from "path";
+import { dirname as dirname9, resolve as resolve7 } from "path";
 
 // ../../node_modules/.pnpm/@isaacs+fs-minipass@4.0.1/node_modules/@isaacs/fs-minipass/dist/esm/index.js
 import EE from "events";
@@ -93350,7 +93206,7 @@ var mkdirpNative = Object.assign(async (path9, options) => {
 }, { sync: mkdirpNativeSync });
 
 // ../../node_modules/.pnpm/mkdirp@3.0.1/node_modules/mkdirp/dist/mjs/path-arg.js
-import { parse as parse13, resolve as resolve7 } from "path";
+import { parse as parse13, resolve as resolve6 } from "path";
 var platform3 = process.env.__TESTING_MKDIRP_PLATFORM__ || process.platform;
 var pathArg = (path9) => {
   if (/\0/.test(path9)) {
@@ -93359,7 +93215,7 @@ var pathArg = (path9) => {
       code: "ERR_INVALID_ARG_VALUE"
     });
   }
-  path9 = resolve7(path9);
+  path9 = resolve6(path9);
   if (platform3 === "win32") {
     const badWinChars = /[*|"<>?:]/;
     const { root: root3 } = parse13(path9);
@@ -94704,12 +94560,12 @@ var mtimeFilter = (opt) => {
 };
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/dependency-preparation.js
-var { chunk } = import_lodash10.default;
+var { chunk } = import_lodash9.default;
 async function prepareNpmDependencies(subprojectDir, workspaceDir, artifactIdToArtifact, directDependencies, packageNamesToInstall) {
-  if (existsSync8(resolve8(subprojectDir, "node_modules")))
+  if (existsSync8(resolve7(subprojectDir, "node_modules")))
     return { failedPackages: [], installedPackages: [] };
   return await withTmpDirectory("npm-packages", async (tmpDir) => {
-    const dirToInstallDependencies = resolve8(subprojectDir, "node_modules", ".jelly");
+    const dirToInstallDependencies = resolve7(subprojectDir, "node_modules", ".jelly");
     const transitiveDependenciesToInstall = Object.fromEntries(Object.entries(artifactIdToArtifact).filter(([_, dep]) => packageNamesToInstall.includes(getPackageName(dep))).map(([depId, dep]) => [depId, { ...dep }]));
     const { installedPackages, failedPackages } = await downloadDependenciesToDir(Object.values(transitiveDependenciesToInstall), tmpDir);
     const augmentedInstalledPackages = await extractDownloadedDependenciesToDir(dirToInstallDependencies, tmpDir, installedPackages);
@@ -94742,7 +94598,7 @@ async function downloadDependenciesToDir(dependenciesToInstall, tmpDir) {
           })}`, tmpDir);
           const npmPackRes = JSON.parse(stdout);
           chunk2.forEach((dep, idx) => {
-            dep.tarFileName = resolve8(tmpDir, npmPackRes[idx].filename);
+            dep.tarFileName = resolve7(tmpDir, npmPackRes[idx].filename);
           });
           installedPackages.push(...chunk2);
         } catch (e) {
@@ -94771,8 +94627,8 @@ function getPackageName(dep) {
 }
 async function extractDownloadedDependenciesToDir(dirToInstallDependencies, tmpDir, dependenciesToInstall) {
   return await asyncMap(dependenciesToInstall, async (dep) => {
-    const tgzPath = resolve8(tmpDir, dep.tarFileName);
-    const dependencyDir = resolve8(dirToInstallDependencies, `${dep.version ? `${getPackageName(dep)}@${dep.version}` : getPackageName(dep)}`.replace("/", "+"), "node_modules", "aliasName" in dep && dep.aliasName ? dep.aliasName : getPackageName(dep));
+    const tgzPath = resolve7(tmpDir, dep.tarFileName);
+    const dependencyDir = resolve7(dirToInstallDependencies, `${dep.version ? `${getPackageName(dep)}@${dep.version}` : getPackageName(dep)}`.replace("/", "+"), "node_modules", "aliasName" in dep && dep.aliasName ? dep.aliasName : getPackageName(dep));
     await mkdir6(dependencyDir, { recursive: true });
     await extract({ file: tgzPath, cwd: dependencyDir, stripComponents: 1 });
     dep.installedPath = dependencyDir;
@@ -94787,7 +94643,7 @@ async function createSymlinksForDependenciesInRootDir(workspaceDir, dependencies
     const aliasName = "aliasName" in dependencyToInstall ? dependencyToInstall.aliasName : void 0;
     if (directDependencyNameToInfo[packageName] && directDependencyNameToInfo[packageName].version !== version3)
       continue;
-    const pathToCreateSymlinkFrom = resolve8(workspaceDir, "node_modules", aliasName ?? packageName);
+    const pathToCreateSymlinkFrom = resolve7(workspaceDir, "node_modules", aliasName ?? packageName);
     if (existsSync8(pathToCreateSymlinkFrom))
       continue;
     await mkdir6(dirname9(pathToCreateSymlinkFrom), { recursive: true });
@@ -94801,7 +94657,7 @@ async function createSymlinksForEachDependency(dependencyInfosForDependenciesToI
       const pathToCreateSymlinkTo = dep.installedPath;
       if (!existsSync8(pathToCreateSymlinkTo))
         continue;
-      const pathToCreateSymlinkFrom = resolve8(depInfo.installedPath, "..", "aliasName" in dep && dep.aliasName !== void 0 ? dep.aliasName : getPackageName(dep));
+      const pathToCreateSymlinkFrom = resolve7(depInfo.installedPath, "..", "aliasName" in dep && dep.aliasName !== void 0 ? dep.aliasName : getPackageName(dep));
       if (existsSync8(pathToCreateSymlinkFrom))
         continue;
       await mkdir6(dirname9(pathToCreateSymlinkFrom), { recursive: true });
@@ -94928,6 +94784,122 @@ function computePackagesOnVulnPathExcludingVulnerablePackage(vulnerabilities) {
   return [...packagesToAnalyze];
 }
 
+// dist/whole-program-code-aware-vulnerability-scanner/js/jelly-runner.js
+var import_lodash10 = __toESM(require_lodash(), 1);
+import { readFile as readFile7, rm as rm2, writeFile as writeFile5 } from "fs/promises";
+import { relative as relative4, resolve as resolve8 } from "path";
+var { map: map2, uniq: uniq4 } = import_lodash10.default;
+var PRINT_JELLY_COMMAND = false;
+async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reachabilityAnalysisOptions, vulnerabilities, experiment) {
+  const tmpFolder = await createTmpDirectory("jelly-analysis");
+  try {
+    const filesToAnalyze = reachabilityAnalysisOptions.entryPoints ? reachabilityAnalysisOptions.entryPoints : [projectRoot];
+    const jellyExecutable = resolve8(COANA_REPOS_PATH(), "jelly-private", "dist", "bundle", "jelly.js");
+    const vulnerabilitiesInJellyFormat = vulnerabilities.map((v) => ({
+      osv: v,
+      patterns: v.vulnerabilityAccessPaths.map((p) => experiment === "AUGMENT_IMPORT_PATHS_EXPERIMENT" ? p.replace(">", "/**>") : p)
+      // Replace > with /**> to ensure Jelly also matches call <PKG/dist/index.js>.foo for pattern <PKG>.foo
+    }));
+    const vulnerabilitiesFile = resolve8(tmpFolder, "vulnerabilities.json");
+    const diagnosticsFile = resolve8(tmpFolder, "diagnostics.json");
+    const matchesFile = resolve8(tmpFolder, "matches.json");
+    const callStackFile = resolve8(tmpFolder, "call-stacks.json");
+    const logFile = reachabilityAnalysisOptions.analysisLogFile ?? (reachabilityAnalysisOptions.printLogFile && resolve8(projectRoot, "js-analysis.log"));
+    await writeFile5(vulnerabilitiesFile, JSON.stringify(vulnerabilitiesInJellyFormat));
+    let excludeEntries;
+    if (reachabilityAnalysisOptions.excludeDirs?.length) {
+      const excludeDirsRelativeToProjectRoot = reachabilityAnalysisOptions.excludeDirs.map((d) => relative4(projectRoot, resolve8(mainProjectRoot, d)));
+      const excludeDirsRelativeToProjectRootWithWildcards = excludeDirsRelativeToProjectRoot.map((d) => `${d}/**`);
+      excludeEntries = [...excludeDirsRelativeToProjectRoot, ...excludeDirsRelativeToProjectRootWithWildcards];
+    }
+    const jellyCmd = [
+      "node",
+      `--max-old-space-size=${reachabilityAnalysisOptions.memoryLimitInMB ?? 8192}`,
+      jellyExecutable,
+      "--basedir",
+      mainProjectRoot,
+      "--timeout",
+      "" + (reachabilityAnalysisOptions.timeoutInSeconds ?? 60),
+      "--vulnerabilities",
+      vulnerabilitiesFile,
+      ...excludeEntries ? ["--exclude-entries", ...excludeEntries] : [],
+      "--diagnostics-json",
+      diagnosticsFile,
+      ...jellyOptions.maxIndirections ? ["--max-indirections", "" + jellyOptions.maxIndirections] : [],
+      ...jellyOptions.includePackages ? ["--include-packages", ...jellyOptions.includePackages] : [],
+      ...jellyOptions.approx ? ["--approx"] : [],
+      ...logFile ? ["--logfile", logFile] : [],
+      "--matches-file",
+      matchesFile,
+      "--vulnerabilities-callstacks",
+      callStackFile,
+      ...filesToAnalyze
+    ];
+    if (PRINT_JELLY_COMMAND)
+      logger.info("Jelly command:", jellyCmd.join(" "));
+    await runCommandResolveStdOut(
+      jellyCmd,
+      void 0,
+      // If it is an experimental run, make sure to crash the process if Jelly takes more than 50% longer than the timeout.
+      // This is done to mitigate the scenario where the Jelly process gets close to the memory limit and thus ends up spending most of its time on garbage collection, which can increase the time between timeout checks dramatically.
+      experiment && reachabilityAnalysisOptions.timeoutInSeconds ? { timeout: reachabilityAnalysisOptions.timeoutInSeconds * 1e3 * 1.5 } : void 0
+    );
+    if (reachabilityAnalysisOptions.printLogFile)
+      logger.info("JS analysis log file:", await readFile7(logFile, "utf-8"));
+    const analysisDiagnostics = JSON.parse(await readFile7(diagnosticsFile, "utf-8"));
+    analysisDiagnostics.time = analysisDiagnostics.analysisTime;
+    delete analysisDiagnostics.analysisTime;
+    analysisDiagnostics.timings = {
+      analysisTime: analysisDiagnostics.time,
+      patternMatchingTime: analysisDiagnostics.patternMatchingTime
+    };
+    const callStacks = JSON.parse(await readFile7(callStackFile, "utf-8"));
+    const matches = {};
+    for (const { vulnerability, paths } of callStacks) {
+      const transformedStacks = transformJellyCallStacks(projectRoot, paths);
+      if (matches[vulnerability.osv.url]) {
+        matches[vulnerability.osv.url].stacks.push(...transformedStacks.stacks);
+      } else
+        matches[vulnerability.osv.url] = transformedStacks;
+    }
+    return {
+      matches,
+      analysisDiagnostics
+    };
+  } finally {
+    await rm2(tmpFolder, { recursive: true });
+  }
+}
+async function runJellyPhantomDependencyAnalysis(projectRoot, options) {
+  const tmpFolder = await createTmpDirectory("jelly-analysis");
+  try {
+    const jellyExecutable = resolve8(COANA_REPOS_PATH(), "jelly-private", "dist", "bundle", "jelly.js");
+    const reachablePackagesFile = resolve8(tmpFolder, "reachable-packages.json");
+    const jellyCmd = cmdt`node --max-old-space-size=${options.memoryLimitInMB}
+      ${jellyExecutable} --basedir ${projectRoot} --modules-only --ignore-dependencies
+        --reachable-packages-file ${reachablePackagesFile} ${projectRoot}`;
+    await runCommandResolveStdOut(jellyCmd);
+    return JSON.parse(await readFile7(reachablePackagesFile, "utf-8"));
+  } finally {
+    await rm2(tmpFolder, { recursive: true });
+  }
+}
+function relativizeSourceLocations(projectDir, paths) {
+  return {
+    ...paths,
+    stacks: paths.stacks.map((stack) => stack.map((s2) => ({
+      ...s2,
+      sourceLocation: { ...s2.sourceLocation, filename: relative4(projectDir, s2.sourceLocation.filename) }
+    })))
+  };
+}
+function transformJellyCallStacks(projectRoot, paths) {
+  return {
+    ...relativizeSourceLocations(projectRoot, paths),
+    affectedPackages: uniq4(paths.stacks.flatMap((stack) => map2(stack, "package")))
+  };
+}
+
 // dist/whole-program-code-aware-vulnerability-scanner/js/js-code-aware-vulnerability-scanner.js
 var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
   mainProjectDir;
@@ -94969,7 +94941,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
         computeDetectedOccurrences: ({ url: url2 }) => transformSourceLocations3(matches[url2] ?? [])
       };
     } catch (e) {
-      logger.error("Error while running analysis: ", e.stack);
+      logger.debug("Error while running analysis: ", e.stack);
       return { type: "error", message: e.message };
     } finally {
       this.numberAnalysesRun++;
@@ -96575,10 +96547,13 @@ ${errors.join("\n")}`);
         var trunc = trunc2;
         const exc = e;
         msg = util5.format("Error running mambalade:\n%O\nStdout:\n%s\nStderr:\n%s", pick(exc, ["code", "signal"]), trunc2(exc.stdout), trunc2(exc.stderr));
-        if (exc.signal ?? (exc.stderr.endsWith("MemoryError\n") || exc.stderr.includes("OSError: [Errno 12] Cannot allocate memory")))
+        if (exc.signal ?? (exc.stderr.endsWith("MemoryError\n") || exc.stderr.includes("OSError: [Errno 12] Cannot allocate memory"))) {
           msg = `Mambalade ran out of memory:
 ${msg}`;
-        logger.error(msg);
+          logger.debug(msg);
+        } else {
+          logger.error(msg);
+        }
       } else
         logger.error("Unexpected error:", e);
       return { type: "error", message: msg };
@@ -97449,9 +97424,9 @@ var NpmAnalyzer = class {
   }
   async runPhantomDependencyAnalysis() {
     try {
-      return (await runJellyPhantomDependencyAnalysis(this.projectDir)).map((r) => r.name);
+      return (await runJellyPhantomDependencyAnalysis(this.projectDir, this.state.reachabilityAnalysisOptions)).map((r) => r.name);
     } catch (e) {
-      console.error(e);
+      logger.debug("Error while running jelly phantom dependency analysis: ", e);
     }
   }
   async runReachabilityAnalysis(vulns, analysisMetadataCollector, statusUpdater) {
@@ -97518,46 +97493,6 @@ var RustAnalyzer = class {
   }
 };
 
-// dist/apply-precomputed-reachability-results.js
-async function addPrecomputedResultsToVulnerabilities(analyzer, vulnerabilities) {
-  const phantomDependencies = await analyzer.runPhantomDependencyAnalysis();
-  if (!phantomDependencies)
-    return;
-  await applySeries(vulnerabilities, async (v) => {
-    const dismissVulnerability = canDismissVulnerability(phantomDependencies, v.vulnChainDetails);
-    v.unreachableByPrecomputation = dismissVulnerability ? "YES" : "NO";
-  });
-}
-function canDismissVulnerability(phantomDependencies, vulnChainDetails) {
-  const parentsMap = computeParentsMap(vulnChainDetails);
-  const [vulnNodeIdentifier] = Object.entries(vulnChainDetails.transitiveDependencies).find(([_identifier, node]) => node.vulnerable);
-  let canDismiss = true;
-  const recHelper = (nodeIdentifier, depth) => {
-    if (depth === 0)
-      return void 0;
-    const parents3 = parentsMap.get(nodeIdentifier).filter((parent2) => parent2 !== ROOT_NODE_STR);
-    const thisReachabilityPrecomp = nodeIdentifier === vulnNodeIdentifier ? "Reachable" : vulnChainDetails.transitiveDependencies[nodeIdentifier].reachabilityPrecomp;
-    if (!thisReachabilityPrecomp)
-      return void 0;
-    const thisMayReachVulnerableNode = ["Reachable", "Unknown"].includes(thisReachabilityPrecomp);
-    if (parents3.length === 0 && thisMayReachVulnerableNode) {
-      canDismiss = false;
-    }
-    if (parents3) {
-      const parentsReachabilityPrecomp = parents3.map((p) => recHelper(p, depth - 1));
-      if (parentsReachabilityPrecomp.some((reachabilityPrecomp) => !reachabilityPrecomp) && thisMayReachVulnerableNode) {
-        canDismiss = false;
-      }
-    }
-    if (thisMayReachVulnerableNode && phantomDependencies.includes(nodeIdentifier)) {
-      canDismiss = false;
-    }
-    return thisReachabilityPrecomp;
-  };
-  recHelper(vulnNodeIdentifier, 5);
-  return canDismiss;
-}
-
 // dist/main.js
 var { partition: partition3 } = import_lodash19.default;
 var ecosystemAnalyzer = {
@@ -97578,10 +97513,6 @@ async function runReachabilityAnalysis(state) {
   if (!constructor)
     throw Error(`No analyzer associated with ecosystem ${ecosystem}`);
   const analyzer = new constructor(state, projectDir);
-  try {
-    await addPrecomputedResultsToVulnerabilities(analyzer, state.vulnerabilities);
-  } catch (e) {
-  }
   const [vulnerabilitiesWithPrecomputedResults, vulnerabilitiesWithoutPrecomputedResults] = partition3(state.vulnerabilities, (v) => "results" in v);
   const augmentedVulnerabilities = await runWholeProgramCodeAwareVulnerabilityScanner(analyzer, vulnerabilitiesWithoutPrecomputedResults, async (amd) => {
     await dashboardAPI2.registerAnalysisMetadata(relative6(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, state.workspaceData.data.type, amd, COANA_REPORT_ID, apiKey2);