@coana-tech/cli 15.0.2 → 15.0.3

package/cli.mjs

@@ -251822,7 +251822,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "15.0.2";
+var version3 = "15.0.3";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "15.0.2",
+  "version": "15.0.3",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -110960,6 +110960,9 @@ async function validateNpmDependencyDownloads(artifactIdToArtifact, packageNames
 }
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/heuristics.js
+var largeIndirectionBoundOptions = {
+  maxIndirections: 1024
+};
 var lazyIndirectionBoundOptions = {
   maxIndirections: 5
 };
@@ -111895,7 +111898,9 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
           --reachable-json ${affectedPackagesFile}
           ${getExcludes(mainProjectRoot, projectRoot, reachabilityAnalysisOptions)}
           --diagnostics-json ${diagnosticsFile}
-          --max-indirections ${maxIndirections}
+          --max-indirections=${/* XXX: maxIndirections is tuned for --lazy mode, which SparJS doesn't support,
+       * so we use a value that's better for non-lazy analysis. */
+      maxIndirections ? largeIndirectionBoundOptions.maxIndirections : void 0}
           ${!!includePackages && (includePackages.length ? ["--include-packages", ...includePackages] : ["--ignore-dependencies"])}
           ${/* XXX: Requires Node 22+ */
       approx && "--approx"}
@@ -114004,8 +114009,8 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
     const bucketsFromLastAnalysisAndCliVersion = await dashboardAPI.getBucketsForLastReport(relative9(state.rootWorkingDir, state.subprojectDir) || ".", state.workspacePath, vulnerabilities[0].ecosystem ?? "NPM", COANA_REPORT_ID, apiKey);
     if (!bucketsFromLastAnalysisAndCliVersion)
       return void 0;
-    const { cliVersion: cliVersion2, buckets: bucketsFromLastAnalysis } = bucketsFromLastAnalysisAndCliVersion;
-    if (bucketsFromLastAnalysis.some((b) => b.heuristicName === heuristics.IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3.name))
+    const { cliVersion: cliVersion2, buckets: rawBucketsFromLastAnalysis } = bucketsFromLastAnalysisAndCliVersion;
+    if (rawBucketsFromLastAnalysis.some((b) => b.heuristicName === heuristics.IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3.name))
       return;
     try {
       if ((0, import_semver4.lt)(cliVersion2, CLI_VERSION_TO_USE_CACHING_FROM[ecosystem] ?? CLI_VERSION_TO_USE_CACHING_FROM_DEFAULT))
@@ -114013,6 +114018,7 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
     } catch (e) {
       return void 0;
     }
+    const bucketsFromLastAnalysis = rawBucketsFromLastAnalysis.filter((b) => b.heuristicName !== "IMPORT_REACHABILITY");
     const duplicateUrls = findDuplicateVulnsInBuckets(bucketsFromLastAnalysis);
     if (duplicateUrls.length > 0) {
       sendWarningToDashboard(`Assertion error: Detected bucket(s) with non-unique vulnerability URLs. Non-unique URLs: ${duplicateUrls.join(" ")}.`, {