@darrenjcoxon/vibeoptimise 1.0.1 → 1.0.3

package/dist/scanners/css-efficiency.js

@@ -174,12 +174,23 @@ export class CssEfficiencyScanner {
     }
     extractSelectors(content) {
         const selectors = [];
+        // Keyframe stops are NOT selectors — filter them out
+        const keyframeStops = new Set(['from', 'to', '0%', '100%', '50%', '25%', '75%']);
         const matches = content.matchAll(/^([^@{}/\n][^{]*)\{/gm);
         for (const match of matches) {
             const sel = match[1].trim();
-            if (sel && !sel.startsWith('/*') && !sel.startsWith('//')) {
-                selectors.push(sel);
-            }
+            if (!sel)
+                continue;
+            if (sel.startsWith('/*') || sel.startsWith('//'))
+                continue;
+            // Skip keyframe percentage stops and named stops
+            if (keyframeStops.has(sel))
+                continue;
+            if (/^\d+%$/.test(sel))
+                continue; // Any percentage like 30%, 60%
+            if (/^\d+%\s*,\s*\d+%/.test(sel))
+                continue; // Combined like "0%, 100%"
+            selectors.push(sel);
         }
         return selectors;
     }

package/dist/scanners/depcheck.js

@@ -10,18 +10,13 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
+import { isToolAvailable } from '../utils/tool-installer.js';
 export class DepcheckScanner {
     name = 'Depcheck';
     description = 'Dependency analyzer — finds unused and missing npm packages';
     category = 'dead-code';
     async isAvailable() {
-        try {
-            execSync('npx --yes depcheck --version', { stdio: 'pipe', timeout: 30000 });
-            return true;
-        }
-        catch {
-            return false;
-        }
+        return isToolAvailable('depcheck');
     }
     async scan(targetDir, options) {
         const start = Date.now();
@@ -78,19 +73,30 @@ export class DepcheckScanner {
                 'tailwindcss', 'postcss', 'autoprefixer',
                 'husky', 'lint-staged', 'commitlint',
                 '@playwright/test', 'vitest',
+                'dotenv', 'dotenv-cli', 'cross-env', // Used by scripts, not detectable
+                'prisma', '@prisma/client', // Used via generate/migrate, not direct imports
+                'supabase', // CLI tool, not a direct import
             ]);
             // Unused dependencies
             if (report.dependencies && Array.isArray(report.dependencies)) {
                 for (const dep of report.dependencies) {
+                    // In monorepos, "unused" deps may be consumed via workspace packages
+                    // that depcheck can't trace — lower severity and note this
+                    const severity = isMonorepo ? 'medium' : 'high';
+                    const monorepoNote = isMonorepo
+                        ? ' Note: in a monorepo, this package may be used by a workspace dependency that depcheck cannot trace.'
+                        : '';
                     findings.push({
                         id: `depcheck-unused-${dep}`,
                         scanner: this.name,
                         category: 'dead-code',
-                        severity: 'high',
+                        severity: severity,
                         title: `Unused dependency: ${dep}`,
-                        description: `Package "${dep}" is in dependencies but no usage was detected in the source code.`,
+                        description: `Package "${dep}" is in dependencies but no usage was detected in the source code.${monorepoNote}`,
                         file: 'package.json',
-                        suggestion: `Run \`npm uninstall ${dep}\` to remove it. This reduces install size and potential supply chain risk.`,
+                        suggestion: isMonorepo
+                            ? `Verify "${dep}" isn't used via workspace resolution before removing. Run \`grep -r "${dep}" --include="*.ts" --include="*.tsx" .\` to double-check.`
+                            : `Run \`npm uninstall ${dep}\` to remove it. This reduces install size and potential supply chain risk.`,
                         estimatedImpact: 'Faster installs, smaller node_modules, reduced attack surface',
                     });
                 }

package/dist/scanners/eslint-perf.js

@@ -13,18 +13,13 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
+import { isToolAvailable } from '../utils/tool-installer.js';
 export class EslintPerfScanner {
     name = 'ESLint Perf';
     description = 'Performance-focused linting — import cycles, unused imports, inefficient patterns';
     category = 'code-quality';
     async isAvailable() {
-        try {
-            execSync('npx --yes eslint --version', { stdio: 'pipe', timeout: 30000 });
-            return true;
-        }
-        catch {
-            return false;
-        }
+        return isToolAvailable('eslint');
     }
     async scan(targetDir, options) {
         const start = Date.now();

package/dist/scanners/jscpd.js

@@ -10,18 +10,13 @@
 import { execSync } from 'child_process';
 import { existsSync, readFileSync, mkdirSync } from 'fs';
 import { join } from 'path';
+import { isToolAvailable } from '../utils/tool-installer.js';
 export class JscpdScanner {
     name = 'JSCPD';
     description = 'Copy/paste detector — finds duplicated code blocks across the codebase';
     category = 'duplication';
     async isAvailable() {
-        try {
-            execSync('npx --yes jscpd --version', { stdio: 'pipe', timeout: 30000 });
-            return true;
-        }
-        catch {
-            return false;
-        }
+        return isToolAvailable('jscpd');
     }
     async scan(targetDir, options) {
         const start = Date.now();

package/dist/scanners/knip.js

@@ -10,18 +10,13 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
+import { isToolAvailable } from '../utils/tool-installer.js';
 export class KnipScanner {
     name = 'Knip';
     description = 'Dead code detector — unused files, exports, dependencies, types';
     category = 'dead-code';
     async isAvailable() {
-        try {
-            execSync('npx --yes knip --version', { stdio: 'pipe', timeout: 30000 });
-            return true;
-        }
-        catch {
-            return false;
-        }
+        return isToolAvailable('knip');
     }
     async scan(targetDir, options) {
         const start = Date.now();

package/dist/scanners/madge.js

@@ -10,18 +10,13 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
+import { isToolAvailable } from '../utils/tool-installer.js';
 export class MadgeScanner {
     name = 'Madge';
     description = 'Circular dependency detector — finds import cycles and orphaned modules';
     category = 'performance';
     async isAvailable() {
-        try {
-            execSync('npx --yes madge --version', { stdio: 'pipe', timeout: 30000 });
-            return true;
-        }
-        catch {
-            return false;
-        }
+        return isToolAvailable('madge');
     }
     async scan(targetDir, options) {
         const start = Date.now();

package/dist/scanners/regex-safety.d.ts

@@ -25,18 +25,54 @@ export declare class RegexSafetyScanner implements Scanner {
     private extractRegexLiterals;
     private extractRegExpConstructors;
     /**
-     * Only flag genuinely dangerous patterns.
+     * Only flag genuinely dangerous patterns — patterns where the regex engine
+     * can enter exponential or polynomial backtracking.
      *
-     * We ONLY report:
-     * - Critical: Nested quantifiers (guaranteed exponential backtracking)
-     * - High: Overlapping alternation + quantifier (likely quadratic+)
-     * - Medium: 3+ greedy .* in same pattern (quadratic risk)
+     * KEY INSIGHT: A "nested quantifier" is only dangerous when the inner
+     * quantified expression can match the SAME characters as what follows.
      *
-     * We deliberately DO NOT flag:
-     * - Unanchored patterns (normal and expected)
-     * - Long regexes (complexity != vulnerability)
-     * - Single quantifiers (normal regex usage)
-     * - Two .* wildcards (common and usually fine)
+     * SAFE examples (we do NOT flag these):
+     * - ([^*\n]+?)[ \t]+   → [^*\n] is bounded, can't overlap with [ \t]
+     * - (\d+(?:\.\d+)?)    → \d is bounded, ? is not a loop quantifier
+     * - [\d+(?:\s*,\s*\d+)+] → requires , delimiter, can't backtrack
+     * - ([\s\S]*?)          → lazy quantifier with bounded context
+     *
+     * DANGEROUS examples (we DO flag these):
+     * - (a+)+              → unbounded a+ inside quantified group
+     * - (.*)*              → .* inside quantified group (classic ReDoS)
+     * - (\w+\s+)+          → \w+ and \s+ can alternate indefinitely
      */
     private analyzeRegex;
+    /**
+     * Check for genuinely dangerous nested quantifiers.
+     *
+     * Only flags when:
+     * 1. There's a group with a quantifier: (...)+  or (...)*  or (...){n,}
+     * 2. Inside that group, there's a quantified UNBOUNDED matcher
+     *    - . (dot), \w, \s, \d followed by + or *
+     *    - NOT [^specific]+ which is bounded by the exclusion
+     *    - NOT (?:...) non-capturing groups with ? (optional, not loop)
+     */
+    private hasDangerousNestedQuantifier;
+    /**
+     * Check if a group's content contains an inner quantifier that creates
+     * backtracking risk when the group itself is quantified.
+     *
+     * Key insight: (X+)+ is ALWAYS vulnerable for any X, because the regex
+     * engine can partition the input into the inner vs outer repetition in
+     * exponentially many ways. The exception is negated character classes
+     * with a following delimiter that prevents overlap.
+     *
+     * DANGEROUS: (a+)+, (.+)+, (\w+)+, (\s+\w+)+
+     * SAFE: ([^,]+,)+ — the comma delimiter prevents backtracking
+     * SAFE: (\d+(?:\.\d+)?) — ? is not a repeating quantifier
+     * SAFE: ([^*\n]+?)[ \t]+ — lazy quantifier + different char class after
+     */
+    private hasUnboundedInnerQuantifier;
+    /**
+     * Check for overlapping alternation with quantifier.
+     * Only flags when alternation branches use unbounded matchers that
+     * can match the same characters.
+     */
+    private hasDangerousAlternation;
 }

package/dist/scanners/regex-safety.js

@@ -186,57 +186,43 @@ export class RegexSafetyScanner {
         return regexes;
     }
     /**
-     * Only flag genuinely dangerous patterns.
+     * Only flag genuinely dangerous patterns — patterns where the regex engine
+     * can enter exponential or polynomial backtracking.
      *
-     * We ONLY report:
-     * - Critical: Nested quantifiers (guaranteed exponential backtracking)
-     * - High: Overlapping alternation + quantifier (likely quadratic+)
-     * - Medium: 3+ greedy .* in same pattern (quadratic risk)
+     * KEY INSIGHT: A "nested quantifier" is only dangerous when the inner
+     * quantified expression can match the SAME characters as what follows.
      *
-     * We deliberately DO NOT flag:
-     * - Unanchored patterns (normal and expected)
-     * - Long regexes (complexity != vulnerability)
-     * - Single quantifiers (normal regex usage)
-     * - Two .* wildcards (common and usually fine)
+     * SAFE examples (we do NOT flag these):
+     * - ([^*\n]+?)[ \t]+   → [^*\n] is bounded, can't overlap with [ \t]
+     * - (\d+(?:\.\d+)?)    → \d is bounded, ? is not a loop quantifier
+     * - [\d+(?:\s*,\s*\d+)+] → requires , delimiter, can't backtrack
+     * - ([\s\S]*?)          → lazy quantifier with bounded context
+     *
+     * DANGEROUS examples (we DO flag these):
+     * - (a+)+              → unbounded a+ inside quantified group
+     * - (.*)*              → .* inside quantified group (classic ReDoS)
+     * - (\w+\s+)+          → \w+ and \s+ can alternate indefinitely
      */
     analyzeRegex(pattern) {
         const issues = [];
-        // Critical: Nested quantifiers — (a+)+, (.*)*
-        if (/\([^)]*[+*][^)]*\)\s*[+*{]/.test(pattern) ||
-            /\([^)]*[+*][^)]*[+*][^)]*\)/.test(pattern)) {
+        // Critical: TRUE nested quantifiers only
+        // Pattern: (X+)+ or (X*)+ where X is an UNBOUNDED matcher (. or \w or \s)
+        // NOT: ([^specific]+)+ which is bounded and safe
+        if (this.hasDangerousNestedQuantifier(pattern)) {
             issues.push({
                 severity: 'critical',
                 description: 'Nested quantifiers — exponential backtracking risk (ReDoS)',
                 suggestion: 'Rewrite to avoid nested quantifiers. Instead of `(a+)+`, use `a+`. For complex patterns, consider the RE2 engine (npm re2) which guarantees linear time.',
             });
         }
-        // High: Overlapping alternation with quantifier — (a|ab)+
-        if (/\([^)]*\|[^)]*\)[+*{]/.test(pattern)) {
-            const groupMatch = pattern.match(/\(([^)]*)\)\s*[+*{]/);
-            if (groupMatch) {
-                const altParts = groupMatch[1].split('|');
-                if (altParts.length > 1) {
-                    const hasOverlap = altParts.some((a, i) => altParts.some((b, j) => {
-                        if (i === j)
-                            return false;
-                        // Both contain wildcards — definite overlap
-                        if ((a.includes('.') || a.includes('\\w') || a.includes('\\d')) &&
-                            (b.includes('.') || b.includes('\\w') || b.includes('\\d')))
-                            return true;
-                        // Same starting char — potential overlap
-                        const aFirst = a.replace(/^\\/, '')[0];
-                        const bFirst = b.replace(/^\\/, '')[0];
-                        return aFirst && bFirst && aFirst === bFirst;
-                    }));
-                    if (hasOverlap) {
-                        issues.push({
-                            severity: 'high',
-                            description: 'Overlapping alternation with quantifier — potential backtracking',
-                            suggestion: 'Ensure alternation branches are mutually exclusive, or rewrite to avoid the quantifier on the group.',
-                        });
-                    }
-                }
-            }
+        // High: Overlapping alternation with quantifier where branches can match same input
+        // Only flag when alternatives use unbounded matchers (., \w, \s)
+        if (this.hasDangerousAlternation(pattern)) {
+            issues.push({
+                severity: 'high',
+                description: 'Overlapping alternation with quantifier — potential backtracking',
+                suggestion: 'Ensure alternation branches are mutually exclusive, or rewrite to avoid the quantifier on the group.',
+            });
         }
         // Medium: 3+ greedy wildcards (2 is normal, 3+ is risky)
         const wildcardCount = (pattern.match(/\.\*/g) || []).length;
@@ -249,4 +235,90 @@ export class RegexSafetyScanner {
         }
         return issues;
     }
+    /**
+     * Check for genuinely dangerous nested quantifiers.
+     *
+     * Only flags when:
+     * 1. There's a group with a quantifier: (...)+  or (...)*  or (...){n,}
+     * 2. Inside that group, there's a quantified UNBOUNDED matcher
+     *    - . (dot), \w, \s, \d followed by + or *
+     *    - NOT [^specific]+ which is bounded by the exclusion
+     *    - NOT (?:...) non-capturing groups with ? (optional, not loop)
+     */
+    hasDangerousNestedQuantifier(pattern) {
+        // Match groups followed by quantifiers: (...)+ or (...)* or (...){2,}
+        const groupWithQuantifier = /\(([^)]+)\)[+*]|\(([^)]+)\)\{[\d,]+\}/g;
+        let match;
+        while ((match = groupWithQuantifier.exec(pattern)) !== null) {
+            const groupContent = match[1] || match[2];
+            if (!groupContent)
+                continue;
+            // Check if group contains an unbounded quantified expression
+            // Dangerous: .+, .*, \w+, \w*, \s+, \s*
+            // Safe: [^x]+, [specific]+, \d+ (bounded), lazy .*? in limited context
+            if (this.hasUnboundedInnerQuantifier(groupContent)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Check if a group's content contains an inner quantifier that creates
+     * backtracking risk when the group itself is quantified.
+     *
+     * Key insight: (X+)+ is ALWAYS vulnerable for any X, because the regex
+     * engine can partition the input into the inner vs outer repetition in
+     * exponentially many ways. The exception is negated character classes
+     * with a following delimiter that prevents overlap.
+     *
+     * DANGEROUS: (a+)+, (.+)+, (\w+)+, (\s+\w+)+
+     * SAFE: ([^,]+,)+ — the comma delimiter prevents backtracking
+     * SAFE: (\d+(?:\.\d+)?) — ? is not a repeating quantifier
+     * SAFE: ([^*\n]+?)[ \t]+ — lazy quantifier + different char class after
+     */
+    hasUnboundedInnerQuantifier(content) {
+        // Check for any atom followed by + or * (greedy) inside the group
+        // This catches: a+, .+, \w+, \d+, [abc]+, etc.
+        const hasInnerQuantifier = /[^?][+*]/.test(content) || /^.[+*]/.test(content);
+        if (!hasInnerQuantifier)
+            return false;
+        // Now check for SAFE exceptions:
+        // Safe: negated char class followed by a delimiter
+        // e.g., [^,]+, or [^"]+\" — the delimiter prevents overlap
+        if (/\[\^[^\]]+\][+*].*[^\\][\w,;:"'|&]/.test(content)) {
+            // Has a negated class + a literal delimiter after — likely safe
+            // But only if the delimiter is in the negated class
+            return false;
+        }
+        // Safe: lazy quantifier (+? or *?) — prevents catastrophic backtracking
+        // e.g., ([^*\n]+?)[ \t]+ — the lazy ? means it yields to what follows
+        if (/[+*]\?/.test(content) && !/[+*][^?].*[+*]/.test(content)) {
+            // Has a lazy quantifier and no other greedy quantifier — safe
+            return false;
+        }
+        // Safe: \d+ is bounded (only digits) — ((\d+)\.?)+ is technically
+        // vulnerable but in practice \d is so bounded it rarely causes issues
+        // Exception: (\d+\s*)+ IS dangerous because \s* can match empty
+        if (/\\d[+*]/.test(content) && !/\\[sw.][+*]/.test(content)) {
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Check for overlapping alternation with quantifier.
+     * Only flags when alternation branches use unbounded matchers that
+     * can match the same characters.
+     */
+    hasDangerousAlternation(pattern) {
+        const match = pattern.match(/\(([^)]*\|[^)]*)\)\s*[+*{]/);
+        if (!match)
+            return false;
+        const altParts = match[1].split('|');
+        if (altParts.length < 2)
+            return false;
+        // Only flag if BOTH branches contain unbounded matchers
+        const hasUnbounded = (part) => /\.[+*]/.test(part) || /\\[ws][+*]/.test(part);
+        const unboundedCount = altParts.filter(hasUnbounded).length;
+        return unboundedCount >= 2;
+    }
 }

package/dist/scanners/source-map-explorer.js

@@ -10,18 +10,13 @@
 import { execSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
+import { isToolAvailable } from '../utils/tool-installer.js';
 export class SourceMapExplorerScanner {
     name = 'Source Map Explorer';
     description = 'Bundle composition analyzer — shows what code is in your production bundles';
     category = 'bundle-size';
     async isAvailable() {
-        try {
-            execSync('npx --yes source-map-explorer --version', { stdio: 'pipe', timeout: 30000 });
-            return true;
-        }
-        catch {
-            return false;
-        }
+        return isToolAvailable('source-map-explorer');
     }
     async scan(targetDir, options) {
         const start = Date.now();

package/dist/utils/tool-installer.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Tool Installer Utility
+ *
+ * Robust availability checking for npm-based scanning tools.
+ * Tries local npx → npx --yes → global install as fallback.
+ */
+/**
+ * Check if an npm tool is available, installing it if needed.
+ *
+ * Strategy:
+ * 1. Try npx (uses local or cached version — fast)
+ * 2. Try npx --yes (auto-installs if not cached — slower)
+ * 3. Try global install as last resort
+ *
+ * @param packageName - npm package name (e.g., 'knip', 'jscpd', 'madge')
+ * @param versionFlag - flag to check version (default: '--version')
+ * @returns true if tool is available
+ */
+export declare function isToolAvailable(packageName: string, versionFlag?: string): boolean;
+/**
+ * Build a command that runs a tool via npx --yes.
+ * Ensures the tool will be auto-installed if not present.
+ */
+export declare function npxCmd(packageName: string, args: string): string;

package/dist/utils/tool-installer.js

@@ -0,0 +1,56 @@
+/**
+ * Tool Installer Utility
+ *
+ * Robust availability checking for npm-based scanning tools.
+ * Tries local npx → npx --yes → global install as fallback.
+ */
+import { execSync } from 'child_process';
+/**
+ * Check if an npm tool is available, installing it if needed.
+ *
+ * Strategy:
+ * 1. Try npx (uses local or cached version — fast)
+ * 2. Try npx --yes (auto-installs if not cached — slower)
+ * 3. Try global install as last resort
+ *
+ * @param packageName - npm package name (e.g., 'knip', 'jscpd', 'madge')
+ * @param versionFlag - flag to check version (default: '--version')
+ * @returns true if tool is available
+ */
+export function isToolAvailable(packageName, versionFlag = '--version') {
+    // Try 1: Local/cached npx (fast path)
+    try {
+        execSync(`npx ${packageName} ${versionFlag}`, {
+            stdio: 'pipe',
+            timeout: 15000,
+        });
+        return true;
+    }
+    catch { }
+    // Try 2: npx --yes to auto-install (first-time download)
+    try {
+        execSync(`npx --yes ${packageName} ${versionFlag}`, {
+            stdio: 'pipe',
+            timeout: 90000, // 90s for first download
+        });
+        return true;
+    }
+    catch { }
+    // Try 3: Global install as fallback
+    try {
+        execSync(`npm install -g ${packageName} 2>/dev/null && npx ${packageName} ${versionFlag}`, {
+            stdio: 'pipe',
+            timeout: 90000,
+        });
+        return true;
+    }
+    catch { }
+    return false;
+}
+/**
+ * Build a command that runs a tool via npx --yes.
+ * Ensures the tool will be auto-installed if not present.
+ */
+export function npxCmd(packageName, args) {
+    return `npx --yes ${packageName} ${args}`;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@darrenjcoxon/vibeoptimise",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "🚀 VibeOptimise — The ultimate codebase optimisation scanner. Find dead code, duplication, circular deps, bundle bloat & more. Get OPTIMISE.md for AI agents to fix everything.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",