@rainy-updates/cli 0.5.1 → 0.5.2-rc.2

package/dist/commands/audit/sources/types.d.ts

@@ -0,0 +1,21 @@
+import type { AuditOptions, AuditSourceStatus, AuditSourceName, CveAdvisory } from "../../../types/index.js";
+import type { AuditTarget } from "../targets.js";
+export interface AuditSourceTargetResult {
+    advisories: CveAdvisory[];
+    ok: boolean;
+    error?: string;
+}
+export interface AuditSourceFetchResult {
+    advisories: CveAdvisory[];
+    warnings: string[];
+    health: AuditSourceStatus;
+}
+export interface AuditSourceAggregateResult {
+    advisories: CveAdvisory[];
+    warnings: string[];
+    sourceHealth: AuditSourceStatus[];
+}
+export interface AuditSourceAdapter {
+    name: AuditSourceName;
+    fetch(targets: AuditTarget[], options: Pick<AuditOptions, "concurrency" | "registryTimeoutMs">): Promise<AuditSourceFetchResult>;
+}

package/dist/commands/audit/sources/types.js

@@ -0,0 +1 @@
+export {};

package/dist/commands/audit/targets.d.ts

@@ -0,0 +1,20 @@
+import type { PackageDependency } from "../../types/index.js";
+export interface AuditTarget {
+    name: string;
+    version: string;
+    packageDir: string;
+    manifestRange: string;
+    resolution: "lockfile" | "manifest";
+    lockfilePath?: string;
+}
+export interface AuditTargetResolution {
+    targets: AuditTarget[];
+    warnings: string[];
+    resolution: {
+        lockfile: number;
+        manifest: number;
+        unresolved: number;
+    };
+}
+export declare function extractAuditVersion(range: string): string | null;
+export declare function resolveAuditTargets(rootCwd: string, packageDirs: string[], depsByDir: Map<string, PackageDependency[]>): Promise<AuditTargetResolution>;

package/dist/commands/audit/targets.js

@@ -0,0 +1,314 @@
+import { promises as fs } from "node:fs";
+import path from "node:path";
+const LOCKFILE_PRIORITY = [
+    "package-lock.json",
+    "npm-shrinkwrap.json",
+    "pnpm-lock.yaml",
+    "bun.lock",
+];
+const packageLockCache = new Map();
+const pnpmLockCache = new Map();
+const bunLockCache = new Map();
+export function extractAuditVersion(range) {
+    const trimmed = range.trim();
+    const match = trimmed.match(/^(?:\^|~|>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/);
+    return match?.[1] ?? null;
+}
+export async function resolveAuditTargets(rootCwd, packageDirs, depsByDir) {
+    const warnings = [];
+    const targets = new Map();
+    const resolution = {
+        lockfile: 0,
+        manifest: 0,
+        unresolved: 0,
+    };
+    for (const dir of packageDirs) {
+        const deps = depsByDir.get(dir) ?? [];
+        for (const dep of deps) {
+            const resolved = await resolveDependencyVersion(rootCwd, dir, dep);
+            if (!resolved) {
+                resolution.unresolved += 1;
+                continue;
+            }
+            const key = `${resolved.name}@${resolved.version}`;
+            targets.set(key, resolved);
+            if (resolved.resolution === "lockfile") {
+                resolution.lockfile += 1;
+            }
+            else {
+                resolution.manifest += 1;
+            }
+        }
+    }
+    if (resolution.unresolved > 0) {
+        warnings.push(`Skipped ${resolution.unresolved} dependency range${resolution.unresolved === 1 ? "" : "s"} that could not be resolved from a lockfile or concrete manifest version.`);
+    }
+    return {
+        targets: [...targets.values()],
+        warnings,
+        resolution,
+    };
+}
+async function resolveDependencyVersion(rootCwd, packageDir, dep) {
+    const lockfiles = await findNearestLockfiles(rootCwd, packageDir);
+    for (const lockfilePath of lockfiles) {
+        const fileName = path.basename(lockfilePath);
+        const version = fileName === "pnpm-lock.yaml"
+            ? await resolveFromPnpmLock(lockfilePath, packageDir, dep.name)
+            : fileName === "bun.lock"
+                ? await resolveFromBunLock(lockfilePath, packageDir, dep.name)
+                : await resolveFromPackageLock(lockfilePath, packageDir, dep.name);
+        if (version) {
+            return {
+                name: dep.name,
+                version,
+                packageDir,
+                manifestRange: dep.range,
+                resolution: "lockfile",
+                lockfilePath,
+            };
+        }
+    }
+    const manifestVersion = extractAuditVersion(dep.range);
+    if (!manifestVersion)
+        return null;
+    return {
+        name: dep.name,
+        version: manifestVersion,
+        packageDir,
+        manifestRange: dep.range,
+        resolution: "manifest",
+    };
+}
+async function findNearestLockfiles(rootCwd, startDir) {
+    const found = [];
+    let current = startDir;
+    while (true) {
+        for (const fileName of LOCKFILE_PRIORITY) {
+            const candidate = path.join(current, fileName);
+            try {
+                await fs.access(candidate);
+                found.push(candidate);
+            }
+            catch {
+                // ignore missing
+            }
+        }
+        if (current === rootCwd)
+            break;
+        const parent = path.dirname(current);
+        if (parent === current)
+            break;
+        current = parent;
+    }
+    return found;
+}
+async function resolveFromPackageLock(lockfilePath, packageDir, packageName) {
+    const parsed = await readPackageLock(lockfilePath);
+    const rootDir = path.dirname(lockfilePath);
+    const relDir = normalizeRelativePath(rootDir, packageDir);
+    const candidatePaths = relDir
+        ? [`${relDir}/node_modules/${packageName}`, `node_modules/${packageName}`]
+        : [`node_modules/${packageName}`];
+    for (const key of candidatePaths) {
+        const version = parsed.packages?.[key]?.version;
+        if (version)
+            return version;
+    }
+    if (!relDir) {
+        return parsed.dependencies?.[packageName]?.version ?? null;
+    }
+    return parsed.dependencies?.[packageName]?.version ?? null;
+}
+async function resolveFromPnpmLock(lockfilePath, packageDir, packageName) {
+    const parsed = await readPnpmLock(lockfilePath);
+    const rootDir = path.dirname(lockfilePath);
+    const relDir = normalizeRelativePath(rootDir, packageDir) || ".";
+    const importers = [relDir, "."];
+    for (const importerKey of importers) {
+        const importer = parsed.importers.get(importerKey);
+        const version = importer?.get(packageName);
+        if (version)
+            return version;
+    }
+    return null;
+}
+async function resolveFromBunLock(lockfilePath, packageDir, packageName) {
+    const parsed = await readBunLock(lockfilePath);
+    const rootDir = path.dirname(lockfilePath);
+    const relDir = normalizeRelativePath(rootDir, packageDir);
+    const workspaceKeys = [relDir, ""];
+    for (const workspaceKey of workspaceKeys) {
+        const workspace = parsed.workspaces.get(workspaceKey);
+        const version = workspace?.get(packageName);
+        if (version)
+            return version;
+    }
+    return null;
+}
+async function readPackageLock(lockfilePath) {
+    let promise = packageLockCache.get(lockfilePath);
+    if (!promise) {
+        promise = fs
+            .readFile(lockfilePath, "utf8")
+            .then((content) => JSON.parse(content));
+        packageLockCache.set(lockfilePath, promise);
+    }
+    return await promise;
+}
+async function readPnpmLock(lockfilePath) {
+    let promise = pnpmLockCache.get(lockfilePath);
+    if (!promise) {
+        promise = fs.readFile(lockfilePath, "utf8").then(parsePnpmLock);
+        pnpmLockCache.set(lockfilePath, promise);
+    }
+    return await promise;
+}
+async function readBunLock(lockfilePath) {
+    let promise = bunLockCache.get(lockfilePath);
+    if (!promise) {
+        promise = fs.readFile(lockfilePath, "utf8").then(parseBunLock);
+        bunLockCache.set(lockfilePath, promise);
+    }
+    return await promise;
+}
+function parsePnpmLock(content) {
+    const importers = new Map();
+    const lines = content.split(/\r?\n/);
+    let inImporters = false;
+    let currentImporter = null;
+    let inDependencySection = false;
+    let currentPackageName = null;
+    for (const rawLine of lines) {
+        const indent = rawLine.match(/^ */)?.[0].length ?? 0;
+        const trimmed = rawLine.trim();
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        if (indent === 0) {
+            inImporters = trimmed === "importers:";
+            currentImporter = null;
+            inDependencySection = false;
+            currentPackageName = null;
+            continue;
+        }
+        if (!inImporters)
+            continue;
+        if (indent === 2 && trimmed.endsWith(":")) {
+            currentImporter = trimYamlKey(trimmed.slice(0, -1));
+            importers.set(currentImporter, new Map());
+            inDependencySection = false;
+            currentPackageName = null;
+            continue;
+        }
+        if (!currentImporter)
+            continue;
+        if (indent === 4 && trimmed.endsWith(":")) {
+            const key = trimYamlKey(trimmed.slice(0, -1));
+            inDependencySection =
+                key === "dependencies" ||
+                    key === "devDependencies" ||
+                    key === "optionalDependencies";
+            currentPackageName = null;
+            continue;
+        }
+        if (!inDependencySection)
+            continue;
+        if (indent === 6) {
+            currentPackageName = null;
+            const separator = trimmed.indexOf(":");
+            if (separator === -1)
+                continue;
+            const key = trimYamlKey(trimmed.slice(0, separator));
+            const value = trimmed.slice(separator + 1).trim();
+            if (!value) {
+                currentPackageName = key;
+                continue;
+            }
+            const version = normalizePnpmVersion(value);
+            if (version) {
+                importers.get(currentImporter)?.set(key, version);
+            }
+            continue;
+        }
+        if (indent === 8 && currentPackageName && trimmed.startsWith("version:")) {
+            const version = normalizePnpmVersion(trimmed.slice("version:".length));
+            if (version) {
+                importers.get(currentImporter)?.set(currentPackageName, version);
+            }
+        }
+    }
+    return { importers };
+}
+function parseBunLock(content) {
+    const workspaces = new Map();
+    const lines = content.split(/\r?\n/);
+    let inWorkspaces = false;
+    let currentWorkspace = "";
+    let currentSection = null;
+    for (const rawLine of lines) {
+        const indent = rawLine.match(/^ */)?.[0].length ?? 0;
+        const trimmed = rawLine.trim();
+        if (!trimmed)
+            continue;
+        if (!inWorkspaces && trimmed === '"workspaces": {') {
+            inWorkspaces = true;
+            currentWorkspace = "";
+            currentSection = null;
+            continue;
+        }
+        if (inWorkspaces && indent <= 2 && trimmed === "},") {
+            inWorkspaces = false;
+            currentWorkspace = "";
+            currentSection = null;
+            continue;
+        }
+        if (indent === 4 && trimmed.endsWith("{")) {
+            const keyMatch = trimmed.match(/^"([^"]*)": \{$/);
+            if (!keyMatch)
+                continue;
+            currentWorkspace = keyMatch[1] === "" ? "" : keyMatch[1];
+            workspaces.set(currentWorkspace, new Map());
+            currentSection = null;
+            continue;
+        }
+        if (!workspaces.has(currentWorkspace))
+            continue;
+        if (indent === 6 && trimmed.endsWith("{")) {
+            const keyMatch = trimmed.match(/^"(dependencies|devDependencies|optionalDependencies)": \{$/);
+            const sectionName = keyMatch?.[1];
+            currentSection =
+                sectionName === "dependencies" ||
+                    sectionName === "devDependencies" ||
+                    sectionName === "optionalDependencies"
+                    ? sectionName
+                    : null;
+            continue;
+        }
+        if (!currentSection)
+            continue;
+        if (indent === 8) {
+            const depMatch = trimmed.match(/^"([^"]+)": "([^"]+)",?$/);
+            if (!depMatch)
+                continue;
+            const packageName = depMatch[1];
+            const version = extractAuditVersion(depMatch[2]);
+            if (version) {
+                workspaces.get(currentWorkspace)?.set(packageName, version);
+            }
+        }
+    }
+    return { workspaces };
+}
+function normalizeRelativePath(rootDir, targetDir) {
+    const relative = path.relative(rootDir, targetDir).replace(/\\/g, "/");
+    return relative === "" ? "" : relative;
+}
+function normalizePnpmVersion(value) {
+    const cleaned = trimYamlKey(value.trim());
+    const base = cleaned.split("(")[0] ?? cleaned;
+    const match = base.match(/^(\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)/);
+    return match?.[1] ?? null;
+}
+function trimYamlKey(value) {
+    return value.trim().replace(/^['"]|['"]$/g, "");
+}

package/dist/commands/changelog/fetcher.d.ts

@@ -0,0 +1,9 @@
+export interface ChangelogEntry {
+    content: string;
+    fetchedAt: number;
+}
+/**
+ * Fetches the changelog or release notes for a given package and repository URL.
+ * Uses SQLite caching to avoid API rate limits.
+ */
+export declare function fetchChangelog(packageName: string, repositoryUrl?: string): Promise<string | null>;

package/dist/commands/changelog/fetcher.js

@@ -0,0 +1,130 @@
+import os from "node:os";
+import path from "node:path";
+import { promises as fs } from "node:fs";
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+class ChangelogCache {
+    db = null;
+    dbPath;
+    constructor() {
+        const basePath = path.join(os.homedir(), ".cache", "rainy-updates");
+        this.dbPath = path.join(basePath, "cache.db");
+    }
+    async init() {
+        if (this.db)
+            return;
+        try {
+            if (typeof Bun !== "undefined") {
+                await fs.mkdir(path.dirname(this.dbPath), { recursive: true });
+                const mod = await import("bun:sqlite");
+                this.db = new mod.Database(this.dbPath, { create: true });
+                this.db.exec(`
+          CREATE TABLE IF NOT EXISTS changelogs (
+            package TEXT PRIMARY KEY,
+            content TEXT,
+            fetched_at INTEGER NOT NULL
+          );
+        `);
+            }
+        }
+        catch (e) {
+            // Fail silently if sqlite isn't available
+            this.db = null;
+        }
+    }
+    async get(packageName) {
+        if (!this.db)
+            return null;
+        try {
+            const row = this.db
+                .prepare("SELECT content, fetched_at FROM changelogs WHERE package = ?")
+                .get(packageName);
+            if (!row)
+                return null;
+            const isExpired = Date.now() - row.fetched_at > CACHE_TTL_MS;
+            if (isExpired)
+                return null;
+            return row.content;
+        }
+        catch {
+            return null;
+        }
+    }
+    async set(packageName, content) {
+        if (!this.db)
+            return;
+        try {
+            this.db
+                .prepare("INSERT OR REPLACE INTO changelogs (package, content, fetched_at) VALUES (?, ?, ?)")
+                .run(packageName, content, Date.now());
+        }
+        catch {
+            // Ignore cache write errors
+        }
+    }
+}
+const cache = new ChangelogCache();
+/**
+ * Parses a repository URL into a GitHub owner and repo.
+ */
+function parseGitHubUrl(url) {
+    const match = url.match(/github\.com[/:]([^/]+)\/([^/.]+)(?:\.git)?/);
+    if (match && match[1] && match[2]) {
+        return { owner: match[1], repo: match[2] };
+    }
+    return null;
+}
+/**
+ * Fetches the changelog or release notes for a given package and repository URL.
+ * Uses SQLite caching to avoid API rate limits.
+ */
+export async function fetchChangelog(packageName, repositoryUrl) {
+    if (!repositoryUrl)
+        return null;
+    await cache.init();
+    // 1. Check Cache
+    const cached = await cache.get(packageName);
+    if (cached)
+        return cached;
+    const githubInfo = parseGitHubUrl(repositoryUrl);
+    if (!githubInfo)
+        return null;
+    const { owner, repo } = githubInfo;
+    try {
+        // 2. Fetch from GitHub API
+        // Try releases first, fallback to CHANGELOG.md file
+        const headers = {
+            "User-Agent": "rainy-updates-cli",
+            Accept: "application/vnd.github.v3+json",
+        };
+        let content = "";
+        // Attempt to get the latest release notes
+        const releasesRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/releases/latest`, { headers });
+        if (releasesRes.ok) {
+            const release = await releasesRes.json();
+            if (release.body) {
+                content = `# Release ${release.name || release.tag_name}\n\n${release.body}`;
+            }
+        }
+        if (!content) {
+            // Fallback: try to fetch CHANGELOG.md from the root
+            const contentsRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/contents/CHANGELOG.md`, { headers });
+            if (contentsRes.ok) {
+                const fileContent = await contentsRes.json();
+                if (fileContent.content && fileContent.encoding === "base64") {
+                    content = Buffer.from(fileContent.content, "base64").toString("utf-8");
+                }
+            }
+        }
+        if (content) {
+            // 3. Cache the fetched content
+            await cache.set(packageName, content);
+            return content;
+        }
+        // Nothing found, cache empty string to prevent spamming
+        await cache.set(packageName, "");
+        return null;
+    }
+    catch (err) {
+        return null;
+    }
+}

package/dist/commands/licenses/parser.d.ts

@@ -0,0 +1,2 @@
+import type { LicenseOptions } from "../../types/index.js";
+export declare function parseLicensesArgs(args: string[]): LicenseOptions;

package/dist/commands/licenses/parser.js

@@ -0,0 +1,116 @@
+export function parseLicensesArgs(args) {
+    const options = {
+        cwd: process.cwd(),
+        workspace: false,
+        allow: undefined,
+        deny: undefined,
+        sbomFile: undefined,
+        jsonFile: undefined,
+        diffMode: false,
+        concurrency: 12,
+        registryTimeoutMs: 10_000,
+        cacheTtlSeconds: 3600,
+    };
+    for (let i = 0; i < args.length; i++) {
+        const current = args[i];
+        const next = args[i + 1];
+        if (current === "--cwd" && next) {
+            options.cwd = next;
+            i++;
+            continue;
+        }
+        if (current === "--cwd")
+            throw new Error("Missing value for --cwd");
+        if (current === "--workspace") {
+            options.workspace = true;
+            continue;
+        }
+        if (current === "--diff") {
+            options.diffMode = true;
+            continue;
+        }
+        if (current === "--allow" && next) {
+            options.allow = next
+                .split(",")
+                .map((s) => s.trim())
+                .filter(Boolean);
+            i++;
+            continue;
+        }
+        if (current === "--allow")
+            throw new Error("Missing value for --allow");
+        if (current === "--deny" && next) {
+            options.deny = next
+                .split(",")
+                .map((s) => s.trim())
+                .filter(Boolean);
+            i++;
+            continue;
+        }
+        if (current === "--deny")
+            throw new Error("Missing value for --deny");
+        if (current === "--sbom" && next) {
+            options.sbomFile = next;
+            i++;
+            continue;
+        }
+        if (current === "--sbom")
+            throw new Error("Missing value for --sbom");
+        if (current === "--json-file" && next) {
+            options.jsonFile = next;
+            i++;
+            continue;
+        }
+        if (current === "--json-file")
+            throw new Error("Missing value for --json-file");
+        if (current === "--concurrency" && next) {
+            const n = Number(next);
+            if (!Number.isInteger(n) || n <= 0)
+                throw new Error("--concurrency must be a positive integer");
+            options.concurrency = n;
+            i++;
+            continue;
+        }
+        if (current === "--concurrency")
+            throw new Error("Missing value for --concurrency");
+        if (current === "--timeout" && next) {
+            const ms = Number(next);
+            if (!Number.isFinite(ms) || ms <= 0)
+                throw new Error("--timeout must be a positive number");
+            options.registryTimeoutMs = ms;
+            i++;
+            continue;
+        }
+        if (current === "--timeout")
+            throw new Error("Missing value for --timeout");
+        if (current === "--help" || current === "-h") {
+            process.stdout.write(LICENSES_HELP);
+            process.exit(0);
+        }
+        if (current.startsWith("-"))
+            throw new Error(`Unknown option: ${current}`);
+    }
+    return options;
+}
+const LICENSES_HELP = `
+rup licenses — Scan dependency licenses and generate SPDX SBOM
+
+Usage:
+  rup licenses [options]
+
+Options:
+  --allow <spdx,...>     Allow only these SPDX identifiers (e.g. MIT,Apache-2.0)
+  --deny <spdx,...>      Deny these SPDX identifiers (e.g. GPL-3.0)
+  --sbom <path>          Write SPDX 2.3 SBOM JSON to file
+  --json-file <path>     Write JSON report to file
+  --diff                 Show only packages with a different license than last scan
+  --workspace            Scan all workspace packages
+  --timeout <ms>         Registry request timeout (default: 10000)
+  --concurrency <n>      Parallel registry requests (default: 12)
+  --cwd <path>           Working directory (default: cwd)
+  --help                 Show this help
+
+Exit codes:
+  0  No violations
+  1  License violations detected
+`.trimStart();

package/dist/commands/licenses/runner.d.ts

@@ -0,0 +1,9 @@
+import type { LicenseOptions, LicenseResult } from "../../types/index.js";
+/**
+ * Entry point for `rup licenses`. Lazy-loaded by cli.ts.
+ *
+ * Fetches the SPDX license field from each dependency's packument,
+ * checks it against --allow/--deny lists, and optionally generates
+ * an SPDX 2.3 SBOM JSON document.
+ */
+export declare function runLicenses(options: LicenseOptions): Promise<LicenseResult>;