@rainy-updates/cli 0.5.2-rc.1 → 0.5.2

package/dist/commands/audit/parser.js

@@ -1,6 +1,7 @@
 import path from "node:path";
 import process from "node:process";
 const SEVERITY_LEVELS = ["critical", "high", "medium", "low"];
+const SOURCE_MODES = ["auto", "osv", "github", "all"];
 export function parseSeverity(value) {
     if (SEVERITY_LEVELS.includes(value)) {
         return value;
@@ -14,7 +15,10 @@ export function parseAuditArgs(args) {
         severity: undefined,
         fix: false,
         dryRun: false,
+        commit: false,
+        packageManager: "auto",
         reportFormat: "table",
+        sourceMode: "auto",
         jsonFile: undefined,
         concurrency: 16,
         registryTimeoutMs: 8000,
@@ -52,9 +56,24 @@ export function parseAuditArgs(args) {
             index += 1;
             continue;
         }
+        if (current === "--commit") {
+            options.commit = true;
+            index += 1;
+            continue;
+        }
+        if (current === "--pm" && next) {
+            const valid = ["auto", "npm", "pnpm", "bun", "yarn"];
+            if (!valid.includes(next))
+                throw new Error(`--pm must be one of: ${valid.join(", ")}`);
+            options.packageManager = next;
+            index += 2;
+            continue;
+        }
+        if (current === "--pm")
+            throw new Error("Missing value for --pm");
         if (current === "--report" && next) {
-            if (next !== "table" && next !== "json") {
-                throw new Error("--report must be table or json");
+            if (next !== "table" && next !== "json" && next !== "summary") {
+                throw new Error("--report must be table, summary, or json");
             }
             options.reportFormat = next;
             index += 2;
@@ -62,6 +81,21 @@ export function parseAuditArgs(args) {
         }
         if (current === "--report")
             throw new Error("Missing value for --report");
+        if (current === "--summary") {
+            options.reportFormat = "summary";
+            index += 1;
+            continue;
+        }
+        if (current === "--source" && next) {
+            if (!SOURCE_MODES.includes(next)) {
+                throw new Error(`--source must be one of: ${SOURCE_MODES.join(", ")}`);
+            }
+            options.sourceMode = next;
+            index += 2;
+            continue;
+        }
+        if (current === "--source")
+            throw new Error("Missing value for --source");
         if (current === "--json-file" && next) {
             options.jsonFile = path.resolve(options.cwd, next);
             index += 2;

package/dist/commands/audit/runner.js

@@ -1,9 +1,14 @@
+import { spawn } from "node:child_process";
+import { promises as fs } from "node:fs";
+import path from "node:path";
 import { collectDependencies, readManifest, } from "../../parsers/package-json.js";
 import { discoverPackageDirs } from "../../workspace/discover.js";
 import { writeFileAtomic } from "../../utils/io.js";
 import { stableStringify } from "../../utils/stable-json.js";
 import { fetchAdvisories } from "./fetcher.js";
-import { filterBySeverity, buildPatchMap, renderAuditTable } from "./mapper.js";
+import { resolveAuditTargets } from "./targets.js";
+import { filterBySeverity, buildPatchMap, renderAuditSourceHealth, renderAuditSummary, renderAuditTable, summarizeAdvisories, } from "./mapper.js";
+import { formatClassifiedMessage } from "../../core/errors.js";
 /**
  * Entry point for `rup audit`. Lazy-loaded by cli.ts.
  * Discovers packages, fetches CVE advisories, filters by severity, and
@@ -12,13 +17,20 @@ import { filterBySeverity, buildPatchMap, renderAuditTable } from "./mapper.js";
 export async function runAudit(options) {
     const result = {
         advisories: [],
+        packages: [],
         autoFixable: 0,
         errors: [],
         warnings: [],
+        sourcesUsed: [],
+        sourceHealth: [],
+        resolution: {
+            lockfile: 0,
+            manifest: 0,
+            unresolved: 0,
+        },
     };
     const packageDirs = await discoverPackageDirs(options.cwd, options.workspace);
-    // Collect all unique package names
-    const packageNames = new Set();
+    const depsByDir = new Map();
     for (const dir of packageDirs) {
         let manifest;
         try {
@@ -33,32 +45,191 @@ export async function runAudit(options) {
             "devDependencies",
             "optionalDependencies",
         ]);
-        for (const dep of deps) {
-            packageNames.add(dep.name);
-        }
+        depsByDir.set(dir, deps);
     }
-    if (packageNames.size === 0) {
+    const targetResolution = await resolveAuditTargets(options.cwd, packageDirs, depsByDir);
+    result.warnings.push(...targetResolution.warnings);
+    result.resolution = targetResolution.resolution;
+    if (targetResolution.targets.length === 0) {
         result.warnings.push("No dependencies found to audit.");
         return result;
     }
-    process.stderr.write(`[audit] Querying OSV.dev for ${packageNames.size} packages...\n`);
-    let advisories = await fetchAdvisories([...packageNames], {
+    process.stderr.write(`[audit] Querying ${describeSourceMode(options.sourceMode)} for ${targetResolution.targets.length} dependency version${targetResolution.targets.length === 1 ? "" : "s"}...\n`);
+    const fetched = await fetchAdvisories(targetResolution.targets, {
         concurrency: options.concurrency,
         registryTimeoutMs: options.registryTimeoutMs,
+        sourceMode: options.sourceMode,
     });
+    result.sourcesUsed = fetched.sourcesUsed;
+    result.sourceHealth = fetched.sourceHealth;
+    result.warnings.push(...fetched.warnings);
+    if (fetched.sourceHealth.every((item) => item.status === "failed")) {
+        result.errors.push(formatClassifiedMessage({
+            code: "ADVISORY_SOURCE_DOWN",
+            whatFailed: "All advisory sources failed.",
+            intact: "Dependency target resolution completed, but no advisory coverage was returned.",
+            validity: "invalid",
+            next: "Retry `rup audit` later or select a single healthy source with --source.",
+        }));
+    }
+    let advisories = fetched.advisories;
     advisories = filterBySeverity(advisories, options.severity);
     result.advisories = advisories;
+    result.packages = summarizeAdvisories(advisories);
     result.autoFixable = advisories.filter((a) => a.patchedVersion !== null).length;
-    if (options.reportFormat === "table" || !options.jsonFile) {
-        process.stdout.write(renderAuditTable(advisories) + "\n");
+    if (options.reportFormat === "summary") {
+        process.stdout.write(renderAuditSummary(result.packages) +
+            renderAuditSourceHealth(result.sourceHealth) +
+            "\n");
+    }
+    else if (options.reportFormat === "table" || !options.jsonFile) {
+        process.stdout.write(renderAuditTable(advisories) +
+            renderAuditSourceHealth(result.sourceHealth) +
+            "\n");
     }
     if (options.jsonFile) {
-        await writeFileAtomic(options.jsonFile, stableStringify({ advisories, errors: result.errors, warnings: result.warnings }, 2) + "\n");
+        await writeFileAtomic(options.jsonFile, stableStringify({
+            advisories,
+            packages: result.packages,
+            sourcesUsed: result.sourcesUsed,
+            sourceHealth: result.sourceHealth,
+            resolution: result.resolution,
+            errors: result.errors,
+            warnings: result.warnings,
+        }, 2) + "\n");
         process.stderr.write(`[audit] JSON report written to ${options.jsonFile}\n`);
     }
-    if (options.fix && !options.dryRun && result.autoFixable > 0) {
-        const patchMap = buildPatchMap(advisories);
-        process.stderr.write(`[audit] --fix: ${patchMap.size} packages have available patches. Apply with: npm install ${[...patchMap.entries()].map(([n, v]) => `${n}@${v}`).join(" ")}\n`);
+    if (options.fix && result.autoFixable > 0) {
+        await applyFix(advisories, options);
     }
     return result;
 }
+function describeSourceMode(mode) {
+    if (mode === "osv")
+        return "OSV.dev";
+    if (mode === "github")
+        return "GitHub Advisory DB";
+    return "OSV.dev + GitHub Advisory DB";
+}
+// ─── Fix application ──────────────────────────────────────────────────────────
+async function applyFix(advisories, options) {
+    const patchMap = buildPatchMap(advisories);
+    if (patchMap.size === 0)
+        return;
+    const pm = await detectPackageManager(options.cwd, options.packageManager);
+    const installArgs = buildInstallArgs(pm, patchMap);
+    const installCmd = `${pm} ${installArgs.join(" ")}`;
+    if (options.dryRun) {
+        process.stderr.write(`[audit] --dry-run: would execute:\n  ${installCmd}\n`);
+        if (options.commit) {
+            const msg = buildCommitMessage(patchMap);
+            process.stderr.write(`[audit] --dry-run: would commit:\n  git commit -m "${msg}"\n`);
+        }
+        return;
+    }
+    process.stderr.write(`[audit] Applying ${patchMap.size} fix(es)...\n`);
+    process.stderr.write(`  → ${installCmd}\n`);
+    try {
+        await runCommand(pm, installArgs, options.cwd);
+    }
+    catch (err) {
+        process.stderr.write(`[audit] Install failed: ${String(err)}\n`);
+        return;
+    }
+    process.stderr.write(`[audit] ✔ Patches applied successfully.\n`);
+    if (options.commit) {
+        await commitFix(patchMap, options.cwd);
+    }
+    else {
+        process.stderr.write(`[audit] Tip: run with --commit to automatically commit the changes.\n`);
+    }
+}
+function buildInstallArgs(pm, patchMap) {
+    const packages = [...patchMap.entries()].map(([n, v]) => `${n}@${v}`);
+    switch (pm) {
+        case "pnpm":
+            return ["add", ...packages];
+        case "bun":
+            return ["add", ...packages];
+        case "yarn":
+            return ["add", ...packages];
+        default:
+            return ["install", ...packages]; // npm
+    }
+}
+async function commitFix(patchMap, cwd) {
+    const msg = buildCommitMessage(patchMap);
+    try {
+        // Stage all modified files (package.json + lockfiles)
+        await runCommand("git", [
+            "add",
+            "package.json",
+            "package-lock.json",
+            "pnpm-lock.yaml",
+            "yarn.lock",
+            "bun.lock",
+            "bun.lockb",
+        ], cwd, true);
+        await runCommand("git", ["commit", "-m", msg], cwd);
+        process.stderr.write(`[audit] ✔ Committed: "${msg}"\n`);
+    }
+    catch (err) {
+        process.stderr.write(`[audit] Git commit failed: ${String(err)}\n`);
+        process.stderr.write(`[audit] Changes are applied — commit manually with:\n`);
+        process.stderr.write(`  git add -A && git commit -m "${msg}"\n`);
+    }
+}
+function buildCommitMessage(patchMap) {
+    const items = [...patchMap.entries()];
+    if (items.length === 1) {
+        const [name, version] = items[0];
+        return `fix(security): patch ${name} to ${version} (rup audit)`;
+    }
+    const names = items.map(([n]) => n).join(", ");
+    return `fix(security): patch ${items.length} vulnerabilities — ${names} (rup audit)`;
+}
+/** Detects the package manager in use by checking for lockfiles. */
+async function detectPackageManager(cwd, explicit) {
+    if (explicit !== "auto")
+        return explicit;
+    const checks = [
+        ["bun.lock", "bun"],
+        ["bun.lockb", "bun"],
+        ["pnpm-lock.yaml", "pnpm"],
+        ["yarn.lock", "yarn"],
+    ];
+    for (const [lockfile, pm] of checks) {
+        try {
+            await fs.access(path.join(cwd, lockfile));
+            return pm;
+        }
+        catch {
+            // not found, try next
+        }
+    }
+    return "npm"; // default
+}
+/** Spawns a subprocess, pipes stdio live to the terminal. */
+function runCommand(cmd, args, cwd, ignoreErrors = false) {
+    return new Promise((resolve, reject) => {
+        const child = spawn(cmd, args, {
+            cwd,
+            stdio: "inherit", // stream stdout/stderr live
+            shell: process.platform === "win32",
+        });
+        child.on("close", (code) => {
+            if (code === 0 || ignoreErrors) {
+                resolve();
+            }
+            else {
+                reject(new Error(`${cmd} exited with code ${code}`));
+            }
+        });
+        child.on("error", (err) => {
+            if (ignoreErrors)
+                resolve();
+            else
+                reject(err);
+        });
+    });
+}

package/dist/commands/audit/sources/github.d.ts

@@ -0,0 +1,2 @@
+import type { AuditSourceAdapter } from "./types.js";
+export declare const githubAuditSource: AuditSourceAdapter;

package/dist/commands/audit/sources/github.js

@@ -0,0 +1,125 @@
+import { asyncPool } from "../../../utils/async-pool.js";
+const GITHUB_ADVISORY_API = "https://api.github.com/advisories";
+export const githubAuditSource = {
+    name: "github",
+    async fetch(targets, options) {
+        const tasks = targets.map((target) => () => queryGitHub(target, options.registryTimeoutMs));
+        const results = await asyncPool(options.concurrency, tasks);
+        const advisories = [];
+        let successfulTargets = 0;
+        let failedTargets = 0;
+        const errorCounts = new Map();
+        for (const result of results) {
+            if (result instanceof Error) {
+                failedTargets += 1;
+                incrementCount(errorCounts, "internal-error");
+                continue;
+            }
+            advisories.push(...result.advisories);
+            if (result.ok) {
+                successfulTargets += 1;
+            }
+            else {
+                failedTargets += 1;
+                incrementCount(errorCounts, result.error ?? "request-failed");
+            }
+        }
+        const status = failedTargets === 0
+            ? "ok"
+            : successfulTargets === 0
+                ? "failed"
+                : "partial";
+        return {
+            advisories,
+            warnings: createSourceWarnings("GitHub Advisory DB", targets.length, successfulTargets, failedTargets),
+            health: {
+                source: "github",
+                status,
+                attemptedTargets: targets.length,
+                successfulTargets,
+                failedTargets,
+                advisoriesFound: advisories.length,
+                message: formatDominantError(errorCounts),
+            },
+        };
+    },
+};
+async function queryGitHub(target, timeoutMs) {
+    const url = new URL(GITHUB_ADVISORY_API);
+    url.searchParams.set("ecosystem", "npm");
+    url.searchParams.set("affects", `${target.name}@${target.version}`);
+    url.searchParams.set("per_page", "100");
+    let response;
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        response = await fetch(url, {
+            headers: {
+                Accept: "application/vnd.github+json",
+                "User-Agent": "rainy-updates-cli",
+            },
+            signal: controller.signal,
+        });
+        clearTimeout(timer);
+    }
+    catch (error) {
+        return { advisories: [], ok: false, error: classifyFetchError(error) };
+    }
+    if (!response.ok) {
+        return { advisories: [], ok: false, error: `http-${response.status}` };
+    }
+    const data = (await response.json());
+    const advisories = [];
+    for (const item of data) {
+        const vulnerability = item.vulnerabilities?.find((entry) => entry.package?.name === target.name);
+        const severity = normalizeSeverity(item.severity);
+        advisories.push({
+            cveId: item.ghsa_id ?? item.cve_id ?? "UNKNOWN",
+            packageName: target.name,
+            currentVersion: target.version,
+            severity,
+            vulnerableRange: vulnerability?.vulnerable_version_range ?? "*",
+            patchedVersion: vulnerability?.first_patched_version?.identifier?.trim() || null,
+            title: item.summary ?? item.ghsa_id ?? "GitHub Advisory",
+            url: item.html_url ?? `https://github.com/advisories/${item.ghsa_id}`,
+            sources: ["github"],
+        });
+    }
+    return { advisories, ok: true };
+}
+function normalizeSeverity(value) {
+    const normalized = (value ?? "medium").toLowerCase();
+    if (normalized === "critical" ||
+        normalized === "high" ||
+        normalized === "medium" ||
+        normalized === "low") {
+        return normalized;
+    }
+    if (normalized === "moderate")
+        return "medium";
+    return "medium";
+}
+function createSourceWarnings(label, attemptedTargets, successfulTargets, failedTargets) {
+    if (failedTargets === 0)
+        return [];
+    if (successfulTargets === 0) {
+        return [
+            `${label} unavailable for all ${attemptedTargets} audit target${attemptedTargets === 1 ? "" : "s"}.`,
+        ];
+    }
+    return [
+        `${label} partially unavailable: ${failedTargets}/${attemptedTargets} audit target${attemptedTargets === 1 ? "" : "s"} failed.`,
+    ];
+}
+function classifyFetchError(error) {
+    if (error instanceof Error && error.name === "AbortError")
+        return "timeout";
+    return "network";
+}
+function incrementCount(map, key) {
+    map.set(key, (map.get(key) ?? 0) + 1);
+}
+function formatDominantError(errorCounts) {
+    const sorted = [...errorCounts.entries()].sort((a, b) => b[1] - a[1]);
+    return sorted[0]?.[0];
+}

package/dist/commands/audit/sources/index.d.ts

@@ -0,0 +1,6 @@
+import type { AuditOptions, AuditSourceName } from "../../../types/index.js";
+import type { AuditTarget } from "../targets.js";
+import type { AuditSourceAdapter, AuditSourceAggregateResult } from "./types.js";
+export declare function fetchAdvisoriesFromSources(targets: AuditTarget[], options: Pick<AuditOptions, "concurrency" | "registryTimeoutMs" | "sourceMode">, sourceMap?: Record<AuditSourceName, AuditSourceAdapter>): Promise<AuditSourceAggregateResult & {
+    sourcesUsed: AuditSourceName[];
+}>;

package/dist/commands/audit/sources/index.js

@@ -0,0 +1,99 @@
+import { compareVersions, parseVersion } from "../../../utils/semver.js";
+import { githubAuditSource } from "./github.js";
+import { osvAuditSource } from "./osv.js";
+import { formatClassifiedMessage } from "../../../core/errors.js";
+const SOURCE_MAP = {
+    osv: osvAuditSource,
+    github: githubAuditSource,
+};
+export async function fetchAdvisoriesFromSources(targets, options, sourceMap = SOURCE_MAP) {
+    const selected = selectSources(options.sourceMode);
+    const results = await Promise.all(selected.map((name) => sourceMap[name].fetch(targets, options)));
+    const warnings = normalizeSourceWarnings(results.flatMap((result) => result.warnings), results.map((result) => result.health));
+    const merged = mergeAdvisories(results.flatMap((result) => result.advisories));
+    return {
+        advisories: merged,
+        warnings,
+        sourcesUsed: selected,
+        sourceHealth: results.map((result) => result.health),
+    };
+}
+function selectSources(mode) {
+    if (mode === "osv")
+        return ["osv"];
+    if (mode === "github")
+        return ["github"];
+    return ["osv", "github"];
+}
+function mergeAdvisories(advisories) {
+    const merged = new Map();
+    for (const advisory of advisories) {
+        const key = [
+            advisory.packageName,
+            advisory.currentVersion ?? "?",
+            advisory.cveId,
+        ].join("|");
+        const existing = merged.get(key);
+        if (!existing) {
+            merged.set(key, advisory);
+            continue;
+        }
+        merged.set(key, {
+            ...existing,
+            severity: severityRank(advisory.severity) > severityRank(existing.severity)
+                ? advisory.severity
+                : existing.severity,
+            vulnerableRange: existing.vulnerableRange === "*" && advisory.vulnerableRange !== "*"
+                ? advisory.vulnerableRange
+                : existing.vulnerableRange,
+            patchedVersion: choosePreferredPatch(existing.patchedVersion, advisory.patchedVersion),
+            title: existing.title.length >= advisory.title.length ? existing.title : advisory.title,
+            url: existing.url.length >= advisory.url.length ? existing.url : advisory.url,
+            sources: [...new Set([...existing.sources, ...advisory.sources])].sort(),
+        });
+    }
+    return [...merged.values()];
+}
+function normalizeSourceWarnings(warnings, sourceHealth) {
+    const normalized = [...warnings];
+    const successful = sourceHealth.filter((item) => item.status !== "failed");
+    const failed = sourceHealth.filter((item) => item.status === "failed");
+    if (failed.length > 0 && successful.length > 0) {
+        const failedNames = failed.map((item) => formatSourceName(item.source)).join(", ");
+        const successfulNames = successful
+            .map((item) => formatSourceName(item.source))
+            .join(", ");
+        normalized.push(formatClassifiedMessage({
+            code: "ADVISORY_SOURCE_DEGRADED",
+            whatFailed: `${failedNames} advisory source(s) failed during the audit query.`,
+            intact: `${successfulNames} still returned advisory results.`,
+            validity: "partial",
+            next: "Retry `rup audit` later or pin `--source` to a healthy backend.",
+        }));
+    }
+    return normalized;
+}
+function formatSourceName(source) {
+    return source === "osv" ? "OSV.dev" : "GitHub Advisory DB";
+}
+function choosePreferredPatch(current, next) {
+    if (!current)
+        return next;
+    if (!next)
+        return current;
+    const currentParsed = parseVersion(current);
+    const nextParsed = parseVersion(next);
+    if (currentParsed && nextParsed) {
+        return compareVersions(currentParsed, nextParsed) <= 0 ? current : next;
+    }
+    return current <= next ? current : next;
+}
+function severityRank(value) {
+    if (value === "critical")
+        return 4;
+    if (value === "high")
+        return 3;
+    if (value === "medium")
+        return 2;
+    return 1;
+}

package/dist/commands/audit/sources/osv.d.ts

@@ -0,0 +1,2 @@
+import type { AuditSourceAdapter } from "./types.js";
+export declare const osvAuditSource: AuditSourceAdapter;

package/dist/commands/audit/sources/osv.js

@@ -0,0 +1,131 @@
+import { asyncPool } from "../../../utils/async-pool.js";
+const OSV_API = "https://api.osv.dev/v1/query";
+export const osvAuditSource = {
+    name: "osv",
+    async fetch(targets, options) {
+        const tasks = targets.map((target) => () => queryOsv(target, options.registryTimeoutMs));
+        const results = await asyncPool(options.concurrency, tasks);
+        const advisories = [];
+        let successfulTargets = 0;
+        let failedTargets = 0;
+        const errorCounts = new Map();
+        for (const result of results) {
+            if (result instanceof Error) {
+                failedTargets += 1;
+                incrementCount(errorCounts, "internal-error");
+                continue;
+            }
+            advisories.push(...result.advisories);
+            if (result.ok) {
+                successfulTargets += 1;
+            }
+            else {
+                failedTargets += 1;
+                incrementCount(errorCounts, result.error ?? "request-failed");
+            }
+        }
+        const status = failedTargets === 0
+            ? "ok"
+            : successfulTargets === 0
+                ? "failed"
+                : "partial";
+        return {
+            advisories,
+            warnings: createSourceWarnings("OSV.dev", targets.length, successfulTargets, failedTargets),
+            health: {
+                source: "osv",
+                status,
+                attemptedTargets: targets.length,
+                successfulTargets,
+                failedTargets,
+                advisoriesFound: advisories.length,
+                message: formatDominantError(errorCounts),
+            },
+        };
+    },
+};
+async function queryOsv(target, timeoutMs) {
+    const body = JSON.stringify({
+        package: { name: target.name, ecosystem: "npm" },
+        version: target.version,
+    });
+    let response;
+    try {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), timeoutMs);
+        response = await fetch(OSV_API, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body,
+            signal: controller.signal,
+        });
+        clearTimeout(timer);
+    }
+    catch (error) {
+        return { advisories: [], ok: false, error: classifyFetchError(error) };
+    }
+    if (!response.ok) {
+        return { advisories: [], ok: false, error: `http-${response.status}` };
+    }
+    const data = (await response.json());
+    const advisories = [];
+    for (const vuln of data.vulns ?? []) {
+        const cveId = vuln.id ?? "UNKNOWN";
+        const rawSeverity = (vuln.database_specific?.severity ?? "medium").toLowerCase();
+        const severity = (["critical", "high", "medium", "low"].includes(rawSeverity)
+            ? rawSeverity
+            : "medium");
+        let patchedVersion = null;
+        let vulnerableRange = "*";
+        for (const affected of vuln.affected ?? []) {
+            if (affected.package?.name !== target.name)
+                continue;
+            for (const range of affected.ranges ?? []) {
+                const fixedEvent = range.events?.find((event) => event.fixed);
+                if (fixedEvent?.fixed) {
+                    patchedVersion = fixedEvent.fixed;
+                    const introducedEvent = range.events?.find((event) => event.introduced);
+                    vulnerableRange = introducedEvent?.introduced
+                        ? `>=${introducedEvent.introduced} <${patchedVersion}`
+                        : `<${patchedVersion}`;
+                }
+            }
+        }
+        advisories.push({
+            cveId,
+            packageName: target.name,
+            currentVersion: target.version,
+            severity,
+            vulnerableRange,
+            patchedVersion,
+            title: vuln.summary ?? cveId,
+            url: vuln.references?.[0]?.url ?? `https://osv.dev/vulnerability/${cveId}`,
+            sources: ["osv"],
+        });
+    }
+    return { advisories, ok: true };
+}
+function createSourceWarnings(label, attemptedTargets, successfulTargets, failedTargets) {
+    if (failedTargets === 0)
+        return [];
+    if (successfulTargets === 0) {
+        return [
+            `${label} unavailable for all ${attemptedTargets} audit target${attemptedTargets === 1 ? "" : "s"}.`,
+        ];
+    }
+    return [
+        `${label} partially unavailable: ${failedTargets}/${attemptedTargets} audit target${attemptedTargets === 1 ? "" : "s"} failed.`,
+    ];
+}
+function classifyFetchError(error) {
+    if (error instanceof Error && error.name === "AbortError")
+        return "timeout";
+    return "network";
+}
+function incrementCount(map, key) {
+    map.set(key, (map.get(key) ?? 0) + 1);
+}
+function formatDominantError(errorCounts) {
+    const sorted = [...errorCounts.entries()].sort((a, b) => b[1] - a[1]);
+    return sorted[0]?.[0];
+}