npm - @paklo/core - Versions diffs - 0.3.0 → 0.4.0 - Mend

@paklo/core 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/azure/index.d.ts +2 -2
package/dist/dependabot/index.d.ts +2 -2
package/dist/github/index.d.ts +2 -2
package/dist/github/index.js +78 -43
package/dist/github/index.js.map +1 -1
package/dist/{index-3wZw74Ah.d.ts → index-CYzMyUeu.d.ts} +30 -12
package/dist/{index-Dr0PB1As.d.ts → index-VTX2ArLa.d.ts} +20 -20
package/package.json +2 -1

package/dist/azure/index.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { D as DependabotUpdatePullRequest, Yt as DependabotConfig, ft as DependabotDependency, gt as DependabotExistingPR, mt as DependabotExistingGroupPR, r as DependabotCreatePullRequest, t as DependabotClosePullRequest, xn as VariableFinderFn } from "../index-Dr0PB1As.js";
-import "../index-3wZw74Ah.js";
+import { D as DependabotUpdatePullRequest, Yt as DependabotConfig, ft as DependabotDependency, gt as DependabotExistingPR, mt as DependabotExistingGroupPR, r as DependabotCreatePullRequest, t as DependabotClosePullRequest, xn as VariableFinderFn } from "../index-VTX2ArLa.js";
+import "../index-CYzMyUeu.js";
 import * as zod_v40 from "zod/v4";
 import * as zod_v4_core0 from "zod/v4/core";

package/dist/dependabot/index.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
-import { $ as sanitizeRef, $t as DependabotGroup, A as DependabotRequest, At as DependabotProxyConfig, B as makeRandomJobToken, Bt as DependabotSourceProviderSchema, C as DependabotRecordUpdateJobUnknownError, Cn as extractPlaceholder, Ct as DependabotGroupRuleJobSchema, D as DependabotUpdatePullRequest, Dt as DependabotJobFileSchema, E as DependabotUpdateDependencyListSchema, En as GitAuthor, Et as DependabotJobFile, F as createApiServerApp, Ft as DependabotRequirementSourceSchema, G as mapIgnoreConditionsFromDependabotConfigToJobConfig, Gt as DependabotAllowCondition, H as mapCredentials, Ht as FetchedFiles, I as DependabotJobBuilder, It as DependabotSecurityAdvisory, J as mapSourceFromDependabotConfigToJobConfig, Jt as DependabotCommitMessageSchema, K as mapPackageEcosystemToPackageManager, Kt as DependabotAllowConditionSchema, L as DependabotJobBuilderOutput, Lt as DependabotSecurityAdvisorySchema, M as DependabotRequestType, Mt as DependabotRequirement, N as DependabotRequestTypeSchema, Nt as DependabotRequirementSchema, O as DependabotUpdatePullRequestSchema, Ot as DependabotPackageManager, P as DependabotTokenType, Pt as DependabotRequirementSource, Q as getBranchNameForUpdate, Qt as DependabotCooldownSchema, R as DependabotSourceInfo, Rt as DependabotSource, S as DependabotRecordUpdateJobErrorSchema, Sn as convertPlaceholder, St as DependabotGroupRuleJob, T as DependabotUpdateDependencyList, Tn as DEPENDABOT_DEFAULT_AUTHOR_NAME, Tt as DependabotJobConfigSchema, U as mapExperiments, Ut as FileFetcherInput, V as mapAllowedUpdatesFromDependabotConfigToJobConfig, Vt as DependabotSourceSchema, W as mapGroupsFromDependabotConfigToJobConfig, Wt as FileUpdaterInput, X as DEFAULT_EXPERIMENTS, Xt as DependabotConfigSchema, Y as mapVersionStrategyToRequirementsUpdateStrategy, Yt as DependabotConfig, Z as parseExperiments, Zt as DependabotCooldown, _ as DependabotRecordEcosystemMeta, _n as parseDependabotConfig, _t as DependabotExistingPRSchema, a as DependabotDependencyFile, an as DependabotPullRequestBranchName, at as DependabotCommandSchema, b as DependabotRecordEcosystemVersionsSchema, bn as validateConfiguration, bt as DependabotGroupJob, c as DependabotEcosystemMetaSchema, cn as DependabotSchedule, ct as DependabotCondition, d as DependabotIncrementMetric, dn as DependabotUpdateSchema, dt as DependabotCredentialSchema, en as DependabotGroupSchema, et as CertificateAuthority, f as DependabotIncrementMetricSchema, fn as POSSIBLE_CONFIG_FILE_PATHS, ft as DependabotDependency, g as DependabotMetricSchema, gn as VersioningStrategySchema, gt as DependabotExistingPR, h as DependabotMetric, hn as VersioningStrategy, ht as DependabotExistingGroupPRSchema, i as DependabotCreatePullRequestSchema, in as DependabotMultiEcosystemGroupSchema, it as DependabotCommand, j as DependabotRequestSchema, jt as DependabotProxyConfigSchema, k as CreateApiServerAppOptions, kt as DependabotPackageManagerSchema, l as DependabotEcosystemVersionManager, ln as DependabotScheduleSchema, lt as DependabotConditionSchema, m as DependabotMarkAsProcessedSchema, mn as PackageEcosystemSchema, mt as DependabotExistingGroupPR, n as DependabotClosePullRequestSchema, nn as DependabotIgnoreConditionSchema, nt as DependabotAllowed, o as DependabotDependencyFileSchema, on as DependabotRegistry, ot as DependabotCommitOptions, p as DependabotMarkAsProcessed, pn as PackageEcosystem, pt as DependabotDependencySchema, q as mapSecurityAdvisories, qt as DependabotCommitMessage, r as DependabotCreatePullRequest, rn as DependabotMultiEcosystemGroup, rt as DependabotAllowedSchema, s as DependabotEcosystemMeta, sn as DependabotRegistrySchema, st as DependabotCommitOptionsSchema, t as DependabotClosePullRequest, tn as DependabotIgnoreCondition, tt as CertificateAuthoritySchema, u as DependabotEcosystemVersionManagerSchema, un as DependabotUpdate, ut as DependabotCredential, v as DependabotRecordEcosystemMetaSchema, vn as parseRegistries, vt as DependabotExperiments, w as DependabotRecordUpdateJobUnknownErrorSchema, wn as DEPENDABOT_DEFAULT_AUTHOR_EMAIL, wt as DependabotJobConfig, x as DependabotRecordUpdateJobError, xn as VariableFinderFn, xt as DependabotGroupJobSchema, y as DependabotRecordEcosystemVersions, yn as parseUpdates, yt as DependabotExperimentsSchema, z as makeRandomJobId, zt as DependabotSourceProvider } from "../index-Dr0PB1As.js";
-import "../index-3wZw74Ah.js";
+import { $ as sanitizeRef, $t as DependabotGroup, A as DependabotRequest, At as DependabotProxyConfig, B as makeRandomJobToken, Bt as DependabotSourceProviderSchema, C as DependabotRecordUpdateJobUnknownError, Cn as extractPlaceholder, Ct as DependabotGroupRuleJobSchema, D as DependabotUpdatePullRequest, Dt as DependabotJobFileSchema, E as DependabotUpdateDependencyListSchema, En as GitAuthor, Et as DependabotJobFile, F as createApiServerApp, Ft as DependabotRequirementSourceSchema, G as mapIgnoreConditionsFromDependabotConfigToJobConfig, Gt as DependabotAllowCondition, H as mapCredentials, Ht as FetchedFiles, I as DependabotJobBuilder, It as DependabotSecurityAdvisory, J as mapSourceFromDependabotConfigToJobConfig, Jt as DependabotCommitMessageSchema, K as mapPackageEcosystemToPackageManager, Kt as DependabotAllowConditionSchema, L as DependabotJobBuilderOutput, Lt as DependabotSecurityAdvisorySchema, M as DependabotRequestType, Mt as DependabotRequirement, N as DependabotRequestTypeSchema, Nt as DependabotRequirementSchema, O as DependabotUpdatePullRequestSchema, Ot as DependabotPackageManager, P as DependabotTokenType, Pt as DependabotRequirementSource, Q as getBranchNameForUpdate, Qt as DependabotCooldownSchema, R as DependabotSourceInfo, Rt as DependabotSource, S as DependabotRecordUpdateJobErrorSchema, Sn as convertPlaceholder, St as DependabotGroupRuleJob, T as DependabotUpdateDependencyList, Tn as DEPENDABOT_DEFAULT_AUTHOR_NAME, Tt as DependabotJobConfigSchema, U as mapExperiments, Ut as FileFetcherInput, V as mapAllowedUpdatesFromDependabotConfigToJobConfig, Vt as DependabotSourceSchema, W as mapGroupsFromDependabotConfigToJobConfig, Wt as FileUpdaterInput, X as DEFAULT_EXPERIMENTS, Xt as DependabotConfigSchema, Y as mapVersionStrategyToRequirementsUpdateStrategy, Yt as DependabotConfig, Z as parseExperiments, Zt as DependabotCooldown, _ as DependabotRecordEcosystemMeta, _n as parseDependabotConfig, _t as DependabotExistingPRSchema, a as DependabotDependencyFile, an as DependabotPullRequestBranchName, at as DependabotCommandSchema, b as DependabotRecordEcosystemVersionsSchema, bn as validateConfiguration, bt as DependabotGroupJob, c as DependabotEcosystemMetaSchema, cn as DependabotSchedule, ct as DependabotCondition, d as DependabotIncrementMetric, dn as DependabotUpdateSchema, dt as DependabotCredentialSchema, en as DependabotGroupSchema, et as CertificateAuthority, f as DependabotIncrementMetricSchema, fn as POSSIBLE_CONFIG_FILE_PATHS, ft as DependabotDependency, g as DependabotMetricSchema, gn as VersioningStrategySchema, gt as DependabotExistingPR, h as DependabotMetric, hn as VersioningStrategy, ht as DependabotExistingGroupPRSchema, i as DependabotCreatePullRequestSchema, in as DependabotMultiEcosystemGroupSchema, it as DependabotCommand, j as DependabotRequestSchema, jt as DependabotProxyConfigSchema, k as CreateApiServerAppOptions, kt as DependabotPackageManagerSchema, l as DependabotEcosystemVersionManager, ln as DependabotScheduleSchema, lt as DependabotConditionSchema, m as DependabotMarkAsProcessedSchema, mn as PackageEcosystemSchema, mt as DependabotExistingGroupPR, n as DependabotClosePullRequestSchema, nn as DependabotIgnoreConditionSchema, nt as DependabotAllowed, o as DependabotDependencyFileSchema, on as DependabotRegistry, ot as DependabotCommitOptions, p as DependabotMarkAsProcessed, pn as PackageEcosystem, pt as DependabotDependencySchema, q as mapSecurityAdvisories, qt as DependabotCommitMessage, r as DependabotCreatePullRequest, rn as DependabotMultiEcosystemGroup, rt as DependabotAllowedSchema, s as DependabotEcosystemMeta, sn as DependabotRegistrySchema, st as DependabotCommitOptionsSchema, t as DependabotClosePullRequest, tn as DependabotIgnoreCondition, tt as CertificateAuthoritySchema, u as DependabotEcosystemVersionManagerSchema, un as DependabotUpdate, ut as DependabotCredential, v as DependabotRecordEcosystemMetaSchema, vn as parseRegistries, vt as DependabotExperiments, w as DependabotRecordUpdateJobUnknownErrorSchema, wn as DEPENDABOT_DEFAULT_AUTHOR_EMAIL, wt as DependabotJobConfig, x as DependabotRecordUpdateJobError, xn as VariableFinderFn, xt as DependabotGroupJobSchema, y as DependabotRecordEcosystemVersions, yn as parseUpdates, yt as DependabotExperimentsSchema, z as makeRandomJobId, zt as DependabotSourceProvider } from "../index-VTX2ArLa.js";
+import "../index-CYzMyUeu.js";
 export { CertificateAuthority, CertificateAuthoritySchema, CreateApiServerAppOptions, DEFAULT_EXPERIMENTS, DEPENDABOT_DEFAULT_AUTHOR_EMAIL, DEPENDABOT_DEFAULT_AUTHOR_NAME, DependabotAllowCondition, DependabotAllowConditionSchema, DependabotAllowed, DependabotAllowedSchema, DependabotClosePullRequest, DependabotClosePullRequestSchema, DependabotCommand, DependabotCommandSchema, DependabotCommitMessage, DependabotCommitMessageSchema, DependabotCommitOptions, DependabotCommitOptionsSchema, DependabotCondition, DependabotConditionSchema, DependabotConfig, DependabotConfigSchema, DependabotCooldown, DependabotCooldownSchema, DependabotCreatePullRequest, DependabotCreatePullRequestSchema, DependabotCredential, DependabotCredentialSchema, DependabotDependency, DependabotDependencyFile, DependabotDependencyFileSchema, DependabotDependencySchema, DependabotEcosystemMeta, DependabotEcosystemMetaSchema, DependabotEcosystemVersionManager, DependabotEcosystemVersionManagerSchema, DependabotExistingGroupPR, DependabotExistingGroupPRSchema, DependabotExistingPR, DependabotExistingPRSchema, DependabotExperiments, DependabotExperimentsSchema, DependabotGroup, DependabotGroupJob, DependabotGroupJobSchema, DependabotGroupRuleJob, DependabotGroupRuleJobSchema, DependabotGroupSchema, DependabotIgnoreCondition, DependabotIgnoreConditionSchema, DependabotIncrementMetric, DependabotIncrementMetricSchema, DependabotJobBuilder, DependabotJobBuilderOutput, DependabotJobConfig, DependabotJobConfigSchema, DependabotJobFile, DependabotJobFileSchema, DependabotMarkAsProcessed, DependabotMarkAsProcessedSchema, DependabotMetric, DependabotMetricSchema, DependabotMultiEcosystemGroup, DependabotMultiEcosystemGroupSchema, DependabotPackageManager, DependabotPackageManagerSchema, DependabotProxyConfig, DependabotProxyConfigSchema, DependabotPullRequestBranchName, DependabotRecordEcosystemMeta, DependabotRecordEcosystemMetaSchema, DependabotRecordEcosystemVersions, DependabotRecordEcosystemVersionsSchema, DependabotRecordUpdateJobError, DependabotRecordUpdateJobErrorSchema, DependabotRecordUpdateJobUnknownError, DependabotRecordUpdateJobUnknownErrorSchema, DependabotRegistry, DependabotRegistrySchema, DependabotRequest, DependabotRequestSchema, DependabotRequestType, DependabotRequestTypeSchema, DependabotRequirement, DependabotRequirementSchema, DependabotRequirementSource, DependabotRequirementSourceSchema, DependabotSchedule, DependabotScheduleSchema, DependabotSecurityAdvisory, DependabotSecurityAdvisorySchema, DependabotSource, DependabotSourceInfo, DependabotSourceProvider, DependabotSourceProviderSchema, DependabotSourceSchema, DependabotTokenType, DependabotUpdate, DependabotUpdateDependencyList, DependabotUpdateDependencyListSchema, DependabotUpdatePullRequest, DependabotUpdatePullRequestSchema, DependabotUpdateSchema, FetchedFiles, FileFetcherInput, FileUpdaterInput, GitAuthor, POSSIBLE_CONFIG_FILE_PATHS, PackageEcosystem, PackageEcosystemSchema, VariableFinderFn, VersioningStrategy, VersioningStrategySchema, convertPlaceholder, createApiServerApp, extractPlaceholder, getBranchNameForUpdate, makeRandomJobId, makeRandomJobToken, mapAllowedUpdatesFromDependabotConfigToJobConfig, mapCredentials, mapExperiments, mapGroupsFromDependabotConfigToJobConfig, mapIgnoreConditionsFromDependabotConfigToJobConfig, mapPackageEcosystemToPackageManager, mapSecurityAdvisories, mapSourceFromDependabotConfigToJobConfig, mapVersionStrategyToRequirementsUpdateStrategy, parseDependabotConfig, parseExperiments, parseRegistries, parseUpdates, sanitizeRef, validateConfiguration };

package/dist/github/index.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-import { a as PackageEcosystemSchema, c as SecurityAdvisoryIdentifierSchema, d as SecurityAdvisorySeverity, f as SecurityAdvisorySeveritySchema, g as getGhsaPackageEcosystemFromDependabotPackageManager, h as filterVulnerabilities, i as PackageEcosystem, l as SecurityAdvisoryIdentifierType, m as SecurityVulnerabilitySchema, n as GitHubGraphClient, o as PackageSchema, p as SecurityVulnerability, r as Package, s as SecurityAdvisory, t as FirstPatchedVersion, u as SecurityAdvisorySchema } from "../index-3wZw74Ah.js";
-export { FirstPatchedVersion, GitHubGraphClient, Package, PackageEcosystem, PackageEcosystemSchema, PackageSchema, SecurityAdvisory, SecurityAdvisoryIdentifierSchema, SecurityAdvisoryIdentifierType, SecurityAdvisorySchema, SecurityAdvisorySeverity, SecurityAdvisorySeveritySchema, SecurityVulnerability, SecurityVulnerabilitySchema, filterVulnerabilities, getGhsaPackageEcosystemFromDependabotPackageManager };
+import { _ as createGitHubClient, a as PackageEcosystemSchema, c as SecurityAdvisoryIdentifierSchema, d as SecurityAdvisorySeverity, f as SecurityAdvisorySeveritySchema, g as getGhsaPackageEcosystemFromDependabotPackageManager, h as filterVulnerabilities, i as PackageEcosystem, l as SecurityAdvisoryIdentifierType, m as SecurityVulnerabilitySchema, n as GitHubSecurityAdvisoryClient, o as PackageSchema, p as SecurityVulnerability, r as Package, s as SecurityAdvisory, t as FirstPatchedVersion, u as SecurityAdvisorySchema } from "../index-CYzMyUeu.js";
+export { FirstPatchedVersion, GitHubSecurityAdvisoryClient, Package, PackageEcosystem, PackageEcosystemSchema, PackageSchema, SecurityAdvisory, SecurityAdvisoryIdentifierSchema, SecurityAdvisoryIdentifierType, SecurityAdvisorySchema, SecurityAdvisorySeverity, SecurityAdvisorySeveritySchema, SecurityVulnerability, SecurityVulnerabilitySchema, createGitHubClient, filterVulnerabilities, getGhsaPackageEcosystemFromDependabotPackageManager };

package/dist/github/index.js CHANGED Viewed

@@ -1,10 +1,22 @@
 import "../environment-DX5CD-dD.js";
 import { n as logger } from "../logger-bWnHxtAf.js";
 import { z } from "zod/v4";
+import { Octokit } from "octokit";
 import * as semver from "semver";
+//#region src/github/client.ts
+/**
+* Creates an authenticated GitHub API client using Octokit.
+*
+* @param token - GitHub personal access token or fine-grained token with appropriate permissions
+* @returns Configured Octokit instance ready for API calls
+*/
+function createGitHubClient({ token }) {
+	return new Octokit({ auth: token });
+}
+//#endregion
 //#region src/github/ghsa.ts
-const GHSA_GRAPHQL_API = "https://api.github.com/graphql";
 const GHSA_SECURITY_VULNERABILITIES_QUERY = `
   query($ecosystem: SecurityAdvisoryEcosystem, $package: String) {
     securityVulnerabilities(first: 100, ecosystem: $ecosystem, package: $package) {
@@ -20,9 +32,15 @@ const GHSA_SECURITY_VULNERABILITIES_QUERY = `
           references {
             url
           }
-          cvss {
-            score
-            vectorString
+          cvssSeverities {
+            cvssV3 {
+              score
+              vectorString
+            }
+            cvssV4 {
+              score
+              vectorString
+            }
           }
           epss {
             percentage
@@ -73,28 +91,30 @@ const SecurityAdvisorySeveritySchema = z.enum([
 	"HIGH",
 	"CRITICAL"
 ]);
+const CweSchema = z.object({
+	cweId: z.string(),
+	name: z.string(),
+	description: z.string()
+});
+const CvssSchema = z.object({
+	score: z.number(),
+	vectorString: z.string().nullish()
+});
 const SecurityAdvisorySchema = z.object({
-	identifiers: z.array(z.object({
+	identifiers: z.object({
 		type: z.union([SecurityAdvisoryIdentifierSchema, z.string()]),
 		value: z.string()
-	})),
+	}).array(),
 	severity: SecurityAdvisorySeveritySchema.nullish(),
 	summary: z.string(),
 	description: z.string().nullish(),
-	references: z.array(z.object({ url: z.string() })).nullish(),
-	cvss: z.object({
-		score: z.number(),
-		vectorString: z.string()
-	}).nullish(),
+	references: z.object({ url: z.string() }).array().nullish(),
+	cvss: CvssSchema.nullish(),
 	epss: z.object({
-		percentage: z.number(),
-		percentile: z.number()
+		percentage: z.number().nullish(),
+		percentile: z.number().nullish()
 	}).nullish(),
-	cwes: z.array(z.object({
-		cweId: z.string(),
-		name: z.string(),
-		description: z.string()
-	})).nullish(),
+	cwes: CweSchema.array().nullish(),
 	publishedAt: z.string().nullish(),
 	updatedAt: z.string().nullish(),
 	withdrawnAt: z.string().nullish(),
@@ -107,6 +127,18 @@ const SecurityVulnerabilitySchema = z.object({
 	vulnerableVersionRange: z.string(),
 	firstPatchedVersion: FirstPatchedVersionSchema.nullish()
 });
+const CvssSeveritiesSchema = z.object({
+	cvssV3: CvssSchema.nullish(),
+	cvssV4: CvssSchema.nullish()
+});
+const GitHubSecurityVulnerabilitiesResponseSchema = z.object({ securityVulnerabilities: z.object({ nodes: z.object({
+	advisory: SecurityAdvisorySchema.omit({ cvss: true }).extend({
+		cvssSeverities: CvssSeveritiesSchema,
+		cwes: z.object({ nodes: CweSchema.array() }).nullish()
+	}),
+	firstPatchedVersion: FirstPatchedVersionSchema.nullish(),
+	vulnerableVersionRange: z.string()
+}).array() }) });
 function getGhsaPackageEcosystemFromDependabotPackageManager(dependabotPackageManager) {
 	switch (dependabotPackageManager) {
 		case "composer": return "COMPOSER";
@@ -125,12 +157,15 @@ function getGhsaPackageEcosystemFromDependabotPackageManager(dependabotPackageMa
 	}
 }
 /**
-* GitHub GraphQL client
+* GitHub Security Advisory client
 */
-var GitHubGraphClient = class {
-	accessToken;
-	constructor(accessToken) {
-		this.accessToken = accessToken;
+var GitHubSecurityAdvisoryClient = class {
+	octokit;
+	/**
+	* @param token GitHub personal access token with access to the GHSA API
+	*/
+	constructor(token) {
+		this.octokit = createGitHubClient({ token });
 	}
 	/**
 	* Get the list of security vulnerabilities for a given package ecosystem and list of packages
@@ -143,25 +178,25 @@ var GitHubGraphClient = class {
 				ecosystem: packageEcosystem,
 				package: pkg.name
 			};
-			const response = await fetch(GHSA_GRAPHQL_API, {
-				method: "POST",
-				headers: {
-					Authorization: `Bearer ${this.accessToken}`,
-					"Content-Type": "application/json"
-				},
-				body: JSON.stringify({
-					query: GHSA_SECURITY_VULNERABILITIES_QUERY,
-					variables
-				})
-			});
-			if (!response.ok) throw new Error(`GHSA GraphQL request failed with response: ${response.status} ${response.statusText}`);
-			const responseData = await response.json();
-			const errors = responseData?.errors;
-			if (errors) throw new Error(`GHSA GraphQL request failed with errors: ${JSON.stringify(errors)}`);
-			return (responseData?.data?.securityVulnerabilities?.nodes)?.filter((v) => v?.advisory)?.map((v) => ({
-				package: pkg,
-				...v
-			}));
+			function pickCvss(value) {
+				if (value.cvssV4 && value.cvssV4.score > 0) return value.cvssV4;
+				if (value.cvssV3 && value.cvssV3.score > 0) return value.cvssV3;
+			}
+			try {
+				const response = await this.octokit.graphql(GHSA_SECURITY_VULNERABILITIES_QUERY, variables);
+				return GitHubSecurityVulnerabilitiesResponseSchema.parse(response).securityVulnerabilities.nodes?.filter((v) => v.advisory != null)?.map((v) => ({
+					...v,
+					package: pkg,
+					advisory: {
+						...v.advisory,
+						cwes: v.advisory.cwes?.nodes,
+						cvss: pickCvss(v.advisory.cvssSeverities)
+					}
+				})) || [];
+			} catch (error) {
+				logger.warn(`GHSA GraphQL request failed for package ${pkg.name}: ${error}. Continuing with other packages.`);
+				return [];
+			}
 		});
 	}
 	/**
@@ -194,5 +229,5 @@ function filterVulnerabilities(securityVulnerabilities) {
 }
 //#endregion
-export { GitHubGraphClient, PackageEcosystemSchema, PackageSchema, SecurityAdvisoryIdentifierSchema, SecurityAdvisorySchema, SecurityAdvisorySeveritySchema, SecurityVulnerabilitySchema, filterVulnerabilities, getGhsaPackageEcosystemFromDependabotPackageManager };
+export { GitHubSecurityAdvisoryClient, PackageEcosystemSchema, PackageSchema, SecurityAdvisoryIdentifierSchema, SecurityAdvisorySchema, SecurityAdvisorySeveritySchema, SecurityVulnerabilitySchema, createGitHubClient, filterVulnerabilities, getGhsaPackageEcosystemFromDependabotPackageManager };
 //# sourceMappingURL=index.js.map

package/dist/github/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","names":["results: T2[]","v"],"sources":["../../src/github/ghsa.ts"],"sourcesContent":["import * as semver from 'semver';\nimport { z } from 'zod/v4';\n\nimport { logger } from '@/logger';\n\n// we use nullish() because it does optional() and allows the value to be set to null\n\nconst GHSA_GRAPHQL_API = 'https://api.github.com/graphql';\n\nconst GHSA_SECURITY_VULNERABILITIES_QUERY = `\n query($ecosystem: SecurityAdvisoryEcosystem, $package: String) {\n securityVulnerabilities(first: 100, ecosystem: $ecosystem, package: $package) {\n nodes {\n advisory {\n identifiers {\n type,\n value\n },\n severity,\n summary,\n description,\n references {\n url\n }\n cvss {\n score\n vectorString\n }\n epss {\n percentage\n percentile\n }\n cwes (first: 100) {\n nodes {\n cweId\n name\n description\n }\n }\n publishedAt\n updatedAt\n withdrawnAt\n permalink\n }\n vulnerableVersionRange\n firstPatchedVersion {\n identifier\n }\n }\n }\n }\n`;\n\nexport const PackageEcosystemSchema = z.enum([\n 'COMPOSER',\n 'ERLANG',\n 'GO',\n 'ACTIONS',\n 'MAVEN',\n 'NPM',\n 'NUGET',\n 'PIP',\n 'PUB',\n 'RUBYGEMS',\n 'RUST',\n 'SWIFT',\n]);\nexport type PackageEcosystem = z.infer<typeof PackageEcosystemSchema>;\n\nexport const PackageSchema = z.object({\n name: z.string(),\n version: z.string().nullish(),\n});\nexport type Package = z.infer<typeof PackageSchema>;\n\nexport const SecurityAdvisoryIdentifierSchema = z.enum(['CVE', 'GHSA']);\nexport type SecurityAdvisoryIdentifierType = z.infer<typeof SecurityAdvisoryIdentifierSchema>;\n\nexport const SecurityAdvisorySeveritySchema = z.enum(['LOW', 'MODERATE', 'HIGH', 'CRITICAL']);\nexport type SecurityAdvisorySeverity = z.infer<typeof SecurityAdvisorySeveritySchema>;\n\nexport const SecurityAdvisorySchema = z.object({\n identifiers: z.array(\n z.object({\n type: z.union([SecurityAdvisoryIdentifierSchema, z.string()]),\n value: z.string(),\n }),\n ),\n severity: SecurityAdvisorySeveritySchema.nullish(),\n summary: z.string(),\n description: z.string().nullish(),\n references: z.array(z.object({ url: z.string() })).nullish(),\n cvss: z\n .object({\n score: z.number(),\n vectorString: z.string(),\n })\n .nullish(),\n epss: z\n .object({\n percentage: z.number(),\n percentile: z.number(),\n })\n .nullish(),\n cwes: z\n .array(\n z.object({\n cweId: z.string(),\n name: z.string(),\n description: z.string(),\n }),\n )\n .nullish(),\n publishedAt: z.string().nullish(),\n updatedAt: z.string().nullish(),\n withdrawnAt: z.string().nullish(),\n permalink: z.string().nullish(),\n});\nexport type SecurityAdvisory = z.infer<typeof SecurityAdvisorySchema>;\n\nconst FirstPatchedVersionSchema = z.object({ identifier: z.string() });\nexport type FirstPatchedVersion = z.infer<typeof FirstPatchedVersionSchema>;\n\nexport const SecurityVulnerabilitySchema = z.object({\n package: PackageSchema,\n advisory: SecurityAdvisorySchema,\n vulnerableVersionRange: z.string(),\n firstPatchedVersion: FirstPatchedVersionSchema.nullish(),\n});\nexport type SecurityVulnerability = z.infer<typeof SecurityVulnerabilitySchema>;\n\nexport function getGhsaPackageEcosystemFromDependabotPackageManager(\n dependabotPackageManager: string,\n): PackageEcosystem {\n switch (dependabotPackageManager) {\n case 'composer':\n return 'COMPOSER';\n case 'elm':\n return 'ERLANG';\n case 'github_actions':\n return 'ACTIONS';\n case 'go_modules':\n return 'GO';\n case 'maven':\n return 'MAVEN';\n case 'npm_and_yarn':\n return 'NPM';\n case 'nuget':\n return 'NUGET';\n case 'pip':\n return 'PIP';\n case 'pub':\n return 'PUB';\n case 'bundler':\n return 'RUBYGEMS';\n case 'cargo':\n return 'RUST';\n case 'swift':\n return 'SWIFT';\n default:\n throw new Error(`Unknown dependabot package manager: ${dependabotPackageManager}`);\n }\n}\n\n/*\n GitHub GraphQL client\n /\nexport class GitHubGraphClient {\n private readonly accessToken: string;\n\n constructor(accessToken: string) {\n this.accessToken = accessToken;\n }\n\n /\n Get the list of security vulnerabilities for a given package ecosystem and list of packages\n * @param packageEcosystem\n * @param packages\n /\n public async getSecurityVulnerabilitiesAsync(\n packageEcosystem: PackageEcosystem,\n packages: Package[],\n ): Promise<SecurityVulnerability[]> {\n // GitHub API doesn't support querying multiple package at once, so we need to make a request for each package individually.\n // To speed up the process, we can make the requests in parallel, 100 at a time. We batch the requests to avoid hitting the rate limit too quickly.\n // https://docs.github.com/en/graphql/overview/rate-limits-and-node-limits-for-the-graphql-api\n const securityVulnerabilities = await this.batchGraphQueryAsync<Package, SecurityVulnerability>(\n 100,\n packages,\n async (pkg) => {\n const variables = {\n ecosystem: packageEcosystem,\n package: pkg.name,\n };\n const response = await fetch(GHSA_GRAPHQL_API, {\n method: 'POST',\n headers: {\n Authorization: `Bearer ${this.accessToken}`,\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify({\n query: GHSA_SECURITY_VULNERABILITIES_QUERY,\n variables: variables,\n }),\n });\n if (!response.ok) {\n throw new Error(`GHSA GraphQL request failed with response: ${response.status} ${response.statusText}`);\n }\n const responseData = await response.json();\n const errors = responseData?.errors;\n if (errors) {\n throw new Error(`GHSA GraphQL request failed with errors: ${JSON.stringify(errors)}`);\n }\n\n const vulnerabilities = responseData?.data?.securityVulnerabilities?.nodes;\n // biome-ignore lint/suspicious/noExplicitAny: generic\n return vulnerabilities?.filter((v: any) => v?.advisory)?.map((v: any) => ({ package: pkg, ...v }));\n },\n );\n\n return securityVulnerabilities;\n }\n\n /\n Batch requests in parallel to speed up the process when we are forced to do a N+1 query\n * @param batchSize\n * @param items\n * @param action\n * @returns\n /\n private async batchGraphQueryAsync<T1, T2>(batchSize: number, items: T1[], action: (item: T1) => Promise<T2[]>) {\n const results: T2[] = [];\n for (let i = 0; i < items.length; i += batchSize) {\n const batch = items.slice(i, i + batchSize);\n if (batch?.length) {\n try {\n const batchResults = await Promise.all(batch.map(action));\n if (batchResults?.length) {\n results.push(...batchResults.flat());\n }\n } catch (error) {\n logger.warn(`Request batch [${i}-${i + batchSize}] failed; The data may be incomplete. ${error}`);\n }\n }\n }\n return results;\n }\n}\n\nexport function filterVulnerabilities(securityVulnerabilities: SecurityVulnerability[]): SecurityVulnerability[] {\n // Filter out vulnerabilities that have been withdrawn or that are not relevant the current version of the package\n const affectedVulnerabilities = securityVulnerabilities\n .filter((v) => !v.advisory.withdrawnAt)\n .filter((v) => {\n const pkg = v.package;\n if (!pkg \|\| !pkg.version \|\| !v.vulnerableVersionRange) {\n return false;\n }\n\n /\n The vulnerable version range follows a basic syntax with a few forms:\n * `= 0.2.0` denotes a single vulnerable version\n * `<= 1.0.8` denotes a version range up to and including the specified version\n * `< 0.1.11` denotes a version range up to, but excluding, the specified version\n * `>= 4.3.0, < 4.3.5` denotes a version range with a known minimum and maximum version\n * `>= 0.0.1` denotes a version range with a known minimum, but no known maximum\n */\n const versionRangeRequirements = v.vulnerableVersionRange.split(',').map((v) => v.trim());\n return versionRangeRequirements.every((r) => pkg.version && semver.satisfies(pkg.version, r));\n });\n return affectedVulnerabilities;\n}\n"],"mappings":";;;;;;AAOA,MAAM,mBAAmB;AAEzB,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4C5C,MAAa,yBAAyB,EAAE,KAAK;CAC3C;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAGF,MAAa,gBAAgB,EAAE,OAAO;CACpC,MAAM,EAAE,QAAQ;CAChB,SAAS,EAAE,QAAQ,CAAC,SAAS;CAC9B,CAAC;AAGF,MAAa,mCAAmC,EAAE,KAAK,CAAC,OAAO,OAAO,CAAC;AAGvE,MAAa,iCAAiC,EAAE,KAAK;CAAC;CAAO;CAAY;CAAQ;CAAW,CAAC;AAG7F,MAAa,yBAAyB,EAAE,OAAO;CAC7C,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,MAAM,CAAC,kCAAkC,EAAE,QAAQ,CAAC,CAAC;EAC7D,OAAO,EAAE,QAAQ;EAClB,CAAC,CACH;CACD,UAAU,+BAA+B,SAAS;CAClD,SAAS,EAAE,QAAQ;CACnB,aAAa,EAAE,QAAQ,CAAC,SAAS;CACjC,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,SAAS;CAC5D,MAAM,EACH,OAAO;EACN,OAAO,EAAE,QAAQ;EACjB,cAAc,EAAE,QAAQ;EACzB,CAAC,CACD,SAAS;CACZ,MAAM,EACH,OAAO;EACN,YAAY,EAAE,QAAQ;EACtB,YAAY,EAAE,QAAQ;EACvB,CAAC,CACD,SAAS;CACZ,MAAM,EACH,MACC,EAAE,OAAO;EACP,OAAO,EAAE,QAAQ;EACjB,MAAM,EAAE,QAAQ;EAChB,aAAa,EAAE,QAAQ;EACxB,CAAC,CACH,CACA,SAAS;CACZ,aAAa,EAAE,QAAQ,CAAC,SAAS;CACjC,WAAW,EAAE,QAAQ,CAAC,SAAS;CAC/B,aAAa,EAAE,QAAQ,CAAC,SAAS;CACjC,WAAW,EAAE,QAAQ,CAAC,SAAS;CAChC,CAAC;AAGF,MAAM,4BAA4B,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC;AAGtE,MAAa,8BAA8B,EAAE,OAAO;CAClD,SAAS;CACT,UAAU;CACV,wBAAwB,EAAE,QAAQ;CAClC,qBAAqB,0BAA0B,SAAS;CACzD,CAAC;AAGF,SAAgB,oDACd,0BACkB;AAClB,SAAQ,0BAAR;EACE,KAAK,WACH,QAAO;EACT,KAAK,MACH,QAAO;EACT,KAAK,iBACH,QAAO;EACT,KAAK,aACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,eACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,MACH,QAAO;EACT,KAAK,MACH,QAAO;EACT,KAAK,UACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,QACE,OAAM,IAAI,MAAM,uCAAuC,2BAA2B;;;;;;AAOxF,IAAa,oBAAb,MAA+B;CAC7B,AAAiB;CAEjB,YAAY,aAAqB;AAC/B,OAAK,cAAc;;;;;;;CAQrB,MAAa,gCACX,kBACA,UACkC;AAsClC,SAlCgC,MAAM,KAAK,qBACzC,KACA,UACA,OAAO,QAAQ;GACb,MAAM,YAAY;IAChB,WAAW;IACX,SAAS,IAAI;IACd;GACD,MAAM,WAAW,MAAM,MAAM,kBAAkB;IAC7C,QAAQ;IACR,SAAS;KACP,eAAe,UAAU,KAAK;KAC9B,gBAAgB;KACjB;IACD,MAAM,KAAK,UAAU;KACnB,OAAO;KACI;KACZ,CAAC;IACH,CAAC;AACF,OAAI,CAAC,SAAS,GACZ,OAAM,IAAI,MAAM,8CAA8C,SAAS,OAAO,GAAG,SAAS,aAAa;GAEzG,MAAM,eAAe,MAAM,SAAS,MAAM;GAC1C,MAAM,SAAS,cAAc;AAC7B,OAAI,OACF,OAAM,IAAI,MAAM,4CAA4C,KAAK,UAAU,OAAO,GAAG;AAKvF,WAFwB,cAAc,MAAM,yBAAyB,QAE7C,QAAQ,MAAW,GAAG,SAAS,EAAE,KAAK,OAAY;IAAE,SAAS;IAAK,GAAG;IAAG,EAAE;IAErG;;;;;;;;;CAYH,MAAc,qBAA6B,WAAmB,OAAa,QAAqC;EAC9G,MAAMA,UAAgB,EAAE;AACxB,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK,WAAW;GAChD,MAAM,QAAQ,MAAM,MAAM,GAAG,IAAI,UAAU;AAC3C,OAAI,OAAO,OACT,KAAI;IACF,MAAM,eAAe,MAAM,QAAQ,IAAI,MAAM,IAAI,OAAO,CAAC;AACzD,QAAI,cAAc,OAChB,SAAQ,KAAK,GAAG,aAAa,MAAM,CAAC;YAE/B,OAAO;AACd,WAAO,KAAK,kBAAkB,EAAE,GAAG,IAAI,UAAU,wCAAwC,QAAQ;;;AAIvG,SAAO;;;AAIX,SAAgB,sBAAsB,yBAA2E;AAqB/G,QAnBgC,wBAC7B,QAAQ,MAAM,CAAC,EAAE,SAAS,YAAY,CACtC,QAAQ,MAAM;EACb,MAAM,MAAM,EAAE;AACd,MAAI,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,EAAE,uBAC7B,QAAO;AAYT,SADiC,EAAE,uBAAuB,MAAM,IAAI,CAAC,KAAK,QAAMC,IAAE,MAAM,CAAC,CACzD,OAAO,MAAM,IAAI,WAAW,OAAO,UAAU,IAAI,SAAS,EAAE,CAAC;GAC7F"}
1	+ {"version":3,"file":"index.js","names":["results: T2[]","v"],"sources":["../../src/github/client.ts","../../src/github/ghsa.ts"],"sourcesContent":["import { Octokit } from 'octokit';\n\n/*\n Creates an authenticated GitHub API client using Octokit.\n \n @param token - GitHub personal access token or fine-grained token with appropriate permissions\n * @returns Configured Octokit instance ready for API calls\n /\nexport function createGitHubClient({ token }: { token: string }): Octokit {\n return new Octokit({\n auth: token,\n // could add retry here perhaps?\n });\n}\n","import type { Octokit } from 'octokit';\nimport as semver from 'semver';\nimport { z } from 'zod/v4';\n\nimport { logger } from '@/logger';\nimport { createGitHubClient } from './client';\n\n// we use nullish() because it does optional() and allows the value to be set to null\n\nconst GHSA_SECURITY_VULNERABILITIES_QUERY = `\n query($ecosystem: SecurityAdvisoryEcosystem, $package: String) {\n securityVulnerabilities(first: 100, ecosystem: $ecosystem, package: $package) {\n nodes {\n advisory {\n identifiers {\n type,\n value\n },\n severity,\n summary,\n description,\n references {\n url\n }\n cvssSeverities {\n cvssV3 {\n score\n vectorString\n }\n cvssV4 {\n score\n vectorString\n }\n }\n epss {\n percentage\n percentile\n }\n cwes (first: 100) {\n nodes {\n cweId\n name\n description\n }\n }\n publishedAt\n updatedAt\n withdrawnAt\n permalink\n }\n vulnerableVersionRange\n firstPatchedVersion {\n identifier\n }\n }\n }\n }\n`;\n\nexport const PackageEcosystemSchema = z.enum([\n 'COMPOSER',\n 'ERLANG',\n 'GO',\n 'ACTIONS',\n 'MAVEN',\n 'NPM',\n 'NUGET',\n 'PIP',\n 'PUB',\n 'RUBYGEMS',\n 'RUST',\n 'SWIFT',\n]);\nexport type PackageEcosystem = z.infer<typeof PackageEcosystemSchema>;\n\nexport const PackageSchema = z.object({\n name: z.string(),\n version: z.string().nullish(),\n});\nexport type Package = z.infer<typeof PackageSchema>;\n\nexport const SecurityAdvisoryIdentifierSchema = z.enum(['CVE', 'GHSA']);\nexport type SecurityAdvisoryIdentifierType = z.infer<typeof SecurityAdvisoryIdentifierSchema>;\n\nexport const SecurityAdvisorySeveritySchema = z.enum(['LOW', 'MODERATE', 'HIGH', 'CRITICAL']);\nexport type SecurityAdvisorySeverity = z.infer<typeof SecurityAdvisorySeveritySchema>;\n\nconst CweSchema = z.object({\n cweId: z.string(),\n name: z.string(),\n description: z.string(),\n});\n\nconst CvssSchema = z.object({\n score: z.number(),\n vectorString: z.string().nullish(),\n});\ntype Cvss = z.infer<typeof CvssSchema>;\n\nexport const SecurityAdvisorySchema = z.object({\n identifiers: z\n .object({\n type: z.union([SecurityAdvisoryIdentifierSchema, z.string()]),\n value: z.string(),\n })\n .array(),\n severity: SecurityAdvisorySeveritySchema.nullish(),\n summary: z.string(),\n description: z.string().nullish(),\n references: z.object({ url: z.string() }).array().nullish(),\n cvss: CvssSchema.nullish(),\n epss: z\n .object({\n percentage: z.number().nullish(),\n percentile: z.number().nullish(),\n })\n .nullish(),\n cwes: CweSchema.array().nullish(),\n publishedAt: z.string().nullish(),\n updatedAt: z.string().nullish(),\n withdrawnAt: z.string().nullish(),\n permalink: z.string().nullish(),\n});\nexport type SecurityAdvisory = z.infer<typeof SecurityAdvisorySchema>;\n\nconst FirstPatchedVersionSchema = z.object({ identifier: z.string() });\nexport type FirstPatchedVersion = z.infer<typeof FirstPatchedVersionSchema>;\n\nexport const SecurityVulnerabilitySchema = z.object({\n package: PackageSchema,\n advisory: SecurityAdvisorySchema,\n vulnerableVersionRange: z.string(),\n firstPatchedVersion: FirstPatchedVersionSchema.nullish(),\n});\nexport type SecurityVulnerability = z.infer<typeof SecurityVulnerabilitySchema>;\n\nconst CvssSeveritiesSchema = z.object({\n cvssV3: CvssSchema.nullish(),\n cvssV4: CvssSchema.nullish(),\n});\ntype CvssSeverities = z.infer<typeof CvssSeveritiesSchema>;\n\nconst GitHubSecurityVulnerabilitiesResponseSchema = z.object({\n securityVulnerabilities: z.object({\n nodes: z\n .object({\n advisory: SecurityAdvisorySchema.omit({ cvss: true /* incoming is cvssSeverities / }).extend({\n cvssSeverities: CvssSeveritiesSchema,\n cwes: z.object({ nodes: CweSchema.array() }).nullish(),\n }),\n firstPatchedVersion: FirstPatchedVersionSchema.nullish(),\n vulnerableVersionRange: z.string(),\n })\n .array(),\n }),\n});\ntype GitHubSecurityVulnerabilitiesResponse = z.infer<typeof GitHubSecurityVulnerabilitiesResponseSchema>;\n\nexport function getGhsaPackageEcosystemFromDependabotPackageManager(\n dependabotPackageManager: string,\n): PackageEcosystem {\n switch (dependabotPackageManager) {\n case 'composer':\n return 'COMPOSER';\n case 'elm':\n return 'ERLANG';\n case 'github_actions':\n return 'ACTIONS';\n case 'go_modules':\n return 'GO';\n case 'maven':\n return 'MAVEN';\n case 'npm_and_yarn':\n return 'NPM';\n case 'nuget':\n return 'NUGET';\n case 'pip':\n return 'PIP';\n case 'pub':\n return 'PUB';\n case 'bundler':\n return 'RUBYGEMS';\n case 'cargo':\n return 'RUST';\n case 'swift':\n return 'SWIFT';\n default:\n throw new Error(`Unknown dependabot package manager: ${dependabotPackageManager}`);\n }\n}\n\n/\n GitHub Security Advisory client\n /\nexport class GitHubSecurityAdvisoryClient {\n private readonly octokit: Octokit;\n\n /\n @param token GitHub personal access token with access to the GHSA API\n /\n constructor(token: string) {\n this.octokit = createGitHubClient({ token });\n }\n\n /\n Get the list of security vulnerabilities for a given package ecosystem and list of packages\n * @param packageEcosystem\n * @param packages\n /\n public async getSecurityVulnerabilitiesAsync(\n packageEcosystem: PackageEcosystem,\n packages: Package[],\n ): Promise<SecurityVulnerability[]> {\n // GitHub API doesn't support querying multiple package at once, so we need to make a request for each package individually.\n // To speed up the process, we can make the requests in parallel, 100 at a time. We batch the requests to avoid hitting the rate limit too quickly.\n // https://docs.github.com/en/graphql/overview/rate-limits-and-node-limits-for-the-graphql-api\n const securityVulnerabilities = await this.batchGraphQueryAsync<Package, SecurityVulnerability>(\n 100,\n packages,\n async (pkg) => {\n const variables = {\n ecosystem: packageEcosystem,\n package: pkg.name,\n };\n\n function pickCvss(value: CvssSeverities): Cvss \| undefined {\n // Pick the one with a non-zero score\n if (value.cvssV4 && value.cvssV4.score > 0) return value.cvssV4;\n if (value.cvssV3 && value.cvssV3.score > 0) return value.cvssV3;\n }\n\n try {\n const response = await this.octokit.graphql<GitHubSecurityVulnerabilitiesResponse>(\n GHSA_SECURITY_VULNERABILITIES_QUERY,\n variables,\n );\n const parsed = GitHubSecurityVulnerabilitiesResponseSchema.parse(response);\n const vulnerabilities = parsed.securityVulnerabilities.nodes;\n return (\n vulnerabilities\n ?.filter((v) => v.advisory != null)\n ?.map(\n (v) =>\n ({\n ...v,\n package: pkg,\n advisory: {\n ...v.advisory,\n cwes: v.advisory.cwes?.nodes,\n cvss: pickCvss(v.advisory.cvssSeverities),\n },\n }) satisfies SecurityVulnerability,\n ) \|\| []\n );\n } catch (error) {\n logger.warn(`GHSA GraphQL request failed for package ${pkg.name}: ${error}. Continuing with other packages.`);\n return [];\n }\n },\n );\n\n return securityVulnerabilities;\n }\n\n /\n Batch requests in parallel to speed up the process when we are forced to do a N+1 query\n * @param batchSize\n * @param items\n * @param action\n * @returns\n /\n private async batchGraphQueryAsync<T1, T2>(batchSize: number, items: T1[], action: (item: T1) => Promise<T2[]>) {\n const results: T2[] = [];\n for (let i = 0; i < items.length; i += batchSize) {\n const batch = items.slice(i, i + batchSize);\n if (batch?.length) {\n try {\n const batchResults = await Promise.all(batch.map(action));\n if (batchResults?.length) {\n results.push(...batchResults.flat());\n }\n } catch (error) {\n logger.warn(`Request batch [${i}-${i + batchSize}] failed; The data may be incomplete. ${error}`);\n }\n }\n }\n return results;\n }\n}\n\nexport function filterVulnerabilities(securityVulnerabilities: SecurityVulnerability[]): SecurityVulnerability[] {\n // Filter out vulnerabilities that have been withdrawn or that are not relevant the current version of the package\n const affectedVulnerabilities = securityVulnerabilities\n .filter((v) => !v.advisory.withdrawnAt)\n .filter((v) => {\n const pkg = v.package;\n if (!pkg \|\| !pkg.version \|\| !v.vulnerableVersionRange) {\n return false;\n }\n\n /\n The vulnerable version range follows a basic syntax with a few forms:\n * `= 0.2.0` denotes a single vulnerable version\n * `<= 1.0.8` denotes a version range up to and including the specified version\n * `< 0.1.11` denotes a version range up to, but excluding, the specified version\n * `>= 4.3.0, < 4.3.5` denotes a version range with a known minimum and maximum version\n * `>= 0.0.1` denotes a version range with a known minimum, but no known maximum\n */\n const versionRangeRequirements = v.vulnerableVersionRange.split(',').map((v) => v.trim());\n return versionRangeRequirements.every((r) => pkg.version && semver.satisfies(pkg.version, r));\n });\n return affectedVulnerabilities;\n}\n"],"mappings":";;;;;;;;;;;;;AAQA,SAAgB,mBAAmB,EAAE,SAAqC;AACxE,QAAO,IAAI,QAAQ,EACjB,MAAM,OAEP,CAAC;;;;;ACHJ,MAAM,sCAAsC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkD5C,MAAa,yBAAyB,EAAE,KAAK;CAC3C;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACD,CAAC;AAGF,MAAa,gBAAgB,EAAE,OAAO;CACpC,MAAM,EAAE,QAAQ;CAChB,SAAS,EAAE,QAAQ,CAAC,SAAS;CAC9B,CAAC;AAGF,MAAa,mCAAmC,EAAE,KAAK,CAAC,OAAO,OAAO,CAAC;AAGvE,MAAa,iCAAiC,EAAE,KAAK;CAAC;CAAO;CAAY;CAAQ;CAAW,CAAC;AAG7F,MAAM,YAAY,EAAE,OAAO;CACzB,OAAO,EAAE,QAAQ;CACjB,MAAM,EAAE,QAAQ;CAChB,aAAa,EAAE,QAAQ;CACxB,CAAC;AAEF,MAAM,aAAa,EAAE,OAAO;CAC1B,OAAO,EAAE,QAAQ;CACjB,cAAc,EAAE,QAAQ,CAAC,SAAS;CACnC,CAAC;AAGF,MAAa,yBAAyB,EAAE,OAAO;CAC7C,aAAa,EACV,OAAO;EACN,MAAM,EAAE,MAAM,CAAC,kCAAkC,EAAE,QAAQ,CAAC,CAAC;EAC7D,OAAO,EAAE,QAAQ;EAClB,CAAC,CACD,OAAO;CACV,UAAU,+BAA+B,SAAS;CAClD,SAAS,EAAE,QAAQ;CACnB,aAAa,EAAE,QAAQ,CAAC,SAAS;CACjC,YAAY,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS;CAC3D,MAAM,WAAW,SAAS;CAC1B,MAAM,EACH,OAAO;EACN,YAAY,EAAE,QAAQ,CAAC,SAAS;EAChC,YAAY,EAAE,QAAQ,CAAC,SAAS;EACjC,CAAC,CACD,SAAS;CACZ,MAAM,UAAU,OAAO,CAAC,SAAS;CACjC,aAAa,EAAE,QAAQ,CAAC,SAAS;CACjC,WAAW,EAAE,QAAQ,CAAC,SAAS;CAC/B,aAAa,EAAE,QAAQ,CAAC,SAAS;CACjC,WAAW,EAAE,QAAQ,CAAC,SAAS;CAChC,CAAC;AAGF,MAAM,4BAA4B,EAAE,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC;AAGtE,MAAa,8BAA8B,EAAE,OAAO;CAClD,SAAS;CACT,UAAU;CACV,wBAAwB,EAAE,QAAQ;CAClC,qBAAqB,0BAA0B,SAAS;CACzD,CAAC;AAGF,MAAM,uBAAuB,EAAE,OAAO;CACpC,QAAQ,WAAW,SAAS;CAC5B,QAAQ,WAAW,SAAS;CAC7B,CAAC;AAGF,MAAM,8CAA8C,EAAE,OAAO,EAC3D,yBAAyB,EAAE,OAAO,EAChC,OAAO,EACJ,OAAO;CACN,UAAU,uBAAuB,KAAK,EAAE,MAAM,MAAuC,CAAC,CAAC,OAAO;EAC5F,gBAAgB;EAChB,MAAM,EAAE,OAAO,EAAE,OAAO,UAAU,OAAO,EAAE,CAAC,CAAC,SAAS;EACvD,CAAC;CACF,qBAAqB,0BAA0B,SAAS;CACxD,wBAAwB,EAAE,QAAQ;CACnC,CAAC,CACD,OAAO,EACX,CAAC,EACH,CAAC;AAGF,SAAgB,oDACd,0BACkB;AAClB,SAAQ,0BAAR;EACE,KAAK,WACH,QAAO;EACT,KAAK,MACH,QAAO;EACT,KAAK,iBACH,QAAO;EACT,KAAK,aACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,eACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,MACH,QAAO;EACT,KAAK,MACH,QAAO;EACT,KAAK,UACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,QACE,OAAM,IAAI,MAAM,uCAAuC,2BAA2B;;;;;;AAOxF,IAAa,+BAAb,MAA0C;CACxC,AAAiB;;;;CAKjB,YAAY,OAAe;AACzB,OAAK,UAAU,mBAAmB,EAAE,OAAO,CAAC;;;;;;;CAQ9C,MAAa,gCACX,kBACA,UACkC;AAiDlC,SA7CgC,MAAM,KAAK,qBACzC,KACA,UACA,OAAO,QAAQ;GACb,MAAM,YAAY;IAChB,WAAW;IACX,SAAS,IAAI;IACd;GAED,SAAS,SAAS,OAAyC;AAEzD,QAAI,MAAM,UAAU,MAAM,OAAO,QAAQ,EAAG,QAAO,MAAM;AACzD,QAAI,MAAM,UAAU,MAAM,OAAO,QAAQ,EAAG,QAAO,MAAM;;AAG3D,OAAI;IACF,MAAM,WAAW,MAAM,KAAK,QAAQ,QAClC,qCACA,UACD;AAGD,WAFe,4CAA4C,MAAM,SAAS,CAC3C,wBAAwB,OAGjD,QAAQ,MAAM,EAAE,YAAY,KAAK,EACjC,KACC,OACE;KACC,GAAG;KACH,SAAS;KACT,UAAU;MACR,GAAG,EAAE;MACL,MAAM,EAAE,SAAS,MAAM;MACvB,MAAM,SAAS,EAAE,SAAS,eAAe;MAC1C;KACF,EACJ,IAAI,EAAE;YAEJ,OAAO;AACd,WAAO,KAAK,2CAA2C,IAAI,KAAK,IAAI,MAAM,mCAAmC;AAC7G,WAAO,EAAE;;IAGd;;;;;;;;;CAYH,MAAc,qBAA6B,WAAmB,OAAa,QAAqC;EAC9G,MAAMA,UAAgB,EAAE;AACxB,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK,WAAW;GAChD,MAAM,QAAQ,MAAM,MAAM,GAAG,IAAI,UAAU;AAC3C,OAAI,OAAO,OACT,KAAI;IACF,MAAM,eAAe,MAAM,QAAQ,IAAI,MAAM,IAAI,OAAO,CAAC;AACzD,QAAI,cAAc,OAChB,SAAQ,KAAK,GAAG,aAAa,MAAM,CAAC;YAE/B,OAAO;AACd,WAAO,KAAK,kBAAkB,EAAE,GAAG,IAAI,UAAU,wCAAwC,QAAQ;;;AAIvG,SAAO;;;AAIX,SAAgB,sBAAsB,yBAA2E;AAqB/G,QAnBgC,wBAC7B,QAAQ,MAAM,CAAC,EAAE,SAAS,YAAY,CACtC,QAAQ,MAAM;EACb,MAAM,MAAM,EAAE;AACd,MAAI,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,EAAE,uBAC7B,QAAO;AAYT,SADiC,EAAE,uBAAuB,MAAM,IAAI,CAAC,KAAK,QAAMC,IAAE,MAAM,CAAC,CACzD,OAAO,MAAM,IAAI,WAAW,OAAO,UAAU,IAAI,SAAS,EAAE,CAAC;GAC7F"}

package/dist/{index-3wZw74Ah.d.ts → index-CYzMyUeu.d.ts} RENAMED Viewed

@@ -1,5 +1,20 @@
 import { z } from "zod/v4";
+import { Octokit } from "octokit";
+//#region src/github/client.d.ts
+/**
+ * Creates an authenticated GitHub API client using Octokit.
+ *
+ * @param token - GitHub personal access token or fine-grained token with appropriate permissions
+ * @returns Configured Octokit instance ready for API calls
+ */
+declare function createGitHubClient({
+  token
+}: {
+  token: string;
+}): Octokit;
+//#endregion
 //#region src/github/ghsa.d.ts
 declare const PackageEcosystemSchema: z.ZodEnum<{
   COMPOSER: "COMPOSER";
@@ -54,11 +69,11 @@ declare const SecurityAdvisorySchema: z.ZodObject<{
   }, z.core.$strip>>>>;
   cvss: z.ZodOptional<z.ZodNullable<z.ZodObject<{
     score: z.ZodNumber;
-    vectorString: z.ZodString;
+    vectorString: z.ZodOptional<z.ZodNullable<z.ZodString>>;
   }, z.core.$strip>>>;
   epss: z.ZodOptional<z.ZodNullable<z.ZodObject<{
-    percentage: z.ZodNumber;
-    percentile: z.ZodNumber;
+    percentage: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+    percentile: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
   }, z.core.$strip>>>;
   cwes: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodObject<{
     cweId: z.ZodString;
@@ -101,11 +116,11 @@ declare const SecurityVulnerabilitySchema: z.ZodObject<{
     }, z.core.$strip>>>>;
     cvss: z.ZodOptional<z.ZodNullable<z.ZodObject<{
       score: z.ZodNumber;
-      vectorString: z.ZodString;
+      vectorString: z.ZodOptional<z.ZodNullable<z.ZodString>>;
     }, z.core.$strip>>>;
     epss: z.ZodOptional<z.ZodNullable<z.ZodObject<{
-      percentage: z.ZodNumber;
-      percentile: z.ZodNumber;
+      percentage: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+      percentile: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
     }, z.core.$strip>>>;
     cwes: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodObject<{
       cweId: z.ZodString;
@@ -125,11 +140,14 @@ declare const SecurityVulnerabilitySchema: z.ZodObject<{
 type SecurityVulnerability = z.infer<typeof SecurityVulnerabilitySchema>;
 declare function getGhsaPackageEcosystemFromDependabotPackageManager(dependabotPackageManager: string): PackageEcosystem;
 /**
- * GitHub GraphQL client
+ * GitHub Security Advisory client
  */
-declare class GitHubGraphClient {
-  private readonly accessToken;
-  constructor(accessToken: string);
+declare class GitHubSecurityAdvisoryClient {
+  private readonly octokit;
+  /**
+   * @param token GitHub personal access token with access to the GHSA API
+   */
+  constructor(token: string);
   /**
    * Get the list of security vulnerabilities for a given package ecosystem and list of packages
    * @param packageEcosystem
@@ -147,5 +165,5 @@ declare class GitHubGraphClient {
 }
 declare function filterVulnerabilities(securityVulnerabilities: SecurityVulnerability[]): SecurityVulnerability[];
 //#endregion
-export { PackageEcosystemSchema as a, SecurityAdvisoryIdentifierSchema as c, SecurityAdvisorySeverity as d, SecurityAdvisorySeveritySchema as f, getGhsaPackageEcosystemFromDependabotPackageManager as g, filterVulnerabilities as h, PackageEcosystem as i, SecurityAdvisoryIdentifierType as l, SecurityVulnerabilitySchema as m, GitHubGraphClient as n, PackageSchema as o, SecurityVulnerability as p, Package as r, SecurityAdvisory as s, FirstPatchedVersion as t, SecurityAdvisorySchema as u };
-//# sourceMappingURL=index-3wZw74Ah.d.ts.map
+export { createGitHubClient as _, PackageEcosystemSchema as a, SecurityAdvisoryIdentifierSchema as c, SecurityAdvisorySeverity as d, SecurityAdvisorySeveritySchema as f, getGhsaPackageEcosystemFromDependabotPackageManager as g, filterVulnerabilities as h, PackageEcosystem as i, SecurityAdvisoryIdentifierType as l, SecurityVulnerabilitySchema as m, GitHubSecurityAdvisoryClient as n, PackageSchema as o, SecurityVulnerability as p, Package as r, SecurityAdvisory as s, FirstPatchedVersion as t, SecurityAdvisorySchema as u };
+//# sourceMappingURL=index-CYzMyUeu.d.ts.map

package/dist/{index-Dr0PB1As.d.ts → index-VTX2ArLa.d.ts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { p as SecurityVulnerability } from "./index-3wZw74Ah.js";
+import { p as SecurityVulnerability } from "./index-CYzMyUeu.js";
 import { z } from "zod/v4";
 import { Hono } from "hono";
@@ -113,11 +113,11 @@ type DependabotGroup = z.infer<typeof DependabotGroupSchema>;
 declare const DependabotAllowConditionSchema: z.ZodObject<{
   'dependency-name': z.ZodOptional<z.ZodString>;
   'dependency-type': z.ZodOptional<z.ZodEnum<{
-    all: "all";
     development: "development";
     production: "production";
     direct: "direct";
     indirect: "indirect";
+    all: "all";
   }>>;
   'update-type': z.ZodOptional<z.ZodEnum<{
     all: "all";
@@ -213,10 +213,10 @@ declare const PackageEcosystemSchema: z.ZodEnum<{
 }>;
 type PackageEcosystem = z.infer<typeof PackageEcosystemSchema>;
 declare const VersioningStrategySchema: z.ZodEnum<{
-  "lockfile-only": "lockfile-only";
   auto: "auto";
   increase: "increase";
   "increase-if-necessary": "increase-if-necessary";
+  "lockfile-only": "lockfile-only";
   widen: "widen";
 }>;
 type VersioningStrategy = z.infer<typeof VersioningStrategySchema>;
@@ -260,11 +260,11 @@ declare const DependabotUpdateSchema: z.ZodPipe<z.ZodObject<{
   allow: z.ZodOptional<z.ZodArray<z.ZodObject<{
     'dependency-name': z.ZodOptional<z.ZodString>;
     'dependency-type': z.ZodOptional<z.ZodEnum<{
-      all: "all";
       development: "development";
       production: "production";
       direct: "direct";
       indirect: "indirect";
+      all: "all";
     }>>;
     'update-type': z.ZodOptional<z.ZodEnum<{
       all: "all";
@@ -350,10 +350,10 @@ declare const DependabotUpdateSchema: z.ZodPipe<z.ZodObject<{
   'target-branch': z.ZodOptional<z.ZodString>;
   vendor: z.ZodOptional<z.ZodBoolean>;
   'versioning-strategy': z.ZodOptional<z.ZodEnum<{
-    "lockfile-only": "lockfile-only";
     auto: "auto";
     increase: "increase";
     "increase-if-necessary": "increase-if-necessary";
+    "lockfile-only": "lockfile-only";
     widen: "widen";
   }>>;
   patterns: z.ZodOptional<z.ZodArray<z.ZodString>>;
@@ -365,7 +365,7 @@ declare const DependabotUpdateSchema: z.ZodPipe<z.ZodObject<{
   'exclude-paths'?: string[] | undefined;
   allow?: {
     'dependency-name'?: string | undefined;
-    'dependency-type'?: "all" | "development" | "production" | "direct" | "indirect" | undefined;
+    'dependency-type'?: "development" | "production" | "direct" | "indirect" | "all" | undefined;
     'update-type'?: "all" | "security" | undefined;
   }[] | undefined;
   assignees?: string[] | undefined;
@@ -413,7 +413,7 @@ declare const DependabotUpdateSchema: z.ZodPipe<z.ZodObject<{
   } | undefined;
   'target-branch'?: string | undefined;
   vendor?: boolean | undefined;
-  'versioning-strategy'?: "lockfile-only" | "auto" | "increase" | "increase-if-necessary" | "widen" | undefined;
+  'versioning-strategy'?: "auto" | "increase" | "increase-if-necessary" | "lockfile-only" | "widen" | undefined;
   patterns?: string[] | undefined;
   'multi-ecosystem-group'?: string | undefined;
 }, {
@@ -423,7 +423,7 @@ declare const DependabotUpdateSchema: z.ZodPipe<z.ZodObject<{
   'exclude-paths'?: string[] | undefined;
   allow?: {
     'dependency-name'?: string | undefined;
-    'dependency-type'?: "all" | "development" | "production" | "direct" | "indirect" | undefined;
+    'dependency-type'?: "development" | "production" | "direct" | "indirect" | "all" | undefined;
     'update-type'?: "all" | "security" | undefined;
   }[] | undefined;
   assignees?: string[] | undefined;
@@ -471,7 +471,7 @@ declare const DependabotUpdateSchema: z.ZodPipe<z.ZodObject<{
   } | undefined;
   'target-branch'?: string | undefined;
   vendor?: boolean | undefined;
-  'versioning-strategy'?: "lockfile-only" | "auto" | "increase" | "increase-if-necessary" | "widen" | undefined;
+  'versioning-strategy'?: "auto" | "increase" | "increase-if-necessary" | "lockfile-only" | "widen" | undefined;
   patterns?: string[] | undefined;
   'multi-ecosystem-group'?: string | undefined;
 }>>;
@@ -597,11 +597,11 @@ declare const DependabotConfigSchema: z.ZodPipe<z.ZodObject<{
     allow: z.ZodOptional<z.ZodArray<z.ZodObject<{
       'dependency-name': z.ZodOptional<z.ZodString>;
       'dependency-type': z.ZodOptional<z.ZodEnum<{
-        all: "all";
         development: "development";
         production: "production";
         direct: "direct";
         indirect: "indirect";
+        all: "all";
       }>>;
       'update-type': z.ZodOptional<z.ZodEnum<{
         all: "all";
@@ -687,10 +687,10 @@ declare const DependabotConfigSchema: z.ZodPipe<z.ZodObject<{
     'target-branch': z.ZodOptional<z.ZodString>;
     vendor: z.ZodOptional<z.ZodBoolean>;
     'versioning-strategy': z.ZodOptional<z.ZodEnum<{
-      "lockfile-only": "lockfile-only";
       auto: "auto";
       increase: "increase";
       "increase-if-necessary": "increase-if-necessary";
+      "lockfile-only": "lockfile-only";
       widen: "widen";
     }>>;
     patterns: z.ZodOptional<z.ZodArray<z.ZodString>>;
@@ -702,7 +702,7 @@ declare const DependabotConfigSchema: z.ZodPipe<z.ZodObject<{
     'exclude-paths'?: string[] | undefined;
     allow?: {
       'dependency-name'?: string | undefined;
-      'dependency-type'?: "all" | "development" | "production" | "direct" | "indirect" | undefined;
+      'dependency-type'?: "development" | "production" | "direct" | "indirect" | "all" | undefined;
       'update-type'?: "all" | "security" | undefined;
     }[] | undefined;
     assignees?: string[] | undefined;
@@ -750,7 +750,7 @@ declare const DependabotConfigSchema: z.ZodPipe<z.ZodObject<{
     } | undefined;
     'target-branch'?: string | undefined;
     vendor?: boolean | undefined;
-    'versioning-strategy'?: "lockfile-only" | "auto" | "increase" | "increase-if-necessary" | "widen" | undefined;
+    'versioning-strategy'?: "auto" | "increase" | "increase-if-necessary" | "lockfile-only" | "widen" | undefined;
     patterns?: string[] | undefined;
     'multi-ecosystem-group'?: string | undefined;
   }, {
@@ -760,7 +760,7 @@ declare const DependabotConfigSchema: z.ZodPipe<z.ZodObject<{
     'exclude-paths'?: string[] | undefined;
     allow?: {
       'dependency-name'?: string | undefined;
-      'dependency-type'?: "all" | "development" | "production" | "direct" | "indirect" | undefined;
+      'dependency-type'?: "development" | "production" | "direct" | "indirect" | "all" | undefined;
       'update-type'?: "all" | "security" | undefined;
     }[] | undefined;
     assignees?: string[] | undefined;
@@ -808,7 +808,7 @@ declare const DependabotConfigSchema: z.ZodPipe<z.ZodObject<{
     } | undefined;
     'target-branch'?: string | undefined;
     vendor?: boolean | undefined;
-    'versioning-strategy'?: "lockfile-only" | "auto" | "increase" | "increase-if-necessary" | "widen" | undefined;
+    'versioning-strategy'?: "auto" | "increase" | "increase-if-necessary" | "lockfile-only" | "widen" | undefined;
     patterns?: string[] | undefined;
     'multi-ecosystem-group'?: string | undefined;
   }>>>;
@@ -890,7 +890,7 @@ declare const DependabotConfigSchema: z.ZodPipe<z.ZodObject<{
     'exclude-paths'?: string[] | undefined;
     allow?: {
       'dependency-name'?: string | undefined;
-      'dependency-type'?: "all" | "development" | "production" | "direct" | "indirect" | undefined;
+      'dependency-type'?: "development" | "production" | "direct" | "indirect" | "all" | undefined;
       'update-type'?: "all" | "security" | undefined;
     }[] | undefined;
     assignees?: string[] | undefined;
@@ -938,7 +938,7 @@ declare const DependabotConfigSchema: z.ZodPipe<z.ZodObject<{
     } | undefined;
     'target-branch'?: string | undefined;
     vendor?: boolean | undefined;
-    'versioning-strategy'?: "lockfile-only" | "auto" | "increase" | "increase-if-necessary" | "widen" | undefined;
+    'versioning-strategy'?: "auto" | "increase" | "increase-if-necessary" | "lockfile-only" | "widen" | undefined;
     patterns?: string[] | undefined;
     'multi-ecosystem-group'?: string | undefined;
   }[];
@@ -991,7 +991,7 @@ declare const DependabotConfigSchema: z.ZodPipe<z.ZodObject<{
     'exclude-paths'?: string[] | undefined;
     allow?: {
       'dependency-name'?: string | undefined;
-      'dependency-type'?: "all" | "development" | "production" | "direct" | "indirect" | undefined;
+      'dependency-type'?: "development" | "production" | "direct" | "indirect" | "all" | undefined;
       'update-type'?: "all" | "security" | undefined;
     }[] | undefined;
     assignees?: string[] | undefined;
@@ -1039,7 +1039,7 @@ declare const DependabotConfigSchema: z.ZodPipe<z.ZodObject<{
     } | undefined;
     'target-branch'?: string | undefined;
     vendor?: boolean | undefined;
-    'versioning-strategy'?: "lockfile-only" | "auto" | "increase" | "increase-if-necessary" | "widen" | undefined;
+    'versioning-strategy'?: "auto" | "increase" | "increase-if-necessary" | "lockfile-only" | "widen" | undefined;
     patterns?: string[] | undefined;
     'multi-ecosystem-group'?: string | undefined;
   }[];
@@ -2081,4 +2081,4 @@ declare const DependabotMetricSchema: z.ZodObject<{
 type DependabotMetric = z.infer<typeof DependabotMetricSchema>;
 //#endregion
 export { sanitizeRef as $, DependabotGroup as $t, DependabotRequest as A, DependabotProxyConfig as At, makeRandomJobToken as B, DependabotSourceProviderSchema as Bt, DependabotRecordUpdateJobUnknownError as C, extractPlaceholder as Cn, DependabotGroupRuleJobSchema as Ct, DependabotUpdatePullRequest as D, DependabotJobFileSchema as Dt, DependabotUpdateDependencyListSchema as E, GitAuthor as En, DependabotJobFile as Et, createApiServerApp as F, DependabotRequirementSourceSchema as Ft, mapIgnoreConditionsFromDependabotConfigToJobConfig as G, DependabotAllowCondition as Gt, mapCredentials as H, FetchedFiles as Ht, DependabotJobBuilder as I, DependabotSecurityAdvisory as It, mapSourceFromDependabotConfigToJobConfig as J, DependabotCommitMessageSchema as Jt, mapPackageEcosystemToPackageManager as K, DependabotAllowConditionSchema as Kt, DependabotJobBuilderOutput as L, DependabotSecurityAdvisorySchema as Lt, DependabotRequestType as M, DependabotRequirement as Mt, DependabotRequestTypeSchema as N, DependabotRequirementSchema as Nt, DependabotUpdatePullRequestSchema as O, DependabotPackageManager as Ot, DependabotTokenType as P, DependabotRequirementSource as Pt, getBranchNameForUpdate as Q, DependabotCooldownSchema as Qt, DependabotSourceInfo as R, DependabotSource as Rt, DependabotRecordUpdateJobErrorSchema as S, convertPlaceholder as Sn, DependabotGroupRuleJob as St, DependabotUpdateDependencyList as T, DEPENDABOT_DEFAULT_AUTHOR_NAME as Tn, DependabotJobConfigSchema as Tt, mapExperiments as U, FileFetcherInput as Ut, mapAllowedUpdatesFromDependabotConfigToJobConfig as V, DependabotSourceSchema as Vt, mapGroupsFromDependabotConfigToJobConfig as W, FileUpdaterInput as Wt, DEFAULT_EXPERIMENTS as X, DependabotConfigSchema as Xt, mapVersionStrategyToRequirementsUpdateStrategy as Y, DependabotConfig as Yt, parseExperiments as Z, DependabotCooldown as Zt, DependabotRecordEcosystemMeta as _, parseDependabotConfig as _n, DependabotExistingPRSchema as _t, DependabotDependencyFile as a, DependabotPullRequestBranchName as an, DependabotCommandSchema as at, DependabotRecordEcosystemVersionsSchema as b, validateConfiguration as bn, DependabotGroupJob as bt, DependabotEcosystemMetaSchema as c, DependabotSchedule as cn, DependabotCondition as ct, DependabotIncrementMetric as d, DependabotUpdateSchema as dn, DependabotCredentialSchema as dt, DependabotGroupSchema as en, CertificateAuthority as et, DependabotIncrementMetricSchema as f, POSSIBLE_CONFIG_FILE_PATHS as fn, DependabotDependency as ft, DependabotMetricSchema as g, VersioningStrategySchema as gn, DependabotExistingPR as gt, DependabotMetric as h, VersioningStrategy as hn, DependabotExistingGroupPRSchema as ht, DependabotCreatePullRequestSchema as i, DependabotMultiEcosystemGroupSchema as in, DependabotCommand as it, DependabotRequestSchema as j, DependabotProxyConfigSchema as jt, CreateApiServerAppOptions as k, DependabotPackageManagerSchema as kt, DependabotEcosystemVersionManager as l, DependabotScheduleSchema as ln, DependabotConditionSchema as lt, DependabotMarkAsProcessedSchema as m, PackageEcosystemSchema as mn, DependabotExistingGroupPR as mt, DependabotClosePullRequestSchema as n, DependabotIgnoreConditionSchema as nn, DependabotAllowed as nt, DependabotDependencyFileSchema as o, DependabotRegistry as on, DependabotCommitOptions as ot, DependabotMarkAsProcessed as p, PackageEcosystem as pn, DependabotDependencySchema as pt, mapSecurityAdvisories as q, DependabotCommitMessage as qt, DependabotCreatePullRequest as r, DependabotMultiEcosystemGroup as rn, DependabotAllowedSchema as rt, DependabotEcosystemMeta as s, DependabotRegistrySchema as sn, DependabotCommitOptionsSchema as st, DependabotClosePullRequest as t, DependabotIgnoreCondition as tn, CertificateAuthoritySchema as tt, DependabotEcosystemVersionManagerSchema as u, DependabotUpdate as un, DependabotCredential as ut, DependabotRecordEcosystemMetaSchema as v, parseRegistries as vn, DependabotExperiments as vt, DependabotRecordUpdateJobUnknownErrorSchema as w, DEPENDABOT_DEFAULT_AUTHOR_EMAIL as wn, DependabotJobConfig as wt, DependabotRecordUpdateJobError as x, VariableFinderFn as xn, DependabotGroupJobSchema as xt, DependabotRecordEcosystemVersions as y, parseUpdates as yn, DependabotExperimentsSchema as yt, makeRandomJobId as z, DependabotSourceProvider as zt };
-//# sourceMappingURL=index-Dr0PB1As.d.ts.map
+//# sourceMappingURL=index-VTX2ArLa.d.ts.map

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@paklo/core",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "sideEffects": false,
   "type": "module",
   "author": "mburumaxwell",
@@ -62,6 +62,7 @@
     "@hono/zod-validator": "0.7.4",
     "hono": "4.10.4",
     "js-yaml": "4.1.0",
+    "octokit": "5.0.5",
     "pino": "10.1.0",
     "pino-pretty": "13.1.2",
     "semver": "7.7.3",