@openrewrite/recipes-nodejs 0.36.0-20251211-172625 → 0.36.0-20251212-170419

package/src/security/dependency-vulnerability-check.ts

@@ -0,0 +1,934 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Moderne Proprietary. Only for use by Moderne customers under the terms of a commercial contract.
+ */
+
+import {Column, DataTable, ExecutionContext, Option, Recipe, ScanningRecipe, Tree, TreeVisitor, markupWarn} from "@openrewrite/rewrite";
+import {getMemberKeyName, isLiteral, Json, JsonParser, JsonVisitor, isJson} from "@openrewrite/rewrite/json";
+import {TreePrinters} from "@openrewrite/rewrite";
+import {PlainText, PlainTextParser, isPlainText} from "@openrewrite/rewrite/text";
+import {isDocuments, isYaml, Yaml, YamlParser} from "@openrewrite/rewrite/yaml";
+import {
+    DependencyScope,
+    findNodeResolutionResult,
+    ResolvedDependency,
+    PackageManager,
+    createDependencyRecipeAccumulator,
+    DependencyRecipeAccumulator,
+    getUpdatedLockFileContent,
+    runInstallIfNeeded,
+    runInstallInTempDir,
+    storeInstallResult,
+    updateNodeResolutionMarker
+} from "@openrewrite/rewrite/javascript";
+import * as semver from "semver";
+import * as path from "path";
+import {parseSeverity, Severity, severityOrdinal, Vulnerability, VulnerabilityDatabase} from "./vulnerability";
+
+/**
+ * Maximum upgrade delta for version upgrades.
+ * Use 'none' to only report vulnerabilities without making any changes.
+ */
+export type UpgradeDelta = 'none' | 'patch' | 'minor' | 'major';
+
+/**
+ * Row for the vulnerability report data table.
+ */
+class VulnerabilityReportRow {
+    @Column({
+        displayName: "Source Path",
+        description: "Path to the package.json file where the vulnerability was found"
+    })
+    sourcePath!: string;
+
+    @Column({
+        displayName: "CVE",
+        description: "The CVE identifier of the vulnerability"
+    })
+    cve!: string;
+
+    @Column({
+        displayName: "Package",
+        description: "The name of the vulnerable package"
+    })
+    packageName!: string;
+
+    @Column({
+        displayName: "Version",
+        description: "The resolved version of the package"
+    })
+    version!: string;
+
+    @Column({
+        displayName: "Fixed Version",
+        description: "The version that fixes the vulnerability"
+    })
+    fixedVersion!: string;
+
+    @Column({
+        displayName: "Last Affected",
+        description: "The last version affected by the vulnerability"
+    })
+    lastAffectedVersion!: string;
+
+    @Column({
+        displayName: "Upgradeable",
+        description: "Whether the vulnerability can be fixed with a version upgrade within the maximum delta"
+    })
+    upgradeable!: boolean;
+
+    @Column({
+        displayName: "Summary",
+        description: "Brief description of the vulnerability"
+    })
+    summary!: string;
+
+    @Column({
+        displayName: "Severity",
+        description: "Severity level of the vulnerability"
+    })
+    severity!: string;
+
+    @Column({
+        displayName: "Depth",
+        description: "Depth in the dependency tree (0 = direct, 1+ = transitive)"
+    })
+    depth!: number;
+
+    @Column({
+        displayName: "CWEs",
+        description: "CWE identifiers associated with this vulnerability"
+    })
+    cwes!: string;
+
+    @Column({
+        displayName: "Is Direct",
+        description: "Whether this is a direct dependency"
+    })
+    isDirect!: boolean;
+
+    @Column({
+        displayName: "Dependency Path",
+        description: "Path showing how the vulnerable dependency is brought in (e.g., 'dependencies > lodash@4.0.0 > vulnerable-pkg@1.0.0')"
+    })
+    dependencyPath!: string;
+
+    constructor(
+        sourcePath: string,
+        cve: string,
+        packageName: string,
+        version: string,
+        fixedVersion: string,
+        lastAffectedVersion: string,
+        upgradeable: boolean,
+        summary: string,
+        severity: string,
+        depth: number,
+        cwes: string,
+        isDirect: boolean,
+        dependencyPath: string
+    ) {
+        this.sourcePath = sourcePath;
+        this.cve = cve;
+        this.packageName = packageName;
+        this.version = version;
+        this.fixedVersion = fixedVersion;
+        this.lastAffectedVersion = lastAffectedVersion;
+        this.upgradeable = upgradeable;
+        this.summary = summary;
+        this.severity = severity;
+        this.depth = depth;
+        this.cwes = cwes;
+        this.isDirect = isDirect;
+        this.dependencyPath = dependencyPath;
+    }
+}
+
+/**
+ * Represents a segment in the dependency path.
+ */
+interface PathSegment {
+    name: string;
+    version: string;
+}
+
+/**
+ * Represents a vulnerable dependency found during scanning.
+ */
+interface VulnerableDependency {
+    /** The resolved dependency that is vulnerable */
+    resolved: ResolvedDependency;
+    /** The vulnerability affecting it */
+    vulnerability: Vulnerability;
+    /** Depth in dependency tree (0 = direct) */
+    depth: number;
+    /** Whether this is a direct dependency */
+    isDirect: boolean;
+    /** The scope where this dependency was found (for direct deps) */
+    scope?: DependencyScope;
+    /** Path from root to this dependency */
+    path: PathSegment[];
+}
+
+/**
+ * Represents a fix to apply for a vulnerability.
+ */
+interface VulnerabilityFix {
+    /** Package name to upgrade */
+    packageName: string;
+    /** Version to upgrade to */
+    newVersion: string;
+    /** Whether this is a transitive dependency fix */
+    isTransitive: boolean;
+    /** CVEs this fix resolves */
+    cves: string[];
+    /** The scope where this dependency was found (for direct deps) */
+    scope?: DependencyScope;
+}
+
+/**
+ * Project info for lock file updates.
+ */
+interface ProjectUpdateInfo {
+    /** Absolute path to the project directory */
+    projectDir: string;
+    /** Relative path to package.json (from source root) */
+    packageJsonPath: string;
+    /** Original package.json content */
+    originalPackageJson: string;
+    /** The package manager used by this project */
+    packageManager: PackageManager;
+}
+
+/**
+ * Accumulator for the scanning recipe.
+ */
+interface Accumulator extends DependencyRecipeAccumulator<ProjectUpdateInfo> {
+    /** Vulnerability database */
+    db: VulnerabilityDatabase;
+    /** Vulnerable dependencies found, grouped by package.json path */
+    vulnerableByProject: Map<string, VulnerableDependency[]>;
+    /** Fixes to apply, grouped by package.json path */
+    fixesByProject: Map<string, VulnerabilityFix[]>;
+}
+
+/**
+ * Finds and fixes vulnerable npm dependencies.
+ *
+ * This software composition analysis (SCA) tool detects and upgrades dependencies with publicly
+ * disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and
+ * upgrades to newer versions with fixes.
+ *
+ * This recipe by default only upgrades to the latest **patch** version. If a minor or major upgrade
+ * is required to reach the fixed version, this can be controlled using the `maximumUpgradeDelta` option.
+ *
+ * Vulnerability information comes from the GitHub Security Advisory Database,
+ * which aggregates vulnerability data from several public databases, including
+ * the National Vulnerability Database maintained by the United States government.
+ */
+export class DependencyVulnerabilityCheck extends ScanningRecipe<Accumulator> {
+    readonly name = "org.openrewrite.node.dependency-vulnerability-check";
+    readonly displayName = "Find and fix vulnerable npm dependencies";
+    readonly description = "This software composition analysis (SCA) tool detects and upgrades dependencies with publicly " +
+        "disclosed vulnerabilities. This recipe both generates a report of vulnerable dependencies and " +
+        "upgrades to newer versions with fixes. This recipe by default only upgrades to the latest **patch** version. " +
+        "If a minor or major upgrade is required to reach the fixed version, this can be controlled using the `maximumUpgradeDelta` option. " +
+        "Vulnerability information comes from the GitHub Security Advisory Database.";
+
+    private readonly vulnerabilityReport = new DataTable<VulnerabilityReportRow>(
+        "org.openrewrite.nodejs.table.VulnerabilityReport",
+        "Vulnerability Report",
+        "Lists all vulnerabilities found in project dependencies.",
+        VulnerabilityReportRow
+    );
+
+    @Option({
+        displayName: "Scope",
+        description: "Match dependencies with the specified scope. Default includes all scopes. " +
+            "Use 'dependencies' for production dependencies, 'devDependencies' for development only, etc.",
+        required: false,
+        example: "dependencies",
+        valid: ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"]
+    })
+    scope?: DependencyScope;
+
+    @Option({
+        displayName: "Override transitives",
+        description: "When enabled, transitive dependencies with vulnerabilities will have their versions overridden " +
+            "using npm overrides, yarn resolutions, or pnpm overrides. " +
+            "By default only direct dependencies have their version numbers upgraded.",
+        required: false,
+        example: "true"
+    })
+    overrideTransitive?: boolean;
+
+    @Option({
+        displayName: "Maximum upgrade delta",
+        description: "The maximum difference to allow when upgrading a dependency version. " +
+            "Use 'none' to only report vulnerabilities without making any changes. " +
+            "Patch version upgrades are the default and safest option. " +
+            "Minor version upgrades can introduce new features but typically no breaking changes. " +
+            "Major version upgrades may require code changes.",
+        required: false,
+        example: "patch",
+        valid: ["none", "patch", "minor", "major"]
+    })
+    maximumUpgradeDelta?: UpgradeDelta;
+
+    @Option({
+        displayName: "Minimum severity",
+        description: "Only fix vulnerabilities with a severity level equal to or higher than the specified minimum. " +
+            "Vulnerabilities are classified as LOW, MODERATE, HIGH, or CRITICAL based on their potential impact. " +
+            "Default is LOW, which includes all severity levels.",
+        required: false,
+        example: "MODERATE",
+        valid: ["LOW", "MODERATE", "HIGH", "CRITICAL"]
+    })
+    minimumSeverity?: string;
+
+    @Option({
+        displayName: "CVE pattern",
+        description: "Only fix vulnerabilities matching this regular expression pattern. " +
+            "This allows filtering to specific CVEs or CVE ranges. " +
+            "For example, 'CVE-2023-.*' will only check for CVEs from 2023. " +
+            "If not specified, all CVEs will be checked.",
+        required: false,
+        example: "CVE-2023-.*"
+    })
+    cvePattern?: string;
+
+    initialValue(_ctx: ExecutionContext): Accumulator {
+        return {
+            // DependencyRecipeAccumulator fields
+            ...createDependencyRecipeAccumulator<ProjectUpdateInfo>(),
+            // Our custom fields
+            db: VulnerabilityDatabase.load(),
+            vulnerableByProject: new Map(),
+            fixesByProject: new Map()
+        };
+    }
+
+    private getMinimumSeverity(): Severity {
+        return this.minimumSeverity ? parseSeverity(this.minimumSeverity) : Severity.LOW;
+    }
+
+    private getMaximumUpgradeDelta(): UpgradeDelta {
+        return this.maximumUpgradeDelta || 'patch';
+    }
+
+    private isReportOnly(): boolean {
+        return this.getMaximumUpgradeDelta() === 'none';
+    }
+
+    /**
+     * Checks if a vulnerability matches the CVE pattern filter.
+     */
+    private matchesCvePattern(vulnerability: Vulnerability): boolean {
+        if (!this.cvePattern) {
+            return true;
+        }
+        try {
+            const regex = new RegExp(this.cvePattern);
+            return regex.test(vulnerability.cve);
+        } catch {
+            return true; // Invalid regex, don't filter
+        }
+    }
+
+    /**
+     * Checks if a version is affected by a vulnerability.
+     */
+    private isVersionAffected(version: string, vulnerability: Vulnerability): boolean {
+        try {
+            const v = semver.parse(version);
+            if (!v) return false;
+
+            // Check introduced version
+            if (vulnerability.introducedVersion && vulnerability.introducedVersion !== '0') {
+                const introduced = semver.parse(vulnerability.introducedVersion);
+                if (introduced && semver.lt(v, introduced)) {
+                    return false; // Version is before the vulnerability was introduced
+                }
+            }
+
+            // Check if fixed
+            if (vulnerability.fixedVersion) {
+                const fixed = semver.parse(vulnerability.fixedVersion);
+                if (fixed && semver.gte(v, fixed)) {
+                    return false; // Version is at or after the fix
+                }
+                return true; // Version is in the vulnerable range
+            }
+
+            // Check last affected version
+            if (vulnerability.lastAffectedVersion) {
+                const lastAffected = semver.parse(vulnerability.lastAffectedVersion);
+                if (lastAffected && semver.gt(v, lastAffected)) {
+                    return false; // Version is after the last affected
+                }
+                return true;
+            }
+
+            return true; // No fix information, assume vulnerable
+        } catch {
+            return false; // Invalid version, skip
+        }
+    }
+
+    /**
+     * Checks if a vulnerability can be fixed within the maximum upgrade delta.
+     */
+    private isUpgradeableWithinDelta(currentVersion: string, vulnerability: Vulnerability): boolean {
+        if (this.isReportOnly()) {
+            return false;
+        }
+
+        try {
+            const current = semver.parse(currentVersion);
+            if (!current) return false;
+
+            const delta = this.getMaximumUpgradeDelta();
+
+            // If we have a fixed version, check if it's reachable within delta
+            if (vulnerability.fixedVersion) {
+                const fixed = semver.parse(vulnerability.fixedVersion);
+                if (!fixed) return false;
+
+                switch (delta) {
+                    case 'patch':
+                        return current.major === fixed.major && current.minor === fixed.minor;
+                    case 'minor':
+                        return current.major === fixed.major;
+                    case 'major':
+                        return true;
+                    case 'none':
+                        return false;
+                }
+            }
+
+            // If we only have lastAffectedVersion, check if upgrading within delta
+            // could get us past it (i.e., to a non-vulnerable version)
+            if (vulnerability.lastAffectedVersion) {
+                const lastAffected = semver.parse(vulnerability.lastAffectedVersion);
+                if (!lastAffected) return false;
+
+                switch (delta) {
+                    case 'patch':
+                        return current.major === lastAffected.major &&
+                               current.minor === lastAffected.minor;
+                    case 'minor':
+                        return current.major === lastAffected.major;
+                    case 'major':
+                        return true;
+                    case 'none':
+                        return false;
+                }
+            }
+
+            return false;
+        } catch {
+            return false;
+        }
+    }
+
+    /**
+     * Gets the version to upgrade to for a vulnerability.
+     */
+    private getUpgradeVersion(vulnerability: Vulnerability): string | undefined {
+        if (vulnerability.fixedVersion) {
+            return vulnerability.fixedVersion;
+        }
+        // For lastAffectedVersion, we need the next version after it
+        // We can't determine this exactly, so return undefined and let the
+        // upgrade recipe handle version selection
+        return undefined;
+    }
+
+    /**
+     * Renders a dependency path as a string.
+     * Example: "dependencies > lodash@4.17.20 > vulnerable-pkg@1.0.0"
+     */
+    private renderPath(scope: DependencyScope | undefined, path: PathSegment[]): string {
+        const parts: string[] = [];
+        if (scope) {
+            parts.push(scope);
+        }
+        for (const seg of path) {
+            parts.push(`${seg.name}@${seg.version}`);
+        }
+        return parts.join(' > ');
+    }
+
+    /**
+     * Finds vulnerabilities in a resolved dependency and its transitives.
+     */
+    private findVulnerabilities(
+        resolved: ResolvedDependency,
+        db: VulnerabilityDatabase,
+        depth: number,
+        isDirect: boolean,
+        scope: DependencyScope | undefined,
+        path: PathSegment[],
+        visited: Set<string>,
+        results: VulnerableDependency[]
+    ): void {
+        const key = `${resolved.name}@${resolved.version}`;
+        if (visited.has(key)) return;
+        visited.add(key);
+
+        // Build current path
+        const currentPath = [...path, { name: resolved.name, version: resolved.version }];
+
+        // Check for vulnerabilities in this package
+        const vulns = db.getVulnerabilities(resolved.name);
+        for (const vuln of vulns) {
+            // Filter by severity
+            if (severityOrdinal(vuln.severity) < severityOrdinal(this.getMinimumSeverity())) {
+                continue;
+            }
+
+            // Filter by CVE pattern
+            if (!this.matchesCvePattern(vuln)) {
+                continue;
+            }
+
+            // Check if this version is affected
+            if (this.isVersionAffected(resolved.version, vuln)) {
+                results.push({
+                    resolved,
+                    vulnerability: vuln,
+                    depth,
+                    isDirect,
+                    scope,
+                    path: currentPath
+                });
+            }
+        }
+
+        // Recurse into transitive dependencies if overrideTransitive is enabled
+        if (this.overrideTransitive) {
+            const transitives = [
+                ...(resolved.dependencies || []),
+                ...(resolved.devDependencies || []),
+                ...(resolved.peerDependencies || []),
+                ...(resolved.optionalDependencies || [])
+            ];
+
+            for (const dep of transitives) {
+                if (dep.resolved) {
+                    this.findVulnerabilities(
+                        dep.resolved,
+                        db,
+                        depth + 1,
+                        false,
+                        scope, // Keep original scope for path rendering
+                        currentPath,
+                        visited,
+                        results
+                    );
+                }
+            }
+        }
+    }
+
+    /**
+     * Computes the fixes to apply for the vulnerabilities found.
+     * Groups vulnerabilities by package and determines the best fix version.
+     */
+    private computeFixes(vulnerabilities: VulnerableDependency[]): VulnerabilityFix[] {
+        if (this.isReportOnly()) {
+            return [];
+        }
+
+        // Group vulnerabilities by package name
+        const byPackage = new Map<string, VulnerableDependency[]>();
+        for (const vuln of vulnerabilities) {
+            const existing = byPackage.get(vuln.resolved.name) || [];
+            existing.push(vuln);
+            byPackage.set(vuln.resolved.name, existing);
+        }
+
+        const fixes: VulnerabilityFix[] = [];
+
+        for (const [packageName, vulns] of byPackage) {
+            // Find the highest fix version needed across all vulnerabilities for this package
+            let highestFixVersion: string | undefined;
+            const cves: string[] = [];
+            let isTransitive = true;
+            let scope: DependencyScope | undefined;
+
+            for (const vuln of vulns) {
+                // Check if upgradeable within delta
+                if (!this.isUpgradeableWithinDelta(vuln.resolved.version, vuln.vulnerability)) {
+                    continue;
+                }
+
+                const fixVersion = this.getUpgradeVersion(vuln.vulnerability);
+                if (fixVersion) {
+                    if (!highestFixVersion || semver.gt(fixVersion, highestFixVersion)) {
+                        highestFixVersion = fixVersion;
+                    }
+                }
+
+                cves.push(vuln.vulnerability.cve);
+
+                if (vuln.isDirect) {
+                    isTransitive = false;
+                    scope = vuln.scope;
+                }
+            }
+
+            if (highestFixVersion && cves.length > 0) {
+                fixes.push({
+                    packageName,
+                    newVersion: highestFixVersion,
+                    isTransitive,
+                    cves,
+                    scope
+                });
+            }
+        }
+
+        return fixes;
+    }
+
+    async scanner(acc: Accumulator): Promise<TreeVisitor<any, ExecutionContext>> {
+        const recipe = this;
+
+        return new class extends JsonVisitor<ExecutionContext> {
+            protected async visitDocument(doc: Json.Document, _ctx: ExecutionContext): Promise<Json | undefined> {
+                // Only process package.json files
+                if (!doc.sourcePath.endsWith('package.json')) {
+                    return doc;
+                }
+
+                const marker = findNodeResolutionResult(doc);
+                if (!marker) {
+                    return doc;
+                }
+
+                const vulnerabilities: VulnerableDependency[] = [];
+                const visited = new Set<string>();
+
+                // Determine which scopes to check
+                const scopesToCheck: DependencyScope[] = recipe.scope
+                    ? [recipe.scope]
+                    : ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];
+
+                for (const scope of scopesToCheck) {
+                    const deps = marker[scope] || [];
+                    for (const dep of deps) {
+                        if (dep.resolved) {
+                            recipe.findVulnerabilities(
+                                dep.resolved,
+                                acc.db,
+                                0,
+                                true,
+                                scope,
+                                [], // Start with empty path
+                                visited,
+                                vulnerabilities
+                            );
+                        }
+                    }
+                }
+
+                if (vulnerabilities.length > 0) {
+                    acc.vulnerableByProject.set(doc.sourcePath, vulnerabilities);
+
+                    // Compute fixes
+                    const fixes = recipe.computeFixes(vulnerabilities);
+                    if (fixes.length > 0) {
+                        acc.fixesByProject.set(doc.sourcePath, fixes);
+
+                        // Store project info for lock file updates
+                        const projectDir = path.dirname(path.resolve(doc.sourcePath));
+                        const pm = marker.packageManager ?? PackageManager.Npm;
+
+                        acc.projectsToUpdate.set(doc.sourcePath, {
+                            projectDir,
+                            packageJsonPath: doc.sourcePath,
+                            originalPackageJson: await this.printDocument(doc),
+                            packageManager: pm
+                        });
+                    }
+                }
+
+                return doc;
+            }
+
+            private async printDocument(doc: Json.Document): Promise<string> {
+                return TreePrinters.print(doc);
+            }
+        };
+    }
+
+    /**
+     * Returns sub-recipes to apply the fixes.
+     */
+    async getRecipeList(): Promise<Recipe[]> {
+        // This method is called before scanning, so we can't return fix recipes here.
+        // Instead, we'll apply fixes in the editor phase.
+        return [];
+    }
+
+    async editorWithData(acc: Accumulator): Promise<TreeVisitor<any, ExecutionContext>> {
+        const recipe = this;
+
+        // YAML lock file names (pnpm-lock.yaml, and yarn.lock for Berry)
+        const YAML_LOCK_FILES = ['pnpm-lock.yaml', 'yarn.lock'];
+
+        // Use a TreeVisitor that handles JSON, YAML, and PlainText lock files
+        return new class extends TreeVisitor<Tree, ExecutionContext> {
+            protected async accept(tree: Tree, ctx: ExecutionContext): Promise<Tree | undefined> {
+                // Handle JSON documents (package.json and JSON lock files like bun.lock, package-lock.json)
+                if (isJson(tree) && tree.kind === Json.Kind.Document) {
+                    return this.handleJsonDocument(tree as Json.Document, ctx);
+                }
+
+                // Handle YAML documents (pnpm-lock.yaml and Yarn Berry yarn.lock)
+                if (isYaml(tree) && isDocuments(tree)) {
+                    const basename = path.basename(tree.sourcePath);
+                    if (YAML_LOCK_FILES.includes(basename)) {
+                        return this.handleYamlLockFile(tree, ctx);
+                    }
+                }
+
+                // Handle PlainText files only for Yarn Classic yarn.lock
+                if (isPlainText(tree)) {
+                    const basename = path.basename(tree.sourcePath);
+                    if (basename === 'yarn.lock') {
+                        return this.handlePlainTextLockFile(tree as PlainText, ctx);
+                    }
+                }
+
+                return tree;
+            }
+
+            private async handleJsonDocument(doc: Json.Document, ctx: ExecutionContext): Promise<Json | undefined> {
+                const sourcePath = doc.sourcePath;
+
+                // Handle package.json files
+                if (sourcePath.endsWith('package.json')) {
+                    return this.handlePackageJson(doc, ctx);
+                }
+
+                // Handle JSON lock files (bun.lock, package-lock.json)
+                const updatedLockContent = getUpdatedLockFileContent(sourcePath, acc);
+                if (updatedLockContent) {
+                    return await new JsonParser({}).parseOne({
+                        text: updatedLockContent,
+                        sourcePath: doc.sourcePath
+                    }) as Json.Document;
+                }
+
+                return doc;
+            }
+
+            private async handleYamlLockFile(docs: Yaml.Documents, _ctx: ExecutionContext): Promise<Yaml.Documents | undefined> {
+                const sourcePath = docs.sourcePath;
+
+                // Handle YAML lock files (pnpm-lock.yaml, Yarn Berry yarn.lock)
+                const updatedLockContent = getUpdatedLockFileContent(sourcePath, acc);
+                if (updatedLockContent) {
+                    return await new YamlParser({}).parseOne({
+                        text: updatedLockContent,
+                        sourcePath: docs.sourcePath
+                    }) as Yaml.Documents;
+                }
+
+                return docs;
+            }
+
+            private async handlePlainTextLockFile(text: PlainText, _ctx: ExecutionContext): Promise<PlainText | undefined> {
+                const sourcePath = text.sourcePath;
+
+                // Handle Yarn Classic yarn.lock (plain text format)
+                const updatedLockContent = getUpdatedLockFileContent(sourcePath, acc);
+                if (updatedLockContent) {
+                    // Parse as plain text and return with new content
+                    const parsed = await new PlainTextParser({}).parseOne({
+                        text: updatedLockContent,
+                        sourcePath: text.sourcePath
+                    });
+                    return parsed as PlainText;
+                }
+
+                return text;
+            }
+
+            private async handlePackageJson(doc: Json.Document, ctx: ExecutionContext): Promise<Json | undefined> {
+                const vulnerabilities = acc.vulnerableByProject.get(doc.sourcePath);
+                if (!vulnerabilities || vulnerabilities.length === 0) {
+                    return doc;
+                }
+
+                // Insert rows into the data table for each vulnerability
+                for (const vuln of vulnerabilities) {
+                    const upgradeable = recipe.isUpgradeableWithinDelta(
+                        vuln.resolved.version,
+                        vuln.vulnerability
+                    );
+
+                    recipe.vulnerabilityReport.insertRow(ctx, new VulnerabilityReportRow(
+                        doc.sourcePath,
+                        vuln.vulnerability.cve,
+                        vuln.resolved.name,
+                        vuln.resolved.version,
+                        vuln.vulnerability.fixedVersion || '',
+                        vuln.vulnerability.lastAffectedVersion || '',
+                        upgradeable,
+                        vuln.vulnerability.summary,
+                        vuln.vulnerability.severity,
+                        vuln.depth,
+                        vuln.vulnerability.cwes,
+                        vuln.isDirect,
+                        recipe.renderPath(vuln.scope, vuln.path)
+                    ));
+                }
+
+                // Apply fixes if not in report-only mode
+                if (recipe.isReportOnly()) {
+                    return doc;
+                }
+
+                const fixes = acc.fixesByProject.get(doc.sourcePath);
+                const updateInfo = acc.projectsToUpdate.get(doc.sourcePath);
+                if (!fixes || fixes.length === 0 || !updateInfo) {
+                    return doc;
+                }
+
+                // Run package manager install if needed
+                const failureMessage = await runInstallIfNeeded(doc.sourcePath, acc, () =>
+                    recipe.runPackageManagerInstall(acc, updateInfo, fixes)
+                );
+                if (failureMessage) {
+                    return markupWarn(
+                        doc,
+                        `Failed to fix vulnerabilities in ${doc.sourcePath}`,
+                        failureMessage
+                    );
+                }
+
+                // Update the dependency versions in the JSON AST (preserves formatting)
+                let result: Json.Document = doc;
+                for (const fix of fixes) {
+                    if (!fix.isTransitive && fix.scope) {
+                        const visitor = new UpdateVersionVisitor(
+                            fix.packageName,
+                            fix.newVersion,
+                            fix.scope
+                        );
+                        result = await visitor.visit(result, undefined) as Json.Document;
+                    }
+                }
+
+                // Update the NodeResolutionResult marker
+                return updateNodeResolutionMarker(result, updateInfo, acc);
+            }
+        };
+    }
+
+    /**
+     * Runs the package manager in a temporary directory to update the lock file.
+     * Writes a modified package.json with all new versions, then runs install.
+     */
+    private async runPackageManagerInstall(
+        acc: Accumulator,
+        updateInfo: ProjectUpdateInfo,
+        fixes: VulnerabilityFix[]
+    ): Promise<void> {
+        // Create modified package.json with all the new version constraints
+        const modifiedPackageJson = this.createModifiedPackageJson(
+            updateInfo.originalPackageJson,
+            fixes
+        );
+
+        const result = await runInstallInTempDir(
+            updateInfo.projectDir,
+            updateInfo.packageManager,
+            modifiedPackageJson
+        );
+
+        storeInstallResult(result, acc, updateInfo, modifiedPackageJson);
+    }
+
+    /**
+     * Creates a modified package.json with all the updated dependency versions.
+     */
+    private createModifiedPackageJson(
+        originalContent: string,
+        fixes: VulnerabilityFix[]
+    ): string {
+        const packageJson = JSON.parse(originalContent);
+
+        for (const fix of fixes) {
+            if (!fix.isTransitive && fix.scope) {
+                if (packageJson[fix.scope] && packageJson[fix.scope][fix.packageName]) {
+                    packageJson[fix.scope][fix.packageName] = fix.newVersion;
+                }
+            }
+        }
+
+        return JSON.stringify(packageJson, null, 2);
+    }
+}
+
+/**
+ * Visitor that updates the version of a specific dependency in a specific scope.
+ */
+class UpdateVersionVisitor extends JsonVisitor<void> {
+    private readonly packageName: string;
+    private readonly newVersion: string;
+    private readonly targetScope: DependencyScope;
+    private inTargetScope = false;
+
+    constructor(packageName: string, newVersion: string, targetScope: DependencyScope) {
+        super();
+        this.packageName = packageName;
+        this.newVersion = newVersion;
+        this.targetScope = targetScope;
+    }
+
+    protected async visitMember(member: Json.Member, p: void): Promise<Json | undefined> {
+        // Check if we're entering the target scope
+        const keyName = getMemberKeyName(member);
+
+        if (keyName === this.targetScope) {
+            // We're entering the dependencies scope
+            this.inTargetScope = true;
+            const result = await super.visitMember(member, p);
+            this.inTargetScope = false;
+            return result;
+        }
+
+        // Check if this is the dependency we're looking for
+        if (this.inTargetScope && keyName === this.packageName) {
+            // Update the version value
+            return this.updateVersion(member);
+        }
+
+        return super.visitMember(member, p);
+    }
+
+    private updateVersion(member: Json.Member): Json.Member {
+        const value = member.value;
+
+        if (!isLiteral(value)) {
+            return member; // Not a literal value, can't update
+        }
+
+        // Create new literal with updated version
+        const newLiteral: Json.Literal = {
+            ...value,
+            source: `"${this.newVersion}"`,
+            value: this.newVersion
+        };
+
+        return {
+            ...member,
+            value: newLiteral
+        };
+    }
+}