@rainy-updates/cli 0.5.2-rc.2 → 0.5.3

package/dist/output/sarif.js

@@ -30,6 +30,15 @@ export function createSarifReport(result) {
             kind: update.kind,
             diffType: update.diffType,
             resolvedVersion: update.toVersionResolved,
+            impactRank: update.impactScore?.rank,
+            impactScore: update.impactScore?.score,
+            riskLevel: update.riskLevel,
+            riskScore: update.riskScore,
+            riskCategories: update.riskCategories ?? [],
+            recommendedAction: update.recommendedAction,
+            advisoryCount: update.advisoryCount ?? 0,
+            peerConflictSeverity: update.peerConflictSeverity ?? "none",
+            licenseStatus: update.licenseStatus ?? "allowed",
         },
     }));
     const errorResults = [...result.errors].sort((a, b) => a.localeCompare(b)).map((error) => ({
@@ -75,6 +84,11 @@ export function createSarifReport(result) {
                     prLimitHit: result.summary.prLimitHit,
                     fixPrBranchesCreated: result.summary.fixPrBranchesCreated,
                     durationMs: result.summary.durationMs,
+                    verdict: result.summary.verdict,
+                    riskPackages: result.summary.riskPackages ?? 0,
+                    securityPackages: result.summary.securityPackages ?? 0,
+                    peerConflictPackages: result.summary.peerConflictPackages ?? 0,
+                    licenseViolationPackages: result.summary.licenseViolationPackages ?? 0,
                 },
             },
         ],

package/dist/registry/npm.d.ts

@@ -1,3 +1,13 @@
+interface RegistryConfig {
+    defaultRegistry: string;
+    scopedRegistries: Map<string, string>;
+    authByRegistry: Map<string, RegistryAuth>;
+}
+interface RegistryAuth {
+    token?: string;
+    basicAuth?: string;
+    alwaysAuth: boolean;
+}
 export interface ResolveManyOptions {
     concurrency: number;
     timeoutMs?: number;
@@ -12,6 +22,10 @@ export interface ResolveManyResult {
         latestVersion: string | null;
         versions: string[];
         publishedAtByVersion: Record<string, number>;
+        homepage?: string;
+        repository?: string;
+        installScriptByVersion: Record<string, boolean>;
+        maintainerCount: number | null;
     }>;
     errors: Map<string, string>;
 }
@@ -24,6 +38,10 @@ export declare class NpmRegistryClient {
         latestVersion: string | null;
         versions: string[];
         publishedAtByVersion: Record<string, number>;
+        homepage?: string;
+        repository?: string;
+        installScriptByVersion: Record<string, boolean>;
+        maintainerCount: number | null;
     }>;
     resolveLatestVersion(packageName: string, timeoutMs?: number): Promise<string | null>;
     resolveManyPackageMetadata(packageNames: string[], options: ResolveManyOptions): Promise<ResolveManyResult>;
@@ -32,3 +50,7 @@ export declare class NpmRegistryClient {
         errors: Map<string, string>;
     }>;
 }
+export declare function loadRegistryConfig(cwd: string): Promise<RegistryConfig>;
+export declare function resolveRegistryForPackage(packageName: string, config: RegistryConfig): string;
+export declare function resolveAuthHeader(registry: string, config: RegistryConfig): string | undefined;
+export {};

package/dist/registry/npm.js

@@ -22,7 +22,13 @@ export class NpmRegistryClient {
             try {
                 const response = await requester(packageName, timeoutMs);
                 if (response.status === 404) {
-                    return { latestVersion: null, versions: [], publishedAtByVersion: {} };
+                    return {
+                        latestVersion: null,
+                        versions: [],
+                        publishedAtByVersion: {},
+                        installScriptByVersion: {},
+                        maintainerCount: null,
+                    };
                 }
                 if (response.status === 429 || response.status >= 500) {
                     throw new RetryableRegistryError(`Registry temporary error: ${response.status}`, response.retryAfterMs ?? computeBackoffMs(attempt));
@@ -35,6 +41,12 @@ export class NpmRegistryClient {
                     latestVersion: response.data?.["dist-tags"]?.latest ?? null,
                     versions,
                     publishedAtByVersion: extractPublishTimes(response.data?.time),
+                    homepage: response.data?.homepage,
+                    repository: normalizeRepository(response.data?.repository),
+                    installScriptByVersion: detectInstallScriptsByVersion(response.data?.versions),
+                    maintainerCount: Array.isArray(response.data?.maintainers)
+                        ? response.data?.maintainers.length
+                        : null,
                 };
             }
             catch (error) {
@@ -94,6 +106,23 @@ export class NpmRegistryClient {
 function sleep(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms));
 }
+function normalizeRepository(value) {
+    if (!value)
+        return undefined;
+    if (typeof value === "string")
+        return value;
+    return value.url;
+}
+function detectInstallScriptsByVersion(versions) {
+    if (!versions)
+        return {};
+    const results = {};
+    for (const [version, metadata] of Object.entries(versions)) {
+        const scripts = metadata?.scripts;
+        results[version] = Boolean(scripts?.preinstall || scripts?.install || scripts?.postinstall);
+    }
+    return results;
+}
 function computeBackoffMs(attempt) {
     const baseMs = Math.max(120, attempt * 180);
     const jitterMs = Math.floor(Math.random() * 120);
@@ -195,7 +224,7 @@ async function tryCreateUndiciRequester(registryConfig) {
         return null;
     }
 }
-async function loadRegistryConfig(cwd) {
+export async function loadRegistryConfig(cwd) {
     const homeNpmrc = path.join(os.homedir(), ".npmrc");
     const projectNpmrc = path.join(cwd, ".npmrc");
     const merged = new Map();
@@ -274,7 +303,7 @@ function normalizeRegistryUrl(value) {
     const normalized = value.endsWith("/") ? value : `${value}/`;
     return normalized;
 }
-function resolveRegistryForPackage(packageName, config) {
+export function resolveRegistryForPackage(packageName, config) {
     const scope = extractScope(packageName);
     if (scope) {
         const scoped = config.scopedRegistries.get(scope);
@@ -295,7 +324,7 @@ function buildRegistryUrl(registry, packageName) {
     const base = normalizeRegistryUrl(registry);
     return new URL(encodeURIComponent(packageName), base).toString();
 }
-function resolveAuthHeader(registry, config) {
+export function resolveAuthHeader(registry, config) {
     const registryUrl = normalizeRegistryUrl(registry);
     const auth = findRegistryAuth(registryUrl, config.authByRegistry);
     if (!auth)

package/dist/risk/index.d.ts

@@ -0,0 +1,3 @@
+import type { ReviewItem } from "../types/index.js";
+import type { RiskContext } from "./types.js";
+export declare function applyRiskAssessments(items: ReviewItem[], context: RiskContext): ReviewItem[];

package/dist/risk/index.js

@@ -0,0 +1,24 @@
+import { assessRisk } from "./scorer.js";
+export function applyRiskAssessments(items, context) {
+    return items.map((item) => {
+        const assessment = assessRisk({
+            update: item.update,
+            advisories: item.advisories,
+            health: item.health,
+            peerConflicts: item.peerConflicts,
+            licenseViolation: item.update.licenseStatus === "denied",
+            unusedIssues: item.unusedIssues,
+        }, context);
+        return {
+            ...item,
+            update: {
+                ...item.update,
+                riskLevel: assessment.level,
+                riskScore: assessment.score,
+                riskReasons: assessment.reasons,
+                riskCategories: assessment.categories,
+                recommendedAction: assessment.recommendedAction,
+            },
+        };
+    });
+}

package/dist/risk/scorer.d.ts

@@ -0,0 +1,3 @@
+import type { RiskAssessment } from "../types/index.js";
+import type { RiskContext, RiskInput } from "./types.js";
+export declare function assessRisk(input: RiskInput, context: RiskContext): RiskAssessment;

package/dist/risk/scorer.js

@@ -0,0 +1,114 @@
+import { detectInstallScriptsRisk } from "./signals/install-scripts.js";
+import { detectTyposquatRisk } from "./signals/typosquat.js";
+import { detectFreshPackageRisk } from "./signals/fresh-package.js";
+import { detectSuspiciousMetadataRisk } from "./signals/metadata.js";
+import { detectMutableSourceRisk } from "./signals/mutable-source.js";
+import { detectMaintainerChurnRisk } from "./signals/maintainer-churn.js";
+export function assessRisk(input, context) {
+    // Base factors model direct supply-chain behavior; modifiers adjust operational severity.
+    const baseFactors = [];
+    const modifierFactors = [];
+    if (input.advisories.length > 0) {
+        baseFactors.push({
+            code: "known-vulnerability",
+            weight: 35,
+            category: "known-vulnerability",
+            message: `${input.advisories.length} known vulnerability finding(s) affect this package.`,
+        });
+    }
+    const installScripts = detectInstallScriptsRisk(input);
+    if (installScripts)
+        baseFactors.push(installScripts);
+    const typosquat = detectTyposquatRisk(input, context);
+    if (typosquat)
+        baseFactors.push(typosquat);
+    const freshPackage = detectFreshPackageRisk(input);
+    if (freshPackage)
+        baseFactors.push(freshPackage);
+    const metadata = detectSuspiciousMetadataRisk(input);
+    if (metadata)
+        baseFactors.push(metadata);
+    const mutableSource = detectMutableSourceRisk(input);
+    if (mutableSource)
+        baseFactors.push(mutableSource);
+    const maintainerChurn = detectMaintainerChurnRisk(input);
+    if (maintainerChurn)
+        baseFactors.push(maintainerChurn);
+    if (input.peerConflicts.some((conflict) => conflict.severity === "error")) {
+        modifierFactors.push({
+            code: "peer-conflict",
+            weight: 20,
+            category: "operational-health",
+            message: "Peer dependency conflicts block safe application.",
+        });
+    }
+    if (input.licenseViolation) {
+        modifierFactors.push({
+            code: "license-violation",
+            weight: 20,
+            category: "operational-health",
+            message: "License policy would block or require review for this update.",
+        });
+    }
+    if (input.health?.flags.includes("deprecated")) {
+        modifierFactors.push({
+            code: "deprecated-package",
+            weight: 10,
+            category: "operational-health",
+            message: "Package is deprecated.",
+        });
+    }
+    else if (input.health?.flags.includes("stale") ||
+        input.health?.flags.includes("unmaintained")) {
+        modifierFactors.push({
+            code: "stale-package",
+            weight: 5,
+            category: "operational-health",
+            message: "Package has stale operational health signals.",
+        });
+    }
+    if (input.update.diffType === "major") {
+        modifierFactors.push({
+            code: "major-version",
+            weight: 10,
+            category: "operational-health",
+            message: "Update crosses a major version boundary.",
+        });
+    }
+    const baseScore = baseFactors.reduce((sum, factor) => sum + factor.weight, 0);
+    const modifierScore = modifierFactors.reduce((sum, factor) => sum + factor.weight, 0);
+    const factors = [...baseFactors, ...modifierFactors];
+    const score = Math.min(100, baseScore + modifierScore);
+    const level = scoreToLevel(score);
+    const categories = Array.from(new Set(factors.map((factor) => factor.category)));
+    const reasons = factors.map((factor) => factor.message);
+    return {
+        score,
+        level,
+        reasons,
+        categories,
+        recommendedAction: recommendAction(level, input),
+        factors,
+    };
+}
+function scoreToLevel(score) {
+    if (score >= 70)
+        return "critical";
+    if (score >= 45)
+        return "high";
+    if (score >= 20)
+        return "medium";
+    return "low";
+}
+function recommendAction(level, input) {
+    if (input.peerConflicts.some((conflict) => conflict.severity === "error")) {
+        return "Run `rup resolve --after-update` before applying this update.";
+    }
+    if (input.advisories.length > 0) {
+        return "Review in `rup review` and consider `rup audit --fix` for the secure minimum patch.";
+    }
+    if (level === "critical" || level === "high") {
+        return "Keep this update in review until the risk reasons are cleared.";
+    }
+    return "Safe to keep in the review queue and apply after normal verification.";
+}

package/dist/risk/signals/fresh-package.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskInput } from "../types.js";
+export declare function detectFreshPackageRisk(input: RiskInput): RiskFactor | null;

package/dist/risk/signals/fresh-package.js

@@ -0,0 +1,22 @@
+export function detectFreshPackageRisk(input) {
+    const age = input.update.publishAgeDays;
+    if (typeof age !== "number")
+        return null;
+    if (age <= 7) {
+        return {
+            code: "fresh-package-7d",
+            weight: 20,
+            category: "behavioral-risk",
+            message: `Resolved version was published ${age} day(s) ago.`,
+        };
+    }
+    if (age <= 30) {
+        return {
+            code: "fresh-package-30d",
+            weight: 10,
+            category: "behavioral-risk",
+            message: `Resolved version was published ${age} day(s) ago.`,
+        };
+    }
+    return null;
+}

package/dist/risk/signals/install-scripts.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskInput } from "../types.js";
+export declare function detectInstallScriptsRisk(input: RiskInput): RiskFactor | null;

package/dist/risk/signals/install-scripts.js

@@ -0,0 +1,10 @@
+export function detectInstallScriptsRisk(input) {
+    if (!input.update.hasInstallScript)
+        return null;
+    return {
+        code: "install-scripts",
+        weight: 20,
+        category: "behavioral-risk",
+        message: "Resolved package includes install lifecycle scripts.",
+    };
+}

package/dist/risk/signals/maintainer-churn.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskInput } from "../types.js";
+export declare function detectMaintainerChurnRisk(input: RiskInput): RiskFactor | null;

package/dist/risk/signals/maintainer-churn.js

@@ -0,0 +1,11 @@
+export function detectMaintainerChurnRisk(input) {
+    if (input.update.maintainerChurn !== "elevated-change") {
+        return null;
+    }
+    return {
+        code: "maintainer-churn",
+        weight: 15,
+        category: "behavioral-risk",
+        message: "Maintainer profile looks unstable for a recent release based on available registry metadata.",
+    };
+}

package/dist/risk/signals/metadata.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskInput } from "../types.js";
+export declare function detectSuspiciousMetadataRisk(input: RiskInput): RiskFactor | null;

package/dist/risk/signals/metadata.js

@@ -0,0 +1,18 @@
+export function detectSuspiciousMetadataRisk(input) {
+    const { homepage, repository } = input.update;
+    const homepageMissing = !homepage;
+    const repositoryMissing = !repository;
+    const repositoryMalformed = typeof repository === "string" &&
+        !repository.startsWith("http://") &&
+        !repository.startsWith("https://") &&
+        !repository.startsWith("git+");
+    if ((homepageMissing && repositoryMissing) || repositoryMalformed) {
+        return {
+            code: "suspicious-metadata",
+            weight: 10,
+            category: "behavioral-risk",
+            message: "Package metadata is incomplete or uses a non-canonical repository reference.",
+        };
+    }
+    return null;
+}

package/dist/risk/signals/mutable-source.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskInput } from "../types.js";
+export declare function detectMutableSourceRisk(input: RiskInput): RiskFactor | null;

package/dist/risk/signals/mutable-source.js

@@ -0,0 +1,24 @@
+const MUTABLE_PATTERNS = [
+    "git+",
+    "github:",
+    "gitlab:",
+    "http://",
+    "https://",
+    "git://",
+];
+export function detectMutableSourceRisk(input) {
+    const raw = input.update.fromRange;
+    if (!MUTABLE_PATTERNS.some((pattern) => raw.startsWith(pattern))) {
+        return null;
+    }
+    const immutableCommitPinned = /#[a-f0-9]{7,40}$/i.test(raw);
+    if (immutableCommitPinned) {
+        return null;
+    }
+    return {
+        code: "mutable-source",
+        weight: 25,
+        category: "behavioral-risk",
+        message: "Dependency uses a mutable git/http source without an immutable commit pin.",
+    };
+}

package/dist/risk/signals/typosquat.d.ts

@@ -0,0 +1,3 @@
+import type { RiskFactor } from "../../types/index.js";
+import type { RiskContext, RiskInput } from "../types.js";
+export declare function detectTyposquatRisk(input: RiskInput, context: RiskContext): RiskFactor | null;

package/dist/risk/signals/typosquat.js

@@ -0,0 +1,70 @@
+const HIGH_VALUE_PACKAGES = [
+    "react",
+    "react-dom",
+    "next",
+    "typescript",
+    "lodash",
+    "axios",
+    "zod",
+    "vite",
+    "eslint",
+    "express",
+];
+export function detectTyposquatRisk(input, context) {
+    const target = normalizeName(input.update.name);
+    if (target.length < 4)
+        return null;
+    const candidates = new Set([
+        ...HIGH_VALUE_PACKAGES,
+        ...Array.from(context.knownPackageNames),
+    ]);
+    for (const candidate of candidates) {
+        const normalizedCandidate = normalizeName(candidate);
+        if (!normalizedCandidate || normalizedCandidate === target)
+            continue;
+        if (Math.abs(normalizedCandidate.length - target.length) > 1)
+            continue;
+        if (isTransposition(normalizedCandidate, target) || levenshtein(normalizedCandidate, target) === 1) {
+            return {
+                code: "typosquat-heuristic",
+                weight: 25,
+                category: "behavioral-risk",
+                message: `Package name is highly similar to "${candidate}", which may indicate typosquatting.`,
+            };
+        }
+    }
+    return null;
+}
+function normalizeName(value) {
+    const trimmed = value.startsWith("@") ? value.split("/")[1] ?? value : value;
+    return trimmed.replace(/[^a-z0-9]/gi, "").toLowerCase();
+}
+function isTransposition(left, right) {
+    if (left.length !== right.length || left === right)
+        return false;
+    const mismatches = [];
+    for (let index = 0; index < left.length; index += 1) {
+        if (left[index] !== right[index])
+            mismatches.push(index);
+        if (mismatches.length > 2)
+            return false;
+    }
+    if (mismatches.length !== 2)
+        return false;
+    const [first, second] = mismatches;
+    return left[first] === right[second] && left[second] === right[first];
+}
+function levenshtein(left, right) {
+    const matrix = Array.from({ length: left.length + 1 }, () => Array(right.length + 1).fill(0));
+    for (let i = 0; i <= left.length; i += 1)
+        matrix[i][0] = i;
+    for (let j = 0; j <= right.length; j += 1)
+        matrix[0][j] = j;
+    for (let i = 1; i <= left.length; i += 1) {
+        for (let j = 1; j <= right.length; j += 1) {
+            const cost = left[i - 1] === right[j - 1] ? 0 : 1;
+            matrix[i][j] = Math.min(matrix[i - 1][j] + 1, matrix[i][j - 1] + 1, matrix[i - 1][j - 1] + cost);
+        }
+    }
+    return matrix[left.length][right.length];
+}

package/dist/risk/types.d.ts

@@ -0,0 +1,15 @@
+import type { HealthResult, PackageUpdate, PeerConflict, RiskAssessment, UnusedDependency, CveAdvisory } from "../types/index.js";
+export interface RiskInput {
+    update: PackageUpdate;
+    advisories: CveAdvisory[];
+    health?: HealthResult["metrics"][number];
+    peerConflicts: PeerConflict[];
+    licenseViolation: boolean;
+    unusedIssues: UnusedDependency[];
+}
+export interface RiskContext {
+    knownPackageNames: ReadonlySet<string>;
+}
+export interface RiskSignalResult {
+    assessment: RiskAssessment;
+}

package/dist/risk/types.js

@@ -0,0 +1 @@
+export {};

package/dist/types/index.d.ts

@@ -3,6 +3,10 @@ export type TargetLevel = "patch" | "minor" | "major" | "latest";
 export type GroupBy = "none" | "name" | "scope" | "kind" | "risk";
 export type CiProfile = "minimal" | "strict" | "enterprise";
 export type LockfileMode = "preserve" | "update" | "error";
+export type Verdict = "safe" | "review" | "blocked" | "actionable";
+export type RiskLevel = "critical" | "high" | "medium" | "low";
+export type RiskCategory = "known-vulnerability" | "behavioral-risk" | "operational-health";
+export type MaintainerChurnStatus = "unknown" | "stable" | "elevated-change";
 export type OutputFormat = "table" | "json" | "minimal" | "github" | "metrics";
 export type FailOnLevel = "none" | "patch" | "minor" | "major" | "any";
 export type LogLevel = "error" | "warn" | "info" | "debug";
@@ -44,6 +48,9 @@ export interface RunOptions {
     onlyChanged: boolean;
     ciProfile: CiProfile;
     lockfileMode: LockfileMode;
+    interactive: boolean;
+    showImpact: boolean;
+    showHomepage: boolean;
 }
 export interface CheckOptions extends RunOptions {
 }
@@ -86,6 +93,21 @@ export interface PackageUpdate {
     reason?: string;
     impactScore?: ImpactScore;
     homepage?: string;
+    repository?: string;
+    publishedAt?: string;
+    publishAgeDays?: number | null;
+    hasInstallScript?: boolean;
+    maintainerCount?: number | null;
+    maintainerChurn?: MaintainerChurnStatus;
+    riskLevel?: RiskLevel;
+    riskScore?: number;
+    riskReasons?: string[];
+    riskCategories?: RiskCategory[];
+    recommendedAction?: string;
+    advisoryCount?: number;
+    peerConflictSeverity?: "none" | PeerConflictSeverity;
+    licenseStatus?: "allowed" | "review" | "denied";
+    healthStatus?: "healthy" | HealthFlag;
 }
 export interface Summary {
     contractVersion: "2";
@@ -126,6 +148,13 @@ export interface Summary {
     prLimitHit: boolean;
     streamedEvents: number;
     policyOverridesApplied: number;
+    verdict?: Verdict;
+    interactiveSession?: boolean;
+    riskPackages?: number;
+    securityPackages?: number;
+    peerConflictPackages?: number;
+    licenseViolationPackages?: number;
+    privateRegistryPackages?: number;
 }
 export interface CheckResult {
     projectPath: string;
@@ -303,6 +332,62 @@ export interface ResolveResult {
     errors: string[];
     warnings: string[];
 }
+export interface RiskSignal {
+    packageName: string;
+    code: string;
+    weight: number;
+    category: RiskCategory;
+    level: RiskLevel;
+    reasons: string[];
+}
+export interface RiskFactor {
+    code: string;
+    weight: number;
+    category: RiskCategory;
+    message: string;
+}
+export interface RiskAssessment {
+    score: number;
+    level: RiskLevel;
+    reasons: string[];
+    categories: RiskCategory[];
+    recommendedAction: string;
+    factors: RiskFactor[];
+}
+export interface ReviewItem {
+    update: PackageUpdate;
+    advisories: CveAdvisory[];
+    health?: PackageHealthMetric;
+    peerConflicts: PeerConflict[];
+    license?: PackageLicense;
+    unusedIssues: UnusedDependency[];
+    selected: boolean;
+}
+export interface ReviewResult {
+    projectPath: string;
+    target: TargetLevel;
+    summary: Summary;
+    items: ReviewItem[];
+    updates: PackageUpdate[];
+    errors: string[];
+    warnings: string[];
+}
+export interface ReviewOptions extends CheckOptions {
+    securityOnly: boolean;
+    risk?: RiskLevel;
+    diff?: TargetLevel;
+    applySelected: boolean;
+}
+export interface DoctorOptions extends CheckOptions {
+    verdictOnly: boolean;
+}
+export interface DoctorResult {
+    verdict: Verdict;
+    summary: Summary;
+    review: ReviewResult;
+    primaryFindings: string[];
+    recommendedCommand: string;
+}
 export type UnusedKind = "declared-not-imported" | "imported-not-declared";
 export interface UnusedDependency {
     name: string;

package/dist/ui/tui.d.ts

@@ -1,6 +1,2 @@
 import type { PackageUpdate } from "../types/index.js";
-export declare function VersionDiff({ from, to }: {
-    from: string;
-    to: string;
-}): import("react/jsx-runtime").JSX.Element;
 export declare function runTui(updates: PackageUpdate[]): Promise<PackageUpdate[]>;