@humaan/patch-patrol 0.2.2 → 0.3.0

package/README.md

@@ -1,8 +1,8 @@
 # Patch Patrol
 
-Patch Patrol is an interactive CLI for rolling out advisory-driven package bumps across many local repositories.
+Patch Patrol is an interactive CLI for rolling out advisory-driven package bumps across GitHub or local repositories.
 
-It scans a repo or folder of repos, shows which projects are affected, then lets you choose exactly which projects should get update branches and pull requests.
+It scans a GitHub owner, GitHub repo, local repo, or folder of local repos, shows which projects are affected, then lets you choose exactly which projects should get update branches and pull requests.
 
 ## Install
 
@@ -39,7 +39,8 @@ The CLI guides you through two phases.
 
 **1. Scan**
 
-- Enter a single repo path or a parent folder containing repos.
+- Choose GitHub or local scanning.
+- Enter a GitHub owner, GitHub repo, GitHub URL, local repo path, or local parent folder containing repos.
 - Choose an advisory rule from the list.
 - Choose which bump levels to include: major, minor, patch, or any combination.
 - Review the affected-project summary.
@@ -56,6 +57,8 @@ Use arrow keys to move through selections, spacebar to toggle multiselect items,
 
 For each selected project, Patch Patrol:
 
+- Reads GitHub `package.json` files through the GitHub API during scan.
+- Clones only selected GitHub repos into a temporary workspace for patching, or uses the selected local checkout.
 - Checks the worktree is clean before editing.
 - Checks out and fast-forwards the default branch.
 - Creates an advisory-specific branch under `patch-patrol/`.
@@ -149,6 +152,8 @@ patch-patrol --list-rules
 Scan without changing files:
 
 ```sh
+patch-patrol --github humaan --rule next-may-2026 --dry-run
+patch-patrol --github humaan/my-app --rule next-may-2026 --dry-run
 patch-patrol --root /Users/sam/repos --rule next-may-2026 --dry-run
 ```
 
@@ -166,6 +171,7 @@ Bump filters compare the installed version in `package.json` with the advisory t
 Update all affected repos without selection prompts:
 
 ```sh
+patch-patrol --github humaan --rule next-may-2026 --yes
 patch-patrol --root /Users/sam/repos --rule next-may-2026 --yes
 ```
 

package/dist/cli.js

@@ -1,12 +1,12 @@
-import path from 'node:path';
 import { intro, outro } from '@clack/prompts';
 import { loadRules } from './advisories.js';
 import { actionRepo } from './repo-actions.js';
 import { finish, printRules } from './output.js';
-import { findRepos, runScan } from './scanner.js';
+import { runScan } from './scanner.js';
 import { getRuleOrThrow, parseArgs } from './options.js';
 import { printAffectedRepos } from './format.js';
 import { promptForAffectedRepos, promptForScanOptions } from './prompts.js';
+import { resolveTargets } from './targets.js';
 export async function runCli(argv = process.argv.slice(2)) {
     const options = parseArgs(argv);
     const rules = await loadRules(options.advisoryDir);
@@ -19,23 +19,27 @@ export async function runCli(argv = process.argv.slice(2)) {
         await promptForScanOptions(options, rules);
     }
     const rule = getRuleOrThrow(rules, options.rule);
-    const root = path.resolve(options.root);
-    const repos = await findRepos(root);
-    const affectedRepos = await runScan(repos, root, rule, options);
-    printAffectedRepos(affectedRepos, options);
-    if (affectedRepos.length === 0 || options.dryRun) {
+    const targets = await resolveTargets(options);
+    try {
+        const affectedRepos = await runScan(targets.repos, targets.root, rule, options);
+        printAffectedRepos(affectedRepos, options);
+        if (affectedRepos.length === 0 || options.dryRun) {
+            if (options.interactive)
+                outro('Scan complete.');
+            return;
+        }
+        const selectedRepos = options.yes ? affectedRepos : await promptForAffectedRepos(affectedRepos, options);
+        if (selectedRepos.length === 0) {
+            finish(options, 'No projects selected. Nothing changed.');
+            return;
+        }
+        for (const affectedRepo of selectedRepos) {
+            await actionRepo(affectedRepo, rule, options);
+        }
         if (options.interactive)
-            outro('Scan complete.');
-        return;
-    }
-    const selectedRepos = options.yes ? affectedRepos : await promptForAffectedRepos(affectedRepos, options);
-    if (selectedRepos.length === 0) {
-        finish(options, 'No projects selected. Nothing changed.');
-        return;
+            outro('Selected projects processed.');
     }
-    for (const affectedRepo of selectedRepos) {
-        await actionRepo(affectedRepo, rule, options);
+    finally {
+        await targets.cleanup?.();
     }
-    if (options.interactive)
-        outro('Selected projects processed.');
 }

package/dist/git.js

@@ -1,31 +1,65 @@
 import path from 'node:path';
 import { promptForGithubRemote } from './prompts.js';
-import { run } from './shell.js';
+import { run, runAsync } from './shell.js';
 export function ensureClean(repo) {
     const status = run('git', ['status', '--porcelain'], repo, { capture: true });
     if (status.stdout.trim())
         throw new Error(`${repo} has uncommitted changes; skipping to avoid overwriting local work.`);
 }
-export function checkoutFreshBranch(repo, rule, options) {
+export function checkoutFreshBranch(repo, rule, options, quiet = false) {
     const defaultBranch = getDefaultBranch(repo);
-    run('git', ['checkout', defaultBranch], repo);
-    run('git', ['pull', '--ff-only'], repo);
-    run('git', ['checkout', '-B', getBranchName(rule, options)], repo);
+    run('git', ['checkout', defaultBranch], repo, { quiet });
+    run('git', ['pull', '--ff-only'], repo, { quiet });
+    run('git', ['checkout', '-B', getBranchName(rule, options)], repo, { quiet });
 }
-export function commitChanges(repo, rule) {
-    run('git', ['add', ...getChangedFiles(repo)], repo);
-    run('git', ['commit', '-m', rule.commitMessage], repo);
+export async function checkoutFreshBranchAsync(repo, rule, options, quiet = false) {
+    const defaultBranch = getDefaultBranch(repo);
+    await runAsync('git', ['checkout', defaultBranch], repo, { quiet });
+    await runAsync('git', ['pull', '--ff-only'], repo, { quiet });
+    await runAsync('git', ['checkout', '-B', getBranchName(rule, options)], repo, { quiet });
+}
+export function getCheckoutState(repo) {
+    const commit = run('git', ['rev-parse', 'HEAD'], repo, { capture: true }).stdout.trim();
+    const branch = run('git', ['branch', '--show-current'], repo, { capture: true }).stdout.trim();
+    return { ref: branch || commit, commit, detached: !branch };
+}
+export function restoreCheckout(repo, state, quiet = false) {
+    run('git', ['checkout', state.ref], repo, { quiet });
+}
+export async function restoreCheckoutAsync(repo, state, quiet = false) {
+    await runAsync('git', ['checkout', state.ref], repo, { quiet });
+}
+export function commitChanges(repo, rule, quiet = false) {
+    run('git', ['add', ...getChangedFiles(repo)], repo, { quiet });
+    run('git', ['commit', '-m', rule.commitMessage], repo, { quiet });
+}
+export async function commitChangesAsync(repo, rule, quiet = false) {
+    await runAsync('git', ['add', ...getChangedFiles(repo)], repo, { quiet });
+    await runAsync('git', ['commit', '-m', rule.commitMessage], repo, { quiet });
+}
+export async function pushAndCreatePr(repo, rule, options, quiet = false) {
+    const branchName = getBranchName(rule, options);
+    const githubRemote = await ensureGithubRemote(repo);
+    run('git', ['push', '-u', githubRemote.name, branchName], repo, { quiet });
+    if (!githubRemote.ownerRepo)
+        throw new Error(`Could not determine GitHub repo for remote ${githubRemote.name}.`);
+    const prArgs = ['pr', 'create', '--repo', githubRemote.ownerRepo, '--head', branchName, '--title', rule.prTitle, '--body', getPrBody(rule)];
+    if (options.base)
+        prArgs.push('--base', options.base);
+    const result = run('gh', prArgs, repo, { quiet });
+    return quiet ? result.stdout.trim() || undefined : undefined;
 }
-export async function pushAndCreatePr(repo, rule, options) {
+export async function pushAndCreatePrAsync(repo, rule, options, quiet = false) {
     const branchName = getBranchName(rule, options);
     const githubRemote = await ensureGithubRemote(repo);
-    run('git', ['push', '-u', githubRemote.name, branchName], repo);
+    await runAsync('git', ['push', '-u', githubRemote.name, branchName], repo, { quiet });
     if (!githubRemote.ownerRepo)
         throw new Error(`Could not determine GitHub repo for remote ${githubRemote.name}.`);
-    const prArgs = ['pr', 'create', '--repo', githubRemote.ownerRepo, '--head', branchName, '--title', rule.prTitle, '--body', rule.prBody];
+    const prArgs = ['pr', 'create', '--repo', githubRemote.ownerRepo, '--head', branchName, '--title', rule.prTitle, '--body', getPrBody(rule)];
     if (options.base)
         prArgs.push('--base', options.base);
-    run('gh', prArgs, repo);
+    const result = await runAsync('gh', prArgs, repo, { quiet });
+    return quiet ? result.stdout.trim() || undefined : undefined;
 }
 function getDefaultBranch(repo) {
     const symbolic = run('git', ['symbolic-ref', 'refs/remotes/origin/HEAD', '--short'], repo, { capture: true, allowFailure: true });
@@ -37,6 +71,15 @@ function getDefaultBranch(repo) {
 function getBranchName(rule, options) {
     return `${options.branchPrefix}/${rule.branchName}`;
 }
+function getPrBody(rule) {
+    return [
+        'This is an automated PR created by `@humaan/patch-patrol`.',
+        '',
+        `Rule: ${rule.title}`,
+        '',
+        rule.prBody,
+    ].join('\n');
+}
 function hasChanges(repo) {
     return Boolean(run('git', ['status', '--porcelain'], repo, { capture: true }).stdout.trim());
 }
@@ -56,7 +99,7 @@ async function ensureGithubRemote(repo) {
     const suggestion = origin ? convertOriginToGithub(origin.url) : '';
     const url = await promptForGithubRemote(path.basename(repo), suggestion, parseRemote);
     const name = remotes.some((remote) => remote.name === 'github') ? 'github-pr' : 'github';
-    run('git', ['remote', 'add', name, url], repo);
+    run('git', ['remote', 'add', name, url], repo, { quiet: true });
     return parseRemote(name, url);
 }
 function listRemotes(repo) {

package/dist/options.js

@@ -1,9 +1,11 @@
-import path from 'node:path';
-import process from 'node:process';
-import { BUMP_LEVELS, DEFAULT_ADVISORY_DIR, DEFAULT_BRANCH_PREFIX, DEFAULT_RULE_ID } from './constants.js';
+import path from "node:path";
+import process from "node:process";
+import { BUMP_LEVELS, DEFAULT_ADVISORY_DIR, DEFAULT_BRANCH_PREFIX, DEFAULT_RULE_ID } from "./constants.js";
 export function parseArgs(args) {
     const options = {
+        source: "github",
         root: process.cwd(),
+        github: undefined,
         rule: DEFAULT_RULE_ID,
         base: undefined,
         branchPrefix: DEFAULT_BRANCH_PREFIX,
@@ -22,7 +24,7 @@ export function parseArgs(args) {
         const arg = args[index];
         const readValue = () => {
             const value = args[index + 1];
-            if (!value || value.startsWith('--'))
+            if (!value || value.startsWith("--"))
                 throw new Error(`Missing value for ${arg}`);
             index += 1;
             return value;
@@ -38,39 +40,48 @@ export function parseArgs(args) {
                 options.bumpLevels.add(level);
             }
         };
-        if (arg === '--root')
+        if (arg === "--root") {
             options.root = readValue();
-        else if (arg === '--rule')
+            options.source = "local";
+        }
+        else if (arg === "--github") {
+            options.github = readValue();
+            options.source = "github";
+        }
+        else if (arg === "--rule")
             options.rule = readValue();
-        else if (arg === '--advisory-dir')
+        else if (arg === "--advisory-dir")
             options.advisoryDir = path.resolve(readValue());
-        else if (arg === '--base')
+        else if (arg === "--base")
             options.base = readValue();
-        else if (arg === '--branch-prefix')
+        else if (arg === "--branch-prefix")
             options.branchPrefix = readValue();
-        else if (arg === '--limit')
+        else if (arg === "--limit")
             options.limit = Number(readValue());
-        else if (arg === '--bump')
-            addBumpFilter(readValue().split(',').map((level) => level.trim()).filter(Boolean));
-        else if (arg === '--major')
-            addBumpFilter(['major']);
-        else if (arg === '--minor')
-            addBumpFilter(['minor']);
-        else if (arg === '--patch')
-            addBumpFilter(['patch']);
-        else if (arg === '--dry-run')
+        else if (arg === "--bump")
+            addBumpFilter(readValue()
+                .split(",")
+                .map((level) => level.trim())
+                .filter(Boolean));
+        else if (arg === "--major")
+            addBumpFilter(["major"]);
+        else if (arg === "--minor")
+            addBumpFilter(["minor"]);
+        else if (arg === "--patch")
+            addBumpFilter(["patch"]);
+        else if (arg === "--dry-run")
             options.dryRun = true;
-        else if (arg === '--interactive')
+        else if (arg === "--interactive")
             options.interactive = true;
-        else if (arg === '--list-rules')
+        else if (arg === "--list-rules")
             options.listRules = true;
-        else if (arg === '--yes' || arg === '-y')
+        else if (arg === "--yes" || arg === "-y")
             options.yes = true;
-        else if (arg === '--no-pr')
+        else if (arg === "--no-pr")
             options.createPr = false;
-        else if (arg === '--skip-install')
+        else if (arg === "--skip-install")
             options.skipInstall = true;
-        else if (arg === '--help' || arg === '-h') {
+        else if (arg === "--help" || arg === "-h") {
             printHelp();
             process.exit(0);
         }
@@ -79,13 +90,15 @@ export function parseArgs(args) {
         }
     }
     if (options.bumpLevels.size === 0)
-        throw new Error('Select at least one bump level.');
+        throw new Error("Select at least one bump level.");
+    if (options.source === "github" && !options.github)
+        throw new Error("Missing GitHub target.");
     return options;
 }
 export function getRuleOrThrow(rules, ruleId) {
     const rule = rules.get(ruleId);
     if (!rule)
-        throw new Error(`Unknown rule "${ruleId}". Available rules: ${[...rules.keys()].join(', ')}`);
+        throw new Error(`Unknown rule "${ruleId}". Available rules: ${[...rules.keys()].join(", ")}`);
     return rule;
 }
 function printHelp() {
@@ -94,8 +107,11 @@ function printHelp() {
 Usage:
   patch-patrol
   patch-patrol --root /path/to/repos [options]
+  patch-patrol --github owner-or-owner/repo [options]
 
 Options:
+  --root <path>            Local repo or folder of repos. Default: current directory.
+  --github <target>        GitHub owner, owner/repo, or github.com owner/repo URL.
   --rule <name>            Rule to apply. Default: ${DEFAULT_RULE_ID}
   --advisory-dir <path>    Directory containing advisory JSON files.
   --base <branch>          Base branch for PRs. Defaults to GitHub default branch.

package/dist/package-manager.js

@@ -1,16 +1,27 @@
 import path from 'node:path';
 import { fsSyncExists } from './files.js';
-import { run } from './shell.js';
-export function refreshLockfile(repo) {
+import { run, runAsync } from './shell.js';
+export function refreshLockfile(repo, quiet = false) {
     const manager = detectPackageManager(repo);
     if (manager === 'pnpm')
-        run('pnpm', ['install', '--lockfile-only'], repo);
+        run('pnpm', ['install', '--lockfile-only'], repo, { quiet });
     else if (manager === 'yarn')
-        run('yarn', ['install', '--mode=update-lockfile'], repo, { allowFailure: true }) || run('yarn', ['install'], repo);
+        run('yarn', ['install', '--mode=update-lockfile'], repo, { allowFailure: true, quiet }) || run('yarn', ['install'], repo, { quiet });
     else if (manager === 'bun')
-        run('bun', ['install', '--lockfile-only'], repo);
+        run('bun', ['install', '--lockfile-only'], repo, { quiet });
     else
-        run('npm', ['install', '--package-lock-only'], repo);
+        run('npm', ['install', '--package-lock-only'], repo, { quiet });
+}
+export async function refreshLockfileAsync(repo, quiet = false) {
+    const manager = detectPackageManager(repo);
+    if (manager === 'pnpm')
+        await runAsync('pnpm', ['install', '--lockfile-only'], repo, { quiet });
+    else if (manager === 'yarn')
+        await runAsync('yarn', ['install', '--mode=update-lockfile'], repo, { allowFailure: true, quiet }) || await runAsync('yarn', ['install'], repo, { quiet });
+    else if (manager === 'bun')
+        await runAsync('bun', ['install', '--lockfile-only'], repo, { quiet });
+    else
+        await runAsync('npm', ['install', '--package-lock-only'], repo, { quiet });
 }
 function detectPackageManager(repo) {
     if (fsSyncExists(path.join(repo, 'pnpm-lock.yaml')))

package/dist/prompts.js

@@ -4,10 +4,26 @@ import { cancel, confirm, isCancel, multiselect, select, text } from '@clack/pro
 import { parseSelection } from './selection.js';
 import { summarizeUpdates } from './format.js';
 export async function promptForScanOptions(options, rules) {
-    options.root = await promptForRoot(options.root);
+    options.source = await promptForSource(options.source);
+    if (options.source === 'github')
+        options.github = await promptForGithubTarget(options.github ?? '');
+    else
+        options.root = await promptForRoot(options.root);
     options.rule = await promptForRule(rules, options.rule);
     options.bumpLevels = new Set(await promptForBumpLevels(options.bumpLevels));
 }
+export async function promptForSource(defaultSource) {
+    const source = await select({
+        message: 'Where should Patch Patrol scan?',
+        initialValue: defaultSource,
+        options: [
+            { value: 'github', label: 'GitHub', hint: 'Clone repos from an owner or repo URL' },
+            { value: 'local', label: 'Local', hint: 'Use a local repo or folder of repos' },
+        ],
+    });
+    handleCancel(source);
+    return source;
+}
 export async function promptForRoot(defaultRoot) {
     const root = await text({
         message: 'Repo or folder of repos',
@@ -24,6 +40,20 @@ export async function promptForRoot(defaultRoot) {
     handleCancel(root);
     return path.resolve(root);
 }
+export async function promptForGithubTarget(defaultTarget) {
+    const target = await text({
+        message: 'GitHub owner, owner/repo, or repo URL',
+        placeholder: 'humaan or humaan/my-app',
+        initialValue: defaultTarget,
+        validate(value) {
+            if (!value.trim())
+                return 'Enter a GitHub owner, owner/repo, or repo URL.';
+            return undefined;
+        },
+    });
+    handleCancel(target);
+    return target.trim();
+}
 export async function promptForRule(rules, defaultRuleId) {
     const selectedRule = await select({
         message: 'Select an advisory rule',

package/dist/repo-actions.js

@@ -1,41 +1,211 @@
 import fs from 'node:fs/promises';
 import path from 'node:path';
+import { spinner } from '@clack/prompts';
 import { getUpdates } from './advisories.js';
-import { checkoutFreshBranch, commitChanges, ensureClean, hasChanges, pushAndCreatePr } from './git.js';
-import { refreshLockfile } from './package-manager.js';
+import { checkoutFreshBranch, checkoutFreshBranchAsync, commitChanges, commitChangesAsync, ensureClean, getCheckoutState, hasChanges, pushAndCreatePr, pushAndCreatePrAsync, restoreCheckout, restoreCheckoutAsync } from './git.js';
+import { refreshLockfile, refreshLockfileAsync } from './package-manager.js';
+import { cloneGithubRepo } from './targets.js';
 export async function actionRepo(affectedRepo, rule, options) {
+    const repoName = path.basename(affectedRepo.repo);
+    const status = createActionStatus(options, repoName);
+    try {
+        const result = affectedRepo.github
+            ? await actionGithubRepo(affectedRepo, rule, options, status, repoName)
+            : await actionLocalRepo(affectedRepo, rule, options, status, repoName);
+        status?.stop(result);
+    }
+    catch (error) {
+        status?.stop(`Processing ${repoName} failed.`);
+        throw error;
+    }
+}
+async function actionGithubRepo(affectedRepo, rule, options, status, repoName) {
+    if (affectedRepo.github) {
+        status?.message(`Cloning ${repoName}`);
+        const clone = await cloneGithubRepo(affectedRepo.github, options.interactive);
+        let cleaned = false;
+        try {
+            const result = await actionLocalRepo({
+                repo: clone.repoPath,
+                packageJsonPath: path.join(clone.repoPath, 'package.json'),
+                updates: affectedRepo.updates,
+            }, rule, options, status, repoName);
+            status?.message(`Cleaning up ${repoName}`);
+            await clone.cleanup();
+            cleaned = true;
+            return result;
+        }
+        finally {
+            if (!cleaned) {
+                status?.message(`Cleaning up ${repoName}`);
+                await clone.cleanup();
+            }
+        }
+    }
+    throw new Error(`${repoName} is not a GitHub repo target.`);
+}
+async function actionLocalRepo(affectedRepo, rule, options, status, repoName) {
     const { repo, packageJsonPath, updates } = affectedRepo;
-    console.log(`\n${path.basename(repo)}`);
-    for (const update of updates) {
-        console.log(`  [${update.bumpLevel}] ${update.section}.${update.name}: ${update.from} -> ${update.to} (${update.reason})`);
+    if (!options.interactive) {
+        console.log(`\n${path.basename(repo)}`);
+        for (const update of updates) {
+            console.log(`  [${update.bumpLevel}] ${update.section}.${update.name}: ${update.from} -> ${update.to} (${update.reason})`);
+        }
     }
     ensureClean(repo);
-    checkoutFreshBranch(repo, rule, options);
-    const packageJson = JSON.parse(await fs.readFile(packageJsonPath, 'utf8'));
+    const originalCheckout = getCheckoutState(repo);
+    status?.message(`Preparing update branch for ${repoName}`);
+    if (options.interactive)
+        await checkoutFreshBranchAsync(repo, rule, options, true);
+    else
+        checkoutFreshBranch(repo, rule, options);
+    const packageJsonText = await fs.readFile(packageJsonPath, 'utf8');
+    const packageJson = JSON.parse(packageJsonText);
     const freshUpdates = getUpdates(packageJson, rule, options.bumpLevels);
     if (freshUpdates.length === 0) {
-        console.log('  No affected dependencies after updating the base branch; skipping.');
-        return;
+        if (!options.interactive)
+            console.log('  No affected dependencies after updating the base branch; skipping.');
+        return `Skipped ${repoName}: no affected dependencies after updating the base branch.`;
+    }
+    status?.message(`Updating package files for ${repoName}`);
+    await fs.writeFile(packageJsonPath, applyUpdates(packageJsonText, freshUpdates));
+    if (!options.skipInstall) {
+        status?.message(`Refreshing lockfile for ${repoName}`);
+        if (options.interactive)
+            await refreshLockfileAsync(repo, true);
+        else
+            refreshLockfile(repo);
     }
-    applyUpdates(packageJson, freshUpdates);
-    await fs.writeFile(packageJsonPath, `${JSON.stringify(packageJson, null, 2)}\n`);
-    if (!options.skipInstall)
-        refreshLockfile(repo);
     if (!hasChanges(repo)) {
-        console.log('  No changes after update; skipping.');
-        return;
+        if (!options.interactive)
+            console.log('  No changes after update; skipping.');
+        return `Skipped ${repoName}: no changes after update.`;
     }
-    commitChanges(repo, rule);
+    status?.message(`Committing changes for ${repoName}`);
+    if (options.interactive)
+        await commitChangesAsync(repo, rule, true);
+    else
+        commitChanges(repo, rule);
     if (!options.createPr) {
-        console.log('  Updated locally; PR creation disabled.');
-        return;
+        if (!options.interactive)
+            console.log('  Updated locally; PR creation disabled.');
+        return `Updated ${repoName} locally; PR creation disabled.`;
     }
-    await pushAndCreatePr(repo, rule, options);
+    status?.message(`Creating PR for ${repoName}`);
+    const prUrl = options.interactive ? await pushAndCreatePrAsync(repo, rule, options, true) : await pushAndCreatePr(repo, rule, options);
+    status?.message(`Restoring checkout for ${repoName}`);
+    if (options.interactive)
+        await restoreCheckoutAsync(repo, originalCheckout, true);
+    else
+        restoreCheckout(repo, originalCheckout);
+    return prUrl ? `Created PR for ${repoName}: ${prUrl}` : `Created PR for ${repoName}.`;
+}
+function createActionStatus(options, repoName) {
+    if (!options.interactive)
+        return null;
+    const statusSpinner = spinner();
+    statusSpinner.start(`Processing ${repoName}`);
+    return statusSpinner;
 }
-function applyUpdates(packageJson, updates) {
+function applyUpdates(packageJsonText, updates) {
+    let updatedPackageJsonText = packageJsonText;
     for (const update of updates) {
-        const dependencies = packageJson[update.section];
-        if (dependencies)
-            dependencies[update.name] = update.to;
+        updatedPackageJsonText = applyUpdate(updatedPackageJsonText, update);
     }
+    JSON.parse(updatedPackageJsonText);
+    return updatedPackageJsonText;
+}
+function applyUpdate(packageJsonText, update) {
+    const sectionRange = findObjectRange(packageJsonText, update.section);
+    if (!sectionRange)
+        throw new Error(`Could not find ${update.section} in package.json.`);
+    const sectionText = packageJsonText.slice(sectionRange.start, sectionRange.end);
+    const dependencyPattern = new RegExp(`(${escapeRegExp(JSON.stringify(update.name))}\\s*:\\s*)("(?:\\\\.|[^"\\\\])*")`);
+    const match = dependencyPattern.exec(sectionText);
+    if (!match?.[2])
+        throw new Error(`Could not find ${update.section}.${update.name} in package.json.`);
+    if (JSON.parse(match[2]) !== update.from) {
+        throw new Error(`Expected ${update.section}.${update.name} to be ${update.from}, but found ${JSON.parse(match[2])}.`);
+    }
+    const updatedSectionText = sectionText.replace(dependencyPattern, `$1${JSON.stringify(update.to)}`);
+    return `${packageJsonText.slice(0, sectionRange.start)}${updatedSectionText}${packageJsonText.slice(sectionRange.end)}`;
+}
+function findObjectRange(jsonText, propertyName) {
+    let depth = 0;
+    let inString = false;
+    let escaped = false;
+    let stringStart = -1;
+    for (let index = 0; index < jsonText.length; index += 1) {
+        const char = jsonText[index];
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (char === '\\') {
+            escaped = inString;
+            continue;
+        }
+        if (char === '"') {
+            if (!inString) {
+                inString = true;
+                stringStart = index;
+                continue;
+            }
+            inString = false;
+            const colonIndex = skipWhitespace(jsonText, index + 1);
+            if (depth !== 1 || jsonText[colonIndex] !== ':' || JSON.parse(jsonText.slice(stringStart, index + 1)) !== propertyName) {
+                continue;
+            }
+            const objectStart = skipWhitespace(jsonText, colonIndex + 1);
+            if (jsonText[objectStart] !== '{')
+                return null;
+            const objectEnd = findObjectEnd(jsonText, objectStart);
+            return objectEnd === -1 ? null : { start: objectStart, end: objectEnd };
+        }
+        if (inString)
+            continue;
+        if (char === '{' || char === '[')
+            depth += 1;
+        if (char === '}' || char === ']')
+            depth -= 1;
+    }
+    return null;
+}
+function findObjectEnd(jsonText, objectStart) {
+    let depth = 0;
+    let inString = false;
+    let escaped = false;
+    for (let index = objectStart; index < jsonText.length; index += 1) {
+        const char = jsonText[index];
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (char === '\\') {
+            escaped = inString;
+            continue;
+        }
+        if (char === '"') {
+            inString = !inString;
+            continue;
+        }
+        if (inString)
+            continue;
+        if (char === '{')
+            depth += 1;
+        if (char === '}')
+            depth -= 1;
+        if (depth === 0)
+            return index + 1;
+    }
+    return -1;
+}
+function skipWhitespace(value, start) {
+    let index = start;
+    while (/\s/.test(value[index] ?? ''))
+        index += 1;
+    return index;
+}
+function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
 }

package/dist/scanner.js

@@ -3,13 +3,15 @@ import path from 'node:path';
 import { spinner } from '@clack/prompts';
 import { getUpdates } from './advisories.js';
 import { exists } from './files.js';
+import { run } from './shell.js';
 export async function runScan(repos, root, rule, options) {
+    const targetDescription = options.source === 'github' ? `${repos.length} GitHub repos via the GitHub API` : `${repos.length} repos in ${root}`;
     if (!options.interactive) {
-        console.log(`Scanning ${repos.length} repos in ${root} using rule: ${rule.title}`);
+        console.log(`Scanning ${targetDescription} using rule: ${rule.title}`);
         return scanRepos(repos, rule, options);
     }
     const scanSpinner = spinner();
-    scanSpinner.start(`Scanning ${repos.length} repos in ${root}`);
+    scanSpinner.start(`Scanning ${targetDescription}`);
     const affectedRepos = await scanRepos(repos, rule, options);
     scanSpinner.stop(`Found ${affectedRepos.length} affected repo${affectedRepos.length === 1 ? '' : 's'}.`);
     return affectedRepos;
@@ -44,6 +46,11 @@ async function scanRepos(repos, rule, options) {
     return affectedRepos;
 }
 async function scanRepo(repo, rule, options) {
+    if (repo.source === 'github')
+        return scanGithubRepo(repo, rule, options);
+    return scanLocalRepo(repo.path, rule, options);
+}
+async function scanLocalRepo(repo, rule, options) {
     const packageJsonPath = path.join(repo, 'package.json');
     const packageJson = JSON.parse(await fs.readFile(packageJsonPath, 'utf8'));
     const updates = getUpdates(packageJson, rule, options.bumpLevels);
@@ -51,3 +58,31 @@ async function scanRepo(repo, rule, options) {
         return null;
     return { repo, packageJsonPath, updates };
 }
+async function scanGithubRepo(repo, rule, options) {
+    const packageJsonText = getGithubPackageJson(repo);
+    if (!packageJsonText)
+        return null;
+    const packageJson = JSON.parse(packageJsonText);
+    const updates = getUpdates(packageJson, rule, options.bumpLevels);
+    if (updates.length === 0)
+        return null;
+    return {
+        repo: repo.nameWithOwner,
+        packageJsonPath: 'package.json',
+        updates,
+        github: repo,
+    };
+}
+function getGithubPackageJson(repo) {
+    const result = run('gh', [
+        'api',
+        `repos/${repo.nameWithOwner}/contents/package.json`,
+        '--method',
+        'GET',
+        '--field',
+        `ref=${repo.defaultBranch}`,
+        '--header',
+        'Accept: application/vnd.github.raw',
+    ], process.cwd(), { capture: true, allowFailure: true });
+    return result?.stdout.trim() ? result.stdout : null;
+}

package/dist/shell.js

@@ -1,9 +1,9 @@
-import { spawnSync } from 'node:child_process';
+import { spawn, spawnSync } from 'node:child_process';
 export function run(command, args, cwd, options = {}) {
     const result = spawnSync(command, args, {
         cwd,
         encoding: 'utf8',
-        stdio: options.capture ? ['ignore', 'pipe', 'pipe'] : 'inherit',
+        stdio: options.capture || options.quiet ? ['ignore', 'pipe', 'pipe'] : 'inherit',
     });
     if (result.status !== 0) {
         if (options.allowFailure)
@@ -13,3 +13,36 @@ export function run(command, args, cwd, options = {}) {
     }
     return result;
 }
+export async function runAsync(command, args, cwd, options = {}) {
+    const capture = options.capture || options.quiet;
+    return new Promise((resolve, reject) => {
+        const child = spawn(command, args, {
+            cwd,
+            stdio: capture ? ['ignore', 'pipe', 'pipe'] : 'inherit',
+        });
+        const stdout = [];
+        const stderr = [];
+        if (capture) {
+            child.stdout?.on('data', (chunk) => stdout.push(chunk));
+            child.stderr?.on('data', (chunk) => stderr.push(chunk));
+        }
+        child.on('error', reject);
+        child.on('close', (status) => {
+            const result = {
+                stdout: Buffer.concat(stdout).toString('utf8'),
+                stderr: Buffer.concat(stderr).toString('utf8'),
+                status,
+            };
+            if (status !== 0) {
+                if (options.allowFailure) {
+                    resolve(null);
+                    return;
+                }
+                const stderrText = result.stderr ? `\n${result.stderr}` : '';
+                reject(new Error(`${command} ${args.join(' ')} failed in ${cwd}.${stderrText}`));
+                return;
+            }
+            resolve(result);
+        });
+    });
+}

package/dist/targets.js

@@ -0,0 +1,111 @@
+import fs from 'node:fs/promises';
+import fsSync from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+import { spinner } from '@clack/prompts';
+import { run, runAsync } from './shell.js';
+import { findRepos } from './scanner.js';
+const cleanupPaths = new Set();
+let cleanupHooksRegistered = false;
+export async function resolveTargets(options) {
+    if (options.source === 'github')
+        return resolveGithubTargets(options.github ?? '', options);
+    const root = path.resolve(options.root);
+    return { root, repos: (await findRepos(root)).map((repoPath) => ({ source: 'local', path: repoPath })) };
+}
+export async function cloneGithubRepo(repo, quiet = false) {
+    const root = await fs.mkdtemp(path.join(os.tmpdir(), 'patch-patrol-'));
+    registerCleanupPath(root);
+    try {
+        const repoPath = path.join(root, getRepoName(repo));
+        if (quiet)
+            await runAsync('git', ['clone', repo.sshUrl, repoPath], process.cwd(), { quiet });
+        else
+            run('git', ['clone', repo.sshUrl, repoPath], process.cwd());
+        return {
+            cleanup: async () => {
+                unregisterCleanupPath(root);
+                await removeCleanupPath(root);
+            },
+            repoPath,
+        };
+    }
+    catch (error) {
+        unregisterCleanupPath(root);
+        await removeCleanupPath(root);
+        throw error;
+    }
+}
+async function resolveGithubTargets(target, options) {
+    const targetSpinner = options.interactive ? spinner() : null;
+    targetSpinner?.start(`Loading GitHub repos from ${target}`);
+    const repos = getGithubRepos(target);
+    targetSpinner?.stop(`Loaded ${repos.length} GitHub repo${repos.length === 1 ? '' : 's'}.`);
+    return { root: normalizeGithubTarget(target), repos: repos.map(toGithubRepoTarget) };
+}
+function getGithubRepos(target) {
+    const normalizedTarget = normalizeGithubTarget(target);
+    if (isGithubRepoTarget(normalizedTarget))
+        return [getGithubRepo(normalizedTarget)];
+    const result = run('gh', ['repo', 'list', normalizedTarget, '--json', 'nameWithOwner,sshUrl,defaultBranchRef', '--limit', '1000'], process.cwd(), { capture: true });
+    return JSON.parse(result.stdout);
+}
+function getGithubRepo(target) {
+    const result = run('gh', ['repo', 'view', target, '--json', 'nameWithOwner,sshUrl,defaultBranchRef'], process.cwd(), { capture: true });
+    return JSON.parse(result.stdout);
+}
+function toGithubRepoTarget(repo) {
+    return {
+        source: 'github',
+        nameWithOwner: repo.nameWithOwner,
+        sshUrl: repo.sshUrl,
+        defaultBranch: repo.defaultBranchRef.name,
+    };
+}
+function getRepoName(repo) {
+    return repo.nameWithOwner.split('/').at(-1) ?? repo.nameWithOwner;
+}
+function normalizeGithubTarget(target) {
+    const trimmed = target.trim().replace(/\.git$/, '');
+    const orgMatch = trimmed.match(/github\.com\/orgs\/(?<owner>[^/#?]+)/i);
+    if (orgMatch?.groups?.owner)
+        return orgMatch.groups.owner;
+    const userMatch = trimmed.match(/github\.com\/users\/(?<owner>[^/#?]+)/i);
+    if (userMatch?.groups?.owner)
+        return userMatch.groups.owner;
+    const repoMatch = trimmed.match(/github\.com[:/](?<owner>[^/]+)\/(?<repo>[^/#?]+)/i);
+    if (repoMatch?.groups?.owner && repoMatch.groups.repo)
+        return `${repoMatch.groups.owner}/${repoMatch.groups.repo}`;
+    const ownerMatch = trimmed.match(/github\.com\/(?<owner>[^/#?]+)/i);
+    if (ownerMatch?.groups?.owner)
+        return ownerMatch.groups.owner;
+    return trimmed.replace(/^@/, '');
+}
+function isGithubRepoTarget(target) {
+    return /^[^/]+\/[^/]+$/.test(target);
+}
+function registerCleanupPath(cleanupPath) {
+    cleanupPaths.add(cleanupPath);
+    if (cleanupHooksRegistered)
+        return;
+    cleanupHooksRegistered = true;
+    process.once('exit', removeRegisteredCleanupPathsSync);
+    process.once('SIGINT', () => exitAfterCleanup(130));
+    process.once('SIGTERM', () => exitAfterCleanup(143));
+}
+function unregisterCleanupPath(cleanupPath) {
+    cleanupPaths.delete(cleanupPath);
+}
+async function removeCleanupPath(cleanupPath) {
+    await fs.rm(cleanupPath, { recursive: true, force: true });
+}
+function exitAfterCleanup(code) {
+    removeRegisteredCleanupPathsSync();
+    process.exit(code);
+}
+function removeRegisteredCleanupPathsSync() {
+    for (const cleanupPath of cleanupPaths) {
+        fsSync.rmSync(cleanupPath, { recursive: true, force: true });
+    }
+    cleanupPaths.clear();
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@humaan/patch-patrol",
-  "version": "0.2.2",
+  "version": "0.3.0",
   "description": "Scan local repositories for advisory-driven package bumps, update them, and open pull requests.",
   "type": "module",
   "bin": {
@@ -37,6 +37,7 @@
   "license": "MIT",
   "scripts": {
     "build": "tsc",
+    "start": "node bin/patch-patrol.js",
     "typecheck": "tsc --noEmit",
     "check": "pnpm run typecheck && pnpm run build && node --check bin/patch-patrol.js && node --check dist/*.js",
     "scan:dry": "pnpm run build && node bin/patch-patrol.js --root .. --dry-run --no-pr"