@code-pushup/js-packages-plugin 0.29.0 → 0.34.0

package/CONTRIBUTING.md

@@ -0,0 +1,10 @@
+# Contributing to js-packages
+
+## Adding new package managers
+
+In order to add a support for a new package manager, one needs to do the following.
+
+1. Expand `packageManagerSchema` in `config.ts`.
+2. Expand `<command>Args` in `runner/<command>/constants.ts` with a set of arguments to be run for a given package manager command.
+3. Create a custom type in `runner/<command>/types.ts` with relevant properties based on expected command JSON output.
+4. Create a function in `runner/<command>/unify-type.ts` that will transform JSON output into a normalized type `OutdatedResult` or `AuditResult` and add it to `normalized<command>Mapper` in `runner/<command>/constants.ts`.

package/README.md

@@ -10,9 +10,14 @@ This plugin checks for known vulnerabilities and outdated dependencies.
 It supports the following package managers:
 
 - [NPM](https://docs.npmjs.com/)
-- [Yarn v1](https://classic.yarnpkg.com/docs/) & [Yarn v2+](https://yarnpkg.com/getting-started)
+- [Yarn v1](https://classic.yarnpkg.com/docs/)
+- [Yarn v2+](https://yarnpkg.com/getting-started)
+  - In order to check outdated dependencies for Yarn v2+, you need to install [`yarn-plugin-outdated`](https://github.com/mskelton/yarn-plugin-outdated).
 - [PNPM](https://pnpm.io/pnpm-cli)
 
+> ![NOTE]
+> As of now, Yarn v2 does not support security audit of optional dependencies. Only production and dev dependencies audits will be included in the report.
+
 ## Getting started
 
 1. If you haven't already, install [@code-pushup/cli](../cli/README.md) and create a configuration file.
@@ -97,7 +102,7 @@ The plugin accepts the following parameters:
 
 ### Audits and group
 
-This plugin provides a group per check for a convenient declaration in your config.
+This plugin provides a group per check for a convenient declaration in your config. Each group contains audits for all supported groups of dependencies (`prod`, `dev` and `optional`).
 
 ```ts
      // ...

package/bin.js

@@ -657,6 +657,20 @@ import chalk2 from "chalk";
 import { mkdir, readFile, readdir, rm, stat } from "node:fs/promises";
 import { join } from "node:path";
 
+// packages/utils/src/lib/formatting.ts
+function pluralize(text, amount) {
+  if (amount != null && Math.abs(amount) === 1) {
+    return text;
+  }
+  if (text.endsWith("y")) {
+    return `${text.slice(0, -1)}ies`;
+  }
+  if (text.endsWith("s")) {
+    return `${text}es`;
+  }
+  return `${text}s`;
+}
+
 // packages/utils/src/lib/guards.ts
 function isPromiseFulfilledResult(result) {
   return result.status === "fulfilled";
@@ -739,7 +753,7 @@ var ProcessError = class extends Error {
   }
 };
 function executeProcess(cfg) {
-  const { observer, cwd, command, args, alwaysResolve = false } = cfg;
+  const { observer, cwd, command, args, ignoreExitCode = false } = cfg;
   const { onStdout, onError, onComplete } = observer ?? {};
   const date = (/* @__PURE__ */ new Date()).toISOString();
   const start = performance.now();
@@ -759,7 +773,7 @@ function executeProcess(cfg) {
     });
     process2.on("close", (code) => {
       const timings = { date, duration: calcDuration(start) };
-      if (code === 0 || alwaysResolve) {
+      if (code === 0 || ignoreExitCode) {
         onComplete?.();
         resolve({ code, stdout, stderr, ...timings });
       } else {
@@ -775,9 +789,25 @@ function executeProcess(cfg) {
 import { simpleGit } from "simple-git";
 
 // packages/utils/src/lib/transform.ts
+import { platform } from "node:os";
 function objectToEntries(obj) {
   return Object.entries(obj);
 }
+function objectFromEntries(entries) {
+  return Object.fromEntries(entries);
+}
+function toUnixNewlines(text) {
+  return platform() === "win32" ? text.replace(/\r\n/g, "\n") : text;
+}
+function fromJsonLines(jsonLines) {
+  const unifiedNewLines = toUnixNewlines(jsonLines).trim();
+  return JSON.parse(`[${unifiedNewLines.split("\n").join(",")}]`);
+}
+function apostrophize(text, upperCase) {
+  const lastCharMatch = text.match(/(\w)\W*$/);
+  const lastChar = lastCharMatch?.[1] ?? "";
+  return `${text}'${lastChar.toLocaleLowerCase() === "s" ? "" : upperCase ? "S" : "s"}`;
+}
 
 // packages/utils/src/lib/progress.ts
 import chalk3 from "chalk";
@@ -797,6 +827,17 @@ var defaultAuditLevelMapping = {
   low: "warning",
   info: "info"
 };
+var dependencyGroupToLong = {
+  prod: "dependencies",
+  dev: "devDependencies",
+  optional: "optionalDependencies"
+};
+var pkgManagerCommands = {
+  npm: "npm",
+  "yarn-classic": "yarn",
+  "yarn-modern": "yarn",
+  pnpm: "pnpm"
+};
 
 // packages/plugin-js-packages/src/lib/config.ts
 var dependencyGroups = ["prod", "dev", "optional"];
@@ -834,6 +875,218 @@ var jsPackagesPluginConfigSchema = z15.object({
   }).default(defaultAuditLevelMapping).transform(fillAuditLevelMapping)
 });
 
+// packages/plugin-js-packages/src/lib/runner/utils.ts
+function filterAuditResult(result, key, referenceResult) {
+  if (result.vulnerabilities.length === 0) {
+    return result;
+  }
+  const uniqueResult = result.vulnerabilities.reduce(
+    (acc, ref) => {
+      const matchReference = referenceResult ?? acc;
+      const isMatch = matchReference.vulnerabilities.map((vulnerability) => vulnerability[key]).includes(ref[key]);
+      if (isMatch) {
+        return {
+          vulnerabilities: acc.vulnerabilities,
+          summary: {
+            ...acc.summary,
+            [ref.severity]: acc.summary[ref.severity] - 1,
+            total: acc.summary.total - 1
+          }
+        };
+      }
+      return {
+        vulnerabilities: [...acc.vulnerabilities, ref],
+        summary: acc.summary
+      };
+    },
+    { vulnerabilities: [], summary: result.summary }
+  );
+  return {
+    vulnerabilities: uniqueResult.vulnerabilities,
+    summary: uniqueResult.summary
+  };
+}
+
+// packages/plugin-js-packages/src/lib/runner/audit/unify-type.ts
+function npmToAuditResult(output) {
+  const npmAudit = JSON.parse(output);
+  const vulnerabilities = objectToEntries(npmAudit.vulnerabilities).map(
+    ([name, detail]) => {
+      const advisory = npmToAdvisory(name, npmAudit.vulnerabilities);
+      return {
+        name: name.toString(),
+        severity: detail.severity,
+        versionRange: detail.range,
+        directDependency: detail.isDirect ? true : detail.effects[0] ?? "",
+        fixInformation: npmToFixInformation(detail.fixAvailable),
+        ...advisory != null && {
+          title: advisory.title,
+          url: advisory.url
+        }
+      };
+    }
+  );
+  return {
+    vulnerabilities,
+    summary: npmAudit.metadata.vulnerabilities
+  };
+}
+function npmToFixInformation(fixAvailable) {
+  if (typeof fixAvailable === "boolean") {
+    return fixAvailable ? "Fix is available." : "";
+  }
+  return `Fix available: Update \`${fixAvailable.name}\` to version **${fixAvailable.version}**${fixAvailable.isSemVerMajor ? " (breaking change)." : "."}`;
+}
+function npmToAdvisory(name, vulnerabilities, prevNodes = /* @__PURE__ */ new Set()) {
+  const advisory = vulnerabilities[name]?.via;
+  if (Array.isArray(advisory) && advisory.length > 0 && typeof advisory[0] === "object") {
+    return { title: advisory[0].title, url: advisory[0].url };
+  }
+  if (Array.isArray(advisory) && advisory.length > 0 && advisory.every((value) => typeof value === "string")) {
+    let advisoryInfo = null;
+    let newReferences = [];
+    let advisoryInfoFound = false;
+    for (const via of advisory) {
+      if (!prevNodes.has(via)) {
+        newReferences.push(via);
+      }
+    }
+    while (newReferences.length > 0 && !advisoryInfoFound) {
+      const ref = newReferences.pop();
+      prevNodes.add(ref);
+      const result = npmToAdvisory(ref, vulnerabilities, prevNodes);
+      if (result != null) {
+        advisoryInfo = { title: result.title, url: result.url };
+        advisoryInfoFound = true;
+      }
+    }
+    return advisoryInfo;
+  }
+  return null;
+}
+function yarnv1ToAuditResult(output) {
+  const yarnv1Result = fromJsonLines(output);
+  const [yarnv1Advisory, yarnv1Summary] = validateYarnv1Result(yarnv1Result);
+  const vulnerabilities = yarnv1Advisory.map(
+    ({ data: { resolution, advisory } }) => {
+      const { id, path } = resolution;
+      const directDependency = path.slice(0, path.indexOf(">"));
+      const {
+        module_name: name,
+        title,
+        url,
+        severity,
+        vulnerable_versions: versionRange,
+        recommendation: fixInformation
+      } = advisory;
+      return {
+        name,
+        title,
+        id,
+        url,
+        severity,
+        versionRange,
+        directDependency: name === directDependency ? true : directDependency,
+        fixInformation
+      };
+    }
+  );
+  const summary = {
+    ...yarnv1Summary.data.vulnerabilities,
+    total: Object.values(yarnv1Summary.data.vulnerabilities).reduce(
+      (acc, amount) => acc + amount,
+      0
+    )
+  };
+  return filterAuditResult({ vulnerabilities, summary }, "id");
+}
+function validateYarnv1Result(result) {
+  const summary = result.at(-1);
+  if (summary?.type !== "auditSummary") {
+    throw new Error("Invalid Yarn v1 audit result - no summary found.");
+  }
+  const vulnerabilities = result.filter(
+    (item) => item.type === "auditAdvisory"
+  );
+  return [vulnerabilities, summary];
+}
+function yarnv2ToAuditResult(output) {
+  const yarnv2Audit = JSON.parse(output);
+  const vulnerabilities = Object.values(yarnv2Audit.advisories).map(
+    ({
+      module_name: name,
+      severity,
+      title,
+      url,
+      vulnerable_versions: versionRange,
+      recommendation: fixInformation,
+      findings
+    }) => {
+      const directDep = findings[0]?.paths[0];
+      return {
+        name,
+        severity,
+        title,
+        url,
+        versionRange,
+        fixInformation,
+        directDependency: directDep != null && directDep !== name ? directDep : true
+      };
+    }
+  );
+  return {
+    vulnerabilities,
+    summary: {
+      ...yarnv2Audit.metadata.vulnerabilities,
+      total: getVulnerabilitiesTotal(yarnv2Audit.metadata.vulnerabilities)
+    }
+  };
+}
+function pnpmToAuditResult(output) {
+  const pnpmResult = JSON.parse(output);
+  const vulnerabilities = Object.values(pnpmResult.advisories).map(
+    ({
+      module_name: name,
+      id,
+      title,
+      url,
+      severity,
+      vulnerable_versions: versionRange,
+      recommendation: fixInformation,
+      findings
+    }) => {
+      const path = findings[0]?.paths[0];
+      return {
+        name,
+        id,
+        title,
+        url,
+        severity,
+        versionRange,
+        directDependency: path == null ? true : pnpmToDirectDependency(path),
+        fixInformation
+      };
+    }
+  );
+  return {
+    vulnerabilities,
+    summary: {
+      ...pnpmResult.metadata.vulnerabilities,
+      total: getVulnerabilitiesTotal(pnpmResult.metadata.vulnerabilities)
+    }
+  };
+}
+function pnpmToDirectDependency(path) {
+  const deps = path.split(" > ").slice(1);
+  if (deps.length <= 1) {
+    return true;
+  }
+  return deps[0]?.split("@")[0] ?? true;
+}
+function getVulnerabilitiesTotal(summary) {
+  return Object.values(summary).reduce((acc, value) => acc + value, 0);
+}
+
 // packages/plugin-js-packages/src/lib/runner/audit/constants.ts
 var auditScoreModifiers = {
   critical: 1,
@@ -842,20 +1095,65 @@ var auditScoreModifiers = {
   low: 0.02,
   info: 0.01
 };
+var normalizeAuditMapper = {
+  npm: npmToAuditResult,
+  "yarn-classic": yarnv1ToAuditResult,
+  "yarn-modern": yarnv2ToAuditResult,
+  pnpm: pnpmToAuditResult
+};
+var filterNpmAuditResults = (results) => ({
+  prod: results.prod,
+  dev: filterAuditResult(results.dev, "name", results.prod),
+  optional: filterAuditResult(results.optional, "name", results.prod)
+});
+var filterPnpmAuditResults = (results) => ({
+  prod: results.prod,
+  dev: results.dev,
+  optional: filterAuditResult(
+    filterAuditResult(results.optional, "id", results.prod),
+    "id",
+    results.dev
+  )
+});
+var postProcessingAuditMapper = {
+  npm: filterNpmAuditResults,
+  // prod dependencies need to be filtered out manually since v10
+  pnpm: filterPnpmAuditResults
+  // optional dependencies don't have an exclusive option so they need duplicates filtered out
+};
+var npmDependencyOptions = {
+  prod: ["--omit=dev", "--omit=optional"],
+  dev: ["--include=dev", "--omit=optional"],
+  optional: ["--include=optional", "--omit=dev"]
+};
+var yarnv2EnvironmentOptions = {
+  prod: "production",
+  dev: "development",
+  optional: ""
+};
+var pnpmDependencyOptions = {
+  prod: ["--prod", "--no-optional"],
+  dev: ["--dev", "--no-optional"],
+  optional: []
+};
+var auditArgs = (groupDep) => ({
+  npm: [...npmDependencyOptions[groupDep], "--audit-level=none"],
+  "yarn-classic": ["--groups", dependencyGroupToLong[groupDep]],
+  "yarn-modern": ["--environment", yarnv2EnvironmentOptions[groupDep]],
+  pnpm: [...pnpmDependencyOptions[groupDep]]
+});
 
 // packages/plugin-js-packages/src/lib/runner/audit/transform.ts
-function auditResultToAuditOutput(result, dependenciesType, auditLevelMapping) {
+function auditResultToAuditOutput(result, packageManager, dependenciesType, auditLevelMapping) {
   const issues = vulnerabilitiesToIssues(
     result.vulnerabilities,
     auditLevelMapping
   );
   return {
-    slug: `npm-audit-${dependenciesType}`,
-    score: calculateAuditScore(result.metadata.vulnerabilities),
-    value: result.metadata.vulnerabilities.total,
-    displayValue: vulnerabilitiesToDisplayValue(
-      result.metadata.vulnerabilities
-    ),
+    slug: `${packageManager}-audit-${dependenciesType}`,
+    score: calculateAuditScore(result.summary),
+    value: result.summary.total,
+    displayValue: summaryToDisplayValue(result.summary),
     ...issues.length > 0 && { details: { issues } }
   };
 }
@@ -874,31 +1172,26 @@ function calculateAuditScore(stats) {
     1
   );
 }
-function vulnerabilitiesToDisplayValue(vulnerabilities) {
-  if (vulnerabilities.total === 0) {
+function summaryToDisplayValue(summary) {
+  if (summary.total === 0) {
     return "0 vulnerabilities";
   }
-  const vulnerabilityStats = packageAuditLevels.map(
-    (level) => vulnerabilities[level] > 0 ? `${vulnerabilities[level]} ${level}` : ""
-  ).filter((text) => text !== "").join(", ");
-  return `${vulnerabilities.total} ${vulnerabilities.total === 1 ? "vulnerability" : "vulnerabilities"} (${vulnerabilityStats})`;
+  const vulnerabilityStats = packageAuditLevels.map((level) => summary[level] > 0 ? `${summary[level]} ${level}` : "").filter((text) => text !== "").join(", ");
+  return `${summary.total} ${summary.total === 1 ? "vulnerability" : "vulnerabilities"} (${vulnerabilityStats})`;
 }
 function vulnerabilitiesToIssues(vulnerabilities, auditLevelMapping) {
-  if (Object.keys(vulnerabilities).length === 0) {
+  if (vulnerabilities.length === 0) {
     return [];
   }
-  return Object.values(vulnerabilities).map((detail) => {
-    const versionRange = detail.range === "*" ? "**all** versions" : `versions **${detail.range}**`;
-    const vulnerabilitySummary = `\`${detail.name}\` dependency has a **${detail.severity}** vulnerability in ${versionRange}.`;
-    const fixInformation = typeof detail.fixAvailable === "boolean" ? `Fix is ${detail.fixAvailable ? "" : "not "}available.` : `Fix available: Update \`${detail.fixAvailable.name}\` to version **${detail.fixAvailable.version}**${detail.fixAvailable.isSemVerMajor ? " (breaking change)." : "."}`;
-    if (Array.isArray(detail.via) && detail.via.length > 0 && typeof detail.via[0] === "object") {
-      return {
-        message: `${vulnerabilitySummary} ${fixInformation} More information: [${detail.via[0].title}](${detail.via[0].url})`,
-        severity: auditLevelMapping[detail.severity]
-      };
-    }
+  return vulnerabilities.map((detail) => {
+    const versionRange = detail.versionRange === "*" ? "**all** versions" : `versions **${detail.versionRange}**`;
+    const directDependency = typeof detail.directDependency === "string" ? `\`${detail.directDependency}\`` : "";
+    const depHierarchy = directDependency === "" ? `\`${detail.name}\` dependency` : `${apostrophize(directDependency)} dependency \`${detail.name}\``;
+    const vulnerabilitySummary = `has a **${detail.severity}** vulnerability in ${versionRange}.`;
+    const fixInfo = detail.fixInformation ? ` ${detail.fixInformation}` : "";
+    const additionalInfo = detail.title != null && detail.url != null ? ` More information: [${detail.title}](${detail.url})` : "";
     return {
-      message: `${vulnerabilitySummary} ${fixInformation}`,
+      message: `${depHierarchy} ${vulnerabilitySummary}${fixInfo}${additionalInfo}`,
       severity: auditLevelMapping[detail.severity]
     };
   });
@@ -914,67 +1207,140 @@ var PLUGIN_CONFIG_PATH = join2(
   "plugin-config.json"
 );
 
+// packages/plugin-js-packages/src/lib/runner/outdated/unify-type.ts
+function npmToOutdatedResult(output) {
+  const npmOutdated = JSON.parse(output);
+  return objectToEntries(npmOutdated).filter(
+    (entry) => entry[1].current != null
+  ).map(([name, overview]) => ({
+    name,
+    current: overview.current,
+    latest: overview.latest,
+    type: overview.type,
+    ...overview.homepage != null && { url: overview.homepage }
+  }));
+}
+function yarnv1ToOutdatedResult(output) {
+  const yarnv1Outdated = fromJsonLines(output);
+  const dependencies = yarnv1Outdated[1].data.body;
+  return dependencies.map(([name, current, _, latest, __, type, url]) => ({
+    name,
+    current,
+    latest,
+    type,
+    url
+  }));
+}
+function yarnv2ToOutdatedResult(output) {
+  const npmOutdated = JSON.parse(output);
+  return npmOutdated.map(({ name, current, latest, type }) => ({
+    name,
+    current,
+    latest,
+    type
+  }));
+}
+function pnpmToOutdatedResult(output) {
+  const pnpmOutdated = JSON.parse(output);
+  return objectToEntries(pnpmOutdated).map(
+    ([name, { current, latest, dependencyType: type }]) => ({
+      name,
+      current,
+      latest,
+      type
+    })
+  );
+}
+
 // packages/plugin-js-packages/src/lib/runner/outdated/constants.ts
 var outdatedSeverity = {
   major: "error",
   minor: "warning",
   patch: "info"
 };
+var normalizeOutdatedMapper = {
+  npm: npmToOutdatedResult,
+  "yarn-classic": yarnv1ToOutdatedResult,
+  "yarn-modern": yarnv2ToOutdatedResult,
+  pnpm: pnpmToOutdatedResult
+};
+var outdatedArgs = {
+  npm: ["--long"],
+  "yarn-classic": [],
+  "yarn-modern": [],
+  pnpm: []
+};
+
+// packages/plugin-js-packages/src/lib/runner/outdated/types.ts
+var versionType = ["major", "minor", "patch"];
 
 // packages/plugin-js-packages/src/lib/runner/outdated/transform.ts
-function outdatedResultToAuditOutput(result, dependenciesType) {
-  const validDependencies = objectToEntries(result).filter(
-    (entry) => entry[1].current != null
-  ).filter(
-    ([, detail]) => dependenciesType === "prod" ? detail.type === "dependencies" : detail.type === `${dependenciesType}Dependencies`
+function outdatedResultToAuditOutput(result, packageManager, dependencyGroup) {
+  const relevantDependencies = result.filter(
+    (dep) => dep.type === dependencyGroupToLong[dependencyGroup]
+  );
+  const outdatedDependencies = relevantDependencies.filter(
+    (dep) => dep.current !== dep.latest
   );
-  const outdatedDependencies = validDependencies.filter(
-    ([, versions]) => versions.current !== versions.wanted
+  const outdatedStats = outdatedDependencies.reduce(
+    (acc, dep) => {
+      const outdatedLevel = getOutdatedLevel(dep.current, dep.latest);
+      return { ...acc, [outdatedLevel]: acc[outdatedLevel] + 1 };
+    },
+    { major: 0, minor: 0, patch: 0 }
   );
-  const majorOutdatedAmount = outdatedDependencies.filter(
-    ([, versions]) => getOutdatedLevel(versions.current, versions.wanted) === "major"
-  ).length;
   const issues = outdatedDependencies.length === 0 ? [] : outdatedToIssues(outdatedDependencies);
   return {
-    slug: `npm-outdated-${dependenciesType}`,
+    slug: `${packageManager}-outdated-${dependencyGroup}`,
     score: calculateOutdatedScore(
-      majorOutdatedAmount,
-      validDependencies.length
+      outdatedStats.major,
+      relevantDependencies.length
     ),
     value: outdatedDependencies.length,
-    displayValue: outdatedToDisplayValue(
-      majorOutdatedAmount,
-      outdatedDependencies.length
-    ),
+    displayValue: outdatedToDisplayValue(outdatedStats),
     ...issues.length > 0 && { details: { issues } }
   };
 }
 function calculateOutdatedScore(majorOutdated, totalDeps) {
   return totalDeps > 0 ? (totalDeps - majorOutdated) / totalDeps : 1;
 }
-function outdatedToDisplayValue(majorOutdated, totalOutdated) {
-  return totalOutdated === 0 ? "all dependencies are up to date" : majorOutdated > 0 ? `${majorOutdated} out of ${totalOutdated} outdated dependencies require major update` : `${totalOutdated} outdated ${totalOutdated === 1 ? "dependency" : "dependencies"}`;
+function outdatedToDisplayValue(stats) {
+  const total = stats.major + stats.minor + stats.patch;
+  const versionBreakdown = versionType.map((version) => stats[version] > 0 ? `${stats[version]} ${version}` : "").filter((text) => text !== "");
+  if (versionBreakdown.length === 0) {
+    return "all dependencies are up to date";
+  }
+  if (versionBreakdown.length > 1) {
+    return `${total} outdated package versions (${versionBreakdown.join(
+      ", "
+    )})`;
+  }
+  return `${versionBreakdown[0]} outdated package ${pluralize(
+    "version",
+    total
+  )}`;
 }
 function outdatedToIssues(dependencies) {
-  return dependencies.map(([name, versions]) => {
-    const outdatedLevel = getOutdatedLevel(versions.current, versions.wanted);
-    const packageReference = versions.homepage == null ? `\`${name}\`` : `[\`${name}\`](${versions.homepage})`;
+  return dependencies.map((dep) => {
+    const { name, current, latest, url } = dep;
+    const outdatedLevel = getOutdatedLevel(current, latest);
+    const packageReference = url == null ? `\`${name}\`` : `[\`${name}\`](${url})`;
     return {
-      message: `Package ${packageReference} requires a **${outdatedLevel}** update from **${versions.current}** to **${versions.wanted}**.`,
+      message: `Package ${packageReference} requires a **${outdatedLevel}** update from **${current}** to **${latest}**.`,
       severity: outdatedSeverity[outdatedLevel]
     };
   });
 }
-function getOutdatedLevel(currentFullVersion, wantedFullVersion) {
+function getOutdatedLevel(currentFullVersion, latestFullVersion) {
   const current = splitPackageVersion(currentFullVersion);
-  const wanted = splitPackageVersion(wantedFullVersion);
-  if (current.major < wanted.major) {
+  const latest = splitPackageVersion(latestFullVersion);
+  if (current.major < latest.major) {
     return "major";
   }
-  if (current.minor < wanted.minor) {
+  if (current.minor < latest.minor) {
     return "minor";
   }
-  if (current.patch < wanted.patch) {
+  if (current.patch < latest.patch) {
     return "patch";
   }
   throw new Error("Package is not outdated.");
@@ -998,42 +1364,62 @@ async function executeRunner() {
 }
 async function processOutdated(packageManager) {
   const { stdout } = await executeProcess({
-    command: packageManager,
-    args: ["outdated", "--json", "--long"],
-    alwaysResolve: true
-    // npm outdated returns exit code 1 when outdated dependencies are found
+    command: pkgManagerCommands[packageManager],
+    args: ["outdated", "--json", ...outdatedArgs[packageManager]],
+    cwd: process.cwd(),
+    ignoreExitCode: true
+    // outdated returns exit code 1 when outdated dependencies are found
   });
-  const outdatedResult = JSON.parse(stdout);
+  const normalizedResult = normalizeOutdatedMapper[packageManager](stdout);
   return dependencyGroups.map(
-    (dep) => outdatedResultToAuditOutput(outdatedResult, dep)
+    (dep) => outdatedResultToAuditOutput(normalizedResult, packageManager, dep)
   );
 }
 async function processAudit(packageManager, auditLevelMapping) {
+  const supportedDepGroups = packageManager === "yarn-modern" ? dependencyGroups.filter((dep) => dep !== "optional") : dependencyGroups;
   const auditResults = await Promise.allSettled(
-    dependencyGroups.map(async (dep) => {
-      const { stdout } = await executeProcess({
-        command: packageManager,
-        args: ["audit", ...getNpmAuditOptions(dep)]
-      });
-      const auditResult = JSON.parse(stdout);
-      return auditResultToAuditOutput(auditResult, dep, auditLevelMapping);
-    })
+    supportedDepGroups.map(
+      async (dep) => {
+        const { stdout } = await executeProcess({
+          command: pkgManagerCommands[packageManager],
+          args: getAuditCommandArgs(packageManager, dep),
+          cwd: process.cwd(),
+          ignoreExitCode: packageManager === "yarn-classic" || packageManager === "pnpm"
+          // yarn v1 and PNPM do not have exit code configuration
+        });
+        return [dep, normalizeAuditMapper[packageManager](stdout)];
+      }
+    )
   );
   const rejected = auditResults.filter(isPromiseRejectedResult);
   if (rejected.length > 0) {
     rejected.map((result) => {
       console.error(result.reason);
     });
-    throw new Error(`JS Packages plugin: Running npm audit failed.`);
+    throw new Error(
+      `JS Packages plugin: Running ${pkgManagerCommands[packageManager]} audit failed.`
+    );
   }
-  return auditResults.filter(isPromiseFulfilledResult).map((x) => x.value);
+  const fulfilled = objectFromEntries(
+    auditResults.filter(isPromiseFulfilledResult).map((x) => x.value)
+  );
+  const uniqueResults = postProcessingAuditMapper[packageManager]?.(fulfilled) ?? fulfilled;
+  return supportedDepGroups.map(
+    (group) => auditResultToAuditOutput(
+      uniqueResults[group],
+      packageManager,
+      group,
+      auditLevelMapping
+    )
+  );
 }
-function getNpmAuditOptions(currentDep) {
-  const flags = [
-    `--include=${currentDep}`,
-    ...dependencyGroups.filter((dep) => dep !== currentDep).map((dep) => `--omit=${dep}`)
+function getAuditCommandArgs(packageManager, group) {
+  return [
+    ...packageManager === "yarn-modern" ? ["npm"] : [],
+    "audit",
+    "--json",
+    ...auditArgs(group)[packageManager]
   ];
-  return [...flags, "--json", "--audit-level=none"];
 }
 
 // packages/plugin-js-packages/src/bin.ts

package/index.js

@@ -4,7 +4,7 @@ import { fileURLToPath } from "node:url";
 
 // packages/plugin-js-packages/package.json
 var name = "@code-pushup/js-packages-plugin";
-var version = "0.29.0";
+var version = "0.34.0";
 
 // packages/plugin-js-packages/src/lib/config.ts
 import { z as z15 } from "zod";
@@ -834,9 +834,9 @@ async function jsPackagesPlugin(config) {
   );
   return {
     slug: "js-packages",
-    title: "Plugin for JS packages",
+    title: "JS Packages",
     icon: pkgManagerIcons[pkgManager],
-    description: "This plugin runs audit to uncover vulnerabilities and lists outdated dependencies. It supports npm, yarn classic and berry, pnpm package managers.",
+    description: "This plugin runs audit to uncover vulnerabilities and lists outdated dependencies. It supports npm, yarn classic, yarn modern, and pnpm package managers.",
     docsUrl: pkgManagerDocs[pkgManager],
     packageName: name,
     version,
@@ -854,9 +854,15 @@ function createGroups(pkgManager, checks) {
       docsUrl: auditDocs[pkgManager],
       refs: [
         // eslint-disable-next-line no-magic-numbers
-        { slug: `${pkgManager}-audit-prod`, weight: 8 },
+        { slug: `${pkgManager}-audit-prod`, weight: 3 },
         { slug: `${pkgManager}-audit-dev`, weight: 1 },
-        { slug: `${pkgManager}-audit-optional`, weight: 1 }
+        // Yarn v2 does not support audit for optional dependencies
+        ...pkgManager === "yarn-modern" ? [] : [
+          {
+            slug: `${pkgManager}-audit-optional`,
+            weight: 1
+          }
+        ]
       ]
     },
     outdated: {
@@ -866,7 +872,7 @@ function createGroups(pkgManager, checks) {
       docsUrl: outdatedDocs[pkgManager],
       refs: [
         // eslint-disable-next-line no-magic-numbers
-        { slug: `${pkgManager}-outdated-prod`, weight: 8 },
+        { slug: `${pkgManager}-outdated-prod`, weight: 3 },
         { slug: `${pkgManager}-outdated-dev`, weight: 1 },
         { slug: `${pkgManager}-outdated-optional`, weight: 1 }
       ]
@@ -888,12 +894,15 @@ function createAudits(pkgManager, checks) {
       description: getAuditDescription(check, "dev"),
       docsUrl: dependencyDocs.dev
     },
-    {
-      slug: `${pkgManager}-${check}-optional`,
-      title: getAuditTitle(pkgManager, check, "optional"),
-      description: getAuditDescription(check, "optional"),
-      docsUrl: dependencyDocs.optional
-    }
+    // Yarn v2 does not support audit for optional dependencies
+    ...pkgManager === "yarn-modern" && check === "audit" ? [] : [
+      {
+        slug: `${pkgManager}-${check}-optional`,
+        title: getAuditTitle(pkgManager, check, "optional"),
+        description: getAuditDescription(check, "optional"),
+        docsUrl: dependencyDocs.optional
+      }
+    ]
   ]);
 }
 function getAuditTitle(pkgManager, check, dependencyType) {

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@code-pushup/js-packages-plugin",
-  "version": "0.29.0",
+  "version": "0.34.0",
   "dependencies": {
-    "@code-pushup/models": "*",
-    "@code-pushup/utils": "*",
+    "@code-pushup/models": "0.34.0",
+    "@code-pushup/utils": "0.34.0",
     "zod": "^3.22.4"
   },
   "license": "MIT",

package/src/lib/config.d.ts

@@ -9,15 +9,16 @@ export type PackageManager = z.infer<typeof packageManagerSchema>;
 export declare const packageAuditLevels: readonly ["critical", "high", "moderate", "low", "info"];
 declare const packageAuditLevelSchema: z.ZodEnum<["critical", "high", "moderate", "low", "info"]>;
 export type PackageAuditLevel = z.infer<typeof packageAuditLevelSchema>;
-export declare function fillAuditLevelMapping(mapping: Partial<Record<PackageAuditLevel, IssueSeverity>>): Record<PackageAuditLevel, IssueSeverity>;
+export type AuditSeverity = Record<PackageAuditLevel, IssueSeverity>;
+export declare function fillAuditLevelMapping(mapping: Partial<AuditSeverity>): AuditSeverity;
 export declare const jsPackagesPluginConfigSchema: z.ZodObject<{
     checks: z.ZodDefault<z.ZodArray<z.ZodEnum<["audit", "outdated"]>, "many">>;
     packageManager: z.ZodEnum<["npm", "yarn-classic", "yarn-modern", "pnpm"]>;
-    auditLevelMapping: z.ZodEffects<z.ZodDefault<z.ZodRecord<z.ZodEnum<["critical", "high", "moderate", "low", "info"]>, z.ZodEnum<["info", "warning", "error"]>>>, Record<"info" | "critical" | "high" | "moderate" | "low", "error" | "info" | "warning">, Partial<Record<"info" | "critical" | "high" | "moderate" | "low", "error" | "info" | "warning">> | undefined>;
+    auditLevelMapping: z.ZodEffects<z.ZodDefault<z.ZodRecord<z.ZodEnum<["critical", "high", "moderate", "low", "info"]>, z.ZodEnum<["info", "warning", "error"]>>>, AuditSeverity, Partial<Record<"info" | "critical" | "high" | "moderate" | "low", "error" | "info" | "warning">> | undefined>;
 }, "strip", z.ZodTypeAny, {
     checks: ("audit" | "outdated")[];
     packageManager: "npm" | "pnpm" | "yarn-classic" | "yarn-modern";
-    auditLevelMapping: Record<"info" | "critical" | "high" | "moderate" | "low", "error" | "info" | "warning">;
+    auditLevelMapping: AuditSeverity;
 }, {
     packageManager: "npm" | "pnpm" | "yarn-classic" | "yarn-modern";
     checks?: ("audit" | "outdated")[] | undefined;

package/src/lib/constants.d.ts

@@ -1,6 +1,9 @@
 import { IssueSeverity, MaterialIcon } from '@code-pushup/models';
 import type { DependencyGroup, PackageAuditLevel, PackageManager } from './config';
+import { DependencyGroupLong } from './runner/outdated/types';
 export declare const defaultAuditLevelMapping: Record<PackageAuditLevel, IssueSeverity>;
+export declare const dependencyGroupToLong: Record<DependencyGroup, DependencyGroupLong>;
+export declare const pkgManagerCommands: Record<PackageManager, string>;
 export declare const pkgManagerNames: Record<PackageManager, string>;
 export declare const pkgManagerIcons: Record<PackageManager, MaterialIcon>;
 export declare const pkgManagerDocs: Record<PackageManager, string>;

package/src/lib/runner/audit/constants.d.ts

@@ -1,2 +1,6 @@
-import { PackageAuditLevel } from '../../config';
+import { DependencyGroup, PackageAuditLevel, PackageManager } from '../../config';
+import { AuditResult } from './types';
 export declare const auditScoreModifiers: Record<PackageAuditLevel, number>;
+export declare const normalizeAuditMapper: Record<PackageManager, (output: string) => AuditResult>;
+export declare const postProcessingAuditMapper: Partial<Record<PackageManager, (result: Record<DependencyGroup, AuditResult>) => Record<DependencyGroup, AuditResult>>>;
+export declare const auditArgs: (groupDep: DependencyGroup) => Record<PackageManager, string[]>;

package/src/lib/runner/audit/transform.d.ts

@@ -1,7 +1,7 @@
-import type { AuditOutput, Issue, IssueSeverity } from '@code-pushup/models';
-import { DependencyGroup, PackageAuditLevel } from '../../config';
-import { NpmAuditResultJson, Vulnerabilities } from './types';
-export declare function auditResultToAuditOutput(result: NpmAuditResultJson, dependenciesType: DependencyGroup, auditLevelMapping: Record<PackageAuditLevel, IssueSeverity>): AuditOutput;
-export declare function calculateAuditScore(stats: Record<PackageAuditLevel | 'total', number>): number;
-export declare function vulnerabilitiesToDisplayValue(vulnerabilities: Record<PackageAuditLevel | 'total', number>): string;
-export declare function vulnerabilitiesToIssues(vulnerabilities: Vulnerabilities, auditLevelMapping: Record<PackageAuditLevel, IssueSeverity>): Issue[];
+import type { AuditOutput, Issue } from '@code-pushup/models';
+import { AuditSeverity, DependencyGroup, PackageManager } from '../../config';
+import { AuditResult, AuditSummary, Vulnerability } from './types';
+export declare function auditResultToAuditOutput(result: AuditResult, packageManager: PackageManager, dependenciesType: DependencyGroup, auditLevelMapping: AuditSeverity): AuditOutput;
+export declare function calculateAuditScore(stats: AuditSummary): number;
+export declare function summaryToDisplayValue(summary: AuditSummary): string;
+export declare function vulnerabilitiesToIssues(vulnerabilities: Vulnerability[], auditLevelMapping: AuditSeverity): Issue[];

package/src/lib/runner/audit/types.d.ts

@@ -1,27 +1,103 @@
 import type { PackageAuditLevel } from '../../config';
-type Advisory = {
+export type Vulnerability = {
+    name: string;
+    id?: number;
+    title?: string;
+    url?: string;
+    severity: PackageAuditLevel;
+    versionRange: string;
+    directDependency: string | true;
+    fixInformation: string | false;
+};
+export type AuditSummary = Record<PackageAuditLevel | 'total', number>;
+export type AuditResult = {
+    vulnerabilities: Vulnerability[];
+    summary: AuditSummary;
+};
+export type NpmAdvisory = {
     title: string;
     url: string;
 };
-type FixInformation = {
+export type NpmFixInformation = {
     name: string;
     version: string;
     isSemVerMajor: boolean;
 };
-export type Vulnerability = {
+export type NpmVulnerability = {
     name: string;
     severity: PackageAuditLevel;
-    via: Advisory[] | string[];
+    isDirect: boolean;
+    effects: string[];
+    via: NpmAdvisory[] | string[];
     range: string;
-    fixAvailable: boolean | FixInformation;
-};
-export type Vulnerabilities = {
-    [key: string]: Vulnerability;
+    fixAvailable: boolean | NpmFixInformation;
 };
+export type NpmVulnerabilities = Record<string, NpmVulnerability>;
 export type NpmAuditResultJson = {
-    vulnerabilities: Vulnerabilities;
+    vulnerabilities: NpmVulnerabilities;
+    metadata: {
+        vulnerabilities: AuditSummary;
+    };
+};
+export type Yarnv1AuditAdvisory = {
+    type: 'auditAdvisory';
+    data: {
+        resolution: {
+            id: number;
+            path: string;
+        };
+        advisory: {
+            module_name: string;
+            severity: PackageAuditLevel;
+            vulnerable_versions: string;
+            recommendation: string;
+            title: string;
+            url: string;
+        };
+    };
+};
+export type Yarnv1AuditSummary = {
+    type: 'auditSummary';
+    data: {
+        vulnerabilities: Record<PackageAuditLevel, number>;
+    };
+};
+export type Yarnv1AuditResultJson = [
+    ...Yarnv1AuditAdvisory[],
+    Yarnv1AuditSummary
+];
+export type Yarnv2AuditAdvisory = {
+    module_name: string;
+    severity: PackageAuditLevel;
+    vulnerable_versions: string;
+    recommendation: string;
+    title: string;
+    url: string;
+    findings: {
+        paths: string[];
+    }[];
+};
+export type Yarnv2AuditResultJson = {
+    advisories: Record<string, Yarnv2AuditAdvisory>;
+    metadata: {
+        vulnerabilities: Record<PackageAuditLevel, number>;
+    };
+};
+export type PnpmAuditAdvisory = {
+    module_name: string;
+    id: number;
+    severity: PackageAuditLevel;
+    vulnerable_versions: string;
+    recommendation: string;
+    title: string;
+    url: string;
+    findings: {
+        paths: string[];
+    }[];
+};
+export type PnpmAuditResultJson = {
+    advisories: Record<string, PnpmAuditAdvisory>;
     metadata: {
-        vulnerabilities: Record<PackageAuditLevel | 'total', number>;
+        vulnerabilities: Record<PackageAuditLevel, number>;
     };
 };
-export {};

package/src/lib/runner/audit/unify-type.d.ts

@@ -0,0 +1,8 @@
+import { AuditResult, NpmAdvisory, NpmFixInformation, NpmVulnerabilities } from './types';
+export declare function npmToAuditResult(output: string): AuditResult;
+export declare function npmToFixInformation(fixAvailable: boolean | NpmFixInformation): string;
+export declare function npmToAdvisory(name: string, vulnerabilities: NpmVulnerabilities, prevNodes?: Set<string>): NpmAdvisory | null;
+export declare function yarnv1ToAuditResult(output: string): AuditResult;
+export declare function yarnv2ToAuditResult(output: string): AuditResult;
+export declare function pnpmToAuditResult(output: string): AuditResult;
+export declare function pnpmToDirectDependency(path: string): string | true;

package/src/lib/runner/outdated/constants.d.ts

@@ -1,3 +1,6 @@
 import { IssueSeverity } from '@code-pushup/models';
-import { VersionType } from './types';
+import { PackageManager } from '../../config';
+import { OutdatedResult, VersionType } from './types';
 export declare const outdatedSeverity: Record<VersionType, IssueSeverity>;
+export declare const normalizeOutdatedMapper: Record<PackageManager, (output: string) => OutdatedResult>;
+export declare const outdatedArgs: Record<PackageManager, string[]>;

package/src/lib/runner/outdated/transform.d.ts

@@ -1,7 +1,7 @@
 import { Issue } from '@code-pushup/models';
-import { DependencyGroup } from '../../config';
-import { NormalizedOutdatedEntries, NpmOutdatedResultJson, PackageVersion, VersionType } from './types';
-export declare function outdatedResultToAuditOutput(result: NpmOutdatedResultJson, dependenciesType: DependencyGroup): {
+import { DependencyGroup, PackageManager } from '../../config';
+import { OutdatedResult, PackageVersion, VersionType } from './types';
+export declare function outdatedResultToAuditOutput(result: OutdatedResult, packageManager: PackageManager, dependencyGroup: DependencyGroup): {
     details?: {
         issues: {
             message: string;
@@ -23,7 +23,7 @@ export declare function outdatedResultToAuditOutput(result: NpmOutdatedResultJso
     displayValue: string;
 };
 export declare function calculateOutdatedScore(majorOutdated: number, totalDeps: number): number;
-export declare function outdatedToDisplayValue(majorOutdated: number, totalOutdated: number): string;
-export declare function outdatedToIssues(dependencies: NormalizedOutdatedEntries): Issue[];
-export declare function getOutdatedLevel(currentFullVersion: string, wantedFullVersion: string): VersionType;
+export declare function outdatedToDisplayValue(stats: Record<VersionType, number>): string;
+export declare function outdatedToIssues(dependencies: OutdatedResult): Issue[];
+export declare function getOutdatedLevel(currentFullVersion: string, latestFullVersion: string): VersionType;
 export declare function splitPackageVersion(fullVersion: string): PackageVersion;

package/src/lib/runner/outdated/types.d.ts

@@ -1,15 +1,54 @@
-export type VersionType = 'major' | 'minor' | 'patch';
+export declare const versionType: readonly ["major", "minor", "patch"];
+export type VersionType = (typeof versionType)[number];
 export type PackageVersion = Record<VersionType, number>;
-export type VersionOverview = {
+export type DependencyGroupLong = 'dependencies' | 'devDependencies' | 'optionalDependencies';
+export type OutdatedResult = {
+    name: string;
+    current: string;
+    latest: string;
+    type: DependencyGroupLong;
+    url?: string;
+}[];
+export type NpmVersionOverview = {
     current?: string;
-    wanted: string;
-    type: 'dependencies' | 'devDependencies' | 'optionalDependencies';
+    latest: string;
+    type: DependencyGroupLong;
     homepage?: string;
 };
-export type NormalizedVersionOverview = Omit<VersionOverview, 'current'> & {
+export type NpmNormalizedOverview = Omit<NpmVersionOverview, 'current'> & {
+    current: string;
+};
+export type NpmOutdatedResultJson = Record<string, NpmVersionOverview>;
+export type Yarnv1VersionOverview = [
+    string,
+    string,
+    string,
+    string,
+    string,
+    DependencyGroupLong,
+    string
+];
+type Yarnv1Info = {
+    type: 'info';
+};
+type Yarnv1Table = {
+    type: 'table';
+    data: {
+        body: Yarnv1VersionOverview[];
+    };
+};
+export type Yarnv1OutdatedResultJson = [Yarnv1Info, Yarnv1Table];
+export type Yarnv2VersionOverview = {
     current: string;
+    latest: string;
+    name: string;
+    type: DependencyGroupLong;
 };
-export type NormalizedOutdatedEntries = [string, NormalizedVersionOverview][];
-export type NpmOutdatedResultJson = {
-    [key: string]: VersionOverview;
+export type Yarnv2OutdatedResultJson = Yarnv2VersionOverview[];
+export type PnpmVersionOverview = {
+    current: string;
+    latest: string;
+    dependencyType: DependencyGroupLong;
 };
+export type PnpmOutdatedResultJson = Record<string, PnpmVersionOverview>;
+export {};

package/src/lib/runner/outdated/unify-type.d.ts

@@ -0,0 +1,5 @@
+import { OutdatedResult } from './types';
+export declare function npmToOutdatedResult(output: string): OutdatedResult;
+export declare function yarnv1ToOutdatedResult(output: string): OutdatedResult;
+export declare function yarnv2ToOutdatedResult(output: string): OutdatedResult;
+export declare function pnpmToOutdatedResult(output: string): OutdatedResult;

package/src/lib/runner/utils.d.ts

@@ -0,0 +1,2 @@
+import { AuditResult, Vulnerability } from './audit/types';
+export declare function filterAuditResult(result: AuditResult, key: keyof Vulnerability, referenceResult?: AuditResult): AuditResult;