npm - @matthesketh/fleet - Versions diffs - 1.0.0 → 1.2.0 - Mend

@matthesketh/fleet 1.0.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/README.md +27 -4
package/dist/cli.js +8 -0
package/dist/commands/deps.d.ts +1 -0
package/dist/commands/deps.js +223 -0
package/dist/commands/motd.d.ts +1 -0
package/dist/commands/motd.js +10 -0
package/dist/core/deps/actors/pr-creator.d.ts +14 -0
package/dist/core/deps/actors/pr-creator.js +103 -0
package/dist/core/deps/cache.d.ts +5 -0
package/dist/core/deps/cache.js +28 -0
package/dist/core/deps/collectors/composer.d.ts +12 -0
package/dist/core/deps/collectors/composer.js +70 -0
package/dist/core/deps/collectors/docker-image.d.ts +18 -0
package/dist/core/deps/collectors/docker-image.js +132 -0
package/dist/core/deps/collectors/docker-running.d.ts +17 -0
package/dist/core/deps/collectors/docker-running.js +55 -0
package/dist/core/deps/collectors/eol.d.ts +16 -0
package/dist/core/deps/collectors/eol.js +139 -0
package/dist/core/deps/collectors/github-pr.d.ts +8 -0
package/dist/core/deps/collectors/github-pr.js +40 -0
package/dist/core/deps/collectors/npm.d.ts +12 -0
package/dist/core/deps/collectors/npm.js +63 -0
package/dist/core/deps/collectors/pip.d.ts +15 -0
package/dist/core/deps/collectors/pip.js +94 -0
package/dist/core/deps/collectors/vulnerability.d.ts +9 -0
package/dist/core/deps/collectors/vulnerability.js +102 -0
package/dist/core/deps/config.d.ts +6 -0
package/dist/core/deps/config.js +55 -0
package/dist/core/deps/reporters/cli.d.ts +4 -0
package/dist/core/deps/reporters/cli.js +123 -0
package/dist/core/deps/reporters/motd.d.ts +3 -0
package/dist/core/deps/reporters/motd.js +64 -0
package/dist/core/deps/reporters/telegram.d.ts +6 -0
package/dist/core/deps/reporters/telegram.js +106 -0
package/dist/core/deps/scanner.d.ts +4 -0
package/dist/core/deps/scanner.js +89 -0
package/dist/core/deps/severity.d.ts +6 -0
package/dist/core/deps/severity.js +45 -0
package/dist/core/deps/types.d.ts +64 -0
package/dist/core/deps/types.js +1 -0
package/dist/mcp/deps-tools.d.ts +2 -0
package/dist/mcp/deps-tools.js +81 -0
package/dist/mcp/server.js +2 -0
package/dist/templates/motd.d.ts +1 -0
package/dist/templates/motd.js +7 -0
package/dist/tui/components/AppList.js +1 -1
package/dist/tui/components/Confirm.js +3 -4
package/dist/tui/components/Header.js +37 -8
package/dist/tui/components/KeyHint.js +4 -5
package/dist/tui/hooks/use-terminal-size.d.ts +1 -0
package/dist/tui/hooks/use-terminal-size.js +1 -0
package/dist/tui/router.js +81 -9
package/dist/tui/state.js +15 -0
package/dist/tui/tests/flicker.test.d.ts +1 -0
package/dist/tui/tests/flicker.test.js +105 -0
package/dist/tui/tests/keyboard-integration.test.d.ts +1 -0
package/dist/tui/tests/keyboard-integration.test.js +117 -0
package/dist/tui/tests/test-app.d.ts +4 -0
package/dist/tui/tests/test-app.js +79 -0
package/dist/tui/types.d.ts +13 -0
package/dist/tui/views/AppDetail.js +41 -26
package/dist/tui/views/Dashboard.js +34 -9
package/dist/tui/views/HealthView.js +36 -12
package/dist/tui/views/LogsView.js +14 -9
package/dist/tui/views/SecretEdit.js +8 -4
package/dist/tui/views/SecretsView.js +49 -36
package/package.json +17 -1

package/dist/core/deps/collectors/docker-image.js ADDED Viewed

@@ -0,0 +1,132 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { severityFromVersionDelta } from '../severity.js';
+export class DockerImageCollector {
+    overrides;
+    type = 'docker-image';
+    constructor(overrides) {
+        this.overrides = overrides;
+    }
+    detect(appPath) {
+        return (existsSync(join(appPath, 'Dockerfile')) ||
+            existsSync(join(appPath, 'docker-compose.yml')) ||
+            existsSync(join(appPath, 'docker-compose.yaml')));
+    }
+    async collect(app) {
+        const images = new Map();
+        const dockerfilePath = join(app.composePath, 'Dockerfile');
+        if (existsSync(dockerfilePath)) {
+            for (const img of this.parseDockerfile(readFileSync(dockerfilePath, 'utf-8'))) {
+                images.set(`${img.image}:${img.tag}`, img);
+            }
+        }
+        const composeFile = app.composeFile ?? 'docker-compose.yml';
+        const composePath = join(app.composePath, composeFile);
+        if (existsSync(composePath)) {
+            for (const img of this.parseComposeImages(readFileSync(composePath, 'utf-8'))) {
+                images.set(`${img.image}:${img.tag}`, img);
+            }
+        }
+        const composeYaml = join(app.composePath, 'docker-compose.yaml');
+        if (!existsSync(composePath) && existsSync(composeYaml)) {
+            for (const img of this.parseComposeImages(readFileSync(composeYaml, 'utf-8'))) {
+                images.set(`${img.image}:${img.tag}`, img);
+            }
+        }
+        const findings = [];
+        const results = await Promise.allSettled(Array.from(images.values()).map(img => this.checkImage(app.name, img)));
+        for (const result of results) {
+            if (result.status === 'fulfilled' && result.value) {
+                findings.push(result.value);
+            }
+        }
+        return findings;
+    }
+    parseDockerfile(content) {
+        const images = [];
+        for (const line of content.split('\n')) {
+            const match = line.match(/^FROM\s+(\S+?)(?::(\S+?))?(?:\s+AS\s+\S+)?$/i);
+            if (match) {
+                images.push({ image: match[1], tag: match[2] ?? 'latest' });
+            }
+        }
+        return images;
+    }
+    parseComposeImages(content) {
+        const images = [];
+        for (const line of content.split('\n')) {
+            const match = line.match(/^\s+image:\s*['"]?(\S+?)(?::(\S+?))?['"]?\s*$/);
+            if (match) {
+                images.push({ image: match[1], tag: match[2] ?? 'latest' });
+            }
+        }
+        return images;
+    }
+    async checkImage(appName, img) {
+        const tagVersion = img.tag.match(/^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/);
+        if (!tagVersion)
+            return null;
+        // only check docker hub library images for now
+        const isLibrary = !img.image.includes('/') || img.image.startsWith('library/');
+        if (img.image.includes('.') && !img.image.startsWith('docker.io'))
+            return null;
+        const namespace = isLibrary ? 'library' : img.image.split('/').slice(0, -1).join('/');
+        const repo = isLibrary ? img.image.replace('library/', '') : img.image.split('/').pop();
+        try {
+            const res = await fetch(`https://hub.docker.com/v2/repositories/${namespace}/${repo}/tags?page_size=50&ordering=last_updated`);
+            if (!res.ok)
+                return null;
+            const data = await res.json();
+            const suffix = img.tag.replace(/^v?\d+(?:\.\d+)*/, '');
+            const semverTags = data.results
+                .map(t => t.name)
+                .filter(name => {
+                if (suffix && !name.endsWith(suffix))
+                    return false;
+                return /^v?\d+\.\d+/.test(name);
+            })
+                .sort((a, b) => {
+                const av = a.replace(/^v/, '').replace(suffix, '');
+                const bv = b.replace(/^v/, '').replace(suffix, '');
+                return compareVersions(bv, av);
+            });
+            if (semverTags.length === 0)
+                return null;
+            const latestTag = semverTags[0];
+            const currentClean = img.tag.replace(suffix, '').replace(/^v/, '');
+            const latestClean = latestTag.replace(suffix, '').replace(/^v/, '');
+            if (currentClean === latestClean)
+                return null;
+            const severity = severityFromVersionDelta(currentClean, latestClean, this.overrides);
+            if (severity === 'info')
+                return null;
+            return {
+                appName,
+                source: 'docker-image',
+                severity,
+                category: 'image-update',
+                title: `${img.image}:${img.tag} -> ${latestTag}`,
+                detail: `Docker image ${img.image} has newer tag ${latestTag} available`,
+                package: img.image,
+                currentVersion: img.tag,
+                latestVersion: latestTag,
+                fixable: true,
+                updatedAt: new Date().toISOString(),
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+}
+function compareVersions(a, b) {
+    const pa = a.split('.').map(Number);
+    const pb = b.split('.').map(Number);
+    for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
+        const va = pa[i] ?? 0;
+        const vb = pb[i] ?? 0;
+        if (va !== vb)
+            return va - vb;
+    }
+    return 0;
+}

package/dist/core/deps/collectors/docker-running.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import type { AppEntry } from '../../registry.js';
+import type { Collector, Finding, DepsConfig } from '../types.js';
+type SeverityOverrides = DepsConfig['severityOverrides'];
+interface InspectResult {
+    image: string;
+    tag: string;
+    digest: string;
+}
+export declare class DockerRunningCollector implements Collector {
+    private _overrides;
+    type: "docker-running";
+    constructor(_overrides: SeverityOverrides);
+    detect(_appPath: string, app?: AppEntry): boolean;
+    collect(app: AppEntry): Promise<Finding[]>;
+    parseInspectOutput(json: string): InspectResult | null;
+}
+export {};

package/dist/core/deps/collectors/docker-running.js ADDED Viewed

@@ -0,0 +1,55 @@
+import { exec } from '../../exec.js';
+export class DockerRunningCollector {
+    _overrides;
+    type = 'docker-running';
+    constructor(_overrides) {
+        this._overrides = _overrides;
+    }
+    detect(_appPath, app) {
+        return (app?.containers?.length ?? 0) > 0;
+    }
+    async collect(app) {
+        const findings = [];
+        for (const container of app.containers) {
+            const result = exec(`docker inspect ${container}`, { timeout: 10_000 });
+            if (!result.ok)
+                continue;
+            const info = this.parseInspectOutput(result.stdout);
+            if (!info)
+                continue;
+            // check if running image differs from what compose/dockerfile specifies
+            // this is drift detection — the container is running but may be stale
+            const tagVersion = info.tag.match(/^v?(\d+)(?:\.(\d+))?/);
+            if (!tagVersion)
+                continue;
+            findings.push({
+                appName: app.name,
+                source: 'docker-running',
+                severity: 'info',
+                category: 'image-update',
+                title: `${container} running ${info.image}:${info.tag}`,
+                detail: `Container ${container} is running image ${info.image}:${info.tag} (digest: ${info.digest.slice(0, 19)})`,
+                package: info.image,
+                currentVersion: info.tag,
+                fixable: false,
+                updatedAt: new Date().toISOString(),
+            });
+        }
+        return findings;
+    }
+    parseInspectOutput(json) {
+        try {
+            const data = JSON.parse(json);
+            if (!data[0])
+                return null;
+            const imageStr = data[0].Config.Image;
+            const parts = imageStr.split(':');
+            const tag = parts.length > 1 ? parts.pop() : 'latest';
+            const image = parts.join(':');
+            return { image, tag, digest: data[0].Image };
+        }
+        catch {
+            return null;
+        }
+    }
+}

package/dist/core/deps/collectors/eol.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import type { AppEntry } from '../../registry.js';
+import type { Collector, Finding } from '../types.js';
+interface RuntimeRef {
+    product: string;
+    version: string;
+}
+export declare class EolCollector implements Collector {
+    private warningDays;
+    type: "eol";
+    constructor(warningDays: number);
+    detect(appPath: string): boolean;
+    collect(app: AppEntry): Promise<Finding[]>;
+    detectRuntimes(appPath: string): RuntimeRef[];
+    private checkEol;
+}
+export {};

package/dist/core/deps/collectors/eol.js ADDED Viewed

@@ -0,0 +1,139 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { severityFromEol } from '../severity.js';
+export class EolCollector {
+    warningDays;
+    type = 'eol';
+    constructor(warningDays) {
+        this.warningDays = warningDays;
+    }
+    detect(appPath) {
+        return this.detectRuntimes(appPath).length > 0;
+    }
+    async collect(app) {
+        const runtimes = this.detectRuntimes(app.composePath);
+        const findings = [];
+        const results = await Promise.allSettled(runtimes.map(rt => this.checkEol(app.name, rt)));
+        for (const result of results) {
+            if (result.status === 'fulfilled' && result.value) {
+                findings.push(result.value);
+            }
+        }
+        return findings;
+    }
+    detectRuntimes(appPath) {
+        const runtimes = [];
+        // node from package.json engines
+        const pkgPath = join(appPath, 'package.json');
+        if (existsSync(pkgPath)) {
+            try {
+                const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+                const nodeEngine = pkg.engines?.node;
+                if (nodeEngine) {
+                    const ver = nodeEngine.match(/(\d+)/);
+                    if (ver)
+                        runtimes.push({ product: 'node', version: ver[1] });
+                }
+            }
+            catch { /* skip */ }
+        }
+        // node from .nvmrc
+        const nvmrcPath = join(appPath, '.nvmrc');
+        if (existsSync(nvmrcPath)) {
+            const ver = readFileSync(nvmrcPath, 'utf-8').trim().match(/(\d+)/);
+            if (ver && !runtimes.some(r => r.product === 'node')) {
+                runtimes.push({ product: 'node', version: ver[1] });
+            }
+        }
+        // php from composer.json
+        const composerPath = join(appPath, 'composer.json');
+        if (existsSync(composerPath)) {
+            try {
+                const composer = JSON.parse(readFileSync(composerPath, 'utf-8'));
+                const phpReq = composer.require?.php;
+                if (phpReq) {
+                    const ver = phpReq.match(/(\d+\.\d+)/);
+                    if (ver)
+                        runtimes.push({ product: 'php', version: ver[1] });
+                }
+            }
+            catch { /* skip */ }
+        }
+        // python from pyproject.toml
+        const pyprojectPath = join(appPath, 'pyproject.toml');
+        if (existsSync(pyprojectPath)) {
+            try {
+                const content = readFileSync(pyprojectPath, 'utf-8');
+                const ver = content.match(/requires-python\s*=\s*">=?(\d+\.\d+)"/);
+                if (ver)
+                    runtimes.push({ product: 'python', version: ver[1] });
+            }
+            catch { /* skip */ }
+        }
+        // runtimes from dockerfile FROM lines
+        const dockerfilePath = join(appPath, 'Dockerfile');
+        if (existsSync(dockerfilePath)) {
+            try {
+                const content = readFileSync(dockerfilePath, 'utf-8');
+                for (const line of content.split('\n')) {
+                    const match = line.match(/^FROM\s+(node|php|python):(\d+(?:\.\d+)?)/i);
+                    if (match) {
+                        const product = match[1].toLowerCase();
+                        if (!runtimes.some(r => r.product === product)) {
+                            runtimes.push({ product, version: match[2] });
+                        }
+                    }
+                }
+            }
+            catch { /* skip */ }
+        }
+        return runtimes;
+    }
+    async checkEol(appName, rt) {
+        try {
+            const res = await fetch(`https://endoflife.date/api/${rt.product}/${rt.version}.json`);
+            if (!res.ok)
+                return null;
+            const data = await res.json();
+            if (typeof data.eol === 'boolean') {
+                if (data.eol) {
+                    return {
+                        appName,
+                        source: 'eol',
+                        severity: 'critical',
+                        category: 'eol-warning',
+                        title: `${rt.product} ${rt.version} is end-of-life`,
+                        detail: `${rt.product} ${rt.version} has reached end of life and no longer receives updates`,
+                        package: rt.product,
+                        currentVersion: rt.version,
+                        fixable: false,
+                        updatedAt: new Date().toISOString(),
+                    };
+                }
+                return null;
+            }
+            const severity = severityFromEol(data.eol, this.warningDays);
+            if (severity === 'info')
+                return null;
+            const daysUntil = Math.ceil((new Date(data.eol).getTime() - Date.now()) / (24 * 60 * 60 * 1000));
+            return {
+                appName,
+                source: 'eol',
+                severity,
+                category: 'eol-warning',
+                title: daysUntil <= 0
+                    ? `${rt.product} ${rt.version} is end-of-life`
+                    : `${rt.product} ${rt.version} EOL in ${daysUntil} days`,
+                detail: `${rt.product} ${rt.version} reaches end of life on ${data.eol}`,
+                eolDate: data.eol,
+                package: rt.product,
+                currentVersion: rt.version,
+                fixable: false,
+                updatedAt: new Date().toISOString(),
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+}

package/dist/core/deps/collectors/github-pr.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import type { AppEntry } from '../../registry.js';
+import type { Collector, Finding } from '../types.js';
+export declare class GitHubPrCollector implements Collector {
+    type: "github-pr";
+    detect(_appPath: string, app?: AppEntry): boolean;
+    collect(app: AppEntry): Promise<Finding[]>;
+    private isDependencyPr;
+}

package/dist/core/deps/collectors/github-pr.js ADDED Viewed

@@ -0,0 +1,40 @@
+import { exec } from '../../exec.js';
+export class GitHubPrCollector {
+    type = 'github-pr';
+    detect(_appPath, app) {
+        return !!app?.gitRepo;
+    }
+    async collect(app) {
+        if (!app.gitRepo)
+            return [];
+        const result = exec(`gh pr list --repo ${app.gitRepo} --state open --json number,title,url,labels --limit 50`, { timeout: 15_000 });
+        if (!result.ok)
+            return [];
+        try {
+            const prs = JSON.parse(result.stdout);
+            return prs
+                .filter(pr => this.isDependencyPr(pr))
+                .map(pr => ({
+                appName: app.name,
+                source: 'github-pr',
+                severity: 'info',
+                category: 'pending-pr',
+                title: `PR #${pr.number}: ${pr.title}`,
+                detail: `Open dependency PR: ${pr.url}`,
+                prUrl: pr.url,
+                fixable: false,
+                updatedAt: new Date().toISOString(),
+            }));
+        }
+        catch {
+            return [];
+        }
+    }
+    isDependencyPr(pr) {
+        const depLabels = ['dependencies', 'deps', 'renovate', 'dependabot'];
+        if (pr.labels.some(l => depLabels.includes(l.name.toLowerCase())))
+            return true;
+        const depPrefixes = ['chore(deps)', 'fix(deps)', 'deps/', 'build(deps)'];
+        return depPrefixes.some(prefix => pr.title.toLowerCase().startsWith(prefix));
+    }
+}

package/dist/core/deps/collectors/npm.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { AppEntry } from '../../registry.js';
+import type { Collector, Finding, DepsConfig } from '../types.js';
+type SeverityOverrides = DepsConfig['severityOverrides'];
+export declare class NpmCollector implements Collector {
+    private overrides;
+    type: "npm";
+    constructor(overrides: SeverityOverrides);
+    detect(appPath: string): boolean;
+    collect(app: AppEntry): Promise<Finding[]>;
+    private checkPackage;
+}
+export {};

package/dist/core/deps/collectors/npm.js ADDED Viewed

@@ -0,0 +1,63 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { severityFromVersionDelta } from '../severity.js';
+export class NpmCollector {
+    overrides;
+    type = 'npm';
+    constructor(overrides) {
+        this.overrides = overrides;
+    }
+    detect(appPath) {
+        return existsSync(join(appPath, 'package.json'));
+    }
+    async collect(app) {
+        const pkgPath = join(app.composePath, 'package.json');
+        if (!existsSync(pkgPath))
+            return [];
+        const raw = readFileSync(pkgPath, 'utf-8');
+        const pkg = JSON.parse(raw);
+        const allDeps = {
+            ...pkg.dependencies,
+            ...pkg.devDependencies,
+        };
+        const findings = [];
+        const results = await Promise.allSettled(Object.entries(allDeps).map(([name, version]) => this.checkPackage(app.name, name, version)));
+        for (const result of results) {
+            if (result.status === 'fulfilled' && result.value) {
+                findings.push(result.value);
+            }
+        }
+        return findings;
+    }
+    async checkPackage(appName, name, currentRaw) {
+        const current = currentRaw.replace(/^[\^~>=<]/, '');
+        try {
+            const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(name)}/latest`);
+            if (!res.ok)
+                return null;
+            const data = await res.json();
+            const latest = data.version;
+            if (current === latest)
+                return null;
+            const severity = severityFromVersionDelta(current, latest, this.overrides);
+            if (severity === 'info')
+                return null;
+            return {
+                appName,
+                source: 'npm',
+                severity,
+                category: 'outdated-dep',
+                title: `${name} ${current} -> ${latest}`,
+                detail: `npm package ${name} can be updated from ${current} to ${latest}`,
+                package: name,
+                currentVersion: current,
+                latestVersion: latest,
+                fixable: true,
+                updatedAt: new Date().toISOString(),
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+}

package/dist/core/deps/collectors/pip.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import type { AppEntry } from '../../registry.js';
+import type { Collector, Finding, DepsConfig } from '../types.js';
+type SeverityOverrides = DepsConfig['severityOverrides'];
+export declare class PipCollector implements Collector {
+    private overrides;
+    type: "pip";
+    constructor(overrides: SeverityOverrides);
+    detect(appPath: string): boolean;
+    collect(app: AppEntry): Promise<Finding[]>;
+    private parseDeps;
+    private parseRequirementsTxt;
+    private parsePyprojectToml;
+    private checkPackage;
+}
+export {};

package/dist/core/deps/collectors/pip.js ADDED Viewed

@@ -0,0 +1,94 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { severityFromVersionDelta } from '../severity.js';
+export class PipCollector {
+    overrides;
+    type = 'pip';
+    constructor(overrides) {
+        this.overrides = overrides;
+    }
+    detect(appPath) {
+        return (existsSync(join(appPath, 'requirements.txt')) ||
+            existsSync(join(appPath, 'pyproject.toml')));
+    }
+    async collect(app) {
+        const deps = this.parseDeps(app.composePath);
+        if (deps.length === 0)
+            return [];
+        const findings = [];
+        const results = await Promise.allSettled(deps.map(([name, version]) => this.checkPackage(app.name, name, version)));
+        for (const result of results) {
+            if (result.status === 'fulfilled' && result.value) {
+                findings.push(result.value);
+            }
+        }
+        return findings;
+    }
+    parseDeps(appPath) {
+        const reqPath = join(appPath, 'requirements.txt');
+        if (existsSync(reqPath)) {
+            return this.parseRequirementsTxt(readFileSync(reqPath, 'utf-8'));
+        }
+        const pyprojectPath = join(appPath, 'pyproject.toml');
+        if (existsSync(pyprojectPath)) {
+            return this.parsePyprojectToml(readFileSync(pyprojectPath, 'utf-8'));
+        }
+        return [];
+    }
+    parseRequirementsTxt(content) {
+        return content
+            .split('\n')
+            .map(line => line.trim())
+            .filter(line => line && !line.startsWith('#') && !line.startsWith('-'))
+            .map(line => {
+            const match = line.match(/^([a-zA-Z0-9_-]+)==([^\s;]+)/);
+            if (!match)
+                return null;
+            return [match[1], match[2]];
+        })
+            .filter((entry) => entry !== null);
+    }
+    parsePyprojectToml(content) {
+        const deps = [];
+        const depMatch = content.match(/dependencies\s*=\s*\[([\s\S]*?)\]/);
+        if (!depMatch)
+            return deps;
+        const lines = depMatch[1].split('\n');
+        for (const line of lines) {
+            const match = line.match(/"([a-zA-Z0-9_-]+)==([^"]+)"/);
+            if (match)
+                deps.push([match[1], match[2]]);
+        }
+        return deps;
+    }
+    async checkPackage(appName, name, current) {
+        try {
+            const res = await fetch(`https://pypi.org/pypi/${encodeURIComponent(name)}/json`);
+            if (!res.ok)
+                return null;
+            const data = await res.json();
+            const latest = data.info.version;
+            if (current === latest)
+                return null;
+            const severity = severityFromVersionDelta(current, latest, this.overrides);
+            if (severity === 'info')
+                return null;
+            return {
+                appName,
+                source: 'pip',
+                severity,
+                category: 'outdated-dep',
+                title: `${name} ${current} -> ${latest}`,
+                detail: `Python package ${name} can be updated from ${current} to ${latest}`,
+                package: name,
+                currentVersion: current,
+                latestVersion: latest,
+                fixable: true,
+                updatedAt: new Date().toISOString(),
+            };
+        }
+        catch {
+            return null;
+        }
+    }
+}

package/dist/core/deps/collectors/vulnerability.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+import type { AppEntry } from '../../registry.js';
+import type { Collector, Finding } from '../types.js';
+export declare class VulnerabilityCollector implements Collector {
+    type: "vulnerability";
+    detect(appPath: string): boolean;
+    collect(app: AppEntry): Promise<Finding[]>;
+    private extractPackages;
+    private queryOsv;
+}