@mongodb-js/sbom-tools 0.2.0

package/LICENSE

@@ -0,0 +1,201 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction,
+and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by
+the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all
+other entities that control, are controlled by, or are under common
+control with that entity. For the purposes of this definition,
+"control" means (i) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or
+otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity
+exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications,
+including but not limited to software source code, documentation
+source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical
+transformation or translation of a Source form, including but
+not limited to compiled object code, generated documentation,
+and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or
+Object form, made available under the License, as indicated by a
+copyright notice that is included in or attached to the work
+(an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object
+form, that is based on (or derived from) the Work and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship. For the purposes
+of this License, Derivative Works shall not include works that remain
+separable from, or merely link (or bind by name) to the interfaces of,
+the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including
+the original version of the Work and any modifications or additions
+to that Work or Derivative Works thereof, that is intentionally
+submitted to Licensor for inclusion in the Work by the copyright owner
+or by an individual or Legal Entity authorized to submit on behalf of
+the copyright owner. For the purposes of this definition, "submitted"
+means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems,
+and issue tracking systems that are managed by, or on behalf of, the
+Licensor for the purpose of discussing and improving the Work, but
+excluding communication that is conspicuously marked or otherwise
+designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity
+on behalf of whom a Contribution has been received by Licensor and
+subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the
+Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated in this section) patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Work,
+where such license applies only to those patent claims licensable
+by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by combination of their Contribution(s)
+with the Work to which such Contribution(s) was submitted. If You
+institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work
+or a Contribution incorporated within the Work constitutes direct
+or contributory patent infringement, then any patent licenses
+granted to You under this License for that Work shall terminate
+as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+Work or Derivative Works thereof in any medium, with or without
+modifications, and in Source or Object form, provided that You
+meet the following conditions:
+
+(a) You must give any other recipients of the Work or
+Derivative Works a copy of this License; and
+
+(b) You must cause any modified files to carry prominent notices
+stating that You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works
+that You distribute, all copyright, patent, trademark, and
+attribution notices from the Source form of the Work,
+excluding those notices that do not pertain to any part of
+the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its
+distribution, then any Derivative Works that You distribute must
+include a readable copy of the attribution notices contained
+within such NOTICE file, excluding those notices that do not
+pertain to any part of the Derivative Works, in at least one
+of the following places: within a NOTICE text file distributed
+as part of the Derivative Works; within the Source form or
+documentation, if provided along with the Derivative Works; or,
+within a display generated by the Derivative Works, if and
+wherever such third-party notices normally appear. The contents
+of the NOTICE file are for informational purposes only and
+do not modify the License. You may add Your own attribution
+notices within Derivative Works that You distribute, alongside
+or as an addendum to the NOTICE text from the Work, provided
+that such additional attribution notices cannot be construed
+as modifying the License.
+
+You may add Your own copyright statement to Your modifications and
+may provide additional or different license terms and conditions
+for use, reproduction, or distribution of Your modifications, or
+for any such Derivative Works as a whole, provided Your use,
+reproduction, and distribution of the Work otherwise complies with
+the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+any Contribution intentionally submitted for inclusion in the Work
+by You to the Licensor shall be under the terms and conditions of
+this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify
+the terms of any separate license agreement you may have executed
+with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+names, trademarks, service marks, or product names of the Licensor,
+except as required for reasonable and customary use in describing the
+origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+agreed to in writing, Licensor provides the Work (and each
+Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied, including, without limitation, any warranties or conditions
+of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any
+risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+whether in tort (including negligence), contract, or otherwise,
+unless required by applicable law (such as deliberate and grossly
+negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special,
+incidental, or consequential damages of any character arising as a
+result of this License or out of the use or inability to use the
+Work (including but not limited to damages for loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all
+other commercial damages or losses), even if such Contributor
+has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+the Work or Derivative Works thereof, You may choose to offer,
+and charge a fee for, acceptance of support, warranty, indemnity,
+or other liability obligations and/or rights consistent with this
+License. However, in accepting such obligations, You may act only
+on Your own behalf and on Your sole responsibility, not on behalf
+of any other Contributor, and only if You agree to indemnify,
+defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason
+of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+To apply the Apache License to your work, attach the following
+boilerplate notice, with the fields enclosed by brackets "{}"
+replaced with your own identifying information. (Don't include
+the brackets!)  The text should be enclosed in the appropriate
+comment syntax for the file format. We also recommend that a
+file or class name and description of purpose be included on the
+same "printed page" as the copyright notice for easier
+identification within third-party archives.
+
+Copyright {yyyy} {name of copyright owner}
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

package/README.md

@@ -0,0 +1,3 @@
+# @mongodb-js/sbom-tools
+
+Utilities to generate sbom reports for webpack bundles.

package/bin/mongodb-sbom-tools.js

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+
+require('../dist/bin.js');

package/dist/.esm-wrapper.mjs

@@ -0,0 +1,4 @@
+import mod from "./index.js";
+
+export default mod;
+export const WebpackDependenciesPlugin = mod.WebpackDependenciesPlugin;

package/dist/bin.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=bin.d.ts.map

package/dist/bin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bin.d.ts","sourceRoot":"","sources":["../src/bin.ts"],"names":[],"mappings":""}

package/dist/bin.js

@@ -0,0 +1,46 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const generate_third_party_notices_1 = require("./commands/generate-third-party-notices");
+const generate_vulnerability_report_1 = require("./commands/generate-vulnerability-report");
+const scan_node_js_1 = require("./commands/scan-node-js");
+function commaSeparatedList(value) {
+    return value.split(',');
+}
+commander_1.program
+    .command('generate-vulnerability-report')
+    .description('Generate vulnerabilities report')
+    .option('--dependencies <paths>', 'Comma-separated list of dependency files', commaSeparatedList, [])
+    .option('--snyk-reports <paths>', 'Comma-separated list of snyk result files', commaSeparatedList, [])
+    .option('--fail-on [level]', 'Fail on the specified severity level')
+    .action(async (options) => {
+    await (0, generate_vulnerability_report_1.generateVulnerabilityReport)({
+        dependencyFiles: options.dependencies,
+        snykReports: options.snykReports,
+        failOn: options.failOn,
+    });
+});
+commander_1.program
+    .command('generate-3rd-party-notices')
+    .description('Generate third-party notices')
+    .option('--product <productName>', 'Product name')
+    .option('--config [config]', 'Path of the configuration file', 'licenses.json')
+    .option('--dependencies <paths>', 'Comma-separated list of dependency files', commaSeparatedList, [])
+    .action(async (options) => {
+    await (0, generate_third_party_notices_1.generate3rdPartyNotices)({
+        productName: options.product,
+        dependencyFiles: options.dependencies,
+        configPath: options.config,
+    });
+});
+commander_1.program
+    .command('scan-node-js')
+    .description('Scan node.js version for known vulnerabilities')
+    .option('--version <version>', 'Path to the node.js security-wg core database of vulnerabilities')
+    .action(async (options) => {
+    await (0, scan_node_js_1.scanNodeJs)({
+        version: options.version,
+    });
+});
+commander_1.program.parse(process.argv);
+//# sourceMappingURL=bin.js.map

package/dist/bin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bin.js","sourceRoot":"","sources":["../src/bin.ts"],"names":[],"mappings":";;AAAA,yCAAoC;AACpC,0FAAkF;AAClF,4FAAuF;AACvF,0DAAqD;AAErD,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC;AAED,mBAAO;KACJ,OAAO,CAAC,+BAA+B,CAAC;KACxC,WAAW,CAAC,iCAAiC,CAAC;KAC9C,MAAM,CACL,wBAAwB,EACxB,0CAA0C,EAC1C,kBAAkB,EAClB,EAAE,CACH;KACA,MAAM,CACL,wBAAwB,EACxB,2CAA2C,EAC3C,kBAAkB,EAClB,EAAE,CACH;KACA,MAAM,CAAC,mBAAmB,EAAE,sCAAsC,CAAC;KACnE,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,MAAM,IAAA,2DAA2B,EAAC;QAChC,eAAe,EAAE,OAAO,CAAC,YAAY;QACrC,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEL,mBAAO;KACJ,OAAO,CAAC,4BAA4B,CAAC;KACrC,WAAW,CAAC,8BAA8B,CAAC;KAC3C,MAAM,CAAC,yBAAyB,EAAE,cAAc,CAAC;KACjD,MAAM,CACL,mBAAmB,EACnB,gCAAgC,EAChC,eAAe,CAChB;KACA,MAAM,CACL,wBAAwB,EACxB,0CAA0C,EAC1C,kBAAkB,EAClB,EAAE,CACH;KACA,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,MAAM,IAAA,sDAAuB,EAAC;QAC5B,WAAW,EAAE,OAAO,CAAC,OAAO;QAC5B,eAAe,EAAE,OAAO,CAAC,YAAY;QACrC,UAAU,EAAE,OAAO,CAAC,MAAM;KAC3B,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEL,mBAAO;KACJ,OAAO,CAAC,cAAc,CAAC;KACvB,WAAW,CAAC,gDAAgD,CAAC;KAC7D,MAAM,CACL,qBAAqB,EACrB,kEAAkE,CACnE;KACA,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,MAAM,IAAA,yBAAU,EAAC;QACf,OAAO,EAAE,OAAO,CAAC,OAAO;KACzB,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEL,mBAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/dist/commands/generate-third-party-notices.d.ts

@@ -0,0 +1,8 @@
+import type { Package } from '../get-package-info';
+export declare function printLicenseInformation(productName: string, packages: Package[]): string;
+export declare function generate3rdPartyNotices({ productName, dependencyFiles, configPath, }: {
+    productName: string;
+    dependencyFiles: string[];
+    configPath?: string;
+}): Promise<void>;
+//# sourceMappingURL=generate-third-party-notices.d.ts.map

package/dist/commands/generate-third-party-notices.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-third-party-notices.d.ts","sourceRoot":"","sources":["../../src/commands/generate-third-party-notices.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AA4LnD,wBAAgB,uBAAuB,CACrC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,OAAO,EAAE,GAClB,MAAM,CAuDR;AAyCD,wBAAsB,uBAAuB,CAAC,EAC5C,WAAW,EACX,eAAe,EACf,UAAU,GACX,EAAE;IACD,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,GAAG,OAAO,CAAC,IAAI,CAAC,CAQhB"}

package/dist/commands/generate-third-party-notices.js

@@ -0,0 +1,214 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generate3rdPartyNotices = exports.printLicenseInformation = void 0;
+const crypto_1 = __importDefault(require("crypto"));
+const spdx_satisfies_1 = __importDefault(require("spdx-satisfies"));
+const find_up_1 = __importDefault(require("find-up"));
+const fs_1 = require("fs");
+const load_dependency_files_1 = require("../load-dependency-files");
+const cross_spawn_1 = __importDefault(require("cross-spawn"));
+const ALLOWED_LICENSES = [
+    'MIT',
+    'BSD-2-Clause',
+    'BSD-3-Clause',
+    'BSD-4-Clause',
+    'Apache-2.0',
+    'ISC',
+    'CC-BY-4.0',
+    'WTFPL',
+    'OFL-1.1',
+    'Unlicense',
+];
+function checkOverrides(packagesToCheck, packageLockJson) {
+    const allDepsInLock = new Set();
+    const traverseDependencies = (dependencies) => {
+        for (const packageName in dependencies) {
+            const packageInfo = dependencies[packageName];
+            allDepsInLock.add(`${packageName}@${packageInfo.version}`);
+            if (packageInfo.dependencies) {
+                traverseDependencies(packageInfo.dependencies);
+            }
+        }
+    };
+    traverseDependencies(packageLockJson.dependencies);
+    for (const packageName of packagesToCheck) {
+        if (!allDepsInLock.has(packageName)) {
+            throw new Error(`The package "${packageName}" is not installed, please remove it from the configured ignoredPackages or licenseOverrides.`);
+        }
+    }
+}
+async function readPackageLock() {
+    const packageLockJsonPath = await (0, find_up_1.default)('package-lock.json');
+    if (packageLockJsonPath) {
+        const packageLock = JSON.parse(await fs_1.promises.readFile(packageLockJsonPath, 'utf-8'));
+        if (packageLock.lockfileVersion !== 2) {
+            throw new Error('Invalid package-lock.json version: !== 2');
+        }
+        return { path: packageLockJsonPath, content: packageLock };
+    }
+}
+function id(pkg) {
+    return crypto_1.default
+        .createHash('sha256')
+        .update(`${pkg.name}@${pkg.version}`)
+        .digest('hex');
+}
+function normalizeLicenseProperty(license) {
+    if (typeof license === 'object') {
+        return license.type || '';
+    }
+    if (typeof license === 'string') {
+        return license;
+    }
+    return '';
+}
+function getLicenses(pkg) {
+    var _a;
+    return (pkg.license ? [pkg.license] : (_a = pkg.licenses) !== null && _a !== void 0 ? _a : [])
+        .filter(Boolean)
+        .map(normalizeLicenseProperty);
+}
+function licenseSpdx(pkg) {
+    const licenses = getLicenses(pkg);
+    if (!licenses.length) {
+        return '';
+    }
+    if (licenses.length === 1) {
+        return licenses[0];
+    }
+    return '(' + licenses.filter(Boolean).join(' OR ') + ')';
+}
+function indent(input, depth) {
+    return input.replace(/^/gm, ' '.repeat(depth));
+}
+function validatePackage(pkg) {
+    return ALLOWED_LICENSES.some((allowedLicense) => {
+        const spdx = licenseSpdx(pkg);
+        try {
+            return (0, spdx_satisfies_1.default)(allowedLicense, spdx);
+        }
+        catch (error) {
+            return allowedLicense === spdx;
+        }
+    });
+}
+function getMonorepoPackages(packageLock) {
+    var _a, _b;
+    if (!((_b = (_a = packageLock === null || packageLock === void 0 ? void 0 : packageLock.packages) === null || _a === void 0 ? void 0 : _a[''].workspaces) === null || _b === void 0 ? void 0 : _b.length)) {
+        return [];
+    }
+    const output = cross_spawn_1.default.sync('npm', ['query', '.workspace'], {
+        encoding: 'utf-8',
+    });
+    if (output.error) {
+        console.error('Error executing command:', output.error);
+        process.exit(1);
+    }
+    const packages = JSON.parse(output.stdout);
+    return packages.map((pkg) => `${pkg.name}@${pkg.version}`);
+}
+async function readConfig(configPath) {
+    var _a, _b, _c, _d, _e;
+    const packageLock = await readPackageLock();
+    const monorepoPackages = getMonorepoPackages(packageLock === null || packageLock === void 0 ? void 0 : packageLock.content);
+    const originalConfig = JSON.parse(await fs_1.promises.readFile(configPath, 'utf-8'));
+    if (packageLock === null || packageLock === void 0 ? void 0 : packageLock.content) {
+        checkOverrides([
+            ...((_a = originalConfig.ignoredPackages) !== null && _a !== void 0 ? _a : []),
+            ...Object.keys((_b = originalConfig.licenseOverrides) !== null && _b !== void 0 ? _b : {}),
+        ], packageLock.content);
+    }
+    return Promise.resolve({
+        ignoredOrgs: [...((_c = originalConfig.ignoredOrgs) !== null && _c !== void 0 ? _c : [])],
+        ignoredPackages: [
+            ...((_d = originalConfig.ignoredPackages) !== null && _d !== void 0 ? _d : []),
+            ...(monorepoPackages !== null && monorepoPackages !== void 0 ? monorepoPackages : []),
+        ],
+        licenseOverrides: { ...((_e = originalConfig.licenseOverrides) !== null && _e !== void 0 ? _e : {}) },
+    });
+}
+function printLicenseInformation(productName, packages) {
+    var _a, _b;
+    let output = `\
+The following third-party software is used by and included in **${productName}**.
+This document was automatically generated on ${new Date().toDateString()}.
+
+## List of dependencies
+
+Package|Version|License
+-------|-------|-------
+${packages
+        .map((pkg) => `**[${pkg.name}](#${id(pkg)})**|${pkg.version}|${licenseSpdx(pkg)}`)
+        .join('\n')}
+
+## Package details
+`;
+    for (const pkg of packages) {
+        const spdx = licenseSpdx(pkg);
+        const linkedPackageName = pkg.private
+            ? pkg.name
+            : `[${pkg.name}](https://www.npmjs.com/package/${pkg.name})`;
+        output += `
+<a id="${id(pkg)}"></a>
+### ${linkedPackageName} (version ${pkg.version})
+`;
+        if (pkg.description) {
+            output += `> ${pkg.description}\n\n`;
+        }
+        output += `License tags: ${spdx}\n\n`;
+        if ((_a = pkg.licenseFiles) === null || _a === void 0 ? void 0 : _a.length) {
+            output += 'License files:\n';
+            for (const file of pkg.licenseFiles) {
+                output += `* ${file.filename}:\n\n${indent(file.content, 6)}\n\n`;
+            }
+        }
+        if ((_b = pkg.contributors) === null || _b === void 0 ? void 0 : _b.length) {
+            output += 'Authors:\n';
+            for (const person of pkg.contributors) {
+                const name = typeof person !== 'object'
+                    ? person
+                    : person.name +
+                        (person.email ? ` <[${person.email}](nomail)>` : '') +
+                        (person.url ? ` (${person.url})` : '');
+                output += `* ${name}\n`;
+            }
+            output += '\n';
+        }
+    }
+    return output;
+}
+exports.printLicenseInformation = printLicenseInformation;
+function validatePackages(packages) {
+    const invalidPackages = packages.filter((pkg) => !validatePackage(pkg));
+    if (invalidPackages.length) {
+        console.error(`Generation failed, found ${invalidPackages.length} invalid packages:`);
+        for (const pkg of invalidPackages) {
+            console.error(`${pkg.name}@${pkg.version}:`, licenseSpdx(pkg));
+        }
+        process.exit(1);
+    }
+}
+async function loadPackages(dependencyFiles, config) {
+    return (await (0, load_dependency_files_1.loadDependencyFiles)(dependencyFiles))
+        .filter((pkg) => !(config.ignoredOrgs || []).some((org) => pkg.name.startsWith(org + '/')))
+        .filter((pkg) => !(config.ignoredPackages || []).includes(`${pkg.name}@${pkg.version}`))
+        .map((pkg) => {
+        var _a;
+        return ({
+            ...pkg,
+            license: (_a = (config.licenseOverrides || {})[`${pkg.name}@${pkg.version}`]) !== null && _a !== void 0 ? _a : pkg.license,
+        });
+    });
+}
+async function generate3rdPartyNotices({ productName, dependencyFiles, configPath, }) {
+    const config = await readConfig(configPath !== null && configPath !== void 0 ? configPath : 'licenses.json');
+    const packages = await loadPackages(dependencyFiles, config);
+    validatePackages(packages);
+    const markdown = printLicenseInformation(productName, packages);
+    console.info(markdown);
+}
+exports.generate3rdPartyNotices = generate3rdPartyNotices;
+//# sourceMappingURL=generate-third-party-notices.js.map

package/dist/commands/generate-third-party-notices.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-third-party-notices.js","sourceRoot":"","sources":["../../src/commands/generate-third-party-notices.ts"],"names":[],"mappings":";;;;;;AAAA,oDAA4B;AAC5B,oEAA2C;AAC3C,sDAA6B;AAC7B,2BAAoC;AAGpC,oEAA+D;AAC/D,8DAAqC;AAsBrC,MAAM,gBAAgB,GAAG;IACvB,KAAK;IACL,cAAc;IACd,cAAc;IACd,cAAc;IACd,YAAY;IACZ,KAAK;IACL,WAAW;IACX,OAAO;IACP,SAAS;IACT,WAAW;CACZ,CAAC;AAEF,SAAS,cAAc,CACrB,eAAyB,EACzB,eAAgC;IAEhC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAE,CAAC;IAChC,MAAM,oBAAoB,GAAG,CAC3B,YAA6C,EAC7C,EAAE;QACF,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE;YACtC,MAAM,WAAW,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;YAC9C,aAAa,CAAC,GAAG,CAAC,GAAG,WAAW,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YAE3D,IAAI,WAAW,CAAC,YAAY,EAAE;gBAC5B,oBAAoB,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;aAChD;SACF;IACH,CAAC,CAAC;IAEF,oBAAoB,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;IAEnD,KAAK,MAAM,WAAW,IAAI,eAAe,EAAE;QACzC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE;YACnC,MAAM,IAAI,KAAK,CACb,gBAAgB,WAAW,+FAA+F,CAC3H,CAAC;SACH;KACF;AACH,CAAC;AAED,KAAK,UAAU,eAAe;IAG5B,MAAM,mBAAmB,GAAG,MAAM,IAAA,iBAAM,EAAC,mBAAmB,CAAC,CAAC;IAE9D,IAAI,mBAAmB,EAAE;QACvB,MAAM,WAAW,GAAoB,IAAI,CAAC,KAAK,CAC7C,MAAM,aAAE,CAAC,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC,CAChD,CAAC;QAEF,IAAI,WAAW,CAAC,eAAe,KAAK,CAAC,EAAE;YACrC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;SAC7D;QAED,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;KAC5D;AACH,CAAC;AAGD,SAAS,EAAE,CAAC,GAAY;IACtB,OAAO,gBAAM;SACV,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;SACpC,MAAM,CAAC,KAAK,CAAC,CAAC;AACnB,CAAC;AAED,SAAS,wBAAwB,CAAC,OAAkC;IAClE,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;QAC/B,OAAO,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC;KAC3B;IAED,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE;QAC/B,OAAO,OAAO,CAAC;KAChB;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,WAAW,CAAC,GAAY;;IAC/B,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,MAAA,GAAG,CAAC,QAAQ,mCAAI,EAAE,CAAC;SACtD,MAAM,CAAC,OAAO,CAAC;SACf,GAAG,CAAC,wBAAwB,CAAC,CAAC;AACnC,CAAC;AAGD,SAAS,WAAW,CAAC,GAAY;IAC/B,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE;QACpB,OAAO,EAAE,CAAC;KACX;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE;QACzB,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;KACpB;IAED,OAAO,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC;AAC3D,CAAC;AAED,SAAS,MAAM,CAAC,KAAa,EAAE,KAAa;IAC1C,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,eAAe,CAAC,GAAY;IACnC,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,cAAc,EAAE,EAAE;QAC9C,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI;YACF,OAAO,IAAA,wBAAa,EAAC,cAAc,EAAE,IAAI,CAAC,CAAC;SAC5C;QAAC,OAAO,KAAK,EAAE;YACd,OAAO,cAAc,KAAK,IAAI,CAAC;SAChC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,mBAAmB,CAAC,WAAwC;;IACnE,IAAI,CAAC,CAAA,MAAA,MAAA,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,QAAQ,0CAAG,EAAE,EAAE,UAAU,0CAAE,MAAM,CAAA,EAAE;QACnD,OAAO,EAAE,CAAC;KACX;IAED,MAAM,MAAM,GAAG,qBAAU,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,YAAY,CAAC,EAAE;QAC7D,QAAQ,EAAE,OAAO;KAClB,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,KAAK,EAAE;QAChB,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;KACjB;IAED,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC3C,OAAO,QAAQ,CAAC,GAAG,CACjB,CAAC,GAAsC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CACzE,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,UAAkB;;IAC1C,MAAM,WAAW,GAAG,MAAM,eAAe,EAAE,CAAC;IAC5C,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,CAAC,CAAC;IAEnE,MAAM,cAAc,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,aAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;IAE1E,IAAI,WAAW,aAAX,WAAW,uBAAX,WAAW,CAAE,OAAO,EAAE;QACxB,cAAc,CACZ;YACE,GAAG,CAAC,MAAA,cAAc,CAAC,eAAe,mCAAI,EAAE,CAAC;YACzC,GAAG,MAAM,CAAC,IAAI,CAAC,MAAA,cAAc,CAAC,gBAAgB,mCAAI,EAAE,CAAC;SACtD,EACD,WAAW,CAAC,OAAO,CACpB,CAAC;KACH;IAED,OAAO,OAAO,CAAC,OAAO,CAAC;QACrB,WAAW,EAAE,CAAC,GAAG,CAAC,MAAA,cAAc,CAAC,WAAW,mCAAI,EAAE,CAAC,CAAC;QACpD,eAAe,EAAE;YACf,GAAG,CAAC,MAAA,cAAc,CAAC,eAAe,mCAAI,EAAE,CAAC;YACzC,GAAG,CAAC,gBAAgB,aAAhB,gBAAgB,cAAhB,gBAAgB,GAAI,EAAE,CAAC;SAC5B;QACD,gBAAgB,EAAE,EAAE,GAAG,CAAC,MAAA,cAAc,CAAC,gBAAgB,mCAAI,EAAE,CAAC,EAAE;KACjE,CAAC,CAAC;AACL,CAAC;AAID,SAAgB,uBAAuB,CACrC,WAAmB,EACnB,QAAmB;;IAEnB,IAAI,MAAM,GAAG;kEACmD,WAAW;+CAC9B,IAAI,IAAI,EAAE,CAAC,YAAY,EAAE;;;;;;EAMtE,QAAQ;SACP,GAAG,CACF,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,EAAE,CAAC,GAAG,CAAC,OAAO,GAAG,CAAC,OAAO,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAC7E;SACA,IAAI,CAAC,IAAI,CAAC;;;CAGZ,CAAC;IAEA,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE;QAC1B,MAAM,IAAI,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,iBAAiB,GAAG,GAAG,CAAC,OAAO;YACnC,CAAC,CAAC,GAAG,CAAC,IAAI;YACV,CAAC,CAAC,IAAI,GAAG,CAAC,IAAI,mCAAmC,GAAG,CAAC,IAAI,GAAG,CAAC;QAC/D,MAAM,IAAI;SACL,EAAE,CAAC,GAAG,CAAC;MACV,iBAAiB,aAAa,GAAG,CAAC,OAAO;CAC9C,CAAC;QACE,IAAI,GAAG,CAAC,WAAW,EAAE;YACnB,MAAM,IAAI,KAAK,GAAG,CAAC,WAAW,MAAM,CAAC;SACtC;QAED,MAAM,IAAI,iBAAiB,IAAI,MAAM,CAAC;QAEtC,IAAI,MAAA,GAAG,CAAC,YAAY,0CAAE,MAAM,EAAE;YAC5B,MAAM,IAAI,kBAAkB,CAAC;YAC7B,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,YAAY,EAAE;gBACnC,MAAM,IAAI,KAAK,IAAI,CAAC,QAAQ,QAAQ,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;aACnE;SACF;QAED,IAAI,MAAA,GAAG,CAAC,YAAY,0CAAE,MAAM,EAAE;YAC5B,MAAM,IAAI,YAAY,CAAC;YACvB,KAAK,MAAM,MAAM,IAAI,GAAG,CAAC,YAAY,EAAE;gBACrC,MAAM,IAAI,GACR,OAAO,MAAM,KAAK,QAAQ;oBACxB,CAAC,CAAC,MAAM;oBACR,CAAC,CAAC,MAAM,CAAC,IAAI;wBACX,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC,KAAK,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpD,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBAC7C,MAAM,IAAI,KAAK,IAAI,IAAI,CAAC;aACzB;YACD,MAAM,IAAI,IAAI,CAAC;SAChB;KACF;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AA1DD,0DA0DC;AAED,SAAS,gBAAgB,CAAC,QAAmB;IAC3C,MAAM,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC;IAExE,IAAI,eAAe,CAAC,MAAM,EAAE;QAC1B,OAAO,CAAC,KAAK,CACX,4BAA4B,eAAe,CAAC,MAAM,oBAAoB,CACvE,CAAC;QAEF,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE;YACjC,OAAO,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,GAAG,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;SAChE;QAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;KACjB;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,eAAyB,EACzB,MAAc;IAEd,OAAO,CAAC,MAAM,IAAA,2CAAmB,EAAU,eAAe,CAAC,CAAC;SACzD,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CACN,CAAC,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CACvC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,GAAG,GAAG,CAAC,CAC/B,CACJ;SACA,MAAM,CACL,CAAC,GAAG,EAAE,EAAE,CACN,CAAC,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,CACzE;SACA,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;;QAAC,OAAA,CAAC;YACb,GAAG,GAAG;YACN,OAAO,EACL,MAAA,CAAC,MAAM,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,mCAC7D,GAAG,CAAC,OAAO;SACd,CAAC,CAAA;KAAA,CAAC,CAAC;AACR,CAAC;AAEM,KAAK,UAAU,uBAAuB,CAAC,EAC5C,WAAW,EACX,eAAe,EACf,UAAU,GAKX;IACC,MAAM,MAAM,GAAW,MAAM,UAAU,CAAC,UAAU,aAAV,UAAU,cAAV,UAAU,GAAI,eAAe,CAAC,CAAC;IACvE,MAAM,QAAQ,GAAc,MAAM,YAAY,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAExE,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAE3B,MAAM,QAAQ,GAAG,uBAAuB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAChE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACzB,CAAC;AAhBD,0DAgBC"}

package/dist/commands/generate-vulnerability-report.d.ts

@@ -0,0 +1,23 @@
+export declare function loadReports(files: string[]): Promise<SnykTestProjectResult[]>;
+declare type SnykTestProjectResult = {
+    vulnerabilities: SnykVulnerability[];
+};
+declare type SnykVulnerability = {
+    moduleName: string;
+    from: string[];
+    name: string;
+    version: string;
+    cvssScore: number;
+    severity: 'low' | 'medium' | 'high' | 'critical';
+    id: string;
+    url: string;
+    title: string;
+    fixedIn: string[];
+};
+export declare function generateVulnerabilityReport(options: {
+    dependencyFiles: string[];
+    snykReports: string[];
+    failOn: 'low' | 'medium' | 'high' | 'critical';
+}): Promise<void>;
+export {};
+//# sourceMappingURL=generate-vulnerability-report.d.ts.map

package/dist/commands/generate-vulnerability-report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-vulnerability-report.d.ts","sourceRoot":"","sources":["../../src/commands/generate-vulnerability-report.ts"],"names":[],"mappings":"AASA,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EAAE,GACd,OAAO,CAAC,qBAAqB,EAAE,CAAC,CAUlC;AAED,aAAK,qBAAqB,GAAG;IAC3B,eAAe,EAAE,iBAAiB,EAAE,CAAC;CACtC,CAAC;AAEF,aAAK,iBAAiB,GAAG;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB,CAAC;AA8HF,wBAAsB,2BAA2B,CAAC,OAAO,EAAE;IACzD,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,MAAM,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;CAChD,GAAG,OAAO,CAAC,IAAI,CAAC,CAiBhB"}

package/dist/commands/generate-vulnerability-report.js

@@ -0,0 +1,100 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateVulnerabilityReport = exports.loadReports = void 0;
+const fs_1 = require("fs");
+const snykPolicy = require('snyk-policy');
+const lodash_1 = __importDefault(require("lodash"));
+const chalk_1 = __importDefault(require("chalk"));
+const load_dependency_files_1 = require("../load-dependency-files");
+async function loadReports(files) {
+    return (await Promise.all(files.map(async (fileName) => JSON.parse(await fs_1.promises.readFile(fileName, 'utf-8'))))).flat();
+}
+exports.loadReports = loadReports;
+async function fetchSnykVulnerabilities(snykTestResults, dependencies) {
+    const rules = await snykPolicy.load(process.cwd());
+    const affectedDependencies = [];
+    snykTestResults.forEach((projectResult) => {
+        projectResult.vulnerabilities.forEach((vuln) => {
+            dependencies.forEach((dep) => {
+                if (vuln.moduleName === dep.name &&
+                    vuln.from.includes(`${dep.name}@${dep.version}`)) {
+                    affectedDependencies.push(vuln);
+                }
+            });
+        });
+    });
+    const uniqueVulnerabilities = new Map();
+    affectedDependencies.forEach((vuln) => {
+        const key = `${vuln.name}@${vuln.version}_${vuln.id}`;
+        const origin = '-';
+        if (uniqueVulnerabilities.has(key)) {
+            const existingVuln = uniqueVulnerabilities.get(key);
+            if (!existingVuln.origins.includes(origin)) {
+                existingVuln.origins.push(origin);
+            }
+        }
+        else {
+            uniqueVulnerabilities.set(key, {
+                name: `${vuln.name}@${vuln.version}`,
+                id: vuln.id,
+                score: vuln.cvssScore,
+                severity: `${vuln.severity
+                    .charAt(0)
+                    .toUpperCase()}${vuln.severity.slice(1)}`,
+                fixedIn: vuln.fixedIn.join(', '),
+                origins: [origin],
+                policy: snykPolicy.getByVuln(rules, vuln),
+            });
+        }
+    });
+    const sortedVulnerabilities = Array.from(uniqueVulnerabilities.values()).sort((a, b) => a.name.localeCompare(b.name));
+    return sortedVulnerabilities;
+}
+function printTable(title, vulnerabilities) {
+    var _a, _b;
+    console.info(`## ${title} (${vulnerabilities.length} vulnerabilities)`);
+    console.info('| dep@version | id | score | fixed in | origin | ignored |');
+    console.info('| ----------- | -- | ----- | -------- | ------ | ------- |');
+    const sortedVulns = lodash_1.default.orderBy(vulnerabilities, ['score', 'name'], ['desc', 'asc']);
+    for (const vuln of sortedVulns) {
+        const severity = `${vuln.score} (${vuln.severity})`;
+        const ignored = ((_a = vuln.policy) === null || _a === void 0 ? void 0 : _a.type) === 'ignore'
+            ? (_b = vuln.policy) === null || _b === void 0 ? void 0 : _b.reason
+            : !vuln.fixedIn
+                ? 'Remediation not available yet'
+                : '-';
+        console.info(`| ${vuln.name} | ${vuln.id} | ${severity} | ${vuln.fixedIn} | ${ignored} |`);
+    }
+}
+const SEVERITY_TO_SCORE = {
+    low: 0,
+    medium: 4,
+    high: 7,
+    critical: 9,
+};
+function fail(failOn, bundleVulnerabilities) {
+    var _a;
+    const minScore = SEVERITY_TO_SCORE[failOn];
+    for (const vuln of bundleVulnerabilities) {
+        if (vuln.score >= minScore &&
+            vuln.fixedIn &&
+            ((_a = vuln.policy) === null || _a === void 0 ? void 0 : _a.type) !== 'ignore') {
+            console.error(chalk_1.default.red(`Vulnerabilities check failed: found vulnerabilies >= "${failOn}"`));
+            process.exit(1);
+        }
+    }
+}
+async function generateVulnerabilityReport(options) {
+    const productionDependencies = await (0, load_dependency_files_1.loadDependencyFiles)(options.dependencyFiles);
+    const snykTestResult = await loadReports(options.snykReports);
+    const bundleVulnerabilities = await fetchSnykVulnerabilities(snykTestResult, productionDependencies);
+    printTable('Snyk Report', bundleVulnerabilities);
+    if (options.failOn) {
+        fail(options.failOn, bundleVulnerabilities);
+    }
+}
+exports.generateVulnerabilityReport = generateVulnerabilityReport;
+//# sourceMappingURL=generate-vulnerability-report.js.map

package/dist/commands/generate-vulnerability-report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate-vulnerability-report.js","sourceRoot":"","sources":["../../src/commands/generate-vulnerability-report.ts"],"names":[],"mappings":";;;;;;AAAA,2BAAoC;AAGpC,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;AAC1C,oDAAuB;AACvB,kDAA0B;AAE1B,oEAA+D;AAExD,KAAK,UAAU,WAAW,CAC/B,KAAe;IAIf,OAAO,CACL,MAAM,OAAO,CAAC,GAAG,CACf,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAC3B,IAAI,CAAC,KAAK,CAAC,MAAM,aAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CACjD,CACF,CACF,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AAZD,kCAYC;AAqCD,KAAK,UAAU,wBAAwB,CACrC,eAAwC,EACxC,YAA0B;IAE1B,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACnD,MAAM,oBAAoB,GAAwB,EAAE,CAAC;IAErD,eAAe,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,EAAE;QACxC,aAAa,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YAC7C,YAAY,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC3B,IACE,IAAI,CAAC,UAAU,KAAK,GAAG,CAAC,IAAI;oBAC5B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,EAChD;oBACA,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;iBACjC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAAE,CAAC;IAExC,oBAAoB,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QACpC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;QACtD,MAAM,MAAM,GAAG,GAAG,CAAC;QAEnB,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE;YAClC,MAAM,YAAY,GAAG,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACpD,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE;gBAC1C,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;aACnC;SACF;aAAM;YACL,qBAAqB,CAAC,GAAG,CAAC,GAAG,EAAE;gBAC7B,IAAI,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE;gBACpC,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,KAAK,EAAE,IAAI,CAAC,SAAS;gBACrB,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ;qBACvB,MAAM,CAAC,CAAC,CAAC;qBACT,WAAW,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;gBAC3C,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChC,OAAO,EAAE,CAAC,MAAM,CAAC;gBACjB,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC;aAC1C,CAAC,CAAC;SACJ;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,qBAAqB,GAAG,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAC3E,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CACvC,CAAC;IAEF,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAED,SAAS,UAAU,CAAC,KAAa,EAAE,eAAgC;;IACjE,OAAO,CAAC,IAAI,CAAC,MAAM,KAAK,KAAK,eAAe,CAAC,MAAM,mBAAmB,CAAC,CAAC;IACxE,OAAO,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;IAC3E,OAAO,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;IAE3E,MAAM,WAAW,GAAG,gBAAC,CAAC,OAAO,CAC3B,eAAe,EACf,CAAC,OAAO,EAAE,MAAM,CAAC,EACjB,CAAC,MAAM,EAAE,KAAK,CAAC,CAChB,CAAC;IACF,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE;QAC9B,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,QAAQ,GAAG,CAAC;QACpD,MAAM,OAAO,GACX,CAAA,MAAA,IAAI,CAAC,MAAM,0CAAE,IAAI,MAAK,QAAQ;YAC5B,CAAC,CAAC,MAAA,IAAI,CAAC,MAAM,0CAAE,MAAM;YACrB,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO;gBACf,CAAC,CAAC,+BAA+B;gBACjC,CAAC,CAAC,GAAG,CAAC;QAEV,OAAO,CAAC,IAAI,CACV,KAAK,IAAI,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,MAAM,QAAQ,MAAM,IAAI,CAAC,OAAO,MAAM,OAAO,IAAI,CAC7E,CAAC;KACH;AACH,CAAC;AAED,MAAM,iBAAiB,GAAG;IACxB,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,SAAS,IAAI,CACX,MAA8C,EAC9C,qBAAsC;;IAEtC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAC3C,KAAK,MAAM,IAAI,IAAI,qBAAqB,EAAE;QACxC,IACE,IAAI,CAAC,KAAK,IAAI,QAAQ;YACtB,IAAI,CAAC,OAAO;YACZ,CAAA,MAAA,IAAI,CAAC,MAAM,0CAAE,IAAI,MAAK,QAAQ,EAC9B;YACA,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,GAAG,CACP,yDAAyD,MAAM,GAAG,CACnE,CACF,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;SACjB;KACF;AACH,CAAC;AAEM,KAAK,UAAU,2BAA2B,CAAC,OAIjD;IACC,MAAM,sBAAsB,GAAG,MAAM,IAAA,2CAAmB,EACtD,OAAO,CAAC,eAAe,CACxB,CAAC;IAEF,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAE9D,MAAM,qBAAqB,GAAG,MAAM,wBAAwB,CAC1D,cAAc,EACd,sBAAsB,CACvB,CAAC;IAEF,UAAU,CAAC,aAAa,EAAE,qBAAqB,CAAC,CAAC;IAEjD,IAAI,OAAO,CAAC,MAAM,EAAE;QAClB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;KAC7C;AACH,CAAC;AArBD,kEAqBC"}

package/dist/commands/scan-node-js.d.ts

@@ -0,0 +1,4 @@
+export declare function scanNodeJs({ version }: {
+    version: string;
+}): Promise<void>;
+//# sourceMappingURL=scan-node-js.d.ts.map

package/dist/commands/scan-node-js.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-node-js.d.ts","sourceRoot":"","sources":["../../src/commands/scan-node-js.ts"],"names":[],"mappings":"AA2HA,wBAAsB,UAAU,CAAC,EAAE,OAAO,EAAE,EAAE;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,iBAoBhE"}

package/dist/commands/scan-node-js.js

@@ -0,0 +1,113 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanNodeJs = void 0;
+const node_fetch_1 = __importDefault(require("node-fetch"));
+const semver_1 = __importDefault(require("semver"));
+const nv_1 = __importDefault(require("@pkgjs/nv"));
+function scoreToSeverity(score) {
+    if (score >= 9) {
+        return 'critical';
+    }
+    if (score >= 7) {
+        return 'high';
+    }
+    if (score >= 4) {
+        return 'medium';
+    }
+    return 'low';
+}
+async function formatVuln(id, nodeVuln, nodeVersion) {
+    let score;
+    try {
+        const cves = await Promise.all(nodeVuln.cve.map((cve) => (0, node_fetch_1.default)(`https://cve.circl.lu/api/cve/${cve}`).then((res) => res.json())));
+        const allCvss = cves.map((cve) => cve.cvss);
+        score = Math.max(...allCvss);
+    }
+    catch (e) {
+        console.error(e);
+    }
+    return {
+        id: `NSWG-COR-${id}`,
+        title: `Node.js core vulnerability #${id}`,
+        CVSSv3: '-',
+        credit: ['-'],
+        semver: {
+            vulnerable: nodeVuln.vulnerable,
+        },
+        exploit: '-',
+        patched: [nodeVuln.patched],
+        patches: [],
+        fixedIn: (nodeVuln.patched || '').split(' || '),
+        insights: {
+            triageAdvice: null,
+        },
+        language: 'js',
+        severity: scoreToSeverity(score !== null && score !== void 0 ? score : 9),
+        cvssScore: score,
+        functions: [],
+        moduleName: '.node.js',
+        references: [
+            {
+                url: nodeVuln.ref,
+                title: 'Ref',
+            },
+        ],
+        cvssDetails: [],
+        description: nodeVuln.overview,
+        epssDetails: null,
+        identifiers: {
+            CVE: nodeVuln.cve,
+        },
+        packageName: '.node.js',
+        proprietary: true,
+        creationTime: '-',
+        functions_new: [],
+        alternativeIds: [],
+        disclosureTime: '-',
+        packageManager: 'npm',
+        publicationTime: '-',
+        modificationTime: '-',
+        socialTrendAlert: false,
+        severityWithCritical: 'high',
+        from: [`.node.js@${nodeVersion}`],
+        upgradePath: [],
+        isUpgradable: true,
+        isPatchable: false,
+        name: '.node.js',
+        version: nodeVersion,
+    };
+}
+async function downloadCoreDb() {
+    const url = 'https://raw.githubusercontent.com/nodejs/security-wg/main/vuln/core/index.json';
+    const response = await (0, node_fetch_1.default)(url);
+    if (!response.ok) {
+        throw new Error(`Download failed: ${response.status}`);
+    }
+    return await response.json();
+}
+async function isSupported(version) {
+    const supported = (await (0, nv_1.default)('supported'))
+        .map((v) => `${v.major}.x`)
+        .join(' || ');
+    return semver_1.default.satisfies(version, supported);
+}
+async function scanNodeJs({ version }) {
+    if (!(await isSupported(version))) {
+        throw new Error(`Failed: node.js@${version} is not supported anymore.`);
+    }
+    const coreDbVuln = await downloadCoreDb();
+    const affectedBy = [];
+    for (const [id, vuln] of Object.entries(coreDbVuln)) {
+        if (semver_1.default.satisfies(version, vuln.vulnerable) &&
+            vuln.patched &&
+            !semver_1.default.satisfies(version, vuln.patched)) {
+            affectedBy.push(await formatVuln(id, vuln, version));
+        }
+    }
+    console.log(JSON.stringify({ vulnerabilities: affectedBy }, null, 2));
+}
+exports.scanNodeJs = scanNodeJs;
+//# sourceMappingURL=scan-node-js.js.map

package/dist/commands/scan-node-js.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-node-js.js","sourceRoot":"","sources":["../../src/commands/scan-node-js.ts"],"names":[],"mappings":";;;;;;AAAA,4DAA+B;AAC/B,oDAA4B;AAC5B,mDAA2B;AAc3B,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,UAAU,CAAC;KACnB;IACD,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,MAAM,CAAC;KACf;IACD,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,QAAQ,CAAC;KACjB;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,EAAU,EACV,QAAkB,EAClB,WAAmB;IAEnB,IAAI,KAAK,CAAC;IAEV,IAAI;QACF,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5B,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CACvB,IAAA,oBAAK,EAAC,gCAAgC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CACvE,CACF,CAAC;QAEF,MAAM,OAAO,GAAa,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAEtD,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC;KAC9B;IAAC,OAAO,CAAC,EAAE;QACV,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;KAClB;IAED,OAAO;QACL,EAAE,EAAE,YAAY,EAAE,EAAE;QACpB,KAAK,EAAE,+BAA+B,EAAE,EAAE;QAC1C,MAAM,EAAE,GAAG;QACX,MAAM,EAAE,CAAC,GAAG,CAAC;QACb,MAAM,EAAE;YACN,UAAU,EAAE,QAAQ,CAAC,UAAU;SAChC;QACD,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC3B,OAAO,EAAE,EAAE;QACX,OAAO,EAAE,CAAC,QAAQ,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;QAC/C,QAAQ,EAAE;YACR,YAAY,EAAE,IAAI;SACnB;QACD,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,eAAe,CAAC,KAAK,aAAL,KAAK,cAAL,KAAK,GAAI,CAAC,CAAC;QACrC,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,EAAE;QACb,UAAU,EAAE,UAAU;QACtB,UAAU,EAAE;YACV;gBACE,GAAG,EAAE,QAAQ,CAAC,GAAG;gBACjB,KAAK,EAAE,KAAK;aACb;SACF;QACD,WAAW,EAAE,EAAE;QACf,WAAW,EAAE,QAAQ,CAAC,QAAQ;QAC9B,WAAW,EAAE,IAAI;QACjB,WAAW,EAAE;YACX,GAAG,EAAE,QAAQ,CAAC,GAAG;SAClB;QACD,WAAW,EAAE,UAAU;QACvB,WAAW,EAAE,IAAI;QACjB,YAAY,EAAE,GAAG;QACjB,aAAa,EAAE,EAAE;QACjB,cAAc,EAAE,EAAE;QAClB,cAAc,EAAE,GAAG;QACnB,cAAc,EAAE,KAAK;QACrB,eAAe,EAAE,GAAG;QACpB,gBAAgB,EAAE,GAAG;QACrB,gBAAgB,EAAE,KAAK;QACvB,oBAAoB,EAAE,MAAM;QAC5B,IAAI,EAAE,CAAC,YAAY,WAAW,EAAE,CAAC;QACjC,WAAW,EAAE,EAAE;QACf,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,KAAK;QAClB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,WAAW;KACrB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,cAAc;IAC3B,MAAM,GAAG,GACP,gFAAgF,CAAC;IAEnF,MAAM,QAAQ,GAAG,MAAM,IAAA,oBAAK,EAAC,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,oBAAoB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;KACxD;IAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,OAAe;IACxC,MAAM,SAAS,GAAG,CAAC,MAAM,IAAA,YAAE,EAAC,WAAW,CAAC,CAAC;SACtC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC;SAC1B,IAAI,CAAC,MAAM,CAAC,CAAC;IAEhB,OAAO,gBAAM,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAC9C,CAAC;AAEM,KAAK,UAAU,UAAU,CAAC,EAAE,OAAO,EAAuB;IAC/D,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE;QACjC,MAAM,IAAI,KAAK,CAAC,mBAAmB,OAAO,4BAA4B,CAAC,CAAC;KACzE;IAED,MAAM,UAAU,GAAG,MAAM,cAAc,EAAE,CAAC;IAE1C,MAAM,UAAU,GAAG,EAAE,CAAC;IAEtB,KAAK,MAAM,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE;QACnD,IACE,gBAAM,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC;YAC1C,IAAI,CAAC,OAAO;YACZ,CAAC,gBAAM,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,EACxC;YACA,UAAU,CAAC,IAAI,CAAC,MAAM,UAAU,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;SACtD;KACF;IAED,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AACxE,CAAC;AApBD,gCAoBC"}

package/dist/get-package-info.d.ts

@@ -0,0 +1,38 @@
+interface PackageJSON {
+    name: string;
+    version: string;
+    description?: string;
+    license?: string | {
+        type: string;
+    };
+    licenses?: {
+        type: string;
+    }[];
+    dependencies?: {
+        [key: string]: string;
+    };
+    optionalDependencies?: {
+        [key: string]: string;
+    };
+    author?: string | {
+        name: string;
+        email?: string;
+        url?: string;
+    };
+    contributors?: (string | {
+        name: string;
+        email?: string;
+        url?: string;
+    })[];
+    private?: boolean;
+}
+export interface Package extends PackageJSON {
+    path: string;
+    licenseFiles: {
+        filename: string;
+        content: string;
+    }[];
+}
+export declare function getPackageInfo(modulePath: string): Promise<Package>;
+export {};
+//# sourceMappingURL=get-package-info.d.ts.map

package/dist/get-package-info.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-package-info.d.ts","sourceRoot":"","sources":["../src/get-package-info.ts"],"names":[],"mappings":"AAMA,UAAU,WAAW;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACpC,QAAQ,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC9B,YAAY,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;IACzC,oBAAoB,CAAC,EAAE;QAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,CAAC;IACjD,MAAM,CAAC,EAAE,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACjE,YAAY,CAAC,EAAE,CAAC,MAAM,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,EAAE,CAAC;IAC3E,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,OAAQ,SAAQ,WAAW;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CACvD;AA6CD,wBAAsB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAoCzE"}

package/dist/get-package-info.js

@@ -0,0 +1,62 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getPackageInfo = void 0;
+const fs_1 = require("fs");
+const path_1 = __importDefault(require("path"));
+const find_up_1 = __importDefault(require("find-up"));
+const licenseRegexp = /^(license|copyright|copying)/i;
+const fileCache = {};
+function readFileWithCache(filePath) {
+    var _a;
+    (_a = fileCache[filePath]) !== null && _a !== void 0 ? _a : (fileCache[filePath] = fs_1.promises.readFile(filePath, 'utf-8'));
+    return fileCache[filePath];
+}
+const findPackageJson = async (modulePath) => {
+    const candidatePath = await (0, find_up_1.default)('package.json', {
+        cwd: path_1.default.dirname(modulePath),
+    });
+    if (!candidatePath) {
+        return;
+    }
+    try {
+        const packageJson = JSON.parse(await readFileWithCache(candidatePath));
+        if (typeof packageJson.name === 'string' &&
+            typeof packageJson.version === 'string') {
+            return { path: candidatePath, content: packageJson };
+        }
+    }
+    catch (e) {
+    }
+    return await findPackageJson(path_1.default.dirname(candidatePath));
+};
+async function getPackageInfo(modulePath) {
+    const packageJSONInfo = await findPackageJson(modulePath);
+    if (!packageJSONInfo) {
+        throw new Error(`package.json not found for ${modulePath}`);
+    }
+    const { path: packageJSONPath, content: packageJSON } = packageJSONInfo;
+    const packagePath = path_1.default.dirname(packageJSONPath);
+    packageJSON.contributors = [
+        ...new Set([packageJSON.author, packageJSON.contributors].flat()),
+    ].filter(Boolean);
+    const licenseFiles = await Promise.all((await fs_1.promises.readdir(packagePath))
+        .filter((filename) => licenseRegexp.test(filename))
+        .sort()
+        .map(async (filename) => ({
+        filename,
+        content: await readFileWithCache(path_1.default.join(packagePath, filename)),
+    })));
+    return {
+        name: packageJSON.name,
+        version: packageJSON.version,
+        license: packageJSON.license,
+        licenses: packageJSON.licenses,
+        path: packagePath,
+        licenseFiles,
+    };
+}
+exports.getPackageInfo = getPackageInfo;
+//# sourceMappingURL=get-package-info.js.map

package/dist/get-package-info.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-package-info.js","sourceRoot":"","sources":["../src/get-package-info.ts"],"names":[],"mappings":";;;;;;AAAA,2BAAoC;AACpC,gDAAwB;AACxB,sDAA6B;AAsB7B,MAAM,aAAa,GAAG,+BAA+B,CAAC;AAItD,MAAM,SAAS,GAAoC,EAAE,CAAC;AACtD,SAAS,iBAAiB,CAAC,QAAgB;;IACzC,MAAA,SAAS,CAAC,QAAQ,qCAAlB,SAAS,CAAC,QAAQ,IAAM,aAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAC;IACvD,OAAO,SAAS,CAAC,QAAQ,CAAC,CAAC;AAC7B,CAAC;AAED,MAAM,eAAe,GAAG,KAAK,EAC3B,UAAkB,EAC2C,EAAE;IAC/D,MAAM,aAAa,GAAG,MAAM,IAAA,iBAAM,EAAC,cAAc,EAAE;QACjD,GAAG,EAAE,cAAI,CAAC,OAAO,CAAC,UAAU,CAAC;KAC9B,CAAC,CAAC;IAEH,IAAI,CAAC,aAAa,EAAE;QAClB,OAAO;KACR;IAED,IAAI;QACF,MAAM,WAAW,GAAgB,IAAI,CAAC,KAAK,CACzC,MAAM,iBAAiB,CAAC,aAAa,CAAC,CACvC,CAAC;QAEF,IACE,OAAO,WAAW,CAAC,IAAI,KAAK,QAAQ;YACpC,OAAO,WAAW,CAAC,OAAO,KAAK,QAAQ,EACvC;YACA,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC;SACtD;KACF;IAAC,OAAO,CAAC,EAAE;KAEX;IAKD,OAAO,MAAM,eAAe,CAAC,cAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;AAC5D,CAAC,CAAC;AAGK,KAAK,UAAU,cAAc,CAAC,UAAkB;IACrD,MAAM,eAAe,GAAG,MAAM,eAAe,CAAC,UAAU,CAAC,CAAC;IAE1D,IAAI,CAAC,eAAe,EAAE;QACpB,MAAM,IAAI,KAAK,CAAC,8BAA8B,UAAU,EAAE,CAAC,CAAC;KAC7D;IAED,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,eAAe,CAAC;IAExE,MAAM,WAAW,GAAG,cAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAGlD,WAAW,CAAC,YAAY,GAAG;QACzB,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,YAAY,CAAC,CAAC,IAAI,EAAE,CAAC;KAClE,CAAC,MAAM,CAAC,OAAO,CAAQ,CAAC;IAEzB,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CACpC,CACE,MAAM,aAAE,CAAC,OAAO,CAAC,WAAW,CAAC,CAC9B;SACE,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;SAClD,IAAI,EAAE;SACN,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;QACxB,QAAQ;QACR,OAAO,EAAE,MAAM,iBAAiB,CAAC,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;KACnE,CAAC,CAAC,CACN,CAAC;IAEF,OAAO;QACL,IAAI,EAAE,WAAW,CAAC,IAAI;QACtB,OAAO,EAAE,WAAW,CAAC,OAAO;QAC5B,OAAO,EAAE,WAAW,CAAC,OAAO;QAC5B,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,IAAI,EAAE,WAAW;QACjB,YAAY;KACb,CAAC;AACJ,CAAC;AApCD,wCAoCC"}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export { WebpackDependenciesPlugin } from './webpack-dependencies-plugin';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC"}

package/dist/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebpackDependenciesPlugin = void 0;
+var webpack_dependencies_plugin_1 = require("./webpack-dependencies-plugin");
+Object.defineProperty(exports, "WebpackDependenciesPlugin", { enumerable: true, get: function () { return webpack_dependencies_plugin_1.WebpackDependenciesPlugin; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAA,6EAA0E;AAAjE,wIAAA,yBAAyB,OAAA"}

package/dist/load-dependency-files.d.ts

@@ -0,0 +1,5 @@
+export declare function loadDependencyFiles<T extends {
+    name: string;
+    version: string;
+}>(files: string[]): Promise<T[]>;
+//# sourceMappingURL=load-dependency-files.d.ts.map

package/dist/load-dependency-files.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"load-dependency-files.d.ts","sourceRoot":"","sources":["../src/load-dependency-files.ts"],"names":[],"mappings":"AAGA,wBAAsB,mBAAmB,CACvC,CAAC,SAAS;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,EAC3C,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,EAAE,CAAC,CAkB/B"}

package/dist/load-dependency-files.js

@@ -0,0 +1,15 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadDependencyFiles = void 0;
+const fs_1 = require("fs");
+const lodash_1 = __importDefault(require("lodash"));
+async function loadDependencyFiles(files) {
+    const data = (await Promise.all(files.map(async (fileName) => JSON.parse(await fs_1.promises.readFile(fileName, 'utf-8'))))).flat();
+    const uniqueData = lodash_1.default.uniqBy(data, ({ name, version }) => `${name}@${version}`);
+    return lodash_1.default.sortBy(uniqueData, ({ name, version }) => `${name}@${version}`);
+}
+exports.loadDependencyFiles = loadDependencyFiles;
+//# sourceMappingURL=load-dependency-files.js.map

package/dist/load-dependency-files.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"load-dependency-files.js","sourceRoot":"","sources":["../src/load-dependency-files.ts"],"names":[],"mappings":";;;;;;AAAA,2BAAoC;AACpC,oDAAuB;AAEhB,KAAK,UAAU,mBAAmB,CAEvC,KAAe;IACf,MAAM,IAAI,GAAG,CACX,MAAM,OAAO,CAAC,GAAG,CACf,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAC3B,IAAI,CAAC,KAAK,CAAC,MAAM,aAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CACjD,CACF,CACF,CAAC,IAAI,EAAE,CAAC;IAET,MAAM,UAAU,GAAG,gBAAC,CAAC,MAAM,CACzB,IAAI,EACJ,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,GAAG,IAAc,IAAI,OAAiB,EAAE,CAChE,CAAC;IAEF,OAAO,gBAAC,CAAC,MAAM,CACb,UAAU,EACV,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,GAAG,IAAc,IAAI,OAAiB,EAAE,CAChE,CAAC;AACJ,CAAC;AApBD,kDAoBC"}

package/dist/production-deps.d.ts

@@ -0,0 +1,3 @@
+export declare function findPackageLocation(packageName: string): string;
+export declare function findAllProdDepsTreeLocations(): string[];
+//# sourceMappingURL=production-deps.d.ts.map

package/dist/production-deps.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"production-deps.d.ts","sourceRoot":"","sources":["../src/production-deps.ts"],"names":[],"mappings":"AAeA,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,UAWtD;AAiBD,wBAAgB,4BAA4B,IAAI,MAAM,EAAE,CA6CvD"}

package/dist/production-deps.js

@@ -0,0 +1,81 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.findAllProdDepsTreeLocations = exports.findPackageLocation = void 0;
+const path_1 = __importDefault(require("path"));
+const find_up_1 = __importDefault(require("find-up"));
+const fs_1 = __importDefault(require("fs"));
+function resolvePackage(packageName) {
+    const resolved = require.resolve(packageName);
+    if (resolved === packageName) {
+        return require.resolve(packageName + '/');
+    }
+    return resolved;
+}
+function findPackageLocation(packageName) {
+    const packageJsonPath = find_up_1.default.sync('package.json', {
+        cwd: resolvePackage(packageName),
+        allowSymlinks: false,
+    });
+    if (!packageJsonPath) {
+        throw new Error(`Failed to find package.json for ${packageName}`);
+    }
+    return path_1.default.dirname(packageJsonPath);
+}
+exports.findPackageLocation = findPackageLocation;
+function getProductionDeps(packageLocation) {
+    const packageJsonPath = path_1.default.join(packageLocation, 'package.json');
+    let dependencies = {};
+    let optionalDependencies = {};
+    try {
+        const packageJsonContents = fs_1.default.readFileSync(packageJsonPath, 'utf8');
+        const packageJson = JSON.parse(packageJsonContents);
+        dependencies = packageJson.dependencies || {};
+        optionalDependencies = packageJson.optionalDependencies || {};
+    }
+    catch (err) {
+        console.error(`Failed to read package.json in ${packageLocation}`);
+    }
+    return { dependencies, optionalDependencies };
+}
+function findAllProdDepsTreeLocations() {
+    const rootPackageJsonPath = find_up_1.default.sync('package.json');
+    if (!rootPackageJsonPath) {
+        throw new Error('cannot find root package.json');
+    }
+    const root = path_1.default.dirname(rootPackageJsonPath);
+    const allLocations = new Set();
+    const visited = new Set();
+    const queue = [root];
+    while (queue.length > 0) {
+        const packageLocation = queue.shift();
+        if (!packageLocation) {
+            continue;
+        }
+        if (visited.has(packageLocation)) {
+            continue;
+        }
+        visited.add(packageLocation);
+        const { dependencies, optionalDependencies } = getProductionDeps(packageLocation);
+        [
+            ...Object.keys(dependencies),
+            ...Object.keys(optionalDependencies),
+        ].forEach((dep) => {
+            try {
+                const depLocation = findPackageLocation(dep);
+                if (depLocation) {
+                    allLocations.add(depLocation);
+                    queue.push(depLocation);
+                }
+            }
+            catch (error) {
+                console.error(`Warning: failed to resolve ${dep} from ${packageLocation}. This is normal if this dependency is optional. ${error.message}`);
+            }
+        });
+    }
+    return Array.from(allLocations);
+}
+exports.findAllProdDepsTreeLocations = findAllProdDepsTreeLocations;
+//# sourceMappingURL=production-deps.js.map

package/dist/production-deps.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"production-deps.js","sourceRoot":"","sources":["../src/production-deps.ts"],"names":[],"mappings":";;;;;;AAAA,gDAAwB;AACxB,sDAA6B;AAC7B,4CAAoB;AAEpB,SAAS,cAAc,CAAC,WAAmB;IACzC,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;IAG9C,IAAI,QAAQ,KAAK,WAAW,EAAE;QAC5B,OAAO,OAAO,CAAC,OAAO,CAAC,WAAW,GAAG,GAAG,CAAC,CAAC;KAC3C;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAgB,mBAAmB,CAAC,WAAmB;IACrD,MAAM,eAAe,GAAG,iBAAM,CAAC,IAAI,CAAC,cAAc,EAAE;QAClD,GAAG,EAAE,cAAc,CAAC,WAAW,CAAC;QAChC,aAAa,EAAE,KAAK;KACrB,CAAC,CAAC;IAEH,IAAI,CAAC,eAAe,EAAE;QACpB,MAAM,IAAI,KAAK,CAAC,mCAAmC,WAAW,EAAE,CAAC,CAAC;KACnE;IAED,OAAO,cAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;AACvC,CAAC;AAXD,kDAWC;AAED,SAAS,iBAAiB,CAAC,eAAuB;IAChD,MAAM,eAAe,GAAG,cAAI,CAAC,IAAI,CAAC,eAAe,EAAE,cAAc,CAAC,CAAC;IACnE,IAAI,YAAY,GAAG,EAAE,CAAC;IACtB,IAAI,oBAAoB,GAAG,EAAE,CAAC;IAC9B,IAAI;QACF,MAAM,mBAAmB,GAAG,YAAE,CAAC,YAAY,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QACrE,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACpD,YAAY,GAAG,WAAW,CAAC,YAAY,IAAI,EAAE,CAAC;QAC9C,oBAAoB,GAAG,WAAW,CAAC,oBAAoB,IAAI,EAAE,CAAC;KAC/D;IAAC,OAAO,GAAG,EAAE;QACZ,OAAO,CAAC,KAAK,CAAC,kCAAkC,eAAe,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,CAAC;AAChD,CAAC;AAED,SAAgB,4BAA4B;IAC1C,MAAM,mBAAmB,GAAG,iBAAM,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACxD,IAAI,CAAC,mBAAmB,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;KAClD;IAED,MAAM,IAAI,GAAG,cAAI,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC/C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAE,CAAC;IAC1B,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,CAAC;IAErB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE;QACvB,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC;QACtC,IAAI,CAAC,eAAe,EAAE;YACpB,SAAS;SACV;QAED,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE;YAChC,SAAS;SACV;QACD,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAE7B,MAAM,EAAE,YAAY,EAAE,oBAAoB,EAAE,GAC1C,iBAAiB,CAAC,eAAe,CAAC,CAAC;QACrC;YACE,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC;YAC5B,GAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC;SACrC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YAChB,IAAI;gBACF,MAAM,WAAW,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;gBAC7C,IAAI,WAAW,EAAE;oBACf,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;oBAC9B,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;iBACzB;aACF;YAAC,OAAO,KAAK,EAAE;gBACd,OAAO,CAAC,KAAK,CACX,8BAA8B,GAAG,SAAS,eAAe,oDACtD,KAAe,CAAC,OACnB,EAAE,CACH,CAAC;aACH;QACH,CAAC,CAAC,CAAC;KACJ;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AAClC,CAAC;AA7CD,oEA6CC"}

package/dist/webpack-dependencies-plugin.d.ts

@@ -0,0 +1,18 @@
+import type { Compiler, WebpackPluginInstance } from 'webpack';
+declare type WebpackDependenciesPluginOptions = {
+    outputFilename?: string;
+    includePackages?: string[];
+    includeExternalProductionDependencies?: boolean;
+};
+export declare class WebpackDependenciesPlugin implements WebpackPluginInstance {
+    private options;
+    private readonly pluginName;
+    outputPath: string;
+    includePackages: string[];
+    resolvedModules: Set<string>;
+    constructor(options?: WebpackDependenciesPluginOptions);
+    private handleTap;
+    apply(compiler: Compiler): void;
+}
+export default WebpackDependenciesPlugin;
+//# sourceMappingURL=webpack-dependencies-plugin.d.ts.map

package/dist/webpack-dependencies-plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"webpack-dependencies-plugin.d.ts","sourceRoot":"","sources":["../src/webpack-dependencies-plugin.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAe,QAAQ,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAW5E,aAAK,gCAAgC,GAAG;IACtC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,qCAAqC,CAAC,EAAE,OAAO,CAAC;CACjD,CAAC;AAMF,qBAAa,yBAA0B,YAAW,qBAAqB;IAMzD,OAAO,CAAC,OAAO;IAL3B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAe;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,EAAE,CAAM;IAC/B,eAAe,cAAqB;gBAEhB,OAAO,GAAE,gCAAqC;IAWlE,OAAO,CAAC,SAAS,CAkBf;IAEF,KAAK,CAAC,QAAQ,EAAE,QAAQ,GAAG,IAAI;CAyBhC;AAED,eAAe,yBAAyB,CAAC"}

package/dist/webpack-dependencies-plugin.js

@@ -0,0 +1,59 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebpackDependenciesPlugin = void 0;
+const path_1 = __importDefault(require("path"));
+const fs_1 = require("fs");
+const lodash_1 = __importDefault(require("lodash"));
+const production_deps_1 = require("./production-deps");
+const get_package_info_1 = require("./get-package-info");
+const PLUGIN_NAME = 'WebpackDependenciesPlugin';
+class WebpackDependenciesPlugin {
+    constructor(options = {}) {
+        this.options = options;
+        this.pluginName = PLUGIN_NAME;
+        this.includePackages = [];
+        this.resolvedModules = new Set();
+        this.handleTap = (compilation) => {
+            for (const module of compilation.modules) {
+                const resource = module.resource;
+                if (resource) {
+                    const modulePath = resource;
+                    if (typeof modulePath === 'string') {
+                        this.resolvedModules.add(modulePath);
+                    }
+                }
+            }
+            for (const includedPackagePath of this.includePackages) {
+                const packageJsonPath = path_1.default.join(includedPackagePath, 'package.json');
+                if (packageJsonPath) {
+                    this.resolvedModules.add(packageJsonPath);
+                }
+            }
+        };
+        this.includePackages = [
+            ...(options.includeExternalProductionDependencies
+                ? (0, production_deps_1.findAllProdDepsTreeLocations)()
+                : []),
+            ...(options.includePackages || []).map(production_deps_1.findPackageLocation),
+        ];
+        this.outputPath = options.outputFilename || 'dependencies.json';
+    }
+    apply(compiler) {
+        compiler.hooks.shutdown.tapPromise(PLUGIN_NAME, async () => {
+            const dependencyList = await Promise.all(Array.from(this.resolvedModules).map(get_package_info_1.getPackageInfo));
+            const uniqueList = lodash_1.default.uniqBy(dependencyList, ({ name, version }) => `${name}@${version}`);
+            const sortedList = lodash_1.default.sortBy(uniqueList, ({ name, version }) => `${name}@${version}`);
+            await fs_1.promises.mkdir(path_1.default.dirname(path_1.default.resolve(this.outputPath)), {
+                recursive: true,
+            });
+            await fs_1.promises.writeFile(this.outputPath, JSON.stringify(sortedList, null, 2));
+        });
+        compiler.hooks.emit.tap(PLUGIN_NAME, this.handleTap);
+    }
+}
+exports.WebpackDependenciesPlugin = WebpackDependenciesPlugin;
+exports.default = WebpackDependenciesPlugin;
+//# sourceMappingURL=webpack-dependencies-plugin.js.map

package/dist/webpack-dependencies-plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"webpack-dependencies-plugin.js","sourceRoot":"","sources":["../src/webpack-dependencies-plugin.ts"],"names":[],"mappings":";;;;;;AAAA,gDAAwB;AACxB,2BAAoC;AAEpC,oDAAuB;AAEvB,uDAG2B;AAC3B,yDAAoD;AAEpD,MAAM,WAAW,GAAG,2BAA2B,CAAC;AAYhD,MAAa,yBAAyB;IAMpC,YAAoB,UAA4C,EAAE;QAA9C,YAAO,GAAP,OAAO,CAAuC;QALjD,eAAU,GAAG,WAAW,CAAC;QAE1C,oBAAe,GAAa,EAAE,CAAC;QAC/B,oBAAe,GAAG,IAAI,GAAG,EAAU,CAAC;QAa5B,cAAS,GAAG,CAAC,WAAwB,EAAE,EAAE;YAC/C,KAAK,MAAM,MAAM,IAAI,WAAW,CAAC,OAAO,EAAE;gBACxC,MAAM,QAAQ,GAAI,MAAyB,CAAC,QAAQ,CAAC;gBACrD,IAAI,QAAQ,EAAE;oBACZ,MAAM,UAAU,GAAG,QAAQ,CAAC;oBAC5B,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE;wBAClC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;qBACtC;iBACF;aACF;YAED,KAAK,MAAM,mBAAmB,IAAI,IAAI,CAAC,eAAe,EAAE;gBACtD,MAAM,eAAe,GAAG,cAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,cAAc,CAAC,CAAC;gBAEvE,IAAI,eAAe,EAAE;oBACnB,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;iBAC3C;aACF;QACH,CAAC,CAAC;QA5BA,IAAI,CAAC,eAAe,GAAG;YACrB,GAAG,CAAC,OAAO,CAAC,qCAAqC;gBAC/C,CAAC,CAAC,IAAA,8CAA4B,GAAE;gBAChC,CAAC,CAAC,EAAE,CAAC;YACP,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,qCAAmB,CAAC;SAC5D,CAAC;QAEF,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,cAAc,IAAI,mBAAmB,CAAC;IAClE,CAAC;IAsBD,KAAK,CAAC,QAAkB;QACtB,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,WAAW,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,GAAG,CACtC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,GAAG,CAAC,iCAAc,CAAC,CACrD,CAAC;YAEF,MAAM,UAAU,GAAG,gBAAC,CAAC,MAAM,CACzB,cAAc,EACd,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,CAC5C,CAAC;YAEF,MAAM,UAAU,GAAG,gBAAC,CAAC,MAAM,CACzB,UAAU,EACV,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,GAAG,IAAI,IAAI,OAAO,EAAE,CAC5C,CAAC;YAEF,MAAM,aAAE,CAAC,KAAK,CAAC,cAAI,CAAC,OAAO,CAAC,cAAI,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE;gBAC1D,SAAS,EAAE,IAAI;aAChB,CAAC,CAAC;YAEH,MAAM,aAAE,CAAC,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QAEH,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IACvD,CAAC;CACF;AA9DD,8DA8DC;AAED,kBAAe,yBAAyB,CAAC"}

package/package.json

@@ -0,0 +1,88 @@
+{
+  "name": "@mongodb-js/sbom-tools",
+  "description": "Reporting tools for 3rd party vulnerabilities and licenses",
+  "author": {
+    "name": "MongoDB Inc",
+    "email": "compass@mongodb.com"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "bin": {
+    "mongodb-sbom-tools": "./bin/mongodb-sbom-tools.js"
+  },
+  "bugs": {
+    "url": "https://jira.mongodb.org/projects/COMPASS/issues",
+    "email": "compass@mongodb.com"
+  },
+  "homepage": "https://github.com/mongodb-js/devtools-shared",
+  "version": "0.2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mongodb-js/devtools-shared.git"
+  },
+  "files": [
+    "dist"
+  ],
+  "license": "Apache-2.0",
+  "main": "dist/index.js",
+  "exports": {
+    "require": "./dist/index.js",
+    "import": "./dist/.esm-wrapper.mjs"
+  },
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "bootstrap": "npm run compile",
+    "prepublishOnly": "npm run compile",
+    "compile": "tsc -p tsconfig.json && gen-esm-wrapper . ./dist/.esm-wrapper.mjs",
+    "typecheck": "tsc --noEmit",
+    "eslint": "eslint",
+    "prettier": "prettier",
+    "lint": "npm run eslint . && npm run prettier -- --check .",
+    "depcheck": "depcheck",
+    "check": "npm run typecheck && npm run lint && npm run depcheck",
+    "check-ci": "npm run check",
+    "test": "mocha",
+    "test-cov": "nyc -x \"**/*.spec.*\" --reporter=lcov --reporter=text --reporter=html npm run test",
+    "test-watch": "npm run test -- --watch",
+    "test-ci": "npm run test-cov",
+    "reformat": "npm run prettier -- --write ."
+  },
+  "devDependencies": {
+    "@mongodb-js/eslint-config-devtools": "0.9.3",
+    "@mongodb-js/mocha-config-compass": "^0.10.0",
+    "@mongodb-js/prettier-config-compass": "^0.5.0",
+    "@mongodb-js/tsconfig-compass": "^0.6.0",
+    "@types/chai": "^4.2.21",
+    "@types/cross-spawn": "^6.0.2",
+    "@types/lodash": "^4.14.194",
+    "@types/mocha": "^9.0.0",
+    "@types/node": "^17.0.35",
+    "@types/node-fetch": "^2.6.3",
+    "@types/sinon-chai": "^3.2.5",
+    "@types/spdx-satisfies": "^0.1.0",
+    "chai": "^4.3.6",
+    "depcheck": "^1.4.1",
+    "eslint": "^7.25.0",
+    "gen-esm-wrapper": "^1.1.0",
+    "mocha": "^8.4.0",
+    "nyc": "^15.1.0",
+    "prettier": "2.3.2",
+    "sinon": "^9.2.3",
+    "typescript": "^4.3.5"
+  },
+  "dependencies": {
+    "@pkgjs/nv": "^0.2.1",
+    "chalk": "^4.1.2",
+    "commander": "^10.0.1",
+    "cross-spawn": "^7.0.3",
+    "find-up": "^4.1.0",
+    "lodash": "^4.17.21",
+    "node-fetch": "^2.6.7",
+    "semver": "^7.5.0",
+    "snyk-policy": "^2.0.4",
+    "spdx-satisfies": "^5.0.1",
+    "webpack": "^5.82.0"
+  },
+  "gitHead": "74f42368e64635116eff6ccaa0bdfbaf97ea0d14"
+}