@rainy-updates/cli 0.5.2-rc.1 → 0.5.2-rc.2

package/CHANGELOG.md

@@ -2,6 +2,31 @@
 
 All notable changes to this project are documented in this file.
 
+## [0.5.2-rc.2] - 2026-02-27
+
+### Added
+
+- **Audit RC2 overhaul**:
+  - `audit --summary` / `audit --report summary` groups noisy advisory lists into affected-package summaries.
+  - `audit --source auto|osv|github|all` adds multi-source security lookups, with `auto` querying **OSV.dev + GitHub Advisory Database** and merging results.
+  - Lockfile-backed version inference for `package-lock.json`, `npm-shrinkwrap.json`, `pnpm-lock.yaml`, and basic `bun.lock` workspace entries resolves real installed versions for complex ranges.
+  - JSON audit output now includes package summaries, source metadata, and resolution statistics.
+  - Source-health reporting now distinguishes `ok`, `partial`, and `failed` advisory backends so partial coverage is explicit instead of silent.
+- **Interactive TUI Engine**: An `ink`-based Terminal User Interface for interactive dependency updates, featuring semantic diff coloring and keyboard navigation (`src/ui/tui.tsx`).
+- **Changelog Fetcher**: Implemented `changelog/fetcher.ts` to retrieve release notes dynamically from GitHub API.
+  - Utilizes `bun:sqlite` backed `VersionCache` to prevent API rate limit (403) errors.
+  - Strictly lazy-loaded to preserve zero-overhead startup time.
+
+### Fixed
+
+- Audit patch planning now chooses the lowest safe patched version that clears all detected vulnerable ranges, avoiding unnecessary major jumps during `audit --fix`.
+- Audit findings now record the current installed version and contributing advisory sources per finding.
+- Audit now warns when one advisory source degrades and fails the run when all selected advisory sources are unavailable.
+- Audit terminal output now shows advisory-source health directly in table and summary modes, so degraded coverage is visible without reading JSON.
+- Resolved TypeScript JSX compiler errors by properly exposing `"jsx": "react-jsx"` in `tsconfig.json`.
+
+---
+
 ## [0.5.2] - 2026-02-27
 
 ### Added

package/README.md

@@ -59,7 +59,7 @@ npx @rainy-updates/cli ci --workspace --mode strict
 
 ### Security & health (_new in v0.5.1_)
 
-- `audit` — scan dependencies for CVEs using [OSV.dev](https://osv.dev) (Google's open vulnerability database)
+- `audit` — scan dependencies for CVEs using [OSV.dev](https://osv.dev) plus GitHub Advisory Database, with lockfile-aware version inference
 - `health` — detect stale, deprecated, and unmaintained packages before they become liabilities
 - `bisect` — binary-search across semver versions to find the exact version that broke your tests
 
@@ -99,9 +99,13 @@ npx @rainy-updates/cli baseline --check --file .artifacts/deps-baseline.json --w
 # 8) Scan for known CVEs  ── NEW in v0.5.1
 npx @rainy-updates/cli audit
 npx @rainy-updates/cli audit --severity high
+npx @rainy-updates/cli audit --summary
+npx @rainy-updates/cli audit --source osv
 npx @rainy-updates/cli audit --fix          # prints the patching npm install command
 rup audit --severity high                   # if installed
 
+`audit` prefers npm/pnpm lockfiles today for exact installed-version inference, and now also reads simple `bun.lock` workspace entries when available. It reports source-health warnings when OSV or GitHub returns only partial coverage.
+
 # 9) Check dependency maintenance health  ── NEW in v0.5.1
 npx @rainy-updates/cli health
 npx @rainy-updates/cli health --stale 6m   # flag packages with no release in 6 months

package/dist/bin/cli.js

@@ -330,6 +330,25 @@ Options:
   --workspace
   --dep-kinds deps,dev,optional,peer
   --ci`;
+    }
+    if (isCommand && command === "audit") {
+        return `rainy-updates audit [options]
+
+Scan dependencies for CVEs using OSV.dev and GitHub Advisory Database.
+
+Options:
+  --workspace
+  --severity critical|high|medium|low
+  --summary
+  --report table|summary|json
+  --source auto|osv|github|all
+  --fix
+  --dry-run
+  --commit
+  --pm auto|npm|pnpm|bun|yarn
+  --json-file <path>
+  --concurrency <n>
+  --registry-timeout-ms <n>`;
     }
     return `rainy-updates (rup / rainy-up) <command> [options]
 
@@ -340,7 +359,7 @@ Commands:
   warm-cache  Warm local cache for fast/offline checks
   init-ci     Scaffold GitHub Actions workflow
   baseline    Save/check dependency baseline snapshots
-  audit       Scan dependencies for CVEs (OSV.dev)
+  audit       Scan dependencies for CVEs (OSV.dev + GitHub)
   health      Detect stale/deprecated/unmaintained packages
   bisect      Find which version of a dep introduced a failure
   unused      Detect unused or missing npm dependencies

package/dist/commands/audit/fetcher.d.ts

@@ -1,6 +1,2 @@
-import type { CveAdvisory, AuditOptions } from "../../types/index.js";
-/**
- * Fetches CVE advisories for all given package names in parallel.
- * Uses OSV.dev as primary source.
- */
-export declare function fetchAdvisories(packageNames: string[], options: Pick<AuditOptions, "concurrency" | "registryTimeoutMs">): Promise<CveAdvisory[]>;
+export { extractAuditVersion } from "./targets.js";
+export { fetchAdvisoriesFromSources as fetchAdvisories } from "./sources/index.js";

package/dist/commands/audit/fetcher.js

@@ -1,79 +1,2 @@
-import { asyncPool } from "../../utils/async-pool.js";
-const OSV_API = "https://api.osv.dev/v1/query";
-const GITHUB_ADVISORY_API = "https://api.github.com/advisories";
-/**
- * Queries OSV.dev for advisories for a single npm package.
- */
-async function queryOsv(packageName, timeoutMs) {
-    const body = JSON.stringify({
-        package: { name: packageName, ecosystem: "npm" },
-    });
-    let response;
-    try {
-        const controller = new AbortController();
-        const timer = setTimeout(() => controller.abort(), timeoutMs);
-        response = await fetch(OSV_API, {
-            method: "POST",
-            headers: { "Content-Type": "application/json" },
-            body,
-            signal: controller.signal,
-        });
-        clearTimeout(timer);
-    }
-    catch {
-        return [];
-    }
-    if (!response.ok)
-        return [];
-    const data = (await response.json());
-    const advisories = [];
-    for (const vuln of data.vulns ?? []) {
-        const cveId = vuln.id ?? "UNKNOWN";
-        const rawSeverity = (vuln.database_specific?.severity ?? "medium").toLowerCase();
-        const severity = (["critical", "high", "medium", "low"].includes(rawSeverity)
-            ? rawSeverity
-            : "medium");
-        let patchedVersion = null;
-        let vulnerableRange = "*";
-        for (const affected of vuln.affected ?? []) {
-            if (affected.package?.name !== packageName)
-                continue;
-            for (const range of affected.ranges ?? []) {
-                const fixedEvent = range.events?.find((e) => e.fixed);
-                if (fixedEvent?.fixed) {
-                    patchedVersion = fixedEvent.fixed;
-                    const introducedEvent = range.events?.find((e) => e.introduced);
-                    vulnerableRange = introducedEvent?.introduced
-                        ? `>=${introducedEvent.introduced} <${patchedVersion}`
-                        : `<${patchedVersion}`;
-                }
-            }
-        }
-        advisories.push({
-            cveId,
-            packageName,
-            severity,
-            vulnerableRange,
-            patchedVersion,
-            title: vuln.summary ?? cveId,
-            url: vuln.references?.[0]?.url ?? `https://osv.dev/vulnerability/${cveId}`,
-        });
-    }
-    return advisories;
-}
-/**
- * Fetches CVE advisories for all given package names in parallel.
- * Uses OSV.dev as primary source.
- */
-export async function fetchAdvisories(packageNames, options) {
-    const tasks = packageNames.map((name) => () => queryOsv(name, options.registryTimeoutMs));
-    const results = await asyncPool(options.concurrency, tasks);
-    const advisories = [];
-    for (const r of results) {
-        if (!(r instanceof Error)) {
-            for (const adv of r)
-                advisories.push(adv);
-        }
-    }
-    return advisories;
-}
+export { extractAuditVersion } from "./targets.js";
+export { fetchAdvisoriesFromSources as fetchAdvisories } from "./sources/index.js";

package/dist/commands/audit/mapper.d.ts

@@ -1,4 +1,4 @@
-import type { CveAdvisory, AuditSeverity } from "../../types/index.js";
+import type { AuditPackageSummary, AuditSourceStatus, CveAdvisory, AuditSeverity } from "../../types/index.js";
 /**
  * Filters advisories by minimum severity level.
  * e.g. --severity high → keeps critical and high.
@@ -8,9 +8,16 @@ export declare function filterBySeverity(advisories: CveAdvisory[], minSeverity:
  * For each advisory that has a known patchedVersion,
  * produces a sorted, deduplicated map of package → minimum secure version.
  * Used by --fix to determine what version to update to.
+ *
+ * Uses proper semver numeric comparison — NOT string comparison — so that
+ * e.g. "5.19.1" correctly beats "5.5.1" (lexicographically "5.5.1" > "5.19.1"
+ * because "5" > "1" at the third character, which is the classic semver trap).
  */
 export declare function buildPatchMap(advisories: CveAdvisory[]): Map<string, string>;
+export declare function summarizeAdvisories(advisories: CveAdvisory[]): AuditPackageSummary[];
 /**
  * Renders audit advisories as a formatted table string for terminal output.
  */
 export declare function renderAuditTable(advisories: CveAdvisory[]): string;
+export declare function renderAuditSummary(packages: AuditPackageSummary[]): string;
+export declare function renderAuditSourceHealth(sourceHealth: AuditSourceStatus[]): string;

package/dist/commands/audit/mapper.js

@@ -1,3 +1,4 @@
+import { compareVersions, parseVersion, satisfies } from "../../utils/semver.js";
 const SEVERITY_RANK = {
     critical: 4,
     high: 3,
@@ -18,19 +19,66 @@ export function filterBySeverity(advisories, minSeverity) {
  * For each advisory that has a known patchedVersion,
  * produces a sorted, deduplicated map of package → minimum secure version.
  * Used by --fix to determine what version to update to.
+ *
+ * Uses proper semver numeric comparison — NOT string comparison — so that
+ * e.g. "5.19.1" correctly beats "5.5.1" (lexicographically "5.5.1" > "5.19.1"
+ * because "5" > "1" at the third character, which is the classic semver trap).
  */
 export function buildPatchMap(advisories) {
     const patchMap = new Map();
+    const byPackage = new Map();
     for (const advisory of advisories) {
-        if (!advisory.patchedVersion)
+        const items = byPackage.get(advisory.packageName) ?? [];
+        items.push(advisory);
+        byPackage.set(advisory.packageName, items);
+    }
+    for (const [packageName, items] of byPackage) {
+        const candidates = [...new Set(items.flatMap((item) => item.patchedVersion ? [item.patchedVersion] : []))].sort(compareSemverAsc);
+        if (candidates.length === 0)
             continue;
-        const existing = patchMap.get(advisory.packageName);
-        if (!existing || advisory.patchedVersion > existing) {
-            patchMap.set(advisory.packageName, advisory.patchedVersion);
-        }
+        const safeCandidate = candidates.find((candidate) => items.every((item) => !satisfies(candidate, item.vulnerableRange)));
+        patchMap.set(packageName, safeCandidate ?? candidates[candidates.length - 1]);
     }
     return patchMap;
 }
+function compareSemverAsc(a, b) {
+    const pa = parseVersion(a);
+    const pb = parseVersion(b);
+    if (pa && pb)
+        return compareVersions(pa, pb);
+    if (a === b)
+        return 0;
+    return a < b ? -1 : 1;
+}
+export function summarizeAdvisories(advisories) {
+    const byPackage = new Map();
+    for (const advisory of advisories) {
+        const key = `${advisory.packageName}|${advisory.currentVersion ?? "?"}`;
+        const items = byPackage.get(key) ?? [];
+        items.push(advisory);
+        byPackage.set(key, items);
+    }
+    const summaries = [];
+    for (const [, items] of byPackage) {
+        const sorted = [...items].sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
+        const representative = sorted[0];
+        const patchMap = buildPatchMap(items);
+        summaries.push({
+            packageName: representative.packageName,
+            currentVersion: representative.currentVersion,
+            severity: representative.severity,
+            advisoryCount: items.length,
+            patchedVersion: patchMap.get(representative.packageName) ?? null,
+            sources: [...new Set(items.flatMap((item) => item.sources))].sort(),
+        });
+    }
+    return summaries.sort((a, b) => {
+        const severityDiff = SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity];
+        if (severityDiff !== 0)
+            return severityDiff;
+        return a.packageName.localeCompare(b.packageName);
+    });
+}
 /**
  * Renders audit advisories as a formatted table string for terminal output.
  */
@@ -47,15 +95,63 @@ export function renderAuditTable(advisories) {
     const sorted = [...advisories].sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
     const lines = [
         `Found ${advisories.length} ${advisories.length === 1 ? "vulnerability" : "vulnerabilities"}:\n`,
-        "Package".padEnd(30) + "Severity".padEnd(20) + "CVE".padEnd(22) + "Patch",
-        "─".repeat(90),
+        "Package".padEnd(24) +
+            "Current".padEnd(14) +
+            "Severity".padEnd(20) +
+            "CVE".padEnd(22) +
+            "Patch",
+        "─".repeat(104),
     ];
     for (const adv of sorted) {
-        const name = adv.packageName.slice(0, 28).padEnd(30);
+        const name = adv.packageName.slice(0, 22).padEnd(24);
+        const current = (adv.currentVersion ?? "?").slice(0, 12).padEnd(14);
         const sev = SEVERITY_ICON[adv.severity].padEnd(20);
         const cve = adv.cveId.slice(0, 20).padEnd(22);
         const patch = adv.patchedVersion ? `→ ${adv.patchedVersion}` : "no patch";
-        lines.push(`${name}${sev}${cve}${patch}`);
+        lines.push(`${name}${current}${sev}${cve}${patch}`);
+    }
+    return lines.join("\n");
+}
+export function renderAuditSummary(packages) {
+    if (packages.length === 0) {
+        return "✔ No vulnerable packages found.\n";
+    }
+    const SEVERITY_ICON = {
+        critical: "🔴 CRITICAL",
+        high: "🟠 HIGH    ",
+        medium: "🟡 MEDIUM  ",
+        low: "⚪ LOW     ",
+    };
+    const lines = [
+        `Found ${packages.length} affected ${packages.length === 1 ? "package" : "packages"}:\n`,
+        "Package".padEnd(24) +
+            "Current".padEnd(14) +
+            "Severity".padEnd(20) +
+            "Advisories".padEnd(12) +
+            "Patch",
+        "─".repeat(98),
+    ];
+    for (const item of packages) {
+        const name = item.packageName.slice(0, 22).padEnd(24);
+        const current = (item.currentVersion ?? "?").slice(0, 12).padEnd(14);
+        const sev = SEVERITY_ICON[item.severity].padEnd(20);
+        const count = String(item.advisoryCount).padEnd(12);
+        const patch = item.patchedVersion ? `→ ${item.patchedVersion}` : "no patch";
+        lines.push(`${name}${current}${sev}${count}${patch}`);
+    }
+    return lines.join("\n");
+}
+export function renderAuditSourceHealth(sourceHealth) {
+    if (sourceHealth.length === 0)
+        return "";
+    const lines = ["", "Sources:"];
+    for (const item of sourceHealth) {
+        const label = item.source === "osv" ? "OSV.dev" : "GitHub Advisory DB";
+        const status = item.status.toUpperCase().padEnd(7);
+        const coverage = `${item.successfulTargets}/${item.attemptedTargets} targets`;
+        const advisories = `${item.advisoriesFound} advisories`;
+        const suffix = item.message ? ` (${item.message})` : "";
+        lines.push(`  ${label.padEnd(22)} ${status} ${coverage}, ${advisories}${suffix}`);
     }
     return lines.join("\n");
 }

package/dist/commands/audit/parser.js

@@ -1,6 +1,7 @@
 import path from "node:path";
 import process from "node:process";
 const SEVERITY_LEVELS = ["critical", "high", "medium", "low"];
+const SOURCE_MODES = ["auto", "osv", "github", "all"];
 export function parseSeverity(value) {
     if (SEVERITY_LEVELS.includes(value)) {
         return value;
@@ -14,7 +15,10 @@ export function parseAuditArgs(args) {
         severity: undefined,
         fix: false,
         dryRun: false,
+        commit: false,
+        packageManager: "auto",
         reportFormat: "table",
+        sourceMode: "auto",
         jsonFile: undefined,
         concurrency: 16,
         registryTimeoutMs: 8000,
@@ -52,9 +56,24 @@ export function parseAuditArgs(args) {
             index += 1;
             continue;
         }
+        if (current === "--commit") {
+            options.commit = true;
+            index += 1;
+            continue;
+        }
+        if (current === "--pm" && next) {
+            const valid = ["auto", "npm", "pnpm", "bun", "yarn"];
+            if (!valid.includes(next))
+                throw new Error(`--pm must be one of: ${valid.join(", ")}`);
+            options.packageManager = next;
+            index += 2;
+            continue;
+        }
+        if (current === "--pm")
+            throw new Error("Missing value for --pm");
         if (current === "--report" && next) {
-            if (next !== "table" && next !== "json") {
-                throw new Error("--report must be table or json");
+            if (next !== "table" && next !== "json" && next !== "summary") {
+                throw new Error("--report must be table, summary, or json");
             }
             options.reportFormat = next;
             index += 2;
@@ -62,6 +81,21 @@ export function parseAuditArgs(args) {
         }
         if (current === "--report")
             throw new Error("Missing value for --report");
+        if (current === "--summary") {
+            options.reportFormat = "summary";
+            index += 1;
+            continue;
+        }
+        if (current === "--source" && next) {
+            if (!SOURCE_MODES.includes(next)) {
+                throw new Error(`--source must be one of: ${SOURCE_MODES.join(", ")}`);
+            }
+            options.sourceMode = next;
+            index += 2;
+            continue;
+        }
+        if (current === "--source")
+            throw new Error("Missing value for --source");
         if (current === "--json-file" && next) {
             options.jsonFile = path.resolve(options.cwd, next);
             index += 2;

package/dist/commands/audit/runner.js

@@ -1,9 +1,13 @@
+import { spawn } from "node:child_process";
+import { promises as fs } from "node:fs";
+import path from "node:path";
 import { collectDependencies, readManifest, } from "../../parsers/package-json.js";
 import { discoverPackageDirs } from "../../workspace/discover.js";
 import { writeFileAtomic } from "../../utils/io.js";
 import { stableStringify } from "../../utils/stable-json.js";
 import { fetchAdvisories } from "./fetcher.js";
-import { filterBySeverity, buildPatchMap, renderAuditTable } from "./mapper.js";
+import { resolveAuditTargets } from "./targets.js";
+import { filterBySeverity, buildPatchMap, renderAuditSourceHealth, renderAuditSummary, renderAuditTable, summarizeAdvisories, } from "./mapper.js";
 /**
  * Entry point for `rup audit`. Lazy-loaded by cli.ts.
  * Discovers packages, fetches CVE advisories, filters by severity, and
@@ -12,13 +16,20 @@ import { filterBySeverity, buildPatchMap, renderAuditTable } from "./mapper.js";
 export async function runAudit(options) {
     const result = {
         advisories: [],
+        packages: [],
         autoFixable: 0,
         errors: [],
         warnings: [],
+        sourcesUsed: [],
+        sourceHealth: [],
+        resolution: {
+            lockfile: 0,
+            manifest: 0,
+            unresolved: 0,
+        },
     };
     const packageDirs = await discoverPackageDirs(options.cwd, options.workspace);
-    // Collect all unique package names
-    const packageNames = new Set();
+    const depsByDir = new Map();
     for (const dir of packageDirs) {
         let manifest;
         try {
@@ -33,32 +44,185 @@ export async function runAudit(options) {
             "devDependencies",
             "optionalDependencies",
         ]);
-        for (const dep of deps) {
-            packageNames.add(dep.name);
-        }
+        depsByDir.set(dir, deps);
     }
-    if (packageNames.size === 0) {
+    const targetResolution = await resolveAuditTargets(options.cwd, packageDirs, depsByDir);
+    result.warnings.push(...targetResolution.warnings);
+    result.resolution = targetResolution.resolution;
+    if (targetResolution.targets.length === 0) {
         result.warnings.push("No dependencies found to audit.");
         return result;
     }
-    process.stderr.write(`[audit] Querying OSV.dev for ${packageNames.size} packages...\n`);
-    let advisories = await fetchAdvisories([...packageNames], {
+    process.stderr.write(`[audit] Querying ${describeSourceMode(options.sourceMode)} for ${targetResolution.targets.length} dependency version${targetResolution.targets.length === 1 ? "" : "s"}...\n`);
+    const fetched = await fetchAdvisories(targetResolution.targets, {
         concurrency: options.concurrency,
         registryTimeoutMs: options.registryTimeoutMs,
+        sourceMode: options.sourceMode,
     });
+    result.sourcesUsed = fetched.sourcesUsed;
+    result.sourceHealth = fetched.sourceHealth;
+    result.warnings.push(...fetched.warnings);
+    if (fetched.sourceHealth.every((item) => item.status === "failed")) {
+        result.errors.push("All advisory sources failed. Audit coverage is unavailable for this run.");
+    }
+    let advisories = fetched.advisories;
     advisories = filterBySeverity(advisories, options.severity);
     result.advisories = advisories;
+    result.packages = summarizeAdvisories(advisories);
     result.autoFixable = advisories.filter((a) => a.patchedVersion !== null).length;
-    if (options.reportFormat === "table" || !options.jsonFile) {
-        process.stdout.write(renderAuditTable(advisories) + "\n");
+    if (options.reportFormat === "summary") {
+        process.stdout.write(renderAuditSummary(result.packages) +
+            renderAuditSourceHealth(result.sourceHealth) +
+            "\n");
+    }
+    else if (options.reportFormat === "table" || !options.jsonFile) {
+        process.stdout.write(renderAuditTable(advisories) +
+            renderAuditSourceHealth(result.sourceHealth) +
+            "\n");
     }
     if (options.jsonFile) {
-        await writeFileAtomic(options.jsonFile, stableStringify({ advisories, errors: result.errors, warnings: result.warnings }, 2) + "\n");
+        await writeFileAtomic(options.jsonFile, stableStringify({
+            advisories,
+            packages: result.packages,
+            sourcesUsed: result.sourcesUsed,
+            sourceHealth: result.sourceHealth,
+            resolution: result.resolution,
+            errors: result.errors,
+            warnings: result.warnings,
+        }, 2) + "\n");
         process.stderr.write(`[audit] JSON report written to ${options.jsonFile}\n`);
     }
-    if (options.fix && !options.dryRun && result.autoFixable > 0) {
-        const patchMap = buildPatchMap(advisories);
-        process.stderr.write(`[audit] --fix: ${patchMap.size} packages have available patches. Apply with: npm install ${[...patchMap.entries()].map(([n, v]) => `${n}@${v}`).join(" ")}\n`);
+    if (options.fix && result.autoFixable > 0) {
+        await applyFix(advisories, options);
     }
     return result;
 }
+function describeSourceMode(mode) {
+    if (mode === "osv")
+        return "OSV.dev";
+    if (mode === "github")
+        return "GitHub Advisory DB";
+    return "OSV.dev + GitHub Advisory DB";
+}
+// ─── Fix application ──────────────────────────────────────────────────────────
+async function applyFix(advisories, options) {
+    const patchMap = buildPatchMap(advisories);
+    if (patchMap.size === 0)
+        return;
+    const pm = await detectPackageManager(options.cwd, options.packageManager);
+    const installArgs = buildInstallArgs(pm, patchMap);
+    const installCmd = `${pm} ${installArgs.join(" ")}`;
+    if (options.dryRun) {
+        process.stderr.write(`[audit] --dry-run: would execute:\n  ${installCmd}\n`);
+        if (options.commit) {
+            const msg = buildCommitMessage(patchMap);
+            process.stderr.write(`[audit] --dry-run: would commit:\n  git commit -m "${msg}"\n`);
+        }
+        return;
+    }
+    process.stderr.write(`[audit] Applying ${patchMap.size} fix(es)...\n`);
+    process.stderr.write(`  → ${installCmd}\n`);
+    try {
+        await runCommand(pm, installArgs, options.cwd);
+    }
+    catch (err) {
+        process.stderr.write(`[audit] Install failed: ${String(err)}\n`);
+        return;
+    }
+    process.stderr.write(`[audit] ✔ Patches applied successfully.\n`);
+    if (options.commit) {
+        await commitFix(patchMap, options.cwd);
+    }
+    else {
+        process.stderr.write(`[audit] Tip: run with --commit to automatically commit the changes.\n`);
+    }
+}
+function buildInstallArgs(pm, patchMap) {
+    const packages = [...patchMap.entries()].map(([n, v]) => `${n}@${v}`);
+    switch (pm) {
+        case "pnpm":
+            return ["add", ...packages];
+        case "bun":
+            return ["add", ...packages];
+        case "yarn":
+            return ["add", ...packages];
+        default:
+            return ["install", ...packages]; // npm
+    }
+}
+async function commitFix(patchMap, cwd) {
+    const msg = buildCommitMessage(patchMap);
+    try {
+        // Stage all modified files (package.json + lockfiles)
+        await runCommand("git", [
+            "add",
+            "package.json",
+            "package-lock.json",
+            "pnpm-lock.yaml",
+            "yarn.lock",
+            "bun.lock",
+            "bun.lockb",
+        ], cwd, true);
+        await runCommand("git", ["commit", "-m", msg], cwd);
+        process.stderr.write(`[audit] ✔ Committed: "${msg}"\n`);
+    }
+    catch (err) {
+        process.stderr.write(`[audit] Git commit failed: ${String(err)}\n`);
+        process.stderr.write(`[audit] Changes are applied — commit manually with:\n`);
+        process.stderr.write(`  git add -A && git commit -m "${msg}"\n`);
+    }
+}
+function buildCommitMessage(patchMap) {
+    const items = [...patchMap.entries()];
+    if (items.length === 1) {
+        const [name, version] = items[0];
+        return `fix(security): patch ${name} to ${version} (rup audit)`;
+    }
+    const names = items.map(([n]) => n).join(", ");
+    return `fix(security): patch ${items.length} vulnerabilities — ${names} (rup audit)`;
+}
+/** Detects the package manager in use by checking for lockfiles. */
+async function detectPackageManager(cwd, explicit) {
+    if (explicit !== "auto")
+        return explicit;
+    const checks = [
+        ["bun.lock", "bun"],
+        ["bun.lockb", "bun"],
+        ["pnpm-lock.yaml", "pnpm"],
+        ["yarn.lock", "yarn"],
+    ];
+    for (const [lockfile, pm] of checks) {
+        try {
+            await fs.access(path.join(cwd, lockfile));
+            return pm;
+        }
+        catch {
+            // not found, try next
+        }
+    }
+    return "npm"; // default
+}
+/** Spawns a subprocess, pipes stdio live to the terminal. */
+function runCommand(cmd, args, cwd, ignoreErrors = false) {
+    return new Promise((resolve, reject) => {
+        const child = spawn(cmd, args, {
+            cwd,
+            stdio: "inherit", // stream stdout/stderr live
+            shell: process.platform === "win32",
+        });
+        child.on("close", (code) => {
+            if (code === 0 || ignoreErrors) {
+                resolve();
+            }
+            else {
+                reject(new Error(`${cmd} exited with code ${code}`));
+            }
+        });
+        child.on("error", (err) => {
+            if (ignoreErrors)
+                resolve();
+            else
+                reject(err);
+        });
+    });
+}

package/dist/commands/audit/sources/github.d.ts

@@ -0,0 +1,2 @@
+import type { AuditSourceAdapter } from "./types.js";
+export declare const githubAuditSource: AuditSourceAdapter;