@pnpm/deps.compliance.audit 1002.0.14 → 1101.0.0

package/lib/index.d.ts

@@ -1,22 +1,23 @@
 import { PnpmError } from '@pnpm/error';
 import type { GetAuthHeader } from '@pnpm/fetching.types';
 import type { EnvLockfile, LockfileObject } from '@pnpm/lockfile.types';
-import { type AgentOptions, type RetryTimeoutOptions } from '@pnpm/network.fetch';
+import { type DispatcherOptions, type RetryTimeoutOptions } from '@pnpm/network.fetch';
 import type { DependenciesField } from '@pnpm/types';
 import type { AuditReport } from './types.js';
+export type { AuditIndexRequest, AuditPathIndex, PathInfo } from './lockfileToAuditIndex.js';
+export { buildAuditPathIndex, lockfileToAuditRequest } from './lockfileToAuditIndex.js';
 export * from './types.js';
 export declare function audit(lockfile: LockfileObject, getAuthHeader: GetAuthHeader, opts: {
-    agentOptions?: AgentOptions;
+    dispatcherOptions?: DispatcherOptions;
     envLockfile?: EnvLockfile | null;
     include?: {
         [dependenciesField in DependenciesField]: boolean;
     };
-    lockfileDir: string;
     registry: string;
     retry?: RetryTimeoutOptions;
     timeout?: number;
-    virtualStoreDirMaxLength: number;
 }): Promise<AuditReport>;
+export declare function normalizeGhsaId(ghsaId: string): string;
 export declare class AuditEndpointNotExistsError extends PnpmError {
     constructor(endpoint: string);
 }

package/lib/index.js

@@ -1,38 +1,174 @@
 import { PnpmError } from '@pnpm/error';
-import { fetchWithAgent } from '@pnpm/network.fetch';
-import { lockfileToAuditTree } from './lockfileToAuditTree.js';
+import { detectDepTypes } from '@pnpm/lockfile.detect-dep-types';
+import { fetchWithDispatcher } from '@pnpm/network.fetch';
+import semver from 'semver';
+import { buildAuditPathIndex, collectOptionalOnlyDepPaths, lockfileToAuditRequest, } from './lockfileToAuditIndex.js';
+export { buildAuditPathIndex, lockfileToAuditRequest } from './lockfileToAuditIndex.js';
 export * from './types.js';
 export async function audit(lockfile, getAuthHeader, opts) {
-    const auditTree = await lockfileToAuditTree(lockfile, { envLockfile: opts.envLockfile, include: opts.include, lockfileDir: opts.lockfileDir });
+    const depTypes = detectDepTypes(lockfile);
+    const optionalOnly = collectOptionalOnlyDepPaths(lockfile, opts.include);
+    const auditRequest = lockfileToAuditRequest(lockfile, { envLockfile: opts.envLockfile, include: opts.include, depTypes, optionalOnly });
     const registry = opts.registry.endsWith('/') ? opts.registry : `${opts.registry}/`;
-    const auditUrl = `${registry}-/npm/v1/security/audits`;
-    const quickAuditUrl = `${registry}-/npm/v1/security/audits/quick`;
+    const auditUrl = `${registry}-/npm/v1/security/advisories/bulk`;
     const authHeaderValue = getAuthHeader(registry);
-    const requestBody = JSON.stringify(auditTree);
     const requestHeaders = {
         'Content-Type': 'application/json',
         ...getAuthHeaders(authHeaderValue),
     };
-    const requestOptions = {
-        agentOptions: opts.agentOptions ?? {},
-        body: requestBody,
+    const res = await fetchWithDispatcher(auditUrl, {
+        dispatcherOptions: opts.dispatcherOptions ?? {},
+        body: JSON.stringify(auditRequest.request),
         headers: requestHeaders,
         method: 'POST',
         retry: opts.retry,
         timeout: opts.timeout,
+    });
+    if (res.status === 200) {
+        const rawBody = await res.text();
+        let body;
+        try {
+            body = JSON.parse(rawBody);
+        }
+        catch (err) {
+            const reason = err instanceof Error ? err.message : String(err);
+            throw new PnpmError('AUDIT_BAD_RESPONSE', `The audit endpoint (at ${auditUrl}) returned invalid JSON: ${reason}. Response body: ${rawBody.slice(0, 500)}`);
+        }
+        if (!isBulkResponseShape(body)) {
+            throw new PnpmError('AUDIT_BAD_RESPONSE', `The audit endpoint (at ${auditUrl}) returned an unexpected body. Expected an object keyed by package name; got: ${JSON.stringify(body)?.slice(0, 500) ?? String(body)}`);
+        }
+        const vulnerableNames = new Set(Object.keys(body));
+        let auditPathIndex = {};
+        if (vulnerableNames.size > 0) {
+            auditPathIndex = buildAuditPathIndex(lockfile, vulnerableNames, { envLockfile: opts.envLockfile, include: opts.include, depTypes, optionalOnly });
+        }
+        return bulkResponseToAuditReport(body, auditRequest, auditPathIndex);
+    }
+    if (res.status === 404) {
+        throw new AuditEndpointNotExistsError(auditUrl);
+    }
+    throw new PnpmError('AUDIT_BAD_RESPONSE', `The audit endpoint (at ${auditUrl}) responded with ${res.status}: ${await res.text()}`);
+}
+function bulkResponseToAuditReport(bulk, auditRequest, auditPathIndex) {
+    // Null-prototype map — the id comes from the registry and could be anything.
+    const advisories = Object.create(null);
+    const vulnerabilities = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
+    for (const [moduleName, packageAdvisories] of Object.entries(bulk)) {
+        const byVersion = auditPathIndex[moduleName];
+        for (const adv of packageAdvisories) {
+            // Guard against registry-supplied values that could corrupt the report:
+            // only accept finite numeric ids and severities from the known set.
+            if (typeof adv.id !== 'number' || !Number.isFinite(adv.id))
+                continue;
+            if (!isKnownSeverity(adv.severity))
+                continue;
+            const findings = buildFindings(adv, byVersion);
+            // If no installed version is vulnerable, skip the advisory entirely so
+            // we don't report false positives for packages the lockfile doesn't use.
+            if (findings.length === 0)
+                continue;
+            advisories[String(adv.id)] = normalizeAdvisory(adv, moduleName, findings);
+            // npm's audit report counts one vulnerability per advisory in the metadata summary
+            // when using the bulk endpoint format pnpm expects.
+            vulnerabilities[adv.severity] += 1;
+        }
+    }
+    return {
+        advisories,
+        metadata: {
+            vulnerabilities,
+            dependencies: auditRequest.dependencies,
+            devDependencies: auditRequest.devDependencies,
+            optionalDependencies: auditRequest.optionalDependencies,
+            totalDependencies: auditRequest.totalDependencies,
+        },
     };
-    const quickRes = await fetchWithAgent(quickAuditUrl, requestOptions);
-    if (quickRes.status === 200) {
-        return quickRes.json();
+}
+function buildFindings(adv, byVersion) {
+    if (byVersion == null)
+        return [];
+    const findings = [];
+    for (const [version, info] of byVersion) {
+        if (satisfiesSafe(version, adv.vulnerable_versions)) {
+            findings.push({
+                version,
+                paths: info.paths,
+                dev: info.dev,
+                optional: info.optional,
+                bundled: false,
+            });
+        }
     }
-    const res = await fetchWithAgent(auditUrl, requestOptions);
-    if (res.status === 200) {
-        return res.json();
+    return findings;
+}
+const KNOWN_SEVERITIES = new Set(['info', 'low', 'moderate', 'high', 'critical']);
+function isKnownSeverity(severity) {
+    return typeof severity === 'string' && KNOWN_SEVERITIES.has(severity);
+}
+function isBulkResponseShape(body) {
+    if (typeof body !== 'object' || body === null || Array.isArray(body))
+        return false;
+    // Every value must be an array of advisory objects; a null or scalar value
+    // would crash `for (const adv of packageAdvisories)` downstream.
+    return Object.values(body).every((packageAdvisories) => Array.isArray(packageAdvisories) && packageAdvisories.every((advisory) => typeof advisory === 'object' && advisory !== null && !Array.isArray(advisory) &&
+        typeof advisory.vulnerable_versions === 'string'));
+}
+function satisfiesSafe(version, range) {
+    try {
+        return semver.satisfies(version, range, { includePrerelease: true, loose: true });
     }
-    if (quickRes.status === 404 && res.status === 404) {
-        throw new AuditEndpointNotExistsError(quickAuditUrl);
+    catch {
+        return false;
+    }
+}
+function normalizeAdvisory(adv, moduleName, findings) {
+    const cwe = Array.isArray(adv.cwe) ? adv.cwe.join(', ') : adv.cwe;
+    return {
+        findings,
+        id: adv.id,
+        title: adv.title ?? '',
+        module_name: moduleName,
+        vulnerable_versions: adv.vulnerable_versions,
+        patched_versions: inferPatchedVersions(adv.vulnerable_versions),
+        severity: adv.severity,
+        cwe: cwe ?? '',
+        github_advisory_id: deriveGithubAdvisoryId(adv.url),
+        url: adv.url ?? '',
+    };
+}
+function inferPatchedVersions(vulnerableRange) {
+    // Matches `<X.Y.Z` or `<= X.Y.Z` (with optional whitespace after the operator)
+    // at the end of the range, optionally preceded by other comparators like
+    // `>=0.8.1 <0.28.0`. Returns undefined if the range doesn't have a
+    // recognizable upper bound — callers must not confuse that with "no fix".
+    const trimmed = vulnerableRange.trim();
+    const ltMatch = trimmed.match(/(?:^|\s)<\s*(\d+\.\d+\.\d[\w\-.+]*)\s*$/);
+    if (ltMatch)
+        return `>=${ltMatch[1]}`;
+    const lteMatch = trimmed.match(/(?:^|\s)<=\s*(\d+\.\d+\.\d[\w\-.+]*)\s*$/);
+    if (lteMatch) {
+        const next = semver.inc(lteMatch[1], 'patch');
+        if (next)
+            return `>=${next}`;
     }
-    throw new PnpmError('AUDIT_BAD_RESPONSE', `The audit endpoint (at ${quickAuditUrl}) responded with ${quickRes.status}: ${await quickRes.text()}. Fallback endpoint (at ${auditUrl}) responded with ${res.status}: ${await res.text()}`);
+    return undefined;
+}
+function deriveGithubAdvisoryId(url) {
+    if (!url)
+        return '';
+    const match = url.match(/\/(GHSA-[\w-]+)/i);
+    return match ? normalizeGhsaId(match[1]) : '';
+}
+// GHSA identifiers are canonically written with an uppercase `GHSA-` prefix
+// and a lowercase hexadecimal-style suffix (e.g. `GHSA-cph5-m8f7-6c5x`).
+// Normalize both halves so ignore-list comparisons don't depend on how the
+// user (or the advisory url) happens to case the id.
+export function normalizeGhsaId(ghsaId) {
+    const trimmed = ghsaId.trim();
+    const dash = trimmed.indexOf('-');
+    if (dash < 0)
+        return trimmed.toUpperCase();
+    return trimmed.slice(0, dash).toUpperCase() + trimmed.slice(dash).toLowerCase();
 }
 function getAuthHeaders(authHeaderValue) {
     const headers = {};
@@ -43,7 +179,7 @@ function getAuthHeaders(authHeaderValue) {
 }
 export class AuditEndpointNotExistsError extends PnpmError {
     constructor(endpoint) {
-        const message = `The audit endpoint (at ${endpoint}) is doesn't exist.`;
+        const message = `The audit endpoint (at ${endpoint}) doesn't exist.`;
         super('AUDIT_ENDPOINT_NOT_EXISTS', message, {
             hint: 'This issue is probably because you are using a private npm registry and that endpoint doesn\'t have an implementation of audit.',
         });

package/lib/lockfileToAuditIndex.d.ts

@@ -0,0 +1,27 @@
+import { type DepTypes } from '@pnpm/lockfile.detect-dep-types';
+import type { EnvLockfile, LockfileObject } from '@pnpm/lockfile.types';
+import type { DependenciesField, DepPath } from '@pnpm/types';
+export interface PathInfo {
+    paths: string[];
+    dev: boolean;
+    optional: boolean;
+}
+export type AuditPathIndex = Record<string, Map<string, PathInfo>>;
+export interface AuditIndexRequest {
+    request: Record<string, string[]>;
+    totalDependencies: number;
+    dependencies: number;
+    devDependencies: number;
+    optionalDependencies: number;
+}
+export interface AuditIndexOptions {
+    envLockfile?: EnvLockfile | null;
+    include?: {
+        [dependenciesField in DependenciesField]: boolean;
+    };
+    depTypes?: DepTypes;
+    optionalOnly?: Set<DepPath>;
+}
+export declare function lockfileToAuditRequest(lockfile: LockfileObject, opts: AuditIndexOptions): AuditIndexRequest;
+export declare function buildAuditPathIndex(lockfile: LockfileObject, vulnerableNames: Set<string>, opts: AuditIndexOptions): AuditPathIndex;
+export declare function collectOptionalOnlyDepPaths(lockfile: LockfileObject, include?: AuditIndexOptions['include']): Set<DepPath>;

package/lib/lockfileToAuditIndex.js

@@ -0,0 +1,281 @@
+import * as dp from '@pnpm/deps.path';
+import { DepType, detectDepTypes } from '@pnpm/lockfile.detect-dep-types';
+import { convertToLockfileObject } from '@pnpm/lockfile.fs';
+import { nameVerFromPkgSnapshot } from '@pnpm/lockfile.utils';
+import { lockfileWalkerGroupImporterSteps } from '@pnpm/lockfile.walker';
+export function lockfileToAuditRequest(lockfile, opts) {
+    const importerIds = Object.keys(lockfile.importers);
+    const importerWalkers = lockfileWalkerGroupImporterSteps(lockfile, importerIds, { include: opts.include });
+    const depTypes = opts.depTypes ?? detectDepTypes(lockfile);
+    const optionalOnly = opts.optionalOnly ?? collectOptionalOnlyDepPaths(lockfile, opts.include);
+    // Use null-prototype objects for records keyed by package names so a
+    // hostile or unusual package name (e.g. "__proto__") cannot pollute the
+    // prototype or overwrite inherited properties.
+    const request = Object.create(null);
+    // Per (name, version) classification. Counted as dev/optional only while
+    // every observed occurrence is dev-only / optional-only; once a non-dev or
+    // non-optional occurrence is seen, the flag is cleared and the counter
+    // decremented.
+    const versionStatesByName = Object.create(null);
+    let totalDependencies = 0;
+    let dependencies = 0;
+    let devDependencies = 0;
+    let optionalDependencies = 0;
+    const registerOccurrence = (o) => {
+        let versionStates = versionStatesByName[o.name];
+        if (!versionStates) {
+            versionStates = new Map();
+            versionStatesByName[o.name] = versionStates;
+            request[o.name] = [];
+        }
+        const state = versionStates.get(o.version);
+        if (!state) {
+            versionStates.set(o.version, { devOnly: o.devOnly, optionalOnly: o.optionalOnly });
+            request[o.name].push(o.version);
+            totalDependencies++;
+            if (o.devOnly)
+                devDependencies++;
+            if (o.optionalOnly)
+                optionalDependencies++;
+            if (!o.devOnly && !o.optionalOnly)
+                dependencies++;
+            return;
+        }
+        const wasProduction = !state.devOnly && !state.optionalOnly;
+        if (state.devOnly && !o.devOnly) {
+            state.devOnly = false;
+            devDependencies--;
+        }
+        if (state.optionalOnly && !o.optionalOnly) {
+            state.optionalOnly = false;
+            optionalDependencies--;
+        }
+        if (!wasProduction && !state.devOnly && !state.optionalOnly) {
+            dependencies++;
+        }
+    };
+    // Build a visitor for one lockfile graph. The walker already de-duplicates
+    // by depPath internally, so we don't need a second visited set here.
+    const makeVisitor = (graphDepTypes, graphOptionalOnly) => {
+        const visit = (step) => {
+            for (const { depPath, pkgSnapshot, next } of step.dependencies) {
+                const { name, version } = nameVerFromPkgSnapshot(depPath, pkgSnapshot);
+                if (version) {
+                    registerOccurrence({
+                        name,
+                        version,
+                        devOnly: graphDepTypes[depPath] === DepType.DevOnly,
+                        optionalOnly: graphOptionalOnly.has(depPath),
+                    });
+                }
+                visit(next());
+            }
+        };
+        return visit;
+    };
+    const visitMain = makeVisitor(depTypes, optionalOnly);
+    for (const importerWalker of importerWalkers) {
+        visitMain(importerWalker.step);
+    }
+    if (opts.envLockfile) {
+        const envLockfileObject = envLockfileToLockfileObject(opts.envLockfile);
+        const envDepTypes = detectDepTypes(envLockfileObject);
+        const envOptionalOnly = collectOptionalOnlyDepPaths(envLockfileObject, opts.include);
+        const visitEnv = makeVisitor(envDepTypes, envOptionalOnly);
+        for (const { step } of lockfileWalkerGroupImporterSteps(envLockfileObject, Object.keys(envLockfileObject.importers), { include: opts.include })) {
+            visitEnv(step);
+        }
+    }
+    return { request, totalDependencies, dependencies, devDependencies, optionalDependencies };
+}
+export function buildAuditPathIndex(lockfile, vulnerableNames, opts) {
+    // Null-prototype record keyed by package name to avoid prototype pollution
+    // from registry-supplied or lockfile-supplied names.
+    const paths = Object.create(null);
+    const depTypes = opts.depTypes ?? detectDepTypes(lockfile);
+    const optionalOnly = opts.optionalOnly ?? collectOptionalOnlyDepPaths(lockfile, opts.include);
+    walkForPaths({
+        lockfile,
+        vulnerableNames,
+        paths,
+        depTypes,
+        optionalOnly,
+        include: opts.include,
+        importerSegmentOf: (importerId) => importerId.replace(/\//g, '__'),
+    });
+    if (opts.envLockfile) {
+        const envLockfileObject = envLockfileToLockfileObject(opts.envLockfile);
+        walkForPaths({
+            lockfile: envLockfileObject,
+            vulnerableNames,
+            paths,
+            depTypes: detectDepTypes(envLockfileObject),
+            optionalOnly: collectOptionalOnlyDepPaths(envLockfileObject, opts.include),
+            include: opts.include,
+            importerSegmentOf: (importerId) => importerId,
+        });
+    }
+    return paths;
+}
+function walkForPaths(ctx) {
+    const { lockfile, vulnerableNames, paths, depTypes, optionalOnly, include, importerSegmentOf } = ctx;
+    const includeDeps = include?.dependencies !== false;
+    const includeDevDeps = include?.devDependencies !== false;
+    const includeOptDeps = include?.optionalDependencies !== false;
+    const packages = lockfile.packages ?? {};
+    // Reused across every root to avoid per-node Set cloning. visit adds the
+    // current depPath before recursing and removes it on the way back, so the
+    // set always reflects the current trail.
+    const inTrail = new Set();
+    const visit = (edge, trail) => {
+        if (inTrail.has(edge.depPath))
+            return;
+        const pkgSnapshot = packages[edge.depPath];
+        if (pkgSnapshot == null)
+            return;
+        const { name, version } = nameVerFromPkgSnapshot(edge.depPath, pkgSnapshot);
+        const resolvedName = name ?? edge.name;
+        const fullPath = [...trail, resolvedName];
+        if (version && vulnerableNames.has(resolvedName)) {
+            recordPath(paths, resolvedName, version, fullPath.join('>'), depTypes[edge.depPath] === DepType.DevOnly, optionalOnly.has(edge.depPath));
+        }
+        inTrail.add(edge.depPath);
+        try {
+            for (const child of resolvedDepsToNamedDepPaths(pkgSnapshot.dependencies ?? {})) {
+                visit(child, fullPath);
+            }
+            if (includeOptDeps) {
+                for (const child of resolvedDepsToNamedDepPaths(pkgSnapshot.optionalDependencies ?? {})) {
+                    visit(child, fullPath);
+                }
+            }
+        }
+        finally {
+            inTrail.delete(edge.depPath);
+        }
+    };
+    for (const [importerId, importer] of Object.entries(lockfile.importers)) {
+        const trail = [importerSegmentOf(importerId)];
+        const roots = [];
+        if (includeDeps)
+            roots.push(...resolvedDepsToNamedDepPaths(importer.dependencies ?? {}));
+        if (includeDevDeps)
+            roots.push(...resolvedDepsToNamedDepPaths(importer.devDependencies ?? {}));
+        if (includeOptDeps)
+            roots.push(...resolvedDepsToNamedDepPaths(importer.optionalDependencies ?? {}));
+        for (const root of roots) {
+            visit(root, trail);
+        }
+    }
+}
+// Per-(name, version) cap on recorded paths. The CLI only ever displays the
+// first few and follows with a "run pnpm why" hint, so keeping tens of
+// thousands of equivalent chains is wasted memory/CPU for projects with
+// heavy sharing (e.g. diamond dependencies deep in the graph).
+const MAX_PATHS_PER_FINDING = 100;
+function recordPath(paths, name, version, joined, isDev, isOptional) {
+    let byVersion = paths[name];
+    if (!byVersion) {
+        byVersion = new Map();
+        paths[name] = byVersion;
+    }
+    const info = byVersion.get(version);
+    if (!info) {
+        byVersion.set(version, { paths: [joined], dev: isDev, optional: isOptional });
+        return;
+    }
+    if (!isDev)
+        info.dev = false;
+    if (!isOptional)
+        info.optional = false;
+    if (info.paths.length >= MAX_PATHS_PER_FINDING)
+        return;
+    // Dedupe — the same joined trail can be produced when a package appears in
+    // both `dependencies` and `optionalDependencies` of the same parent, or via
+    // equivalent peer-suffix variants.
+    if (info.paths.includes(joined))
+        return;
+    info.paths.push(joined);
+}
+function resolvedDepsToNamedDepPaths(deps) {
+    const result = [];
+    for (const [alias, ref] of Object.entries(deps)) {
+        const depPath = dp.refToRelative(ref, alias);
+        if (depPath != null)
+            result.push({ name: alias, depPath });
+    }
+    return result;
+}
+// Returns the set of depPaths that are reachable only through optional edges
+// (i.e. they would be absent from the install set if optionalDependencies were
+// not included). Matches the AuditMetadata.optionalDependencies semantic.
+//
+// Implemented as (reachableWithOptional − reachableWithoutOptional) so that
+// optionalDependencies nested inside a required chain are also accounted for,
+// not just the ones declared directly on importer.optionalDependencies.
+//
+// Root selection honours the caller's `include` flags, so running
+// `pnpm audit --prod` doesn't let dev-only subgraphs flip a package out of
+// "optional-only" classification.
+export function collectOptionalOnlyDepPaths(lockfile, include) {
+    const includeDeps = include?.dependencies !== false;
+    const includeDevDeps = include?.devDependencies !== false;
+    const includeOptDeps = include?.optionalDependencies !== false;
+    const withoutOptional = new Set();
+    const withOptional = new Set();
+    for (const importer of Object.values(lockfile.importers)) {
+        const nonOptionalRoots = [
+            ...(includeDeps ? resolvedDepsToDepPaths(importer.dependencies ?? {}) : []),
+            ...(includeDevDeps ? resolvedDepsToDepPaths(importer.devDependencies ?? {}) : []),
+        ];
+        const allRoots = [
+            ...nonOptionalRoots,
+            ...(includeOptDeps ? resolvedDepsToDepPaths(importer.optionalDependencies ?? {}) : []),
+        ];
+        walkReachable(lockfile, nonOptionalRoots, withoutOptional, false);
+        walkReachable(lockfile, allRoots, withOptional, includeOptDeps);
+    }
+    const result = new Set();
+    for (const depPath of withOptional) {
+        if (!withoutOptional.has(depPath))
+            result.add(depPath);
+    }
+    return result;
+}
+function walkReachable(lockfile, depPaths, seen, includeOptionalEdges) {
+    const packages = lockfile.packages ?? {};
+    for (const depPath of depPaths) {
+        if (seen.has(depPath))
+            continue;
+        seen.add(depPath);
+        const snapshot = packages[depPath];
+        if (!snapshot)
+            continue;
+        walkReachable(lockfile, resolvedDepsToDepPaths(snapshot.dependencies ?? {}), seen, includeOptionalEdges);
+        if (includeOptionalEdges) {
+            walkReachable(lockfile, resolvedDepsToDepPaths(snapshot.optionalDependencies ?? {}), seen, includeOptionalEdges);
+        }
+    }
+}
+function resolvedDepsToDepPaths(deps) {
+    return Object.entries(deps)
+        .map(([alias, ref]) => dp.refToRelative(ref, alias))
+        .filter((depPath) => depPath !== null);
+}
+function envLockfileToLockfileObject(envLockfile) {
+    const envImporter = envLockfile.importers['.'];
+    const importers = {};
+    if (Object.keys(envImporter.configDependencies).length > 0) {
+        importers['configDependencies'] = { dependencies: envImporter.configDependencies };
+    }
+    if (envImporter.packageManagerDependencies) {
+        importers['packageManagerDependencies'] = { dependencies: envImporter.packageManagerDependencies };
+    }
+    return convertToLockfileObject({
+        lockfileVersion: envLockfile.lockfileVersion,
+        importers,
+        packages: envLockfile.packages,
+        snapshots: envLockfile.snapshots,
+    });
+}
+//# sourceMappingURL=lockfileToAuditIndex.js.map

package/lib/types.d.ts

@@ -6,64 +6,31 @@ export interface AuditVulnerabilityCounts {
     critical: number;
 }
 export interface IgnoredAuditVulnerabilityCounts {
+    info: number;
     low: number;
     moderate: number;
     high: number;
     critical: number;
 }
-export interface AuditResolution {
-    id: number;
-    path: string;
+export type AuditLevelString = 'info' | 'low' | 'moderate' | 'high' | 'critical';
+export type AuditLevelNumber = 0 | 1 | 2 | 3 | 4;
+export interface AuditFinding {
+    version: string;
+    paths: string[];
     dev: boolean;
     optional: boolean;
     bundled: boolean;
 }
-export interface AuditAction {
-    action: string;
-    module: string;
-    target: string;
-    isMajor: boolean;
-    resolves: AuditResolution[];
-}
-export type AuditLevelString = 'low' | 'moderate' | 'high' | 'critical';
-export type AuditLevelNumber = 0 | 1 | 2 | 3;
 export interface AuditAdvisory {
-    findings: [
-        {
-            version: string;
-            paths: string[];
-            dev: boolean;
-            optional: boolean;
-            bundled: boolean;
-        }
-    ];
+    findings: AuditFinding[];
     id: number;
-    created: string;
-    updated: string;
-    deleted?: boolean;
     title: string;
-    found_by: {
-        name: string;
-    };
-    reported_by: {
-        name: string;
-    };
     module_name: string;
-    cves: string[];
     vulnerable_versions: string;
-    patched_versions: string;
-    overview: string;
-    recommendation: string;
-    references: string;
-    access: string;
+    patched_versions?: string;
     severity: AuditLevelString;
     cwe: string;
     github_advisory_id: string;
-    metadata: {
-        module_type: string;
-        exploitability: number;
-        affected_components: string;
-    };
     url: string;
 }
 export interface AuditMetadata {
@@ -74,15 +41,8 @@ export interface AuditMetadata {
     totalDependencies: number;
 }
 export interface AuditReport {
-    actions: AuditAction[];
     advisories: {
         [id: string]: AuditAdvisory;
     };
-    muted: unknown[];
     metadata: AuditMetadata;
 }
-export interface AuditActionRecommendation {
-    cmd: string;
-    isBreaking: boolean;
-    action: AuditAction;
-}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.audit",
-  "version": "1002.0.14",
+  "version": "1101.0.0",
   "description": "Audit a lockfile",
   "keywords": [
     "pnpm",
@@ -25,28 +25,28 @@
     "!*.map"
   ],
   "dependencies": {
-    "ramda": "npm:@pnpm/ramda@0.28.1",
-    "@pnpm/error": "1000.0.5",
-    "@pnpm/fetching.types": "1000.2.0",
-    "@pnpm/lockfile.fs": "1001.1.21",
-    "@pnpm/lockfile.detect-dep-types": "1001.0.16",
-    "@pnpm/lockfile.types": "1002.0.2",
-    "@pnpm/lockfile.walker": "1001.0.16",
-    "@pnpm/network.fetch": "1000.2.6",
-    "@pnpm/types": "1000.9.0",
-    "@pnpm/lockfile.utils": "1003.0.3",
-    "@pnpm/workspace.project-manifest-reader": "1001.1.4"
+    "semver": "^7.7.2",
+    "@pnpm/error": "1100.0.0",
+    "@pnpm/fetching.types": "1100.0.0",
+    "@pnpm/deps.path": "1100.0.1",
+    "@pnpm/lockfile.detect-dep-types": "1100.0.1",
+    "@pnpm/lockfile.fs": "1100.0.1",
+    "@pnpm/lockfile.utils": "1100.0.1",
+    "@pnpm/lockfile.types": "1100.0.1",
+    "@pnpm/lockfile.walker": "1100.0.1",
+    "@pnpm/network.fetch": "1100.0.1",
+    "@pnpm/types": "1101.0.0"
   },
   "peerDependencies": {
     "@pnpm/logger": ">=1001.0.0 <1002.0.0"
   },
   "devDependencies": {
-    "@types/ramda": "0.29.12",
-    "nock": "13.3.4",
-    "@pnpm/logger": "1001.0.1",
-    "@pnpm/test-fixtures": "1000.0.0",
-    "@pnpm/deps.compliance.audit": "1002.0.14",
-    "@pnpm/constants": "1001.3.1"
+    "@types/semver": "7.7.1",
+    "@pnpm/deps.compliance.audit": "1101.0.0",
+    "@pnpm/constants": "1100.0.0",
+    "@pnpm/logger": "1100.0.0",
+    "@pnpm/test-fixtures": "1100.0.0",
+    "@pnpm/testing.mock-agent": "1100.0.1"
   },
   "engines": {
     "node": ">=22.13"
@@ -56,8 +56,8 @@
   },
   "scripts": {
     "lint": "eslint \"src/**/*.ts\" \"test/**/*.ts\"",
-    "_test": "cross-env NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" jest",
-    "test": "pnpm run compile && pnpm run _test",
-    "compile": "tsgo --build && pnpm run lint --fix"
+    "test": "pn compile && pn .test",
+    "compile": "tsgo --build && pn lint --fix",
+    ".test": "cross-env NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" jest"
   }
 }

package/lib/lockfileToAuditTree.d.ts

@@ -1,24 +0,0 @@
-import type { EnvLockfile, LockfileObject } from '@pnpm/lockfile.types';
-import type { DependenciesField } from '@pnpm/types';
-export interface AuditNode {
-    version?: string;
-    integrity?: string;
-    requires?: Record<string, string>;
-    dependencies?: {
-        [name: string]: AuditNode;
-    };
-    dev: boolean;
-}
-export interface AuditTree extends AuditNode {
-    name?: string;
-    install: string[];
-    remove: string[];
-    metadata: unknown;
-}
-export declare function lockfileToAuditTree(lockfile: LockfileObject, opts: {
-    envLockfile?: EnvLockfile | null;
-    include?: {
-        [dependenciesField in DependenciesField]: boolean;
-    };
-    lockfileDir: string;
-}): Promise<AuditTree>;

package/lib/lockfileToAuditTree.js

@@ -1,93 +0,0 @@
-import path from 'node:path';
-import { DepType, detectDepTypes } from '@pnpm/lockfile.detect-dep-types';
-import { convertToLockfileObject } from '@pnpm/lockfile.fs';
-import { nameVerFromPkgSnapshot } from '@pnpm/lockfile.utils';
-import { lockfileWalkerGroupImporterSteps } from '@pnpm/lockfile.walker';
-import { safeReadProjectManifestOnly } from '@pnpm/workspace.project-manifest-reader';
-import { map as mapValues } from 'ramda';
-export async function lockfileToAuditTree(lockfile, opts) {
-    const importerWalkers = lockfileWalkerGroupImporterSteps(lockfile, Object.keys(lockfile.importers), { include: opts?.include });
-    const dependencies = {};
-    const depTypes = detectDepTypes(lockfile);
-    await Promise.all(importerWalkers.map(async (importerWalker) => {
-        const importerDeps = lockfileToAuditNode(depTypes, importerWalker.step);
-        // For some reason the registry responds with 500 if the keys in dependencies have slashes
-        // see issue: https://github.com/pnpm/pnpm/issues/2848
-        const depName = importerWalker.importerId.replace(/\//g, '__');
-        const manifest = await safeReadProjectManifestOnly(path.join(opts.lockfileDir, importerWalker.importerId));
-        dependencies[depName] = {
-            dependencies: importerDeps,
-            dev: false,
-            requires: toRequires(importerDeps),
-            version: manifest?.version ?? '0.0.0',
-        };
-    }));
-    if (opts.envLockfile) {
-        const envLockfileObject = envLockfileToLockfileObject(opts.envLockfile);
-        const envDepTypes = detectDepTypes(envLockfileObject);
-        for (const { importerId, step } of lockfileWalkerGroupImporterSteps(envLockfileObject, Object.keys(envLockfileObject.importers), { include: opts.include })) {
-            const deps = lockfileToAuditNode(envDepTypes, step);
-            if (Object.keys(deps).length > 0) {
-                dependencies[importerId] = wrapDepsGroup(deps);
-            }
-        }
-    }
-    const auditTree = {
-        name: undefined,
-        version: undefined,
-        dependencies,
-        dev: false,
-        install: [],
-        integrity: undefined,
-        metadata: {},
-        remove: [],
-        requires: toRequires(dependencies),
-    };
-    return auditTree;
-}
-function lockfileToAuditNode(depTypes, step) {
-    const dependencies = {};
-    for (const { depPath, pkgSnapshot, next } of step.dependencies) {
-        const { name, version } = nameVerFromPkgSnapshot(depPath, pkgSnapshot);
-        const subdeps = lockfileToAuditNode(depTypes, next());
-        const dep = {
-            dev: depTypes[depPath] === DepType.DevOnly,
-            integrity: pkgSnapshot.resolution.integrity,
-            version,
-        };
-        if (Object.keys(subdeps).length > 0) {
-            dep.dependencies = subdeps;
-            dep.requires = toRequires(subdeps);
-        }
-        dependencies[name] = dep;
-    }
-    return dependencies;
-}
-function toRequires(auditNodesByDepName) {
-    return mapValues((auditNode) => auditNode.version, auditNodesByDepName);
-}
-function wrapDepsGroup(deps) {
-    return {
-        dependencies: deps,
-        dev: false,
-        requires: toRequires(deps),
-        version: '0.0.0',
-    };
-}
-function envLockfileToLockfileObject(envLockfile) {
-    const envImporter = envLockfile.importers['.'];
-    const importers = {};
-    if (Object.keys(envImporter.configDependencies).length > 0) {
-        importers['configDependencies'] = { dependencies: envImporter.configDependencies };
-    }
-    if (envImporter.packageManagerDependencies) {
-        importers['packageManagerDependencies'] = { dependencies: envImporter.packageManagerDependencies };
-    }
-    return convertToLockfileObject({
-        lockfileVersion: envLockfile.lockfileVersion,
-        importers,
-        packages: envLockfile.packages,
-        snapshots: envLockfile.snapshots,
-    });
-}
-//# sourceMappingURL=lockfileToAuditTree.js.map