@matthesketh/fleet 1.0.0 → 1.2.0

package/dist/core/deps/collectors/vulnerability.js

@@ -0,0 +1,102 @@
+import { readFileSync, existsSync } from 'node:fs';
+import { join } from 'node:path';
+import { severityFromCvss } from '../severity.js';
+export class VulnerabilityCollector {
+    type = 'vulnerability';
+    detect(appPath) {
+        return (existsSync(join(appPath, 'package.json')) ||
+            existsSync(join(appPath, 'composer.json')) ||
+            existsSync(join(appPath, 'requirements.txt')));
+    }
+    async collect(app) {
+        const packages = this.extractPackages(app.composePath);
+        if (packages.length === 0)
+            return [];
+        const findings = [];
+        const results = await Promise.allSettled(packages.map(pkg => this.queryOsv(app.name, pkg)));
+        for (const result of results) {
+            if (result.status === 'fulfilled') {
+                findings.push(...result.value);
+            }
+        }
+        return findings;
+    }
+    extractPackages(appPath) {
+        const packages = [];
+        const pkgPath = join(appPath, 'package.json');
+        if (existsSync(pkgPath)) {
+            try {
+                const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+                for (const [name, versionRaw] of Object.entries(pkg.dependencies ?? {})) {
+                    const version = versionRaw.replace(/^[\^~>=<]/, '');
+                    packages.push({ name, version, ecosystem: 'npm' });
+                }
+            }
+            catch { /* skip */ }
+        }
+        const composerPath = join(appPath, 'composer.json');
+        if (existsSync(composerPath)) {
+            try {
+                const composer = JSON.parse(readFileSync(composerPath, 'utf-8'));
+                for (const [name, versionRaw] of Object.entries(composer.require ?? {})) {
+                    if (name.startsWith('php') || name.startsWith('ext-'))
+                        continue;
+                    const version = versionRaw.replace(/^[\^~>=<*]/, '');
+                    packages.push({ name, version, ecosystem: 'Packagist' });
+                }
+            }
+            catch { /* skip */ }
+        }
+        const reqPath = join(appPath, 'requirements.txt');
+        if (existsSync(reqPath)) {
+            try {
+                const content = readFileSync(reqPath, 'utf-8');
+                for (const line of content.split('\n')) {
+                    const match = line.trim().match(/^([a-zA-Z0-9_-]+)==(.+)/);
+                    if (match)
+                        packages.push({ name: match[1], version: match[2], ecosystem: 'PyPI' });
+                }
+            }
+            catch { /* skip */ }
+        }
+        return packages;
+    }
+    async queryOsv(appName, pkg) {
+        try {
+            const res = await fetch('https://api.osv.dev/v1/query', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    version: pkg.version,
+                    package: { name: pkg.name, ecosystem: pkg.ecosystem },
+                }),
+            });
+            if (!res.ok)
+                return [];
+            const data = await res.json();
+            if (!data.vulns?.length)
+                return [];
+            return data.vulns.map(vuln => {
+                const cvssEntry = vuln.severity?.find(s => s.type === 'CVSS_V3');
+                const cvss = cvssEntry ? parseFloat(cvssEntry.score) : 5.0;
+                const severity = severityFromCvss(cvss);
+                return {
+                    appName,
+                    source: 'vulnerability',
+                    severity,
+                    category: 'vulnerability',
+                    title: `${pkg.name} ${pkg.version} — ${vuln.id}`,
+                    detail: vuln.summary ?? `Vulnerability ${vuln.id} in ${pkg.name}@${pkg.version}`,
+                    package: pkg.name,
+                    currentVersion: pkg.version,
+                    cveId: vuln.id,
+                    fixable: true,
+                    updatedAt: new Date().toISOString(),
+                };
+            });
+        }
+        catch {
+            return [];
+        }
+    }
+}

package/dist/core/deps/config.d.ts

@@ -0,0 +1,6 @@
+import type { DepsConfig } from './types.js';
+export declare function defaultConfig(): DepsConfig;
+export declare function mergeConfig(base: DepsConfig, overrides: Record<string, unknown>): DepsConfig;
+export declare function loadConfig(path?: string): DepsConfig;
+export declare function saveConfig(config: DepsConfig, path?: string): void;
+export declare function configPath(): string;

package/dist/core/deps/config.js

@@ -0,0 +1,55 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const DEFAULT_CONFIG_PATH = join(__dirname, '..', '..', '..', 'data', 'deps-config.json');
+export function defaultConfig() {
+    return {
+        scanIntervalHours: 6,
+        concurrency: 5,
+        notifications: {
+            telegram: {
+                enabled: true,
+                chatId: '',
+                minSeverity: 'info',
+            },
+        },
+        ignore: [],
+        severityOverrides: {
+            eolDaysWarning: 90,
+            majorVersionBehind: 'high',
+            minorVersionBehind: 'medium',
+            patchVersionBehind: 'low',
+        },
+    };
+}
+export function mergeConfig(base, overrides) {
+    const result = structuredClone(base);
+    for (const [key, value] of Object.entries(overrides)) {
+        if (value !== null && typeof value === 'object' && !Array.isArray(value) && key in result) {
+            const baseVal = result[key];
+            if (baseVal !== null && typeof baseVal === 'object' && !Array.isArray(baseVal)) {
+                result[key] = mergeConfig(baseVal, value);
+                continue;
+            }
+        }
+        result[key] = value;
+    }
+    return result;
+}
+export function loadConfig(path = DEFAULT_CONFIG_PATH) {
+    if (!existsSync(path))
+        return defaultConfig();
+    const raw = readFileSync(path, 'utf-8');
+    const parsed = JSON.parse(raw);
+    return mergeConfig(defaultConfig(), parsed);
+}
+export function saveConfig(config, path = DEFAULT_CONFIG_PATH) {
+    const dir = dirname(path);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    writeFileSync(path, JSON.stringify(config, null, 2) + '\n');
+}
+export function configPath() {
+    return DEFAULT_CONFIG_PATH;
+}

package/dist/core/deps/reporters/cli.d.ts

@@ -0,0 +1,4 @@
+import type { DepsCache, Finding, Severity } from '../types.js';
+export declare function severityIcon(severity: Severity): string;
+export declare function formatSummary(cache: DepsCache, appCount: number): string[];
+export declare function formatAppDetail(appName: string, findings: Finding[]): string[];

package/dist/core/deps/reporters/cli.js

@@ -0,0 +1,123 @@
+import { c, icon } from '../../../ui/output.js';
+const SEVERITY_ORDER = ['critical', 'high', 'medium', 'low', 'info'];
+export function severityIcon(severity) {
+    switch (severity) {
+        case 'critical': return icon.err;
+        case 'high': return icon.warn;
+        case 'medium': return `${c.yellow}~${c.reset}`;
+        case 'low': return `${c.dim}.${c.reset}`;
+        case 'info': return icon.info;
+    }
+}
+export function formatSummary(cache, appCount) {
+    const lines = [];
+    const ago = formatAge(cache.lastScan);
+    if (cache.findings.length === 0) {
+        lines.push(`${icon.ok} All ${appCount} apps are up to date (scanned ${ago})`);
+        return lines;
+    }
+    const byApp = new Map();
+    for (const f of cache.findings) {
+        const arr = byApp.get(f.appName) ?? [];
+        arr.push(f);
+        byApp.set(f.appName, arr);
+    }
+    const rows = [];
+    for (const [app, findings] of byApp) {
+        rows.push({ name: app, findings, counts: countBySeverity(findings) });
+    }
+    rows.sort((a, b) => severityWeight(b.findings) - severityWeight(a.findings));
+    lines.push(`${c.dim}${appCount} apps, scanned ${ago}${c.reset}`);
+    lines.push('');
+    const header = `  ${'APP'.padEnd(24)}  ${'SCORE'.padEnd(5)}  ${'CRIT'.padEnd(4)}  ${'HIGH'.padEnd(4)}  ${'MED'.padEnd(4)}  LOW`;
+    lines.push(`${c.bold}${header}${c.reset}`);
+    lines.push(`  ${c.dim}${'-'.repeat(56)}${c.reset}`);
+    for (const row of rows) {
+        const score = healthScore(row.findings);
+        const crit = row.counts.critical > 0 ? `${c.red}${row.counts.critical}${c.reset}` : `${c.dim}0${c.reset}`;
+        const high = row.counts.high > 0 ? `${c.yellow}${row.counts.high}${c.reset}` : `${c.dim}0${c.reset}`;
+        lines.push(`  ${c.bold}${row.name.padEnd(24)}${c.reset}  ${score}  ${padAnsi(crit, 4)}  ${padAnsi(high, 4)}  ${String(row.counts.medium).padEnd(4)}  ${row.counts.low}`);
+    }
+    const critical = cache.findings.filter(f => f.severity === 'critical');
+    const high = cache.findings.filter(f => f.severity === 'high');
+    if (critical.length > 0) {
+        lines.push('');
+        lines.push(`${c.red}${c.bold}Critical (${critical.length})${c.reset}`);
+        for (const f of critical) {
+            lines.push(`  ${icon.err} ${c.bold}${f.appName}${c.reset}: ${f.title}`);
+        }
+    }
+    if (high.length > 0) {
+        lines.push('');
+        lines.push(`${c.yellow}${c.bold}High (${high.length})${c.reset}`);
+        for (const f of high) {
+            lines.push(`  ${icon.warn} ${c.bold}${f.appName}${c.reset}: ${f.title}`);
+        }
+    }
+    return lines;
+}
+export function formatAppDetail(appName, findings) {
+    const lines = [];
+    for (const severity of SEVERITY_ORDER) {
+        const group = findings.filter(f => f.severity === severity);
+        if (group.length === 0)
+            continue;
+        lines.push('');
+        lines.push(`${c.bold}${severity.toUpperCase()} (${group.length})${c.reset}`);
+        for (const f of group) {
+            lines.push(`  ${severityIcon(f.severity)} ${f.title}`);
+            lines.push(`    ${c.dim}${f.detail}${c.reset}`);
+        }
+    }
+    if (findings.length === 0) {
+        lines.push(`${icon.ok} ${appName} is fully up to date`);
+    }
+    return lines;
+}
+function healthScore(findings) {
+    const weights = findings.reduce((sum, f) => {
+        switch (f.severity) {
+            case 'critical': return sum + 4;
+            case 'high': return sum + 3;
+            case 'medium': return sum + 2;
+            case 'low': return sum + 1;
+            default: return sum;
+        }
+    }, 0);
+    const score = Math.max(0, 5 - Math.ceil(weights / 4));
+    const filled = `${c.green}${'#'.repeat(score)}${c.reset}`;
+    const empty = `${c.dim}${'_'.repeat(5 - score)}${c.reset}`;
+    return filled + empty;
+}
+function countBySeverity(findings) {
+    const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+    for (const f of findings)
+        counts[f.severity]++;
+    return counts;
+}
+function severityWeight(findings) {
+    return findings.reduce((sum, f) => {
+        const w = { critical: 1000, high: 100, medium: 10, low: 1, info: 0 };
+        return sum + w[f.severity];
+    }, 0);
+}
+function formatAge(isoDate) {
+    const ms = Date.now() - new Date(isoDate).getTime();
+    const mins = Math.floor(ms / 60_000);
+    if (mins < 1)
+        return 'just now';
+    if (mins < 60)
+        return `${mins}m ago`;
+    const hours = Math.floor(mins / 60);
+    if (hours < 24)
+        return `${hours}h ago`;
+    return `${Math.floor(hours / 24)}d ago`;
+}
+function stripAnsi(str) {
+    return str.replace(/\x1b\[[0-9;]*m/g, '');
+}
+function padAnsi(str, width) {
+    const stripped = stripAnsi(str);
+    const pad = Math.max(0, width - stripped.length);
+    return str + ' '.repeat(pad);
+}

package/dist/core/deps/reporters/motd.d.ts

@@ -0,0 +1,3 @@
+import type { DepsCache } from '../types.js';
+export declare function formatMotd(cache: DepsCache, appCount: number): string;
+export declare function generateMotdScript(cachePath: string): string;

package/dist/core/deps/reporters/motd.js

@@ -0,0 +1,64 @@
+export function formatMotd(cache, appCount) {
+    const lines = [];
+    const ago = formatAge(cache.lastScan);
+    lines.push('-- Fleet Deps ' + '-'.repeat(40));
+    if (cache.findings.length === 0) {
+        lines.push(`  All ${appCount} apps up to date`);
+        lines.push(`  Last scan: ${ago} | Run: fleet deps`);
+        return lines.join('\n');
+    }
+    const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+    for (const f of cache.findings)
+        counts[f.severity]++;
+    const parts = [];
+    if (counts.critical > 0)
+        parts.push(`${counts.critical} critical`);
+    if (counts.high > 0)
+        parts.push(`${counts.high} high`);
+    if (counts.medium > 0)
+        parts.push(`${counts.medium} medium`);
+    if (counts.low > 0)
+        parts.push(`${counts.low} low`);
+    lines.push(`  ${parts.join(', ')} across ${appCount} apps`);
+    const urgent = cache.findings
+        .filter(f => f.severity === 'critical' || f.severity === 'high')
+        .slice(0, 5);
+    for (const f of urgent) {
+        const prefix = f.severity === 'critical' ? '!!' : ' !';
+        lines.push(`  ${prefix} ${f.appName}: ${f.title}`);
+    }
+    const appsWithFindings = new Set(cache.findings.map(f => f.appName)).size;
+    const healthyCount = appCount - appsWithFindings;
+    if (healthyCount > 0) {
+        lines.push(`  ${healthyCount} apps fully up to date`);
+    }
+    lines.push(`  Last scan: ${ago} | Run: fleet deps`);
+    return lines.join('\n');
+}
+export function generateMotdScript(cachePath) {
+    return `#!/bin/bash
+# fleet deps motd — auto-generated by fleet deps init
+# shows dependency health summary on ssh login
+
+CACHE="${cachePath}"
+
+if [ ! -f "$CACHE" ]; then
+  echo "-- Fleet Deps: no scan data. Run: fleet deps scan"
+  exit 0
+fi
+
+/usr/local/bin/fleet deps --motd 2>/dev/null || echo "-- Fleet Deps: run fleet deps scan"
+`;
+}
+function formatAge(isoDate) {
+    const ms = Date.now() - new Date(isoDate).getTime();
+    const mins = Math.floor(ms / 60_000);
+    if (mins < 1)
+        return 'just now';
+    if (mins < 60)
+        return `${mins}m ago`;
+    const hours = Math.floor(mins / 60);
+    if (hours < 24)
+        return `${hours}h ago`;
+    return `${Math.floor(hours / 24)}d ago`;
+}

package/dist/core/deps/reporters/telegram.d.ts

@@ -0,0 +1,6 @@
+import type { Finding, Severity } from '../types.js';
+export declare function formatTelegramMessage(findings: Finding[], appCount: number): string;
+export declare function findNewFindings(current: Finding[], previous: Finding[]): Finding[];
+export declare function sendTelegramNotification(findings: Finding[], appCount: number, previousFindings: Finding[], minSeverity: Severity): Promise<boolean>;
+export declare function loadNotifiedFindings(): Finding[];
+export declare function saveNotifiedFindings(findings: Finding[]): void;

package/dist/core/deps/reporters/telegram.js

@@ -0,0 +1,106 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const NOTIFIED_PATH = join(__dirname, '..', '..', '..', '..', 'data', 'notified-findings.json');
+const TELEGRAM_CONFIG_PATH = '/etc/fleet/telegram.json';
+export function formatTelegramMessage(findings, appCount) {
+    if (findings.length === 0)
+        return '';
+    const lines = [];
+    const date = new Date().toISOString().split('T')[0];
+    lines.push(`<b>Fleet Deps Scan — ${date}</b>\n`);
+    const groups = {
+        critical: [], high: [], medium: [], low: [], info: [],
+    };
+    for (const f of findings)
+        groups[f.severity].push(f);
+    for (const severity of ['critical', 'high', 'medium', 'low']) {
+        const group = groups[severity];
+        if (group.length === 0)
+            continue;
+        lines.push(`<b>${severity.charAt(0).toUpperCase() + severity.slice(1)} (${group.length}):</b>`);
+        for (const f of group.slice(0, 10)) {
+            lines.push(`• ${f.appName}: ${escapeHtml(f.title)}`);
+        }
+        if (group.length > 10) {
+            lines.push(`  <i>...and ${group.length - 10} more</i>`);
+        }
+        lines.push('');
+    }
+    const totalApps = new Set(findings.map(f => f.appName)).size;
+    lines.push(`${totalApps} apps affected out of ${appCount}`);
+    return lines.join('\n');
+}
+export function findNewFindings(current, previous) {
+    const severityOrder = ['info', 'low', 'medium', 'high', 'critical'];
+    return current.filter(f => {
+        const prev = previous.find(p => p.appName === f.appName && p.title === f.title);
+        if (!prev)
+            return true;
+        return severityOrder.indexOf(f.severity) > severityOrder.indexOf(prev.severity);
+    });
+}
+export async function sendTelegramNotification(findings, appCount, previousFindings, minSeverity) {
+    const config = loadTelegramConfig();
+    if (!config)
+        return false;
+    const newFindings = findNewFindings(findings, previousFindings);
+    if (newFindings.length === 0)
+        return false;
+    const severityOrder = ['info', 'low', 'medium', 'high', 'critical'];
+    const minIdx = severityOrder.indexOf(minSeverity);
+    const filtered = newFindings.filter(f => severityOrder.indexOf(f.severity) >= minIdx);
+    if (filtered.length === 0)
+        return false;
+    const message = formatTelegramMessage(filtered, appCount);
+    if (!message)
+        return false;
+    try {
+        const res = await fetch(`https://api.telegram.org/bot${config.botToken}/sendMessage`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                chat_id: config.chatId,
+                text: message,
+                parse_mode: 'HTML',
+            }),
+        });
+        return res.ok;
+    }
+    catch {
+        return false;
+    }
+}
+export function loadNotifiedFindings() {
+    if (!existsSync(NOTIFIED_PATH))
+        return [];
+    try {
+        return JSON.parse(readFileSync(NOTIFIED_PATH, 'utf-8'));
+    }
+    catch {
+        return [];
+    }
+}
+export function saveNotifiedFindings(findings) {
+    const dir = dirname(NOTIFIED_PATH);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    writeFileSync(NOTIFIED_PATH, JSON.stringify(findings, null, 2) + '\n');
+}
+function loadTelegramConfig() {
+    if (!existsSync(TELEGRAM_CONFIG_PATH))
+        return null;
+    try {
+        const raw = JSON.parse(readFileSync(TELEGRAM_CONFIG_PATH, 'utf-8'));
+        if (!raw.botToken || !raw.chatId)
+            return null;
+        return { botToken: raw.botToken, chatId: String(raw.chatId) };
+    }
+    catch {
+        return null;
+    }
+}
+function escapeHtml(text) {
+    return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}

package/dist/core/deps/scanner.d.ts

@@ -0,0 +1,4 @@
+import type { AppEntry } from '../registry.js';
+import type { Collector, DepsCache, DepsConfig } from './types.js';
+export declare function createCollectors(config: DepsConfig): Collector[];
+export declare function runScan(apps: AppEntry[], config: DepsConfig, collectors?: Collector[]): Promise<DepsCache>;

package/dist/core/deps/scanner.js

@@ -0,0 +1,89 @@
+import { NpmCollector } from './collectors/npm.js';
+import { ComposerCollector } from './collectors/composer.js';
+import { PipCollector } from './collectors/pip.js';
+import { DockerImageCollector } from './collectors/docker-image.js';
+import { DockerRunningCollector } from './collectors/docker-running.js';
+import { EolCollector } from './collectors/eol.js';
+import { VulnerabilityCollector } from './collectors/vulnerability.js';
+import { GitHubPrCollector } from './collectors/github-pr.js';
+export function createCollectors(config) {
+    return [
+        new NpmCollector(config.severityOverrides),
+        new ComposerCollector(config.severityOverrides),
+        new PipCollector(config.severityOverrides),
+        new DockerImageCollector(config.severityOverrides),
+        new DockerRunningCollector(config.severityOverrides),
+        new EolCollector(config.severityOverrides.eolDaysWarning),
+        new VulnerabilityCollector(),
+        new GitHubPrCollector(),
+    ];
+}
+export async function runScan(apps, config, collectors) {
+    const start = Date.now();
+    const allCollectors = collectors ?? createCollectors(config);
+    const findings = [];
+    const errors = [];
+    // build work items: [app, collector] pairs where collector.detect passes
+    const work = [];
+    for (const app of apps) {
+        for (const collector of allCollectors) {
+            if (collector.detect(app.composePath)) {
+                work.push({ app, collector });
+            }
+        }
+    }
+    // run with concurrency limit
+    const concurrency = config.concurrency;
+    for (let i = 0; i < work.length; i += concurrency) {
+        const batch = work.slice(i, i + concurrency);
+        const results = await Promise.allSettled(batch.map(async ({ app, collector }) => {
+            try {
+                return await collector.collect(app);
+            }
+            catch (err) {
+                errors.push({
+                    collector: collector.type,
+                    appName: app.name,
+                    message: err instanceof Error ? err.message : String(err),
+                    timestamp: new Date().toISOString(),
+                });
+                return [];
+            }
+        }));
+        for (const result of results) {
+            if (result.status === 'fulfilled') {
+                findings.push(...result.value);
+            }
+        }
+    }
+    const filtered = applyIgnoreRules(findings, config.ignore);
+    return {
+        version: 1,
+        lastScan: new Date().toISOString(),
+        scanDurationMs: Date.now() - start,
+        findings: filtered,
+        errors,
+        config,
+    };
+}
+function applyIgnoreRules(findings, rules) {
+    if (rules.length === 0)
+        return findings;
+    const now = Date.now();
+    const activeRules = rules.filter(r => {
+        if (r.until)
+            return new Date(r.until).getTime() > now;
+        return true;
+    });
+    return findings.filter(f => {
+        return !activeRules.some(rule => {
+            if (rule.appName && rule.appName !== f.appName)
+                return false;
+            if (rule.package && rule.package !== f.package)
+                return false;
+            if (rule.source && rule.source !== f.source)
+                return false;
+            return true;
+        });
+    });
+}

package/dist/core/deps/severity.d.ts

@@ -0,0 +1,6 @@
+import type { Severity, DepsConfig } from './types.js';
+type SeverityOverrides = DepsConfig['severityOverrides'];
+export declare function severityFromVersionDelta(current: string, latest: string, overrides: SeverityOverrides): Severity;
+export declare function severityFromEol(eolDate: string, warningDays: number): Severity;
+export declare function severityFromCvss(score: number): Severity;
+export {};

package/dist/core/deps/severity.js

@@ -0,0 +1,45 @@
+export function severityFromVersionDelta(current, latest, overrides) {
+    const cur = parseSemver(current);
+    const lat = parseSemver(latest);
+    if (!cur || !lat)
+        return 'medium';
+    if (cur.major < lat.major)
+        return overrides.majorVersionBehind;
+    if (cur.minor < lat.minor)
+        return overrides.minorVersionBehind;
+    if (cur.patch < lat.patch)
+        return overrides.patchVersionBehind;
+    return 'info';
+}
+export function severityFromEol(eolDate, warningDays) {
+    const eol = new Date(eolDate).getTime();
+    const now = Date.now();
+    const daysUntil = (eol - now) / (24 * 60 * 60 * 1000);
+    if (daysUntil <= 0)
+        return 'critical';
+    if (daysUntil <= 30)
+        return 'high';
+    if (daysUntil <= warningDays)
+        return 'medium';
+    return 'info';
+}
+export function severityFromCvss(score) {
+    if (score >= 9)
+        return 'critical';
+    if (score >= 7)
+        return 'high';
+    if (score >= 4)
+        return 'medium';
+    return 'low';
+}
+function parseSemver(version) {
+    const clean = version.replace(/^v/, '');
+    const match = clean.match(/^(\d+)\.(\d+)\.(\d+)/);
+    if (!match)
+        return null;
+    return {
+        major: parseInt(match[1], 10),
+        minor: parseInt(match[2], 10),
+        patch: parseInt(match[3], 10),
+    };
+}