@rainy-updates/cli 0.5.1 → 0.5.2-rc.2

package/dist/commands/unused/matcher.js

@@ -0,0 +1,95 @@
+export function matchDependencies(manifest, importedPackages, packageDir, options) {
+    const declared = buildDeclaredMap(manifest, options);
+    const unused = [];
+    const missing = [];
+    // Find declared deps not seen in source imports
+    for (const [name, field] of declared) {
+        if (!importedPackages.has(name)) {
+            unused.push({
+                name,
+                kind: "declared-not-imported",
+                declaredIn: field,
+            });
+        }
+    }
+    // Find imports not declared in package.json
+    for (const importedName of importedPackages) {
+        if (!declared.has(importedName)) {
+            missing.push({
+                name: importedName,
+                kind: "imported-not-declared",
+                importedFrom: packageDir,
+            });
+        }
+    }
+    return { unused, missing };
+}
+/**
+ * Build a map of { packageName → fieldName } from package.json.
+ * Only includes the fields requested (e.g. skip devDependencies when
+ * includeDevDependencies is false).
+ */
+function buildDeclaredMap(manifest, options) {
+    const result = new Map();
+    const fields = [
+        [
+            manifest.dependencies,
+            "dependencies",
+        ],
+        [
+            manifest.optionalDependencies,
+            "optionalDependencies",
+        ],
+    ];
+    if (options.includeDevDependencies) {
+        fields.push([
+            manifest.devDependencies,
+            "devDependencies",
+        ]);
+    }
+    // peerDependencies are intentionally excluded — they are rarely directly imported
+    // and are a separate concern handled by `rup resolve`.
+    for (const [deps, fieldName] of fields) {
+        if (!deps)
+            continue;
+        for (const name of Object.keys(deps)) {
+            if (!result.has(name)) {
+                result.set(name, fieldName);
+            }
+        }
+    }
+    return result;
+}
+/**
+ * Applies the unused/missing result of `matchDependencies` to a package.json
+ * manifest in-memory, removing `unused` entries. Returns the modified manifest
+ * as a formatted JSON string ready to write back to disk.
+ */
+export function removeUnusedFromManifest(manifestJson, unused) {
+    if (unused.length === 0)
+        return manifestJson;
+    let parsed;
+    try {
+        parsed = JSON.parse(manifestJson);
+    }
+    catch {
+        return manifestJson;
+    }
+    const unusedNames = new Set(unused.map((u) => u.name));
+    const fields = [
+        "dependencies",
+        "devDependencies",
+        "optionalDependencies",
+    ];
+    for (const field of fields) {
+        const deps = parsed[field];
+        if (!deps || typeof deps !== "object")
+            continue;
+        for (const name of Object.keys(deps)) {
+            if (unusedNames.has(name)) {
+                delete deps[name];
+            }
+        }
+    }
+    return JSON.stringify(parsed, null, 2) + "\n";
+}

package/dist/commands/unused/parser.d.ts

@@ -0,0 +1,2 @@
+import type { UnusedOptions } from "../../types/index.js";
+export declare function parseUnusedArgs(args: string[]): UnusedOptions;

package/dist/commands/unused/parser.js

@@ -0,0 +1,95 @@
+const DEFAULT_SRC_DIRS = ["src"];
+export function parseUnusedArgs(args) {
+    const options = {
+        cwd: process.cwd(),
+        workspace: false,
+        srcDirs: DEFAULT_SRC_DIRS,
+        includeDevDependencies: true,
+        fix: false,
+        dryRun: false,
+        jsonFile: undefined,
+        concurrency: 16,
+    };
+    for (let i = 0; i < args.length; i++) {
+        const current = args[i];
+        const next = args[i + 1];
+        if (current === "--cwd" && next) {
+            options.cwd = next;
+            i++;
+            continue;
+        }
+        if (current === "--cwd")
+            throw new Error("Missing value for --cwd");
+        if (current === "--workspace") {
+            options.workspace = true;
+            continue;
+        }
+        if (current === "--src" && next) {
+            options.srcDirs = next
+                .split(",")
+                .map((s) => s.trim())
+                .filter(Boolean);
+            i++;
+            continue;
+        }
+        if (current === "--src")
+            throw new Error("Missing value for --src");
+        if (current === "--no-dev") {
+            options.includeDevDependencies = false;
+            continue;
+        }
+        if (current === "--fix") {
+            options.fix = true;
+            continue;
+        }
+        if (current === "--dry-run") {
+            options.dryRun = true;
+            continue;
+        }
+        if (current === "--json-file" && next) {
+            options.jsonFile = next;
+            i++;
+            continue;
+        }
+        if (current === "--json-file")
+            throw new Error("Missing value for --json-file");
+        if (current === "--concurrency" && next) {
+            const parsed = Number(next);
+            if (!Number.isInteger(parsed) || parsed <= 0)
+                throw new Error("--concurrency must be a positive integer");
+            options.concurrency = parsed;
+            i++;
+            continue;
+        }
+        if (current === "--concurrency")
+            throw new Error("Missing value for --concurrency");
+        if (current === "--help" || current === "-h") {
+            process.stdout.write(UNUSED_HELP);
+            process.exit(0);
+        }
+        if (current.startsWith("-"))
+            throw new Error(`Unknown option: ${current}`);
+    }
+    return options;
+}
+const UNUSED_HELP = `
+rup unused — Detect unused and missing npm dependencies
+
+Usage:
+  rup unused [options]
+
+Options:
+  --src <dirs>          Comma-separated source directories to scan (default: src)
+  --workspace           Scan all workspace packages
+  --no-dev              Exclude devDependencies from unused detection
+  --fix                 Remove unused dependencies from package.json
+  --dry-run             Preview changes without writing
+  --json-file <path>    Write JSON report to file
+  --cwd <path>          Working directory (default: cwd)
+  --concurrency <n>     Parallel file scanning concurrency (default: 16)
+  --help                Show this help
+
+Exit codes:
+  0  No unused dependencies found
+  1  Unused or missing dependencies detected
+`.trimStart();

package/dist/commands/unused/runner.d.ts

@@ -0,0 +1,11 @@
+import type { UnusedOptions, UnusedResult } from "../../types/index.js";
+/**
+ * Entry point for `rup unused`. Lazy-loaded by cli.ts.
+ *
+ * Strategy:
+ *   1. Collect all source directories to scan
+ *   2. Scan them in parallel for imported package names
+ *   3. Cross-reference against package.json declarations
+ *   4. Optionally apply --fix (remove unused from package.json)
+ */
+export declare function runUnused(options: UnusedOptions): Promise<UnusedResult>;

package/dist/commands/unused/runner.js

@@ -0,0 +1,113 @@
+import path from "node:path";
+import process from "node:process";
+import { readManifest, } from "../../parsers/package-json.js";
+import { discoverPackageDirs } from "../../workspace/discover.js";
+import { writeFileAtomic } from "../../utils/io.js";
+import { stableStringify } from "../../utils/stable-json.js";
+import { scanDirectory } from "./scanner.js";
+import { matchDependencies, removeUnusedFromManifest } from "./matcher.js";
+/**
+ * Entry point for `rup unused`. Lazy-loaded by cli.ts.
+ *
+ * Strategy:
+ *   1. Collect all source directories to scan
+ *   2. Scan them in parallel for imported package names
+ *   3. Cross-reference against package.json declarations
+ *   4. Optionally apply --fix (remove unused from package.json)
+ */
+export async function runUnused(options) {
+    const result = {
+        unused: [],
+        missing: [],
+        totalUnused: 0,
+        totalMissing: 0,
+        errors: [],
+        warnings: [],
+    };
+    const packageDirs = await discoverPackageDirs(options.cwd, options.workspace);
+    for (const packageDir of packageDirs) {
+        // ─ Read manifest ─────────────────────────────────────────────────────────
+        let manifest;
+        try {
+            manifest = await readManifest(packageDir);
+        }
+        catch (error) {
+            result.errors.push(`Failed to read package.json in ${packageDir}: ${String(error)}`);
+            continue;
+        }
+        // ─ Scan source directories for imports ───────────────────────────────────
+        const allImports = new Set();
+        for (const srcDir of options.srcDirs) {
+            const scanTarget = path.isAbsolute(srcDir)
+                ? srcDir
+                : path.join(packageDir, srcDir);
+            const found = await scanDirectory(scanTarget);
+            for (const name of found)
+                allImports.add(name);
+        }
+        // Fallback: if no src dir exists, scan the package root itself
+        if (allImports.size === 0) {
+            const rootImports = await scanDirectory(packageDir);
+            for (const name of rootImports)
+                allImports.add(name);
+        }
+        // ─ Match declared vs imported ─────────────────────────────────────────────
+        const { unused, missing } = matchDependencies(manifest, allImports, packageDir, {
+            includeDevDependencies: options.includeDevDependencies,
+        });
+        result.unused.push(...unused);
+        result.missing.push(...missing);
+        // ─ Apply fix ─────────────────────────────────────────────────────────────
+        if (options.fix && unused.length > 0) {
+            if (options.dryRun) {
+                process.stderr.write(`[unused] --dry-run: would remove ${unused.length} unused dep(s) from ${packageDir}/package.json\n`);
+            }
+            else {
+                try {
+                    const { promises: fs } = await import("node:fs");
+                    const manifestPath = path.join(packageDir, "package.json");
+                    const originalJson = await fs.readFile(manifestPath, "utf8");
+                    const updatedJson = removeUnusedFromManifest(originalJson, unused);
+                    await writeFileAtomic(manifestPath, updatedJson);
+                    process.stderr.write(`[unused] Removed ${unused.length} unused dep(s) from ${packageDir}/package.json\n`);
+                }
+                catch (error) {
+                    result.errors.push(`Failed to update package.json in ${packageDir}: ${String(error)}`);
+                }
+            }
+        }
+    }
+    result.totalUnused = result.unused.length;
+    result.totalMissing = result.missing.length;
+    // ─ Render output ─────────────────────────────────────────────────────────
+    process.stdout.write(renderUnusedTable(result) + "\n");
+    // ─ JSON report ───────────────────────────────────────────────────────────
+    if (options.jsonFile) {
+        await writeFileAtomic(options.jsonFile, stableStringify(result, 2) + "\n");
+        process.stderr.write(`[unused] JSON report written to ${options.jsonFile}\n`);
+    }
+    return result;
+}
+function renderUnusedTable(result) {
+    const lines = [];
+    if (result.unused.length === 0 && result.missing.length === 0) {
+        return "✔ No unused or missing dependencies found.";
+    }
+    if (result.unused.length > 0) {
+        lines.push(`\n⚠ Unused dependencies (${result.unused.length}) — declared but never imported:\n`);
+        lines.push("  " + "Package".padEnd(35) + "Declared in");
+        lines.push("  " + "─".repeat(55));
+        for (const dep of result.unused) {
+            lines.push("  " + dep.name.padEnd(35) + (dep.declaredIn ?? ""));
+        }
+    }
+    if (result.missing.length > 0) {
+        lines.push(`\n✖ Missing dependencies (${result.missing.length}) — imported but not declared:\n`);
+        lines.push("  " + "Package".padEnd(35) + "Imported from");
+        lines.push("  " + "─".repeat(55));
+        for (const dep of result.missing) {
+            lines.push("  " + dep.name.padEnd(35) + (dep.importedFrom ?? ""));
+        }
+    }
+    return lines.join("\n");
+}

package/dist/commands/unused/scanner.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Extracts all imported package names from a single source file.
+ *
+ * Handles:
+ *   - ESM static:  import ... from "pkg"
+ *   - ESM dynamic: import("pkg")
+ *   - CJS:         require("pkg")
+ *
+ * Strips subpath imports (e.g. "lodash/merge" → "lodash"),
+ * skips relative imports and node: builtins.
+ */
+export declare function extractImportsFromSource(source: string): Set<string>;
+export declare function extractPackageName(specifier: string): string | null;
+/**
+ * Recursively scans a directory and returns all imported package names
+ * found across all source files.
+ */
+export declare function scanDirectory(dir: string): Promise<Set<string>>;

package/dist/commands/unused/scanner.js

@@ -0,0 +1,129 @@
+import { promises as fs } from "node:fs";
+import path from "node:path";
+/**
+ * Extracts all imported package names from a single source file.
+ *
+ * Handles:
+ *   - ESM static:  import ... from "pkg"
+ *   - ESM dynamic: import("pkg")
+ *   - CJS:         require("pkg")
+ *
+ * Strips subpath imports (e.g. "lodash/merge" → "lodash"),
+ * skips relative imports and node: builtins.
+ */
+export function extractImportsFromSource(source) {
+    const names = new Set();
+    // ESM static import: from "pkg" or from 'pkg'
+    const staticImport = /from\s+['"]([^'"]+)['"]/g;
+    for (const match of source.matchAll(staticImport)) {
+        addPackageName(names, match[1]);
+    }
+    // ESM dynamic import: import("pkg") or import('pkg')
+    const dynamicImport = /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+    for (const match of source.matchAll(dynamicImport)) {
+        addPackageName(names, match[1]);
+    }
+    // CJS require: require("pkg") or require('pkg')
+    const cjsRequire = /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+    for (const match of source.matchAll(cjsRequire)) {
+        addPackageName(names, match[1]);
+    }
+    // export ... from "pkg"
+    const reExport = /\bexport\s+(?:\*|\{[^}]*\})\s+from\s+['"]([^'"]+)['"]/g;
+    for (const match of source.matchAll(reExport)) {
+        addPackageName(names, match[1]);
+    }
+    return names;
+}
+function addPackageName(names, specifier) {
+    // Skip relative imports, node: builtins, and bare file paths
+    if (specifier.startsWith(".") || specifier.startsWith("/"))
+        return;
+    if (specifier.startsWith("node:"))
+        return;
+    if (specifier.startsWith("bun:"))
+        return;
+    // Normalize package name (strip subpath): "lodash/merge" → "lodash"
+    // "@scope/pkg/subpath" → "@scope/pkg"
+    const name = extractPackageName(specifier);
+    if (name)
+        names.add(name);
+}
+export function extractPackageName(specifier) {
+    if (!specifier)
+        return null;
+    if (specifier.startsWith("@")) {
+        // Scoped: @scope/pkg or @scope/pkg/subpath
+        const parts = specifier.split("/");
+        if (parts.length < 2)
+            return null;
+        return `${parts[0]}/${parts[1]}`;
+    }
+    // Unscoped: pkg or pkg/subpath
+    return specifier.split("/")[0] ?? null;
+}
+const SOURCE_EXTENSIONS = new Set([
+    ".ts",
+    ".tsx",
+    ".js",
+    ".jsx",
+    ".mjs",
+    ".cjs",
+    ".mts",
+    ".cts",
+]);
+const IGNORED_DIRS = new Set([
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    "out",
+    ".next",
+    ".nuxt",
+]);
+/**
+ * Recursively scans a directory and returns all imported package names
+ * found across all source files.
+ */
+export async function scanDirectory(dir) {
+    const allImports = new Set();
+    await walkDirectory(dir, allImports);
+    return allImports;
+}
+async function walkDirectory(dir, collector) {
+    let entries;
+    try {
+        entries = await fs.readdir(dir);
+    }
+    catch {
+        return;
+    }
+    const tasks = [];
+    for (const entryName of entries) {
+        if (IGNORED_DIRS.has(entryName))
+            continue;
+        const fullPath = path.join(dir, entryName);
+        tasks.push(fs
+            .stat(fullPath)
+            .then((stat) => {
+            if (stat.isDirectory()) {
+                return walkDirectory(fullPath, collector);
+            }
+            if (stat.isFile()) {
+                const ext = path.extname(entryName).toLowerCase();
+                if (!SOURCE_EXTENSIONS.has(ext))
+                    return;
+                return fs
+                    .readFile(fullPath, "utf8")
+                    .then((source) => {
+                    for (const name of extractImportsFromSource(source)) {
+                        collector.add(name);
+                    }
+                })
+                    .catch(() => undefined);
+            }
+        })
+            .catch(() => undefined));
+    }
+    await Promise.all(tasks);
+}

package/dist/core/impact.d.ts

@@ -0,0 +1,36 @@
+import type { ImpactScore, PackageUpdate } from "../types/index.js";
+/**
+ * Context fed into the impact scorer from the outer check/upgrade pipeline.
+ * All fields are optional — missing data degrades gracefully.
+ */
+export interface ImpactContext {
+    /** Names of packages that have a known CVE advisory (from `rup audit` cache). */
+    advisoryPackages?: ReadonlySet<string>;
+    /** How many workspace packages depend on this package (reverse-dep count). */
+    workspaceDependentCount?: (name: string) => number;
+}
+/**
+ * Compute an `ImpactScore` for a single pending package update.
+ *
+ * Algorithm:
+ *   score = diffWeight
+ *         + (advisoryBonus if CVE exists)
+ *         + min(workspaceCount × perPkg, cap)
+ *
+ * Clamped to [0, 100]. Rank thresholds:
+ *   ≥ 70 → critical
+ *   ≥ 45 → high
+ *   ≥ 20 → medium
+ *   <  20 → low
+ */
+export declare function computeImpactScore(update: PackageUpdate, context?: ImpactContext): ImpactScore;
+/**
+ * Batch-compute impact scores for all updates, returning a new array with
+ * `impactScore` populated on each entry. Non-mutating.
+ */
+export declare function applyImpactScores(updates: PackageUpdate[], context?: ImpactContext): PackageUpdate[];
+/**
+ * Returns the ANSI color badge string for terminal output.
+ * Used by the table renderer when --show-impact is active.
+ */
+export declare function impactBadge(score: ImpactScore): string;

package/dist/core/impact.js

@@ -0,0 +1,82 @@
+/** Weights for each semver diff type. */
+const DIFF_WEIGHT = {
+    patch: 10,
+    minor: 25,
+    major: 55,
+    latest: 30,
+};
+/** Advisory presence bonus — lifts total score significantly. */
+const ADVISORY_BONUS = 35;
+/** Points added per additional workspace package that uses this dep. */
+const WORKSPACE_SPREAD_PER_PKG = 5;
+/** Maximum workspace spread contribution (cap). */
+const WORKSPACE_SPREAD_CAP = 20;
+/**
+ * Compute an `ImpactScore` for a single pending package update.
+ *
+ * Algorithm:
+ *   score = diffWeight
+ *         + (advisoryBonus if CVE exists)
+ *         + min(workspaceCount × perPkg, cap)
+ *
+ * Clamped to [0, 100]. Rank thresholds:
+ *   ≥ 70 → critical
+ *   ≥ 45 → high
+ *   ≥ 20 → medium
+ *   <  20 → low
+ */
+export function computeImpactScore(update, context = {}) {
+    const diffTypeWeight = DIFF_WEIGHT[update.diffType] ?? DIFF_WEIGHT.latest;
+    const hasAdvisory = context.advisoryPackages?.has(update.name) ?? false;
+    const rawWorkspaceCount = context.workspaceDependentCount?.(update.name) ?? 0;
+    const affectedWorkspaceCount = Math.max(0, rawWorkspaceCount);
+    const advisoryPoints = hasAdvisory ? ADVISORY_BONUS : 0;
+    const workspacePoints = Math.min(affectedWorkspaceCount * WORKSPACE_SPREAD_PER_PKG, WORKSPACE_SPREAD_CAP);
+    const rawScore = diffTypeWeight + advisoryPoints + workspacePoints;
+    const score = Math.min(100, Math.max(0, rawScore));
+    const rank = scoreToRank(score);
+    return {
+        rank,
+        score,
+        factors: {
+            diffTypeWeight,
+            hasAdvisory,
+            affectedWorkspaceCount,
+        },
+    };
+}
+/**
+ * Batch-compute impact scores for all updates, returning a new array with
+ * `impactScore` populated on each entry. Non-mutating.
+ */
+export function applyImpactScores(updates, context = {}) {
+    return updates.map((u) => ({
+        ...u,
+        impactScore: computeImpactScore(u, context),
+    }));
+}
+function scoreToRank(score) {
+    if (score >= 70)
+        return "critical";
+    if (score >= 45)
+        return "high";
+    if (score >= 20)
+        return "medium";
+    return "low";
+}
+/**
+ * Returns the ANSI color badge string for terminal output.
+ * Used by the table renderer when --show-impact is active.
+ */
+export function impactBadge(score) {
+    switch (score.rank) {
+        case "critical":
+            return "\x1b[41m\x1b[97m CRITICAL \x1b[0m";
+        case "high":
+            return "\x1b[31m HIGH \x1b[0m";
+        case "medium":
+            return "\x1b[33m MED  \x1b[0m";
+        case "low":
+            return "\x1b[32m LOW  \x1b[0m";
+    }
+}

package/dist/core/options.d.ts

@@ -1,4 +1,4 @@
-import type { BaselineOptions, CheckOptions, UpgradeOptions, AuditOptions, BisectOptions, HealthOptions } from "../types/index.js";
+import type { BaselineOptions, CheckOptions, UpgradeOptions, AuditOptions, BisectOptions, HealthOptions, UnusedOptions, ResolveOptions, LicenseOptions, SnapshotOptions } from "../types/index.js";
 import type { InitCiMode, InitCiSchedule } from "./init-ci.js";
 export type ParsedCliArgs = {
     command: "check";
@@ -34,5 +34,17 @@ export type ParsedCliArgs = {
 } | {
     command: "health";
     options: HealthOptions;
+} | {
+    command: "unused";
+    options: UnusedOptions;
+} | {
+    command: "resolve";
+    options: ResolveOptions;
+} | {
+    command: "licenses";
+    options: LicenseOptions;
+} | {
+    command: "snapshot";
+    options: SnapshotOptions;
 };
 export declare function parseCliArgs(argv: string[]): Promise<ParsedCliArgs>;

package/dist/core/options.js

@@ -17,6 +17,10 @@ const KNOWN_COMMANDS = [
     "bisect",
     "audit",
     "health",
+    "unused",
+    "resolve",
+    "licenses",
+    "snapshot",
 ];
 export async function parseCliArgs(argv) {
     const firstArg = argv[0];
@@ -27,6 +31,37 @@ export async function parseCliArgs(argv) {
     const command = isKnownCommand ? argv[0] : "check";
     const hasExplicitCommand = isKnownCommand;
     const args = hasExplicitCommand ? argv.slice(1) : argv.slice(0);
+    // ─── Early dispatch for isolated commands ─────────────────────────────────
+    // These commands have their own parsers and must NOT go through the base
+    // CheckOptions builder below, which would throw on their unique flags.
+    if (command === "bisect") {
+        const { parseBisectArgs } = await import("../commands/bisect/parser.js");
+        return { command, options: parseBisectArgs(args) };
+    }
+    if (command === "audit") {
+        const { parseAuditArgs } = await import("../commands/audit/parser.js");
+        return { command, options: parseAuditArgs(args) };
+    }
+    if (command === "health") {
+        const { parseHealthArgs } = await import("../commands/health/parser.js");
+        return { command, options: parseHealthArgs(args) };
+    }
+    if (command === "unused") {
+        const { parseUnusedArgs } = await import("../commands/unused/parser.js");
+        return { command, options: parseUnusedArgs(args) };
+    }
+    if (command === "resolve") {
+        const { parseResolveArgs } = await import("../commands/resolve/parser.js");
+        return { command, options: parseResolveArgs(args) };
+    }
+    if (command === "licenses") {
+        const { parseLicensesArgs } = await import("../commands/licenses/parser.js");
+        return { command, options: parseLicensesArgs(args) };
+    }
+    if (command === "snapshot") {
+        const { parseSnapshotArgs } = await import("../commands/snapshot/parser.js");
+        return { command, options: parseSnapshotArgs(args) };
+    }
     const base = {
         cwd: process.cwd(),
         target: "latest",
@@ -485,19 +520,6 @@ export async function parseCliArgs(argv) {
             },
         };
     }
-    // ─── New v0.5.1 commands: lazy-parsed by isolated sub-parsers ────────────
-    if (command === "bisect") {
-        const { parseBisectArgs } = await import("../commands/bisect/parser.js");
-        return { command, options: parseBisectArgs(args) };
-    }
-    if (command === "audit") {
-        const { parseAuditArgs } = await import("../commands/audit/parser.js");
-        return { command, options: parseAuditArgs(args) };
-    }
-    if (command === "health") {
-        const { parseHealthArgs } = await import("../commands/health/parser.js");
-        return { command, options: parseHealthArgs(args) };
-    }
     return {
         command: "check",
         options: base,