@openrewrite/recipes-nodejs 0.37.0-20260106-082310 → 0.37.0-20260106-104324

package/src/security/remove-redundant-overrides.ts

@@ -21,22 +21,12 @@ import {
 } from "@openrewrite/rewrite/javascript";
 import * as semver from "semver";
 import {extractVersionFromLockFile} from "./npm-utils";
-
-/**
- * Information about an override that might be redundant.
- */
-interface OverrideInfo {
-    /** The package name (or version-specific key like "package@^1") */
-    key: string;
-    /** The base package name (without version specifier) */
-    packageName: string;
-    /** The version the override pins to */
-    version: string;
-    /** Whether this is a version-specific override (e.g., "package@^1") */
-    isVersionSpecific: boolean;
-    /** The version range specifier if version-specific (e.g., "^1") */
-    versionRange?: string;
-}
+import {
+    OverrideInfo,
+    extractOverrides,
+    removeOverrideFromObject,
+    removeOverridesFromContent
+} from "./override-utils";
 
 /**
  * Project information for override analysis.
@@ -138,7 +128,7 @@ export class RemoveRedundantOverrides extends ScanningRecipe<Accumulator> {
                 }
 
                 // Extract overrides based on package manager
-                const overrides = recipe.extractOverrides(packageJson, pm);
+                const overrides = extractOverrides(packageJson, pm);
                 if (overrides.length === 0) {
                     return doc;
                 }
@@ -205,7 +195,7 @@ export class RemoveRedundantOverrides extends ScanningRecipe<Accumulator> {
                 }
 
                 // Remove redundant overrides
-                const modifiedContent = recipe.removeOverrides(
+                const modifiedContent = removeOverridesFromContent(
                     project.originalPackageJson,
                     project.packageManager,
                     redundant
@@ -226,82 +216,6 @@ export class RemoveRedundantOverrides extends ScanningRecipe<Accumulator> {
         };
     }
 
-    /**
-     * Extracts override information from package.json.
-     */
-    private extractOverrides(
-        packageJson: Record<string, any>,
-        pm: PackageManager
-    ): OverrideInfo[] {
-        const overrides: OverrideInfo[] = [];
-
-        let overrideObj: Record<string, any> | undefined;
-
-        switch (pm) {
-            case PackageManager.Npm:
-            case PackageManager.Bun:
-                overrideObj = packageJson.overrides;
-                break;
-            case PackageManager.Pnpm:
-                overrideObj = packageJson.pnpm?.overrides;
-                break;
-            case PackageManager.YarnClassic:
-            case PackageManager.YarnBerry:
-                overrideObj = packageJson.resolutions;
-                break;
-        }
-
-        if (!overrideObj) {
-            return overrides;
-        }
-
-        for (const [key, value] of Object.entries(overrideObj)) {
-            // Skip nested overrides (npm supports objects as values)
-            if (typeof value !== 'string') {
-                continue;
-            }
-
-            // Parse the key to extract package name and version range
-            const atIndex = key.lastIndexOf('@');
-            let packageName: string;
-            let versionRange: string | undefined;
-            let isVersionSpecific = false;
-
-            // Check if this is a version-specific override like "package@^1"
-            // But be careful with scoped packages like "@scope/package"
-            if (atIndex > 0 && !key.startsWith('@')) {
-                // Unscoped package with version specifier
-                packageName = key.substring(0, atIndex);
-                versionRange = key.substring(atIndex + 1);
-                isVersionSpecific = true;
-            } else if (atIndex > 0 && key.startsWith('@')) {
-                // Scoped package - check if there's another @ after the scope
-                const secondAtIndex = key.indexOf('@', 1);
-                if (secondAtIndex > 0 && secondAtIndex !== atIndex) {
-                    // Has version specifier: @scope/package@^1
-                    packageName = key.substring(0, secondAtIndex);
-                    versionRange = key.substring(secondAtIndex + 1);
-                    isVersionSpecific = true;
-                } else {
-                    // Just @scope/package
-                    packageName = key;
-                }
-            } else {
-                packageName = key;
-            }
-
-            overrides.push({
-                key,
-                packageName,
-                version: value,
-                isVersionSpecific,
-                versionRange
-            });
-        }
-
-        return overrides;
-    }
-
     /**
      * Tests each override to see if it's redundant.
      *
@@ -320,7 +234,7 @@ export class RemoveRedundantOverrides extends ScanningRecipe<Accumulator> {
             // Create package.json with ALL overrides removed
             const packageJson = JSON.parse(project.originalPackageJson);
             for (const override of project.overrides) {
-                this.removeOverrideFromObject(packageJson, project.packageManager, override.key);
+                removeOverrideFromObject(packageJson, project.packageManager, override.key);
             }
             const modifiedPackageJson = JSON.stringify(packageJson, null, 2);
 
@@ -396,120 +310,4 @@ export class RemoveRedundantOverrides extends ScanningRecipe<Accumulator> {
 
         return false;
     }
-
-    /**
-     * Removes a single override from the package.json object.
-     */
-    private removeOverrideFromObject(
-        packageJson: Record<string, any>,
-        pm: PackageManager,
-        key: string
-    ): void {
-        switch (pm) {
-            case PackageManager.Npm:
-            case PackageManager.Bun:
-                if (packageJson.overrides) {
-                    delete packageJson.overrides[key];
-                    if (Object.keys(packageJson.overrides).length === 0) {
-                        delete packageJson.overrides;
-                    }
-                }
-                break;
-            case PackageManager.Pnpm:
-                if (packageJson.pnpm?.overrides) {
-                    delete packageJson.pnpm.overrides[key];
-                    if (Object.keys(packageJson.pnpm.overrides).length === 0) {
-                        delete packageJson.pnpm.overrides;
-                    }
-                    if (Object.keys(packageJson.pnpm).length === 0) {
-                        delete packageJson.pnpm;
-                    }
-                }
-                break;
-            case PackageManager.YarnClassic:
-            case PackageManager.YarnBerry:
-                if (packageJson.resolutions) {
-                    delete packageJson.resolutions[key];
-                    if (Object.keys(packageJson.resolutions).length === 0) {
-                        delete packageJson.resolutions;
-                    }
-                }
-                break;
-        }
-    }
-
-    /**
-     * Removes the specified overrides from package.json content.
-     * Also removes associated comments.
-     */
-    private removeOverrides(
-        originalContent: string,
-        pm: PackageManager,
-        keysToRemove: Set<string>
-    ): string {
-        const packageJson = JSON.parse(originalContent);
-
-        // Determine field names
-        let overrideField: string;
-        let commentField: string;
-
-        switch (pm) {
-            case PackageManager.Npm:
-            case PackageManager.Bun:
-                overrideField = 'overrides';
-                commentField = '//overrides';
-                break;
-            case PackageManager.Pnpm:
-                overrideField = 'pnpm';
-                commentField = '//pnpm.overrides';
-                break;
-            case PackageManager.YarnClassic:
-            case PackageManager.YarnBerry:
-                overrideField = 'resolutions';
-                commentField = '//resolutions';
-                break;
-            default:
-                return originalContent;
-        }
-
-        // Remove overrides
-        if (pm === PackageManager.Pnpm) {
-            if (packageJson.pnpm?.overrides) {
-                for (const key of keysToRemove) {
-                    delete packageJson.pnpm.overrides[key];
-                }
-                if (Object.keys(packageJson.pnpm.overrides).length === 0) {
-                    delete packageJson.pnpm.overrides;
-                }
-                if (Object.keys(packageJson.pnpm).length === 0) {
-                    delete packageJson.pnpm;
-                }
-            }
-        } else {
-            if (packageJson[overrideField]) {
-                for (const key of keysToRemove) {
-                    delete packageJson[overrideField][key];
-                }
-                if (Object.keys(packageJson[overrideField]).length === 0) {
-                    delete packageJson[overrideField];
-                }
-            }
-        }
-
-        // Remove associated comments
-        if (packageJson[commentField]) {
-            for (const key of keysToRemove) {
-                delete packageJson[commentField][key];
-            }
-            if (Object.keys(packageJson[commentField]).length === 0) {
-                delete packageJson[commentField];
-            }
-        }
-
-        // Preserve original indentation
-        const indentMatch = originalContent.match(/^(\s+)"/m);
-        const indent = indentMatch ? indentMatch[1].length : 2;
-
-        return JSON.stringify(packageJson, null, indent);
-    }
 }

package/src/security/types.ts

@@ -0,0 +1,116 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Moderne Proprietary. Only for use by Moderne customers under the terms of a commercial contract.
+ */
+
+import {DependencyScope, PackageManager, ResolvedDependency} from "@openrewrite/rewrite/javascript";
+import {Vulnerability} from "./vulnerability";
+
+/**
+ * All dependency scopes that can contain dependencies in package.json.
+ */
+export const ALL_DEPENDENCY_SCOPES: DependencyScope[] = [
+    'dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'
+];
+
+/**
+ * Strategy for handling transitive dependency vulnerabilities.
+ *
+ * - 'report': Report transitive vulnerabilities but don't fix them. (Default)
+ * - 'override': Add overrides/resolutions for transitives that aren't fixed
+ *               by direct dependency upgrades. Runs an extra npm install
+ *               to check which transitives are still vulnerable after
+ *               applying direct fixes, then adds overrides only for those.
+ * - 'prefer-direct-upgrade': First applies minimum direct dependency upgrades,
+ *                            then for any remaining transitive vulnerabilities,
+ *                            tries to find a higher direct dependency version
+ *                            that fixes them. Falls back to overrides if no
+ *                            suitable direct upgrade exists. Queries npm registry.
+ *                            Most thorough, slowest.
+ */
+export type TransitiveFixStrategy = 'report' | 'override' | 'prefer-direct-upgrade';
+
+/**
+ * Represents a segment in the dependency path.
+ */
+export interface PathSegment {
+    name: string;
+    version: string;
+}
+
+/**
+ * Represents a vulnerable dependency found during scanning.
+ */
+export interface VulnerableDependency {
+    /** The resolved dependency that is vulnerable */
+    resolved: ResolvedDependency;
+    /** The vulnerability affecting it */
+    vulnerability: Vulnerability;
+    /** Depth in dependency tree (0 = direct) */
+    depth: number;
+    /** Whether this is a direct dependency */
+    isDirect: boolean;
+    /** The scope where this dependency was found (for direct deps) */
+    scope?: DependencyScope;
+    /** Path from root to this dependency */
+    path: PathSegment[];
+}
+
+/**
+ * Represents a fix to apply for a vulnerability.
+ */
+export interface VulnerabilityFix {
+    /** Package name to upgrade (the vulnerable package) */
+    packageName: string;
+    /** Version to upgrade to */
+    newVersion: string;
+    /** Whether the vulnerable package is a transitive dependency */
+    isTransitive: boolean;
+    /** CVEs this fix resolves */
+    cves: string[];
+    /** CVE summaries for generating comments (CVE ID -> summary) */
+    cveSummaries: Map<string, string>;
+    /** The scope where this dependency was found (for direct deps) */
+    scope?: DependencyScope;
+    /** The original major version (for version-specific overrides) */
+    originalMajorVersion?: number;
+    /**
+     * For transitive vulnerabilities, info about ALL direct dependencies that bring
+     * this transitive in. Used by prefer-direct-upgrade to find higher versions
+     * of the direct dependencies that might fix the transitive.
+     */
+    directDepInfos?: {
+        name: string;
+        version: string;
+        scope: DependencyScope;
+    }[];
+    /**
+     * If set, fix this transitive vulnerability by upgrading direct dependencies
+     * instead of using overrides. This is preferred when a newer version of a
+     * direct dependency includes a fixed version of the vulnerable transitive.
+     * Multiple entries when the transitive is brought in by multiple direct deps.
+     */
+    fixViaDirectUpgrades?: {
+        /** Name of the direct dependency to upgrade */
+        directDepName: string;
+        /** Version to upgrade the direct dependency to */
+        directDepVersion: string;
+        /** Scope of the direct dependency */
+        directDepScope: DependencyScope;
+    }[];
+}
+
+/**
+ * Project info for lock file updates.
+ */
+export interface ProjectUpdateInfo {
+    /** Relative path to package.json (from source root) */
+    packageJsonPath: string;
+    /** Original package.json content */
+    originalPackageJson: string;
+    /** The package manager used by this project */
+    packageManager: PackageManager;
+    /** Config file contents extracted from the project (e.g., .npmrc) */
+    configFiles?: Record<string, string>;
+}

package/src/security/version-utils.ts

@@ -0,0 +1,198 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Moderne Proprietary. Only for use by Moderne customers under the terms of a commercial contract.
+ */
+
+import * as semver from "semver";
+import {Vulnerability} from "./vulnerability";
+
+/**
+ * Upgrade delta options for version upgrades.
+ */
+export type UpgradeDelta = 'none' | 'patch' | 'minor' | 'major';
+
+/**
+ * Extracts the version prefix (e.g., ^, ~, >=) from a version string.
+ * Returns the prefix and the bare version separately.
+ */
+export function extractVersionPrefix(versionString: string): { prefix: string; version: string } {
+    const match = versionString.match(/^([~^]|>=?|<=?|=)?(.*)$/);
+    if (match) {
+        return {
+            prefix: match[1] || '',
+            version: match[2]
+        };
+    }
+    return {prefix: '', version: versionString};
+}
+
+/**
+ * Applies the original version prefix to a new version.
+ */
+export function applyVersionPrefix(originalVersion: string, newVersion: string): string {
+    const {prefix} = extractVersionPrefix(originalVersion);
+    return prefix + newVersion;
+}
+
+/**
+ * Extracts the minimum version from a version constraint.
+ * For example: "^3.0.2" -> "3.0.2", "~1.2.3" -> "1.2.3", ">=2.0.0" -> "2.0.0"
+ */
+export function extractMinimumVersion(constraint: string): string | undefined {
+    if (!constraint) return undefined;
+
+    // Handle exact versions
+    if (semver.valid(constraint)) {
+        return constraint;
+    }
+
+    // Handle ranges with prefix: ^, ~, >=, >, etc.
+    const match = constraint.match(/^[~^>=<]*\s*(\d+\.\d+\.\d+(?:-[a-zA-Z0-9.]+)?)/);
+    if (match && semver.valid(match[1])) {
+        return match[1];
+    }
+
+    // Try to coerce other formats
+    const coerced = semver.coerce(constraint);
+    return coerced?.version;
+}
+
+/**
+ * Checks if a target version is within the allowed upgrade delta from the original version.
+ */
+export function isVersionWithinDelta(
+    originalVersion: string,
+    targetVersion: string,
+    delta: UpgradeDelta
+): boolean {
+    if (delta === 'none') {
+        return false;
+    }
+
+    try {
+        const original = semver.parse(originalVersion);
+        const target = semver.parse(targetVersion);
+        if (!original || !target) return false;
+
+        switch (delta) {
+            case 'patch':
+                return original.major === target.major && original.minor === target.minor;
+            case 'minor':
+                return original.major === target.major;
+            case 'major':
+                return true;
+            default:
+                return false;
+        }
+    } catch {
+        return false;
+    }
+}
+
+/**
+ * Checks if a specific version is affected by a vulnerability.
+ */
+export function isVersionAffected(version: string, vulnerability: Vulnerability): boolean {
+    try {
+        const v = semver.parse(version);
+        if (!v) return false;
+
+        // Check introduced version
+        if (vulnerability.introducedVersion && vulnerability.introducedVersion !== '0') {
+            const introduced = semver.parse(vulnerability.introducedVersion);
+            if (introduced && semver.lt(v, introduced)) {
+                return false; // Version is before the vulnerability was introduced
+            }
+        }
+
+        // Check if fixed
+        if (vulnerability.fixedVersion) {
+            const fixed = semver.parse(vulnerability.fixedVersion);
+            if (fixed && semver.gte(v, fixed)) {
+                return false; // Version is at or after the fix
+            }
+            return true; // Version is in the vulnerable range
+        }
+
+        // Check last affected version
+        if (vulnerability.lastAffectedVersion) {
+            const lastAffected = semver.parse(vulnerability.lastAffectedVersion);
+            if (lastAffected && semver.gt(v, lastAffected)) {
+                return false; // Version is after the last affected
+            }
+            return true;
+        }
+
+        return true; // No fix information, assume vulnerable
+    } catch {
+        return false; // Invalid version, skip
+    }
+}
+
+/**
+ * Checks if a vulnerability can be fixed within the maximum upgrade delta.
+ */
+export function isUpgradeableWithinDelta(
+    currentVersion: string,
+    vulnerability: Vulnerability,
+    delta: UpgradeDelta
+): boolean {
+    if (delta === 'none') {
+        return false;
+    }
+
+    try {
+        const current = semver.parse(currentVersion);
+        if (!current) return false;
+
+        // If we have a fixed version, check if it's reachable within delta
+        if (vulnerability.fixedVersion) {
+            const fixed = semver.parse(vulnerability.fixedVersion);
+            if (!fixed) return false;
+
+            switch (delta) {
+                case 'patch':
+                    return current.major === fixed.major && current.minor === fixed.minor;
+                case 'minor':
+                    return current.major === fixed.major;
+                case 'major':
+                    return true;
+            }
+        }
+
+        // If we only have lastAffectedVersion, check if upgrading within delta
+        // could get us past it (i.e., to a non-vulnerable version)
+        if (vulnerability.lastAffectedVersion) {
+            const lastAffected = semver.parse(vulnerability.lastAffectedVersion);
+            if (!lastAffected) return false;
+
+            switch (delta) {
+                case 'patch':
+                    return current.major === lastAffected.major &&
+                        current.minor === lastAffected.minor;
+                case 'minor':
+                    return current.major === lastAffected.major;
+                case 'major':
+                    return true;
+            }
+        }
+
+        return false;
+    } catch {
+        return false;
+    }
+}
+
+/**
+ * Gets the version to upgrade to for a vulnerability.
+ */
+export function getUpgradeVersion(vulnerability: Vulnerability): string | undefined {
+    if (vulnerability.fixedVersion) {
+        return vulnerability.fixedVersion;
+    }
+    // For lastAffectedVersion, we need the next version after it
+    // We can't determine this exactly, so return undefined and let the
+    // upgrade recipe handle version selection
+    return undefined;
+}