@preship/core 2.0.2 → 2.1.0

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-type ProjectType = 'npm' | 'yarn' | 'pnpm';
+type ProjectType = 'npm' | 'yarn' | 'pnpm' | 'flutter' | 'maven' | 'gradle' | 'cocoapods' | 'spm';
 interface DetectedProject {
     type: ProjectType;
     path: string;
@@ -14,7 +14,7 @@ interface Dependency {
     isDirect: boolean;
     isDevDependency: boolean;
 }
-type LicenseSource = 'package-json-license-field' | 'license-file' | 'package-json-licenses-field' | 'npm-registry' | 'github-api' | 'cache' | 'unknown';
+type LicenseSource = 'package-json-license-field' | 'license-file' | 'package-json-licenses-field' | 'npm-registry' | 'pub-registry' | 'maven-central' | 'cocoapods-cdn' | 'github-api' | 'cache' | 'unknown';
 interface ParsedDependency {
     name: string;
     version: string;
@@ -205,6 +205,130 @@ declare function parseYarnLockfile(lockfilePath: string, packageJsonPath: string
 
 declare function parsePnpmLockfile(lockfilePath: string, packageJsonPath: string): ParsedDependency[];
 
+/**
+ * Parse a Flutter/Dart pubspec.lock file and return all dependencies.
+ *
+ * pubspec.lock uses a well-defined YAML structure:
+ *   packages:
+ *     <name>:
+ *       dependency: "direct main"
+ *       description:
+ *         name: <name>
+ *         ...
+ *       source: hosted
+ *       version: "1.2.3"
+ *
+ * We use a simple line-based parser (no js-yaml dependency needed)
+ * because pubspec.lock has a consistent, predictable structure.
+ *
+ * SDK packages (source: sdk) are skipped — these are Flutter/Dart
+ * built-ins like `flutter`, `sky_engine`, `flutter_test`.
+ *
+ * @param lockfilePath - Absolute path to pubspec.lock
+ * @param pubspecYamlPath - Absolute path to pubspec.yaml
+ * @returns Array of ParsedDependency
+ */
+declare function parsePubspecLockfile(lockfilePath: string, pubspecYamlPath: string): ParsedDependency[];
+
+/**
+ * Parse a Maven pom.xml file and return all dependencies.
+ *
+ * Maven doesn't have a lockfile, so we parse pom.xml directly.
+ * Extracts <dependency> blocks from the <dependencies> section,
+ * resolving ${property} version references from <properties>.
+ *
+ * Skips:
+ *   - <scope>provided</scope> and <scope>system</scope> (always)
+ *   - <scope>test</scope> (marked as dev dependency)
+ *
+ * Package name format: groupId:artifactId
+ * (e.g., "org.springframework.boot:spring-boot-starter-web")
+ *
+ * @param pomPath - Absolute path to pom.xml
+ * @param _manifestPath - Same as pomPath (Maven uses pom.xml as both)
+ * @returns Array of ParsedDependency
+ */
+declare function parseMavenPom(pomPath: string, _manifestPath: string): ParsedDependency[];
+
+/**
+ * Parse a Gradle project's dependencies.
+ *
+ * Tries sources in priority order:
+ *   1. gradle.lockfile (opt-in, most reliable)
+ *   2. gradle/libs.versions.toml (version catalog)
+ *   3. build.gradle or build.gradle.kts (regex fallback)
+ *
+ * Package name format: groupId:artifactId
+ * (e.g., "org.springframework.boot:spring-boot-starter-web")
+ *
+ * @param lockfilePath - Path to gradle.lockfile or build.gradle(.kts)
+ * @param manifestPath - Path to build.gradle or build.gradle.kts
+ * @returns Array of ParsedDependency
+ */
+declare function parseGradleLockfile(lockfilePath: string, manifestPath: string): ParsedDependency[];
+
+/**
+ * Parse a CocoaPods Podfile.lock and return all dependencies.
+ *
+ * Podfile.lock is a YAML-like format with consistent structure:
+ *
+ *   PODS:
+ *     - AFNetworking (4.0.1):
+ *       - AFNetworking/NSURLSession (= 4.0.1)
+ *       - AFNetworking/Reachability (= 4.0.1)
+ *     - Alamofire (5.9.1)
+ *
+ *   DEPENDENCIES:
+ *     - AFNetworking (~> 4.0)
+ *     - Alamofire
+ *
+ *   SPEC REPOS:
+ *     ...
+ *
+ * We use a line-based parser (no YAML library needed) since the
+ * format is predictable.
+ *
+ * Subspecs (e.g., AFNetworking/NSURLSession) are skipped — only
+ * top-level pods are returned.
+ *
+ * @param lockfilePath - Absolute path to Podfile.lock
+ * @param _manifestPath - Absolute path to Podfile (unused, for API consistency)
+ * @returns Array of ParsedDependency
+ */
+declare function parsePodfileLock(lockfilePath: string, _manifestPath: string): ParsedDependency[];
+
+/**
+ * Parse a Swift Package Manager Package.resolved file.
+ *
+ * Supports:
+ *   - v2 format (Swift 5.6+): { "pins": [...] }
+ *   - v3 format: same structure with "originHash"
+ *   - v1 format (legacy): { "object": { "pins": [...] } }
+ *
+ * Skips:
+ *   - Branch-based pins (no version)
+ *   - Local packages (kind: "localSourceControl")
+ *
+ * All SPM deps are treated as direct (Package.resolved doesn't
+ * distinguish direct vs transitive).
+ *
+ * The `location` field contains the Git URL, useful for
+ * GitHub-based license resolution.
+ *
+ * @param resolvedPath - Absolute path to Package.resolved
+ * @param _manifestPath - Absolute path to Package.swift (unused, for API consistency)
+ * @returns Array of ParsedDependency
+ */
+declare function parsePackageResolved(resolvedPath: string, _manifestPath: string): ParsedDependency[];
+/**
+ * Extract the Git location URL for a pin.
+ * Used by the license resolver to find GitHub repos.
+ *
+ * @param resolvedPath - Absolute path to Package.resolved
+ * @returns Map of package identity → location URL
+ */
+declare function extractSpmLocations(resolvedPath: string): Map<string, string>;
+
 /**
  * Encrypted Project-Level License Cache
  *
@@ -360,4 +484,4 @@ interface ScanTimeoutController {
  */
 declare function createScanTimeoutController(timeout?: number): ScanTimeoutController;
 
-export { AdaptiveRateLimiter, type CacheEntry, type CacheFile, type Dependency, type DetectedProject, type ExceptionEntry, type LicenseSource, type ModuleConfig, type PackageHealth, type ParsedDependency, type PolicyResult, type PolicyTemplate, type PolicyVerdict, type PreshipConfig, type ProjectType, type ResolverMode, type ScanResult, type ScanTimeoutController, type SecretFinding, type SecretRule, type SecretSeverity, type SecretsConfig, type SecretsResult, type SecurityConfig, type SecurityFinding, type SecurityPolicyLevel, type SecurityResult, type SecuritySeverity, type SecurityVulnerability, type UnifiedScanResult, cacheKey, createEmptyCache, createScanTimeoutController, detectProjects, getCacheEntry, getDefaultConfig, getOrCreateKey, loadCache, loadConfig, parseNpmLockfile, parsePnpmLockfile, parseYarnLockfile, saveCache, setCacheEntry };
+export { AdaptiveRateLimiter, type CacheEntry, type CacheFile, type Dependency, type DetectedProject, type ExceptionEntry, type LicenseSource, type ModuleConfig, type PackageHealth, type ParsedDependency, type PolicyResult, type PolicyTemplate, type PolicyVerdict, type PreshipConfig, type ProjectType, type ResolverMode, type ScanResult, type ScanTimeoutController, type SecretFinding, type SecretRule, type SecretSeverity, type SecretsConfig, type SecretsResult, type SecurityConfig, type SecurityFinding, type SecurityPolicyLevel, type SecurityResult, type SecuritySeverity, type SecurityVulnerability, type UnifiedScanResult, cacheKey, createEmptyCache, createScanTimeoutController, detectProjects, extractSpmLocations, getCacheEntry, getDefaultConfig, getOrCreateKey, loadCache, loadConfig, parseGradleLockfile, parseMavenPom, parseNpmLockfile, parsePackageResolved, parsePnpmLockfile, parsePodfileLock, parsePubspecLockfile, parseYarnLockfile, saveCache, setCacheEntry };

package/dist/index.js

@@ -35,13 +35,19 @@ __export(index_exports, {
   createEmptyCache: () => createEmptyCache,
   createScanTimeoutController: () => createScanTimeoutController,
   detectProjects: () => detectProjects,
+  extractSpmLocations: () => extractSpmLocations,
   getCacheEntry: () => getCacheEntry,
   getDefaultConfig: () => getDefaultConfig,
   getOrCreateKey: () => getOrCreateKey,
   loadCache: () => loadCache,
   loadConfig: () => loadConfig,
+  parseGradleLockfile: () => parseGradleLockfile,
+  parseMavenPom: () => parseMavenPom,
   parseNpmLockfile: () => parseNpmLockfile,
+  parsePackageResolved: () => parsePackageResolved,
   parsePnpmLockfile: () => parsePnpmLockfile,
+  parsePodfileLock: () => parsePodfileLock,
+  parsePubspecLockfile: () => parsePubspecLockfile,
   parseYarnLockfile: () => parseYarnLockfile,
   saveCache: () => saveCache,
   setCacheEntry: () => setCacheEntry
@@ -378,10 +384,30 @@ function loadConfig(projectPath) {
 // src/detector.ts
 var fs2 = __toESM(require("fs"));
 var path2 = __toESM(require("path"));
+var NODE_LOCK_FILES = [
+  { filename: "package-lock.json", type: "npm", manifest: "package.json" },
+  { filename: "yarn.lock", type: "yarn", manifest: "package.json" },
+  { filename: "pnpm-lock.yaml", type: "pnpm", manifest: "package.json" }
+];
+var FLUTTER_LOCK_FILES = [
+  { filename: "pubspec.lock", type: "flutter", manifest: "pubspec.yaml" }
+];
+var JAVA_LOCK_FILES = [
+  { filename: "gradle.lockfile", type: "gradle", manifest: "build.gradle" },
+  { filename: "gradle.lockfile", type: "gradle", manifest: "build.gradle.kts" },
+  { filename: "build.gradle", type: "gradle", manifest: "build.gradle" },
+  { filename: "build.gradle.kts", type: "gradle", manifest: "build.gradle.kts" },
+  { filename: "pom.xml", type: "maven", manifest: "pom.xml" }
+];
+var IOS_LOCK_FILES = [
+  { filename: "Podfile.lock", type: "cocoapods", manifest: "Podfile" },
+  { filename: "Package.resolved", type: "spm", manifest: "Package.swift" }
+];
 var LOCK_FILES = [
-  { filename: "package-lock.json", type: "npm" },
-  { filename: "yarn.lock", type: "yarn" },
-  { filename: "pnpm-lock.yaml", type: "pnpm" }
+  ...NODE_LOCK_FILES,
+  ...FLUTTER_LOCK_FILES,
+  ...JAVA_LOCK_FILES,
+  ...IOS_LOCK_FILES
 ];
 function detectFramework(packageJsonPath) {
   try {
@@ -391,8 +417,15 @@ function detectFramework(packageJsonPath) {
       ...pkg.dependencies || {},
       ...pkg.devDependencies || {}
     };
+    if (allDeps["expo"]) return "expo";
+    if (allDeps["react-native"]) return "react-native";
+    if (allDeps["electron"]) return "electron";
+    if (allDeps["@tauri-apps/api"] || allDeps["tauri"]) return "tauri";
     if (allDeps["next"]) return "nextjs";
     if (allDeps["nuxt"]) return "nuxtjs";
+    if (allDeps["@remix-run/react"] || allDeps["remix"]) return "remix";
+    if (allDeps["astro"]) return "astro";
+    if (allDeps["gatsby"]) return "gatsby";
     if (allDeps["react"]) return "react";
     if (allDeps["vue"]) return "vue";
     if (allDeps["@angular/core"]) return "angular";
@@ -400,25 +433,113 @@ function detectFramework(packageJsonPath) {
     if (allDeps["express"]) return "express";
     if (allDeps["fastify"]) return "fastify";
     if (allDeps["@nestjs/core"] || allDeps["nestjs"]) return "nestjs";
+    if (allDeps["@hapi/hapi"]) return "hapi";
+    if (allDeps["koa"]) return "koa";
     return void 0;
   } catch {
     return void 0;
   }
 }
+function detectFlutterFramework(pubspecYamlPath, projectRoot) {
+  try {
+    const content = fs2.readFileSync(pubspecYamlPath, "utf-8");
+    const hasFlutterSdk = /^\s{2}flutter:\s*$/m.test(content) && /sdk:\s*flutter/m.test(content);
+    if (hasFlutterSdk) {
+      const hasWebDir = fs2.existsSync(path2.join(projectRoot, "web"));
+      if (hasWebDir) return "flutter-web";
+      const hasDesktopDir = fs2.existsSync(path2.join(projectRoot, "linux")) || fs2.existsSync(path2.join(projectRoot, "windows")) || fs2.existsSync(path2.join(projectRoot, "macos"));
+      if (hasDesktopDir) return "flutter-desktop";
+      return "flutter";
+    }
+    const hasShelf = /shelf/m.test(content);
+    const hasDartFrog = /dart_frog/m.test(content);
+    if (hasShelf || hasDartFrog) return "dart-server";
+    return "dart-cli";
+  } catch {
+    return void 0;
+  }
+}
+function detectJavaFramework(manifestPath, _projectRoot) {
+  try {
+    const content = fs2.readFileSync(manifestPath, "utf-8");
+    if (/com\.android\.(application|library)/m.test(content)) return "android-java";
+    if (/spring-boot-starter/m.test(content)) return "spring-boot";
+    if (/org\.springframework/m.test(content)) return "spring";
+    if (/io\.quarkus/m.test(content)) return "quarkus";
+    if (/io\.micronaut/m.test(content)) return "micronaut";
+    return "java";
+  } catch {
+    return "java";
+  }
+}
+function detectIosFramework(manifestPath, projectType) {
+  if (projectType === "spm") return "ios-spm";
+  try {
+    const content = fs2.readFileSync(manifestPath, "utf-8");
+    if (/platform\s*:tvos/m.test(content)) return "tvos-native";
+    if (/platform\s*:osx/m.test(content) || /platform\s*:macos/m.test(content)) return "macos-native";
+    return "ios-native";
+  } catch {
+    return "ios-native";
+  }
+}
 function detectProjects(rootPath) {
   const absRoot = path2.resolve(rootPath);
   const packageJsonPath = path2.join(absRoot, "package.json");
-  if (!fs2.existsSync(packageJsonPath)) {
+  const pubspecYamlPath = path2.join(absRoot, "pubspec.yaml");
+  const pomXmlPath = path2.join(absRoot, "pom.xml");
+  const buildGradlePath = path2.join(absRoot, "build.gradle");
+  const buildGradleKtsPath = path2.join(absRoot, "build.gradle.kts");
+  const podfilePath = path2.join(absRoot, "Podfile");
+  const packageSwiftPath = path2.join(absRoot, "Package.swift");
+  const hasPackageJson = fs2.existsSync(packageJsonPath);
+  const hasPubspecYaml = fs2.existsSync(pubspecYamlPath);
+  const hasPomXml = fs2.existsSync(pomXmlPath);
+  const hasBuildGradle = fs2.existsSync(buildGradlePath) || fs2.existsSync(buildGradleKtsPath);
+  const hasPodfile = fs2.existsSync(podfilePath);
+  const hasPackageSwift = fs2.existsSync(packageSwiftPath);
+  if (!hasPackageJson && !hasPubspecYaml && !hasPomXml && !hasBuildGradle && !hasPodfile && !hasPackageSwift) {
     throw new Error(
-      `No package.json found in ${absRoot}.
-  PreShip needs a Node.js project to scan.
+      `No supported project manifest found in ${absRoot}.
+  PreShip supports:
+    - Node.js (package.json)
+    - Flutter/Dart (pubspec.yaml)
+    - Maven (pom.xml)
+    - Gradle (build.gradle / build.gradle.kts)
+    - CocoaPods (Podfile)
+    - Swift Package Manager (Package.swift)
   Make sure you're running from the project root.`
     );
   }
   const detected = [];
   for (const entry of LOCK_FILES) {
     const lockFilePath = path2.join(absRoot, entry.filename);
-    if (fs2.existsSync(lockFilePath)) {
+    const manifestPath = path2.join(absRoot, entry.manifest);
+    if (!fs2.existsSync(lockFilePath) || !fs2.existsSync(manifestPath)) {
+      continue;
+    }
+    if (entry.type === "flutter") {
+      detected.push({
+        type: entry.type,
+        path: absRoot,
+        lockFile: lockFilePath,
+        framework: detectFlutterFramework(pubspecYamlPath, absRoot)
+      });
+    } else if (entry.type === "maven" || entry.type === "gradle") {
+      detected.push({
+        type: entry.type,
+        path: absRoot,
+        lockFile: lockFilePath,
+        framework: detectJavaFramework(manifestPath, absRoot)
+      });
+    } else if (entry.type === "cocoapods" || entry.type === "spm") {
+      detected.push({
+        type: entry.type,
+        path: absRoot,
+        lockFile: lockFilePath,
+        framework: detectIosFramework(manifestPath, entry.type)
+      });
+    } else {
       detected.push({
         type: entry.type,
         path: absRoot,
@@ -428,11 +549,42 @@ function detectProjects(rootPath) {
     }
   }
   if (detected.length === 0) {
-    throw new Error(
-      `No supported lock file found in ${absRoot}.
+    if (hasPackageJson) {
+      throw new Error(
+        `No supported lock file found in ${absRoot}.
   PreShip needs a lock file to scan dependencies.
   Run 'npm install', 'yarn install', or 'pnpm install' first.`
-    );
+      );
+    } else if (hasPubspecYaml) {
+      throw new Error(
+        `No pubspec.lock found in ${absRoot}.
+  PreShip needs a lock file to scan dependencies.
+  Run 'flutter pub get' or 'dart pub get' first.`
+      );
+    } else if (hasPomXml) {
+      throw new Error(
+        `Maven project detected in ${absRoot} but scanning is ready.
+  PreShip will parse pom.xml directly (no lockfile needed).`
+      );
+    } else if (hasBuildGradle) {
+      throw new Error(
+        `No gradle.lockfile found in ${absRoot}.
+  PreShip needs a lockfile or build file to scan dependencies.
+  For best results, enable lockfile: add 'dependencyLocking { lockAllConfigurations() }' to build.gradle.`
+      );
+    } else if (hasPodfile) {
+      throw new Error(
+        `No Podfile.lock found in ${absRoot}.
+  PreShip needs a lock file to scan dependencies.
+  Run 'pod install' first.`
+      );
+    } else {
+      throw new Error(
+        `No Package.resolved found in ${absRoot}.
+  PreShip needs a resolved file to scan dependencies.
+  Run 'swift package resolve' first.`
+      );
+    }
   }
   return [detected[0]];
 }
@@ -782,18 +934,595 @@ function parseV5Key(key) {
   return { name, pkgVersion };
 }
 
-// src/cache.ts
-var crypto = __toESM(require("crypto"));
+// src/parsers/flutter.ts
 var fs6 = __toESM(require("fs"));
+function parsePubspecLockfile(lockfilePath, pubspecYamlPath) {
+  let lockContent;
+  try {
+    lockContent = fs6.readFileSync(lockfilePath, "utf-8");
+  } catch {
+    throw new Error(
+      `Failed to read ${lockfilePath}.
+  The lock file may be missing or corrupted. Try running 'flutter pub get'.`
+    );
+  }
+  let pubspecContent;
+  try {
+    pubspecContent = fs6.readFileSync(pubspecYamlPath, "utf-8");
+  } catch {
+    throw new Error(
+      `Failed to read ${pubspecYamlPath}.
+  Make sure pubspec.yaml exists and is readable.`
+    );
+  }
+  const { directDeps, devDeps } = parsePubspecYamlDeps(pubspecContent);
+  const packages = parsePubspecLockPackages(lockContent);
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const [name, entry] of packages) {
+    if (entry.source === "sdk") {
+      continue;
+    }
+    if (!entry.version) {
+      continue;
+    }
+    const dedupKey = `${name}@${entry.version}`;
+    if (seen.has(dedupKey)) {
+      continue;
+    }
+    seen.add(dedupKey);
+    const isDirect = entry.dependency === "direct main" || entry.dependency === "direct dev" || entry.dependency === "direct overridden";
+    const isDevDependency = entry.dependency === "direct dev" || !isDirect && devDeps.has(name) && !directDeps.has(name);
+    results.push({
+      name,
+      version: entry.version,
+      isDirect,
+      isDevDependency
+    });
+  }
+  return results;
+}
+function parsePubspecYamlDeps(content) {
+  const directDeps = /* @__PURE__ */ new Set();
+  const devDeps = /* @__PURE__ */ new Set();
+  const lines = content.split("\n");
+  let currentSection = null;
+  for (const line of lines) {
+    const trimmed = line.trimEnd();
+    if (trimmed === "" || trimmed.startsWith("#")) {
+      continue;
+    }
+    if (!trimmed.startsWith(" ") && !trimmed.startsWith("	")) {
+      if (trimmed === "dependencies:" || trimmed.startsWith("dependencies:")) {
+        currentSection = "dependencies";
+        continue;
+      }
+      if (trimmed === "dev_dependencies:" || trimmed.startsWith("dev_dependencies:")) {
+        currentSection = "dev_dependencies";
+        continue;
+      }
+      currentSection = null;
+      continue;
+    }
+    if (currentSection) {
+      const depMatch = trimmed.match(/^  ([a-zA-Z_][a-zA-Z0-9_]*):/);
+      if (depMatch) {
+        const depName = depMatch[1];
+        if (currentSection === "dependencies") {
+          directDeps.add(depName);
+        } else {
+          devDeps.add(depName);
+        }
+      }
+    }
+  }
+  return { directDeps, devDeps };
+}
+function parsePubspecLockPackages(content) {
+  const packages = /* @__PURE__ */ new Map();
+  const lines = content.split("\n");
+  let inPackages = false;
+  let currentPackage = null;
+  let currentEntry = {};
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const trimmedEnd = line.trimEnd();
+    if (trimmedEnd === "packages:") {
+      inPackages = true;
+      continue;
+    }
+    if (!inPackages) {
+      continue;
+    }
+    if (trimmedEnd !== "" && !trimmedEnd.startsWith(" ") && !trimmedEnd.startsWith("	")) {
+      if (currentPackage && currentEntry.dependency && currentEntry.source && currentEntry.version) {
+        packages.set(currentPackage, currentEntry);
+      }
+      break;
+    }
+    if (trimmedEnd === "") {
+      continue;
+    }
+    const packageNameMatch = line.match(/^  ([a-zA-Z_][a-zA-Z0-9_-]*):\s*$/);
+    if (packageNameMatch) {
+      if (currentPackage && currentEntry.dependency && currentEntry.source && currentEntry.version) {
+        packages.set(currentPackage, currentEntry);
+      }
+      currentPackage = packageNameMatch[1];
+      currentEntry = {};
+      continue;
+    }
+    if (currentPackage && line.startsWith("    ") && !line.startsWith("      ")) {
+      const propMatch = line.match(/^    (\w+):\s*"?([^"]*)"?\s*$/);
+      if (propMatch) {
+        const [, key, value] = propMatch;
+        if (key === "dependency") {
+          currentEntry.dependency = value;
+        } else if (key === "source") {
+          currentEntry.source = value;
+        } else if (key === "version") {
+          currentEntry.version = value;
+        }
+      }
+    }
+  }
+  if (currentPackage && currentEntry.dependency && currentEntry.source && currentEntry.version) {
+    packages.set(currentPackage, currentEntry);
+  }
+  return packages;
+}
+
+// src/parsers/maven.ts
+var fs7 = __toESM(require("fs"));
+function parseMavenPom(pomPath, _manifestPath) {
+  let content;
+  try {
+    content = fs7.readFileSync(pomPath, "utf-8");
+  } catch {
+    throw new Error(
+      `Failed to read ${pomPath}.
+  The pom.xml file may be missing or corrupted.`
+    );
+  }
+  const properties = parseProperties(content);
+  const dependencies = parseDependencies(content, properties);
+  return dependencies;
+}
+function parseProperties(content) {
+  const props = /* @__PURE__ */ new Map();
+  const propsMatch = content.match(/<properties>([\s\S]*?)<\/properties>/);
+  if (!propsMatch) return props;
+  const propsBlock = propsMatch[1];
+  const propRegex = /<([a-zA-Z0-9._-]+)>(.*?)<\/\1>/g;
+  let match;
+  while ((match = propRegex.exec(propsBlock)) !== null) {
+    props.set(match[1], match[2].trim());
+  }
+  return props;
+}
+function resolveVersion(version, properties) {
+  if (!version) return void 0;
+  return version.replace(/\$\{([^}]+)\}/g, (_, propName) => {
+    return properties.get(propName) ?? `\${${propName}}`;
+  });
+}
+function parseDependencies(content, properties) {
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  const withoutMgmt = content.replace(
+    /<dependencyManagement>[\s\S]*?<\/dependencyManagement>/g,
+    ""
+  );
+  const depsBlockRegex = /<dependencies>([\s\S]*?)<\/dependencies>/g;
+  let depsMatch;
+  while ((depsMatch = depsBlockRegex.exec(withoutMgmt)) !== null) {
+    const depsBlock = depsMatch[1];
+    const depRegex = /<dependency>([\s\S]*?)<\/dependency>/g;
+    let depMatch;
+    while ((depMatch = depRegex.exec(depsBlock)) !== null) {
+      const depBlock = depMatch[1];
+      const groupId = extractXmlValue(depBlock, "groupId");
+      const artifactId = extractXmlValue(depBlock, "artifactId");
+      const rawVersion = extractXmlValue(depBlock, "version");
+      const scope = extractXmlValue(depBlock, "scope");
+      if (!groupId || !artifactId) continue;
+      if (scope === "provided" || scope === "system") continue;
+      const version = resolveVersion(rawVersion, properties) ?? "UNKNOWN";
+      const name = `${groupId}:${artifactId}`;
+      const isDevDependency = scope === "test";
+      const dedupKey = `${name}@${version}`;
+      if (seen.has(dedupKey)) continue;
+      seen.add(dedupKey);
+      results.push({
+        name,
+        version,
+        isDirect: true,
+        // pom.xml only lists direct dependencies
+        isDevDependency
+      });
+    }
+  }
+  return results;
+}
+function extractXmlValue(block, tag) {
+  const match = block.match(new RegExp(`<${tag}>\\s*(.*?)\\s*</${tag}>`));
+  return match ? match[1].trim() : void 0;
+}
+
+// src/parsers/gradle.ts
+var fs8 = __toESM(require("fs"));
 var path3 = __toESM(require("path"));
+function parseGradleLockfile(lockfilePath, manifestPath) {
+  const lockFileName = path3.basename(lockfilePath);
+  if (lockFileName === "gradle.lockfile") {
+    return parseGradleLockfileFormat(lockfilePath);
+  }
+  const projectDir = path3.dirname(manifestPath);
+  const versionCatalogPath = path3.join(projectDir, "gradle", "libs.versions.toml");
+  if (fs8.existsSync(versionCatalogPath)) {
+    const catalogDeps = parseVersionCatalog(versionCatalogPath);
+    if (catalogDeps.length > 0) return catalogDeps;
+  }
+  return parseBuildGradleFile(manifestPath);
+}
+function parseGradleLockfileFormat(lockfilePath) {
+  let content;
+  try {
+    content = fs8.readFileSync(lockfilePath, "utf-8");
+  } catch {
+    throw new Error(
+      `Failed to read ${lockfilePath}.
+  The gradle.lockfile may be missing or corrupted.`
+    );
+  }
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#") || trimmed === "empty=") continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    const coordPart = trimmed.slice(0, eqIdx);
+    const configPart = trimmed.slice(eqIdx + 1);
+    const parts = coordPart.split(":");
+    if (parts.length < 3) continue;
+    const groupId = parts[0];
+    const artifactId = parts[1];
+    const version = parts[2];
+    const name = `${groupId}:${artifactId}`;
+    const dedupKey = `${name}@${version}`;
+    if (seen.has(dedupKey)) continue;
+    seen.add(dedupKey);
+    const configs = configPart.split(",").map((c) => c.trim().toLowerCase());
+    const isTestOnly = configs.length > 0 && configs.every(
+      (c) => c.includes("test") || c.includes("androidtest") || c.includes("unittest")
+    );
+    results.push({
+      name,
+      version,
+      isDirect: true,
+      // Lockfile doesn't distinguish, assume direct
+      isDevDependency: isTestOnly
+    });
+  }
+  return results;
+}
+function parseVersionCatalog(catalogPath) {
+  let content;
+  try {
+    content = fs8.readFileSync(catalogPath, "utf-8");
+  } catch {
+    return [];
+  }
+  const versions = /* @__PURE__ */ new Map();
+  const versionsSection = extractTomlSection(content, "versions");
+  if (versionsSection) {
+    for (const line of versionsSection.split("\n")) {
+      const match = line.match(/^\s*([a-zA-Z0-9_-]+)\s*=\s*"([^"]+)"/);
+      if (match) {
+        versions.set(match[1], match[2]);
+      }
+    }
+  }
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  const librariesSection = extractTomlSection(content, "libraries");
+  if (!librariesSection) return results;
+  for (const line of librariesSection.split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const moduleMatch = trimmed.match(/module\s*=\s*"([^"]+)"/);
+    if (!moduleMatch) {
+      const groupMatch = trimmed.match(/group\s*=\s*"([^"]+)"/);
+      const nameMatch = trimmed.match(/name\s*=\s*"([^"]+)"/);
+      if (!groupMatch || !nameMatch) continue;
+      const name2 = `${groupMatch[1]}:${nameMatch[1]}`;
+      const version2 = resolveTomlVersion(trimmed, versions);
+      if (!version2) continue;
+      const dedupKey2 = `${name2}@${version2}`;
+      if (seen.has(dedupKey2)) continue;
+      seen.add(dedupKey2);
+      results.push({ name: name2, version: version2, isDirect: true, isDevDependency: false });
+      continue;
+    }
+    const name = moduleMatch[1];
+    const version = resolveTomlVersion(trimmed, versions);
+    if (!version) continue;
+    const dedupKey = `${name}@${version}`;
+    if (seen.has(dedupKey)) continue;
+    seen.add(dedupKey);
+    results.push({ name, version, isDirect: true, isDevDependency: false });
+  }
+  return results;
+}
+function extractTomlSection(content, sectionName) {
+  const sectionRegex = new RegExp(`^\\[${sectionName}\\]\\s*$`, "m");
+  const match = content.match(sectionRegex);
+  if (!match || match.index === void 0) return null;
+  const start = match.index + match[0].length;
+  const nextSection = content.slice(start).match(/^\[/m);
+  const end = nextSection?.index !== void 0 ? start + nextSection.index : content.length;
+  return content.slice(start, end);
+}
+function resolveTomlVersion(line, versions) {
+  const refMatch = line.match(/version\.ref\s*=\s*"([^"]+)"/);
+  if (refMatch) {
+    return versions.get(refMatch[1]);
+  }
+  const versionMatch = line.match(/version\s*=\s*"([^"]+)"/);
+  if (versionMatch) {
+    return versionMatch[1];
+  }
+  return void 0;
+}
+function parseBuildGradleFile(buildFilePath) {
+  let content;
+  try {
+    content = fs8.readFileSync(buildFilePath, "utf-8");
+  } catch {
+    throw new Error(
+      `Failed to read ${buildFilePath}.
+  The build file may be missing or corrupted.`
+    );
+  }
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  const depConfigs = [
+    "implementation",
+    "api",
+    "compileOnly",
+    "runtimeOnly",
+    "testImplementation",
+    "testCompileOnly",
+    "testRuntimeOnly",
+    "androidTestImplementation",
+    "debugImplementation",
+    "releaseImplementation"
+  ];
+  for (const config of depConfigs) {
+    const patterns = [
+      new RegExp(`${config}\\s*\\(\\s*["']([^"']+)["']\\s*\\)`, "g"),
+      new RegExp(`${config}\\s+["']([^"']+)["']`, "g")
+    ];
+    for (const pattern of patterns) {
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const dep = match[1];
+        const parts = dep.split(":");
+        if (parts.length < 3) continue;
+        const name = `${parts[0]}:${parts[1]}`;
+        const version = parts[2];
+        const dedupKey = `${name}@${version}`;
+        if (seen.has(dedupKey)) continue;
+        seen.add(dedupKey);
+        const isTest = config.toLowerCase().includes("test");
+        results.push({
+          name,
+          version,
+          isDirect: true,
+          isDevDependency: isTest
+        });
+      }
+    }
+    const mapPattern = new RegExp(
+      `${config}\\s+group:\\s*["']([^"']+)["']\\s*,\\s*name:\\s*["']([^"']+)["']\\s*,\\s*version:\\s*["']([^"']+)["']`,
+      "g"
+    );
+    let mapMatch;
+    while ((mapMatch = mapPattern.exec(content)) !== null) {
+      const name = `${mapMatch[1]}:${mapMatch[2]}`;
+      const version = mapMatch[3];
+      const dedupKey = `${name}@${version}`;
+      if (seen.has(dedupKey)) continue;
+      seen.add(dedupKey);
+      const isTest = config.toLowerCase().includes("test");
+      results.push({
+        name,
+        version,
+        isDirect: true,
+        isDevDependency: isTest
+      });
+    }
+  }
+  return results;
+}
+
+// src/parsers/cocoapods.ts
+var fs9 = __toESM(require("fs"));
+function parsePodfileLock(lockfilePath, _manifestPath) {
+  let content;
+  try {
+    content = fs9.readFileSync(lockfilePath, "utf-8");
+  } catch {
+    throw new Error(
+      `Failed to read ${lockfilePath}.
+  The Podfile.lock may be missing or corrupted. Try running 'pod install'.`
+    );
+  }
+  const pods = parsePodsSection(content);
+  const directDeps = parseDependenciesSection(content);
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const [name, version] of pods) {
+    if (name.includes("/")) continue;
+    const dedupKey = `${name}@${version}`;
+    if (seen.has(dedupKey)) continue;
+    seen.add(dedupKey);
+    const isDirect = directDeps.has(name);
+    results.push({
+      name,
+      version,
+      isDirect,
+      isDevDependency: false
+      // CocoaPods doesn't have dev dependency concept
+    });
+  }
+  return results;
+}
+function parsePodsSection(content) {
+  const pods = /* @__PURE__ */ new Map();
+  const lines = content.split("\n");
+  let inPodsSection = false;
+  for (const line of lines) {
+    const trimmed = line.trimEnd();
+    if (trimmed === "PODS:") {
+      inPodsSection = true;
+      continue;
+    }
+    if (inPodsSection && trimmed !== "" && !trimmed.startsWith(" ") && !trimmed.startsWith("	")) {
+      break;
+    }
+    if (!inPodsSection) continue;
+    if (trimmed === "") continue;
+    const podMatch = trimmed.match(/^  - ([^\s(/]+(?:\/[^\s(]+)?)\s+\(([^)]+)\)/);
+    if (podMatch) {
+      pods.set(podMatch[1], podMatch[2]);
+    }
+  }
+  return pods;
+}
+function parseDependenciesSection(content) {
+  const directDeps = /* @__PURE__ */ new Set();
+  const lines = content.split("\n");
+  let inDepsSection = false;
+  for (const line of lines) {
+    const trimmed = line.trimEnd();
+    if (trimmed === "DEPENDENCIES:") {
+      inDepsSection = true;
+      continue;
+    }
+    if (inDepsSection && trimmed !== "" && !trimmed.startsWith(" ") && !trimmed.startsWith("	")) {
+      break;
+    }
+    if (!inDepsSection) continue;
+    if (trimmed === "") continue;
+    const depMatch = trimmed.match(/^  - ([^\s(/]+)/);
+    if (depMatch) {
+      directDeps.add(depMatch[1]);
+    }
+  }
+  return directDeps;
+}
+
+// src/parsers/spm.ts
+var fs10 = __toESM(require("fs"));
+function parsePackageResolved(resolvedPath, _manifestPath) {
+  let content;
+  try {
+    content = fs10.readFileSync(resolvedPath, "utf-8");
+  } catch {
+    throw new Error(
+      `Failed to read ${resolvedPath}.
+  The Package.resolved file may be missing or corrupted.
+  Run 'swift package resolve' to regenerate it.`
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    throw new Error(
+      `Failed to parse ${resolvedPath}: Invalid JSON.
+  The Package.resolved file may be corrupted.`
+    );
+  }
+  const pins = extractPins(parsed);
+  if (!pins) return [];
+  const results = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const pin of pins) {
+    if (pin.kind === "localSourceControl") continue;
+    const version = pin.state?.version;
+    if (!version) continue;
+    const name = pin.identity;
+    if (!name) continue;
+    const dedupKey = `${name}@${version}`;
+    if (seen.has(dedupKey)) continue;
+    seen.add(dedupKey);
+    results.push({
+      name,
+      version,
+      isDirect: true,
+      // Package.resolved doesn't distinguish
+      isDevDependency: false
+    });
+  }
+  return results;
+}
+function extractPins(parsed) {
+  if (Array.isArray(parsed.pins)) {
+    return parsed.pins;
+  }
+  if (parsed.object && Array.isArray(parsed.object.pins)) {
+    return parsed.object.pins.map((pin) => ({
+      identity: pin.package,
+      kind: "remoteSourceControl",
+      location: pin.repositoryURL || "",
+      state: {
+        revision: pin.state?.revision,
+        version: pin.state?.version,
+        branch: pin.state?.branch
+      }
+    }));
+  }
+  return null;
+}
+function extractSpmLocations(resolvedPath) {
+  const locations = /* @__PURE__ */ new Map();
+  let content;
+  try {
+    content = fs10.readFileSync(resolvedPath, "utf-8");
+  } catch {
+    return locations;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    return locations;
+  }
+  const pins = extractPins(parsed);
+  if (!pins) return locations;
+  for (const pin of pins) {
+    if (pin.identity && pin.location) {
+      locations.set(pin.identity, pin.location);
+    }
+  }
+  return locations;
+}
+
+// src/cache.ts
+var crypto = __toESM(require("crypto"));
+var fs11 = __toESM(require("fs"));
+var path4 = __toESM(require("path"));
 var KEY_FILENAME = ".preship-key";
 var ALGORITHM = "aes-256-cbc";
 var IV_LENGTH = 16;
 function getOrCreateKey(projectPath) {
-  const keyPath = path3.join(projectPath, KEY_FILENAME);
+  const keyPath = path4.join(projectPath, KEY_FILENAME);
   try {
-    if (fs6.existsSync(keyPath)) {
-      const hex = fs6.readFileSync(keyPath, "utf-8").trim();
+    if (fs11.existsSync(keyPath)) {
+      const hex = fs11.readFileSync(keyPath, "utf-8").trim();
       if (hex.length === 64) {
         return Buffer.from(hex, "hex");
       }
@@ -802,7 +1531,7 @@ function getOrCreateKey(projectPath) {
   }
   const key = crypto.randomBytes(32);
   try {
-    fs6.writeFileSync(keyPath, key.toString("hex"), { mode: 384 });
+    fs11.writeFileSync(keyPath, key.toString("hex"), { mode: 384 });
   } catch {
   }
   return key;
@@ -838,10 +1567,10 @@ function createEmptyCache() {
 }
 function loadCache(cacheFilePath, key) {
   try {
-    if (!fs6.existsSync(cacheFilePath)) {
+    if (!fs11.existsSync(cacheFilePath)) {
       return createEmptyCache();
     }
-    const encryptedContent = fs6.readFileSync(cacheFilePath, "utf-8").trim();
+    const encryptedContent = fs11.readFileSync(cacheFilePath, "utf-8").trim();
     if (!encryptedContent) {
       return createEmptyCache();
     }
@@ -860,8 +1589,8 @@ function saveCache(cacheFilePath, cache, key) {
     const jsonStr = JSON.stringify(cache);
     const encrypted = encrypt(jsonStr, key);
     const tmpPath = cacheFilePath + ".tmp";
-    fs6.writeFileSync(tmpPath, encrypted, "utf-8");
-    fs6.renameSync(tmpPath, cacheFilePath);
+    fs11.writeFileSync(tmpPath, encrypted, "utf-8");
+    fs11.renameSync(tmpPath, cacheFilePath);
   } catch {
   }
 }
@@ -1050,13 +1779,19 @@ function createScanTimeoutController(timeout) {
   createEmptyCache,
   createScanTimeoutController,
   detectProjects,
+  extractSpmLocations,
   getCacheEntry,
   getDefaultConfig,
   getOrCreateKey,
   loadCache,
   loadConfig,
+  parseGradleLockfile,
+  parseMavenPom,
   parseNpmLockfile,
+  parsePackageResolved,
   parsePnpmLockfile,
+  parsePodfileLock,
+  parsePubspecLockfile,
   parseYarnLockfile,
   saveCache,
   setCacheEntry

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@preship/core",
-  "version": "2.0.2",
+  "version": "2.1.0",
   "description": "Core infrastructure for PreShip — types, config, detection, parsing, caching, and rate limiting",
   "author": "Cyfox Inc.",
   "license": "Apache-2.0",