@coana-tech/cli 15.0.3 → 15.0.5

package/cli.mjs

@@ -16020,9 +16020,9 @@ var require_picomatch = __commonJS({
     var utils = require_utils();
     var constants4 = require_constants();
     var isObject2 = (val2) => val2 && typeof val2 === "object" && !Array.isArray(val2);
-    var picomatch11 = (glob2, options, returnState = false) => {
+    var picomatch12 = (glob2, options, returnState = false) => {
       if (Array.isArray(glob2)) {
-        const fns = glob2.map((input) => picomatch11(input, options, returnState));
+        const fns = glob2.map((input) => picomatch12(input, options, returnState));
         const arrayMatcher = (str) => {
           for (const isMatch4 of fns) {
             const state2 = isMatch4(str);
@@ -16038,16 +16038,16 @@ var require_picomatch = __commonJS({
       }
       const opts = options || {};
       const posix3 = opts.windows;
-      const regex = isState ? picomatch11.compileRe(glob2, options) : picomatch11.makeRe(glob2, options, false, true);
+      const regex = isState ? picomatch12.compileRe(glob2, options) : picomatch12.makeRe(glob2, options, false, true);
       const state = regex.state;
       delete regex.state;
       let isIgnored = () => false;
       if (opts.ignore) {
         const ignoreOpts = { ...options, ignore: null, onMatch: null, onResult: null };
-        isIgnored = picomatch11(opts.ignore, ignoreOpts, returnState);
+        isIgnored = picomatch12(opts.ignore, ignoreOpts, returnState);
       }
       const matcher = (input, returnObject = false) => {
-        const { isMatch: isMatch4, match: match2, output } = picomatch11.test(input, regex, options, { glob: glob2, posix: posix3 });
+        const { isMatch: isMatch4, match: match2, output } = picomatch12.test(input, regex, options, { glob: glob2, posix: posix3 });
         const result = { glob: glob2, state, regex, posix: posix3, input, output, match: match2, isMatch: isMatch4 };
         if (typeof opts.onResult === "function") {
           opts.onResult(result);
@@ -16073,7 +16073,7 @@ var require_picomatch = __commonJS({
       }
       return matcher;
     };
-    picomatch11.test = (input, regex, options, { glob: glob2, posix: posix3 } = {}) => {
+    picomatch12.test = (input, regex, options, { glob: glob2, posix: posix3 } = {}) => {
       if (typeof input !== "string") {
         throw new TypeError("Expected input to be a string");
       }
@@ -16090,24 +16090,24 @@ var require_picomatch = __commonJS({
       }
       if (match2 === false || opts.capture === true) {
         if (opts.matchBase === true || opts.basename === true) {
-          match2 = picomatch11.matchBase(input, regex, options, posix3);
+          match2 = picomatch12.matchBase(input, regex, options, posix3);
         } else {
           match2 = regex.exec(output);
         }
       }
       return { isMatch: Boolean(match2), match: match2, output };
     };
-    picomatch11.matchBase = (input, glob2, options) => {
-      const regex = glob2 instanceof RegExp ? glob2 : picomatch11.makeRe(glob2, options);
+    picomatch12.matchBase = (input, glob2, options) => {
+      const regex = glob2 instanceof RegExp ? glob2 : picomatch12.makeRe(glob2, options);
       return regex.test(utils.basename(input));
     };
-    picomatch11.isMatch = (str, patterns, options) => picomatch11(patterns, options)(str);
-    picomatch11.parse = (pattern, options) => {
-      if (Array.isArray(pattern)) return pattern.map((p3) => picomatch11.parse(p3, options));
+    picomatch12.isMatch = (str, patterns, options) => picomatch12(patterns, options)(str);
+    picomatch12.parse = (pattern, options) => {
+      if (Array.isArray(pattern)) return pattern.map((p3) => picomatch12.parse(p3, options));
       return parse16(pattern, { ...options, fastpaths: false });
     };
-    picomatch11.scan = (input, options) => scan(input, options);
-    picomatch11.compileRe = (state, options, returnOutput = false, returnState = false) => {
+    picomatch12.scan = (input, options) => scan(input, options);
+    picomatch12.compileRe = (state, options, returnOutput = false, returnState = false) => {
       if (returnOutput === true) {
         return state.output;
       }
@@ -16118,13 +16118,13 @@ var require_picomatch = __commonJS({
       if (state && state.negated === true) {
         source = `^(?!${source}).*$`;
       }
-      const regex = picomatch11.toRegex(source, options);
+      const regex = picomatch12.toRegex(source, options);
       if (returnState === true) {
         regex.state = state;
       }
       return regex;
     };
-    picomatch11.makeRe = (input, options = {}, returnOutput = false, returnState = false) => {
+    picomatch12.makeRe = (input, options = {}, returnOutput = false, returnState = false) => {
       if (!input || typeof input !== "string") {
         throw new TypeError("Expected a non-empty string");
       }
@@ -16135,9 +16135,9 @@ var require_picomatch = __commonJS({
       if (!parsed.output) {
         parsed = parse16(input, options);
       }
-      return picomatch11.compileRe(parsed, options, returnOutput, returnState);
+      return picomatch12.compileRe(parsed, options, returnOutput, returnState);
     };
-    picomatch11.toRegex = (source, options) => {
+    picomatch12.toRegex = (source, options) => {
       try {
         const opts = options || {};
         return new RegExp(source, opts.flags || (opts.nocase ? "i" : ""));
@@ -16146,8 +16146,8 @@ var require_picomatch = __commonJS({
         return /$^/;
       }
     };
-    picomatch11.constants = constants4;
-    module2.exports = picomatch11;
+    picomatch12.constants = constants4;
+    module2.exports = picomatch12;
   }
 });
 
@@ -16157,14 +16157,14 @@ var require_picomatch2 = __commonJS({
     "use strict";
     var pico = require_picomatch();
     var utils = require_utils();
-    function picomatch11(glob2, options, returnState = false) {
+    function picomatch12(glob2, options, returnState = false) {
       if (options && (options.windows === null || options.windows === void 0)) {
         options = { ...options, windows: utils.isWindows() };
       }
       return pico(glob2, options, returnState);
     }
-    Object.assign(picomatch11, pico);
-    module2.exports = picomatch11;
+    Object.assign(picomatch12, pico);
+    module2.exports = picomatch12;
   }
 });
 
@@ -39550,9 +39550,9 @@ var require_picomatch3 = __commonJS({
     var utils = require_utils3();
     var constants4 = require_constants3();
     var isObject2 = (val2) => val2 && typeof val2 === "object" && !Array.isArray(val2);
-    var picomatch11 = (glob2, options, returnState = false) => {
+    var picomatch12 = (glob2, options, returnState = false) => {
       if (Array.isArray(glob2)) {
-        const fns = glob2.map((input) => picomatch11(input, options, returnState));
+        const fns = glob2.map((input) => picomatch12(input, options, returnState));
         const arrayMatcher = (str) => {
           for (const isMatch4 of fns) {
             const state2 = isMatch4(str);
@@ -39568,16 +39568,16 @@ var require_picomatch3 = __commonJS({
       }
       const opts = options || {};
       const posix3 = utils.isWindows(options);
-      const regex = isState ? picomatch11.compileRe(glob2, options) : picomatch11.makeRe(glob2, options, false, true);
+      const regex = isState ? picomatch12.compileRe(glob2, options) : picomatch12.makeRe(glob2, options, false, true);
       const state = regex.state;
       delete regex.state;
       let isIgnored = () => false;
       if (opts.ignore) {
         const ignoreOpts = { ...options, ignore: null, onMatch: null, onResult: null };
-        isIgnored = picomatch11(opts.ignore, ignoreOpts, returnState);
+        isIgnored = picomatch12(opts.ignore, ignoreOpts, returnState);
       }
       const matcher = (input, returnObject = false) => {
-        const { isMatch: isMatch4, match: match2, output } = picomatch11.test(input, regex, options, { glob: glob2, posix: posix3 });
+        const { isMatch: isMatch4, match: match2, output } = picomatch12.test(input, regex, options, { glob: glob2, posix: posix3 });
         const result = { glob: glob2, state, regex, posix: posix3, input, output, match: match2, isMatch: isMatch4 };
         if (typeof opts.onResult === "function") {
           opts.onResult(result);
@@ -39603,7 +39603,7 @@ var require_picomatch3 = __commonJS({
       }
       return matcher;
     };
-    picomatch11.test = (input, regex, options, { glob: glob2, posix: posix3 } = {}) => {
+    picomatch12.test = (input, regex, options, { glob: glob2, posix: posix3 } = {}) => {
       if (typeof input !== "string") {
         throw new TypeError("Expected input to be a string");
       }
@@ -39620,24 +39620,24 @@ var require_picomatch3 = __commonJS({
       }
       if (match2 === false || opts.capture === true) {
         if (opts.matchBase === true || opts.basename === true) {
-          match2 = picomatch11.matchBase(input, regex, options, posix3);
+          match2 = picomatch12.matchBase(input, regex, options, posix3);
         } else {
           match2 = regex.exec(output);
         }
       }
       return { isMatch: Boolean(match2), match: match2, output };
     };
-    picomatch11.matchBase = (input, glob2, options, posix3 = utils.isWindows(options)) => {
-      const regex = glob2 instanceof RegExp ? glob2 : picomatch11.makeRe(glob2, options);
+    picomatch12.matchBase = (input, glob2, options, posix3 = utils.isWindows(options)) => {
+      const regex = glob2 instanceof RegExp ? glob2 : picomatch12.makeRe(glob2, options);
       return regex.test(path9.basename(input));
     };
-    picomatch11.isMatch = (str, patterns, options) => picomatch11(patterns, options)(str);
-    picomatch11.parse = (pattern, options) => {
-      if (Array.isArray(pattern)) return pattern.map((p3) => picomatch11.parse(p3, options));
+    picomatch12.isMatch = (str, patterns, options) => picomatch12(patterns, options)(str);
+    picomatch12.parse = (pattern, options) => {
+      if (Array.isArray(pattern)) return pattern.map((p3) => picomatch12.parse(p3, options));
       return parse16(pattern, { ...options, fastpaths: false });
     };
-    picomatch11.scan = (input, options) => scan(input, options);
-    picomatch11.compileRe = (state, options, returnOutput = false, returnState = false) => {
+    picomatch12.scan = (input, options) => scan(input, options);
+    picomatch12.compileRe = (state, options, returnOutput = false, returnState = false) => {
       if (returnOutput === true) {
         return state.output;
       }
@@ -39648,13 +39648,13 @@ var require_picomatch3 = __commonJS({
       if (state && state.negated === true) {
         source = `^(?!${source}).*$`;
       }
-      const regex = picomatch11.toRegex(source, options);
+      const regex = picomatch12.toRegex(source, options);
       if (returnState === true) {
         regex.state = state;
       }
       return regex;
     };
-    picomatch11.makeRe = (input, options = {}, returnOutput = false, returnState = false) => {
+    picomatch12.makeRe = (input, options = {}, returnOutput = false, returnState = false) => {
       if (!input || typeof input !== "string") {
         throw new TypeError("Expected a non-empty string");
       }
@@ -39665,9 +39665,9 @@ var require_picomatch3 = __commonJS({
       if (!parsed.output) {
         parsed = parse16(input, options);
       }
-      return picomatch11.compileRe(parsed, options, returnOutput, returnState);
+      return picomatch12.compileRe(parsed, options, returnOutput, returnState);
     };
-    picomatch11.toRegex = (source, options) => {
+    picomatch12.toRegex = (source, options) => {
       try {
         const opts = options || {};
         return new RegExp(source, opts.flags || (opts.nocase ? "i" : ""));
@@ -39676,8 +39676,8 @@ var require_picomatch3 = __commonJS({
         return /$^/;
       }
     };
-    picomatch11.constants = constants4;
-    module2.exports = picomatch11;
+    picomatch12.constants = constants4;
+    module2.exports = picomatch12;
   }
 });
 
@@ -39695,7 +39695,7 @@ var require_micromatch = __commonJS({
     "use strict";
     var util5 = __require("util");
     var braces = require_braces();
-    var picomatch11 = require_picomatch4();
+    var picomatch12 = require_picomatch4();
     var utils = require_utils3();
     var isEmptyString = (val2) => val2 === "" || val2 === "./";
     var micromatch4 = (list2, patterns, options) => {
@@ -39712,7 +39712,7 @@ var require_micromatch = __commonJS({
         }
       };
       for (let i7 = 0; i7 < patterns.length; i7++) {
-        let isMatch4 = picomatch11(String(patterns[i7]), { ...options, onResult }, true);
+        let isMatch4 = picomatch12(String(patterns[i7]), { ...options, onResult }, true);
         let negated = isMatch4.state.negated || isMatch4.state.negatedExtglob;
         if (negated) negatives++;
         for (let item of list2) {
@@ -39740,8 +39740,8 @@ var require_micromatch = __commonJS({
       return matches;
     };
     micromatch4.match = micromatch4;
-    micromatch4.matcher = (pattern, options) => picomatch11(pattern, options);
-    micromatch4.isMatch = (str, patterns, options) => picomatch11(patterns, options)(str);
+    micromatch4.matcher = (pattern, options) => picomatch12(pattern, options);
+    micromatch4.isMatch = (str, patterns, options) => picomatch12(patterns, options)(str);
     micromatch4.any = micromatch4.isMatch;
     micromatch4.not = (list2, patterns, options = {}) => {
       patterns = [].concat(patterns).map(String);
@@ -39788,7 +39788,7 @@ var require_micromatch = __commonJS({
     micromatch4.some = (list2, patterns, options) => {
       let items = [].concat(list2);
       for (let pattern of [].concat(patterns)) {
-        let isMatch4 = picomatch11(String(pattern), options);
+        let isMatch4 = picomatch12(String(pattern), options);
         if (items.some((item) => isMatch4(item))) {
           return true;
         }
@@ -39798,7 +39798,7 @@ var require_micromatch = __commonJS({
     micromatch4.every = (list2, patterns, options) => {
       let items = [].concat(list2);
       for (let pattern of [].concat(patterns)) {
-        let isMatch4 = picomatch11(String(pattern), options);
+        let isMatch4 = picomatch12(String(pattern), options);
         if (!items.every((item) => isMatch4(item))) {
           return false;
         }
@@ -39809,23 +39809,23 @@ var require_micromatch = __commonJS({
       if (typeof str !== "string") {
         throw new TypeError(`Expected a string: "${util5.inspect(str)}"`);
       }
-      return [].concat(patterns).every((p3) => picomatch11(p3, options)(str));
+      return [].concat(patterns).every((p3) => picomatch12(p3, options)(str));
     };
     micromatch4.capture = (glob2, input, options) => {
       let posix3 = utils.isWindows(options);
-      let regex = picomatch11.makeRe(String(glob2), { ...options, capture: true });
+      let regex = picomatch12.makeRe(String(glob2), { ...options, capture: true });
       let match2 = regex.exec(posix3 ? utils.toPosixSlashes(input) : input);
       if (match2) {
         return match2.slice(1).map((v) => v === void 0 ? "" : v);
       }
     };
-    micromatch4.makeRe = (...args2) => picomatch11.makeRe(...args2);
-    micromatch4.scan = (...args2) => picomatch11.scan(...args2);
+    micromatch4.makeRe = (...args2) => picomatch12.makeRe(...args2);
+    micromatch4.scan = (...args2) => picomatch12.scan(...args2);
     micromatch4.parse = (patterns, options) => {
       let res = [];
       for (let pattern of [].concat(patterns || [])) {
         for (let str of braces(String(pattern), options)) {
-          res.push(picomatch11.parse(str, options));
+          res.push(picomatch12.parse(str, options));
         }
       }
       return res;
@@ -147531,7 +147531,7 @@ var require_micromatch2 = __commonJS({
     "use strict";
     var util5 = __require("util");
     var braces = require_braces2();
-    var picomatch11 = require_picomatch4();
+    var picomatch12 = require_picomatch4();
     var utils = require_utils3();
     var isEmptyString = (v) => v === "" || v === "./";
     var hasBraces = (v) => {
@@ -147552,7 +147552,7 @@ var require_micromatch2 = __commonJS({
         }
       };
       for (let i7 = 0; i7 < patterns.length; i7++) {
-        let isMatch4 = picomatch11(String(patterns[i7]), { ...options, onResult }, true);
+        let isMatch4 = picomatch12(String(patterns[i7]), { ...options, onResult }, true);
         let negated = isMatch4.state.negated || isMatch4.state.negatedExtglob;
         if (negated) negatives++;
         for (let item of list2) {
@@ -147580,8 +147580,8 @@ var require_micromatch2 = __commonJS({
       return matches;
     };
     micromatch4.match = micromatch4;
-    micromatch4.matcher = (pattern, options) => picomatch11(pattern, options);
-    micromatch4.isMatch = (str, patterns, options) => picomatch11(patterns, options)(str);
+    micromatch4.matcher = (pattern, options) => picomatch12(pattern, options);
+    micromatch4.isMatch = (str, patterns, options) => picomatch12(patterns, options)(str);
     micromatch4.any = micromatch4.isMatch;
     micromatch4.not = (list2, patterns, options = {}) => {
       patterns = [].concat(patterns).map(String);
@@ -147628,7 +147628,7 @@ var require_micromatch2 = __commonJS({
     micromatch4.some = (list2, patterns, options) => {
       let items = [].concat(list2);
       for (let pattern of [].concat(patterns)) {
-        let isMatch4 = picomatch11(String(pattern), options);
+        let isMatch4 = picomatch12(String(pattern), options);
         if (items.some((item) => isMatch4(item))) {
           return true;
         }
@@ -147638,7 +147638,7 @@ var require_micromatch2 = __commonJS({
     micromatch4.every = (list2, patterns, options) => {
       let items = [].concat(list2);
       for (let pattern of [].concat(patterns)) {
-        let isMatch4 = picomatch11(String(pattern), options);
+        let isMatch4 = picomatch12(String(pattern), options);
         if (!items.every((item) => isMatch4(item))) {
           return false;
         }
@@ -147649,23 +147649,23 @@ var require_micromatch2 = __commonJS({
       if (typeof str !== "string") {
         throw new TypeError(`Expected a string: "${util5.inspect(str)}"`);
       }
-      return [].concat(patterns).every((p3) => picomatch11(p3, options)(str));
+      return [].concat(patterns).every((p3) => picomatch12(p3, options)(str));
     };
     micromatch4.capture = (glob2, input, options) => {
       let posix3 = utils.isWindows(options);
-      let regex = picomatch11.makeRe(String(glob2), { ...options, capture: true });
+      let regex = picomatch12.makeRe(String(glob2), { ...options, capture: true });
       let match2 = regex.exec(posix3 ? utils.toPosixSlashes(input) : input);
       if (match2) {
         return match2.slice(1).map((v) => v === void 0 ? "" : v);
       }
     };
-    micromatch4.makeRe = (...args2) => picomatch11.makeRe(...args2);
-    micromatch4.scan = (...args2) => picomatch11.scan(...args2);
+    micromatch4.makeRe = (...args2) => picomatch12.makeRe(...args2);
+    micromatch4.scan = (...args2) => picomatch12.scan(...args2);
     micromatch4.parse = (patterns, options) => {
       let res = [];
       for (let pattern of [].concat(patterns || [])) {
         for (let str of braces(String(pattern), options)) {
-          res.push(picomatch11.parse(str, options));
+          res.push(picomatch12.parse(str, options));
         }
       }
       return res;
@@ -205359,6 +205359,7 @@ var AnalyzerTelemetryServer = class {
 
 // ../utils/src/command-utils.ts
 var DEFAULT_TIMEOUT_MS = 30 * 60 * 1e3;
+var DEFAULT_KILL_GRACE_PERIOD_MS = 60 * 1e3;
 async function execAndLogOnFailure(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail(cmd, dir, options);
   if (result.error) logCommandOutput(result, cmd, dir, logLevel);
@@ -205431,7 +205432,7 @@ function wrapWithMemoryLimit(cmd, options) {
                   2
                 )} MiB). Terminating process.`
               );
-              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess.kill("SIGTERM");
               subprocess = void 0;
             }
             prevHandler?.onTelemetry(metrics);
@@ -205467,15 +205468,38 @@ async function execNeverFail(cmd, dir, options) {
       let args2;
       if (typeof cmd !== "string") [cmd, ...args2] = cmd;
       const timeout = options?.timeout ?? DEFAULT_TIMEOUT_MS;
+      const killGracePeriodMs = options?.killGracePeriodMs ?? DEFAULT_KILL_GRACE_PERIOD_MS;
       const env = analyzerTelemetryFilePath ? { ...options?.env ?? process.env, ANALYZER_TELEMETRY_FILE_PATH: analyzerTelemetryFilePath } : options?.env;
+      let sigtermTimer;
+      let sigkillTimer;
       const childProcess = execFile2(
         cmd,
         args2,
-        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout },
+        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout: 0 },
         (error, stdout, stderr) => {
+          if (sigtermTimer) clearTimeout(sigtermTimer);
+          if (sigkillTimer) clearTimeout(sigkillTimer);
           resolve45({ error, stdout, stderr });
         }
       );
+      if (timeout > 0) {
+        sigtermTimer = setTimeout(() => {
+          if (childProcess.exitCode !== null || childProcess.signalCode !== null) return;
+          childProcess.kill();
+          if (killGracePeriodMs > 0) {
+            sigkillTimer = setTimeout(() => {
+              if (childProcess.exitCode === null && childProcess.signalCode === null) {
+                logger.debug(
+                  `Process (pid ${childProcess.pid}) did not exit within ${killGracePeriodMs}ms of SIGTERM; escalating to SIGKILL`
+                );
+                childProcess.kill("SIGKILL");
+              }
+            }, killGracePeriodMs);
+            sigkillTimer.unref?.();
+          }
+        }, timeout);
+        sigtermTimer.unref?.();
+      }
       if (options?.telemetryHandler && childProcess.pid)
         stopTelemetry = startTelemetry(childProcess, options.telemetryHandler);
       if (options?.pipe) {
@@ -205655,6 +205679,11 @@ async function getFilesRelative(dir, excludeDirs) {
         if (!excludeDirs?.includes(item.name)) await helper(itemPath, arrayOfFiles);
       } else if (item.isFile()) {
         arrayOfFiles.push(itemPath);
+      } else if (item.isSymbolicLink()) {
+        try {
+          if ((await stat(join3(dir, itemPath))).isFile()) arrayOfFiles.push(itemPath);
+        } catch {
+        }
       }
     }
     return arrayOfFiles;
@@ -224785,6 +224814,7 @@ var AnalyzerTelemetryServer2 = class {
 
 // ../utils/dist/command-utils.js
 var DEFAULT_TIMEOUT_MS2 = 30 * 60 * 1e3;
+var DEFAULT_KILL_GRACE_PERIOD_MS2 = 60 * 1e3;
 async function execAndLogOnFailure3(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail3(cmd, dir, options);
   if (result.error)
@@ -224853,7 +224883,7 @@ function wrapWithMemoryLimit2(cmd, options) {
           onTelemetry(metrics) {
             if (subprocess?.exitCode === null && metrics.rss >= memoryLimitKiB * 1024) {
               logger.debug(`Memory limit of ${options.memoryLimitInMB} MiB exceeded (RSS: ${(metrics.rss / 1024 / 1024).toFixed(2)} MiB). Terminating process.`);
-              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess.kill("SIGTERM");
               subprocess = void 0;
             }
             prevHandler?.onTelemetry(metrics);
@@ -224888,10 +224918,34 @@ async function execNeverFail3(cmd, dir, options) {
       if (typeof cmd !== "string")
         [cmd, ...args2] = cmd;
       const timeout = options?.timeout ?? DEFAULT_TIMEOUT_MS2;
+      const killGracePeriodMs = options?.killGracePeriodMs ?? DEFAULT_KILL_GRACE_PERIOD_MS2;
       const env = analyzerTelemetryFilePath ? { ...options?.env ?? process.env, ANALYZER_TELEMETRY_FILE_PATH: analyzerTelemetryFilePath } : options?.env;
-      const childProcess = execFile4(cmd, args2, { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout }, (error, stdout, stderr) => {
+      let sigtermTimer;
+      let sigkillTimer;
+      const childProcess = execFile4(cmd, args2, { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args2 === void 0, timeout: 0 }, (error, stdout, stderr) => {
+        if (sigtermTimer)
+          clearTimeout(sigtermTimer);
+        if (sigkillTimer)
+          clearTimeout(sigkillTimer);
         resolve45({ error, stdout, stderr });
       });
+      if (timeout > 0) {
+        sigtermTimer = setTimeout(() => {
+          if (childProcess.exitCode !== null || childProcess.signalCode !== null)
+            return;
+          childProcess.kill();
+          if (killGracePeriodMs > 0) {
+            sigkillTimer = setTimeout(() => {
+              if (childProcess.exitCode === null && childProcess.signalCode === null) {
+                logger.debug(`Process (pid ${childProcess.pid}) did not exit within ${killGracePeriodMs}ms of SIGTERM; escalating to SIGKILL`);
+                childProcess.kill("SIGKILL");
+              }
+            }, killGracePeriodMs);
+            sigkillTimer.unref?.();
+          }
+        }, timeout);
+        sigtermTimer.unref?.();
+      }
       if (options?.telemetryHandler && childProcess.pid)
         stopTelemetry = startTelemetry2(childProcess, options.telemetryHandler);
       if (options?.pipe) {
@@ -225800,14 +225854,25 @@ var YarnFixingManager = class extends NpmEcosystemFixingManager {
         ([pkgIdentifier, pkgObj2]) => pkgIdentifier.startsWith(`${fix.dependencyName}@`) && pkgObj2.version === fix.currentVersion
       );
       if (!packageToFix) return;
-      const [, pkgObj] = packageToFix;
+      const [oldKey, pkgObj] = packageToFix;
       const packageDetails = await getPackageVersionDetailsFromNpm(fix.dependencyName, fix.fixedVersion);
-      Object.assign(pkgObj, {
-        version: fix.fixedVersion,
-        resolution: `${fix.dependencyName}@npm:${fix.fixedVersion}`,
-        dependencies: packageDetails.dependencies
-      });
+      pkgObj.version = fix.fixedVersion;
+      pkgObj.resolution = `${fix.dependencyName}@npm:${fix.fixedVersion}`;
+      setOrDelete(pkgObj, "dependencies", withBerryNpmDescriptors(packageDetails.dependencies));
+      setOrDelete(pkgObj, "optionalDependencies", withBerryNpmDescriptors(packageDetails.optionalDependencies));
       delete pkgObj.checksum;
+      const exactOldKey = `${fix.dependencyName}@npm:${fix.currentVersion}`;
+      const newKey = `${fix.dependencyName}@npm:${fix.fixedVersion}`;
+      if (oldKey === exactOldKey && newKey !== oldKey) {
+        const lock = yarnLock;
+        if (lock[newKey] !== void 0 && lock[newKey] !== pkgObj) {
+          throw new Error(
+            `Cannot rename lockfile entry "${oldKey}" to "${newKey}": target key already exists with different contents`
+          );
+        }
+        lock[newKey] = pkgObj;
+        delete lock[oldKey];
+      }
     });
     await this.writeYarnObj(yarnLock, yarnLockLocation);
   }
@@ -225852,6 +225917,21 @@ var YarnFixingManager = class extends NpmEcosystemFixingManager {
     }
   }
 };
+function withBerryNpmDescriptors(deps) {
+  if (!deps) return deps;
+  const result = {};
+  for (const [name2, range2] of Object.entries(deps)) {
+    result[name2] = /^[a-z][a-z0-9+.-]*:/i.test(range2) ? range2 : `npm:${range2}`;
+  }
+  return result;
+}
+function setOrDelete(obj, key, value2) {
+  if (value2 === void 0) {
+    delete obj[key];
+  } else {
+    obj[key] = value2;
+  }
+}
 async function checkForYarnResolutions(packageJsonPath, fixes) {
   if (!existsSync16(packageJsonPath)) return;
   const content = await readFile19(packageJsonPath, "utf-8");
@@ -229685,11 +229765,13 @@ var PipSocketUpgradeManager = class {
   );
   pyprojectTomlMatcher = (0, import_picomatch8.default)("pyproject.toml", { basename: true });
   uvLockMatcher = (0, import_picomatch8.default)("uv.lock", { basename: true });
+  poetryLockMatcher = (0, import_picomatch8.default)("poetry.lock", { basename: true });
   async applySocketArtifactUpgrades(ctxt) {
     const pyprojectTomlFiles = ctxt.manifestFiles.filter((f6) => this.pyprojectTomlMatcher(f6));
     const patches = [];
     const uvLockFilesToValidate = /* @__PURE__ */ new Set();
     const lockFileToDepTree = /* @__PURE__ */ new Map();
+    const poetryLockArtifacts = /* @__PURE__ */ new Map();
     for (const [idx, upgradeVersion] of ctxt.upgrades) {
       const artifact = ctxt.artifacts[idx];
       assert13(artifact.name);
@@ -229761,6 +229843,10 @@ var PipSocketUpgradeManager = class {
           patches.push(...await this.createUvLockPatches(mf.file, idx, upgradeVersion, ctxt));
           uvLockFilesToValidate.add(mf.file);
           patches.push(...await this.createOverrideDependencyUpdatePatches(rootTomlFile, idx, upgradeVersion, ctxt));
+        } else if (this.poetryLockMatcher(mf.file)) {
+          const existing = poetryLockArtifacts.get(mf.file) ?? [];
+          existing.push(idx);
+          poetryLockArtifacts.set(mf.file, existing);
         } else {
           ctxt.statusUpdater?.({
             status: "error",
@@ -229780,6 +229866,14 @@ var PipSocketUpgradeManager = class {
         }
       }
     }
+    for (const [file, artifacts] of poetryLockArtifacts) {
+      ctxt.statusUpdater?.({
+        status: "error",
+        file,
+        artifacts,
+        message: "The Poetry package manager is not currently supported for upgrades"
+      });
+    }
     await applyPatches("PIP", this.rootDir, patches, ctxt);
     for (const lockFile of uvLockFilesToValidate) {
       const upgradesForLockFile = [];
@@ -234861,7 +234955,7 @@ async function computeFixesAndUpgradePurls(path9, options, logFile) {
   }
   if (upgrades.size === 0) {
     if (autofixRunId) {
-      await getSocketAPI().finalizeAutofixRun(autofixRunId, "fixed-none");
+      await getSocketAPI().finalizeAutofixRun(autofixRunId, "fixed-none", void 0, await logger.getLogContent(logFile));
     }
     throw new Error(`Unable to compute fixes for any of the requested vulnerabilities: ${prettyApplyFixesTo(options.applyFixesTo)}`);
   }
@@ -234879,7 +234973,7 @@ async function computeFixesAndUpgradePurls(path9, options, logFile) {
     }, autofixRunId) ?? "fixed-all";
     if (autofixRunId) {
       const allGhsasFailed = fixesFound.length === 0;
-      await getSocketAPI().finalizeAutofixRun(autofixRunId, ghsasWithFailedArtifacts.length === 0 && applyFixesStatus === "fixed-all" ? "fixed-all" : allGhsasFailed || applyFixesStatus === "fixed-none" ? "fixed-none" : "fixed-some");
+      await getSocketAPI().finalizeAutofixRun(autofixRunId, ghsasWithFailedArtifacts.length === 0 && applyFixesStatus === "fixed-all" ? "fixed-all" : allGhsasFailed || applyFixesStatus === "fixed-none" ? "fixed-none" : "fixed-some", void 0, await logger.getLogContent(logFile));
     }
     return {
       type: "applied-fixes",
@@ -234965,6 +235059,7 @@ import { existsSync as existsSync30, writeFileSync as writeFileSync3 } from "fs"
 import { mkdir as mkdir6, rm as rm3, writeFile as writeFile15 } from "fs/promises";
 var import_lodash15 = __toESM(require_lodash(), 1);
 import os2 from "os";
+var import_picomatch11 = __toESM(require_picomatch2(), 1);
 import { join as join34, relative as relative22, resolve as resolve42 } from "path";
 
 // ../utils/src/dashboard-api/shared-api.ts
@@ -251822,7 +251917,7 @@ async function onlineScan(dependencyTree, apiKey, timeout) {
 }
 
 // dist/version.js
-var version3 = "15.0.3";
+var version3 = "15.0.5";
 
 // dist/cli-core.js
 var { mapValues, omit, partition, pickBy: pickBy2 } = import_lodash15.default;
@@ -252088,11 +252183,50 @@ var CliCore = class {
       logger.info(bold(`  ${ecosystem} (${workspaces.length}):`));
       workspaces.forEach((workspace) => logger.info(bold(`    ${workspace}`)));
     });
+    const ecosystemToWorkspaceToAnalysisDataForPreinstall = {};
+    const ecosystemToWorkspaceToVulnerabilitiesForPreinstall = {};
+    for (const [ecosystem, workspaceToAnalysisData] of Object.entries(ecosystemToWorkspaceToAnalysisData)) {
+      if (this.options.purlTypes && !this.options.purlTypes.some((purlType) => getAdvisoryEcosystemFromPurlType(purlType) === ecosystem)) {
+        continue;
+      }
+      const includeDirs = this.options.includeDirs ?? [];
+      const filteredWorkspaces = {};
+      for (const [workspace, analysisData] of Object.entries(workspaceToAnalysisData)) {
+        const resolvedWorkspace = resolve42(this.rootWorkingDirectory, workspace);
+        const shouldExclude = shouldIgnoreDueToExcludeDirsOrChangedFiles({
+          mainProjectDir: this.rootWorkingDirectory,
+          excludeDirs: this.options.excludeDirs ?? [],
+          changedFiles: this.options.changedFiles,
+          includeDirs
+        }, resolvedWorkspace);
+        if (shouldExclude)
+          continue;
+        if (includeDirs.length > 0) {
+          const relPath = relative22(this.rootWorkingDirectory, resolvedWorkspace);
+          if (!import_picomatch11.default.isMatch(relPath, includeDirs))
+            continue;
+        }
+        filteredWorkspaces[workspace] = analysisData;
+      }
+      if (Object.keys(filteredWorkspaces).length > 0) {
+        ecosystemToWorkspaceToAnalysisDataForPreinstall[ecosystem] = filteredWorkspaces;
+        const ecosystemVulns = ecosystemToWorkspaceToVulnerabilities[ecosystem];
+        if (ecosystemVulns) {
+          const filteredVulns = {};
+          for (const workspace of Object.keys(filteredWorkspaces)) {
+            if (ecosystemVulns[workspace]) {
+              filteredVulns[workspace] = ecosystemVulns[workspace];
+            }
+          }
+          ecosystemToWorkspaceToVulnerabilitiesForPreinstall[ecosystem] = filteredVulns;
+        }
+      }
+    }
     let preinstallDir;
     try {
       logger.info(bold("Pre-installing dependencies for all projects..."));
       preinstallDir = await createTmpDirectory("coana-preinstall");
-      await this.preInstallAllDependencies(preinstallDir, ecosystemToWorkspaceToAnalysisData, ecosystemToWorkspaceToVulnerabilities, otherModulesCommunicator);
+      await this.preInstallAllDependencies(preinstallDir, ecosystemToWorkspaceToAnalysisDataForPreinstall, ecosystemToWorkspaceToVulnerabilitiesForPreinstall, otherModulesCommunicator);
       logger.info(bold("All dependencies pre-installed successfully"));
     } catch (e) {
       if (this.options.reachContinueOnInstallErrors) {
@@ -252644,7 +252778,7 @@ Subproject: ${subproject}`);
     const allFailures = [];
     await asyncMap(installTasks, async ({ ecosystem, workspace, analysisData, vulnerabilities, installDir }) => {
       try {
-        const result = await otherModulesCommunicator.installDependencies(workspace, ".", analysisData, ecosystem, vulnerabilities, {
+        const result = await otherModulesCommunicator.installDependencies(this.rootWorkingDirectory, workspace, analysisData, ecosystem, vulnerabilities, {
           timeoutSeconds: {
             allVulnRuns: this.analysisTimeoutInSeconds,
             bucketedRuns: bucketedAnalysisTimeoutInSeconds
@@ -252654,14 +252788,14 @@ Subproject: ${subproject}`);
           haltOnInstallErrors: false
         }, installDir);
         if (result.failedPackages.length > 0) {
-          logger.info(`  ${ecosystem}/${workspace}: failed to install ${result.failedPackages.join(", ")}`);
+          logger.info(`  ${ecosystem}:${workspace}: failed to install ${result.failedPackages.join(", ")}`);
           allFailures.push({ ecosystem, workspace, failedPackages: result.failedPackages });
         } else {
-          logger.info(`  ${ecosystem}/${workspace}: all packages installed successfully`);
+          logger.info(`  ${ecosystem}:${workspace}: all packages installed successfully`);
         }
       } catch (e) {
         const message2 = e instanceof Error ? e.message : String(e);
-        logger.info(`  ${ecosystem}/${workspace}: pre-install failed (${message2})`);
+        logger.info(`  ${ecosystem}:${workspace}: pre-install failed (${message2})`);
         allFailures.push({ ecosystem, workspace, failedPackages: [`(pre-install error: ${message2})`] });
       }
     }, Number(this.options.concurrency));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coana-tech/cli",
-  "version": "15.0.3",
+  "version": "15.0.5",
   "description": "Coana CLI",
   "type": "module",
   "bin": {

package/reachability-analyzers-cli.mjs

@@ -87597,6 +87597,7 @@ var AnalyzerTelemetryServer = class {
 
 // ../utils/src/command-utils.ts
 var DEFAULT_TIMEOUT_MS = 30 * 60 * 1e3;
+var DEFAULT_KILL_GRACE_PERIOD_MS = 60 * 1e3;
 async function execAndLogOnFailure(cmd, dir, options, logLevel = "info") {
   const result = await execNeverFail(cmd, dir, options);
   if (result.error) logCommandOutput(result, cmd, dir, logLevel);
@@ -87666,7 +87667,7 @@ function wrapWithMemoryLimit(cmd, options) {
                   2
                 )} MiB). Terminating process.`
               );
-              subprocess.kill(options.killSignal ?? "SIGTERM");
+              subprocess.kill("SIGTERM");
               subprocess = void 0;
             }
             prevHandler?.onTelemetry(metrics);
@@ -87702,15 +87703,38 @@ async function execNeverFail(cmd, dir, options) {
       let args;
       if (typeof cmd !== "string") [cmd, ...args] = cmd;
       const timeout = options?.timeout ?? DEFAULT_TIMEOUT_MS;
+      const killGracePeriodMs = options?.killGracePeriodMs ?? DEFAULT_KILL_GRACE_PERIOD_MS;
       const env = analyzerTelemetryFilePath ? { ...options?.env ?? process.env, ANALYZER_TELEMETRY_FILE_PATH: analyzerTelemetryFilePath } : options?.env;
+      let sigtermTimer;
+      let sigkillTimer;
       const childProcess = execFile2(
         cmd,
         args,
-        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args === void 0, timeout },
+        { ...options, env, cwd: dir, maxBuffer: 1024 * 1024 * 1024, shell: args === void 0, timeout: 0 },
         (error, stdout, stderr) => {
+          if (sigtermTimer) clearTimeout(sigtermTimer);
+          if (sigkillTimer) clearTimeout(sigkillTimer);
           resolve28({ error, stdout, stderr });
         }
       );
+      if (timeout > 0) {
+        sigtermTimer = setTimeout(() => {
+          if (childProcess.exitCode !== null || childProcess.signalCode !== null) return;
+          childProcess.kill();
+          if (killGracePeriodMs > 0) {
+            sigkillTimer = setTimeout(() => {
+              if (childProcess.exitCode === null && childProcess.signalCode === null) {
+                logger.debug(
+                  `Process (pid ${childProcess.pid}) did not exit within ${killGracePeriodMs}ms of SIGTERM; escalating to SIGKILL`
+                );
+                childProcess.kill("SIGKILL");
+              }
+            }, killGracePeriodMs);
+            sigkillTimer.unref?.();
+          }
+        }, timeout);
+        sigtermTimer.unref?.();
+      }
       if (options?.telemetryHandler && childProcess.pid)
         stopTelemetry = startTelemetry(childProcess, options.telemetryHandler);
       if (options?.pipe) {
@@ -87961,6 +87985,11 @@ async function getFiles(dir, excludeDirs) {
         if (!excludeDirs?.includes(item.name)) await helper(itemPath, arrayOfFiles);
       } else if (item.isFile()) {
         arrayOfFiles.push(itemPath);
+      } else if (item.isSymbolicLink()) {
+        try {
+          if ((await stat(itemPath)).isFile()) arrayOfFiles.push(itemPath);
+        } catch {
+        }
       }
     }
     return arrayOfFiles;
@@ -96286,7 +96315,7 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const outputFile = resolve9(tmpDir, "output.json");
       await writeFile5(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.dotnet });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.dotnet });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile7(outputFile, "utf-8")).result;
@@ -96327,7 +96356,6 @@ var DotnetCodeAwareVulnerabilityScanner = class _DotnetCodeAwareVulnerabilitySca
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
       const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runDotnetReachabilityAnalysis -i ${inputFile} -o ${outputFile} --cocoa ${getCocoaPath()} --tree-sitter-c-sharp ${getTreeSitterCSharpPath()}`, void 0, {
         timeout: timeoutMs,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.dotnet,
         telemetryHandler,
         analyzerTelemetryHandler
@@ -110365,7 +110393,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const outputFile = resolve10(tmpDir, "output.json");
       await writeFile6(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.java });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.java });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile8(outputFile, "utf-8")).result;
@@ -110404,7 +110432,7 @@ var JavaCodeAwareVulnerabilityScanner = class _JavaCodeAwareVulnerabilityScanner
       const outputFile = resolve10(tmpDir, "output.json");
       await writeFile6(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmReachabilityAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.java, telemetryHandler, analyzerTelemetryHandler });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runJvmReachabilityAnalysis -i ${inputFile} -o ${outputFile} --javap-service ${getJavapServicePath()} --tree-sitter-java ${getTreeSitterJavaPath()} --tree-sitter-kotlin ${getTreeSitterKotlinPath()} --tree-sitter-scala ${getTreeSitterScalaPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.java, telemetryHandler, analyzerTelemetryHandler });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile8(outputFile, "utf-8")).result;
@@ -110925,7 +110953,7 @@ function tarjanAndCondensation(packageMetadatas) {
 
 // dist/whole-program-code-aware-vulnerability-scanner/js/dependency-preparation.js
 async function prepareNpmDependencies(subprojectDir, workspaceDir, artifactIdToArtifact, directDependencies, packageNamesToInstall, preinstallDir) {
-  if (existsSync11(resolve12(subprojectDir, "node_modules")))
+  if (existsSync11(resolve12(subprojectDir, "node_modules")) || existsSync11(resolve12(workspaceDir, "node_modules")))
     return { failedPackages: [], installedPackages: [] };
   const artifactToOriginal = /* @__PURE__ */ new Map();
   const transitiveDependenciesToInstall = Object.fromEntries(Object.entries(artifactIdToArtifact).filter(([_, dep]) => packageNamesToInstall.includes(getPackageName(dep))).map(([depId, dep]) => {
@@ -111039,7 +111067,6 @@ var JSAnalysisEngine = class {
         ${options.entryPoints ?? projectRoot}`;
       await runCommandResolveStdOut2(cmd, void 0, {
         timeout: options.timeoutSeconds.allVulnRuns * 1e3,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.js,
         telemetryHandler,
         analyzerTelemetryHandler
@@ -111134,10 +111161,11 @@ var JellyJSAnalysisEngine = class extends JSAnalysisEngine {
       await runCommandResolveStdOut2(
         cmdToRun,
         void 0,
-        // Use SIGKILL to ensure termination even if the process is unresponsive 50% above the timeout (e.g., due to GC pressure).
+        // Terminate if the process exceeds 1.5x the timeout (e.g., due to GC pressure making
+        // Jelly's internal timeout checks unreliable). execNeverFail sends SIGTERM first and
+        // escalates to SIGKILL after a grace period if the process remains alive.
         {
           timeout: timeoutInSeconds * 1e3 * 1.5,
-          killSignal: "SIGKILL",
           heartbeat: HEARTBEATS.js,
           telemetryHandler,
           analyzerTelemetryHandler,
@@ -111188,7 +111216,6 @@ var JellyJSAnalysisEngine = class extends JSAnalysisEngine {
           --reachable-json ${reachablePackagesFile} ${projectRoot}`;
       await runCommandResolveStdOut2(jellyCmd, void 0, {
         timeout: options.timeoutSeconds.allVulnRuns * 1e3,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.js,
         telemetryHandler,
         analyzerTelemetryHandler
@@ -111905,6 +111932,7 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
           ${/* XXX: Requires Node 22+ */
       approx && "--approx"}
           --callstacks-json ${callStackFile}
+          --escape-patch-resolved-reads
           --unresolved-non-vulnerable
           ${parseShellArgs(process.env.COANA_SPARJS_ADDITIONAL_FLAGS ?? "")}
           ${filesToAnalyze}
@@ -111912,10 +111940,10 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
       await runCommandResolveStdOut2(
         cmd,
         void 0,
-        // Use SIGKILL to ensure termination even if the process is unresponsive 50% above the timeout
+        // Terminate if the process exceeds 1.5x the timeout. execNeverFail sends SIGTERM
+        // first and escalates to SIGKILL after a grace period if the process remains alive.
         {
           timeout: timeoutInSeconds * 1e3 * 1.5,
-          killSignal: "SIGKILL",
           heartbeat: HEARTBEATS.js,
           telemetryHandler,
           analyzerTelemetryHandler,
@@ -111950,12 +111978,14 @@ var SparJSAnalysisEngine = class extends JSAnalysisEngine {
       for (const match2 of Object.values(matches))
         match2.affectedPackages = uniq5(match2.stacks.flatMap((stack) => map3(stack, "package")));
       const affectedPackages = JSON.parse(await readFile11(affectedPackagesFile, "utf-8")).packages;
+      const aborted = analysisDiagnostics.solver.aborted;
       return {
         matches,
         analysisDiagnostics: {
           ...analysisDiagnostics,
-          aborted: analysisDiagnostics.solver.aborted,
-          timeout: analysisDiagnostics.totalTime / 1e6 >= timeoutInSeconds,
+          aborted: !!aborted,
+          timeout: aborted === "timeout",
+          lowmemory: aborted === "out_of_memory",
           timings: {
             analysisTime: (analysisDiagnostics.totalTime - analysisDiagnostics.patternMatchingTime) / 1e3,
             patternMatchingTime: analysisDiagnostics.patternMatchingTime / 1e3,
@@ -112071,7 +112101,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
       ...new Set(state.vulnerabilities.flatMap((v) => Object.values(v.vulnChainDetails?.transitiveDependencies ?? {}).filter((d) => d.vulnerable === true).map((d) => d.packageName)))
     ];
     const packagesToInstall = !includePackages ? state.workspaceData.type === "coana" ? Object.values(state.workspaceData.data.dependencyTree.transitiveDependencies).map((dep) => getPackageName(dep)) : state.workspaceData.data.artifacts.map((dep) => getPackageName(dep)) : [.../* @__PURE__ */ new Set([...includePackages, ...vulnerablePackageNames])];
-    const { failedPackages } = await prepareNpmDependencies(state.rootWorkingDir, this.projectDir, state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.transitiveDependencies : Object.fromEntries(state.workspaceData.data.artifacts.map((d) => [d.id, d])), state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.dependencies ?? [] : state.workspaceData.data.artifacts.filter((a2) => a2.direct).map((a2) => a2.id), packagesToInstall, state.preinstallDir);
+    const { failedPackages } = await prepareNpmDependencies(state.subprojectDir, this.projectDir, state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.transitiveDependencies : Object.fromEntries(state.workspaceData.data.artifacts.map((d) => [d.id, d])), state.workspaceData.type === "coana" ? state.workspaceData.data.dependencyTree.dependencies ?? [] : state.workspaceData.data.artifacts.filter((a2) => a2.direct).map((a2) => a2.id), packagesToInstall, state.preinstallDir);
     this.packagesExcludedUnrelatedToHeuristic = failedPackages.map((p) => getPackageName(p));
   }
   async runAnalysis(vulnerabilities, heuristic, timeoutInSeconds, experiment, telemetryHandler, analyzerTelemetryHandler) {
@@ -112080,7 +112110,7 @@ var JSCodeAwareVulnerabilityScanner = class _JSCodeAwareVulnerabilityScanner {
       analysisOptionsFromHeuristic.approx = process.env.JELLY_APPROX === "true" || experiment === "JELLY_APPROX";
       const analysisRes = await this.resolveEngine(experiment).runAnalysis(this.mainProjectDir, this.projectDir, analysisOptionsFromHeuristic, this.options, timeoutInSeconds, vulnerabilities, experiment, telemetryHandler, analyzerTelemetryHandler);
       const { analysisDiagnostics: diagnostics, matches } = analysisRes;
-      const terminatedEarly = diagnostics.lowmemory ?? diagnostics.rangeError ?? (diagnostics.aborted || diagnostics.timeout);
+      const terminatedEarly = diagnostics.rangeError ?? (diagnostics.aborted || diagnostics.timeout || diagnostics.lowmemory);
       return {
         type: "success",
         diagnostics,
@@ -112317,7 +112347,6 @@ var GoCodeAwareVulnerabilityScanner = class {
           -topk=4 ${heuristic.includeTests && "-tests"}
           ${this.projectDir} ${vulnAccPaths}`, void 0, {
         timeout: timeoutInSeconds * 1e3,
-        killSignal: "SIGKILL",
         memoryLimitInMB,
         env: memoryLimitInMB ? { ...process.env, GOMEMLIMIT: `${Math.max(Math.ceil(memoryLimitInMB - 256), 0)}MiB` } : void 0,
         heartbeat: HEARTBEATS.go,
@@ -112728,7 +112757,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       const outputFile = resolve17(tmpDir, "output.json");
       await writeFile10(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(timeoutInSeconds * 1.5, timeoutInSeconds + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.rust });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustDirectDependencyAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.rust });
       if (result.error)
         return void 0;
       const packageIds = JSON.parse(await readFile13(outputFile, "utf-8")).result;
@@ -112764,7 +112793,7 @@ var RustCodeAwareVulnerabilityScanner = class _RustCodeAwareVulnerabilityScanner
       const outputFile = resolve17(tmpDir, "output.json");
       await writeFile10(inputFile, JSON.stringify(options));
       const timeoutMs = Math.max(effectiveTimeout * 1.5, effectiveTimeout + 30) * 1e3;
-      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustReachabilityAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, killSignal: "SIGKILL", heartbeat: HEARTBEATS.rust, telemetryHandler, analyzerTelemetryHandler });
+      const result = await execNeverFail2(cmdt`${await getNodeExecutable(ToolPathResolver.nodeExecutablePath)} ${getClassGraphAnalysisCliPath()} runRustReachabilityAnalysis -i ${inputFile} -o ${outputFile} --tree-sitter-rust ${getTreeSitterRustPath()}`, void 0, { timeout: timeoutMs, heartbeat: HEARTBEATS.rust, telemetryHandler, analyzerTelemetryHandler });
       if (result.error)
         return { type: "error", message: result.error.message ?? "unknown error" };
       const { success, error, analysisDiagnostics: diagnostics, vulnerablePaths, reachablePackageIds } = JSON.parse(await readFile13(outputFile, "utf-8")).result;
@@ -113278,9 +113307,8 @@ var PythonCodeAwareVulnerabilityScanner = class {
           PYPY_GC_MAX: `${memoryLimitInMB ? Math.max(Math.ceil(memoryLimitInMB - 256), 1) : 0}MB`
         },
         // Forcefully kill the process if the internal timeout mechanism fails.
-        // Use SIGKILL to ensure termination even if the process is unresponsive.
+        // execNeverFail sends SIGTERM first and escalates to SIGKILL after a grace period.
         timeout: (timeoutInSeconds * 1.5 + 15) * 1e3,
-        killSignal: "SIGKILL",
         heartbeat: HEARTBEATS.python,
         telemetryHandler,
         analyzerTelemetryHandler,
@@ -113979,9 +114007,22 @@ async function analyzeWithHeuristics(state, vulns, heuristicsInOrder, doNotRecom
           heuristic: getHeuristicFromName(state, b.heuristicName, ecosystem),
           vulnerabilities: b.vulnUrls.map((vUrl) => vulnerabilities.find((v) => v.url === vUrl))
         })), analysisMetadataCollector, true);
+        const originalUrlToReachability = transformVulnsToUrlToReachability(resWithoutExperimentalHeuristic.augmentedVulnerabilities);
+        if (expHeuristicName === "SPARJS_EXPERIMENT") {
+          for (const v of resWithoutExperimentalHeuristic.augmentedVulnerabilities) {
+            if (v.results.type !== "success")
+              continue;
+            const { stacks } = v.results.detectedOccurrences;
+            if (!stacks.length)
+              continue;
+            const pkgsInVulnChain = new Set(Object.values(v.vulnChainDetails.transitiveDependencies).map((d) => d.packageName));
+            if (stacks.every((s2) => s2.some((f2, i4) => i4 > 0 && !pkgsInVulnChain.has(f2.package))))
+              ignoredVulnerabilities.add(v.url);
+          }
+        }
         await Promise.all([
           sendTimeRegressionsToDashboard(expHeuristicName, resWithoutExperimentalHeuristic.analysisMetadata, bucketsToRecompute),
-          sendReachabilityRegressionsToDashboard(resWithoutExperimentalHeuristic.analysisMetadata[0].heuristicName, expHeuristicName, transformVulnsToUrlToReachability(resWithoutExperimentalHeuristic.augmentedVulnerabilities), experimentalUrlToReachability, ignoredVulnerabilities)
+          sendReachabilityRegressionsToDashboard(resWithoutExperimentalHeuristic.analysisMetadata[0].heuristicName, expHeuristicName, originalUrlToReachability, experimentalUrlToReachability, ignoredVulnerabilities)
         ]);
       }
       const vulnsToGetFromExperimental = bucketsNotToRecompute.flatMap((b) => b.vulnUrls);
@@ -114289,8 +114330,8 @@ function findDuplicateVulnsInBuckets(bucketsFromLastAnalysis) {
   }
   return duplicateUrls;
 }
-function transformVulnsToUrlToReachability(oldHeuristicAugmentedVulnerabilities) {
-  return Object.fromEntries(oldHeuristicAugmentedVulnerabilities.map((v) => [
+function transformVulnsToUrlToReachability(augmentedVulnerabilities) {
+  return Object.fromEntries(augmentedVulnerabilities.map((v) => [
     v.url,
     {
       reachability: getVulnReachability(v.results),
@@ -114402,7 +114443,7 @@ async function runSparPhpAnalysis(projectDir, vulns, includePackages, timeoutInS
     const vulnInput = vulns.map((v) => {
       const vulnerablePackage = Object.values(v.vulnChainDetails?.transitiveDependencies ?? {}).find((d) => d.vulnerable);
       return {
-        npm: { url: v.url, name: vulnerablePackage?.packageName ?? "", range: "*" },
+        advisory: { url: v.url, name: vulnerablePackage?.packageName ?? "", range: "*" },
         patterns: v.vulnerabilityAccessPaths
       };
     });
@@ -114416,7 +114457,6 @@ async function runSparPhpAnalysis(projectDir, vulns, includePackages, timeoutInS
         ${includePackagesArgs}`, void 0, {
       timeout: (timeoutInSeconds + 10) * 1e3,
       // Give a bit of extra time for spar-php to shut down gracefully
-      killSignal: "SIGKILL",
       heartbeat: HEARTBEATS.php,
       telemetryHandler,
       analyzerTelemetryHandler
@@ -114899,8 +114939,9 @@ var NpmAnalyzer = class {
   }
   async runReachabilityAnalysis(vulns, analysisMetadataCollector, statusUpdater) {
     const heuristicsInOrder = this.state.otherAnalysisOptions.lightweightReachability ? [heuristics.IGNORE_DEPENDENCIES_AND_MAX_ROUNDS_3] : [heuristics.ONLY_VULN_PATH_PACKAGES_EXCEPT_VULNERABLE_PACKAGE];
-    const nodeModulesAlreadyExisted = existsSync20(resolve25(this.state.subprojectDir, "node_modules"));
-    this.preinstalledDependencies = nodeModulesAlreadyExisted ? "YES" : "NO";
+    const nodeModulesAlreadyExistedInSubprojectDir = existsSync20(resolve25(this.state.subprojectDir, "node_modules"));
+    const nodeModulesAlreadyExistedInProjectDir = existsSync20(resolve25(this.projectDir, "node_modules"));
+    this.preinstalledDependencies = nodeModulesAlreadyExistedInSubprojectDir || nodeModulesAlreadyExistedInProjectDir ? "YES" : "NO";
     const wrappedCollector = (metadata) => {
       const jellyDiagnostics = metadata.analysisDiagnostics;
       if (jellyDiagnostics?.modules !== void 0) {
@@ -115025,11 +115066,11 @@ ${e.stack}` : String(e),
       return res;
     } finally {
       await Promise.all([this.engine.cleanup(), vulnerabilityScanner.cleanup()]);
-      if (!nodeModulesAlreadyExisted) {
-        if (existsSync20(resolve25(this.state.subprojectDir, "node_modules")))
-          await rm11(resolve25(this.state.subprojectDir, "node_modules"), { recursive: true });
-        if (existsSync20(resolve25(this.projectDir, "node_modules")))
-          await rm11(resolve25(this.projectDir, "node_modules"), { recursive: true });
+      if (!nodeModulesAlreadyExistedInSubprojectDir) {
+        await rm11(resolve25(this.state.subprojectDir, "node_modules"), { recursive: true, force: true });
+      }
+      if (!nodeModulesAlreadyExistedInProjectDir) {
+        await rm11(resolve25(this.projectDir, "node_modules"), { recursive: true, force: true });
       }
     }
   }
@@ -115224,7 +115265,6 @@ var RubyCodeAwareVulnerabilityScanner = class {
         this.numberAnalysesRun++;
         await exec2(cmd, this.projectDir, {
           timeout: (timeoutInSeconds * 1.5 + 10) * 1e3,
-          killSignal: "SIGKILL",
           heartbeat: HEARTBEATS.ruby,
           telemetryHandler
         });