@cyclonedx/cdxgen 12.1.5 → 12.2.0

package/types/lib/validator/index.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Run structural + compliance validation against a parsed BOM.
+ *
+ * @param {object} bomJson Parsed CycloneDX JSON BOM.
+ * @param {object} [options]
+ * @param {boolean} [options.schema]            Run JSON-Schema validation (default true).
+ * @param {boolean} [options.deep]              Run purl/ref/metadata deep checks (default true).
+ * @param {Array<string>} [options.benchmarks]  Aliases to include in the scorecards (default: all).
+ * @param {Array<string>} [options.categories]  Restrict compliance rules to these categories.
+ * @param {string} [options.minSeverity]        Minimum severity for returned findings.
+ * @param {boolean} [options.includeManual]     Include manual-review findings (default true).
+ * @param {boolean} [options.includePass]       Include passing findings (default false).
+ * @param {string} [options.publicKey]          If set, verify the BOM signature.
+ * @returns {{
+ *   schemaValid: boolean,
+ *   deepValid: boolean,
+ *   signatureVerified: boolean | null,
+ *   signatureDetails: object | null,
+ *   findings: Array<object>,
+ *   allFindings: Array<object>,
+ *   benchmarks: Array<object>,
+ *   summary: object
+ * }}
+ */
+export function validateBomAdvanced(bomJson: object, options?: {
+    schema?: boolean | undefined;
+    deep?: boolean | undefined;
+    benchmarks?: string[] | undefined;
+    categories?: string[] | undefined;
+    minSeverity?: string | undefined;
+    includeManual?: boolean | undefined;
+    includePass?: boolean | undefined;
+    publicKey?: string | undefined;
+}): {
+    schemaValid: boolean;
+    deepValid: boolean;
+    signatureVerified: boolean | null;
+    signatureDetails: object | null;
+    findings: Array<object>;
+    allFindings: Array<object>;
+    benchmarks: Array<object>;
+    summary: object;
+};
+/**
+ * Decide whether a report should trigger a non-zero CLI exit.
+ *
+ * @param {object} report
+ * @param {object} opts
+ * @param {string} [opts.failSeverity] Severity level at or above which failing findings are considered a failure (default "high").
+ * @param {boolean} [opts.strict]      When true, failing on any `fail` status regardless of severity, and a failing schema/deep validation also counts.
+ * @param {boolean} [opts.requireSignature] Require a valid signature when verification was requested.
+ * @returns {{ shouldFail: boolean, reason: string | null }}
+ */
+export function shouldFail(report: object, opts?: {
+    failSeverity?: string | undefined;
+    strict?: boolean | undefined;
+    requireSignature?: boolean | undefined;
+}): {
+    shouldFail: boolean;
+    reason: string | null;
+};
+export namespace SEVERITY_ORDER {
+    let info: number;
+    let low: number;
+    let medium: number;
+    let high: number;
+    let critical: number;
+}
+export { buildBenchmarkReports, evaluateAll } from "./complianceEngine.js";
+//# sourceMappingURL=index.d.ts.map

package/types/lib/validator/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../lib/validator/index.js"],"names":[],"mappings":"AAqHA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,6CArBW,MAAM,YAEd;IAA0B,MAAM;IACN,IAAI;IACE,UAAU;IACV,UAAU;IACjB,WAAW;IACV,aAAa;IACb,WAAW;IACZ,SAAS;CAClC,GAAU;IACR,WAAW,EAAE,OAAO,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,iBAAiB,EAAE,OAAO,GAAG,IAAI,CAAC;IAClC,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAC;IAChC,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACxB,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3B,UAAU,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAA;CAChB,CA2CH;AAED;;;;;;;;;GASG;AACH,mCAPW,MAAM,SAEd;IAAsB,YAAY;IACX,MAAM;IACN,gBAAgB;CACvC,GAAU;IAAE,UAAU,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CA0B1D"}

package/types/lib/validator/reporters/annotations.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Render a set of findings into CycloneDX annotations.
+ *
+ * @param {Array<object>} findings Finding objects emitted by the validator or auditBom engine.
+ * @param {object} bomJson Full CycloneDX BOM (needed for annotator/subject wiring).
+ * @returns {Array<object>} CycloneDX annotation objects.
+ */
+export function buildAnnotations(findings: Array<object>, bomJson: object): Array<object>;
+/**
+ * Produce a new BOM object with findings embedded as annotations. The caller
+ * is responsible for writing the result to disk.
+ *
+ * @param {object} bomJson
+ * @param {Array<object>} findings
+ * @returns {object}
+ */
+export function renderBom(bomJson: object, findings: Array<object>): object;
+/**
+ * Convenience wrapper matching the signature of the other reporters. The
+ * second argument expects `{ bomJson }` because annotations are BOM-shaped,
+ * not report-shaped.
+ *
+ * @param {object} report Output of validateBomAdvanced().
+ * @param {object} options
+ * @param {object} options.bomJson The BOM to annotate.
+ * @returns {string} JSON string of the annotated BOM.
+ */
+export function render(report: object, options?: {
+    bomJson: object;
+}): string;
+//# sourceMappingURL=annotations.d.ts.map

package/types/lib/validator/reporters/annotations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"annotations.d.ts","sourceRoot":"","sources":["../../../../lib/validator/reporters/annotations.js"],"names":[],"mappings":"AAYA;;;;;;GAMG;AACH,2CAJW,KAAK,CAAC,MAAM,CAAC,WACb,MAAM,GACJ,KAAK,CAAC,MAAM,CAAC,CAqEzB;AAED;;;;;;;GAOG;AACH,mCAJW,MAAM,YACN,KAAK,CAAC,MAAM,CAAC,GACX,MAAM,CAUlB;AAED;;;;;;;;;GASG;AACH,+BALW,MAAM,YAEd;IAAwB,OAAO,EAAvB,MAAM;CACd,GAAU,MAAM,CAMlB"}

package/types/lib/validator/reporters/console.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Produce a human-readable summary of findings.
+ *
+ * @param {Array<object>} findings
+ * @param {object} [options]
+ * @returns {string}
+ */
+export function formatFindings(findings: Array<object>, options?: object): string;
+/**
+ * Produce a scorecard table for benchmark reports.
+ *
+ * @param {Array<object>} reports
+ * @returns {string}
+ */
+export function formatBenchmarks(reports: Array<object>): string;
+/**
+ * Produce a compact one-line summary for CI logs.
+ *
+ * @param {object} summary
+ * @returns {string}
+ */
+export function formatSummary(summary: object): string;
+/**
+ * Render the full report as a single string.
+ *
+ * @param {object} report Output of validateBomAdvanced().
+ * @returns {string}
+ */
+export function render(report: object): string;
+//# sourceMappingURL=console.d.ts.map

package/types/lib/validator/reporters/console.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"console.d.ts","sourceRoot":"","sources":["../../../../lib/validator/reporters/console.js"],"names":[],"mappings":"AAuBA;;;;;;GAMG;AACH,yCAJW,KAAK,CAAC,MAAM,CAAC,YACb,MAAM,GACJ,MAAM,CAiClB;AAED;;;;;GAKG;AACH,0CAHW,KAAK,CAAC,MAAM,CAAC,GACX,MAAM,CAmClB;AAED;;;;;GAKG;AACH,uCAHW,MAAM,GACJ,MAAM,CAWlB;AAED;;;;;GAKG;AACH,+BAHW,MAAM,GACJ,MAAM,CAuBlB"}

package/types/lib/validator/reporters/index.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Render a validation report using the named reporter.
+ *
+ * @param {string} name   Reporter identifier.
+ * @param {object} report Output of validateBomAdvanced().
+ * @param {object} [opts] Reporter-specific options.
+ * @returns {string}
+ */
+export function render(name: string, report: object, opts?: object): string;
+export namespace reporters {
+    export { consoleReporter as console };
+    export { json };
+    export { sarif };
+    export { annotations };
+}
+import * as consoleReporter from "./console.js";
+import * as json from "./json.js";
+import * as sarif from "./sarif.js";
+import * as annotations from "./annotations.js";
+export { annotations, consoleReporter as console, json, sarif };
+//# sourceMappingURL=index.d.ts.map

package/types/lib/validator/reporters/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../lib/validator/reporters/index.js"],"names":[],"mappings":"AAsBA;;;;;;;GAOG;AACH,6BALW,MAAM,UACN,MAAM,SACN,MAAM,GACJ,MAAM,CAUlB;;;;;;;iCA9BgC,cAAc;sBACzB,WAAW;uBACV,YAAY;6BAHN,kBAAkB"}

package/types/lib/validator/reporters/json.d.ts

@@ -0,0 +1,11 @@
+/**
+ * JSON reporter — emits a stable, documented structure for programmatic use.
+ * No dependencies.
+ */
+/**
+ * @param {object} report Output of validateBomAdvanced().
+ * @param {object} [_options] Unused
+ * @returns {string}
+ */
+export function render(report: object, _options?: object): string;
+//# sourceMappingURL=json.d.ts.map

package/types/lib/validator/reporters/json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../../../lib/validator/reporters/json.js"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;;;GAIG;AACH,+BAJW,MAAM,aACN,MAAM,GACJ,MAAM,CA4BlB"}

package/types/lib/validator/reporters/sarif.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Render a validation report as SARIF.
+ *
+ * @param {object} report Output of validateBomAdvanced().
+ * @param {object} [options]
+ * @param {string} [options.toolName]    Override driver name.
+ * @param {string} [options.toolVersion] Driver version to embed.
+ * @param {boolean} [options.includeManual] Include manual-review findings (default false).
+ * @returns {string}
+ */
+export function render(report: object, options?: {
+    toolName?: string | undefined;
+    toolVersion?: string | undefined;
+    includeManual?: boolean | undefined;
+}): string;
+//# sourceMappingURL=sarif.d.ts.map

package/types/lib/validator/reporters/sarif.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../../../lib/validator/reporters/sarif.js"],"names":[],"mappings":"AAqIA;;;;;;;;;GASG;AACH,+BAPW,MAAM,YAEd;IAAyB,QAAQ;IACR,WAAW;IACV,aAAa;CACvC,GAAU,MAAM,CA0ClB"}

package/lib/helpers/db.js

@@ -1,162 +0,0 @@
-import path from "node:path";
-
-import sqlite3 from "@appthreat/sqlite3";
-
-const {
-  Database,
-  OPEN_READWRITE,
-  OPEN_CREATE,
-  OPEN_NOMUTEX,
-  OPEN_SHAREDCACHE,
-} = sqlite3;
-
-/**
- * A lightweight Model wrapper to mimic Sequelize behavior using raw sqlite3
- */
-class Model {
-  constructor(db, tableName) {
-    this.db = db;
-    this.tableName = tableName;
-  }
-
-  /**
-   * Initialize table
-   */
-  async init() {
-    const sql = `CREATE TABLE IF NOT EXISTS ${this.tableName} (
-      purl TEXT PRIMARY KEY, 
-      data JSON NOT NULL,
-      createdAt DATETIME NOT NULL,
-      updatedAt DATETIME NOT NULL
-    )`;
-    return new Promise((resolve, reject) => {
-      this.db.run(sql, (err) => {
-        if (err) reject(err);
-        else resolve();
-      });
-    });
-  }
-
-  /**
-   * findByPk
-   * Returns null if not found, or an object { purl, data (parsed object) }
-   */
-  async findByPk(purl) {
-    const sql = `SELECT * FROM ${this.tableName} WHERE purl = ?`;
-    return new Promise((resolve, reject) => {
-      this.db.get(sql, [purl], (err, row) => {
-        if (err) {
-          reject(err);
-        } else if (!row) {
-          resolve(null);
-        } else {
-          try {
-            row.data = JSON.parse(row.data);
-          } catch (_e) {
-            // ignore
-          }
-          resolve(row);
-        }
-      });
-    });
-  }
-
-  /**
-   * findOrCreate
-   * @param {Object} options { where: { purl }, defaults: { purl, data } }
-   */
-  async findOrCreate(options) {
-    const { where, defaults } = options;
-    const existing = await this.findByPk(where.purl);
-
-    if (existing) {
-      return [existing, false];
-    }
-
-    const insertSql = `INSERT INTO ${this.tableName} (purl, data, createdAt, updatedAt) VALUES (?, ?, ?, ?)`;
-    const dataStr =
-      typeof defaults.data === "string"
-        ? defaults.data
-        : JSON.stringify(defaults.data);
-    const now = new Date().toISOString();
-    return new Promise((resolve, reject) => {
-      this.db.run(insertSql, [defaults.purl, dataStr, now, now], (err) => {
-        if (err) reject(err);
-        else {
-          const instance = {
-            purl: defaults.purl,
-            data: defaults.data,
-            createdAt: now,
-            updatedAt: now,
-          };
-          resolve([instance, true]);
-        }
-      });
-    });
-  }
-
-  /**
-   * findAll to handle the specific LIKE query from evinser.js
-   * @param {Object} options
-   */
-  async findAll(options) {
-    let sql = `SELECT * FROM ${this.tableName}`;
-    const params = [];
-
-    if (options?.where?.data) {
-      if (options.where.data.like) {
-        sql += " WHERE data LIKE ?";
-        params.push(options.where.data.like);
-      }
-    }
-
-    return new Promise((resolve, reject) => {
-      this.db.all(sql, params, (err, rows) => {
-        if (err) {
-          reject(err);
-        } else {
-          const results = rows.map((r) => {
-            try {
-              r.data = JSON.parse(r.data);
-            } catch (_e) {
-              // ignore
-            }
-            return r;
-          });
-          resolve(results);
-        }
-      });
-    });
-  }
-}
-
-export const createOrLoad = async (dbName, dbPath, logging = false) => {
-  const fullPath = dbPath.includes("memory")
-    ? dbPath
-    : path.join(dbPath, dbName);
-
-  const mode = OPEN_READWRITE | OPEN_CREATE | OPEN_NOMUTEX | OPEN_SHAREDCACHE;
-
-  const db = new Database(fullPath, mode, (err) => {
-    if (err && logging) console.error(err.message);
-  });
-
-  if (logging) {
-    db.on("trace", (sql) => console.log(`[sqlite] ${sql}`));
-  }
-
-  const Namespaces = new Model(db, "Namespaces");
-  const Usages = new Model(db, "Usages");
-  const DataFlows = new Model(db, "DataFlows");
-
-  await Namespaces.init();
-  await Usages.init();
-  await DataFlows.init();
-
-  return {
-    sequelize: db,
-    Namespaces,
-    Usages,
-    DataFlows,
-  };
-};

package/lib/stages/pregen/env-audit.js

@@ -1,34 +0,0 @@
-import process from "node:process";
-
-const SUSPICIOUS_NODE_OPTIONS_PATTERNS = [
-  /--require/i,
-  /--eval/i,
-  /--import/i,
-  /--loader/i,
-  /--inspect/i,
-];
-
-const DANGEROUS_VARS = [
-  "NODE_NO_WARNINGS",
-  "NODE_PENDING_DEPRECATION",
-  "UV_THREADPOOL_SIZE",
-];
-
-export function auditEnvironment(env = process.env) {
-  const warnings = [];
-  for (const varName of DANGEROUS_VARS) {
-    if (env[varName]) {
-      warnings.push(
-        `Unset ${varName} before running cdxgen on untrusted repos.`,
-      );
-    }
-  }
-  for (const pattern of SUSPICIOUS_NODE_OPTIONS_PATTERNS) {
-    if (pattern.test(env.NODE_OPTIONS)) {
-      warnings.push(
-        `NODE_OPTIONS contains code execution flag: ${pattern.toString()}.`,
-      );
-    }
-  }
-  return warnings;
-}

package/lib/stages/pregen/env-audit.poku.js

@@ -1,290 +0,0 @@
-import { strict as assert } from "node:assert";
-
-import { describe, test } from "poku";
-
-import { auditEnvironment } from "./env-audit.js";
-
-const NODE_OPTIONS_ATTACK_VECTORS = [
-  {
-    name: "--require flag",
-    value: "--require ./evil.js",
-    expectedMatch: true,
-  },
-  {
-    name: "--require with uppercase",
-    value: "--REQUIRE ./evil.js",
-    expectedMatch: true,
-  },
-  {
-    name: "-r short flag",
-    value: "-r ./evil.js",
-    expectedMatch: false,
-  },
-  {
-    name: "--eval flag",
-    value: "--eval \"console.log('pwned')\"",
-    expectedMatch: true,
-  },
-  {
-    name: "--eval with complex payload",
-    value: "--eval \"require('child_process').execSync('id')\"",
-    expectedMatch: true,
-  },
-  {
-    name: "-e short flag",
-    value: "-e \"console.log('test')\"",
-    expectedMatch: false,
-  },
-  {
-    name: "--import flag (Node 18+)",
-    value: "--import ./malicious.mjs",
-    expectedMatch: true,
-  },
-  {
-    name: "--loader flag",
-    value: "--loader ./hook-loader.js",
-    expectedMatch: true,
-  },
-  {
-    name: "--inspect flag",
-    value: "--inspect=0.0.0.0:9229",
-    expectedMatch: true,
-  },
-  {
-    name: "--inspect-brk flag",
-    value: "--inspect-brk=9229",
-    expectedMatch: true,
-  },
-  {
-    name: "--inspect with host",
-    value: "--inspect 127.0.0.1:9229",
-    expectedMatch: true,
-  },
-  {
-    name: "safe memory flag",
-    value: "--max-old-space-size=4096",
-    expectedMatch: false,
-  },
-  {
-    name: "safe GC flag",
-    value: "--expose-gc",
-    expectedMatch: false,
-  },
-  {
-    name: "safe trace flag",
-    value: "--trace-warnings",
-    expectedMatch: false,
-  },
-  {
-    name: "multiple flags with one malicious",
-    value: "--max-old-space-size=4096 --require ./evil.js",
-    expectedMatch: true,
-  },
-  {
-    name: "empty string",
-    value: "",
-    expectedMatch: false,
-  },
-  {
-    name: "whitespace only",
-    value: "   ",
-    expectedMatch: false,
-  },
-];
-
-const DANGEROUS_ENV_VAR_CASES = [
-  {
-    name: "NODE_NO_WARNINGS set",
-    env: { NODE_NO_WARNINGS: "1" },
-    expectedWarnings: 1,
-    expectedVar: "NODE_NO_WARNINGS",
-  },
-  {
-    name: "NODE_PENDING_DEPRECATION set",
-    env: { NODE_PENDING_DEPRECATION: "1" },
-    expectedWarnings: 1,
-    expectedVar: "NODE_PENDING_DEPRECATION",
-  },
-  {
-    name: "UV_THREADPOOL_SIZE set",
-    env: { UV_THREADPOOL_SIZE: "128" },
-    expectedWarnings: 1,
-    expectedVar: "UV_THREADPOOL_SIZE",
-  },
-  {
-    name: "all dangerous vars set",
-    env: {
-      NODE_NO_WARNINGS: "1",
-      NODE_PENDING_DEPRECATION: "1",
-      UV_THREADPOOL_SIZE: "128",
-    },
-    expectedWarnings: 3,
-    expectedVar: null,
-  },
-  {
-    name: "no dangerous vars",
-    env: { PATH: "/usr/bin", HOME: "/home/user" },
-    expectedWarnings: 0,
-    expectedVar: null,
-  },
-  {
-    name: "dangerous var with empty value (falsy)",
-    env: { NODE_NO_WARNINGS: "" },
-    expectedWarnings: 0,
-    expectedVar: null,
-  },
-];
-
-const COMBINED_ATTACK_CASES = [
-  {
-    name: "NODE_OPTIONS attack + dangerous vars",
-    env: {
-      NODE_OPTIONS: "--require ./evil.js",
-      NODE_NO_WARNINGS: "1",
-      UV_THREADPOOL_SIZE: "128",
-    },
-    minWarnings: 3,
-  },
-  {
-    name: "multiple NODE_OPTIONS patterns",
-    env: {
-      NODE_OPTIONS: '--require ./a.js --eval "code" --inspect',
-    },
-    minWarnings: 3,
-  },
-  {
-    name: "clean environment",
-    env: {},
-    minWarnings: 0,
-  },
-];
-
-describe("auditEnvironment - NODE_OPTIONS Detection", () => {
-  for (const tc of NODE_OPTIONS_ATTACK_VECTORS) {
-    test(`should detect ${tc.name}`, () => {
-      const env = { NODE_OPTIONS: tc.value };
-      const warnings = auditEnvironment(env);
-
-      const hasSuspiciousWarning = warnings.some((w) =>
-        w.includes("NODE_OPTIONS contains code execution flag"),
-      );
-
-      if (tc.expectedMatch) {
-        assert.ok(
-          hasSuspiciousWarning,
-          `Expected warning for ${tc.name} but got: ${warnings.join(", ")}`,
-        );
-      } else {
-        assert.ok(
-          !hasSuspiciousWarning,
-          `Unexpected warning for ${tc.name}: ${warnings.join(", ")}`,
-        );
-      }
-    });
-  }
-});
-
-describe("auditEnvironment - Dangerous Env Vars", () => {
-  for (const tc of DANGEROUS_ENV_VAR_CASES) {
-    test(`should handle ${tc.name}`, () => {
-      const warnings = auditEnvironment(tc.env);
-
-      assert.strictEqual(
-        warnings.length,
-        tc.expectedWarnings,
-        `Expected ${tc.expectedWarnings} warnings, got ${warnings.length}: ${warnings.join(", ")}`,
-      );
-
-      if (tc.expectedVar) {
-        assert.ok(
-          warnings.some((w) => w.includes(tc.expectedVar)),
-          `Expected warning about ${tc.expectedVar} but got: ${warnings.join(", ")}`,
-        );
-      }
-    });
-  }
-});
-
-describe("auditEnvironment - Combined Attacks", () => {
-  for (const tc of COMBINED_ATTACK_CASES) {
-    test(`should handle ${tc.name}`, () => {
-      const warnings = auditEnvironment(tc.env);
-
-      assert.ok(
-        warnings.length >= tc.minWarnings,
-        `Expected at least ${tc.minWarnings} warnings, got ${warnings.length}: ${warnings.join(", ")}`,
-      );
-    });
-  }
-});
-
-describe("auditEnvironment - Edge Cases", () => {
-  test("should handle undefined NODE_OPTIONS", () => {
-    const warnings = auditEnvironment({});
-    const hasSuspiciousWarning = warnings.some((w) =>
-      w.includes("NODE_OPTIONS contains code execution flag"),
-    );
-    assert.ok(!hasSuspiciousWarning);
-  });
-
-  test("should handle null env (uses process.env)", () => {
-    const warnings = auditEnvironment();
-    assert.ok(Array.isArray(warnings));
-  });
-
-  test("should return empty array for completely clean env", () => {
-    const warnings = auditEnvironment({
-      PATH: "/usr/bin",
-      HOME: "/home/user",
-      LANG: "en_US.UTF-8",
-    });
-    assert.deepStrictEqual(warnings, []);
-  });
-
-  test("should detect all dangerous vars individually", () => {
-    const warnings1 = auditEnvironment({ NODE_NO_WARNINGS: "1" });
-    const warnings2 = auditEnvironment({ NODE_PENDING_DEPRECATION: "1" });
-    const warnings3 = auditEnvironment({ UV_THREADPOOL_SIZE: "128" });
-
-    assert.strictEqual(warnings1.length, 1);
-    assert.strictEqual(warnings2.length, 1);
-    assert.strictEqual(warnings3.length, 1);
-
-    assert.ok(warnings1[0].includes("NODE_NO_WARNINGS"));
-    assert.ok(warnings2[0].includes("NODE_PENDING_DEPRECATION"));
-    assert.ok(warnings3[0].includes("UV_THREADPOOL_SIZE"));
-  });
-
-  test("should be case-sensitive for env var names", () => {
-    const warnings = auditEnvironment({
-      node_no_warnings: "1",
-      Node_Options: "--require ./evil.js",
-    });
-    assert.strictEqual(warnings.length, 0);
-  });
-});
-
-describe("auditEnvironment - Warning Message Format", () => {
-  test("dangerous var warning should mention unsetting", () => {
-    const warnings = auditEnvironment({ NODE_NO_WARNINGS: "1" });
-    assert.ok(warnings[0].includes("Unset"));
-    assert.ok(warnings[0].includes("NODE_NO_WARNINGS"));
-  });
-
-  test("NODE_OPTIONS warning should mention the pattern", () => {
-    const warnings = auditEnvironment({ NODE_OPTIONS: "--require ./evil.js" });
-    assert.ok(warnings[0].includes("NODE_OPTIONS"));
-    assert.ok(warnings[0].includes("code execution flag"));
-  });
-
-  test("warnings should be human-readable strings", () => {
-    const warnings = auditEnvironment({
-      NODE_OPTIONS: "--eval test",
-      NODE_NO_WARNINGS: "1",
-    });
-    for (const w of warnings) {
-      assert.strictEqual(typeof w, "string");
-      assert.ok(w.length > 0);
-    }
-  });
-});