@mifort-solutions/qmetrix 1.0.0

package/src/dashboard/collectors/composition.mjs

@@ -0,0 +1,360 @@
+/**
+ * 6. Component composition — an app-rooted containment tree of feature widgets.
+ *
+ * The dashboard draws this as nested rectangles: one box per app-router root
+ * (page.tsx / layout.tsx) with every feature component it renders nested inside,
+ * recursively, following "renders" relationships (a JSX <Tag>, a Next default
+ * re-export, or a `dynamic()`/`lazy()` import whose binding is a component).
+ * Design-system widgets from src/common are deliberately NOT shown — this view is
+ * about how the *features* compose, not the shared UI kit.
+ *
+ * Each box carries the metadata the renderer prints next to it (description,
+ * props, state, events, public API) — see collectors/composition-meta.mjs for the
+ * extraction. Feature barrels (`@/features/x` → index.ts) are followed through to
+ * the concrete component file. Cycles are broken per branch; a component rendered
+ * by several parents is intentionally duplicated under each (containment tree, not
+ * a DAG). Feature components never reached from a page are surfaced in a separate
+ * "unattached" list so dead/unused components are not silently dropped.
+ */
+import { readFileSync } from 'node:fs';
+import path from 'node:path';
+
+import { SRC } from '../config.mjs';
+import { resolveImport } from './graph.mjs';
+import { rel, walk } from '../utils/fs.mjs';
+import {
+  extractDescription,
+  extractEvents,
+  extractExports,
+  extractProps,
+  extractState,
+  isComponentFile,
+  parseBindings,
+  primaryName,
+  stripComments,
+  usedJsxTags,
+} from './composition-meta.mjs';
+import { buildTransitions, siteHost } from './composition-transitions.mjs';
+
+const APP_DIR = path.join(SRC, 'app');
+const FEATURES_DIR = path.join(SRC, 'features');
+const COMMON_DIR = path.join(SRC, 'common');
+
+const CODE_RE = /\.(ts|tsx|js|jsx|mjs|cjs)$/;
+const EXCLUDE_RE = /\.(test|spec|stories)\.[jt]sx?$/;
+const APP_ROOT_RE = /(^|\/)(page|layout)\.[jt]sx?$/;
+const INDEX_RE = /(^|\/)index\.tsx?$/;
+const MAX_DEPTH = 9;
+
+function layerOf(abs) {
+  if (abs === APP_DIR || abs.startsWith(APP_DIR + path.sep)) {
+    return 'app';
+  }
+  if (abs.startsWith(FEATURES_DIR + path.sep)) {
+    return 'feature';
+  }
+  if (abs.startsWith(COMMON_DIR + path.sep)) {
+    return 'common';
+  }
+  return 'other';
+}
+
+const featureOf = (relPath) => relPath.match(/^src\/features\/([^/]+)\//)?.[1] ?? null;
+const appKind = (relPath) => (/(^|\/)layout\.[jt]sx?$/.test(relPath) ? 'layout' : 'page');
+const routeOf = (relPath) => {
+  const r = relPath.replace(/^src\/app/, '').replace(/\/(page|layout)\.[jt]sx?$/, '');
+  return r === '' ? '/' : r;
+};
+
+/** Index every (production) code file under app / features / common. */
+function indexFiles() {
+  const fileByAbs = new Map();
+  for (const dir of [APP_DIR, FEATURES_DIR, COMMON_DIR]) {
+    for (const abs of walk(dir)) {
+      if (!CODE_RE.test(abs) || abs.endsWith('.d.ts') || EXCLUDE_RE.test(abs)) {
+        continue;
+      }
+      let raw = '';
+      try {
+        raw = readFileSync(abs, 'utf8');
+      } catch {
+        raw = '';
+      }
+      fileByAbs.set(abs, {
+        abs,
+        rel: rel(abs),
+        layer: layerOf(abs),
+        raw,
+        code: stripComments(raw),
+      });
+    }
+  }
+  return fileByAbs;
+}
+
+/** feature → Set of names it re-exports through index.ts (its public API). */
+function computePublicNames(fileByAbs) {
+  const map = new Map();
+  for (const f of fileByAbs.values()) {
+    if (f.layer === 'feature' && /\/index\.ts$/.test(f.rel)) {
+      const feat = f.rel.match(/^src\/features\/([^/]+)\//)?.[1];
+      if (feat) {
+        map.set(feat, new Set(extractExports(f.code)));
+      }
+    }
+  }
+  return map;
+}
+
+/** The component names a file "renders": JSX tags + default re-export + lazy. */
+function renderedNames(code) {
+  const names = usedJsxTags(code);
+  const def = code.match(/export\s+default\s+([A-Za-z_]\w*)\s*;/);
+  if (def) {
+    names.add(def[1]);
+  }
+  let m;
+  const asDefaultRe = /export\s*\{([^}]*)\}/g;
+  while ((m = asDefaultRe.exec(code))) {
+    for (const part of m[1].split(',')) {
+      const as = part.trim().match(/^([A-Za-z_]\w*)\s+as\s+default$/);
+      if (as) {
+        names.add(as[1]);
+      }
+    }
+  }
+  return names;
+}
+
+export function collectComposition() {
+  const fileByAbs = indexFiles();
+  const publicNames = computePublicNames(fileByAbs);
+  const components = {}; // id (rel path) → serialisable descriptor
+  const descCache = new Map();
+  const barrelCache = new Map();
+  const childCache = new Map();
+
+  // ── Component descriptors (cached by abs path) ──
+  function descriptorFor(abs) {
+    if (descCache.has(abs)) {
+      return descCache.get(abs);
+    }
+    const f = fileByAbs.get(abs);
+    if (!f) {
+      return null;
+    }
+    const cname = primaryName(f.code, f.rel);
+    const props = extractProps(f.code, cname);
+    const feature = f.layer === 'feature' ? featureOf(f.rel) : null;
+    const isPublic = f.layer === 'feature' && (publicNames.get(feature)?.has(cname) ?? false);
+    // App-layer files split into route roots (page/layout) and plain helpers
+    // (providers.tsx, error.tsx …) that happen to be rendered by a root.
+    const isAppRoot = f.layer === 'app' && APP_ROOT_RE.test(f.rel);
+    const role =
+      f.layer === 'app' ? (isAppRoot ? appKind(f.rel) : 'app') : isPublic ? 'public' : 'internal';
+    const d = {
+      id: f.rel,
+      name: f.layer === 'app' ? (isAppRoot ? routeOf(f.rel) : cname) : cname,
+      component: cname,
+      file: f.rel.split('/').pop(),
+      rel: f.rel,
+      layer: f.layer,
+      feature,
+      kind: f.layer === 'app' ? (isAppRoot ? appKind(f.rel) : 'component') : 'component',
+      role,
+      public: isPublic,
+      description: extractDescription(f.raw, cname),
+      props,
+      state: extractState(f.code),
+      events: extractEvents(f.code, props),
+      exports: extractExports(f.code),
+    };
+    descCache.set(abs, d);
+    components[d.id] = d;
+    return d;
+  }
+
+  // ── Feature barrel: exported name → concrete source file ──
+  function barrelReexports(indexAbs) {
+    if (barrelCache.has(indexAbs)) {
+      return barrelCache.get(indexAbs);
+    }
+    const map = new Map();
+    const f = fileByAbs.get(indexAbs);
+    if (f) {
+      const re = /export\s*(?:type\s*)?\{([^}]*)\}\s*from\s*['"]([^'"]+)['"]/g;
+      let m;
+      while ((m = re.exec(f.code))) {
+        const target = resolveImport(m[2], indexAbs);
+        if (!target) {
+          continue;
+        }
+        for (const part of m[1].split(',')) {
+          const seg = part.trim();
+          const as = seg.match(/\s+as\s+([A-Za-z_]\w*)/);
+          const exported = as ? as[1] : seg.split(/\s/)[0];
+          if (exported) {
+            map.set(exported, target);
+          }
+        }
+      }
+    }
+    barrelCache.set(indexAbs, map);
+    return map;
+  }
+
+  // ── "Renders" edges: a rendered binding → its concrete component file ──
+  function childTargets(abs) {
+    if (childCache.has(abs)) {
+      return childCache.get(abs);
+    }
+    const f = fileByAbs.get(abs);
+    const out = [];
+    if (f && /\.(tsx|jsx)$/.test(f.rel)) {
+      const rendered = renderedNames(f.code);
+      if (rendered.size) {
+        const seen = new Set();
+        // Resolve a binding against an import spec (following barrels), then keep
+        // it iff it's a shown app/feature component (common widgets are omitted).
+        const consider = (b, spec) => {
+          let real = resolveImport(spec, abs);
+          if (real && fileByAbs.has(real) && INDEX_RE.test(fileByAbs.get(real).rel)) {
+            real = barrelReexports(real).get(b);
+          }
+          if (!real || !fileByAbs.has(real) || real === abs || seen.has(real)) {
+            return;
+          }
+          const layer = fileByAbs.get(real).layer;
+          if (layer === 'common' || layer === 'other') {
+            return;
+          }
+          seen.add(real);
+          out.push(real);
+        };
+
+        let m;
+        const fromRe = /\bimport\s+(type\s+)?([^;]*?)\s+from\s*["']([^"']+)["']/g;
+        while ((m = fromRe.exec(f.code))) {
+          if (m[1]) {
+            continue; // type-only import — never a render
+          }
+          for (const b of parseBindings(m[2])) {
+            if (rendered.has(b)) {
+              consider(b, m[3]);
+            }
+          }
+        }
+        const dynRe =
+          /(?:const|let|var)\s+([A-Za-z_]\w*)\s*=\s*(?:[\w.]*\.)?(?:dynamic|lazy)\s*\(\s*(?:async\s*)?\(\s*\)\s*=>\s*import\(\s*["']([^"']+)["']/g;
+        while ((m = dynRe.exec(f.code))) {
+          if (rendered.has(m[1])) {
+            consider(m[1], m[2]);
+          }
+        }
+      }
+    }
+    childCache.set(abs, out);
+    return out;
+  }
+
+  // ── Build one containment tree (cycles broken per branch) ──
+  function buildTree(abs, ancestry) {
+    const d = descriptorFor(abs);
+    if (!d) {
+      return null;
+    }
+    const node = { id: d.id, children: [] };
+    if (ancestry.size >= MAX_DEPTH) {
+      return node;
+    }
+    const next = new Set(ancestry).add(abs);
+    for (const childAbs of childTargets(abs)) {
+      if (ancestry.has(childAbs) || childAbs === abs) {
+        const cd = descriptorFor(childAbs);
+        if (cd) {
+          node.children.push({ id: cd.id, children: [], cycle: true });
+        }
+        continue;
+      }
+      const sub = buildTree(childAbs, next);
+      if (sub) {
+        node.children.push(sub);
+      }
+    }
+    return node;
+  }
+
+  // ── The forest, rooted at app pages/layouts ──
+  const roots = [...fileByAbs.values()]
+    .filter((f) => f.layer === 'app' && APP_ROOT_RE.test(f.rel))
+    .sort((a, b) => {
+      const ra = routeOf(a.rel);
+      const rb = routeOf(b.rel);
+      return ra === rb ? appKind(a.rel).localeCompare(appKind(b.rel)) : ra.localeCompare(rb);
+    })
+    .map((f) => buildTree(f.abs, new Set()))
+    .filter(Boolean);
+
+  const reached = new Set();
+  const collectIds = (node) => {
+    reached.add(node.id);
+    (node.children || []).forEach(collectIds);
+  };
+  roots.forEach(collectIds);
+
+  const unattached = findUnattached(fileByAbs, reached, buildTree, collectIds);
+  const fileByRel = new Map([...fileByAbs.values()].map((f) => [f.rel, f]));
+  const transitions = buildTransitions(components, roots, fileByRel);
+  return {
+    available: roots.length > 0 || unattached.length > 0,
+    components,
+    roots,
+    unattached,
+    transitions,
+    host: siteHost(),
+    stats: stats(components, roots, unattached),
+  };
+}
+
+/** Feature components never reached from a page → flat roots (absorbing nests). */
+function findUnattached(fileByAbs, reached, buildTree, collectIds) {
+  const candidates = [...fileByAbs.values()]
+    .filter(
+      (f) =>
+        f.layer === 'feature' &&
+        !INDEX_RE.test(f.rel) &&
+        isComponentFile(f.rel, f.code) &&
+        !reached.has(f.rel),
+    )
+    .sort((a, b) => a.rel.localeCompare(b.rel));
+  const unattached = [];
+  const claimed = new Set(reached);
+  for (const f of candidates) {
+    if (claimed.has(f.rel)) {
+      continue;
+    }
+    const tree = buildTree(f.abs, new Set());
+    if (tree) {
+      collectIds(tree);
+      const mark = (n) => {
+        claimed.add(n.id);
+        (n.children || []).forEach(mark);
+      };
+      mark(tree);
+      unattached.push(tree);
+    }
+  }
+  return unattached;
+}
+
+function stats(components, roots, unattached) {
+  const countBoxes = (nodes) => nodes.reduce((acc, n) => acc + 1 + countBoxes(n.children || []), 0);
+  const featureDescs = Object.values(components).filter((c) => c.layer === 'feature');
+  return {
+    pages: roots.filter((r) => components[r.id]?.kind === 'page').length,
+    layouts: roots.filter((r) => components[r.id]?.kind === 'layout').length,
+    featureComponents: featureDescs.length,
+    features: [...new Set(featureDescs.map((c) => c.feature))].filter(Boolean).sort(),
+    boxes: countBoxes(roots) + countBoxes(unattached),
+  };
+}

package/src/dashboard/collectors/coverage.mjs

@@ -0,0 +1,98 @@
+/** 2. Test coverage — per suite (unit / e2e / storybook) plus their global merge.
+ *
+ * Collect-only: this reads whatever `npm run coverage:*` last wrote to
+ * dist/reports/coverage/<suite>/coverage-summary.json (see dev/scripts/coverage/* and
+ * .config/jest.config.mjs). It never runs jest itself — when no summary exists the
+ * section is marked missing with the command that generates it.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import path from 'node:path';
+
+import { ROOT } from '../config.mjs';
+import { rel } from '../utils/fs.mjs';
+
+const SUITES = [
+  { key: 'unit', label: 'Unit' },
+  { key: 'e2e', label: 'E2E' },
+  { key: 'storybook', label: 'Storybook' },
+  { key: 'global', label: 'Global' },
+];
+
+// Istanbul emits the string "Unknown" for pct when a category has zero measurable
+// items; coerce anything non-numeric to null so renderers show an em-dash.
+const pctOf = (m) => (typeof m?.pct === 'number' ? m.pct : null);
+
+const summaryPath = (key) =>
+  path.join(ROOT, 'dist', 'reports', 'coverage', key, 'coverage-summary.json');
+
+// Istanbul's html reporter writes a browsable index.html next to the summary —
+// the per-file / per-folder drill-down the dashboard links to.
+const reportIndexPath = (key) => path.join(ROOT, 'dist', 'reports', 'coverage', key, 'index.html');
+
+/** Link to a suite's HTML report, relative to the dashboard output dir when known. */
+function reportHrefFor(key, outDir) {
+  const idx = reportIndexPath(key);
+  if (!existsSync(idx)) {
+    return null;
+  }
+  if (!outDir) {
+    return rel(idx);
+  }
+  return path.relative(outDir, idx).split(path.sep).join('/');
+}
+
+function readSuite({ key, label }, outDir) {
+  const p = summaryPath(key);
+  if (!existsSync(p)) {
+    return { key, label, available: false };
+  }
+  let data;
+  try {
+    data = JSON.parse(readFileSync(p, 'utf8'));
+  } catch {
+    return { key, label, available: false, note: `${key}: summary could not be parsed.` };
+  }
+  const total = data.total || {};
+  const files = Object.entries(data)
+    .filter(([k]) => k !== 'total')
+    .map(([file, m]) => ({ file: rel(path.resolve(ROOT, file)), lines: pctOf(m.lines) }))
+    .sort((a, b) => (a.lines ?? 101) - (b.lines ?? 101));
+  return {
+    key,
+    label,
+    available: true,
+    statements: pctOf(total.statements),
+    branches: pctOf(total.branches),
+    functions: pctOf(total.functions),
+    lines: pctOf(total.lines),
+    fileCount: files.length,
+    files,
+    reportHref: reportHrefFor(key, outDir),
+  };
+}
+
+/** @param {string} [outDir] directory the dashboard html is written to (for relative report links). */
+export function collectCoverage(outDir) {
+  const suites = SUITES.map((s) => readSuite(s, outDir));
+  const byKey = Object.fromEntries(suites.map((s) => [s.key, s]));
+  // Headline (chip + bars + per-file table) prefers the global merge, else unit.
+  const head = byKey.global?.available ? byKey.global : byKey.unit;
+  const available = suites.some((s) => s.available);
+
+  return {
+    available,
+    note: available
+      ? 'Per-suite coverage over the full src/ tree. Run `npm run coverage:all` to refresh e2e / storybook / global.'
+      : 'No coverage artifact found. Run `npm run coverage:unit` (or `npm run coverage:all`) to generate it.',
+    // Headline fields consumed by the existing summary chip + gauge bars.
+    statements: head?.statements ?? null,
+    branches: head?.branches ?? null,
+    functions: head?.functions ?? null,
+    lines: head?.lines ?? null,
+    headLabel: head?.label ?? null,
+    files: head?.files ?? [],
+    reportHref: head?.reportHref ?? null,
+    // Per-suite breakdown (files[] omitted to keep the JSON dump small).
+    suites: suites.map(({ files, ...rest }) => rest),
+  };
+}

package/src/dashboard/collectors/deps.mjs

@@ -0,0 +1,187 @@
+/** 4. Dependencies + audit — package.json deps enriched with git/npm metadata.
+ *
+ * Collect-only for the vulnerability/outdated columns: they read artifacts rather
+ * than running npm. Generate them with:
+ *   npm audit --json    > dist/reports/npm-audit.json
+ *   npm outdated --json > dist/reports/npm-outdated.json
+ * The inventory itself (names, versions, why/when added) is read from package.json
+ * and `git log` over package.json.
+ */
+import { existsSync, readFileSync } from 'node:fs';
+import path from 'node:path';
+
+import { ROOT, SCRIPTS_DIR } from '../config.mjs';
+import { exec, log } from '../utils/exec.mjs';
+
+/** description field from an installed package's own package.json (what it is). */
+function pkgDescription(name) {
+  try {
+    const j = JSON.parse(
+      readFileSync(path.join(ROOT, 'node_modules', name, 'package.json'), 'utf8'),
+    );
+    return (j.description || '').trim();
+  } catch {
+    return '';
+  }
+}
+
+/**
+ * For each dependency name, find the git commit that first introduced it into
+ * package.json — gives us "when added" (date) and "why / which task" (subject).
+ * One `git log -p` pass over package.json, oldest-first; first time we see a
+ * line added for a known dep name wins.
+ */
+function gitDepHistory(names) {
+  const want = new Set(names);
+  const info = {};
+  const r = exec('git log --reverse --date=short --format="@@C@@%h|%ad|%s" -p -- package.json', {
+    timeout: 120_000,
+  });
+  if (r.code !== 0 || !r.stdout) {
+    return info;
+  }
+  let cur = null;
+  for (const line of r.stdout.split(/\r?\n/)) {
+    if (line.startsWith('@@C@@')) {
+      const [hash, date, ...subj] = line.slice(5).split('|');
+      cur = { hash, date, subject: subj.join('|') };
+      continue;
+    }
+    if (!cur) {
+      continue;
+    }
+    const m = /^\+\s*"([^"]+)"\s*:/.exec(line); // an added "name": ... line in a hunk
+    if (m && want.has(m[1]) && !info[m[1]]) {
+      info[m[1]] = { ...cur };
+    }
+  }
+  return info;
+}
+
+const AUDIT_ARTIFACT = path.join(ROOT, 'dist', 'reports', 'npm-audit.json');
+const OUTDATED_ARTIFACT = path.join(ROOT, 'dist', 'reports', 'npm-outdated.json');
+const AUDIT_HINT = 'npm audit --json > dist/reports/npm-audit.json';
+const OUTDATED_HINT = 'npm outdated --json > dist/reports/npm-outdated.json';
+
+/** Parse a saved `npm audit --json` file into a JSON object, or null. */
+function readJsonArtifact(file) {
+  if (!existsSync(file)) {
+    return null;
+  }
+  try {
+    return JSON.parse(readFileSync(file, 'utf8') || 'null');
+  } catch {
+    return null;
+  }
+}
+
+export function collectDeps(importedExternals) {
+  let pkg = {};
+  try {
+    pkg = JSON.parse(readFileSync(path.join(ROOT, 'package.json'), 'utf8'));
+  } catch {}
+
+  const prodNames = Object.keys(pkg.dependencies || {});
+  const devNames = Object.keys(pkg.devDependencies || {});
+  const prodCount = prodNames.length;
+  const devCount = devNames.length;
+
+  // npm audit — read the saved artifact (collect-only).
+  let audit = { available: false, note: `Not generated. Run: ${AUDIT_HINT}` };
+  const vulnByPkg = {}; // name -> severity (direct or transitive entry present in the tree)
+  const auditJson = readJsonArtifact(AUDIT_ARTIFACT);
+  if (auditJson) {
+    const v = auditJson.metadata?.vulnerabilities;
+    if (v) {
+      audit = {
+        available: true,
+        info: v.info || 0,
+        low: v.low || 0,
+        moderate: v.moderate || 0,
+        high: v.high || 0,
+        critical: v.critical || 0,
+        total: v.total || 0,
+        deps: auditJson.metadata?.dependencies?.total ?? null,
+      };
+    }
+    for (const [name, entry] of Object.entries(auditJson.vulnerabilities || {})) {
+      if (entry?.severity) {
+        vulnByPkg[name] = entry.severity;
+      }
+    }
+  }
+
+  // npm outdated — read the saved artifact (collect-only). `npm outdated --json`
+  // emits {} when everything is current, a {name:{current,wanted,latest}} map when
+  // packages are behind, or {"error":{code,summary,…}} when the registry call failed
+  // (e.g. offline / ECONNRESET). Only the first two are usable — an error blob must
+  // NOT be read as "0 need update", which is what made the section look illogical.
+  const outdatedByPkg = {};
+  const outdatedJson = readJsonArtifact(OUTDATED_ARTIFACT);
+  const outdatedError =
+    outdatedJson && outdatedJson.error && typeof outdatedJson.error === 'object'
+      ? outdatedJson.error
+      : null;
+  const outdatedAvailable = outdatedJson != null && !outdatedError;
+  if (outdatedAvailable) {
+    for (const [name, m] of Object.entries(outdatedJson)) {
+      if (!m || typeof m !== 'object') {
+        continue;
+      } // skip stray non-package keys
+      outdatedByPkg[name] = { current: m.current, wanted: m.wanted, latest: m.latest };
+    }
+  }
+
+  // when + why each dep was added (git), and an optional curated notes override.
+  log('Reading dependency history (git) …');
+  const gitInfo = gitDepHistory([...prodNames, ...devNames]);
+  let notes = {};
+  try {
+    notes = JSON.parse(readFileSync(path.join(SCRIPTS_DIR, 'dependency-notes.json'), 'utf8'));
+  } catch {}
+
+  const build = (names, type) =>
+    names.map((name) => {
+      const n = notes[name] || {};
+      const g = gitInfo[name] || {};
+      const out = outdatedByPkg[name] || null;
+      const version = (type === 'prod' ? pkg.dependencies : pkg.devDependencies)[name];
+      return {
+        name,
+        type,
+        version,
+        imported: importedExternals.has(name),
+        description: n.description || pkgDescription(name) || '',
+        reason: n.reason || g.subject || '',
+        task: n.task || '',
+        added: n.added || g.date || '',
+        addedHash: g.hash || '',
+        outdated: out,
+        needsUpdate: !!(out && out.latest && out.current !== out.latest),
+        vuln: vulnByPkg[name] || null,
+      };
+    });
+
+  const packages = [...build(prodNames, 'prod'), ...build(devNames, 'dev')].sort((a, b) =>
+    a.name.localeCompare(b.name),
+  );
+
+  return {
+    prodCount,
+    devCount,
+    packages,
+    audit,
+    outdatedAvailable,
+    outdatedNote: outdatedAvailable
+      ? null
+      : outdatedError
+        ? `npm outdated could not reach the registry (${outdatedError.code || 'error'}: ${(outdatedError.summary || 'network error').split('\n')[0]}). Re-run: ${OUTDATED_HINT}`
+        : `Not generated. Run: ${OUTDATED_HINT}`,
+    outdatedCount: packages.filter((p) => p.needsUpdate).length,
+    // Direct dependencies (in package.json) flagged by npm audit. This is a subset of
+    // audit.total, which counts every advisory path including transitive packages —
+    // hence vulnCount ≤ audit.total (they measure different things).
+    vulnCount: packages.filter((p) => p.vuln).length,
+    engines: pkg.engines || null,
+  };
+}