@kevinrabun/judges 2.2.0 → 3.0.0

package/dist/evaluators/database.js

@@ -1,21 +1,23 @@
-import { getLineNumbers, getLangFamily } from "./shared.js";
+import { getLineNumbers, getLangLineNumbers, getLangFamily } from "./shared.js";
+import * as LP from "../language-patterns.js";
 export function analyzeDatabase(code, language) {
     const findings = [];
     let ruleNum = 1;
     const prefix = "DB";
     const lang = getLangFamily(language);
-    // SQL injection via string concatenation
-    const sqlInjectionPattern = /(?:execute|query|raw|prepare)\s*\(\s*(?:`[^`]*(?:\$\{[^}]*\b(?:req|request|params|query|body|input|user|id|name|email)\b|\$\{[^}]*\+)|['"][^'"]*['"]\s*\+\s*(?:req\.|request\.|params\.|query\.|body\.|input|user|id|name|email)|['"][^'"]*['"]\s*\.\s*concat\s*\()/gi;
-    const sqlInjectionLines = getLineNumbers(code, sqlInjectionPattern);
+    // SQL injection via string concatenation (multi-language)
+    const sqlInjectionLines = getLangLineNumbers(code, language, LP.SQL_INJECTION);
     if (sqlInjectionLines.length > 0) {
         findings.push({
             ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
             severity: "critical",
             title: "SQL injection via string concatenation",
-            description: `Found ${sqlInjectionLines.length} instance(s) of SQL queries built with string concatenation or template literals containing user input. This is the most common and dangerous database vulnerability.`,
+            description: `Found ${sqlInjectionLines.length} instance(s) of SQL queries built with string concatenation or interpolation containing user input. This is the most common and dangerous database vulnerability.`,
             lineNumbers: sqlInjectionLines,
             recommendation: "Use parameterized queries (placeholders) or prepared statements. ORMs handle this automatically. Never concatenate user input into SQL strings.",
             reference: "OWASP SQL Injection Prevention Cheat Sheet / CWE-89",
+            suggestedFix: "Use parameterized queries: db.query('SELECT * FROM users WHERE id = $1', [userId]) (JS), cursor.execute('...WHERE id = %s', (uid,)) (Python), db.Query('...WHERE id = $1', id) (Go).",
+            confidence: 0.95,
         });
     }
     // SELECT * usage
@@ -30,24 +32,30 @@ export function analyzeDatabase(code, language) {
             lineNumbers: selectStarLines,
             recommendation: "Select only the columns you need: SELECT id, name, email FROM users. This reduces network transfer, memory usage, and improves query plan optimization.",
             reference: "SQL Performance Best Practices",
+            suggestedFix: "Replace SELECT * with explicit columns: SELECT id, name, email FROM users WHERE active = true; — reduces data transfer and enables index-only scans.",
+            confidence: 0.9,
         });
     }
-    // N+1 query pattern (query in a loop)
+    // N+1 query pattern (query in a loop) (multi-language)
     const lines = code.split("\n");
     const n1Lines = [];
+    const dbQueryLines = new Set(getLangLineNumbers(code, language, LP.DB_QUERY));
+    const loopLines = new Set(getLangLineNumbers(code, language, LP.FOR_LOOP));
     let inLoop = false;
     let loopDepth = 0;
     for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        if (/\b(?:for|while|forEach|\.map|\.each)\b/.test(line)) {
+        if (loopLines.has(i + 1) || /\b(?:for|while|forEach|\.map|\.each)\b/.test(line)) {
             inLoop = true;
             loopDepth++;
         }
-        if (inLoop && /(?:await\s+)?(?:db\.|query|find|findOne|findMany|execute|select|fetch)\s*\(/.test(line)) {
+        if (inLoop &&
+            (dbQueryLines.has(i + 1) ||
+                /(?:await\s+)?(?:db\.|query|find|findOne|findMany|execute|select|fetch)\s*\(/.test(line))) {
             n1Lines.push(i + 1);
         }
         if (inLoop) {
-            const opens = (line.match(/\{/g) || []).length;
+            const opens = (line.match(/\{/g) || []).length + (line.match(/:\s*$/g) || []).length;
             const closes = (line.match(/\}/g) || []).length;
             loopDepth += opens - closes;
             if (loopDepth <= 0) {
@@ -65,6 +73,8 @@ export function analyzeDatabase(code, language) {
             lineNumbers: n1Lines,
             recommendation: "Use batch queries (WHERE id IN (...)), JOINs, or ORM eager loading (include/populate) to fetch related data in a single query.",
             reference: "N+1 Query Problem / ORM Performance Patterns",
+            suggestedFix: "Batch queries: const items = await db.query('SELECT * FROM items WHERE parent_id = ANY($1)', [parentIds]); instead of querying in a loop.",
+            confidence: 0.75,
         });
     }
     // No connection pooling
@@ -78,6 +88,8 @@ export function analyzeDatabase(code, language) {
             description: "Database connection created without visible connection pooling. Creating a new connection per request is expensive and unsustainable under load.",
             recommendation: "Use connection pooling (e.g., pg.Pool, mysql2.createPool, mongoose connection pooling). Configure pool size based on expected concurrent connections.",
             reference: "Database Connection Pooling Best Practices",
+            suggestedFix: "Use connection pool: const pool = new Pool({ max: 20, idleTimeoutMillis: 30000 }); const client = await pool.connect(); try { ... } finally { client.release(); }",
+            confidence: 0.7,
         });
     }
     // Raw SQL queries (no ORM/query builder)
@@ -92,6 +104,8 @@ export function analyzeDatabase(code, language) {
             lineNumbers: rawSqlLines.slice(0, 5),
             recommendation: "Consider using a query builder (Knex, Prisma, Drizzle, SQLAlchemy) or ORM for type safety, parameterization, and database portability.",
             reference: "ORM vs Raw SQL Best Practices",
+            suggestedFix: "Use a query builder: const users = await knex('users').select('id', 'name').where({ active: true }); — provides parameterization and type safety.",
+            confidence: 0.8,
         });
     }
     // No transaction handling
@@ -105,6 +119,8 @@ export function analyzeDatabase(code, language) {
             description: "Data is modified (INSERT/UPDATE/DELETE) without transaction wrappers. If an error occurs mid-operation, data could be left in an inconsistent state.",
             recommendation: "Wrap multi-step data mutations in transactions. Use BEGIN/COMMIT/ROLLBACK or ORM transaction APIs to ensure atomicity.",
             reference: "ACID Properties / Database Transaction Best Practices",
+            suggestedFix: "Wrap mutations in transaction: await db.transaction(async (trx) => { await trx('orders').insert(order); await trx('inventory').decrement('qty', 1); });",
+            confidence: 0.7,
         });
     }
     // Hardcoded connection strings
@@ -119,6 +135,8 @@ export function analyzeDatabase(code, language) {
             lineNumbers: connStringLines,
             recommendation: "Use environment variables for connection strings. Store credentials in a secrets manager. Use different connection strings per environment.",
             reference: "12-Factor App: Config / OWASP Secrets Management",
+            suggestedFix: "Use env vars: const connectionString = process.env.DATABASE_URL; never hardcode credentials in source code.",
+            confidence: 0.9,
         });
     }
     // DROP TABLE / TRUNCATE without safeguards
@@ -133,6 +151,8 @@ export function analyzeDatabase(code, language) {
             lineNumbers: destructiveDbLines,
             recommendation: "Never run destructive DDL from application code. Use migration tools (Prisma, Flyway, Alembic) with review and rollback support. Require elevated permissions for DDL.",
             reference: "Database Migration Best Practices / Least Privilege",
+            suggestedFix: "Move DDL to migration files: npx prisma migrate dev --name drop_legacy_table; never embed DROP TABLE in application code.",
+            confidence: 0.95,
         });
     }
     // No migration tooling
@@ -146,6 +166,8 @@ export function analyzeDatabase(code, language) {
             description: "DDL statements (CREATE TABLE, ALTER TABLE) found without migration tooling. Manual schema changes are unreproducible and error-prone across environments.",
             recommendation: "Use a database migration tool (Prisma, Knex, Flyway, Alembic) to version schema changes. Migrations should be idempotent and reversible.",
             reference: "Database Migration Best Practices / Evolutionary Database Design",
+            suggestedFix: "Use migration tool: npx prisma migrate dev --name add_users_table; or knex migrate:make create_users — version-controlled, reversible schema changes.",
+            confidence: 0.7,
         });
     }
     // Missing database indexes heuristic
@@ -159,6 +181,8 @@ export function analyzeDatabase(code, language) {
             description: "SQL queries filter on columns but no index creation is visible. Without indexes, queries perform full table scans which degrade exponentially with data volume.",
             recommendation: "Create indexes on columns used in WHERE, JOIN, and ORDER BY clauses. Monitor slow query logs. Use EXPLAIN to verify query plans.",
             reference: "SQL Indexing Best Practices / Use The Index, Luke!",
+            suggestedFix: "Add indexes: CREATE INDEX idx_users_email ON users(email); CREATE INDEX idx_orders_user_date ON orders(user_id, created_at); use EXPLAIN to verify.",
+            confidence: 0.7,
         });
     }
     // Database credentials in connection string
@@ -173,6 +197,8 @@ export function analyzeDatabase(code, language) {
             lineNumbers: credInConnLines,
             recommendation: "Use separate credential parameters or environment variables. Consider IAM/managed identity for passwordless database connections in cloud environments.",
             reference: "OWASP: Credential Management / Azure Managed Identity",
+            suggestedFix: "Use env vars: const client = new Client({ host: process.env.DB_HOST, user: process.env.DB_USER, password: process.env.DB_PASSWORD });",
+            confidence: 0.9,
         });
     }
     return findings;

package/dist/evaluators/database.js.map

@@ -1 +1 @@
-{"version":3,"file":"database.js","sourceRoot":"","sources":["../../src/evaluators/database.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAsB,aAAa,EAAE,MAAM,aAAa,CAAC;AAGhF,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,QAAgB;IAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,IAAI,CAAC;IACpB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAErC,yCAAyC;IACzC,MAAM,mBAAmB,GAAG,uQAAuQ,CAAC;IACpS,MAAM,iBAAiB,GAAG,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IACpE,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,SAAS,iBAAiB,CAAC,MAAM,uKAAuK;YACrN,WAAW,EAAE,iBAAiB;YAC9B,cAAc,EAAE,iJAAiJ;YACjK,SAAS,EAAE,qDAAqD;SACjE,CAAC,CAAC;IACL,CAAC;IAED,iBAAiB;IACjB,MAAM,iBAAiB,GAAG,eAAe,CAAC;IAC1C,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAChE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,SAAS,eAAe,CAAC,MAAM,uIAAuI;YACnL,WAAW,EAAE,eAAe;YAC5B,cAAc,EAAE,yJAAyJ;YACzK,SAAS,EAAE,gCAAgC;SAC5C,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,MAAM,GAAG,IAAI,CAAC;YACd,SAAS,EAAE,CAAC;QACd,CAAC;QACD,IAAI,MAAM,IAAI,6EAA6E,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACvG,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACtB,CAAC;QACD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YAC/C,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YAChD,SAAS,IAAI,KAAK,GAAG,MAAM,CAAC;YAC5B,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;gBACnB,MAAM,GAAG,KAAK,CAAC;gBACf,SAAS,GAAG,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,4BAA4B;YACnC,WAAW,EAAE,SAAS,OAAO,CAAC,MAAM,mJAAmJ;YACvL,WAAW,EAAE,OAAO;YACpB,cAAc,EAAE,gIAAgI;YAChJ,SAAS,EAAE,8CAA8C;SAC1D,CAAC,CAAC;IACL,CAAC;IAED,wBAAwB;IACxB,MAAM,eAAe,GAAG,gHAAgH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpJ,MAAM,UAAU,GAAG,iFAAiF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChH,IAAI,eAAe,IAAI,CAAC,UAAU,EAAE,CAAC;QACnC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EAAE,kJAAkJ;YAC/J,cAAc,EAAE,uJAAuJ;YACvK,SAAS,EAAE,4CAA4C;SACxD,CAAC,CAAC;IACL,CAAC;IAED,yCAAyC;IACzC,MAAM,aAAa,GAAG,wFAAwF,CAAC;IAC/G,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;IACxD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,gDAAgD;YACvD,WAAW,EAAE,SAAS,WAAW,CAAC,MAAM,8GAA8G;YACtJ,WAAW,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YACpC,cAAc,EAAE,wIAAwI;YACxJ,SAAS,EAAE,+BAA+B;SAC3C,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,MAAM,YAAY,GAAG,iEAAiE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClG,MAAM,eAAe,GAAG,sEAAsE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1G,IAAI,YAAY,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACrE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,6CAA6C;YACpD,WAAW,EAAE,sJAAsJ;YACnK,cAAc,EAAE,wHAAwH;YACxI,SAAS,EAAE,uDAAuD;SACnE,CAAC,CAAC;IACL,CAAC;IAED,+BAA+B;IAC/B,MAAM,iBAAiB,GAAG,4DAA4D,CAAC;IACvF,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAChE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EAAE,mJAAmJ;YAChK,WAAW,EAAE,eAAe;YAC5B,cAAc,EAAE,6IAA6I;YAC7J,SAAS,EAAE,kDAAkD;SAC9D,CAAC,CAAC;IACL,CAAC;IAED,2CAA2C;IAC3C,MAAM,oBAAoB,GAAG,mEAAmE,CAAC;IACjG,MAAM,kBAAkB,GAAG,cAAc,CAAC,IAAI,EAAE,oBAAoB,CAAC,CAAC;IACtE,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,gDAAgD;YACvD,WAAW,EAAE,SAAS,kBAAkB,CAAC,MAAM,kJAAkJ;YACjM,WAAW,EAAE,kBAAkB;YAC/B,cAAc,EAAE,wKAAwK;YACxL,SAAS,EAAE,qDAAqD;SACjE,CAAC,CAAC;IACL,CAAC;IAED,uBAAuB;IACvB,MAAM,aAAa,GAAG,sJAAsJ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxL,MAAM,gBAAgB,GAAG,2DAA2D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChG,IAAI,gBAAgB,IAAI,CAAC,aAAa,EAAE,CAAC;QACvC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,0CAA0C;YACjD,WAAW,EAAE,2JAA2J;YACxK,cAAc,EAAE,0IAA0I;YAC1J,SAAS,EAAE,kEAAkE;SAC9E,CAAC,CAAC;IACL,CAAC;IAED,qCAAqC;IACrC,MAAM,cAAc,GAAG,gDAAgD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnF,MAAM,YAAY,GAAG,mEAAmE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpG,IAAI,cAAc,IAAI,CAAC,YAAY,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9D,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,qDAAqD;YAC5D,WAAW,EAAE,iKAAiK;YAC9K,cAAc,EAAE,kIAAkI;YAClJ,SAAS,EAAE,oDAAoD;SAChE,CAAC,CAAC;IACL,CAAC;IAED,4CAA4C;IAC5C,MAAM,iBAAiB,GAAG,iDAAiD,CAAC;IAC5E,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAChE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,oDAAoD;YAC3D,WAAW,EAAE,oIAAoI;YACjJ,WAAW,EAAE,eAAe;YAC5B,cAAc,EAAE,yJAAyJ;YACzK,SAAS,EAAE,uDAAuD;SACnE,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
+{"version":3,"file":"database.js","sourceRoot":"","sources":["../../src/evaluators/database.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAChF,OAAO,KAAK,EAAE,MAAM,yBAAyB,CAAC;AAE9C,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,QAAgB;IAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,IAAI,CAAC;IACpB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAErC,0DAA0D;IAC1D,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IAC/E,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,SAAS,iBAAiB,CAAC,MAAM,mKAAmK;YACjN,WAAW,EAAE,iBAAiB;YAC9B,cAAc,EACZ,iJAAiJ;YACnJ,SAAS,EAAE,qDAAqD;YAChE,YAAY,EACV,sLAAsL;YACxL,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,iBAAiB;IACjB,MAAM,iBAAiB,GAAG,eAAe,CAAC;IAC1C,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAChE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,SAAS,eAAe,CAAC,MAAM,uIAAuI;YACnL,WAAW,EAAE,eAAe;YAC5B,cAAc,EACZ,yJAAyJ;YAC3J,SAAS,EAAE,gCAAgC;YAC3C,YAAY,EACV,sJAAsJ;YACxJ,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,uDAAuD;IACvD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC9E,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,kBAAkB,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3E,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAChF,MAAM,GAAG,IAAI,CAAC;YACd,SAAS,EAAE,CAAC;QACd,CAAC;QACD,IACE,MAAM;YACN,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC;gBACtB,6EAA6E,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAC3F,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACtB,CAAC;QACD,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YACrF,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YAChD,SAAS,IAAI,KAAK,GAAG,MAAM,CAAC;YAC5B,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;gBACnB,MAAM,GAAG,KAAK,CAAC;gBACf,SAAS,GAAG,CAAC,CAAC;YAChB,CAAC;QACH,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,4BAA4B;YACnC,WAAW,EAAE,SAAS,OAAO,CAAC,MAAM,mJAAmJ;YACvL,WAAW,EAAE,OAAO;YACpB,cAAc,EACZ,gIAAgI;YAClI,SAAS,EAAE,8CAA8C;YACzD,YAAY,EACV,2IAA2I;YAC7I,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,wBAAwB;IACxB,MAAM,eAAe,GACnB,gHAAgH,CAAC,IAAI,CACnH,IAAI,CACL,CAAC;IACJ,MAAM,UAAU,GAAG,iFAAiF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChH,IAAI,eAAe,IAAI,CAAC,UAAU,EAAE,CAAC;QACnC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EACT,kJAAkJ;YACpJ,cAAc,EACZ,uJAAuJ;YACzJ,SAAS,EAAE,4CAA4C;YACvD,YAAY,EACV,mKAAmK;YACrK,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,yCAAyC;IACzC,MAAM,aAAa,GAAG,wFAAwF,CAAC;IAC/G,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;IACxD,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,gDAAgD;YACvD,WAAW,EAAE,SAAS,WAAW,CAAC,MAAM,8GAA8G;YACtJ,WAAW,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YACpC,cAAc,EACZ,wIAAwI;YAC1I,SAAS,EAAE,+BAA+B;YAC1C,YAAY,EACV,mJAAmJ;YACrJ,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,MAAM,YAAY,GAAG,iEAAiE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClG,MAAM,eAAe,GAAG,sEAAsE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1G,IAAI,YAAY,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACrE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,6CAA6C;YACpD,WAAW,EACT,sJAAsJ;YACxJ,cAAc,EACZ,wHAAwH;YAC1H,SAAS,EAAE,uDAAuD;YAClE,YAAY,EACV,yJAAyJ;YAC3J,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,+BAA+B;IAC/B,MAAM,iBAAiB,GAAG,4DAA4D,CAAC;IACvF,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAChE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,sCAAsC;YAC7C,WAAW,EACT,mJAAmJ;YACrJ,WAAW,EAAE,eAAe;YAC5B,cAAc,EACZ,6IAA6I;YAC/I,SAAS,EAAE,kDAAkD;YAC7D,YAAY,EACV,6GAA6G;YAC/G,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,2CAA2C;IAC3C,MAAM,oBAAoB,GAAG,mEAAmE,CAAC;IACjG,MAAM,kBAAkB,GAAG,cAAc,CAAC,IAAI,EAAE,oBAAoB,CAAC,CAAC;IACtE,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,gDAAgD;YACvD,WAAW,EAAE,SAAS,kBAAkB,CAAC,MAAM,kJAAkJ;YACjM,WAAW,EAAE,kBAAkB;YAC/B,cAAc,EACZ,wKAAwK;YAC1K,SAAS,EAAE,qDAAqD;YAChE,YAAY,EACV,2HAA2H;YAC7H,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,uBAAuB;IACvB,MAAM,aAAa,GACjB,sJAAsJ,CAAC,IAAI,CACzJ,IAAI,CACL,CAAC;IACJ,MAAM,gBAAgB,GAAG,2DAA2D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChG,IAAI,gBAAgB,IAAI,CAAC,aAAa,EAAE,CAAC;QACvC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,0CAA0C;YACjD,WAAW,EACT,2JAA2J;YAC7J,cAAc,EACZ,0IAA0I;YAC5I,SAAS,EAAE,kEAAkE;YAC7E,YAAY,EACV,uJAAuJ;YACzJ,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,qCAAqC;IACrC,MAAM,cAAc,GAAG,gDAAgD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnF,MAAM,YAAY,GAAG,mEAAmE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpG,IAAI,cAAc,IAAI,CAAC,YAAY,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9D,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,qDAAqD;YAC5D,WAAW,EACT,iKAAiK;YACnK,cAAc,EACZ,kIAAkI;YACpI,SAAS,EAAE,oDAAoD;YAC/D,YAAY,EACV,qJAAqJ;YACvJ,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,4CAA4C;IAC5C,MAAM,iBAAiB,GAAG,iDAAiD,CAAC;IAC5E,MAAM,eAAe,GAAG,cAAc,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;IAChE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,oDAAoD;YAC3D,WAAW,EACT,oIAAoI;YACtI,WAAW,EAAE,eAAe;YAC5B,cAAc,EACZ,yJAAyJ;YAC3J,SAAS,EAAE,uDAAuD;YAClE,YAAY,EACV,uIAAuI;YACzI,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/evaluators/dependencies.d.ts

@@ -0,0 +1,6 @@
+import type { DependencyVerdict } from "../types.js";
+/**
+ * Parse a manifest file and analyze dependencies for supply-chain risks.
+ */
+export declare function analyzeDependencies(manifest: string, manifestType: string): DependencyVerdict;
+//# sourceMappingURL=dependencies.d.ts.map

package/dist/evaluators/dependencies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.d.ts","sourceRoot":"","sources":["../../src/evaluators/dependencies.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,iBAAiB,EAA4B,MAAM,aAAa,CAAC;AAG/E;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,iBAAiB,CA2M7F"}

package/dist/evaluators/dependencies.js

@@ -0,0 +1,204 @@
+// ─── Dependency / Supply-chain Analysis ───────────────────────────────────────
+// Parses manifest files (package.json, requirements.txt, Cargo.toml, etc.)
+// and detects supply-chain risks such as unpinned versions, typosquatting,
+// and misclassified dev dependencies.
+// ──────────────────────────────────────────────────────────────────────────────
+import { calculateScore, deriveVerdict } from "./shared.js";
+/**
+ * Parse a manifest file and analyze dependencies for supply-chain risks.
+ */
+export function analyzeDependencies(manifest, manifestType) {
+    const dependencies = [];
+    const findings = [];
+    let ruleNum = 1;
+    const prefix = "SUPPLY";
+    // Parse manifest based on type
+    if (manifestType === "package.json") {
+        try {
+            const pkg = JSON.parse(manifest);
+            for (const [name, version] of Object.entries(pkg.dependencies ?? {})) {
+                dependencies.push({
+                    name,
+                    version: String(version),
+                    isDev: false,
+                    source: manifestType,
+                });
+            }
+            for (const [name, version] of Object.entries(pkg.devDependencies ?? {})) {
+                dependencies.push({
+                    name,
+                    version: String(version),
+                    isDev: true,
+                    source: manifestType,
+                });
+            }
+        }
+        catch {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+                severity: "high",
+                title: "Invalid package.json",
+                description: "Failed to parse package.json. The file may be malformed.",
+                recommendation: "Validate and fix the JSON structure.",
+            });
+        }
+    }
+    else if (manifestType === "requirements.txt") {
+        for (const line of manifest.split("\n")) {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith("#"))
+                continue;
+            const match = trimmed.match(/^([a-zA-Z0-9_-]+)\s*(?:[>=<~!]+\s*(.+))?$/);
+            if (match) {
+                dependencies.push({
+                    name: match[1],
+                    version: match[2] ?? "*",
+                    isDev: false,
+                    source: manifestType,
+                });
+            }
+        }
+    }
+    else if (manifestType === "Cargo.toml") {
+        // Match [dependencies] section up to the next [section] header or EOF
+        const depSection = manifest.match(/\[dependencies\]\s*\n([\s\S]*?)(?=\n\s*\[|\s*$)/)?.[1];
+        if (depSection) {
+            for (const line of depSection.split("\n")) {
+                // Simple: name = "version"
+                const simple = line.match(/^(\w[\w-]*)\s*=\s*"([^"]+)"/);
+                if (simple) {
+                    dependencies.push({
+                        name: simple[1],
+                        version: simple[2],
+                        isDev: false,
+                        source: manifestType,
+                    });
+                    continue;
+                }
+                // Inline table: name = { version = "...", ... }
+                const table = line.match(/^(\w[\w-]*)\s*=\s*\{[^}]*version\s*=\s*"([^"]+)"/);
+                if (table) {
+                    dependencies.push({
+                        name: table[1],
+                        version: table[2],
+                        isDev: false,
+                        source: manifestType,
+                    });
+                }
+            }
+        }
+    }
+    else if (manifestType === "go.mod") {
+        for (const line of manifest.split("\n")) {
+            const match = line.trim().match(/^([\w./\-@]+)\s+(v[\d.]+(?:-[\w.]+)?)/);
+            if (match) {
+                dependencies.push({
+                    name: match[1],
+                    version: match[2],
+                    isDev: false,
+                    source: manifestType,
+                });
+            }
+        }
+    }
+    else if (manifestType === "pom.xml") {
+        const depRegex = /<dependency>[\s\S]*?<groupId>([^<]+)<\/groupId>[\s\S]*?<artifactId>([^<]+)<\/artifactId>[\s\S]*?(?:<version>([^<]*)<\/version>)?[\s\S]*?<\/dependency>/g;
+        let m;
+        while ((m = depRegex.exec(manifest)) !== null) {
+            dependencies.push({
+                name: `${m[1]}:${m[2]}`,
+                version: m[3] ?? "managed",
+                isDev: false,
+                source: manifestType,
+            });
+        }
+    }
+    else if (manifestType === "csproj") {
+        const pkgRegex = /<PackageReference\s+Include="([^"]+)"\s+Version="([^"]*)"/g;
+        let m;
+        while ((m = pkgRegex.exec(manifest)) !== null) {
+            dependencies.push({
+                name: m[1],
+                version: m[2],
+                isDev: false,
+                source: manifestType,
+            });
+        }
+    }
+    // Supply-chain analysis rules
+    // Wildcard / unpinned versions
+    const unpinned = dependencies.filter((d) => d.version === "*" ||
+        d.version === "latest" ||
+        /^\^/.test(d.version) ||
+        /^~/.test(d.version) ||
+        />=/.test(d.version));
+    if (unpinned.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "Unpinned dependency versions",
+            description: `${unpinned.length} dependencies use unpinned/loose version ranges: ${unpinned
+                .slice(0, 5)
+                .map((d) => `${d.name}@${d.version}`)
+                .join(", ")}. This can lead to unexpected breaking changes and supply-chain attacks.`,
+            recommendation: "Pin dependencies to exact versions or use a lockfile (package-lock.json, Cargo.lock, go.sum).",
+            reference: "Supply Chain Security Best Practices",
+        });
+    }
+    // Too many dependencies
+    if (dependencies.filter((d) => !d.isDev).length > 50) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "low",
+            title: "Large number of production dependencies",
+            description: `${dependencies.filter((d) => !d.isDev).length} production dependencies detected. Each dependency increases attack surface and maintenance burden.`,
+            recommendation: "Audit dependencies regularly. Remove unused packages. Consider inlining small utilities.",
+            reference: "Dependency Minimization Best Practices",
+        });
+    }
+    // Known risky package name patterns (typosquatting indicators)
+    const knownPrefixes = ["lodash", "express", "react", "vue", "angular", "axios", "moment"];
+    const suspicious = dependencies.filter((d) => knownPrefixes.some((p) => d.name !== p && d.name.startsWith(p) && d.name.length <= p.length + 3));
+    if (suspicious.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "high",
+            title: "Potentially typosquatted package names",
+            description: `Suspicious package names detected that are similar to popular packages: ${suspicious.map((d) => d.name).join(", ")}. These may be typosquatting attempts.`,
+            recommendation: "Verify these package names are intentional and not typos of well-known packages.",
+            reference: "NPM Typosquatting / Supply Chain Attacks",
+        });
+    }
+    // Dev dependencies in production flag
+    const devInProd = dependencies.filter((d) => !d.isDev && /test|jest|mocha|chai|sinon|eslint|prettier|typescript|ts-node|nodemon/i.test(d.name));
+    if (devInProd.length > 0) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+            severity: "medium",
+            title: "Development tools in production dependencies",
+            description: `The following look like dev tools but are listed as production dependencies: ${devInProd.map((d) => d.name).join(", ")}. This inflates deployment size and attack surface.`,
+            recommendation: "Move development tools to devDependencies (or equivalent dev scope).",
+        });
+    }
+    // No lockfile hint
+    if (manifestType === "package.json" && !manifest.includes("lockfileVersion")) {
+        findings.push({
+            ruleId: `${prefix}-${String(ruleNum).padStart(3, "0")}`,
+            severity: "info",
+            title: "Reminder: ensure a lockfile is committed",
+            description: "This analysis is based on the manifest. Ensure a lockfile (package-lock.json, yarn.lock) is committed for reproducible builds.",
+            recommendation: "Commit your lockfile to version control. Run npm ci in CI/CD instead of npm install.",
+        });
+    }
+    const score = calculateScore(findings);
+    const verdict = deriveVerdict(findings, score);
+    return {
+        totalDependencies: dependencies.length,
+        findings,
+        dependencies,
+        score,
+        verdict,
+        summary: `Dependency analysis: ${dependencies.length} dependencies, ${findings.length} findings, score ${score}/100 — ${verdict.toUpperCase()}`,
+    };
+}
+//# sourceMappingURL=dependencies.js.map

package/dist/evaluators/dependencies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.js","sourceRoot":"","sources":["../../src/evaluators/dependencies.ts"],"names":[],"mappings":"AAAA,iFAAiF;AACjF,2EAA2E;AAC3E,2EAA2E;AAC3E,sCAAsC;AACtC,iFAAiF;AAGjF,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5D;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB,EAAE,YAAoB;IACxE,MAAM,YAAY,GAAsB,EAAE,CAAC;IAC3C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,QAAQ,CAAC;IAExB,+BAA+B;IAC/B,IAAI,YAAY,KAAK,cAAc,EAAE,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACjC,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC,EAAE,CAAC;gBACrE,YAAY,CAAC,IAAI,CAAC;oBAChB,IAAI;oBACJ,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC;oBACxB,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,YAAY;iBACrB,CAAC,CAAC;YACL,CAAC;YACD,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC,EAAE,CAAC;gBACxE,YAAY,CAAC,IAAI,CAAC;oBAChB,IAAI;oBACJ,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC;oBACxB,KAAK,EAAE,IAAI;oBACX,MAAM,EAAE,YAAY;iBACrB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACzD,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,sBAAsB;gBAC7B,WAAW,EAAE,0DAA0D;gBACvE,cAAc,EAAE,sCAAsC;aACvD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;SAAM,IAAI,YAAY,KAAK,kBAAkB,EAAE,CAAC;QAC/C,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACxC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;YACzE,IAAI,KAAK,EAAE,CAAC;gBACV,YAAY,CAAC,IAAI,CAAC;oBAChB,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;oBACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG;oBACxB,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,YAAY;iBACrB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IAAI,YAAY,KAAK,YAAY,EAAE,CAAC;QACzC,sEAAsE;QACtE,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,iDAAiD,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC1F,IAAI,UAAU,EAAE,CAAC;YACf,KAAK,MAAM,IAAI,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1C,2BAA2B;gBAC3B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBACzD,IAAI,MAAM,EAAE,CAAC;oBACX,YAAY,CAAC,IAAI,CAAC;wBAChB,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;wBACf,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;wBAClB,KAAK,EAAE,KAAK;wBACZ,MAAM,EAAE,YAAY;qBACrB,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;gBACD,gDAAgD;gBAChD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;gBAC7E,IAAI,KAAK,EAAE,CAAC;oBACV,YAAY,CAAC,IAAI,CAAC;wBAChB,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;wBACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;wBACjB,KAAK,EAAE,KAAK;wBACZ,MAAM,EAAE,YAAY;qBACrB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;QACrC,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YACzE,IAAI,KAAK,EAAE,CAAC;gBACV,YAAY,CAAC,IAAI,CAAC;oBAChB,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;oBACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;oBACjB,KAAK,EAAE,KAAK;oBACZ,MAAM,EAAE,YAAY;iBACrB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QACtC,MAAM,QAAQ,GACZ,yJAAyJ,CAAC;QAC5J,IAAI,CAAC,CAAC;QACN,OAAO,CAAC,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,YAAY,CAAC,IAAI,CAAC;gBAChB,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;gBACvB,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS;gBAC1B,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,YAAY;aACrB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;SAAM,IAAI,YAAY,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,4DAA4D,CAAC;QAC9E,IAAI,CAAC,CAAC;QACN,OAAO,CAAC,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,YAAY,CAAC,IAAI,CAAC;gBAChB,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBACV,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;gBACb,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,YAAY;aACrB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,YAAY,CAAC,MAAM,CAClC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,OAAO,KAAK,GAAG;QACjB,CAAC,CAAC,OAAO,KAAK,QAAQ;QACtB,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;QACrB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC;QACpB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CACvB,CAAC;IACF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,8BAA8B;YACrC,WAAW,EAAE,GAAG,QAAQ,CAAC,MAAM,oDAAoD,QAAQ;iBACxF,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;iBACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;iBACpC,IAAI,CAAC,IAAI,CAAC,0EAA0E;YACvF,cAAc,EAAE,+FAA+F;YAC/G,SAAS,EAAE,sCAAsC;SAClD,CAAC,CAAC;IACL,CAAC;IAED,wBAAwB;IACxB,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACrD,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,yCAAyC;YAChD,WAAW,EAAE,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,MAAM,qGAAqG;YAChK,cAAc,EAAE,0FAA0F;YAC1G,SAAS,EAAE,wCAAwC;SACpD,CAAC,CAAC;IACL,CAAC;IAED,+DAA+D;IAC/D,MAAM,aAAa,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1F,MAAM,UAAU,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAC3C,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CACjG,CAAC;IACF,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,2EAA2E,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,wCAAwC;YACxK,cAAc,EAAE,kFAAkF;YAClG,SAAS,EAAE,0CAA0C;SACtD,CAAC,CAAC;IACL,CAAC;IAED,sCAAsC;IACtC,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,wEAAwE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CACzG,CAAC;IACF,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,8CAA8C;YACrD,WAAW,EAAE,gFAAgF,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,qDAAqD;YACzL,cAAc,EAAE,sEAAsE;SACvF,CAAC,CAAC;IACL,CAAC;IAED,mBAAmB;IACnB,IAAI,YAAY,KAAK,cAAc,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC7E,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACvD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,0CAA0C;YACjD,WAAW,EACT,gIAAgI;YAClI,cAAc,EAAE,sFAAsF;SACvG,CAAC,CAAC;IACL,CAAC;IAED,MAAM,KAAK,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAE/C,OAAO;QACL,iBAAiB,EAAE,YAAY,CAAC,MAAM;QACtC,QAAQ;QACR,YAAY;QACZ,KAAK;QACL,OAAO;QACP,OAAO,EAAE,wBAAwB,YAAY,CAAC,MAAM,kBAAkB,QAAQ,CAAC,MAAM,oBAAoB,KAAK,UAAU,OAAO,CAAC,WAAW,EAAE,EAAE;KAChJ,CAAC;AACJ,CAAC"}

package/dist/evaluators/dependency-health.d.ts

@@ -1,3 +1,3 @@
-import { Finding } from "../types.js";
+import type { Finding } from "../types.js";
 export declare function analyzeDependencyHealth(code: string, language: string): Finding[];
 //# sourceMappingURL=dependency-health.d.ts.map

package/dist/evaluators/dependency-health.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dependency-health.d.ts","sourceRoot":"","sources":["../../src/evaluators/dependency-health.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAItC,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CA+MjF"}
+{"version":3,"file":"dependency-health.d.ts","sourceRoot":"","sources":["../../src/evaluators/dependency-health.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAI3C,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAggBjF"}