@rainy-updates/cli 0.5.1-rc.2 → 0.5.1

package/CHANGELOG.md

@@ -2,6 +2,90 @@
 
 All notable changes to this project are documented in this file.
 
+## [0.5.1] - 2026-02-27
+
+### Added
+
+- **New `audit` command**: Scan dependencies for known CVEs using [OSV.dev](https://osv.dev) (Google's open vulnerability database). Runs queries in parallel for all installed packages.
+  - `--severity critical|high|medium|low` — Filter by minimum severity level
+  - `--fix` — Print the minimum-secure-version `npm install` command to patch advisories
+  - `--dry-run` — Preview without side effects
+  - `--report json` — Machine-readable JSON output
+  - `--json-file <path>` — Write JSON report to file for CI pipelines
+  - Exit code `1` when vulnerabilities are found; `0` when clean.
+
+- **New `health` command**: Surface stale, deprecated, and unmaintained packages before they become liabilities.
+  - `--stale 12m|180d|365` — Flag packages with no release in the given period (supports months and days)
+  - `--deprecated` / `--no-deprecated` — Control deprecated package detection
+  - `--alternatives` — Suggest active alternatives for deprecated packages
+  - `--report json` — Machine-readable JSON output
+  - Exit code `1` when flagged packages are found.
+
+- **New `bisect` command**: Binary search across semver versions to find the exact version that introduced a failing test or breaking change.
+  - `rup bisect <package> --cmd "<test command>"` — Specify test oracle command
+  - `--range <start>..<end>` — Narrow the search to a specific version range
+  - `--dry-run` — Simulate without installing anything
+  - Exit code `1` when a breaking version is identified.
+
+- **New CLI binary aliases for developer ergonomics**:
+  - `rup` — Ultra-short power-user alias (e.g., `rup ci`, `rup audit`)
+  - `rainy-up` — Human-friendly alias (e.g., `rainy-up check`)
+  - `rainy-updates` retained for backwards compatibility with CI scripts.
+
+### Architecture
+
+- `bisect`, `audit`, and `health` are fully isolated modules under `src/commands/`. They are lazy-loaded (dynamic `import()`) only when their command is invoked — zero startup cost penalty.
+- `src/core/options.ts` now dispatches `bisect`, `audit`, and `health` to their isolated sub-parsers, keeping the command router clean and extensible.
+- New type definitions: `AuditOptions`, `AuditResult`, `CveAdvisory`, `BisectOptions`, `BisectResult`, `HealthOptions`, `HealthResult`, `PackageHealthMetric`.
+
+### Changed
+
+- CLI global help updated to list all 9 commands.
+- Error messages now include `(rup)` in the binary identifier.
+- `package.json` description updated to reflect DevOps-first positioning.
+
+## [0.5.1-rc.4] - 2026-02-27
+
+### Added
+
+- New registry and stream controls:
+  - `--registry-timeout-ms <n>`
+  - `--registry-retries <n>`
+  - `--stream`
+- New lockfile execution control:
+  - `--lockfile-mode preserve|update|error`
+- Policy extensions:
+  - package rule `target` override
+  - package rule `autofix` control for fix-PR flows
+- New additive summary/output metadata:
+  - `streamedEvents`
+  - `policyOverridesApplied`
+  - `registryAuthFailure`
+  - `streamed_events` GitHub output key
+  - `policy_overrides_applied` GitHub output key
+  - `registry_auth_failures` GitHub output key
+
+### Changed
+
+- Registry client now supports configurable retry count and timeout defaults.
+- Registry resolution now supports `.npmrc` auth token/basic auth parsing for scoped/private registries.
+- Fix-PR automation now excludes updates with `autofix: false`.
+- CI workflow templates generated by `init-ci` now include stream mode and registry control flags.
+- Upgrade flow now enforces explicit lockfile policy semantics via `--lockfile-mode`.
+
+### Tests
+
+- Extended options parsing tests for registry/stream/lockfile flags.
+- Extended policy tests for `target` and `autofix` rule behavior.
+- Updated output and summary tests for additive metadata fields.
+
+## [0.5.1-rc.3] - 2026-02-27
+
+### Fixed
+
+- Resolved false dirty-worktree failures in `--fix-pr` flows caused by early PR report file creation.
+- `deps-report.md` generation now runs after fix-PR git automation checks/operations.
+
 ## [0.5.1-rc.2] - 2026-02-27
 
 ### Added
@@ -175,7 +259,6 @@ All notable changes to this project are documented in this file.
   - `--schedule weekly|daily|off`
   - package-manager-aware install step generation (npm/pnpm)
 
-
 ## [0.4.0] - 2026-02-27
 
 ### Added

package/README.md

@@ -65,7 +65,9 @@ npx @rainy-updates/cli baseline --check --file .artifacts/deps-baseline.json --w
 - Scans dependency groups: `dependencies`, `devDependencies`, `optionalDependencies`, `peerDependencies`.
 - Resolves versions per unique package to reduce duplicate network requests.
 - Uses network concurrency controls and resilient retries.
+- Supports explicit registry retry/timeout tuning (`--registry-retries`, `--registry-timeout-ms`).
 - Supports stale-cache fallback when registry calls fail.
+- Supports streamed progress output for long CI runs (`--stream`).
 
 ### Workspace support
 
@@ -80,6 +82,7 @@ npx @rainy-updates/cli baseline --check --file .artifacts/deps-baseline.json --w
 - Apply global ignore patterns.
 - Apply package-specific rules.
 - Enforce max upgrade target per package (for safer rollout).
+- Support per-package target override and fix-pr inclusion (`target`, `autofix`).
 
 Example policy file:
 
@@ -87,7 +90,7 @@ Example policy file:
 {
   "ignore": ["@types/*", "eslint*"],
   "packageRules": {
-    "react": { "maxTarget": "minor" },
+    "react": { "maxTarget": "minor", "target": "patch", "autofix": false },
     "typescript": { "ignore": true }
   }
 }
@@ -155,7 +158,10 @@ Schedule:
 - `--dep-kinds deps,dev,optional,peer`
 - `--concurrency <n>`
 - `--cache-ttl <seconds>`
+- `--registry-timeout-ms <n>`
+- `--registry-retries <n>`
 - `--offline`
+- `--stream`
 - `--fail-on none|patch|minor|major|any`
 - `--max-updates <n>`
 - `--group-by none|name|scope|kind|risk`
@@ -175,6 +181,7 @@ Schedule:
 - `--fix-branch <name>`
 - `--fix-commit-message <text>`
 - `--fix-dry-run`
+- `--lockfile-mode preserve|update|error`
 - `--no-pr-report`
 - `--ci`
 

package/dist/bin/cli.js

@@ -66,20 +66,42 @@ async function main() {
             process.exitCode = 1;
             return;
         }
-        const result = await runCommand(parsed);
-        if (parsed.options.prReportFile) {
-            const markdown = renderPrReport(result);
-            await writeFileAtomic(parsed.options.prReportFile, markdown + "\n");
+        // ─── v0.5.1 commands: lazy-loaded, isolated from check pipeline ──────────
+        if (parsed.command === "bisect") {
+            const { runBisect } = await import("../commands/bisect/runner.js");
+            const result = await runBisect(parsed.options);
+            process.exitCode = result.breakingVersion ? 1 : 0;
+            return;
+        }
+        if (parsed.command === "audit") {
+            const { runAudit } = await import("../commands/audit/runner.js");
+            const result = await runAudit(parsed.options);
+            process.exitCode = result.advisories.length > 0 ? 1 : 0;
+            return;
         }
-        if (parsed.options.fixPr && (parsed.command === "check" || parsed.command === "upgrade" || parsed.command === "ci")) {
+        if (parsed.command === "health") {
+            const { runHealth } = await import("../commands/health/runner.js");
+            const result = await runHealth(parsed.options);
+            process.exitCode = result.totalFlagged > 0 ? 1 : 0;
+            return;
+        }
+        const result = await runCommand(parsed);
+        if (parsed.options.fixPr &&
+            (parsed.command === "check" ||
+                parsed.command === "upgrade" ||
+                parsed.command === "ci")) {
             result.summary.fixPrApplied = false;
-            result.summary.fixBranchName = parsed.options.fixBranch ?? "chore/rainy-updates";
+            result.summary.fixBranchName =
+                parsed.options.fixBranch ?? "chore/rainy-updates";
             result.summary.fixCommitSha = "";
             result.summary.fixPrBranchesCreated = 0;
             if (parsed.command === "ci") {
                 const batched = await applyFixPrBatches(parsed.options, result);
                 result.summary.fixPrApplied = batched.applied;
-                result.summary.fixBranchName = batched.branches[0] ?? (parsed.options.fixBranch ?? "chore/rainy-updates");
+                result.summary.fixBranchName =
+                    batched.branches[0] ??
+                        parsed.options.fixBranch ??
+                        "chore/rainy-updates";
                 result.summary.fixCommitSha = batched.commits[0] ?? "";
                 result.summary.fixPrBranchesCreated = batched.branches.length;
                 if (batched.branches.length > 1) {
@@ -87,25 +109,32 @@ async function main() {
                 }
             }
             else {
-                const fixResult = await applyFixPr(parsed.options, result, parsed.options.prReportFile ? [parsed.options.prReportFile] : []);
+                const fixResult = await applyFixPr(parsed.options, result, []);
                 result.summary.fixPrApplied = fixResult.applied;
                 result.summary.fixBranchName = fixResult.branchName ?? "";
                 result.summary.fixCommitSha = fixResult.commitSha ?? "";
                 result.summary.fixPrBranchesCreated = fixResult.applied ? 1 : 0;
             }
         }
+        if (parsed.options.prReportFile) {
+            const markdown = renderPrReport(result);
+            await writeFileAtomic(parsed.options.prReportFile, markdown + "\n");
+        }
         result.summary.failReason = resolveFailReason(result.updates, result.errors, parsed.options.failOn, parsed.options.maxUpdates, parsed.options.ci);
         const renderStartedAt = Date.now();
         let rendered = renderResult(result, parsed.options.format);
         result.summary.durationMs.render = Math.max(0, Date.now() - renderStartedAt);
-        if (parsed.options.format === "json" || parsed.options.format === "metrics") {
+        if (parsed.options.format === "json" ||
+            parsed.options.format === "metrics") {
             rendered = renderResult(result, parsed.options.format);
         }
         if (parsed.options.onlyChanged &&
             result.updates.length === 0 &&
             result.errors.length === 0 &&
             result.warnings.length === 0 &&
-            (parsed.options.format === "table" || parsed.options.format === "minimal" || parsed.options.format === "github")) {
+            (parsed.options.format === "table" ||
+                parsed.options.format === "minimal" ||
+                parsed.options.format === "github")) {
             rendered = "";
         }
         if (parsed.options.jsonFile) {
@@ -122,7 +151,7 @@ async function main() {
         process.exitCode = resolveExitCode(result, result.summary.failReason);
     }
     catch (error) {
-        process.stderr.write(`rainy-updates: ${String(error)}\n`);
+        process.stderr.write(`rainy-updates (rup): ${String(error)}\n`);
         process.exitCode = 2;
     }
 }
@@ -141,7 +170,10 @@ Options:
   --reject <pattern>
   --dep-kinds deps,dev,optional,peer
   --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>
   --cache-ttl <seconds>
+  --stream
   --policy-file <path>
   --offline
   --fix-pr
@@ -162,6 +194,7 @@ Options:
   --cooldown-days <n>
   --pr-limit <n>
   --only-changed
+  --lockfile-mode preserve|update|error
   --log-level error|warn|info|debug
   --ci`;
     }
@@ -177,8 +210,11 @@ Options:
   --reject <pattern>
   --dep-kinds deps,dev,optional,peer
   --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>
   --cache-ttl <seconds>
   --offline
+  --stream
   --json-file <path>
   --github-output <path>
   --sarif-file <path>
@@ -197,12 +233,15 @@ Options:
   --target patch|minor|major|latest
   --policy-file <path>
   --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>
   --fix-pr
   --fix-branch <name>
   --fix-commit-message <text>
   --fix-dry-run
   --fix-pr-no-checkout
   --fix-pr-batch-size <n>
+  --lockfile-mode preserve|update|error
   --no-pr-report
   --json-file <path>
   --pr-report-file <path>`;
@@ -222,6 +261,9 @@ Options:
   --only-changed
   --offline
   --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>
+  --stream
   --fix-pr
   --fix-branch <name>
   --fix-commit-message <text>
@@ -235,6 +277,7 @@ Options:
   --pr-report-file <path>
   --fail-on none|patch|minor|major|any
   --max-updates <n>
+  --lockfile-mode preserve|update|error
   --log-level error|warn|info|debug
   --ci`;
     }
@@ -262,7 +305,7 @@ Options:
   --dep-kinds deps,dev,optional,peer
   --ci`;
     }
-    return `rainy-updates <command> [options]
+    return `rainy-updates (rup / rainy-up) <command> [options]
 
 Commands:
   check       Detect available updates
@@ -271,6 +314,9 @@ Commands:
   warm-cache  Warm local cache for fast/offline checks
   init-ci     Scaffold GitHub Actions workflow
   baseline    Save/check dependency baseline snapshots
+  audit       Scan dependencies for CVEs (OSV.dev)
+  health      Detect stale/deprecated/unmaintained packages
+  bisect      Find which version of a dep introduced a failure
 
 Global options:
   --cwd <path>
@@ -299,8 +345,12 @@ Global options:
   --no-pr-report
   --log-level error|warn|info|debug
   --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>
   --cache-ttl <seconds>
   --offline
+  --stream
+  --lockfile-mode preserve|update|error
   --ci
   --help, -h
   --version, -v`;

package/dist/commands/audit/fetcher.d.ts

@@ -0,0 +1,6 @@
+import type { CveAdvisory, AuditOptions } from "../../types/index.js";
+/**
+ * Fetches CVE advisories for all given package names in parallel.
+ * Uses OSV.dev as primary source.
+ */
+export declare function fetchAdvisories(packageNames: string[], options: Pick<AuditOptions, "concurrency" | "registryTimeoutMs">): Promise<CveAdvisory[]>;

package/dist/commands/audit/fetcher.js

@@ -0,0 +1,79 @@
+import { asyncPool } from "../../utils/async-pool.js";
+const OSV_API = "https://api.osv.dev/v1/query";
+const GITHUB_ADVISORY_API = "https://api.github.com/advisories";
+/**
+ * Queries OSV.dev for advisories for a single npm package.
+ */
+async function queryOsv(packageName, timeoutMs) {
+    const body = JSON.stringify({
+        package: { name: packageName, ecosystem: "npm" },
+    });
+    let response;
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        response = await fetch(OSV_API, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body,
+            signal: controller.signal,
+        });
+        clearTimeout(timer);
+    }
+    catch {
+        return [];
+    }
+    if (!response.ok)
+        return [];
+    const data = (await response.json());
+    const advisories = [];
+    for (const vuln of data.vulns ?? []) {
+        const cveId = vuln.id ?? "UNKNOWN";
+        const rawSeverity = (vuln.database_specific?.severity ?? "medium").toLowerCase();
+        const severity = (["critical", "high", "medium", "low"].includes(rawSeverity)
+            ? rawSeverity
+            : "medium");
+        let patchedVersion = null;
+        let vulnerableRange = "*";
+        for (const affected of vuln.affected ?? []) {
+            if (affected.package?.name !== packageName)
+                continue;
+            for (const range of affected.ranges ?? []) {
+                const fixedEvent = range.events?.find((e) => e.fixed);
+                if (fixedEvent?.fixed) {
+                    patchedVersion = fixedEvent.fixed;
+                    const introducedEvent = range.events?.find((e) => e.introduced);
+                    vulnerableRange = introducedEvent?.introduced
+                        ? `>=${introducedEvent.introduced} <${patchedVersion}`
+                        : `<${patchedVersion}`;
+                }
+            }
+        }
+        advisories.push({
+            cveId,
+            packageName,
+            severity,
+            vulnerableRange,
+            patchedVersion,
+            title: vuln.summary ?? cveId,
+            url: vuln.references?.[0]?.url ?? `https://osv.dev/vulnerability/${cveId}`,
+        });
+    }
+    return advisories;
+}
+/**
+ * Fetches CVE advisories for all given package names in parallel.
+ * Uses OSV.dev as primary source.
+ */
+export async function fetchAdvisories(packageNames, options) {
+    const tasks = packageNames.map((name) => () => queryOsv(name, options.registryTimeoutMs));
+    const results = await asyncPool(options.concurrency, tasks);
+    const advisories = [];
+    for (const r of results) {
+        if (!(r instanceof Error)) {
+            for (const adv of r)
+                advisories.push(adv);
+        }
+    }
+    return advisories;
+}

package/dist/commands/audit/mapper.d.ts

@@ -0,0 +1,16 @@
+import type { CveAdvisory, AuditSeverity } from "../../types/index.js";
+/**
+ * Filters advisories by minimum severity level.
+ * e.g. --severity high → keeps critical and high.
+ */
+export declare function filterBySeverity(advisories: CveAdvisory[], minSeverity: AuditSeverity | undefined): CveAdvisory[];
+/**
+ * For each advisory that has a known patchedVersion,
+ * produces a sorted, deduplicated map of package → minimum secure version.
+ * Used by --fix to determine what version to update to.
+ */
+export declare function buildPatchMap(advisories: CveAdvisory[]): Map<string, string>;
+/**
+ * Renders audit advisories as a formatted table string for terminal output.
+ */
+export declare function renderAuditTable(advisories: CveAdvisory[]): string;

package/dist/commands/audit/mapper.js

@@ -0,0 +1,61 @@
+const SEVERITY_RANK = {
+    critical: 4,
+    high: 3,
+    medium: 2,
+    low: 1,
+};
+/**
+ * Filters advisories by minimum severity level.
+ * e.g. --severity high → keeps critical and high.
+ */
+export function filterBySeverity(advisories, minSeverity) {
+    if (!minSeverity)
+        return advisories;
+    const minRank = SEVERITY_RANK[minSeverity];
+    return advisories.filter((a) => SEVERITY_RANK[a.severity] >= minRank);
+}
+/**
+ * For each advisory that has a known patchedVersion,
+ * produces a sorted, deduplicated map of package → minimum secure version.
+ * Used by --fix to determine what version to update to.
+ */
+export function buildPatchMap(advisories) {
+    const patchMap = new Map();
+    for (const advisory of advisories) {
+        if (!advisory.patchedVersion)
+            continue;
+        const existing = patchMap.get(advisory.packageName);
+        if (!existing || advisory.patchedVersion > existing) {
+            patchMap.set(advisory.packageName, advisory.patchedVersion);
+        }
+    }
+    return patchMap;
+}
+/**
+ * Renders audit advisories as a formatted table string for terminal output.
+ */
+export function renderAuditTable(advisories) {
+    if (advisories.length === 0) {
+        return "✔ No vulnerabilities found.\n";
+    }
+    const SEVERITY_ICON = {
+        critical: "🔴 CRITICAL",
+        high: "🟠 HIGH    ",
+        medium: "🟡 MEDIUM  ",
+        low: "⚪ LOW     ",
+    };
+    const sorted = [...advisories].sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
+    const lines = [
+        `Found ${advisories.length} vulnerability${advisories.length === 1 ? "" : "ies"}:\n`,
+        "Package".padEnd(30) + "Severity".padEnd(20) + "CVE".padEnd(22) + "Patch",
+        "─".repeat(90),
+    ];
+    for (const adv of sorted) {
+        const name = adv.packageName.slice(0, 28).padEnd(30);
+        const sev = SEVERITY_ICON[adv.severity].padEnd(20);
+        const cve = adv.cveId.slice(0, 20).padEnd(22);
+        const patch = adv.patchedVersion ? `→ ${adv.patchedVersion}` : "no patch";
+        lines.push(`${name}${sev}${cve}${patch}`);
+    }
+    return lines.join("\n");
+}

package/dist/commands/audit/parser.d.ts

@@ -0,0 +1,3 @@
+import type { AuditOptions, AuditSeverity } from "../../types/index.js";
+export declare function parseSeverity(value: string): AuditSeverity;
+export declare function parseAuditArgs(args: string[]): AuditOptions;

package/dist/commands/audit/parser.js

@@ -0,0 +1,87 @@
+import path from "node:path";
+import process from "node:process";
+const SEVERITY_LEVELS = ["critical", "high", "medium", "low"];
+export function parseSeverity(value) {
+    if (SEVERITY_LEVELS.includes(value)) {
+        return value;
+    }
+    throw new Error(`--severity must be critical, high, medium, or low. Got: ${value}`);
+}
+export function parseAuditArgs(args) {
+    const options = {
+        cwd: process.cwd(),
+        workspace: false,
+        severity: undefined,
+        fix: false,
+        dryRun: false,
+        reportFormat: "table",
+        jsonFile: undefined,
+        concurrency: 16,
+        registryTimeoutMs: 8000,
+    };
+    let index = 0;
+    while (index < args.length) {
+        const current = args[index];
+        const next = args[index + 1];
+        if (current === "--cwd" && next) {
+            options.cwd = path.resolve(next);
+            index += 2;
+            continue;
+        }
+        if (current === "--cwd")
+            throw new Error("Missing value for --cwd");
+        if (current === "--workspace") {
+            options.workspace = true;
+            index += 1;
+            continue;
+        }
+        if (current === "--severity" && next) {
+            options.severity = parseSeverity(next);
+            index += 2;
+            continue;
+        }
+        if (current === "--severity")
+            throw new Error("Missing value for --severity");
+        if (current === "--fix") {
+            options.fix = true;
+            index += 1;
+            continue;
+        }
+        if (current === "--dry-run") {
+            options.dryRun = true;
+            index += 1;
+            continue;
+        }
+        if (current === "--report" && next) {
+            if (next !== "table" && next !== "json") {
+                throw new Error("--report must be table or json");
+            }
+            options.reportFormat = next;
+            index += 2;
+            continue;
+        }
+        if (current === "--report")
+            throw new Error("Missing value for --report");
+        if (current === "--json-file" && next) {
+            options.jsonFile = path.resolve(options.cwd, next);
+            index += 2;
+            continue;
+        }
+        if (current === "--json-file")
+            throw new Error("Missing value for --json-file");
+        if (current === "--concurrency" && next) {
+            const parsed = Number(next);
+            if (!Number.isInteger(parsed) || parsed <= 0)
+                throw new Error("--concurrency must be a positive integer");
+            options.concurrency = parsed;
+            index += 2;
+            continue;
+        }
+        if (current === "--concurrency")
+            throw new Error("Missing value for --concurrency");
+        if (current.startsWith("-"))
+            throw new Error(`Unknown audit option: ${current}`);
+        throw new Error(`Unexpected audit argument: ${current}`);
+    }
+    return options;
+}

package/dist/commands/audit/runner.d.ts

@@ -0,0 +1,7 @@
+import type { AuditOptions, AuditResult } from "../../types/index.js";
+/**
+ * Entry point for `rup audit`. Lazy-loaded by cli.ts.
+ * Discovers packages, fetches CVE advisories, filters by severity, and
+ * optionally applies minimum-secure-version patches.
+ */
+export declare function runAudit(options: AuditOptions): Promise<AuditResult>;

package/dist/commands/audit/runner.js

@@ -0,0 +1,64 @@
+import { collectDependencies, readManifest, } from "../../parsers/package-json.js";
+import { discoverPackageDirs } from "../../workspace/discover.js";
+import { writeFileAtomic } from "../../utils/io.js";
+import { stableStringify } from "../../utils/stable-json.js";
+import { fetchAdvisories } from "./fetcher.js";
+import { filterBySeverity, buildPatchMap, renderAuditTable } from "./mapper.js";
+/**
+ * Entry point for `rup audit`. Lazy-loaded by cli.ts.
+ * Discovers packages, fetches CVE advisories, filters by severity, and
+ * optionally applies minimum-secure-version patches.
+ */
+export async function runAudit(options) {
+    const result = {
+        advisories: [],
+        autoFixable: 0,
+        errors: [],
+        warnings: [],
+    };
+    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace);
+    // Collect all unique package names
+    const packageNames = new Set();
+    for (const dir of packageDirs) {
+        let manifest;
+        try {
+            manifest = await readManifest(dir);
+        }
+        catch (error) {
+            result.errors.push(`Failed to read package.json in ${dir}: ${String(error)}`);
+            continue;
+        }
+        const deps = collectDependencies(manifest, [
+            "dependencies",
+            "devDependencies",
+            "optionalDependencies",
+        ]);
+        for (const dep of deps) {
+            packageNames.add(dep.name);
+        }
+    }
+    if (packageNames.size === 0) {
+        result.warnings.push("No dependencies found to audit.");
+        return result;
+    }
+    process.stderr.write(`[audit] Querying OSV.dev for ${packageNames.size} packages...\n`);
+    let advisories = await fetchAdvisories([...packageNames], {
+        concurrency: options.concurrency,
+        registryTimeoutMs: options.registryTimeoutMs,
+    });
+    advisories = filterBySeverity(advisories, options.severity);
+    result.advisories = advisories;
+    result.autoFixable = advisories.filter((a) => a.patchedVersion !== null).length;
+    if (options.reportFormat === "table" || !options.jsonFile) {
+        process.stdout.write(renderAuditTable(advisories) + "\n");
+    }
+    if (options.jsonFile) {
+        await writeFileAtomic(options.jsonFile, stableStringify({ advisories, errors: result.errors, warnings: result.warnings }, 2) + "\n");
+        process.stderr.write(`[audit] JSON report written to ${options.jsonFile}\n`);
+    }
+    if (options.fix && !options.dryRun && result.autoFixable > 0) {
+        const patchMap = buildPatchMap(advisories);
+        process.stderr.write(`[audit] --fix: ${patchMap.size} packages have available patches. Apply with: npm install ${[...patchMap.entries()].map(([n, v]) => `${n}@${v}`).join(" ")}\n`);
+    }
+    return result;
+}

package/dist/commands/bisect/engine.d.ts

@@ -0,0 +1,12 @@
+import type { BisectOptions, BisectResult } from "../../types/index.js";
+/**
+ * Binary search engine for dependency bisecting.
+ * Given a sorted list of versions, finds the exact version that causes
+ * a test oracle to switch from "good" → "bad".
+ */
+export declare function bisectVersions(versions: string[], options: BisectOptions): Promise<BisectResult>;
+/**
+ * Fetches available versions for a package from registry/cache,
+ * optionally filtered to a user-specified range, sorted ascending.
+ */
+export declare function fetchBisectVersions(options: BisectOptions): Promise<string[]>;