@coana-tech/cli 14.12.177 → 14.12.179

package/cli.mjs

@@ -251427,7 +251427,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "14.12.177";
+var version3 = "14.12.179";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;
@@ -252435,7 +252435,7 @@ async function writeAnalysisDebugInfo(outputFilePath, ecosystemToWorkspaceToVuln
 handleNexeBinaryMode();
 var program2 = new Command();
 var run2 = new Command();
-run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--skip-cache-usage", "Do not attempt to use cached analysis configuration from previous runs", false).option("--lazy-mode", "Enable lazy analysis mode for JavaScript/TypeScript. This can significantly speed up analysis by only analyzing code that is actually relevant for the vulnerabilities being analyzed.", false).addOption(new Option("--min-severity <severity>", "Set the minimum severity of vulnerabilities to analyze. Supported severities are info, low, moderate, high and critical.").choices(["info", "INFO", "low", "LOW", "moderate", "MODERATE", "high", "HIGH", "critical", "CRITICAL"])).option("--use-unreachable-from-precomputation", "Skip the reachability analysis for vulnerabilities that are already known to be unreachable from the precomputed reachability analysis (Tier 2).", false).addOption(new Option("--use-only-pregenerated-sboms", "Only include artifacts that have CDX or SPDX files in their manifest files.").default(false).hideHelp()).version(version3).configureHelp({ sortOptions: true }).action(async (path9, options) => {
+run2.name("run").argument("<path>", "File system path to folder containing the project").option("-o, --output-dir <path>", "Write json report to <path>/coana-report.json").option("-d, --debug", "Enable debug logging", false).option("-s, --silent", "Silence all debug/warning output", false).option("--silent-spinner", "Silence spinner", "CI" in process.env || !process.stdin.isTTY).option("-p, --print-report", "Print the report to the console", false).option("--offline-database <path>", "Path to a coana-offline-db.json file for running the CLI without internet connectivity", void 0).option("-t, --timeout <timeout>", "Set API <timeout> in milliseconds to Coana backend.", "300000").option("-a, --analysis-timeout <timeout>", "Set <timeout> in seconds for each reachability analysis run").option("--memory-limit <memoryInMB>", "Set memory limit for analysis to <memoryInMB> megabytes of memory.", "8192").option("-c, --concurrency <concurrency>", "Set the maximum number of concurrent reachability analysis runs. It's recommended to choose a concurrency level that ensures that each analysis run has at least the --memory-limit amount of memory available. NPM reachability analysis does not support concurrent execution, so the concurrency level is ignored for NPM.", "1").option("--api-key <key>", "Set the Coana dashboard API key. By setting you also enable the dashboard integration.").addOption(new Option("--write-report-to-file", "Write the report dashboard-compatible report to dashboard-report.json. This report may help the Coana team debug issues with the report insertion mechanism.").default(false).hideHelp()).option("--project-name <repoName>", "Set the name of the repository. Used for dashboard integration.").option("--repo-url <repoUrl>", "Set the URL of the repository. Used for dashboard integration.").option("--include-dirs <relativeDirs...>", "globs for directories to include from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, projects that are not included may still be scanned if they are referenced from included projects.").option("--exclude-dirs <relativeDirs...>", "globs for directories to exclude from the detection of subprojects (space-separated)(use relative paths from the project root). Notice, excluded projects may still be scanned if they are referenced from non-excluded projects.").option("--disable-analysis-splitting", "Limits Coana to at most 1 reachability analysis run per workspace").option("--print-analysis-log-file", "Store log output from the JavaScript/TypeScript reachability analysis in the file js-analysis.log file in the root of each workspace", false).option("--entry-points <entryPoints...>", "List of files to analyze for root workspace. The reachability analysis automatically analyzes all files used by the entry points. If not provided, all JavaScript and TypeScript files are considered entry points. For non-root workspaces, all JavaScript and TypeScript files are analyzed as well.").option("--include-projects-with-no-reachability-support", "Also runs Coana on projects where we support traditional SCA, but does not yet support reachability analysis.", false).option("--ecosystems <ecosystems...>", "List of ecosystems to analyze (space-separated). Currently NPM, PIP, MAVEN, NUGET and GO are supported. Default is all supported ecosystems.").addOption(new Option("--purl-types <purlTypes...>", "List of PURL types to analyze (space-separated). Currently npm, pypi, maven, nuget, golang and cargo are supported. Default is all supported purl types.").hideHelp()).option("--changed-files <files...>", "List of files that have changed. If provided, Coana only analyzes workspaces and modules that contain changed files.").option("--disable-report-submission", "Disable the submission of the report to the Coana dashboard. Used by the pipeline blocking feature.", false).option("--disable-analytics-sharing", "Disable analytics sharing.", false).option("--provider-project <path>", "File system path to folder containing the provider project (Only supported for Maven, Gradle, and SBT)").option("--provider-workspaces <dirs...>", "List of workspaces that build the provided runtime environment (Only supported for Maven, Gradle, and SBT)", (paths) => paths.split(" ")).option("--lightweight-reachability", "Runs Coana in lightweight mode. This increases analysis speed but also raises the risk of Coana misclassifying the reachability of certain complex vulnerabilities. Recommended only for use with Coana Guardrail mode.", false).addOption(new Option("--run-without-docker", "Run package managers and reachability analyzers without using docker").default(process.env.RUN_WITHOUT_DOCKER === "true").hideHelp()).addOption(new Option("--run-env <env>", "Specifies the environment in which the CLI is run. So far only MANAGED_SCAN and UNKNOWN are supported.").default("UNKNOWN").choices(["UNKNOWN", "MANAGED_SCAN"]).hideHelp()).addOption(new Option("--guardrail-mode", "Run Coana in guardrail mode. This mode is used to prevent new reachable vulnerabilities from being introduced into the codebase. Usually run as a CI check when pushing new commits to a pull request.")).option("--ignore-failing-workspaces", "Continue processing when a workspace fails instead of exiting. Failed workspaces will be logged at termination.", false).addOption(new Option("--socket-mode <output-file>", "Run Coana in socket mode and write report to <output-file>").hideHelp()).addOption(new Option("--manifests-tar-hash <hash>", "Hash of the tarball containing all manifest files already uploaded to Socket. If provided, Socket will be used for computing dependency trees.").hideHelp()).option("--skip-cache-usage", "Do not attempt to use cached analysis configuration from previous runs", false).addOption(new Option("--lazy-mode", "Enable lazy analysis mode for JavaScript/TypeScript. This can significantly speed up analysis by only analyzing code that is actually relevant for the vulnerabilities being analyzed.").default(false).hideHelp()).addOption(new Option("--min-severity <severity>", "Set the minimum severity of vulnerabilities to analyze. Supported severities are info, low, moderate, high and critical.").choices(["info", "INFO", "low", "LOW", "moderate", "MODERATE", "high", "HIGH", "critical", "CRITICAL"])).option("--use-unreachable-from-precomputation", "Skip the reachability analysis for vulnerabilities that are already known to be unreachable from the precomputed reachability analysis (Tier 2).", false).addOption(new Option("--use-only-pregenerated-sboms", "Only include artifacts that have CDX or SPDX files in their manifest files.").default(false).hideHelp()).version(version3).configureHelp({ sortOptions: true }).action(async (path9, options) => {
   process.env.DOCKER_IMAGE_TAG ??= version3;
   options.ecosystems = options.ecosystems?.map((e) => e.toUpperCase());
   options.minSeverity = options.minSeverity?.toUpperCase();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "14.12.177",
+  "version": "14.12.179",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -110952,13 +110952,13 @@ function convertToArtifactForInstallation(dep) {
 }
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/heuristics.js
-var largeIndirectionBoundOptions = {
-  maxIndirections: 1024
+var lazyIndirectionBoundOptions = {
+  maxIndirections: 5
 };
 var AllPackagesHeuristic = {
   // Analyzing all packages disregarding what vulnerabilities affect the project being analyzed
   name: "ALL_PACKAGES",
-  getOptions: () => largeIndirectionBoundOptions,
+  getOptions: () => lazyIndirectionBoundOptions,
   splitAnalysisInBuckets: false
 };
 var OnlyVulnPathPackagesExceptVulnerablePackageHeuristic = {
@@ -110996,7 +110996,7 @@ function getMaxIndirectionsHeuristicOptions(maxIndirections) {
 }
 function getOnlyPackagesInVulnPathsWithoutLeafPackagesHeuristicOptions(vulnerabilities) {
   return {
-    ...largeIndirectionBoundOptions,
+    ...lazyIndirectionBoundOptions,
     includePackages: computePackagesOnVulnPath(vulnerabilities)
   };
 }
@@ -111012,6 +111012,7 @@ import { relative as relative6, resolve as resolve13 } from "path";
 var { map: map2, uniq: uniq4 } = import_lodash10.default;
 var PRINT_JELLY_COMMAND = false;
 var STRACE_MAX_LINES = 1e4;
+var MAX_FILE_SIZE = 512 * 1024;
 async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reachabilityAnalysisOptions, timeoutInSeconds, vulnerabilities, experiment, telemetryHandler, analyzerTelemetryHandler) {
   const tmpFolder = await createTmpDirectory("jelly-analysis");
   try {
@@ -111035,22 +111036,23 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
     const affectedPackagesFile = resolve13(tmpFolder, "affected-packages.json");
     const logFile = reachabilityAnalysisOptions.printLogFile ? resolve13(projectRoot, "js-analysis.log") : void 0;
     await writeFile7(vulnerabilitiesFile, JSON.stringify(vulnerabilitiesInJellyFormat));
-    const useLazy = experiment === "LAZY_EXPERIMENT" || reachabilityAnalysisOptions.lazy;
     const { includePackages } = jellyOptions;
+    const veryLazy = reachabilityAnalysisOptions.lazy;
     const jellyCmd = cmdt`
       ${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)}
         --max-old-space-size=${reachabilityAnalysisOptions.memoryLimitInMB ?? 8192}
         --max-semi-space-size=128
         ${logFile && ["--trace-gc", "--trace-gc-verbose", "--trace-gc-ignore-scavenger", "--trace-mutator-utilization"]}
         ${jellyExecutable}
+        --max-file-size ${MAX_FILE_SIZE}
         --basedir ${mainProjectRoot}
         --timeout ${timeoutInSeconds}
         --vulnerabilities ${vulnerabilitiesFile}
-        ${useLazy && ["--lazy", "--lazy-cleanup", "--lazy-soft-assert", "--reparse", "--memory", "0.85"]}
+        --lazy --lazy-cleanup --lazy-soft-assert --reparse --memory=0.9
         --reachable-json ${affectedPackagesFile}
         ${getExcludes(mainProjectRoot, projectRoot, reachabilityAnalysisOptions)}
         --diagnostics-json ${diagnosticsFile}
-        --max-indirections=${useLazy ? 2 : jellyOptions.maxIndirections}
+        --max-indirections=${veryLazy ? 2 : jellyOptions.maxIndirections}
         ${!!includePackages && (includePackages.length ? ["--include-packages", ...includePackages] : ["--ignore-dependencies"])}
         ${jellyOptions.approx && "--approx"}
         --callstacks-json ${callStackFile}
@@ -111082,6 +111084,8 @@ async function runJellyAnalysis(mainProjectRoot, projectRoot, jellyOptions, reac
     if (reachabilityAnalysisOptions.printLogFile)
       logger.info("JS analysis log file:", logFile);
     const analysisDiagnostics = JSON.parse(await readFile9(diagnosticsFile, "utf-8"));
+    if (analysisDiagnostics.lazyErrors)
+      logger.debug(`Jelly --lazy errors: %O`, analysisDiagnostics.lazyErrors);
     const callStacks = JSON.parse(await readFile9(callStackFile, "utf-8"));
     const matches = {};
     const realProjectRoot = await realpath2(projectRoot);
@@ -111116,7 +111120,8 @@ async function runJellyPhantomDependencyAnalysis(projectRoot, options, telemetry
     const jellyExecutable = ToolPathResolver.jellyPath;
     const reachablePackagesFile = resolve13(tmpFolder, "reachable-packages.json");
     const jellyCmd = cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${options.memoryLimitInMB}
-      ${jellyExecutable} --basedir ${projectRoot} --modules-only --ignore-dependencies
+      ${jellyExecutable} --max-file-size ${MAX_FILE_SIZE}
+        --basedir ${projectRoot} --modules-only --ignore-dependencies
         --reachable-json ${reachablePackagesFile} ${projectRoot}`;
     await runCommandResolveStdOut2(jellyCmd, void 0, {
       timeout: options.timeoutSeconds.allVulnRuns * 1e3,
@@ -111136,7 +111141,8 @@ async function runJellyImportReachabilityAnalysis(mainProjectRoot, projectRoot,
     const includePackages = computePackagesOnVulnPath(vulnerabilities, { includeLeafPackages: true });
     const reachableModulesFile = resolve13(tmpFolder, "reachable-modules.json");
     const jellyCmd = cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} --max-old-space-size=${options.memoryLimitInMB}
-      ${ToolPathResolver.jellyPath} --basedir ${mainProjectRoot} --modules-only --reparse
+      ${ToolPathResolver.jellyPath} --max-file-size ${MAX_FILE_SIZE}
+        --basedir ${mainProjectRoot} --modules-only --reparse
         ${includePackages.length ? ["--include-packages", ...includePackages] : ["--ignore-dependencies"]}
         ${getExcludes(mainProjectRoot, projectRoot, options)}
         --reachable-json ${reachableModulesFile}
@@ -111216,10 +111222,11 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
         diagnostics,
         terminatedEarly,
         reachedDependencies: diagnostics.packages > 0,
+        // XXX: Always true
         affectedPurls: analysisRes.affectedPurls,
-        // A round of 0 or 1 indicates that at most 1 level of indirections in the calls was resolved,
-        // which is too few for us to confidently trust the results.
-        lowConfidence: diagnostics.round < 2 && terminatedEarly,
+        // A round of 0 or 1 indicates that at we did not have enough time to finish analysis of modules that directly
+        // import modules with vulnerable APIs, which is too few for us to confidently trust the results.
+        lowConfidence: diagnostics.analyzerRounds < 2 && terminatedEarly,
         computeDetectedOccurrences: ({ url: url2 }) => this.transformSourceLocations(matches[url2] ?? { analysisLevel: "function-level", affectedPackages: [], stacks: [] })
       };
     } catch (e) {

package/repos/coana-tech/jelly-private/dist/bundle/approx.js

@@ -7,11 +7,11 @@ import "./iterator-helpers-polyfill.js";
 import {
   require_hints,
   require_parser
-} from "./chunk-B4YMLUZ5.js";
+} from "./chunk-IHOAXGXT.js";
 import {
   require_proxy,
   require_sandbox
-} from "./chunk-6YZBCEC5.js";
+} from "./chunk-AQ5JQOUT.js";
 import {
   __commonJS,
   __name,
@@ -21,7 +21,7 @@ import {
   require_options,
   require_transform,
   require_util
-} from "./chunk-LFEVD6IY.js";
+} from "./chunk-S4OPEAUO.js";
 
 // lib/approx/approx.js
 var require_approx = __commonJS({

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-6YZBCEC5.js → chunk-AQ5JQOUT.js}

@@ -9,7 +9,7 @@ import {
   __name,
   __require,
   require_transform
-} from "./chunk-LFEVD6IY.js";
+} from "./chunk-S4OPEAUO.js";
 
 // lib/approx/proxy.js
 var require_proxy = __commonJS({
@@ -268,4 +268,4 @@ export {
   require_proxy,
   require_sandbox
 };
-//# sourceMappingURL=chunk-6YZBCEC5.js.map
+//# sourceMappingURL=chunk-AQ5JQOUT.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-B4YMLUZ5.js → chunk-IHOAXGXT.js}

@@ -14,7 +14,7 @@ import {
   require_options,
   require_tokens,
   require_util
-} from "./chunk-LFEVD6IY.js";
+} from "./chunk-S4OPEAUO.js";
 
 // lib/parsing/parser.js
 var require_parser = __commonJS({
@@ -516,4 +516,4 @@ export {
   require_patching,
   require_hints
 };
-//# sourceMappingURL=chunk-B4YMLUZ5.js.map
+//# sourceMappingURL=chunk-IHOAXGXT.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-LFEVD6IY.js → chunk-S4OPEAUO.js}

@@ -10874,6 +10874,7 @@ var require_options = __commonJS({
       eagerPropagation: false,
       interops: true,
       modulesJson: void 0,
+      maxFileSize: void 0,
       preciseAccessPathTransitions: false,
       lazy: false,
       lazyCleanup: false,
@@ -19923,4 +19924,4 @@ fill-range/index.js:
    * Licensed under the MIT License.
    *)
 */
-//# sourceMappingURL=chunk-LFEVD6IY.js.map
+//# sourceMappingURL=chunk-S4OPEAUO.js.map

package/repos/coana-tech/jelly-private/dist/bundle/{chunk-B76EIOV4.js → chunk-SGCFSZ72.js}

@@ -8,7 +8,7 @@ import {
   __commonJS,
   __name,
   __require
-} from "./chunk-LFEVD6IY.js";
+} from "./chunk-S4OPEAUO.js";
 
 // node_modules/source-map/lib/base64.js
 var require_base64 = __commonJS({
@@ -224380,4 +224380,4 @@ typescript/lib/typescript.js:
   and limitations under the License.
   ***************************************************************************** *)
 */
-//# sourceMappingURL=chunk-B76EIOV4.js.map
+//# sourceMappingURL=chunk-SGCFSZ72.js.map

package/repos/coana-tech/jelly-private/dist/bundle/hooks.js

@@ -6,10 +6,10 @@ import "./iterator-helpers-polyfill.js";
 
 import {
   require_moduleresolver
-} from "./chunk-B76EIOV4.js";
+} from "./chunk-SGCFSZ72.js";
 import {
   require_sandbox
-} from "./chunk-6YZBCEC5.js";
+} from "./chunk-AQ5JQOUT.js";
 import {
   __commonJS,
   __name,
@@ -17,7 +17,7 @@ import {
   require_files,
   require_options,
   require_transform
-} from "./chunk-LFEVD6IY.js";
+} from "./chunk-S4OPEAUO.js";
 
 // lib/approx/hooks.js
 var require_hooks = __commonJS({

package/repos/coana-tech/jelly-private/dist/bundle/jelly.js

@@ -9,11 +9,11 @@ import {
   require_hints,
   require_parser,
   require_patching
-} from "./chunk-B4YMLUZ5.js";
+} from "./chunk-IHOAXGXT.js";
 import {
   require_moduleresolver,
   require_typescript
-} from "./chunk-B76EIOV4.js";
+} from "./chunk-SGCFSZ72.js";
 import {
   __commonJS,
   __name,
@@ -37,7 +37,7 @@ import {
   require_tokens,
   require_transform,
   require_util
-} from "./chunk-LFEVD6IY.js";
+} from "./chunk-S4OPEAUO.js";
 
 // lib/misc/timer.js
 var require_timer = __commonJS({
@@ -525,6 +525,7 @@ var require_patternparser = __commonJS({
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.AccessPathPatternCanonicalizer = void 0;
     exports.parseDetectionPattern = parseDetectionPattern;
+    var util_1 = require_util();
     var patterns_1 = require_patterns();
     var AccessPathPatternCanonicalizer = class {
       static {
@@ -532,12 +533,7 @@ var require_patternparser = __commonJS({
       }
       canonical = /* @__PURE__ */ new Map();
       canonicalize(p) {
-        const key = p.toString();
-        const c = this.canonical.get(key);
-        if (c)
-          return c;
-        this.canonical.set(key, p);
-        return p;
+        return (0, util_1.getOrSet)(this.canonical, p.toString(), () => p);
       }
     };
     exports.AccessPathPatternCanonicalizer = AccessPathPatternCanonicalizer;
@@ -877,6 +873,7 @@ var require_patternparser = __commonJS({
           [filter, pos] = parseFilter(pos);
           filters.push(filter);
         }
+        p = c.canonicalize(new patterns_1.CallResultAccessPathPattern(p));
         res = new patterns_1.CallDetectionPattern(p, onlyReturnChanged, onlyWhenUsedAsPromise, onlyNonNewCalls, filters.length > 0 ? filters : void 0);
       } else if (([b, pos] = parseOptionalKeyword(pos, "component")) && b) {
         pos = parseSpace(pos, false);
@@ -887,6 +884,7 @@ var require_patternparser = __commonJS({
           [filter, pos] = parseFilter(pos);
           filters.push(filter);
         }
+        p = c.canonicalize(new patterns_1.ComponentAccessPathPattern(p));
         res = new patterns_1.ComponentDetectionPattern(p, filters.length > 0 ? filters : void 0);
       } else
         throw 0;
@@ -1067,7 +1065,7 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
       const s = /* @__PURE__ */ new Set();
       for (const d of ds)
         if (d)
-          d.ap.visitAccessPathPatterns((p) => {
+          (d instanceof patterns_1.DetectionPattern ? d.ap : d).visitAccessPathPatterns((p) => {
             if (p instanceof patterns_1.ImportAccessPathPattern)
               s.add(p.glob);
           });
@@ -1090,10 +1088,10 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
       bs.set(i);
       return bs;
     });
-    function getPatternGraph(ds) {
+    function getPatternGraph(ps) {
       const unknowns = /* @__PURE__ */ new Map();
       return {
-        graph: new Map(ds.map((p) => {
+        graph: new Map(ps.map((p) => {
           const edges = Array.from({ length: 4 }, () => new bitset_1.SmallBitSet());
           const properties = /* @__PURE__ */ new Map();
           let wildcardIdx = -1;
@@ -1172,7 +1170,7 @@ ${pattern}${"semanticPatchId" in p ? ` (pattern #${p.semanticPatchId} version ${
               edges[i].unionUpdate(post);
             return [post, false];
           }, "aux");
-          aux(p instanceof patterns_1.CallDetectionPattern ? new patterns_1.CallResultAccessPathPattern(p.ap) : p instanceof patterns_1.ComponentDetectionPattern ? new patterns_1.ComponentAccessPathPattern(p.ap) : p.ap);
+          aux(p);
           return [p, (prev, next) => {
             const [a, b] = [classify(prev), classify(next)];
             if (!a || !b)
@@ -1199,6 +1197,7 @@ var require_globalstate = __commonJS({
     };
     Object.defineProperty(exports, "__esModule", { value: true });
     exports.GlobalState = void 0;
+    var fs_1 = __require("fs");
     var util_1 = require_util();
     var constraintvars_1 = require_constraintvars();
     var tokens_1 = require_tokens();
@@ -1265,7 +1264,7 @@ var require_globalstate = __commonJS({
       }
       set vulnerabilities(v) {
         this._vulnerabilities = v;
-        this.accessPathEdges = v && options_1.options.preciseAccessPathTransitions ? (0, patternloader_1.getPatternGraph)(v.getPatterns()) : void 0;
+        this.accessPathEdges = v && options_1.options.preciseAccessPathTransitions ? (0, patternloader_1.getPatternGraph)(v.getUniqueAPPatterns()) : void 0;
       }
       canonicalizeVar(v) {
         const next = /* @__PURE__ */ __name(() => {
@@ -1386,7 +1385,14 @@ var require_globalstate = __commonJS({
             if (logger_1.default.isDebugEnabled())
               logger_1.default.debug(`${moduleInfo} already encountered in another directory`);
           } else {
-            const ignoreModule = from && (options_1.options.ignoreDependencies || !packageInfo.isEntry && (options_1.options.includePackages && !options_1.options.includePackages.includes(packageInfo.name))) || options_1.options.excludePackages?.includes(packageInfo.name);
+            let ignoreModule = from && (options_1.options.ignoreDependencies || !packageInfo.isEntry && (options_1.options.includePackages && !options_1.options.includePackages.includes(packageInfo.name))) || options_1.options.excludePackages?.includes(packageInfo.name);
+            if (!ignoreModule && options_1.options.maxFileSize !== void 0) {
+              const fileSize = (0, fs_1.statSync)(tofile).size;
+              if (fileSize > options_1.options.maxFileSize) {
+                ignoreModule = true;
+                logger_1.default.warn(`Ignoring module ${tofile} due to file size ${fileSize} > ${options_1.options.maxFileSize}`);
+              }
+            }
             moduleInfo = new infos_1.ModuleInfo(rel, packageInfo, from === void 0, !ignoreModule);
             packageInfo.modules.set(rel, moduleInfo);
             this.moduleInfos.set(moduleInfo.toString(), moduleInfo);
@@ -2675,6 +2681,7 @@ var require_solver = __commonJS({
       phase;
       timer = new timer_1.default();
       lazyRoundsHook;
+      terminationCheckCounter = 0;
       constructor(abort) {
         this.abort = abort;
       }
@@ -2829,6 +2836,10 @@ var require_solver = __commonJS({
           unprocessedTokensSize: d.unprocessedTokensSize,
           unprocessedListeners1: f.postponedListenerCalls.length,
           unprocessedListeners2: f.postponedListenerCalls2.length,
+          tokenListenerNotifications1: d.tokenListenerNotifications,
+          tokenListenerNotifications2: d.tokenListener2Notifications,
+          arrayEntriesListenerNotifications: d.arrayEntriesListenerNotifications,
+          objectPropertiesListenerNotifications: d.objectPropertiesListenerNotifications,
           packages: a.packageInfos.size,
           modules: a.moduleInfos.size,
           modulesFull: d.modulesFull,
@@ -2849,8 +2860,7 @@ var require_solver = __commonJS({
           if (d > this.diagnostics.lastPrintDiagnosticsTime + 100) {
             this.diagnostics.lastPrintDiagnosticsTime = d;
             (0, logger_1.writeStdOut)(`${this.phase}... (total time: ${d}ms, call edges: ${f.numberOfCallToFunctionEdges}` + (options_1.options.diagnostics ? `, vars: ${f.getNumberOfVarsWithTokens()}, tokens: ${f.numberOfTokens}, subsets: ${f.numberOfSubsetEdges}, ` + (options_1.options.maxIndirections !== void 0 ? `round: ${this.diagnostics.round}, ` : "") + `wave: ${this.diagnostics.wave}, propagations: ${this.diagnostics.propagations}, worklist: ${this.diagnostics.unprocessedTokensSize + f.postponedListenerCalls.length + f.postponedListenerCalls2.length - this.postponedListenersProcessed}` : "") + ")");
-            f.a.timeoutTimer.checkTimeout();
-            (0, memory_1.checkMemoryLow)();
+            this.checkTerminationConditions();
           }
         }
       }
@@ -3226,7 +3236,8 @@ var require_solver = __commonJS({
             for (const to of s)
               this.addTokens(ts, to);
             this.incrementPropagations();
-          }
+          } else
+            this.incrementTerminationCheckCount();
           const tr = f.tokenListeners.get(v);
           if (tr)
             if (Array.isArray(ts))
@@ -3249,11 +3260,7 @@ var require_solver = __commonJS({
       }
       incrementPropagations() {
         this.diagnostics.propagations++;
-        if (this.diagnostics.propagations % 100 === 0) {
-          this.globalState.timeoutTimer.checkTimeout();
-          (0, memory_1.checkMemoryLow)();
-          this.printDiagnostics();
-        }
+        this.incrementTerminationCheckCount();
       }
       isIgnoredVar(v) {
         return v instanceof constraintvars_1.ObjectPropertyVar && v.obj instanceof tokens_1.NativeObjectToken && !v.obj.moduleInfo && (v.accessor === "get" || v.accessor === "set");
@@ -3264,8 +3271,7 @@ var require_solver = __commonJS({
           logger_1.default.debug("Processing constraints until fixpoint...");
         const { fragmentState: f, diagnostics: d } = this;
         d.propagationRounds++;
-        f.a.timeoutTimer.checkTimeout();
-        (0, memory_1.checkMemoryLow)();
+        this.checkTerminationConditions();
         await this.checkAbort();
         if (logger_1.default.isVerboseEnabled())
           logger_1.default.verbose(`Propagating (tokens: ${this.unprocessedTokens.size}, non-bounded: ${f.postponedListenerCalls.length}, bounded: ${f.postponedListenerCalls2.length})`);
@@ -3337,11 +3343,7 @@ var require_solver = __commonJS({
             d.listenerNotificationRounds++;
             f.postponedListenerCalls.forEach((fun, arg) => {
               fun(arg);
-              if (++this.postponedListenersProcessed % 100 === 0) {
-                f.a.timeoutTimer.checkTimeout();
-                (0, memory_1.checkMemoryLow)();
-                this.printDiagnostics();
-              }
+              this.incrementTerminationCheckCount();
             });
             f.postponedListenerCalls.length = this.postponedListenersProcessed = 0;
             d.totalListenerCallTime += timer.elapsed();
@@ -3361,11 +3363,7 @@ var require_solver = __commonJS({
               this.postponedListenersProcessed = 0;
               f.postponedListenerCalls2.forEachAndClear((fun, arg) => {
                 fun(arg);
-                if (++this.postponedListenersProcessed % 100 === 0) {
-                  f.a.timeoutTimer.checkTimeout();
-                  (0, memory_1.checkMemoryLow)();
-                  this.printDiagnostics();
-                }
+                this.incrementTerminationCheckCount();
               });
               d.totalListenerCallTime += timer.elapsed();
               if (logger_1.default.isVerboseEnabled() || options_1.options.diagnostics && options_1.options.printProgress)
@@ -3396,6 +3394,18 @@ var require_solver = __commonJS({
           }
         }
       }
+      incrementTerminationCheckCount() {
+        if (++this.terminationCheckCounter === 100) {
+          this.checkTerminationConditions(true);
+          this.terminationCheckCounter = 0;
+        }
+      }
+      checkTerminationConditions(printDiagnostics = false) {
+        if (printDiagnostics)
+          this.printDiagnostics();
+        this.globalState.timeoutTimer.checkTimeout();
+        (0, memory_1.checkMemoryLow)();
+      }
       assertLazy(strings, ...values) {
         const template = strings.join("%s");
         if (options_1.options.lazySoftAssert) {
@@ -5617,11 +5627,8 @@ var require_analyzer = __commonJS({
                   }
                   if (!options_1.options.reparse || a.reachedModulesFull.has(moduleInfo))
                     moduleInfo.ast = ast;
-                  if (d.modules % 16 === 0) {
-                    solver.printDiagnostics();
-                    a.timeoutTimer.checkTimeout();
-                    (0, memory_1.checkMemoryLow)();
-                  }
+                  if (d.modules % 16 === 0)
+                    solver.checkTerminationConditions(true);
                 }
                 for (const moduleInfo of a.pendingModulesFull) {
                   let ast = moduleInfo.ast;
@@ -5634,11 +5641,8 @@ var require_analyzer = __commonJS({
                     const str = fs_1.default.readFileSync(file, "utf8");
                     ast = (0, parser_1.parseAndDesugar)(str, file, solver.fragmentState);
                   }
-                  if (++d.modulesFull % 16 === 0) {
-                    solver.printDiagnostics();
-                    a.timeoutTimer.checkTimeout();
-                    (0, memory_1.checkMemoryLow)();
-                  }
+                  if (++d.modulesFull % 16 === 0)
+                    solver.checkTerminationConditions(true);
                   if (!options_1.options.modulesOnly && options_1.options.printProgress)
                     logger_1.default.info(`Analyzing ${moduleInfo}`);
                   const moduleParams = (0, extras_1.preprocessAst)(ast, moduleInfo);
@@ -9248,7 +9252,7 @@ var require_patternmatcher = __commonJS({
               res.push({ exp, encl, uncertainties });
             }
         } else if (d instanceof patterns_1.CallDetectionPattern) {
-          const sub = this.findAccessPathPatternMatches(new patterns_1.CallResultAccessPathPattern(d.ap), moduleFilter);
+          const sub = this.findAccessPathPatternMatches(d.ap, moduleFilter);
           const f = this.fragmentState;
           for (const level of exports.confidenceLevels)
             matches: for (const [exp, [, encl]] of sub[level]) {
@@ -9291,7 +9295,7 @@ var require_patternmatcher = __commonJS({
               }
             }
         } else if (d instanceof patterns_1.ComponentDetectionPattern) {
-          const sub = this.findAccessPathPatternMatches(new patterns_1.ComponentAccessPathPattern(d.ap), moduleFilter);
+          const sub = this.findAccessPathPatternMatches(d.ap, moduleFilter);
           for (const level of exports.confidenceLevels)
             matches: for (const [exp, [, encl]] of sub[level]) {
               (0, assert_1.default)(encl);
@@ -9490,8 +9494,7 @@ var require_tapirpatterns = __commonJS({
           const tpVersion = "version" in tp ? ` (version ${tp.version})` : "";
           const p = patterns[i];
           if (p) {
-            solver.globalState.timeoutTimer.checkTimeout();
-            (0, memory_1.checkMemoryLow)();
+            solver.checkTerminationConditions();
             const ms = matcher.findDetectionPatternMatches(p, solver.diagnostics);
             for (const m of ms) {
               logger_1.default.info(`Pattern #${tpId}: ${tpPattern}${tpVersion} matches ${(0, util_1.locationToStringWithFileAndEnd)(m.exp.loc)} (confidence: ${isHigh(m) ? "high" : "low"})`);
@@ -13217,7 +13220,7 @@ ${p} (${(0, vulnerabilities_1.getVulnerabilityId)(v)})`);
             }
         }
         const globToPatterns = /* @__PURE__ */ new Map();
-        const patterns = this.getPatterns();
+        const patterns = this.getUniqueAPPatterns();
         for (const p of patterns)
           for (const glob of (0, patternloader_1.getGlobs)([p]))
             (0, util_1.mapArrayAdd)(glob, p, globToPatterns);
@@ -13225,13 +13228,16 @@ ${p} (${(0, vulnerabilities_1.getVulnerabilityId)(v)})`);
           this.importGlobsToPatterns.push([micromatch_1.default.matcher(g), ps]);
         this.hasCallbackArgumentPattern = patterns.some((p) => {
           let found = false;
-          p.ap.visitAccessPathPatterns((app) => found ||= app instanceof patterns_1.CallbackArgumentAccessPathPattern);
+          p.visitAccessPathPatterns((app) => found ||= app instanceof patterns_1.CallbackArgumentAccessPathPattern);
           return found;
         });
       }
       getPatterns() {
         return this.patterns.values().flatMap((ps) => ps).toArray();
       }
+      getUniqueAPPatterns() {
+        return Array.from(new Set(this.getPatterns().map((p) => p.ap)));
+      }
       reachedPackage(packageInfo) {
         const vs = this.vulnerabilities.get(packageInfo.name);
         if (vs) {
@@ -14008,7 +14014,7 @@ var require_main = __commonJS({
     var assert_1 = __importDefault(__require("assert"));
     var semver_1 = __importDefault(require_semver2());
     var ENGINES_NODE = require_package()?.engines?.node;
-    commander_1.program.name("jelly").version(options_1.VERSION).addHelpText("before", options_1.COPYRIGHT).option("-b, --basedir <directory>", "base directory for files to analyze (default: auto-detect)").option("-f, --logfile <file>", "log to file (default: log to stdout)").option("-l, --loglevel <level>", "log level (debug/verbose/info/warn/error)", "info").option("-i, --timeout <seconds>", "limit analysis time").option("-a, --dataflow-html <file>", "save data-flow graph as HTML file").option("-m, --callgraph-html <file>", "save call graph as HTML file").option("-j, --callgraph-json <file>", "save call graph as JSON file").option("-s, --soundness <file>", "compare with dynamic call graph").option("-n, --graal-home <directory>", "home of graal-nodejs (default: $GRAAL_HOME)").option("-d, --dynamic <file>", "generate call graph dynamically, no static analysis").option("--approx", "enable approximate interpretation").option("--approx-only <file>", "perform approximate interpretation, no static analysis").option("--approx-load <file>", "use pre-computed approximate interpretation results").option("-p, --patterns <file...>", "files containing API usage patterns to detect").option("-v, --vulnerabilities <file>", "report vulnerability matches").option("--vulnerabilities-json <json>", "report vulnerability matches (patterns given as JSON string)").option("--include-packages <package...>", "include only dependencies in this list").option("--exclude-packages <package...>", "exclude dependencies in this list").option("--ignore-dependencies", "don't include dependencies in analysis").option("--ignore-unresolved", "don't report errors about unresolved modules").option("--npm-test <dir>", "run 'npm test' instead of 'node' (use with -d)").option("--callgraph", "report call graph").option("--tokens-json <file>", "save tokens for constraint variables as JSON file").option("--tokens", "report tokens for constraint variables").option("--largest", "report largest token sets and subset relations").option("--no-cycle-elimination", "disable cycle elimination").option("--no-natives", "disable nonessential models of native libraries").option("--test-graal", "test graal-nodejs (use with -d)").option("--no-print-progress", "don't print analysis progress information").option("--no-tty", "don't print solver progress for TTY").option("--warnings-unsupported", "print warnings about unsupported features").option("--gc", "enable garbage collection for more accurate memory usage reporting").option("--typescript", "enable TypeScript type inference (use with -p)").option("--api-usage", "report API usage of external packages (implies --ignore-dependencies)").option("--api-exported", "report API of modules").option("--find-access-paths <location>", "find access paths for source location (file:line)").option("--higher-order-functions", "report higher-order functions").option("--zeros", "report calls with zero callees and functions with zero callers").option("--exclude-entries <glob...>", "files to exclude when specifying entry directories").option("--tracked-modules <glob...>", "modules to track usage of (default: auto-detect)").option("--external-matches", "enable pattern matches from external code").option("--no-callgraph-implicit", "omit implicit calls in call graph").option("--no-callgraph-native", "omit native calls in call graph").option("--no-callgraph-require", "omit module loading in call graph").option("--no-callgraph-external", "omit heuristic external callbacks in call graph").option("--diagnostics", "report internal analysis diagnostics").option("--diagnostics-json <file>", "save analysis diagnostics in JSON file").option("--variable-kinds", "report constraint variable kinds").option("--max-waves <number>", "limit number of fixpoint waves").option("--max-indirections <number>", "limit number of function call and property write indirections").option("--full-indirection-bounding", "enable indirection bounding for method calls and property reads (use with --max-indirections)").option("--typescript-library-usage <file>", "save TypeScript library usage in JSON file, no analysis").option("--modules-only", "report reachable packages and modules only, no analysis").option("--compare-callgraphs", "compare two call graphs given as JSON files, no analysis").option("--reachability", "compare call graph reachability (use with -s or --compare-callgraphs)").option("--library", "assume program is a library (default: true if in node_modules)").option("--skip-tests", "skip files that look like tests").option("--no-patch-escaping", "disable patching using escape analysis").option("--patch-dynamics", "enable dynamic property access patching heuristic").option("--patch-method-calls", "enable method call patching heuristic").option("--no-patch-this", "disable 'this' patching heuristic").option("--proto", "enable model of assignments to the __proto__ property").option("--obj-spread", "enable model of spread syntax for object literals ({...obj})").option("--native-overwrites", "allow overwriting of native object properties").option("--ignore-imprecise-native-calls", "ignore imprecise native calls").option("--matches-json <file>", "save vulnerability pattern matches in JSON file").option("--reachable-json <file>", "save reachable packages and modules in JSON file").option("--callstacks-json <file>", "save vulnerability call stacks in JSON file").option("--vulnerabilities-full", "full report of vulnerabilities").option("--eager-propagation", "perform propagation after each module").option("--no-interops", "disable models of common module interop helper functions").option("--modules-json <file>", "save modules dependencies in JSON file").option("--precise-access-path-transitions", "enable pruning of imprecise access path transitions (uses more unique access path tokens)").addOption(commander_1.program.createOption("--lazy", "lazy analysis of modules").implies({
+    commander_1.program.name("jelly").version(options_1.VERSION).addHelpText("before", options_1.COPYRIGHT).option("-b, --basedir <directory>", "base directory for files to analyze (default: auto-detect)").option("-f, --logfile <file>", "log to file (default: log to stdout)").option("-l, --loglevel <level>", "log level (debug/verbose/info/warn/error)", "info").option("-i, --timeout <seconds>", "limit analysis time").option("-a, --dataflow-html <file>", "save data-flow graph as HTML file").option("-m, --callgraph-html <file>", "save call graph as HTML file").option("-j, --callgraph-json <file>", "save call graph as JSON file").option("-s, --soundness <file>", "compare with dynamic call graph").option("-n, --graal-home <directory>", "home of graal-nodejs (default: $GRAAL_HOME)").option("-d, --dynamic <file>", "generate call graph dynamically, no static analysis").option("--approx", "enable approximate interpretation").option("--approx-only <file>", "perform approximate interpretation, no static analysis").option("--approx-load <file>", "use pre-computed approximate interpretation results").option("-p, --patterns <file...>", "files containing API usage patterns to detect").option("-v, --vulnerabilities <file>", "report vulnerability matches").option("--vulnerabilities-json <json>", "report vulnerability matches (patterns given as JSON string)").option("--include-packages <package...>", "include only dependencies in this list").option("--exclude-packages <package...>", "exclude dependencies in this list").option("--ignore-dependencies", "don't include dependencies in analysis").option("--ignore-unresolved", "don't report errors about unresolved modules").option("--npm-test <dir>", "run 'npm test' instead of 'node' (use with -d)").option("--callgraph", "report call graph").option("--tokens-json <file>", "save tokens for constraint variables as JSON file").option("--tokens", "report tokens for constraint variables").option("--largest", "report largest token sets and subset relations").option("--no-cycle-elimination", "disable cycle elimination").option("--no-natives", "disable nonessential models of native libraries").option("--test-graal", "test graal-nodejs (use with -d)").option("--no-print-progress", "don't print analysis progress information").option("--no-tty", "don't print solver progress for TTY").option("--warnings-unsupported", "print warnings about unsupported features").option("--gc", "enable garbage collection for more accurate memory usage reporting").option("--typescript", "enable TypeScript type inference (use with -p)").option("--api-usage", "report API usage of external packages (implies --ignore-dependencies)").option("--api-exported", "report API of modules").option("--find-access-paths <location>", "find access paths for source location (file:line)").option("--higher-order-functions", "report higher-order functions").option("--zeros", "report calls with zero callees and functions with zero callers").option("--exclude-entries <glob...>", "files to exclude when specifying entry directories").option("--tracked-modules <glob...>", "modules to track usage of (default: auto-detect)").option("--external-matches", "enable pattern matches from external code").option("--no-callgraph-implicit", "omit implicit calls in call graph").option("--no-callgraph-native", "omit native calls in call graph").option("--no-callgraph-require", "omit module loading in call graph").option("--no-callgraph-external", "omit heuristic external callbacks in call graph").option("--diagnostics", "report internal analysis diagnostics").option("--diagnostics-json <file>", "save analysis diagnostics in JSON file").option("--variable-kinds", "report constraint variable kinds").option("--max-waves <number>", "limit number of fixpoint waves").option("--max-indirections <number>", "limit number of function call and property write indirections").option("--full-indirection-bounding", "enable indirection bounding for method calls and property reads (use with --max-indirections)").option("--typescript-library-usage <file>", "save TypeScript library usage in JSON file, no analysis").option("--modules-only", "report reachable packages and modules only, no analysis").option("--compare-callgraphs", "compare two call graphs given as JSON files, no analysis").option("--reachability", "compare call graph reachability (use with -s or --compare-callgraphs)").option("--library", "assume program is a library (default: true if in node_modules)").option("--skip-tests", "skip files that look like tests").option("--no-patch-escaping", "disable patching using escape analysis").option("--patch-dynamics", "enable dynamic property access patching heuristic").option("--patch-method-calls", "enable method call patching heuristic").option("--no-patch-this", "disable 'this' patching heuristic").option("--proto", "enable model of assignments to the __proto__ property").option("--obj-spread", "enable model of spread syntax for object literals ({...obj})").option("--native-overwrites", "allow overwriting of native object properties").option("--ignore-imprecise-native-calls", "ignore imprecise native calls").option("--matches-json <file>", "save vulnerability pattern matches in JSON file").option("--reachable-json <file>", "save reachable packages and modules in JSON file").option("--callstacks-json <file>", "save vulnerability call stacks in JSON file").option("--vulnerabilities-full", "full report of vulnerabilities").option("--eager-propagation", "perform propagation after each module").option("--no-interops", "disable models of common module interop helper functions").option("--modules-json <file>", "save modules dependencies in JSON file").option("--max-file-size <bytes>", "skip files larger than the given size in bytes", (value) => parseInt(value, 10)).option("--precise-access-path-transitions", "enable pruning of imprecise access path transitions (uses more unique access path tokens)").addOption(commander_1.program.createOption("--lazy", "lazy analysis of modules").implies({
       preciseAccessPathTransitions: true
     })).option("--lazy-cleanup", "lazily clean up redundant tokens for lazy module analysis").option("--lazy-soft-assert", "assertions for --lazy mode are non-fatal (see diagnostics)").option("--reparse", "reparse by need (use with --lazy)").option("--memory <limit>", "abort if reaching selected fraction of memory limit").usage("[options] [files]").addHelpText("after", `
 All modules reachable by require/import from the given files are included in the analysis