@rainy-updates/cli 0.5.1-rc.3 → 0.5.2-rc.1

package/dist/types/index.d.ts

@@ -2,6 +2,7 @@ export type DependencyKind = "dependencies" | "devDependencies" | "optionalDepen
 export type TargetLevel = "patch" | "minor" | "major" | "latest";
 export type GroupBy = "none" | "name" | "scope" | "kind" | "risk";
 export type CiProfile = "minimal" | "strict" | "enterprise";
+export type LockfileMode = "preserve" | "update" | "error";
 export type OutputFormat = "table" | "json" | "minimal" | "github" | "metrics";
 export type FailOnLevel = "none" | "patch" | "minor" | "major" | "any";
 export type LogLevel = "error" | "warn" | "info" | "debug";
@@ -20,7 +21,10 @@ export interface RunOptions {
     githubOutputFile?: string;
     sarifFile?: string;
     concurrency: number;
+    registryTimeoutMs: number;
+    registryRetries: number;
     offline: boolean;
+    stream: boolean;
     policyFile?: string;
     prReportFile?: string;
     failOn?: FailOnLevel;
@@ -39,6 +43,7 @@ export interface RunOptions {
     prLimit?: number;
     onlyChanged: boolean;
     ciProfile: CiProfile;
+    lockfileMode: LockfileMode;
 }
 export interface CheckOptions extends RunOptions {
 }
@@ -59,6 +64,15 @@ export interface PackageDependency {
     range: string;
     kind: DependencyKind;
 }
+export interface ImpactScore {
+    rank: "critical" | "high" | "medium" | "low";
+    score: number;
+    factors: {
+        diffTypeWeight: number;
+        hasAdvisory: boolean;
+        affectedWorkspaceCount: number;
+    };
+}
 export interface PackageUpdate {
     packagePath: string;
     name: string;
@@ -68,7 +82,10 @@ export interface PackageUpdate {
     toVersionResolved: string;
     diffType: TargetLevel;
     filtered: boolean;
+    autofix: boolean;
     reason?: string;
+    impactScore?: ImpactScore;
+    homepage?: string;
 }
 export interface Summary {
     contractVersion: "2";
@@ -84,6 +101,7 @@ export interface Summary {
         total: number;
         offlineCacheMiss: number;
         registryFailure: number;
+        registryAuthFailure: number;
         other: number;
     };
     warningCounts: {
@@ -106,6 +124,8 @@ export interface Summary {
     cooldownSkipped: number;
     ciProfile: CiProfile;
     prLimitHit: boolean;
+    streamedEvents: number;
+    policyOverridesApplied: number;
 }
 export interface CheckResult {
     projectPath: string;
@@ -141,3 +161,219 @@ export interface CachedVersion {
 export interface VersionResolver {
     resolveLatestVersion(packageName: string): Promise<string | null>;
 }
+export type AuditSeverity = "critical" | "high" | "medium" | "low";
+export type AuditReportFormat = "table" | "json";
+export interface AuditOptions {
+    cwd: string;
+    workspace: boolean;
+    severity?: AuditSeverity;
+    fix: boolean;
+    dryRun: boolean;
+    reportFormat: AuditReportFormat;
+    jsonFile?: string;
+    concurrency: number;
+    registryTimeoutMs: number;
+}
+export interface CveAdvisory {
+    cveId: string;
+    packageName: string;
+    severity: AuditSeverity;
+    vulnerableRange: string;
+    patchedVersion: string | null;
+    title: string;
+    url: string;
+}
+export interface AuditResult {
+    advisories: CveAdvisory[];
+    autoFixable: number;
+    errors: string[];
+    warnings: string[];
+}
+export interface BisectOptions {
+    cwd: string;
+    packageName: string;
+    versionRange?: string;
+    testCommand: string;
+    concurrency: number;
+    registryTimeoutMs: number;
+    cacheTtlSeconds: number;
+    dryRun: boolean;
+}
+export type BisectOutcome = "good" | "bad" | "skip";
+export interface BisectResult {
+    packageName: string;
+    breakingVersion: string | null;
+    lastGoodVersion: string | null;
+    totalVersionsTested: number;
+    iterations: number;
+}
+export type HealthFlag = "stale" | "deprecated" | "archived" | "unmaintained";
+export interface HealthOptions {
+    cwd: string;
+    workspace: boolean;
+    staleDays: number;
+    includeDeprecated: boolean;
+    includeAlternatives: boolean;
+    reportFormat: "table" | "json";
+    jsonFile?: string;
+    concurrency: number;
+    registryTimeoutMs: number;
+}
+export interface PackageHealthMetric {
+    name: string;
+    currentVersion: string;
+    lastPublished: string | null;
+    isDeprecated: boolean;
+    deprecatedMessage?: string;
+    isArchived: boolean;
+    daysSinceLastRelease: number | null;
+    flags: HealthFlag[];
+}
+export interface HealthResult {
+    metrics: PackageHealthMetric[];
+    totalFlagged: number;
+    errors: string[];
+    warnings: string[];
+}
+export interface PeerNode {
+    name: string;
+    resolvedVersion: string;
+    peerRequirements: Map<string, string>;
+}
+export interface PeerGraph {
+    nodes: Map<string, PeerNode>;
+    roots: string[];
+}
+export type PeerConflictSeverity = "error" | "warning";
+export interface PeerConflict {
+    requester: string;
+    peer: string;
+    requiredRange: string;
+    resolvedVersion: string;
+    severity: PeerConflictSeverity;
+    suggestion: string;
+}
+export interface ResolveOptions {
+    cwd: string;
+    workspace: boolean;
+    afterUpdate: boolean;
+    safe: boolean;
+    jsonFile?: string;
+    concurrency: number;
+    registryTimeoutMs: number;
+    cacheTtlSeconds: number;
+}
+export interface ResolveResult {
+    conflicts: PeerConflict[];
+    errorConflicts: number;
+    warningConflicts: number;
+    errors: string[];
+    warnings: string[];
+}
+export type UnusedKind = "declared-not-imported" | "imported-not-declared";
+export interface UnusedDependency {
+    name: string;
+    kind: UnusedKind;
+    declaredIn?: string;
+    importedFrom?: string;
+}
+export interface UnusedOptions {
+    cwd: string;
+    workspace: boolean;
+    srcDirs: string[];
+    includeDevDependencies: boolean;
+    fix: boolean;
+    dryRun: boolean;
+    jsonFile?: string;
+    concurrency: number;
+}
+export interface UnusedResult {
+    unused: UnusedDependency[];
+    missing: UnusedDependency[];
+    totalUnused: number;
+    totalMissing: number;
+    errors: string[];
+    warnings: string[];
+}
+export interface PackageLicense {
+    name: string;
+    version: string;
+    license: string;
+    spdxExpression: string | null;
+    homepage?: string;
+    repository?: string;
+}
+export interface SbomDocument {
+    spdxVersion: "SPDX-2.3";
+    dataLicense: "CC0-1.0";
+    name: string;
+    documentNamespace: string;
+    packages: SbomPackage[];
+    relationships: SbomRelationship[];
+}
+export interface SbomPackage {
+    SPDXID: string;
+    name: string;
+    versionInfo: string;
+    downloadLocation: string;
+    licenseConcluded: string;
+    licenseDeclared: string;
+    copyrightText: string;
+}
+export interface SbomRelationship {
+    spdxElementId: string;
+    relationshipType: "DESCRIBES" | "DEPENDS_ON";
+    relatedSpdxElement: string;
+}
+export interface LicenseOptions {
+    cwd: string;
+    workspace: boolean;
+    allow?: string[];
+    deny?: string[];
+    sbomFile?: string;
+    jsonFile?: string;
+    diffMode: boolean;
+    concurrency: number;
+    registryTimeoutMs: number;
+    cacheTtlSeconds: number;
+}
+export interface LicenseResult {
+    packages: PackageLicense[];
+    violations: PackageLicense[];
+    totalViolations: number;
+    errors: string[];
+    warnings: string[];
+}
+export interface SnapshotEntry {
+    id: string;
+    label: string;
+    createdAt: number;
+    manifests: Record<string, string>;
+    lockfileHashes: Record<string, string>;
+}
+export type SnapshotAction = "save" | "list" | "restore" | "diff";
+export interface SnapshotOptions {
+    cwd: string;
+    workspace: boolean;
+    action: SnapshotAction;
+    label?: string;
+    snapshotId?: string;
+    storeFile?: string;
+}
+export interface SnapshotResult {
+    action: SnapshotAction;
+    snapshotId?: string;
+    label?: string;
+    entries?: Array<{
+        id: string;
+        label: string;
+        createdAt: string;
+    }>;
+    diff?: Array<{
+        name: string;
+        from: string;
+        to: string;
+    }>;
+    errors: string[];
+    warnings: string[];
+}

package/dist/utils/lockfile.d.ts

@@ -0,0 +1,5 @@
+import type { LockfileMode } from "../types/index.js";
+export type LockfileSnapshot = Map<string, string | null>;
+export declare function captureLockfileSnapshot(cwd: string): Promise<LockfileSnapshot>;
+export declare function changedLockfiles(cwd: string, before: LockfileSnapshot): Promise<string[]>;
+export declare function validateLockfileMode(mode: LockfileMode, install: boolean): void;

package/dist/utils/lockfile.js

@@ -0,0 +1,44 @@
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { createHash } from "node:crypto";
+const LOCKFILE_NAMES = ["package-lock.json", "npm-shrinkwrap.json", "pnpm-lock.yaml", "yarn.lock", "bun.lock"];
+export async function captureLockfileSnapshot(cwd) {
+    const snapshot = new Map();
+    for (const name of LOCKFILE_NAMES) {
+        const filePath = path.join(cwd, name);
+        try {
+            const content = await fs.readFile(filePath);
+            snapshot.set(filePath, hashBuffer(content));
+        }
+        catch {
+            snapshot.set(filePath, null);
+        }
+    }
+    return snapshot;
+}
+export async function changedLockfiles(cwd, before) {
+    const changed = [];
+    for (const name of LOCKFILE_NAMES) {
+        const filePath = path.join(cwd, name);
+        let current = null;
+        try {
+            const content = await fs.readFile(filePath);
+            current = hashBuffer(content);
+        }
+        catch {
+            current = null;
+        }
+        if ((before.get(filePath) ?? null) !== current) {
+            changed.push(filePath);
+        }
+    }
+    return changed.sort((a, b) => a.localeCompare(b));
+}
+export function validateLockfileMode(mode, install) {
+    if (mode === "update" && !install) {
+        throw new Error("--lockfile-mode update requires --install to update lockfiles deterministically.");
+    }
+}
+function hashBuffer(value) {
+    return createHash("sha256").update(value).digest("hex");
+}

package/dist/utils/semver.d.ts

@@ -12,3 +12,21 @@ export declare function pickTargetVersion(currentRange: string, latestVersion: s
 export declare function pickTargetVersionFromAvailable(currentRange: string, availableVersions: string[], latestVersion: string, target: TargetLevel): string | null;
 export declare function applyRangeStyle(previousRange: string, version: string): string;
 export declare function clampTarget(requested: TargetLevel, maxAllowed?: TargetLevel): TargetLevel;
+/**
+ * Checks whether a concrete version satisfies a semver range expression.
+ *
+ * Handles the common npm range operators used in peerDependencies:
+ *   exact:  "1.2.3"       → version must equal
+ *   ^:      "^1.2.3"      → major must match, version must be >=
+ *   ~:      "~1.2.3"      → major+minor must match, version must be >=
+ *   >=:     ">=1.2.3"     → version must be >=
+ *   <=:     "<=1.2.3"     → version must be <=
+ *   >:      ">1.2.3"      → version must be >
+ *   <:      "<1.2.3"      → version must be <
+ *   *:      "*" | ""      → always true
+ *   ranges: ">=1 <3"      → all space-separated clauses AND-ed together
+ *
+ * Does NOT handle || unions or hyphen ranges — those are rare in peerDependencies
+ * and degrade gracefully (returns true to avoid false-positive conflicts).
+ */
+export declare function satisfies(version: string, range: string): boolean;

package/dist/utils/semver.js

@@ -45,13 +45,16 @@ export function pickTargetVersion(currentRange, latestVersion, target) {
     if (!current || target === "latest")
         return latestVersion;
     if (target === "patch") {
-        if (current.major === latest.major && current.minor === latest.minor && latest.patch > current.patch) {
+        if (current.major === latest.major &&
+            current.minor === latest.minor &&
+            latest.patch > current.patch) {
             return latestVersion;
         }
         return null;
     }
     if (target === "minor") {
-        if (current.major === latest.major && compareVersions(latest, current) > 0) {
+        if (current.major === latest.major &&
+            compareVersions(latest, current) > 0) {
             return latestVersion;
         }
         return null;
@@ -83,7 +86,8 @@ export function pickTargetVersionFromAvailable(currentRange, availableVersions,
         return sameMajor.length > 0 ? sameMajor[sameMajor.length - 1].raw : null;
     }
     if (target === "patch") {
-        const sameLine = parsed.filter((item) => item.parsed.major === current.major && item.parsed.minor === current.minor);
+        const sameLine = parsed.filter((item) => item.parsed.major === current.major &&
+            item.parsed.minor === current.minor);
         return sameLine.length > 0 ? sameLine[sameLine.length - 1].raw : null;
     }
     return latestVersion;
@@ -102,3 +106,84 @@ export function clampTarget(requested, maxAllowed) {
         return requested;
     return TARGET_ORDER[Math.min(requestedIndex, allowedIndex)];
 }
+/**
+ * Checks whether a concrete version satisfies a semver range expression.
+ *
+ * Handles the common npm range operators used in peerDependencies:
+ *   exact:  "1.2.3"       → version must equal
+ *   ^:      "^1.2.3"      → major must match, version must be >=
+ *   ~:      "~1.2.3"      → major+minor must match, version must be >=
+ *   >=:     ">=1.2.3"     → version must be >=
+ *   <=:     "<=1.2.3"     → version must be <=
+ *   >:      ">1.2.3"      → version must be >
+ *   <:      "<1.2.3"      → version must be <
+ *   *:      "*" | ""      → always true
+ *   ranges: ">=1 <3"      → all space-separated clauses AND-ed together
+ *
+ * Does NOT handle || unions or hyphen ranges — those are rare in peerDependencies
+ * and degrade gracefully (returns true to avoid false-positive conflicts).
+ */
+export function satisfies(version, range) {
+    const trimmedRange = range.trim();
+    if (!trimmedRange || trimmedRange === "*")
+        return true;
+    const parsed = parseVersion(version);
+    if (!parsed)
+        return true; // non-semver versions (e.g. "latest", "workspace:*") pass through
+    // Handle OR unions — split on " || " and return true if any clause matches
+    if (trimmedRange.includes("||")) {
+        return trimmedRange
+            .split("||")
+            .some((clause) => satisfies(version, clause.trim()));
+    }
+    // Handle AND ranges — split on whitespace and require all clauses to match
+    const clauses = trimmedRange.split(/\s+/).filter(Boolean);
+    if (clauses.length > 1) {
+        return clauses.every((clause) => satisfies(version, clause));
+    }
+    const clause = clauses[0] ?? "";
+    const op = parseRangeOperator(clause);
+    if (!op)
+        return true;
+    const cmp = compareVersions(parsed, op.version);
+    switch (op.operator) {
+        case "^": {
+            // same major, version >= bound
+            return parsed.major === op.version.major && cmp >= 0;
+        }
+        case "~": {
+            // same major+minor, version >= bound
+            return (parsed.major === op.version.major &&
+                parsed.minor === op.version.minor &&
+                cmp >= 0);
+        }
+        case ">=":
+            return cmp >= 0;
+        case "<=":
+            return cmp <= 0;
+        case ">":
+            return cmp > 0;
+        case "<":
+            return cmp < 0;
+        case "=":
+            return cmp === 0;
+        default:
+            return true;
+    }
+}
+function parseRangeOperator(clause) {
+    const ops = [">=", "<=", "^", "~", ">", "<", "="];
+    for (const op of ops) {
+        if (clause.startsWith(op)) {
+            const versionStr = clause.slice(op.length);
+            const parsed = parseVersion(versionStr);
+            if (parsed)
+                return { operator: op, version: parsed };
+        }
+    }
+    // Bare version string — treat as exact
+    const parsed = parseVersion(clause);
+    if (parsed)
+        return { operator: "=", version: parsed };
+    return null;
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@rainy-updates/cli",
-  "version": "0.5.1-rc.3",
-  "description": "Agentic CLI to check and upgrade npm/pnpm dependencies for CI workflows",
+  "version": "0.5.2-rc.1",
+  "description": "The fastest DevOps-first dependency CLI. Checks, audits, upgrades, bisects, and automates npm/pnpm dependencies in CI.",
   "type": "module",
   "private": false,
   "license": "MIT",
@@ -18,12 +18,21 @@
     "updates",
     "cli",
     "ci",
+    "devops",
     "npm",
     "pnpm",
-    "monorepo"
+    "monorepo",
+    "audit",
+    "security",
+    "bisect",
+    "ncu",
+    "taze",
+    "renovate"
   ],
   "bin": {
-    "rainy-updates": "./dist/bin/cli.js"
+    "rainy-updates": "./dist/bin/cli.js",
+    "rainy-up": "./dist/bin/cli.js",
+    "rup": "./dist/bin/cli.js"
   },
   "types": "./dist/index.d.ts",
   "exports": {