@rainy-updates/cli 0.5.2-rc.1 → 0.5.2

package/dist/output/sarif.js

@@ -30,6 +30,12 @@ export function createSarifReport(result) {
             kind: update.kind,
             diffType: update.diffType,
             resolvedVersion: update.toVersionResolved,
+            impactRank: update.impactScore?.rank,
+            impactScore: update.impactScore?.score,
+            riskLevel: update.riskLevel,
+            advisoryCount: update.advisoryCount ?? 0,
+            peerConflictSeverity: update.peerConflictSeverity ?? "none",
+            licenseStatus: update.licenseStatus ?? "allowed",
         },
     }));
     const errorResults = [...result.errors].sort((a, b) => a.localeCompare(b)).map((error) => ({
@@ -75,6 +81,11 @@ export function createSarifReport(result) {
                     prLimitHit: result.summary.prLimitHit,
                     fixPrBranchesCreated: result.summary.fixPrBranchesCreated,
                     durationMs: result.summary.durationMs,
+                    verdict: result.summary.verdict,
+                    riskPackages: result.summary.riskPackages ?? 0,
+                    securityPackages: result.summary.securityPackages ?? 0,
+                    peerConflictPackages: result.summary.peerConflictPackages ?? 0,
+                    licenseViolationPackages: result.summary.licenseViolationPackages ?? 0,
                 },
             },
         ],

package/dist/registry/npm.d.ts

@@ -1,3 +1,13 @@
+interface RegistryConfig {
+    defaultRegistry: string;
+    scopedRegistries: Map<string, string>;
+    authByRegistry: Map<string, RegistryAuth>;
+}
+interface RegistryAuth {
+    token?: string;
+    basicAuth?: string;
+    alwaysAuth: boolean;
+}
 export interface ResolveManyOptions {
     concurrency: number;
     timeoutMs?: number;
@@ -12,6 +22,9 @@ export interface ResolveManyResult {
         latestVersion: string | null;
         versions: string[];
         publishedAtByVersion: Record<string, number>;
+        homepage?: string;
+        repository?: string;
+        hasInstallScript: boolean;
     }>;
     errors: Map<string, string>;
 }
@@ -24,6 +37,9 @@ export declare class NpmRegistryClient {
         latestVersion: string | null;
         versions: string[];
         publishedAtByVersion: Record<string, number>;
+        homepage?: string;
+        repository?: string;
+        hasInstallScript: boolean;
     }>;
     resolveLatestVersion(packageName: string, timeoutMs?: number): Promise<string | null>;
     resolveManyPackageMetadata(packageNames: string[], options: ResolveManyOptions): Promise<ResolveManyResult>;
@@ -32,3 +48,7 @@ export declare class NpmRegistryClient {
         errors: Map<string, string>;
     }>;
 }
+export declare function loadRegistryConfig(cwd: string): Promise<RegistryConfig>;
+export declare function resolveRegistryForPackage(packageName: string, config: RegistryConfig): string;
+export declare function resolveAuthHeader(registry: string, config: RegistryConfig): string | undefined;
+export {};

package/dist/registry/npm.js

@@ -22,7 +22,7 @@ export class NpmRegistryClient {
             try {
                 const response = await requester(packageName, timeoutMs);
                 if (response.status === 404) {
-                    return { latestVersion: null, versions: [], publishedAtByVersion: {} };
+                    return { latestVersion: null, versions: [], publishedAtByVersion: {}, hasInstallScript: false };
                 }
                 if (response.status === 429 || response.status >= 500) {
                     throw new RetryableRegistryError(`Registry temporary error: ${response.status}`, response.retryAfterMs ?? computeBackoffMs(attempt));
@@ -35,6 +35,9 @@ export class NpmRegistryClient {
                     latestVersion: response.data?.["dist-tags"]?.latest ?? null,
                     versions,
                     publishedAtByVersion: extractPublishTimes(response.data?.time),
+                    homepage: response.data?.homepage,
+                    repository: normalizeRepository(response.data?.repository),
+                    hasInstallScript: detectInstallScript(response.data?.versions),
                 };
             }
             catch (error) {
@@ -94,6 +97,26 @@ export class NpmRegistryClient {
 function sleep(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
 }
+function normalizeRepository(value) {
+    if (!value)
+        return undefined;
+    if (typeof value === "string")
+        return value;
+    return value.url;
+}
+function detectInstallScript(versions) {
+    if (!versions)
+        return false;
+    for (const metadata of Object.values(versions)) {
+        const scripts = metadata?.scripts;
+        if (!scripts)
+            continue;
+        if (scripts.preinstall || scripts.install || scripts.postinstall) {
+            return true;
+        }
+    }
+    return false;
+}
 function computeBackoffMs(attempt) {
     const baseMs = Math.max(120, attempt * 180);
     const jitterMs = Math.floor(Math.random() * 120);
@@ -195,7 +218,7 @@ async function tryCreateUndiciRequester(registryConfig) {
         return null;
     }
 }
-async function loadRegistryConfig(cwd) {
+export async function loadRegistryConfig(cwd) {
     const homeNpmrc = path.join(os.homedir(), ".npmrc");
     const projectNpmrc = path.join(cwd, ".npmrc");
     const merged = new Map();
@@ -274,7 +297,7 @@ function normalizeRegistryUrl(value) {
     const normalized = value.endsWith("/") ? value : `${value}/`;
     return normalized;
 }
-function resolveRegistryForPackage(packageName, config) {
+export function resolveRegistryForPackage(packageName, config) {
     const scope = extractScope(packageName);
     if (scope) {
         const scoped = config.scopedRegistries.get(scope);
@@ -295,7 +318,7 @@ function buildRegistryUrl(registry, packageName) {
     const base = normalizeRegistryUrl(registry);
     return new URL(encodeURIComponent(packageName), base).toString();
 }
-function resolveAuthHeader(registry, config) {
+export function resolveAuthHeader(registry, config) {
     const registryUrl = normalizeRegistryUrl(registry);
     const auth = findRegistryAuth(registryUrl, config.authByRegistry);
     if (!auth)

package/dist/types/index.d.ts

@@ -3,6 +3,8 @@ export type TargetLevel = "patch" | "minor" | "major" | "latest";
 export type GroupBy = "none" | "name" | "scope" | "kind" | "risk";
 export type CiProfile = "minimal" | "strict" | "enterprise";
 export type LockfileMode = "preserve" | "update" | "error";
+export type Verdict = "safe" | "review" | "blocked" | "actionable";
+export type RiskLevel = "critical" | "high" | "medium" | "low";
 export type OutputFormat = "table" | "json" | "minimal" | "github" | "metrics";
 export type FailOnLevel = "none" | "patch" | "minor" | "major" | "any";
 export type LogLevel = "error" | "warn" | "info" | "debug";
@@ -44,6 +46,9 @@ export interface RunOptions {
     onlyChanged: boolean;
     ciProfile: CiProfile;
     lockfileMode: LockfileMode;
+    interactive: boolean;
+    showImpact: boolean;
+    showHomepage: boolean;
 }
 export interface CheckOptions extends RunOptions {
 }
@@ -86,6 +91,12 @@ export interface PackageUpdate {
     reason?: string;
     impactScore?: ImpactScore;
     homepage?: string;
+    riskLevel?: RiskLevel;
+    riskReasons?: string[];
+    advisoryCount?: number;
+    peerConflictSeverity?: "none" | PeerConflictSeverity;
+    licenseStatus?: "allowed" | "review" | "denied";
+    healthStatus?: "healthy" | HealthFlag;
 }
 export interface Summary {
     contractVersion: "2";
@@ -126,6 +137,13 @@ export interface Summary {
     prLimitHit: boolean;
     streamedEvents: number;
     policyOverridesApplied: number;
+    verdict?: Verdict;
+    interactiveSession?: boolean;
+    riskPackages?: number;
+    securityPackages?: number;
+    peerConflictPackages?: number;
+    licenseViolationPackages?: number;
+    privateRegistryPackages?: number;
 }
 export interface CheckResult {
     projectPath: string;
@@ -162,14 +180,20 @@ export interface VersionResolver {
     resolveLatestVersion(packageName: string): Promise<string | null>;
 }
 export type AuditSeverity = "critical" | "high" | "medium" | "low";
-export type AuditReportFormat = "table" | "json";
+export type AuditReportFormat = "table" | "json" | "summary";
+export type AuditSourceMode = "auto" | "osv" | "github" | "all";
+export type AuditSourceName = "osv" | "github";
+export type AuditSourceStatusLevel = "ok" | "partial" | "failed";
 export interface AuditOptions {
     cwd: string;
     workspace: boolean;
     severity?: AuditSeverity;
     fix: boolean;
     dryRun: boolean;
+    commit: boolean;
+    packageManager: "auto" | "npm" | "pnpm" | "bun" | "yarn";
     reportFormat: AuditReportFormat;
+    sourceMode: AuditSourceMode;
     jsonFile?: string;
     concurrency: number;
     registryTimeoutMs: number;
@@ -177,17 +201,44 @@ export interface AuditOptions {
 export interface CveAdvisory {
     cveId: string;
     packageName: string;
+    currentVersion: string | null;
     severity: AuditSeverity;
     vulnerableRange: string;
     patchedVersion: string | null;
     title: string;
     url: string;
+    sources: readonly AuditSourceName[];
+}
+export interface AuditPackageSummary {
+    packageName: string;
+    currentVersion: string | null;
+    severity: AuditSeverity;
+    advisoryCount: number;
+    patchedVersion: string | null;
+    sources: readonly AuditSourceName[];
+}
+export interface AuditSourceStatus {
+    source: AuditSourceName;
+    status: AuditSourceStatusLevel;
+    attemptedTargets: number;
+    successfulTargets: number;
+    failedTargets: number;
+    advisoriesFound: number;
+    message?: string;
 }
 export interface AuditResult {
     advisories: CveAdvisory[];
+    packages: AuditPackageSummary[];
     autoFixable: number;
     errors: string[];
     warnings: string[];
+    sourcesUsed: AuditSourceName[];
+    sourceHealth: AuditSourceStatus[];
+    resolution: {
+        lockfile: number;
+        manifest: number;
+        unresolved: number;
+    };
 }
 export interface BisectOptions {
     cwd: string;
@@ -270,6 +321,45 @@ export interface ResolveResult {
     errors: string[];
     warnings: string[];
 }
+export interface RiskSignal {
+    packageName: string;
+    level: RiskLevel;
+    reasons: string[];
+}
+export interface ReviewItem {
+    update: PackageUpdate;
+    advisories: CveAdvisory[];
+    health?: PackageHealthMetric;
+    peerConflicts: PeerConflict[];
+    license?: PackageLicense;
+    unusedIssues: UnusedDependency[];
+    selected: boolean;
+}
+export interface ReviewResult {
+    projectPath: string;
+    target: TargetLevel;
+    summary: Summary;
+    items: ReviewItem[];
+    updates: PackageUpdate[];
+    errors: string[];
+    warnings: string[];
+}
+export interface ReviewOptions extends CheckOptions {
+    securityOnly: boolean;
+    risk?: RiskLevel;
+    diff?: TargetLevel;
+    applySelected: boolean;
+}
+export interface DoctorOptions extends CheckOptions {
+    verdictOnly: boolean;
+}
+export interface DoctorResult {
+    verdict: Verdict;
+    summary: Summary;
+    review: ReviewResult;
+    primaryFindings: string[];
+    recommendedCommand: string;
+}
 export type UnusedKind = "declared-not-imported" | "imported-not-declared";
 export interface UnusedDependency {
     name: string;

package/dist/ui/tui.d.ts

@@ -0,0 +1,2 @@
+import type { PackageUpdate } from "../types/index.js";
+export declare function runTui(updates: PackageUpdate[]): Promise<PackageUpdate[]>;

package/dist/ui/tui.js

@@ -0,0 +1,107 @@
+import { jsx as _jsx, jsxs as _jsxs, Fragment as _Fragment } from "react/jsx-runtime";
+import { useState } from "react";
+import { Box, render, Text, useInput } from "ink";
+const FILTER_ORDER = [
+    "all",
+    "security",
+    "risky",
+    "major",
+];
+function VersionDiff({ from, to }) {
+    return (_jsxs(Box, { children: [_jsx(Text, { color: "gray", children: from }), _jsxs(Text, { color: "gray", children: [" ", " -> ", " "] }), _jsx(Text, { color: "green", children: to })] }));
+}
+function riskColor(level) {
+    switch (level) {
+        case "critical":
+            return "red";
+        case "high":
+            return "yellow";
+        case "medium":
+            return "cyan";
+        default:
+            return "green";
+    }
+}
+function diffColor(level) {
+    switch (level) {
+        case "major":
+            return "red";
+        case "minor":
+            return "yellow";
+        case "patch":
+            return "green";
+        default:
+            return "cyan";
+    }
+}
+function TuiApp({ updates, onComplete }) {
+    const [cursorIndex, setCursorIndex] = useState(0);
+    const [filterIndex, setFilterIndex] = useState(0);
+    const [selectedIndices, setSelectedIndices] = useState(new Set(updates.map((_, index) => index)));
+    const activeFilter = FILTER_ORDER[filterIndex] ?? "all";
+    const filteredIndices = updates
+        .map((update, index) => ({ update, index }))
+        .filter(({ update }) => {
+        if (activeFilter === "security")
+            return (update.advisoryCount ?? 0) > 0;
+        if (activeFilter === "risky") {
+            return update.riskLevel === "critical" || update.riskLevel === "high";
+        }
+        if (activeFilter === "major")
+            return update.diffType === "major";
+        return true;
+    })
+        .map(({ index }) => index);
+    const boundedCursor = Math.min(cursorIndex, Math.max(0, filteredIndices.length - 1));
+    const focusedIndex = filteredIndices[boundedCursor] ?? 0;
+    const focusedUpdate = updates[focusedIndex];
+    useInput((input, key) => {
+        if (key.leftArrow) {
+            setFilterIndex((prev) => Math.max(0, prev - 1));
+            setCursorIndex(0);
+        }
+        if (key.rightArrow) {
+            setFilterIndex((prev) => Math.min(FILTER_ORDER.length - 1, prev + 1));
+            setCursorIndex(0);
+        }
+        if (key.upArrow) {
+            setCursorIndex((prev) => Math.max(0, prev - 1));
+        }
+        if (key.downArrow) {
+            setCursorIndex((prev) => Math.min(filteredIndices.length - 1, Math.max(0, prev + 1)));
+        }
+        if (input === "a") {
+            setSelectedIndices(new Set(filteredIndices));
+        }
+        if (input === "n") {
+            setSelectedIndices(new Set());
+        }
+        if (input === " ") {
+            setSelectedIndices((prev) => {
+                const next = new Set(prev);
+                if (next.has(focusedIndex))
+                    next.delete(focusedIndex);
+                else
+                    next.add(focusedIndex);
+                return next;
+            });
+        }
+        if (key.return) {
+            onComplete(updates.filter((_, index) => selectedIndices.has(index)));
+        }
+    });
+    return (_jsxs(Box, { flexDirection: "column", padding: 1, children: [_jsx(Text, { bold: true, color: "cyan", children: "Rainy Review TUI" }), _jsx(Text, { color: "gray", children: "Left/Right filter  Up/Down move  Space toggle  A select all view  N clear  Enter confirm" }), _jsx(Box, { marginTop: 1, children: FILTER_ORDER.map((filter, index) => (_jsx(Box, { marginRight: 2, children: _jsxs(Text, { color: index === filterIndex ? "cyan" : "gray", children: ["[", filter, "]"] }) }, filter))) }), _jsxs(Box, { marginTop: 1, flexDirection: "row", children: [_jsxs(Box, { width: 72, flexDirection: "column", borderStyle: "round", borderColor: "gray", paddingX: 1, children: [_jsx(Text, { bold: true, children: "Updates" }), filteredIndices.length === 0 ? (_jsx(Text, { color: "gray", children: "No updates match this filter." })) : (filteredIndices.map((index, visibleIndex) => {
+                                const update = updates[index];
+                                const isFocused = visibleIndex === boundedCursor;
+                                const isSelected = selectedIndices.has(index);
+                                return (_jsxs(Box, { flexDirection: "row", children: [_jsxs(Text, { color: isFocused ? "cyan" : "gray", children: [isFocused ? ">" : " ", " ", isSelected ? "[x]" : "[ ]", " "] }), _jsx(Box, { width: 22, children: _jsx(Text, { bold: isFocused, children: update.name }) }), _jsx(Box, { width: 10, children: _jsx(Text, { color: diffColor(update.diffType), children: update.diffType }) }), _jsx(Box, { width: 18, children: _jsx(Text, { color: riskColor(update.riskLevel), children: update.riskLevel ?? update.impactScore?.rank ?? "low" }) }), _jsx(VersionDiff, { from: update.fromRange, to: update.toVersionResolved })] }, `${update.packagePath}:${update.name}`));
+                            }))] }), _jsxs(Box, { marginLeft: 1, width: 46, flexDirection: "column", borderStyle: "round", borderColor: "gray", paddingX: 1, children: [_jsx(Text, { bold: true, children: "Details" }), focusedUpdate ? (_jsxs(_Fragment, { children: [_jsx(Text, { children: focusedUpdate.name }), _jsxs(Text, { color: "gray", children: ["package: ", focusedUpdate.packagePath] }), _jsxs(Text, { children: ["diff: ", _jsx(Text, { color: diffColor(focusedUpdate.diffType), children: focusedUpdate.diffType })] }), _jsxs(Text, { children: ["risk: ", _jsx(Text, { color: riskColor(focusedUpdate.riskLevel), children: focusedUpdate.riskLevel ?? focusedUpdate.impactScore?.rank ?? "low" })] }), _jsxs(Text, { children: ["impact: ", focusedUpdate.impactScore?.score ?? 0] }), _jsxs(Text, { children: ["advisories: ", focusedUpdate.advisoryCount ?? 0] }), _jsxs(Text, { children: ["peer: ", focusedUpdate.peerConflictSeverity ?? "none"] }), _jsxs(Text, { children: ["license: ", focusedUpdate.licenseStatus ?? "allowed"] }), _jsxs(Text, { children: ["health: ", focusedUpdate.healthStatus ?? "healthy"] }), focusedUpdate.homepage ? (_jsxs(Text, { color: "blue", children: ["homepage: ", focusedUpdate.homepage] })) : (_jsx(Text, { color: "gray", children: "homepage: unavailable" })), focusedUpdate.riskReasons && focusedUpdate.riskReasons.length > 0 ? (_jsxs(_Fragment, { children: [_jsx(Text, { bold: true, children: "Reasons" }), focusedUpdate.riskReasons.slice(0, 4).map((reason) => (_jsxs(Text, { color: "gray", children: ["- ", reason] }, reason)))] })) : (_jsx(Text, { color: "gray", children: "No elevated risk reasons." }))] })) : (_jsx(Text, { color: "gray", children: "No update selected." }))] })] }), _jsx(Box, { marginTop: 1, borderStyle: "round", borderColor: "gray", paddingX: 1, children: _jsxs(Text, { color: "gray", children: [selectedIndices.size, " selected of ", updates.length, ". Filter: ", activeFilter, "."] }) })] }));
+}
+export async function runTui(updates) {
+    return new Promise((resolve) => {
+        const { unmount } = render(_jsx(TuiApp, { updates: updates, onComplete: (selected) => {
+                unmount();
+                resolve(selected);
+            } }));
+    });
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rainy-updates/cli",
-  "version": "0.5.2-rc.1",
+  "version": "0.5.2",
   "description": "The fastest DevOps-first dependency CLI. Checks, audits, upgrades, bisects, and automates npm/pnpm dependencies in CI.",
   "type": "module",
   "private": false,
@@ -56,7 +56,10 @@
     "test": "bun test",
     "lint": "bunx biome check src tests",
     "check": "bun run typecheck && bun test",
-    "perf:smoke": "node scripts/perf-smoke.mjs",
+    "perf:smoke": "node scripts/perf-smoke.mjs && RAINY_UPDATES_PERF_SCENARIO=resolve node scripts/perf-smoke.mjs && RAINY_UPDATES_PERF_SCENARIO=ci node scripts/perf-smoke.mjs",
+    "perf:check": "node scripts/perf-smoke.mjs",
+    "perf:resolve": "RAINY_UPDATES_PERF_SCENARIO=resolve node scripts/perf-smoke.mjs",
+    "perf:ci": "RAINY_UPDATES_PERF_SCENARIO=ci node scripts/perf-smoke.mjs",
     "test:prod": "node dist/bin/cli.js --help && node dist/bin/cli.js --version",
     "prepublishOnly": "bun run check && bun run build && bun run test:prod"
   },
@@ -69,9 +72,16 @@
   },
   "devDependencies": {
     "@types/bun": "latest",
+    "@types/react": "^19.2.14",
+    "ink-testing-library": "^4.0.0",
     "typescript": "^5.9.3"
   },
   "optionalDependencies": {
     "undici": "^7.22.0"
+  },
+  "dependencies": {
+    "ink": "^6.8.0",
+    "react": "^19.2.4",
+    "zod": "^4.3.6"
   }
 }