@herodevs/cli 1.5.0-beta.2 → 1.6.0-beta.0

package/README.md

@@ -9,6 +9,16 @@ The HeroDevs CLI
 <!-- toc -->
 * [@herodevs/cli](#herodevscli)
 <!-- tocstop -->
+
+## Scanning Behavior
+
+The CLI's scanning commands (`hd scan eol` and `hd scan sbom`) are designed to be non-invasive:
+
+* They do not install dependencies or modify package manager files (package-lock.json, yarn.lock, etc.)
+* They analyze the project in its current state
+* If you need dependencies installed for accurate scanning, please install them manually before running the scan
+
+
 ## Usage
 <!-- usage -->
 ```sh-session
@@ -16,7 +26,7 @@ $ npm install -g @herodevs/cli
 $ hd COMMAND
 running command...
 $ hd (--version)
-@herodevs/cli/1.5.0-beta.2 linux-x64 node-v22.14.0
+@herodevs/cli/1.6.0-beta.0 linux-x64 node-v22.14.0
 $ hd --help [COMMAND]
 USAGE
   $ hd COMMAND
@@ -63,7 +73,7 @@ USAGE
 FLAGS
   -c, --csv             Output in CSV format
   -m, --months=<value>  [default: 12] The number of months of git history to review
-  -s, --save            Save the committers report as nes.committers.<output>
+  -s, --save            Save the committers report as eol.committers.<output>
 
 GLOBAL FLAGS
   --json  Format output as json.
@@ -81,7 +91,7 @@ EXAMPLES
   $ hd report committers --csv
 ```
 
-_See code: [src/commands/report/committers.ts](https://github.com/herodevs/cli/blob/v1.5.0-beta.2/src/commands/report/committers.ts)_
+_See code: [src/commands/report/committers.ts](https://github.com/herodevs/cli/blob/v1.6.0-beta.0/src/commands/report/committers.ts)_
 
 ## `hd report purls`
 
@@ -95,7 +105,7 @@ FLAGS
   -c, --csv           Save output in CSV format (only applies when using --save)
   -d, --dir=<value>   The directory to scan in order to create a cyclonedx sbom
   -f, --file=<value>  The file path of an existing cyclonedx sbom to scan for EOL
-  -s, --save          Save the list of purls as nes.purls.<output>
+  -s, --save          Save the list of purls as eol.purls.<output>
 
 GLOBAL FLAGS
   --json  Format output as json.
@@ -115,7 +125,7 @@ EXAMPLES
   $ hd report purls --save --csv
 ```
 
-_See code: [src/commands/report/purls.ts](https://github.com/herodevs/cli/blob/v1.5.0-beta.2/src/commands/report/purls.ts)_
+_See code: [src/commands/report/purls.ts](https://github.com/herodevs/cli/blob/v1.6.0-beta.0/src/commands/report/purls.ts)_
 
 ## `hd scan eol`
 
@@ -130,7 +140,7 @@ FLAGS
   -d, --dir=<value>    The directory to scan in order to create a cyclonedx sbom
   -f, --file=<value>   The file path of an existing cyclonedx sbom to scan for EOL
   -p, --purls=<value>  The file path of a list of purls to scan for EOL
-  -s, --save           Save the generated SBOM as nes.sbom.json in the scanned directory
+  -s, --save           Save the generated report as eol.report.json in the scanned directory
   -t, --table          Display the results in a table
 
 GLOBAL FLAGS
@@ -149,7 +159,7 @@ EXAMPLES
   $ hd scan eol -a --dir=./my-project
 ```
 
-_See code: [src/commands/scan/eol.ts](https://github.com/herodevs/cli/blob/v1.5.0-beta.2/src/commands/scan/eol.ts)_
+_See code: [src/commands/scan/eol.ts](https://github.com/herodevs/cli/blob/v1.6.0-beta.0/src/commands/scan/eol.ts)_
 
 ## `hd scan sbom`
 
@@ -163,7 +173,7 @@ FLAGS
   -b, --background    Run the scan in the background
   -d, --dir=<value>   The directory to scan in order to create a cyclonedx sbom
   -f, --file=<value>  The file path of an existing cyclonedx sbom to scan for EOL
-  -s, --save          Save the generated SBOM as nes.sbom.json in the scanned directory
+  -s, --save          Save the generated SBOM as eol.sbom.json in the scanned directory
 
 GLOBAL FLAGS
   --json  Format output as json.
@@ -177,7 +187,7 @@ EXAMPLES
   $ hd scan sbom --file=path/to/sbom.json
 ```
 
-_See code: [src/commands/scan/sbom.ts](https://github.com/herodevs/cli/blob/v1.5.0-beta.2/src/commands/scan/sbom.ts)_
+_See code: [src/commands/scan/sbom.ts](https://github.com/herodevs/cli/blob/v1.6.0-beta.0/src/commands/scan/sbom.ts)_
 
 ## `hd update [CHANNEL]`
 
@@ -215,5 +225,5 @@ EXAMPLES
     $ hd update --available
 ```
 
-_See code: [@oclif/plugin-update](https://github.com/oclif/plugin-update/blob/v4.6.37/src/commands/update.ts)_
+_See code: [@oclif/plugin-update](https://github.com/oclif/plugin-update/blob/v4.6.38/src/commands/update.ts)_
 <!-- commandsstop -->

package/bin/dev.js

@@ -1,14 +1,18 @@
 #!/usr/bin/env node
 
-import { execute } from '@oclif/core';
-
 // Localhost
-process.env.GRAPHQL_HOST = 'http://localhost:3000';
+// process.env.GRAPHQL_HOST = 'http://localhost:3000';
 
 // Dev
-// process.env.GRAPHQL_HOST = 'https://api.dev.nes.herodevs.com';
+process.env.GRAPHQL_HOST = 'https://api.dev.nes.herodevs.com';
 
 // Prod
 // process.env.GRAPHQL_HOST = 'https://api.nes.herodevs.com';
 
-await execute({ development: true, dir: import.meta.url });
+import main from './main.js';
+
+try {
+  await main(false);
+} catch (error) {
+  process.exit(1);
+}

package/bin/main.js

@@ -0,0 +1,29 @@
+import { parseArgs } from 'node:util';
+import { execute } from '@oclif/core';
+
+async function main(isProduction = false) {
+  const { positionals } = parseArgs({
+    allowPositionals: true,
+    strict: false, // Don't validate flags
+  });
+
+  // If no arguments at all, default to scan:eol -t
+  if (positionals.length === 0) {
+    process.argv.splice(2, 0, 'scan:eol', '-t');
+  }
+  // If only flags are provided, set scan:eol as the command for those flags
+  else if (positionals.length === 1 && positionals[0].startsWith('-')) {
+    process.argv.splice(2, 0, 'scan:eol');
+  }
+
+  try {
+    await execute({
+      development: !isProduction,
+      dir: new URL('./dev.js', import.meta.url),
+    });
+  } catch (error) {
+    process.exit(1);
+  }
+}
+
+export default main;

package/bin/run.js

@@ -1,5 +1,9 @@
 #!/usr/bin/env node
 
-import { execute } from '@oclif/core';
+import main from './main.js';
 
-await execute({ dir: import.meta.url });
+try {
+  await main(true);
+} catch (error) {
+  process.exit(1);
+}

package/dist/commands/report/committers.js

@@ -26,7 +26,7 @@ export default class Committers extends Command {
         }),
         save: Flags.boolean({
             char: 's',
-            description: 'Save the committers report as nes.committers.<output>',
+            description: 'Save the committers report as eol.committers.<output>',
             default: false,
         }),
     };
@@ -46,7 +46,7 @@ export default class Committers extends Command {
                 // JSON mode
                 if (save) {
                     try {
-                        fs.writeFileSync(path.resolve('nes.committers.json'), JSON.stringify(reportData, null, 2));
+                        fs.writeFileSync(path.resolve('eol.committers.json'), JSON.stringify(reportData, null, 2));
                         this.log('Report written to json');
                     }
                     catch (error) {
@@ -61,7 +61,7 @@ export default class Committers extends Command {
                 const csvOutput = formatAsCsv(reportData);
                 if (save) {
                     try {
-                        fs.writeFileSync(path.resolve('nes.committers.csv'), csvOutput);
+                        fs.writeFileSync(path.resolve('eol.committers.csv'), csvOutput);
                         this.log('Report written to csv');
                     }
                     catch (error) {
@@ -75,7 +75,7 @@ export default class Committers extends Command {
             }
             if (save) {
                 try {
-                    fs.writeFileSync(path.resolve('nes.committers.txt'), textOutput);
+                    fs.writeFileSync(path.resolve('eol.committers.txt'), textOutput);
                     this.log('Report written to txt');
                 }
                 catch (error) {

package/dist/commands/report/purls.js

@@ -26,7 +26,7 @@ export default class ReportPurls extends Command {
         save: Flags.boolean({
             char: 's',
             default: false,
-            description: 'Save the list of purls as nes.purls.<output>',
+            description: 'Save the list of purls as eol.purls.<output>',
         }),
         csv: Flags.boolean({
             char: 'c',
@@ -50,7 +50,7 @@ export default class ReportPurls extends Command {
             if (save) {
                 try {
                     const outputFile = csv && !this.jsonEnabled() ? 'csv' : 'json';
-                    const outputPath = path.join(_dirFlag || process.cwd(), `nes.purls.${outputFile}`);
+                    const outputPath = path.join(_dirFlag || process.cwd(), `eol.purls.${outputFile}`);
                     const purlOutput = getPurlOutput(purls, outputFile);
                     fs.writeFileSync(outputPath, purlOutput);
                     this.log('Purls saved to %s', outputPath);

package/dist/commands/scan/eol.js

@@ -32,7 +32,7 @@ export default class ScanEol extends Command {
         save: Flags.boolean({
             char: 's',
             default: false,
-            description: 'Save the generated SBOM as nes.sbom.json in the scanned directory',
+            description: 'Save the generated report as eol.report.json in the scanned directory',
         }),
         all: Flags.boolean({
             char: 'a',
@@ -107,10 +107,10 @@ export default class ScanEol extends Command {
     }
     async saveReport(components) {
         const { flags } = await this.parse(ScanEol);
-        const reportPath = path.join(flags.dir || process.cwd(), 'nes.eol.json');
+        const reportPath = path.join(flags.dir || process.cwd(), 'eol.report.json');
         try {
             fs.writeFileSync(reportPath, JSON.stringify({ components }, null, 2));
-            this.log('Report saved to nes.eol.json');
+            this.log('Report saved to eol.report.json');
         }
         catch (error) {
             if (!isErrnoException(error)) {
@@ -118,10 +118,10 @@ export default class ScanEol extends Command {
             }
             switch (error.code) {
                 case 'EACCES':
-                    this.error('Permission denied. Unable to save report to nes.eol.json');
+                    this.error('Permission denied. Unable to save report to eol.report.json');
                     break;
                 case 'ENOSPC':
-                    this.error('No space left on device. Unable to save report to nes.eol.json');
+                    this.error('No space left on device. Unable to save report to eol.report.json');
                     break;
                 default:
                     this.error(`Failed to save report: ${getErrorMessage(error)}`);

package/dist/commands/scan/sbom.js

@@ -23,7 +23,7 @@ export default class ScanSbom extends Command {
         save: Flags.boolean({
             char: 's',
             default: false,
-            description: 'Save the generated SBOM as nes.sbom.json in the scanned directory',
+            description: 'Save the generated SBOM as eol.sbom.json in the scanned directory',
         }),
         background: Flags.boolean({
             char: 'b',
@@ -72,7 +72,7 @@ export default class ScanSbom extends Command {
         }
         else if (background) {
             this._getSbomInBackground(path);
-            this.log(`The scan is running in the background. The file will be saved at ${path}/nes.sbom.json`);
+            this.log(`The scan is running in the background. The file will be saved at ${path}/eol.sbom.json`);
             return;
         }
         else {
@@ -146,7 +146,7 @@ export default class ScanSbom extends Command {
     }
     _saveSbom(dir, sbom) {
         try {
-            const outputPath = join(dir, 'nes.sbom.json');
+            const outputPath = join(dir, 'eol.sbom.json');
             fs.writeFileSync(outputPath, JSON.stringify(sbom, null, 2));
             if (!this.jsonEnabled()) {
                 this.log(`SBOM saved to ${outputPath}`);

package/dist/service/eol/cdx.svc.d.ts

@@ -1,4 +1,8 @@
 import type { CdxGenOptions } from './eol.svc.ts';
+export interface SbomDependency {
+    ref: string;
+    dependsOn: string[];
+}
 export interface SbomEntry {
     group: string;
     name: string;
@@ -7,7 +11,7 @@ export interface SbomEntry {
 }
 export interface Sbom {
     components: SbomEntry[];
-    dependencies: SbomEntry[];
+    dependencies: SbomDependency[];
 }
 export declare const SBOM_DEFAULT__OPTIONS: {
     $0: string;
@@ -29,8 +33,8 @@ export declare const SBOM_DEFAULT__OPTIONS: {
     'include-formulation': boolean;
     includeCrypto: boolean;
     includeFormulation: boolean;
-    'install-deps': boolean;
-    installDeps: boolean;
+    'no-install-deps': boolean;
+    noInstallDeps: boolean;
     'min-confidence': number;
     minConfidence: number;
     multiProject: boolean;

package/dist/service/eol/cdx.svc.js

@@ -21,8 +21,8 @@ export const SBOM_DEFAULT__OPTIONS = {
     'include-formulation': false,
     includeCrypto: false,
     includeFormulation: false,
-    'install-deps': true,
-    installDeps: true,
+    'no-install-deps': true,
+    noInstallDeps: true,
     'min-confidence': 0,
     minConfidence: 0,
     multiProject: true,

package/dist/service/eol/sbom.worker.js

@@ -15,7 +15,7 @@ try {
     const options = JSON.parse(process.argv[2]);
     const { path, opts } = options;
     const { bomJson } = await createBom(path, { ...SBOM_DEFAULT__OPTIONS, ...opts });
-    const outputPath = join(path, 'nes.sbom.json');
+    const outputPath = join(path, 'eol.sbom.json');
     writeFileSync(outputPath, JSON.stringify(bomJson, null, 2));
     process.exit(0);
 }

package/dist/service/purls.svc.d.ts

@@ -12,12 +12,12 @@ export declare function formatCsvValue(value: string): string;
  */
 export declare function getPurlOutput(purls: string[], output: string): string;
 /**
- * Translate an SBOM to a list of purls for api request.
+ * Extract all PURLs from a CycloneDX SBOM, including components and dependencies
  */
-export declare function extractPurls(sbom: Sbom): Promise<string[]>;
+export declare function extractPurls(sbom: Sbom): string[];
 /**
  * Parse a purls file in either JSON or text format, including the format of
- * nes.purls.json - { purls: [ 'pkg:npm/express@4.18.2', 'pkg:npm/react@18.3.1' ] }
+ * eol.purls.json - { purls: [ 'pkg:npm/express@4.18.2', 'pkg:npm/react@18.3.1' ] }
  * or a text file with one purl per line.
  */
 export declare function parsePurlsFile(purlsFileString: string): string[];

package/dist/service/purls.svc.js

@@ -21,19 +21,57 @@ export function getPurlOutput(purls, output) {
     }
 }
 /**
- * Translate an SBOM to a list of purls for api request.
+ * Extract PURLs from components recursively
  */
-export async function extractPurls(sbom) {
-    const { components: comps } = sbom;
-    return comps.map((c) => c.purl) ?? [];
+function extractPurlsFromComponents(components, purlSet) {
+    for (const component of components) {
+        if (component.purl) {
+            purlSet.add(component.purl);
+        }
+    }
+}
+/**
+ * Extract PURLs from dependencies
+ */
+function extractPurlsFromDependencies(dependencies, purlSet) {
+    for (const dependency of dependencies) {
+        if (dependency.ref) {
+            purlSet.add(dependency.ref);
+        }
+        if (dependency.dependsOn) {
+            for (const dep of dependency.dependsOn) {
+                purlSet.add(dep);
+            }
+        }
+    }
+}
+/**
+ * Extract all PURLs from a CycloneDX SBOM, including components and dependencies
+ */
+export function extractPurls(sbom) {
+    const purlSet = new Set();
+    // Extract from direct components
+    if (sbom.components) {
+        extractPurlsFromComponents(sbom.components, purlSet);
+    }
+    // Extract from dependencies
+    if (sbom.dependencies) {
+        extractPurlsFromDependencies(sbom.dependencies, purlSet);
+    }
+    return Array.from(purlSet);
 }
 /**
  * Parse a purls file in either JSON or text format, including the format of
- * nes.purls.json - { purls: [ 'pkg:npm/express@4.18.2', 'pkg:npm/react@18.3.1' ] }
+ * eol.purls.json - { purls: [ 'pkg:npm/express@4.18.2', 'pkg:npm/react@18.3.1' ] }
  * or a text file with one purl per line.
  */
 export function parsePurlsFile(purlsFileString) {
+    // Handle empty string
+    if (!purlsFileString.trim()) {
+        return [];
+    }
     try {
+        // Try parsing as JSON first
         const parsed = JSON.parse(purlsFileString);
         if (parsed && Array.isArray(parsed.purls)) {
             return parsed.purls;
@@ -43,10 +81,16 @@ export function parsePurlsFile(purlsFileString) {
         }
     }
     catch {
+        // If not JSON, try parsing as text file
         const lines = purlsFileString
             .split('\n')
             .map((line) => line.trim())
             .filter((line) => line.length > 0 && line.startsWith('pkg:'));
+        // Handle single purl case (no newlines)
+        if (lines.length === 0 && purlsFileString.trim().startsWith('pkg:')) {
+            return [purlsFileString.trim()];
+        }
+        // Return any valid purls found
         if (lines.length > 0) {
             return lines;
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@herodevs/cli",
-  "version": "1.5.0-beta.2",
+  "version": "1.6.0-beta.0",
   "author": "HeroDevs, Inc",
   "bin": {
     "hd": "./bin/run.js"
@@ -17,7 +17,7 @@
     "ci": "biome ci",
     "ci:fix": "biome check --write",
     "clean": "shx rm -rf dist && npm run clean:files && shx rm -rf node_modules",
-    "clean:files": "shx rm -f nes.**.csv nes.**.json nes.**.text",
+    "clean:files": "shx rm -f eol.**.csv eol.**.json eol.**.text",
     "dev": "npm run build && ./bin/dev.js",
     "dev:debug": "npm run build && DEBUG=oclif:* ./bin/dev.js",
     "format": "biome format --write",
@@ -26,10 +26,6 @@
     "prepack": "oclif manifest && oclif readme",
     "pretest": "npm run lint && npm run typecheck",
     "readme": "npm run ci:fix && npm run build && npm exec oclif readme",
-    "release": "./scripts/release.sh",
-    "pre:release:publish": "npm run prepack && git add README.md",
-    "release:publish:beta": "npm run release -- --publish",
-    "release:publish:latest": "npm run release -- --latest --publish",
     "test": "globstar -- node --import tsx --test \"test/**/*.test.ts\"",
     "test:e2e": "globstar -- node --import tsx --test \"e2e/**/*.test.ts\"",
     "typecheck": "tsc --noEmit"
@@ -41,7 +37,7 @@
   ],
   "dependencies": {
     "@apollo/client": "^3.13.8",
-    "@cyclonedx/cdxgen": "^11.2.4",
+    "@cyclonedx/cdxgen": "^11.2.5",
     "@oclif/core": "^4",
     "@oclif/plugin-help": "^6",
     "@oclif/plugin-update": "^4",
@@ -57,7 +53,6 @@
     "@types/node": "^22",
     "@types/sinon": "^17.0.4",
     "@types/update-notifier": "^6.0.8",
-    "commit-and-tag-version": "^12.5.1",
     "globstar": "^1.0.0",
     "oclif": "^4",
     "shx": "^0.4.0",
@@ -86,7 +81,7 @@
       "@oclif/plugin-update"
     ],
     "hooks": {
-      "init": "./dist/hooks/npm-update-notifier",
+      "init": "./dist/hooks/npm-update-notifier.js",
       "prerun": "./dist/hooks/prerun.js"
     },
     "topicSeparator": " ",