npm - @planu/cli - Versions diffs - 1.0.2 → 1.0.4 - Mend

@planu/cli 1.0.2 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

package/dist/engine/dep-auditor/index.js CHANGED Viewed

@@ -1,63 +1,103 @@
-// dep-auditor/index.ts — Main dependency audit orchestrator (SPEC-025)
+// dep-auditor/index.ts — Main dependency audit orchestrator (SPEC-025, SPEC-335)
 // Combines license checking, vuln detection, abandonment heuristics, and duplicate detection.
 import { readFile } from 'node:fs/promises';
 import { join } from 'node:path';
 import { readManifest } from '../stack-auditor/manifest-reader.js';
 import { checkLicense, isCommercialProject } from './license-checker.js';
 import { detectDuplicates } from './dep-duplicates-detector.js';
-import { getVulns } from './vuln-data.js';
+import { getVulns, KNOWN_VULNS } from './vuln-data.js';
 import { getAbandonedInfo, classifyEntry } from './abandonment-data.js';
+import { fetchNpmCve } from './cve-fetcher.js';
+import { parseTransitiveDeps } from './lockfile-parser.js';
 export { formatDepAuditMarkdown, formatDepAuditAcceptanceCriteria } from './formatters.js';
+// ---------------------------------------------------------------------------
+// 1h in-memory CVE cache
+// ---------------------------------------------------------------------------
+const cveCache = new Map();
+const CVE_CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour
+/** Clear the CVE cache — intended for use in tests only. */
+export function clearCveCache() {
+    cveCache.clear();
+}
+async function fetchNpmCveCached(pkg, version) {
+    const cacheKey = `${pkg}@${version}`;
+    const now = Date.now();
+    const cached = cveCache.get(cacheKey);
+    if (cached && cached.expiresAt > now) {
+        return cached.data;
+    }
+    const data = await fetchNpmCve(pkg, version);
+    cveCache.set(cacheKey, { data, expiresAt: now + CVE_CACHE_TTL_MS });
+    return data;
+}
+/** Build DepVuln entries from live CveFinding results, marking as transitive if needed. */
+function cveToDepVulns(findings, transitive) {
+    return findings.map((f) => ({
+        cveId: f.cveId,
+        severity: f.severity,
+        description: f.title,
+        fixedIn: f.fixedIn ?? undefined,
+        ...(transitive ? { transitive: true } : {}),
+    }));
+}
 /**
- * Audit all dependencies of a project at projectPath.
- * Scans package.json (npm), requirements.txt (python), go.mod (go),
- * Cargo.toml (rust), pom.xml (java).
+ * Merge hardcoded vulns with live API vulns. Live results take precedence:
+ * if a CVE ID appears in both, keep the live version.
  */
-export async function auditDeps(projectPath) {
-    const manifest = await readManifest(projectPath);
-    const ecosystem = manifest.ecosystem;
-    // Determine if commercial project (for future license severity adjustment)
-    if (ecosystem === 'nodejs') {
+function mergeVulns(hardcoded, live) {
+    const liveCveIds = new Set(live.map((v) => v.cveId));
+    const filteredHardcoded = hardcoded.filter((v) => !liveCveIds.has(v.cveId));
+    return [...filteredHardcoded, ...live];
+}
+/** Build a DepAuditEntry for a single direct dependency. */
+async function buildDirectEntry(name, version, ecosystem, licenseMap) {
+    const hardcodedVulns = getVulns(name, version);
+    let liveVulns = [];
+    if (ecosystem === 'nodejs' && name in KNOWN_VULNS) {
         try {
-            const pkgJson = await readFile(join(projectPath, 'package.json'), 'utf-8');
-            // isCommercialProject result reserved for future enforcement logic
-            isCommercialProject(pkgJson);
+            const findings = await fetchNpmCveCached(name, version);
+            liveVulns = cveToDepVulns(findings, false);
         }
         catch {
-            // default: assume commercial
+            // silently fall back to hardcoded list
         }
     }
-    const deps = manifest.directDependencies;
-    const depNames = Object.keys(deps);
-    const licenseMap = await buildLicenseMap(projectPath, ecosystem);
-    const entries = depNames.map((name) => {
-        const version = deps[name] ?? 'unknown';
-        const vulns = getVulns(name, version);
-        const licenseRaw = licenseMap[name] ?? '';
-        const license = checkLicense(licenseRaw);
-        const abandoned = getAbandonedInfo(name);
+    const vulns = mergeVulns(hardcodedVulns, liveVulns);
+    const licenseRaw = licenseMap[name] ?? '';
+    const license = checkLicense(licenseRaw);
+    const abandoned = getAbandonedInfo(name);
+    return { name, currentVersion: version, ecosystem, vulns, license, abandoned };
+}
+/** Build transitive-only vuln entries (packages not in direct deps). */
+async function buildTransitiveEntries(transitiveOnlyEntries, ecosystem) {
+    const results = await Promise.all(transitiveOnlyEntries.map(async ([name, version]) => {
+        const hardcoded = getVulns(name, version).map((v) => ({ ...v, transitive: true }));
+        let liveVulns = [];
+        if (name in KNOWN_VULNS) {
+            try {
+                liveVulns = cveToDepVulns(await fetchNpmCveCached(name, version), true);
+            }
+            catch {
+                /* fall back to hardcoded */
+            }
+        }
+        const vulns = mergeVulns(hardcoded, liveVulns);
+        if (vulns.length === 0) {
+            return null;
+        }
         return {
             name,
             currentVersion: version,
             ecosystem,
             vulns,
-            license,
-            abandoned,
+            license: checkLicense(''),
+            abandoned: getAbandonedInfo(name),
         };
-    });
-    // Detect duplicates
-    const duplicates = detectDuplicates(depNames);
-    const duplicateCategories = new Map();
-    for (const dup of duplicates) {
-        for (const pkg of dup.packages) {
-            duplicateCategories.set(pkg, dup.category);
-        }
-    }
-    // Tag duplicate groups on entries
-    const taggedEntries = entries.map((e) => {
-        const grp = duplicateCategories.get(e.name);
-        return grp ? { ...e, duplicateGroup: grp } : e;
-    });
+    }));
+    return results.filter((e) => e !== null);
+}
+/** Classify tagged entries into critical / warnings / clean buckets. */
+function classifyEntries(taggedEntries) {
     const critical = [];
     const warnings = [];
     const clean = [];
@@ -73,9 +113,41 @@ export async function auditDeps(projectPath) {
             clean.push(entry);
         }
     }
-    const totalDeps = depNames.length;
-    const summary = buildSummary(totalDeps, critical.length, warnings.length, duplicates.length);
-    return { ecosystem, totalDeps, critical, warnings, clean, duplicates, summary };
+    return { critical, warnings, clean };
+}
+/**
+ * Audit all dependencies of a project at projectPath.
+ * Scans package.json (npm), requirements.txt (python), go.mod (go),
+ * Cargo.toml (rust), pom.xml (java).
+ */
+export async function auditDeps(projectPath) {
+    const manifest = await readManifest(projectPath);
+    const ecosystem = manifest.ecosystem;
+    if (ecosystem === 'nodejs') {
+        try {
+            isCommercialProject(await readFile(join(projectPath, 'package.json'), 'utf-8'));
+        }
+        catch {
+            /* default: assume commercial */
+        }
+    }
+    const deps = manifest.directDependencies;
+    const depNames = Object.keys(deps);
+    const licenseMap = await buildLicenseMap(projectPath, ecosystem);
+    const entries = await Promise.all(depNames.map((name) => buildDirectEntry(name, deps[name] ?? 'unknown', ecosystem, licenseMap)));
+    const transitiveOnlyEntries = ecosystem === 'nodejs'
+        ? [...(await parseTransitiveDeps(projectPath)).entries()].filter(([n]) => !new Set(depNames).has(n))
+        : [];
+    const transitiveVulnEntries = await buildTransitiveEntries(transitiveOnlyEntries, ecosystem);
+    const duplicates = detectDuplicates(depNames);
+    const dupCategories = new Map(duplicates.flatMap((d) => d.packages.map((p) => [p, d.category])));
+    const tagged = [...entries, ...transitiveVulnEntries].map((e) => {
+        const grp = dupCategories.get(e.name);
+        return grp ? { ...e, duplicateGroup: grp } : e;
+    });
+    const { critical, warnings, clean } = classifyEntries(tagged);
+    const summary = buildSummary(depNames.length, critical.length, warnings.length, duplicates.length);
+    return { ecosystem, totalDeps: depNames.length, critical, warnings, clean, duplicates, summary };
 }
 async function buildLicenseMap(projectPath, ecosystem) {
     if (ecosystem !== 'nodejs') {

package/dist/engine/dep-auditor/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/engine/dep-auditor/index.ts"],"names":[],"mappings":"AAAA,~~uEAAuE~~;~~AACvE~~,8FAA8F;AAC9F,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,qCAAqC,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AACzE,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;~~AAC1C~~,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;~~AAGxE~~,OAAO,EAAE,sBAAsB,EAAE,gCAAgC,EAAE,MAAM,iBAAiB,CAAC;AAE3F~~;;;;GAIG~~;~~AACH~~,MAAM,CAAC,KAAK,UAAU,~~SAAS~~,CAAC,~~WAAmB~~;~~IACjD~~,MAAM,QAAQ,GAAG,~~MAAM~~,~~YAAY~~,CAAC,~~WAAW~~,CAAC,CAAC;~~IACjD~~,MAAM,~~SAAS~~,GAAG,QAAQ,CAAC,~~SAAS~~,CAAC~~;IAErC~~,~~2EAA2E~~;~~IAC3E~~,IAAI,SAAS,~~KAAK~~,~~QAAQ~~,EAAE,CAAC;~~QAC3B~~,IAAI,CAAC;~~YACH~~,MAAM,~~OAAO~~,GAAG,MAAM,QAAQ,CAAC,~~IAAI~~,CAAC,~~WAAW~~,EAAE,~~cAAc~~,~~CAAC~~,EAAE,OAAO,CAAC,CAAC;~~YAC3E~~,~~mEAAmE~~;~~YACnE~~,~~mBAAmB~~,CAAC,OAAO,CAAC,CAAC;~~QAC/B~~,CAAC;~~QAAC~~,~~MAAM~~,CAAC;~~YACP~~,~~6BAA6B~~;QAC/B,CAAC;~~IACH~~,CAAC;~~IAED~~,MAAM,IAAI,GAAG,~~QAAQ~~,CAAC,~~kBAAkB~~,CAAC;~~IACzC~~,MAAM,~~QAAQ~~,GAAG,MAAM,CAAC,~~IAAI~~,CAAC,~~IAAI~~,CAAC,CAAC~~;IAEnC~~,~~MAAM,~~UAAU,GAAG,~~MAAM~~,~~eAAe~~,CAAC,~~WAAW~~,EAAE,~~SAAS~~,CAAC,CAAC;~~IAEjE~~,MAAM,~~OAAO~~,~~GAAoB~~,QAAQ,CAAC,~~GAAG~~,CAAC,CAAC,IAAI,EAAE,EAAE;~~QACrD~~,MAAM,~~OAAO~~,GAAG,~~IAAI~~,CAAC,IAAI,CAAC,~~IAAI~~,SAAS,CAAC;~~QACxC~~,MAAM,KAAK,GAAG,~~QAAQ~~,CAAC,~~IAAI~~,EAAE,~~OAAO~~,CAAC,CAAC;~~QACtC~~,MAAM,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;~~QAC1C~~,MAAM,OAAO,GAAmB,YAAY,CAAC,UAAU,CAAC,CAAC;~~QACzD~~,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;~~QAEzC~~,OAAO~~;YACL~~,IAAI~~;YACJ~~,cAAc,EAAE,OAAO~~;YACvB~~,SAAS~~;YACT~~,KAAK~~;YACL~~,OAAO~~;YACP~~,SAAS~~;SACV~~,CAAC;~~IACJ~~,CAAC,~~CAAC,CAAC~~;~~IAEH~~,~~oBAAoB~~;~~IACpB~~,MAAM,~~UAAU~~,GAAG,~~gBAAgB~~,CAAC,~~QAAQ~~,CAAC,CAAC;~~IAC9C~~,MAAM,~~mBAAmB~~,GAAG,IAAI,GAAG,~~EAAkB~~,CAAC~~;IACtD~~,~~KAAK~~,~~MAAM~~,GAAG,~~IAAI~~,UAAU,EAAE,CAAC;~~QAC7B~~,~~KAAK~~,~~MAAM~~,~~GAAG~~,IAAI,~~GAAG~~,~~CAAC~~,~~QAAQ~~,EAAE,CAAC;~~YAC/B~~,~~mBAAmB~~,CAAC,GAAG,CAAC,~~GAAG~~,EAAE,~~GAAG~~,CAAC,~~QAAQ~~,CAAC,CAAC;~~QAC7C~~,CAAC;~~IACH~~,CAAC;~~IAED~~,~~kCAAkC~~;~~IAClC~~,MAAM,~~aAAa~~,~~GAAoB~~,~~OAAO~~,CAAC,~~GAAG~~,CAAC,CAAC,CAAC,EAAE,EAAE;~~QACvD~~,~~MAAM~~,~~GAAG~~,~~GAAG~~,~~mBAAmB~~,CAAC,~~GAAG~~,CAAC,~~CAAC~~,CAAC,IAAI,CAAC,CAAC;~~QAC5C~~,~~OAAO,GAAG,~~CAAC,CAAC,CAAC,~~EAAE~~,~~GAAG~~,CAAC,~~EAAE~~,~~cAAc~~,~~EAAE~~,~~GAAG~~,EAAE,CAAC,CAAC,~~CAAC~~,CAAC,CAAC;~~IACjD~~,CAAC,CAAC,~~CAAC~~;~~IAEH~~,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,MAAM,KAAK,GAAoB,EAAE,CAAC;~~IAElC~~,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACjC,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;~~IAED~~,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC;~~IAClC~~,MAAM,OAAO,GAAG,~~YAAY~~,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;~~IAE7F~~,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;~~AAClF~~,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,WAAmB,EACnB,SAAiB;IAEjB,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;QAC3E,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;QAC9D,MAAM,OAAO,GAAG;YACd,GAAG,CAAE,MAAM,CAAC,YAAmD,IAAI,EAAE,CAAC;YACtE,GAAG,CAAE,MAAM,CAAC,eAAsD,IAAI,EAAE,CAAC;SAC1E,CAAC;QACF,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAC3B,IAAI,CAAC,WAAW,EAAE,cAAc,EAAE,OAAO,EAAE,cAAc,CAAC,EAC1D,OAAO,CACR,CAAC;gBACF,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAA4B,CAAC;gBAChE,IAAI,OAAO,SAAS,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;oBAC1C,UAAU,CAAC,OAAO,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;gBAC1C,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yDAAyD;YAC3D,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,YAAY,CACnB,KAAa,EACb,aAAqB,EACrB,YAAoB,EACpB,cAAsB;IAEtB,MAAM,KAAK,GAAa,CAAC,GAAG,KAAK,iBAAiB,CAAC,CAAC;IACpD,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,GAAG,aAAa,oBAAoB,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,aAAa,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CAAC,GAAG,cAAc,8BAA8B,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,aAAa,KAAK,CAAC,IAAI,YAAY,KAAK,CAAC,IAAI,cAAc,KAAK,CAAC,EAAE,CAAC;QACtE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/engine/dep-auditor/index.ts"],"names":[],"mappings":"AAAA,iFAAiF;AACjF,8FAA8F;AAC9F,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,qCAAqC,CAAC;AACnE,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AACzE,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACxE,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAS3D,OAAO,EAAE,sBAAsB,EAAE,gCAAgC,EAAE,MAAM,iBAAiB,CAAC;AAE3F,8EAA8E;AAC9E,yBAAyB;AACzB,8EAA8E;AAE9E,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAqD,CAAC;AAC9E,MAAM,gBAAgB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;AAElD,4DAA4D;AAC5D,MAAM,UAAU,aAAa;IAC3B,QAAQ,CAAC,KAAK,EAAE,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,iBAAiB,CAAC,GAAW,EAAE,OAAe;IAC3D,MAAM,QAAQ,GAAG,GAAG,GAAG,IAAI,OAAO,EAAE,CAAC;IACrC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;QACrC,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC7C,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,GAAG,gBAAgB,EAAE,CAAC,CAAC;IACpE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,2FAA2F;AAC3F,SAAS,aAAa,CAAC,QAAsB,EAAE,UAAmB;IAChE,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1B,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,WAAW,EAAE,CAAC,CAAC,KAAK;QACpB,OAAO,EAAE,CAAC,CAAC,OAAO,IAAI,SAAS;QAC/B,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC5C,CAAC,CAAC,CAAC;AACN,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,SAAoB,EAAE,IAAe;IACvD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IACrD,MAAM,iBAAiB,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAC5E,OAAO,CAAC,GAAG,iBAAiB,EAAE,GAAG,IAAI,CAAC,CAAC;AACzC,CAAC;AAED,4DAA4D;AAC5D,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,OAAe,EACf,SAAiB,EACjB,UAAkC;IAElC,MAAM,cAAc,GAAG,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC/C,IAAI,SAAS,GAAc,EAAE,CAAC;IAC9B,IAAI,SAAS,KAAK,QAAQ,IAAI,IAAI,IAAI,WAAW,EAAE,CAAC;QAClD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACxD,SAAS,GAAG,aAAa,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,uCAAuC;QACzC,CAAC;IACH,CAAC;IACD,MAAM,KAAK,GAAG,UAAU,CAAC,cAAc,EAAE,SAAS,CAAC,CAAC;IACpD,MAAM,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;IAC1C,MAAM,OAAO,GAAmB,YAAY,CAAC,UAAU,CAAC,CAAC;IACzD,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;IACzC,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;AACjF,CAAC;AAED,wEAAwE;AACxE,KAAK,UAAU,sBAAsB,CACnC,qBAAyC,EACzC,SAAiB;IAEjB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,qBAAqB,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE;QAClD,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACnF,IAAI,SAAS,GAAc,EAAE,CAAC;QAC9B,IAAI,IAAI,IAAI,WAAW,EAAE,CAAC;YACxB,IAAI,CAAC;gBACH,SAAS,GAAG,aAAa,CAAC,MAAM,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,CAAC;YAC1E,CAAC;YAAC,MAAM,CAAC;gBACP,4BAA4B;YAC9B,CAAC;QACH,CAAC;QACD,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAC/C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO;YACL,IAAI;YACJ,cAAc,EAAE,OAAO;YACvB,SAAS;YACT,KAAK;YACL,OAAO,EAAE,YAAY,CAAC,EAAE,CAAC;YACzB,SAAS,EAAE,gBAAgB,CAAC,IAAI,CAAC;SAClC,CAAC;IACJ,CAAC,CAAC,CACH,CAAC;IACF,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAsB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;AAC/D,CAAC;AAED,wEAAwE;AACxE,SAAS,eAAe,CAAC,aAA8B;IAKrD,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,MAAM,KAAK,GAAoB,EAAE,CAAC;IAClC,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACjC,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC7B,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,WAAmB;IACjD,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,WAAW,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;IAErC,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC3B,IAAI,CAAC;YACH,mBAAmB,CAAC,MAAM,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QAClF,CAAC;QAAC,MAAM,CAAC;YACP,gCAAgC;QAClC,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,QAAQ,CAAC,kBAAkB,CAAC;IACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IAEjE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAC/F,CAAC;IAEF,MAAM,qBAAqB,GACzB,SAAS,KAAK,QAAQ;QACpB,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,mBAAmB,CAAC,WAAW,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CAC5D,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CACnC;QACH,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,qBAAqB,GAAG,MAAM,sBAAsB,CAAC,qBAAqB,EAAE,SAAS,CAAC,CAAC;IAE7F,MAAM,UAAU,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACjG,MAAM,MAAM,GAAG,CAAC,GAAG,OAAO,EAAE,GAAG,qBAAqB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC9D,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtC,OAAO,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,cAAc,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC;IAC9D,MAAM,OAAO,GAAG,YAAY,CAC1B,QAAQ,CAAC,MAAM,EACf,QAAQ,CAAC,MAAM,EACf,QAAQ,CAAC,MAAM,EACf,UAAU,CAAC,MAAM,CAClB,CAAC;IACF,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;AACnG,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,WAAmB,EACnB,SAAiB;IAEjB,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,UAAU,GAA2B,EAAE,CAAC;IAC9C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;QAC3E,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;QAC9D,MAAM,OAAO,GAAG;YACd,GAAG,CAAE,MAAM,CAAC,YAAmD,IAAI,EAAE,CAAC;YACtE,GAAG,CAAE,MAAM,CAAC,eAAsD,IAAI,EAAE,CAAC;SAC1E,CAAC;QACF,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3C,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAC3B,IAAI,CAAC,WAAW,EAAE,cAAc,EAAE,OAAO,EAAE,cAAc,CAAC,EAC1D,OAAO,CACR,CAAC;gBACF,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAA4B,CAAC;gBAChE,IAAI,OAAO,SAAS,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;oBAC1C,UAAU,CAAC,OAAO,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC;gBAC1C,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,yDAAyD;YAC3D,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,kBAAkB;IACpB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,YAAY,CACnB,KAAa,EACb,aAAqB,EACrB,YAAoB,EACpB,cAAsB;IAEtB,MAAM,KAAK,GAAa,CAAC,GAAG,KAAK,iBAAiB,CAAC,CAAC;IACpD,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,GAAG,aAAa,oBAAoB,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,aAAa,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CAAC,GAAG,cAAc,8BAA8B,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,aAAa,KAAK,CAAC,IAAI,YAAY,KAAK,CAAC,IAAI,cAAc,KAAK,CAAC,EAAE,CAAC;QACtE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC3B,CAAC"}

package/dist/engine/dep-auditor/lockfile-parser.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+/**
+ * Parse transitive deps from the project lockfile.
+ * Returns Map<packageName, installedVersion> for ALL deps (direct + transitive).
+ * Falls back to direct deps from package.json if no lockfile found.
+ */
+export declare function parseTransitiveDeps(projectPath: string): Promise<Map<string, string>>;
+/**
+ * Parse pnpm-lock.yaml v9 format.
+ * v9 format has a `snapshots:` section with entries like:
+ *   pkg@version:
+ *     ...
+ * and a `packages:` section with entries like:
+ *   /pkg/version:
+ *     ...
+ * We parse both sections to extract all package names and versions.
+ */
+export declare function parsePnpmLockYaml(raw: string): Map<string, string>;
+/**
+ * Parse package-lock.json v2/v3 format.
+ * v3: top-level `packages` object with keys like "node_modules/pkg" or
+ *     "node_modules/pkg/node_modules/nested-pkg".
+ * v2: both `packages` and `dependencies` present.
+ * v1: only `dependencies` present (older format).
+ */
+export declare function parsePackageLockJson(raw: string): Map<string, string>;
+//# sourceMappingURL=lockfile-parser.d.ts.map

package/dist/engine/dep-auditor/lockfile-parser.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"lockfile-parser.d.ts","sourceRoot":"","sources":["../../../src/engine/dep-auditor/lockfile-parser.ts"],"names":[],"mappings":"AAOA;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAe3F;AAaD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CA8BlE;AAkBD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAgCrE"}

package/dist/engine/dep-auditor/lockfile-parser.js ADDED Viewed

@@ -0,0 +1,164 @@
+// dep-auditor/lockfile-parser.ts — Transitive dependency walker (SPEC-335)
+// Reads pnpm-lock.yaml (v9) or package-lock.json (v2/v3) to build a full
+// flat map of all installed packages including transitive dependencies.
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+/**
+ * Parse transitive deps from the project lockfile.
+ * Returns Map<packageName, installedVersion> for ALL deps (direct + transitive).
+ * Falls back to direct deps from package.json if no lockfile found.
+ */
+export async function parseTransitiveDeps(projectPath) {
+    // Try pnpm-lock.yaml first
+    const pnpmResult = await tryParsePnpmLock(projectPath);
+    if (pnpmResult !== null) {
+        return pnpmResult;
+    }
+    // Try package-lock.json (npm v2/v3)
+    const npmResult = await tryParsePackageLock(projectPath);
+    if (npmResult !== null) {
+        return npmResult;
+    }
+    // Fallback: read direct deps from package.json
+    return readDirectDepsFromPackageJson(projectPath);
+}
+async function tryParsePnpmLock(projectPath) {
+    const lockPath = join(projectPath, 'pnpm-lock.yaml');
+    let raw;
+    try {
+        raw = await readFile(lockPath, 'utf-8');
+    }
+    catch {
+        return null;
+    }
+    return parsePnpmLockYaml(raw);
+}
+/**
+ * Parse pnpm-lock.yaml v9 format.
+ * v9 format has a `snapshots:` section with entries like:
+ *   pkg@version:
+ *     ...
+ * and a `packages:` section with entries like:
+ *   /pkg/version:
+ *     ...
+ * We parse both sections to extract all package names and versions.
+ */
+export function parsePnpmLockYaml(raw) {
+    const result = new Map();
+    // pnpm-lock.yaml v9: snapshots section
+    // Pattern: "  pkg@version:" or "  '@scope/pkg@version':" at start of line
+    // Also handle: "  pkg@version(peer@ver):"
+    // Scoped packages start with @scope/name, unscoped are plain names.
+    const snapshotPattern = /^ {2}'?(@[^/@\s']+\/[^/@\s'(]+|[^/@\s'(]+)@([^:()\s']+)/gm;
+    let match;
+    while ((match = snapshotPattern.exec(raw)) !== null) {
+        const name = match[1];
+        const version = match[2];
+        if (name && version && !result.has(name)) {
+            result.set(name, version);
+        }
+    }
+    // pnpm-lock.yaml v6/v8: packages section with /pkg/version: format
+    // Pattern: "  /pkg/version:" — older pnpm format
+    const packagePattern = /^ {2}\/(@?[^/\s]+(?:\/[^/\s]+)?)\/([^:()\s]+):/gm;
+    while ((match = packagePattern.exec(raw)) !== null) {
+        const name = match[1];
+        const version = match[2];
+        if (name && version && !result.has(name)) {
+            result.set(name, version);
+        }
+    }
+    return result;
+}
+async function tryParsePackageLock(projectPath) {
+    const lockPath = join(projectPath, 'package-lock.json');
+    let raw;
+    try {
+        raw = await readFile(lockPath, 'utf-8');
+    }
+    catch {
+        return null;
+    }
+    try {
+        return parsePackageLockJson(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Parse package-lock.json v2/v3 format.
+ * v3: top-level `packages` object with keys like "node_modules/pkg" or
+ *     "node_modules/pkg/node_modules/nested-pkg".
+ * v2: both `packages` and `dependencies` present.
+ * v1: only `dependencies` present (older format).
+ */
+export function parsePackageLockJson(raw) {
+    const result = new Map();
+    const parsed = JSON.parse(raw);
+    // v2/v3: use packages section
+    if (parsed.packages && typeof parsed.packages === 'object') {
+        const pkgs = parsed.packages;
+        for (const [key, entry] of Object.entries(pkgs)) {
+            if (!key || key === '') {
+                continue; // skip root package entry
+            }
+            const version = entry.version;
+            if (!version) {
+                continue;
+            }
+            // Extract package name from key: "node_modules/foo" -> "foo"
+            // Scoped: "node_modules/@scope/foo" -> "@scope/foo"
+            // Nested: "node_modules/foo/node_modules/bar" -> "bar" (use the deepest)
+            const name = extractNameFromPackagesKey(key);
+            if (name && !result.has(name)) {
+                result.set(name, version);
+            }
+        }
+        return result;
+    }
+    // v1 fallback: use dependencies section (flat list)
+    if (parsed.dependencies && typeof parsed.dependencies === 'object') {
+        flattenDependencies(parsed.dependencies, result);
+    }
+    return result;
+}
+function extractNameFromPackagesKey(key) {
+    // Remove leading "node_modules/" segments, keep the last package name
+    const parts = key.split('node_modules/');
+    const lastPart = parts[parts.length - 1];
+    if (!lastPart) {
+        return null;
+    }
+    // Handle scoped packages like "@scope/name"
+    return lastPart || null;
+}
+function flattenDependencies(deps, result) {
+    for (const [name, entry] of Object.entries(deps)) {
+        if (entry.version && !result.has(name)) {
+            result.set(name, entry.version);
+        }
+        if (entry.dependencies && typeof entry.dependencies === 'object') {
+            flattenDependencies(entry.dependencies, result);
+        }
+    }
+}
+async function readDirectDepsFromPackageJson(projectPath) {
+    const result = new Map();
+    try {
+        const raw = await readFile(join(projectPath, 'package.json'), 'utf-8');
+        const parsed = JSON.parse(raw);
+        const allDeps = {
+            ...(parsed.dependencies ?? {}),
+            ...(parsed.devDependencies ?? {}),
+        };
+        for (const [name, version] of Object.entries(allDeps)) {
+            result.set(name, version.replace(/^[\^~>=<]/, ''));
+        }
+    }
+    catch {
+        // no package.json or parse error — return empty map
+    }
+    return result;
+}
+//# sourceMappingURL=lockfile-parser.js.map

package/dist/engine/dep-auditor/lockfile-parser.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"lockfile-parser.js","sourceRoot":"","sources":["../../../src/engine/dep-auditor/lockfile-parser.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAC3E,yEAAyE;AACzE,wEAAwE;AACxE,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAGjC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,WAAmB;IAC3D,2BAA2B;IAC3B,MAAM,UAAU,GAAG,MAAM,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACvD,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;QACxB,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,oCAAoC;IACpC,MAAM,SAAS,GAAG,MAAM,mBAAmB,CAAC,WAAW,CAAC,CAAC;IACzD,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACvB,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,+CAA+C;IAC/C,OAAO,6BAA6B,CAAC,WAAW,CAAC,CAAC;AACpD,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,WAAmB;IACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;IACrD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IAEzC,uCAAuC;IACvC,0EAA0E;IAC1E,0CAA0C;IAC1C,oEAAoE;IACpE,MAAM,eAAe,GAAG,2DAA2D,CAAC;IACpF,IAAI,KAA6B,CAAC;IAElC,OAAO,CAAC,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,iDAAiD;IACjD,MAAM,cAAc,GAAG,kDAAkD,CAAC;IAC1E,OAAO,CAAC,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,IAAI,IAAI,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,WAAmB;IACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,mBAAmB,CAAC,CAAC;IACxD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,OAAO,oBAAoB,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACzC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;IAEhD,8BAA8B;IAC9B,IAAI,MAAM,CAAC,QAAQ,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC3D,MAAM,IAAI,GAAG,MAAM,CAAC,QAAgD,CAAC;QACrE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAChD,IAAI,CAAC,GAAG,IAAI,GAAG,KAAK,EAAE,EAAE,CAAC;gBACvB,SAAS,CAAC,0BAA0B;YACtC,CAAC;YACD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;YAC9B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,SAAS;YACX,CAAC;YACD,6DAA6D;YAC7D,oDAAoD;YACpD,yEAAyE;YACzE,MAAM,IAAI,GAAG,0BAA0B,CAAC,GAAG,CAAC,CAAC;YAC7C,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC9B,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,oDAAoD;IACpD,IAAI,MAAM,CAAC,YAAY,IAAI,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;QACnE,mBAAmB,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,0BAA0B,CAAC,GAAW;IAC7C,sEAAsE;IACtE,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACzC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC;IACD,4CAA4C;IAC5C,OAAO,QAAQ,IAAI,IAAI,CAAC;AAC1B,CAAC;AAED,SAAS,mBAAmB,CAC1B,IAAkF,EAClF,MAA2B;IAE3B,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACjD,IAAI,KAAK,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,KAAK,CAAC,YAAY,IAAI,OAAO,KAAK,CAAC,YAAY,KAAK,QAAQ,EAAE,CAAC;YACjE,mBAAmB,CACjB,KAAK,CAAC,YAGL,EACD,MAAM,CACP,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,6BAA6B,CAAC,WAAmB;IAC9D,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;QACvE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAG5B,CAAC;QACF,MAAM,OAAO,GAAG;YACd,GAAG,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC;YAC9B,GAAG,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC;SAClC,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACtD,MAAM,CAAC,GAAG,CAAC,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oDAAoD;IACtD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/engine/dep-auditor/semver-utils.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Returns true if installedVersion falls within vulnerableRange.
+ * vulnerableRange supports:
+ *   - exact: "1.2.3"
+ *   - caret: "^1.2.3"
+ *   - tilde: "~1.2.3"
+ *   - comparators: ">=1.0.0", "<=2.0.0", ">1.0.0", "<2.0.0"
+ *   - AND ranges (space-separated): ">=1.0.0 <2.0.0"
+ *   - OR ranges (|| separated): ">=1.0.0 <1.5.0 || >=2.0.0 <2.5.0"
+ *   - pre-release suffixes: "1.2.3-rc.1", ">=1.0.0-alpha"
+ */
+export declare function isVersionVulnerable(installedVersion: string, vulnerableRange: string): boolean;
+/**
+ * Returns true if installedVersion is strictly below threshold.
+ * Equivalent to isVersionVulnerable(installed, '<threshold').
+ * Used as backward-compatible replacement for the old isVersionBelow().
+ */
+export declare function isVersionBelow(installedVersion: string, threshold: string): boolean;
+//# sourceMappingURL=semver-utils.d.ts.map

package/dist/engine/dep-auditor/semver-utils.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"semver-utils.d.ts","sourceRoot":"","sources":["../../../src/engine/dep-auditor/semver-utils.ts"],"names":[],"mappings":"AA2GA;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CAAC,gBAAgB,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,GAAG,OAAO,CAmB9F;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,gBAAgB,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAOnF"}

package/dist/engine/dep-auditor/semver-utils.js ADDED Viewed

@@ -0,0 +1,141 @@
+/**
+ * Parse a version string like "1.2.3", "1.2.3-rc.1", "^1.2.3" into parts.
+ * Strips leading range operators (^, ~, >=, <=, >, <) before parsing.
+ */
+function parseSemver(raw) {
+    const stripped = raw.trim().replace(/^[^0-9]*/, '');
+    const match = /^(\d+)\.(\d+)\.(\d+)(?:-([a-zA-Z0-9._-]+))?/.exec(stripped);
+    if (!match) {
+        return null;
+    }
+    return {
+        major: parseInt(match[1] ?? '0', 10),
+        minor: parseInt(match[2] ?? '0', 10),
+        patch: parseInt(match[3] ?? '0', 10),
+        preRelease: match[4] ?? '',
+    };
+}
+/** Compare two parsed versions. Returns negative if a < b, 0 if equal, positive if a > b. */
+function compareTuples(a, b) {
+    if (a.major !== b.major) {
+        return a.major - b.major;
+    }
+    if (a.minor !== b.minor) {
+        return a.minor - b.minor;
+    }
+    if (a.patch !== b.patch) {
+        return a.patch - b.patch;
+    }
+    // Pre-release handling: a version without pre-release is greater than one with
+    if (a.preRelease === '' && b.preRelease !== '') {
+        return 1;
+    }
+    if (a.preRelease !== '' && b.preRelease === '') {
+        return -1;
+    }
+    // Both have pre-release: compare lexicographically
+    return a.preRelease < b.preRelease ? -1 : a.preRelease > b.preRelease ? 1 : 0;
+}
+/** Evaluate a single comparator like ">=1.0.0", "<2.0.0", "1.2.3" against installed. */
+function evaluateComparator(installed, comparator) {
+    const c = comparator.trim();
+    if (c === '' || c === '*') {
+        return true;
+    }
+    if (c.startsWith('>=')) {
+        const bound = parseSemver(c.slice(2));
+        return bound !== null && compareTuples(installed, bound) >= 0;
+    }
+    if (c.startsWith('<=')) {
+        const bound = parseSemver(c.slice(2));
+        return bound !== null && compareTuples(installed, bound) <= 0;
+    }
+    if (c.startsWith('>')) {
+        const bound = parseSemver(c.slice(1));
+        return bound !== null && compareTuples(installed, bound) > 0;
+    }
+    if (c.startsWith('<')) {
+        const bound = parseSemver(c.slice(1));
+        return bound !== null && compareTuples(installed, bound) < 0;
+    }
+    if (c.startsWith('~')) {
+        // ~1.2.3 := >=1.2.3 <1.3.0
+        const base = parseSemver(c.slice(1));
+        if (!base) {
+            return false;
+        }
+        const upper = {
+            major: base.major,
+            minor: base.minor + 1,
+            patch: 0,
+            preRelease: '',
+        };
+        return compareTuples(installed, base) >= 0 && compareTuples(installed, upper) < 0;
+    }
+    if (c.startsWith('^')) {
+        // ^1.2.3 := >=1.2.3 <2.0.0, ^0.2.3 := >=0.2.3 <0.3.0, ^0.0.3 := >=0.0.3 <0.0.4
+        const base = parseSemver(c.slice(1));
+        if (!base) {
+            return false;
+        }
+        let upper;
+        if (base.major > 0) {
+            upper = { major: base.major + 1, minor: 0, patch: 0, preRelease: '' };
+        }
+        else if (base.minor > 0) {
+            upper = { major: 0, minor: base.minor + 1, patch: 0, preRelease: '' };
+        }
+        else {
+            upper = { major: 0, minor: 0, patch: base.patch + 1, preRelease: '' };
+        }
+        return compareTuples(installed, base) >= 0 && compareTuples(installed, upper) < 0;
+    }
+    // Exact version match
+    const exact = parseSemver(c);
+    if (!exact) {
+        return false;
+    }
+    return compareTuples(installed, exact) === 0;
+}
+/**
+ * Returns true if installedVersion falls within vulnerableRange.
+ * vulnerableRange supports:
+ *   - exact: "1.2.3"
+ *   - caret: "^1.2.3"
+ *   - tilde: "~1.2.3"
+ *   - comparators: ">=1.0.0", "<=2.0.0", ">1.0.0", "<2.0.0"
+ *   - AND ranges (space-separated): ">=1.0.0 <2.0.0"
+ *   - OR ranges (|| separated): ">=1.0.0 <1.5.0 || >=2.0.0 <2.5.0"
+ *   - pre-release suffixes: "1.2.3-rc.1", ">=1.0.0-alpha"
+ */
+export function isVersionVulnerable(installedVersion, vulnerableRange) {
+    const installed = parseSemver(installedVersion);
+    if (!installed) {
+        return false;
+    }
+    // Split by || for OR groups
+    const orGroups = vulnerableRange.split('||').map((g) => g.trim());
+    for (const group of orGroups) {
+        // Each group is an AND of space-separated comparators
+        const comparators = group.split(/\s+/).filter((c) => c !== '');
+        const allMatch = comparators.every((c) => evaluateComparator(installed, c));
+        if (allMatch) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Returns true if installedVersion is strictly below threshold.
+ * Equivalent to isVersionVulnerable(installed, '<threshold').
+ * Used as backward-compatible replacement for the old isVersionBelow().
+ */
+export function isVersionBelow(installedVersion, threshold) {
+    const installed = parseSemver(installedVersion);
+    const bound = parseSemver(threshold);
+    if (!installed || !bound) {
+        return false;
+    }
+    return compareTuples(installed, bound) < 0;
+}
+//# sourceMappingURL=semver-utils.js.map

package/dist/engine/dep-auditor/semver-utils.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"semver-utils.js","sourceRoot":"","sources":["../../../src/engine/dep-auditor/semver-utils.ts"],"names":[],"mappings":"AAKA;;;GAGG;AACH,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,KAAK,GAAG,6CAA6C,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC3E,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO;QACL,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC;QACpC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC;QACpC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC;QACpC,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE;KAC3B,CAAC;AACJ,CAAC;AAED,6FAA6F;AAC7F,SAAS,aAAa,CAAC,CAAc,EAAE,CAAc;IACnD,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK,EAAE,CAAC;QACxB,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;IAC3B,CAAC;IACD,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK,EAAE,CAAC;QACxB,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;IAC3B,CAAC;IACD,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK,EAAE,CAAC;QACxB,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;IAC3B,CAAC;IACD,+EAA+E;IAC/E,IAAI,CAAC,CAAC,UAAU,KAAK,EAAE,IAAI,CAAC,CAAC,UAAU,KAAK,EAAE,EAAE,CAAC;QAC/C,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,CAAC,CAAC,UAAU,KAAK,EAAE,IAAI,CAAC,CAAC,UAAU,KAAK,EAAE,EAAE,CAAC;QAC/C,OAAO,CAAC,CAAC,CAAC;IACZ,CAAC;IACD,mDAAmD;IACnD,OAAO,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAChF,CAAC;AAED,wFAAwF;AACxF,SAAS,kBAAkB,CAAC,SAAsB,EAAE,UAAkB;IACpE,MAAM,CAAC,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAC5B,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACtC,OAAO,KAAK,KAAK,IAAI,IAAI,aAAa,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACtC,OAAO,KAAK,KAAK,IAAI,IAAI,aAAa,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACtC,OAAO,KAAK,KAAK,IAAI,IAAI,aAAa,CAAC,SAAS,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACtC,OAAO,KAAK,KAAK,IAAI,IAAI,aAAa,CAAC,SAAS,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,2BAA2B;QAC3B,MAAM,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,KAAK,GAAgB;YACzB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG,CAAC;YACrB,KAAK,EAAE,CAAC;YACR,UAAU,EAAE,EAAE;SACf,CAAC;QACF,OAAO,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,aAAa,CAAC,SAAS,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IACpF,CAAC;IACD,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACtB,+EAA+E;QAC/E,MAAM,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,KAAK,CAAC;QACf,CAAC;QACD,IAAI,KAAkB,CAAC;QACvB,IAAI,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YACnB,KAAK,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QACxE,CAAC;aAAM,IAAI,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;YAC1B,KAAK,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QACxE,CAAC;aAAM,CAAC;YACN,KAAK,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,GAAG,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QACxE,CAAC;QACD,OAAO,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,aAAa,CAAC,SAAS,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IACpF,CAAC;IAED,sBAAsB;IACtB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC7B,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,aAAa,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CAAC,gBAAwB,EAAE,eAAuB;IACnF,MAAM,SAAS,GAAG,WAAW,CAAC,gBAAgB,CAAC,CAAC;IAChD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4BAA4B;IAC5B,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAElE,KAAK,MAAM,KAAK,IAAI,QAAQ,EAAE,CAAC;QAC7B,sDAAsD;QACtD,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;QAC/D,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,CAAC;QAC5E,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,gBAAwB,EAAE,SAAiB;IACxE,MAAM,SAAS,GAAG,WAAW,CAAC,gBAAgB,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACrC,IAAI,CAAC,SAAS,IAAI,CAAC,KAAK,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,aAAa,CAAC,SAAS,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;AAC7C,CAAC"}

package/dist/engine/dep-auditor/vuln-data.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"vuln-data.d.ts","sourceRoot":"","sources":["../../../src/engine/dep-auditor/vuln-data.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;~~AAEpE~~,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,EAAE,CAgHxD,CAAC;~~AAuBF~~,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,EAAE,CAoBjE"}
1	+ {"version":3,"file":"vuln-data.d.ts","sourceRoot":"","sources":["../../../src/engine/dep-auditor/vuln-data.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAGpE,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,EAAE,CAgHxD,CAAC;AAEF,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,EAAE,CAoBjE"}

package/dist/engine/dep-auditor/vuln-data.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { isVersionBelow } from './semver-utils.js';
 export const KNOWN_VULNS = {
     lodash: [
         {
@@ -111,26 +112,6 @@ export const KNOWN_VULNS = {
         },
     ],
 };
-function isVersionBelow(current, threshold) {
-    const parseParts = (v) => {
-        const cleaned = v.replace(/^[^0-9]*/, '');
-        return cleaned.split('.').map((p) => parseInt(p, 10) || 0);
-    };
-    const cur = parseParts(current);
-    const thr = parseParts(threshold);
-    const len = Math.max(cur.length, thr.length);
-    for (let i = 0; i < len; i++) {
-        const c = cur[i] ?? 0;
-        const t = thr[i] ?? 0;
-        if (c < t) {
-            return true;
-        }
-        if (c > t) {
-            return false;
-        }
-    }
-    return false;
-}
 export function getVulns(name, version) {
     const entries = KNOWN_VULNS[name];
     if (!entries) {