@crbroughton/recul 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Craig R Broughton
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,132 @@
+# recul
+
+Stay N versions behind the latest published release of your npm dependencies to avoid supply chain attacks.
+
+recul is not a replacement for typical auditing via `npm audit` or third party security tools; it is a complementary layer that reduces the attack surface without requiring active effort on every release cycle.
+
+## How it works
+
+Given a lag of `N`, the target version is `versions[latest_index - N]`. Only stable releases are counted; pre-release versions (configurable, defaults to `-alpha`, `-beta`, `-rc`, `-next`, `-canary`) are excluded. If a package has fewer releases than the lag value, recul pins to the oldest available stable version.
+
+Packages already older than the lag target are left alone by default. The invariant is "never be too new", not "be exactly N behind".
+
+## Requirements
+
+- Node.js 18 or later
+
+## Installation
+
+```sh
+npm i -D recul
+# or
+pnpm add -D recul
+```
+
+## Quick start
+
+```sh
+# Create a config file in the current directory
+recul init
+
+# Audit your dependencies
+recul
+```
+
+## Configuration
+
+Commit a `recul.config.jsonc` to standardise settings across the team.
+
+```jsonc
+{
+  // How many versions to stay behind the latest published release.
+  // Counted in releases, not semver increments.
+  //
+  //   1  →  days to weeks   (fast-moving projects, minimal buffer)
+  //   2  →  weeks           (balanced default, recommended)
+  //   3  →  weeks to months (cautious teams, slower release cadences)
+  //   5+ →  months          (regulated environments, high-security contexts)
+  "lag": 2,
+
+  // Package manager: "npm" | "pnpm"
+  "packageManager": "pnpm",
+
+  // Path to the package.json to audit, relative to this config file.
+  "packageFile": "package.json",
+
+  // How to handle packages already older than the lag target.
+  //   "ignore"  →  treat as ok, no output (default)
+  //   "report"  →  surface them with a safe upgrade-to-target command
+  "behindBehavior": "ignore",
+
+  // Version prefix used in generated install commands.
+  //   "exact"  →  1.3.4    (recommended; audits are reliable)
+  //   "caret"  →  ^1.3.4   (allows minor/patch drift)
+  //   "tilde"  →  ~1.3.4   (allows patch drift only)
+  //
+  // Per-package map also supported:
+  //   { "default": "exact", "react": "tilde" }
+  "rangeSpecifier": "exact",
+
+  // Packages to skip entirely.
+  "ignore": [],
+
+  // Minimum days a version must have been published before it is eligible
+  // as a lag target. Combines with "lag" for defence-in-depth.
+  // Omit or set to 0 to disable.
+  "minimumReleaseAge": 3,
+
+  // Version strings containing any of these substrings are treated as
+  // pre-releases and excluded from the candidate list.
+  "preReleaseFilter": ["-alpha", "-beta", "-rc", "-next", "-canary"]
+}
+```
+
+A config file is required; run `recul init` if you do not have one.
+
+## Output
+
+```
+recul  staying 2 versions behind latest
+
+settings
+  lag       2           ;  stay 2 versions behind latest
+  pm        pnpm        ;  the chosen package manager
+  behind    ignore      ;  ignore packages behind target
+  range     exact       ;  pin exact versions
+  minAge    3           ;  skip versions published within the last 3 days
+
+package              declared          → target          latest            status
+────────────────────────────────────────────────────────────────────────────────
+express              ^4.19.2           4.17.3            4.19.2            ↓ will pin back
+react                ^18.3.1           18.1.0            18.3.1            ↓ will pin back
+typescript           5.4.5             5.4.5             5.4.5             ✓ ok
+
+to pin back:
+  pnpm add express@4.17.3 react@18.1.0
+```
+
+### Status values
+
+| Status | Meaning |
+|--------|---------|
+| `✓ ok` | At or behind the lag target |
+| `↓ will pin back` | Ahead of the lag target; install command shown |
+| `↑ safe to upgrade` | Behind the target (only shown when `behindBehavior: report`) |
+| `✗ unresolved` | Registry fetch failed or no stable versions found |
+
+A `⚠ declared <specifier>` warning is appended when a package is declared with a different range prefix than `rangeSpecifier`; this means the audited version may differ from what is actually installed.
+
+## pnpm catalog support
+
+When using pnpm workspaces with a `catalogs` block in `pnpm-workspace.yaml`, recul reads catalog entries to resolve `catalog:` and `catalog:<name>` references in `package.json`.
+
+Violations in catalog-managed packages are reported with the catalog entry to update rather than an install command. Pass `--fix` to apply the updates directly to `pnpm-workspace.yaml`.
+
+## Lockfile support
+
+When a lockfile is present, recul reads the installed version from it and uses that for comparison rather than the declared range. This gives accurate results for packages declared with `^` or `~`.
+
+| Package manager | Lockfile |
+|----------------|----------|
+| npm | `package-lock.json` (v3) |
+| pnpm | `pnpm-lock.yaml` (v6+) |

package/dist/bin/recul.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=recul.d.ts.map

package/dist/bin/recul.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"recul.d.ts","sourceRoot":"","sources":["../../bin/recul.ts"],"names":[],"mappings":""}

package/dist/bin/recul.js

@@ -0,0 +1,96 @@
+#!/usr/bin/env node
+import { readFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { defineCommand, runMain } from 'citty';
+import { defu } from 'defu';
+import { destr } from 'destr';
+import { auditDeps } from '../src/audit.js';
+import { DEFAULTS, loadConfigFile, resolveConfigDir } from '../src/config.js';
+import { runInit } from '../src/init.js';
+import { detectPackageManager, loadLockfile, loadPnpmCatalog, npmAdapter, pnpmAdapter, resolveCatalogRefs, updatePnpmCatalog } from '../src/lockfile.js';
+import { printResults } from '../src/output.js';
+const initCommand = defineCommand({
+    meta: { name: 'init', description: 'Create recul.config.jsonc with recommended settings' },
+    run() {
+        runInit(process.cwd());
+    },
+});
+const main = defineCommand({
+    meta: { name: 'recul', description: 'Stay N versions behind latest' },
+    args: {
+        file: { type: 'string', alias: 'f', description: 'Path to package.json (default: package.json)' },
+        fix: { type: 'boolean', description: 'Apply catalog fixes directly to pnpm-workspace.yaml' },
+    },
+    subCommands: { init: initCommand },
+    async run({ args }) {
+        const configDir = resolveConfigDir({ ...(args.file !== undefined ? { file: args.file } : {}), cwd: process.cwd() });
+        const fileConfig = loadConfigFile(configDir);
+        if (fileConfig === null) {
+            console.error('no config file found or config could not be parsed.\n');
+            console.error('run "recul init" to create recul.config.jsonc with recommended settings.');
+            process.exit(1);
+        }
+        const detectedPm = detectPackageManager(configDir);
+        const config = defu({ file: args.file }, { lag: fileConfig.lag, file: fileConfig.packageFile, pm: fileConfig.packageManager, behindBehavior: fileConfig.behindBehavior, rangeSpecifier: fileConfig.rangeSpecifier, ignore: fileConfig.ignore, minimumReleaseAge: fileConfig.minimumReleaseAge, preReleaseFilter: fileConfig.preReleaseFilter }, { pm: detectedPm ?? undefined }, DEFAULTS);
+        const { lag, file, pm, behindBehavior, rangeSpecifier, ignore, preReleaseFilter } = config;
+        const minimumReleaseAge = config.minimumReleaseAge !== null ? config.minimumReleaseAge : undefined;
+        const pkgPath = resolve(process.cwd(), file);
+        let raw;
+        try {
+            raw = destr(readFileSync(pkgPath, 'utf8'));
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.error(`error: could not read ${pkgPath}: ${message}`);
+            process.exit(1);
+        }
+        if (raw === null || typeof raw !== 'object') {
+            console.error(`error: ${pkgPath} is not a JSON object`);
+            process.exit(1);
+        }
+        const pkgDir = dirname(pkgPath);
+        const base = raw;
+        const catalogs = loadPnpmCatalog(pkgDir);
+        const pkgJson = catalogs !== null
+            ? {
+                ...(base.dependencies !== undefined ? { dependencies: resolveCatalogRefs(base.dependencies, catalogs) } : {}),
+                ...(base.devDependencies !== undefined ? { devDependencies: resolveCatalogRefs(base.devDependencies, catalogs) } : {}),
+            }
+            : base;
+        const catalogPackages = catalogs !== null
+            ? new Set(Object.values(catalogs).flatMap(Object.keys))
+            : undefined;
+        const installedMap = loadLockfile({ dir: pkgDir, adapters: [npmAdapter, pnpmAdapter] });
+        const results = await auditDeps({
+            pkgJson,
+            lag,
+            ...(minimumReleaseAge !== undefined ? { minimumReleaseAge } : {}),
+            preReleaseFilter,
+            rangeSpecifier,
+            ignore,
+            ...(installedMap !== null ? { installed: installedMap } : {}),
+            ...(catalogPackages !== undefined ? { catalogPackages } : {}),
+        });
+        let fixed;
+        if (args.fix && catalogPackages !== undefined) {
+            const updates = {};
+            for (const r of results) {
+                if (!r.fromCatalog)
+                    continue;
+                if (r.status === 'pin' && r.target !== null)
+                    updates[r.name] = r.target;
+                else if (r.status === 'behind' && behindBehavior === 'report' && r.target !== null)
+                    updates[r.name] = r.target;
+                else if (r.specifierMismatch && r.status !== 'pin')
+                    updates[r.name] = r.current;
+            }
+            if (Object.keys(updates).length > 0) {
+                updatePnpmCatalog(pkgDir, updates);
+                fixed = Object.keys(updates);
+            }
+        }
+        printResults({ results, lag, pm, behindBehavior, rangeSpecifier, ...(minimumReleaseAge !== undefined ? { minimumReleaseAge } : {}), ...(catalogPackages !== undefined ? { workspaceFile: 'pnpm-workspace.yaml' } : {}), ...(fixed !== undefined ? { fixed } : {}) });
+    },
+});
+runMain(main);
+//# sourceMappingURL=recul.js.map

package/dist/bin/recul.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"recul.js","sourceRoot":"","sources":["../../bin/recul.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAA;AACtC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAC5C,OAAO,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,OAAO,CAAA;AAC9C,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAA;AAC3B,OAAO,EAAE,KAAK,EAAE,MAAM,OAAO,CAAA;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAA;AAC3C,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAA;AAC7E,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAA;AACxC,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,eAAe,EAAE,UAAU,EAAE,WAAW,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AACxJ,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAA;AAE/C,MAAM,WAAW,GAAG,aAAa,CAAC;IAChC,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,WAAW,EAAE,qDAAqD,EAAE;IAC1F,GAAG;QACD,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IACxB,CAAC;CACF,CAAC,CAAA;AAEF,MAAM,IAAI,GAAG,aAAa,CAAC;IACzB,IAAI,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,+BAA+B,EAAE;IACrE,IAAI,EAAE;QACJ,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,EAAE,WAAW,EAAE,8CAA8C,EAAE;QACjG,GAAG,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,WAAW,EAAE,qDAAqD,EAAE;KAC7F;IACD,WAAW,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE;IAClC,KAAK,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE;QAChB,MAAM,SAAS,GAAG,gBAAgB,CAAC,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;QACnH,MAAM,UAAU,GAAG,cAAc,CAAC,SAAS,CAAC,CAAA;QAE5C,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACxB,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAA;YACtE,OAAO,CAAC,KAAK,CAAC,0EAA0E,CAAC,CAAA;YACzF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,MAAM,UAAU,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAA;QAElD,MAAM,MAAM,GAAG,IAAI,CACjB,EAAE,IAAI,EAAE,IAAI,CAAC,IAA0B,EAAE,EACzC,EAAE,GAAG,EAAE,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,UAAU,CAAC,WAAW,EAAE,EAAE,EAAE,UAAU,CAAC,cAA4C,EAAE,cAAc,EAAE,UAAU,CAAC,cAAc,EAAE,cAAc,EAAE,UAAU,CAAC,cAAc,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,iBAAiB,EAAE,UAAU,CAAC,iBAAiB,EAAE,gBAAgB,EAAE,UAAU,CAAC,gBAAgB,EAAE,EACnU,EAAE,EAAE,EAAE,UAAU,IAAI,SAAS,EAAE,EAC/B,QAAQ,CACT,CAAA;QAED,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,CAAA;QAC1F,MAAM,iBAAiB,GAAG,MAAM,CAAC,iBAAiB,KAAK,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAA;QAElG,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,CAAA;QAE5C,IAAI,GAAuB,CAAA;QAC3B,IAAI,CAAC;YACH,GAAG,GAAG,KAAK,CAAqB,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAA;QAChE,CAAC;QACD,OAAO,GAAG,EAAE,CAAC;YACX,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAChE,OAAO,CAAC,KAAK,CAAC,yBAAyB,OAAO,KAAK,OAAO,EAAE,CAAC,CAAA;YAC7D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QACD,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5C,OAAO,CAAC,KAAK,CAAC,UAAU,OAAO,uBAAuB,CAAC,CAAA;YACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;QAC/B,MAAM,IAAI,GAAG,GAAG,CAAA;QAChB,MAAM,QAAQ,GAAG,eAAe,CAAC,MAAM,CAAC,CAAA;QACxC,MAAM,OAAO,GAAgB,QAAQ,KAAK,IAAI;YAC5C,CAAC,CAAC;gBACE,GAAG,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,EAAE,kBAAkB,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7G,GAAG,CAAC,IAAI,CAAC,eAAe,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,kBAAkB,CAAC,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACvH;YACH,CAAC,CAAC,IAAI,CAAA;QACR,MAAM,eAAe,GAAG,QAAQ,KAAK,IAAI;YACvC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACvD,CAAC,CAAC,SAAS,CAAA;QACb,MAAM,YAAY,GAAG,YAAY,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,UAAU,EAAE,WAAW,CAAC,EAAE,CAAC,CAAA;QACvF,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC;YAC9B,OAAO;YACP,GAAG;YACH,GAAG,CAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACjE,gBAAgB;YAChB,cAAc;YACd,MAAM;YACN,GAAG,CAAC,YAAY,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7D,GAAG,CAAC,eAAe,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC9D,CAAC,CAAA;QACF,IAAI,KAA2B,CAAA;QAC/B,IAAI,IAAI,CAAC,GAAG,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;YAC9C,MAAM,OAAO,GAA2B,EAAE,CAAA;YAC1C,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,IAAI,CAAC,CAAC,CAAC,WAAW;oBAChB,SAAQ;gBACV,IAAI,CAAC,CAAC,MAAM,KAAK,KAAK,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI;oBACzC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAA;qBACvB,IAAI,CAAC,CAAC,MAAM,KAAK,QAAQ,IAAI,cAAc,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,KAAK,IAAI;oBAChF,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAA;qBACvB,IAAI,CAAC,CAAC,iBAAiB,IAAI,CAAC,CAAC,MAAM,KAAK,KAAK;oBAChD,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAA;YAC/B,CAAC;YACD,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpC,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;gBAClC,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;YAC9B,CAAC;QACH,CAAC;QAED,YAAY,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,cAAc,EAAE,cAAc,EAAE,GAAG,CAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,eAAe,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,qBAAqB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAA;IACtQ,CAAC;CACF,CAAC,CAAA;AAEF,OAAO,CAAC,IAAI,CAAC,CAAA"}

package/dist/src/adapters/npm.d.ts

@@ -0,0 +1,10 @@
+import type { LockfileAdapter } from '../lockfile.js';
+import type { InstalledVersionMap } from '../types.js';
+interface NpmLockPackageEntry {
+    version?: string;
+}
+export declare function parsePackagesBlock(packages: Record<string, NpmLockPackageEntry>): InstalledVersionMap;
+export declare function parseNpmLock(content: string): InstalledVersionMap;
+export declare const npmAdapter: LockfileAdapter;
+export {};
+//# sourceMappingURL=npm.d.ts.map

package/dist/src/adapters/npm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm.d.ts","sourceRoot":"","sources":["../../../src/adapters/npm.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AACrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAA;AAGtD,UAAU,mBAAmB;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAMD,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,mBAAmB,CAAC,GAAG,mBAAmB,CAarG;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,mBAAmB,CAKjE;AAED,eAAO,MAAM,UAAU,EAAE,eAGxB,CAAA"}

package/dist/src/adapters/npm.js

@@ -0,0 +1,26 @@
+import { destr } from 'destr';
+export function parsePackagesBlock(packages) {
+    const result = {};
+    for (const [key, entry] of Object.entries(packages)) {
+        if (!key.startsWith('node_modules/'))
+            continue;
+        const name = key.slice('node_modules/'.length);
+        // Skip nested installs like "foo/node_modules/bar"
+        if (name.includes('node_modules'))
+            continue;
+        if (typeof entry.version === 'string')
+            result[name] = entry.version;
+    }
+    return result;
+}
+export function parseNpmLock(content) {
+    const raw = destr(content);
+    if (raw === null || typeof raw !== 'object')
+        return {};
+    return raw.packages ? parsePackagesBlock(raw.packages) : {};
+}
+export const npmAdapter = {
+    filename: 'package-lock.json',
+    parse: parseNpmLock,
+};
+//# sourceMappingURL=npm.js.map

package/dist/src/adapters/npm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm.js","sourceRoot":"","sources":["../../../src/adapters/npm.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,KAAK,EAAE,MAAM,OAAO,CAAA;AAU7B,MAAM,UAAU,kBAAkB,CAAC,QAA6C;IAC9E,MAAM,MAAM,GAAwB,EAAE,CAAA;IACtC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,eAAe,CAAC;YAClC,SAAQ;QACV,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAA;QAC9C,mDAAmD;QACnD,IAAI,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC;YAC/B,SAAQ;QACV,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,QAAQ;YACnC,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,OAAO,CAAA;IAChC,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,MAAM,GAAG,GAAG,KAAK,CAAiB,OAAO,CAAC,CAAA;IAC1C,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ;QACzC,OAAO,EAAE,CAAA;IACX,OAAO,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;AAC7D,CAAC;AAED,MAAM,CAAC,MAAM,UAAU,GAAoB;IACzC,QAAQ,EAAE,mBAAmB;IAC7B,KAAK,EAAE,YAAY;CACpB,CAAA"}

package/dist/src/adapters/pnpm.d.ts

@@ -0,0 +1,34 @@
+import type { LockfileAdapter } from '../lockfile.js';
+import type { InstalledVersionMap } from '../types.js';
+/**
+ * Parse a pnpm-lock.yaml (v6–v9) into an installed version map.
+ *
+ * Reads only the root importer (`.`) from the `importers` block.
+ * Peer-dependency suffixes like `1.2.3(@types/node@22.0.0)` are stripped
+ * to leave only the bare version number.
+ */
+export declare function parsePnpmLock(content: string): InstalledVersionMap;
+export declare const pnpmAdapter: LockfileAdapter;
+/**
+ * Read all catalogs from pnpm-workspace.yaml and return a
+ * catalogName → (packageName → specifier) map.
+ *
+ * `catalog:` references use the `"default"` key.
+ * Named references like `catalog:testing` use the catalog name as key.
+ *
+ * Returns null if the file is absent or has no catalogs section.
+ */
+export declare function loadPnpmCatalog(dir: string): Record<string, Record<string, string>> | null;
+/**
+ * Substitute `catalog:` and `catalog:<name>` references in a deps map with
+ * the real specifier from the workspace catalogs.
+ * Entries not found in the catalog are left as-is.
+ */
+export declare function resolveCatalogRefs(deps: Record<string, string>, catalogs: Record<string, Record<string, string>>): Record<string, string>;
+/**
+ * Update catalog entries in pnpm-workspace.yaml in place.
+ * `updates` is a map of package name → new specifier (e.g. `"1.2.3"`).
+ * Only lines within the file that match a catalog entry for the given name are rewritten.
+ */
+export declare function updatePnpmCatalog(dir: string, updates: Record<string, string>): void;
+//# sourceMappingURL=pnpm.d.ts.map

package/dist/src/adapters/pnpm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pnpm.d.ts","sourceRoot":"","sources":["../../../src/adapters/pnpm.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AACrD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAA;AAiBtD;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,mBAAmB,CAkBlE;AAED,eAAO,MAAM,WAAW,EAAE,eAGzB,CAAA;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,GAAG,IAAI,CAmB1F;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,GAC/C,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAexB;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CASpF"}

package/dist/src/adapters/pnpm.js

@@ -0,0 +1,97 @@
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { parseYAML } from 'confbox';
+/**
+ * Parse a pnpm-lock.yaml (v6–v9) into an installed version map.
+ *
+ * Reads only the root importer (`.`) from the `importers` block.
+ * Peer-dependency suffixes like `1.2.3(@types/node@22.0.0)` are stripped
+ * to leave only the bare version number.
+ */
+export function parsePnpmLock(content) {
+    const raw = parseYAML(content);
+    const result = {};
+    const root = raw?.importers?.['.'];
+    if (!root)
+        return result;
+    for (const block of [root.dependencies, root.devDependencies]) {
+        if (!block)
+            continue;
+        for (const [name, entry] of Object.entries(block)) {
+            if (entry.version !== undefined) {
+                result[name] = entry.version.split('(')[0].trim();
+            }
+        }
+    }
+    return result;
+}
+export const pnpmAdapter = {
+    filename: 'pnpm-lock.yaml',
+    parse: parsePnpmLock,
+};
+/**
+ * Read all catalogs from pnpm-workspace.yaml and return a
+ * catalogName → (packageName → specifier) map.
+ *
+ * `catalog:` references use the `"default"` key.
+ * Named references like `catalog:testing` use the catalog name as key.
+ *
+ * Returns null if the file is absent or has no catalogs section.
+ */
+export function loadPnpmCatalog(dir) {
+    const path = resolve(dir, 'pnpm-workspace.yaml');
+    if (!existsSync(path))
+        return null;
+    try {
+        const raw = parseYAML(readFileSync(path, 'utf8'));
+        if (!raw?.catalogs)
+            return null;
+        const result = {};
+        for (const [catalogName, section] of Object.entries(raw.catalogs)) {
+            result[catalogName] = { ...section };
+        }
+        return Object.keys(result).length > 0 ? result : null;
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`error: could not parse ${path}: ${message}`);
+        return null;
+    }
+}
+/**
+ * Substitute `catalog:` and `catalog:<name>` references in a deps map with
+ * the real specifier from the workspace catalogs.
+ * Entries not found in the catalog are left as-is.
+ */
+export function resolveCatalogRefs(deps, catalogs) {
+    const result = {};
+    for (const [name, ver] of Object.entries(deps)) {
+        if (ver === 'catalog:') {
+            result[name] = catalogs.default?.[name] ?? ver;
+        }
+        else if (ver.startsWith('catalog:')) {
+            const catalogName = ver.slice('catalog:'.length);
+            result[name] = catalogs[catalogName]?.[name] ?? ver;
+        }
+        else {
+            result[name] = ver;
+        }
+    }
+    return result;
+}
+/**
+ * Update catalog entries in pnpm-workspace.yaml in place.
+ * `updates` is a map of package name → new specifier (e.g. `"1.2.3"`).
+ * Only lines within the file that match a catalog entry for the given name are rewritten.
+ */
+export function updatePnpmCatalog(dir, updates) {
+    const path = resolve(dir, 'pnpm-workspace.yaml');
+    let content = readFileSync(path, 'utf8');
+    for (const [name, version] of Object.entries(updates)) {
+        const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        const pattern = new RegExp(`^(\\s+(?:'${escaped}'|"${escaped}"|${escaped}):\\s*)(.+)$`, 'gm');
+        content = content.replace(pattern, `$1${version}`);
+    }
+    writeFileSync(path, content, 'utf8');
+}
+//# sourceMappingURL=pnpm.js.map

package/dist/src/adapters/pnpm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pnpm.js","sourceRoot":"","sources":["../../../src/adapters/pnpm.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AACjE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACnC,OAAO,EAAE,SAAS,EAAE,MAAM,SAAS,CAAA;AAcnC;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,OAAe;IAC3C,MAAM,GAAG,GAAG,SAAS,CAAW,OAAO,CAAC,CAAA;IACxC,MAAM,MAAM,GAAwB,EAAE,CAAA;IACtC,MAAM,IAAI,GAAG,GAAG,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,CAAA;IAClC,IAAI,CAAC,IAAI;QACP,OAAO,MAAM,CAAA;IAEf,KAAK,MAAM,KAAK,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC;QAC9D,IAAI,CAAC,KAAK;YACR,SAAQ;QACV,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAClD,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;gBAChC,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAA;YACpD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED,MAAM,CAAC,MAAM,WAAW,GAAoB;IAC1C,QAAQ,EAAE,gBAAgB;IAC1B,KAAK,EAAE,aAAa;CACrB,CAAA;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,qBAAqB,CAAC,CAAA;IAChD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QACnB,OAAO,IAAI,CAAA;IACb,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,SAAS,CAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAA;QAChE,IAAI,CAAC,GAAG,EAAE,QAAQ;YAChB,OAAO,IAAI,CAAA;QACb,MAAM,MAAM,GAA2C,EAAE,CAAA;QACzD,KAAK,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClE,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,OAAO,EAAE,CAAA;QACtC,CAAC;QACD,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAA;IACvD,CAAC;IACD,OAAO,GAAG,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAChE,OAAO,CAAC,KAAK,CAAC,0BAA0B,IAAI,KAAK,OAAO,EAAE,CAAC,CAAA;QAC3D,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAA4B,EAC5B,QAAgD;IAEhD,MAAM,MAAM,GAA2B,EAAE,CAAA;IACzC,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/C,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,IAAI,GAAG,CAAA;QAChD,CAAC;aACI,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,MAAM,WAAW,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAA;YAChD,MAAM,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,GAAG,CAAA;QACrD,CAAC;aACI,CAAC;YACJ,MAAM,CAAC,IAAI,CAAC,GAAG,GAAG,CAAA;QACpB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAW,EAAE,OAA+B;IAC5E,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,qBAAqB,CAAC,CAAA;IAChD,IAAI,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;IACxC,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACtD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAA;QAC3D,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,aAAa,OAAO,MAAM,OAAO,KAAK,OAAO,cAAc,EAAE,IAAI,CAAC,CAAA;QAC7F,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,KAAK,OAAO,EAAE,CAAC,CAAA;IACpD,CAAC;IACD,aAAa,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;AACtC,CAAC"}

package/dist/src/audit.d.ts

@@ -0,0 +1,19 @@
+import type { AuditResult, InstalledVersionMap, PackageJson, RangeSpecifierConfig } from './types.js';
+export interface AuditDepsOptions {
+    pkgJson: PackageJson;
+    lag: number;
+    minimumReleaseAge?: number;
+    preReleaseFilter?: string[];
+    rangeSpecifier: RangeSpecifierConfig;
+    ignore?: string[];
+    installed?: InstalledVersionMap;
+    catalogPackages?: ReadonlySet<string>;
+}
+/**
+ * Audit all dependencies in a package.json object.
+ * - `ignore`: skip these package names entirely.
+ * - `installed`: lockfile-resolved version map; used for comparison when present.
+ * - `rangeSpecifier`: global string or per-package record.
+ */
+export declare function auditDeps({ pkgJson, lag, minimumReleaseAge, preReleaseFilter, rangeSpecifier, ignore, installed, catalogPackages }: AuditDepsOptions): Promise<AuditResult[]>;
+//# sourceMappingURL=audit.d.ts.map

package/dist/src/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/audit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAe,mBAAmB,EAAE,WAAW,EAAkB,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAyDlI,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,WAAW,CAAA;IACpB,GAAG,EAAE,MAAM,CAAA;IACX,iBAAiB,CAAC,EAAE,MAAM,CAAA;IAC1B,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC3B,cAAc,EAAE,oBAAoB,CAAA;IACpC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,SAAS,CAAC,EAAE,mBAAmB,CAAA;IAC/B,eAAe,CAAC,EAAE,WAAW,CAAC,MAAM,CAAC,CAAA;CACtC;AAED;;;;;GAKG;AACH,wBAAsB,SAAS,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,iBAAiB,EAAE,gBAAqB,EAAE,cAAc,EAAE,MAAW,EAAE,SAAS,EAAE,eAAe,EAAE,EAAE,gBAAgB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CA0B7L"}

package/dist/src/audit.js

@@ -0,0 +1,65 @@
+import { resolveRangeSpecifier } from './config.js';
+import { resolvePackage } from './resolve.js';
+import { bareVersion, detectSpecifier, semverCompareForSpecifier } from './semver.js';
+async function auditOne({ name, rawVersion, lag, minimumReleaseAge, preReleaseFilter, rangeSpecifier, installedVersion, fromCatalog }) {
+    const declared = rawVersion;
+    const isCatalogRef = rawVersion.startsWith('catalog:');
+    // catalog: entries have no usable version in package.json — the lockfile is required
+    if (isCatalogRef && installedVersion === null) {
+        return { name, declared, current: '', installed: null, target: null, latest: null, status: 'unresolved', rangeSpecifier, declaredSpecifier: 'other', specifierMismatch: false, fromCatalog, error: 'catalog reference; pnpm lockfile required' };
+    }
+    const current = isCatalogRef ? installedVersion : bareVersion(rawVersion);
+    const installed = installedVersion;
+    const declaredSpecifier = isCatalogRef ? 'other' : detectSpecifier(rawVersion);
+    const specifierMismatch = declaredSpecifier !== 'other' && declaredSpecifier !== rangeSpecifier;
+    let resolved;
+    try {
+        resolved = await resolvePackage({ name, lag, preReleaseFilter, ...(minimumReleaseAge !== undefined ? { minimumReleaseAge } : {}) });
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return { name, declared, current, installed, target: null, latest: null, status: 'unresolved', rangeSpecifier, declaredSpecifier, specifierMismatch, fromCatalog, error: message };
+    }
+    const { target, latest } = resolved;
+    if (target === null) {
+        return { name, declared, current, installed, target: null, latest, status: 'unresolved', rangeSpecifier, declaredSpecifier, specifierMismatch, fromCatalog, error: 'no stable versions found' };
+    }
+    const compareVersion = installed ?? current;
+    const cmp = semverCompareForSpecifier({ versionA: compareVersion, versionB: target, specifier: rangeSpecifier });
+    let status;
+    if (cmp > 0)
+        status = 'pin';
+    else if (cmp === 0)
+        status = 'ok';
+    else
+        status = 'behind';
+    return { name, declared, current, installed, target, latest, status, rangeSpecifier, declaredSpecifier, specifierMismatch, fromCatalog };
+}
+/**
+ * Audit all dependencies in a package.json object.
+ * - `ignore`: skip these package names entirely.
+ * - `installed`: lockfile-resolved version map; used for comparison when present.
+ * - `rangeSpecifier`: global string or per-package record.
+ */
+export async function auditDeps({ pkgJson, lag, minimumReleaseAge, preReleaseFilter = [], rangeSpecifier, ignore = [], installed, catalogPackages }) {
+    const deps = {
+        ...(pkgJson.dependencies ?? {}),
+        ...(pkgJson.devDependencies ?? {}),
+    };
+    let names = Object.keys(deps);
+    if (ignore.length > 0) {
+        const ignoreSet = new Set(ignore);
+        names = names.filter(n => !ignoreSet.has(n));
+    }
+    return Promise.all(names.map(n => auditOne({
+        name: n,
+        rawVersion: deps[n] ?? '',
+        lag,
+        ...(minimumReleaseAge !== undefined ? { minimumReleaseAge } : {}),
+        preReleaseFilter,
+        rangeSpecifier: resolveRangeSpecifier({ config: rangeSpecifier, name: n }),
+        installedVersion: installed?.[n] ?? null,
+        fromCatalog: catalogPackages?.has(n) ?? false,
+    })));
+}
+//# sourceMappingURL=audit.js.map

package/dist/src/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/audit.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AACnD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAA;AAC7C,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,yBAAyB,EAAE,MAAM,aAAa,CAAA;AAarF,KAAK,UAAU,QAAQ,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAmB;IACpJ,MAAM,QAAQ,GAAG,UAAU,CAAA;IAC3B,MAAM,YAAY,GAAG,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,CAAA;IAEtD,qFAAqF;IACrF,IAAI,YAAY,IAAI,gBAAgB,KAAK,IAAI,EAAE,CAAC;QAC9C,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,iBAAiB,EAAE,OAAO,EAAE,iBAAiB,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAA;IAClP,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,gBAAiB,CAAC,CAAC,CAAC,WAAW,CAAC,UAAU,CAAC,CAAA;IAC1E,MAAM,SAAS,GAAG,gBAAgB,CAAA;IAClC,MAAM,iBAAiB,GAAG,YAAY,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAA;IAC9E,MAAM,iBAAiB,GAAG,iBAAiB,KAAK,OAAO,IAAI,iBAAiB,KAAK,cAAc,CAAA;IAE/F,IAAI,QAAQ,CAAA;IACZ,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,cAAc,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,gBAAgB,EAAE,GAAG,CAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAA;IACrI,CAAC;IACD,OAAO,GAAG,EAAE,CAAC;QACX,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QAChE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,CAAA;IACpL,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,QAAQ,CAAA;IAEnC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,cAAc,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,WAAW,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAA;IACjM,CAAC;IAED,MAAM,cAAc,GAAG,SAAS,IAAI,OAAO,CAAA;IAC3C,MAAM,GAAG,GAAG,yBAAyB,CAAC,EAAE,QAAQ,EAAE,cAAc,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,CAAC,CAAA;IAChH,IAAI,MAAmB,CAAA;IACvB,IAAI,GAAG,GAAG,CAAC;QACT,MAAM,GAAG,KAAK,CAAA;SACX,IAAI,GAAG,KAAK,CAAC;QAChB,MAAM,GAAG,IAAI,CAAA;;QACV,MAAM,GAAG,QAAQ,CAAA;IAEtB,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAA;AAC1I,CAAC;AAaD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,iBAAiB,EAAE,gBAAgB,GAAG,EAAE,EAAE,cAAc,EAAE,MAAM,GAAG,EAAE,EAAE,SAAS,EAAE,eAAe,EAAoB;IACnK,MAAM,IAAI,GAA2B;QACnC,GAAG,CAAC,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC;QAC/B,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,CAAC;KACnC,CAAA;IAED,IAAI,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC7B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAA;QACjC,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;IAC9C,CAAC;IAED,OAAO,OAAO,CAAC,GAAG,CAChB,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CACZ,QAAQ,CAAC;QACP,IAAI,EAAE,CAAC;QACP,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE;QACzB,GAAG;QACH,GAAG,CAAC,iBAAiB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACjE,gBAAgB;QAChB,cAAc,EAAE,qBAAqB,CAAC,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC1E,gBAAgB,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI;QACxC,WAAW,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK;KAC9C,CAAC,CACH,CACF,CAAA;AACH,CAAC"}

package/dist/src/config.d.ts

@@ -0,0 +1,23 @@
+import type { Config, ConfigFile, RangeSpecifier, RangeSpecifierConfig } from './types.js';
+/**
+ * Load the config file from `dir`.
+ * Returns the parsed config, or null if no config file was found.
+ */
+export declare function loadConfigFile(dir: string): ConfigFile | null;
+/** Resolve the directory to search for the config file, based on --file if provided. */
+export declare function resolveConfigDir({ file, cwd }: {
+    file?: string;
+    cwd: string;
+}): string;
+export declare const DEFAULTS: Config;
+/**
+ * Resolve the effective RangeSpecifier for a specific package.
+ * When config is a string it applies to all packages.
+ * When config is a record, looks up by name, then "default", then falls back to "exact".
+ */
+export declare function resolveRangeSpecifier({ config, name }: {
+    config: RangeSpecifierConfig;
+    name: string;
+}): RangeSpecifier;
+export declare function rangePrefix(specifier: RangeSpecifier): string;
+//# sourceMappingURL=config.d.ts.map

package/dist/src/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAa1F;;;GAGG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAiB7D;AAED,wFAAwF;AACxF,wBAAgB,gBAAgB,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,MAAM,CAEtF;AAED,eAAO,MAAM,QAAQ,EAAE,MAQtB,CAAA;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE;IAAE,MAAM,EAAE,oBAAoB,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG,cAAc,CAUtH;AAED,wBAAgB,WAAW,CAAC,SAAS,EAAE,cAAc,GAAG,MAAM,CAM7D"}