npm - @rainy-updates/cli - Versions diffs - 0.5.6 → 0.6.0 - Mend

@rainy-updates/cli 0.5.6 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (102) hide show

package/CHANGELOG.md +133 -0
package/README.md +90 -31
package/dist/bin/cli.js +24 -482
package/dist/bin/dispatch.d.ts +16 -0
package/dist/bin/dispatch.js +147 -0
package/dist/bin/help.d.ts +1 -0
package/dist/bin/help.js +314 -0
package/dist/cache/cache.js +13 -11
package/dist/commands/audit/parser.js +2 -2
package/dist/commands/audit/runner.js +27 -46
package/dist/commands/audit/targets.js +13 -13
package/dist/commands/bisect/oracle.js +28 -11
package/dist/commands/bisect/parser.js +3 -3
package/dist/commands/bisect/runner.js +15 -8
package/dist/commands/changelog/fetcher.js +11 -5
package/dist/commands/dashboard/parser.js +103 -1
package/dist/commands/dashboard/runner.d.ts +2 -2
package/dist/commands/dashboard/runner.js +67 -37
package/dist/commands/doctor/parser.js +15 -4
package/dist/commands/doctor/runner.js +6 -3
package/dist/commands/ga/parser.js +4 -4
package/dist/commands/ga/runner.js +13 -7
package/dist/commands/health/parser.js +2 -2
package/dist/commands/licenses/runner.js +4 -4
package/dist/commands/resolve/runner.js +9 -4
package/dist/commands/review/parser.js +57 -4
package/dist/commands/review/runner.js +31 -5
package/dist/commands/snapshot/runner.js +17 -17
package/dist/commands/snapshot/store.d.ts +0 -12
package/dist/commands/snapshot/store.js +26 -38
package/dist/commands/unused/runner.js +6 -7
package/dist/commands/unused/scanner.js +17 -20
package/dist/config/loader.d.ts +2 -2
package/dist/config/loader.js +2 -5
package/dist/config/policy.js +20 -11
package/dist/core/analysis/options.d.ts +6 -0
package/dist/core/analysis/options.js +69 -0
package/dist/core/analysis/review-items.d.ts +4 -0
package/dist/core/analysis/review-items.js +128 -0
package/dist/core/analysis/run-silenced.d.ts +1 -0
package/dist/core/analysis/run-silenced.js +13 -0
package/dist/core/analysis-bundle.js +3 -211
package/dist/core/artifacts.js +6 -5
package/dist/core/baseline.js +3 -5
package/dist/core/check.js +2 -2
package/dist/core/ci.js +52 -1
package/dist/core/decision-plan.d.ts +14 -0
package/dist/core/decision-plan.js +107 -0
package/dist/core/doctor/findings.d.ts +2 -0
package/dist/core/doctor/findings.js +166 -0
package/dist/core/doctor/render.d.ts +3 -0
package/dist/core/doctor/render.js +44 -0
package/dist/core/doctor/result.d.ts +2 -0
package/dist/core/doctor/result.js +58 -0
package/dist/core/doctor/score.d.ts +5 -0
package/dist/core/doctor/score.js +28 -0
package/dist/core/fix-pr-batch.js +38 -28
package/dist/core/fix-pr.js +27 -24
package/dist/core/init-ci.js +25 -21
package/dist/core/options.js +95 -4
package/dist/core/review-model.d.ts +3 -3
package/dist/core/review-model.js +6 -67
package/dist/core/review-verdict.d.ts +2 -0
package/dist/core/review-verdict.js +14 -0
package/dist/core/summary.js +12 -0
package/dist/core/upgrade.js +64 -2
package/dist/core/verification.d.ts +2 -0
package/dist/core/verification.js +106 -0
package/dist/core/warm-cache.js +2 -2
package/dist/output/format.js +22 -0
package/dist/output/github.js +10 -0
package/dist/output/sarif.js +16 -12
package/dist/parsers/package-json.js +2 -4
package/dist/pm/detect.d.ts +3 -1
package/dist/pm/detect.js +24 -12
package/dist/pm/install.d.ts +2 -1
package/dist/pm/install.js +15 -16
package/dist/registry/npm.js +34 -76
package/dist/rup +0 -0
package/dist/types/index.d.ts +104 -5
package/dist/ui/tui.d.ts +4 -1
package/dist/ui/tui.js +5 -4
package/dist/utils/io.js +5 -6
package/dist/utils/lockfile.js +24 -19
package/dist/utils/runtime-paths.d.ts +4 -0
package/dist/utils/runtime-paths.js +35 -0
package/dist/utils/runtime.d.ts +7 -0
package/dist/utils/runtime.js +32 -0
package/dist/workspace/discover.js +55 -51
package/package.json +16 -16
package/dist/ui/dashboard/DashboardTUI.d.ts +0 -6
package/dist/ui/dashboard/DashboardTUI.js +0 -34
package/dist/ui/dashboard/components/DetailPanel.d.ts +0 -4
package/dist/ui/dashboard/components/DetailPanel.js +0 -30
package/dist/ui/dashboard/components/Footer.d.ts +0 -4
package/dist/ui/dashboard/components/Footer.js +0 -9
package/dist/ui/dashboard/components/Header.d.ts +0 -4
package/dist/ui/dashboard/components/Header.js +0 -12
package/dist/ui/dashboard/components/Sidebar.d.ts +0 -4
package/dist/ui/dashboard/components/Sidebar.js +0 -23
package/dist/ui/dashboard/store.d.ts +0 -34
package/dist/ui/dashboard/store.js +0 -148

package/dist/bin/dispatch.js ADDED Viewed

@@ -0,0 +1,147 @@
+import { check } from "../core/check.js";
+import { upgrade } from "../core/upgrade.js";
+import { warmCache } from "../core/warm-cache.js";
+import { runCi } from "../core/ci.js";
+import { initCiWorkflow } from "../core/init-ci.js";
+import { diffBaseline, saveBaseline } from "../core/baseline.js";
+import { setRuntimeExitCode, writeStdout, } from "../utils/runtime.js";
+export async function handleDirectCommand(parsed) {
+    if (parsed.command === "init-ci") {
+        const workflow = await initCiWorkflow(parsed.options.cwd, parsed.options.force, {
+            mode: parsed.options.mode,
+            schedule: parsed.options.schedule,
+        });
+        writeStdout(workflow.created
+            ? `Created CI workflow at ${workflow.path}\n`
+            : `CI workflow already exists at ${workflow.path}. Use --force to overwrite.\n`);
+        return true;
+    }
+    if (parsed.command === "baseline") {
+        if (parsed.options.action === "save") {
+            const saved = await saveBaseline(parsed.options);
+            writeStdout(`Saved baseline at ${saved.filePath} (${saved.entries} entries)\n`);
+            return true;
+        }
+        const diff = await diffBaseline(parsed.options);
+        const changes = diff.added.length + diff.removed.length + diff.changed.length;
+        if (changes === 0) {
+            writeStdout(`No baseline drift detected (${diff.filePath}).\n`);
+            return true;
+        }
+        writeStdout(`Baseline drift detected (${diff.filePath}).\n`);
+        if (diff.added.length > 0)
+            writeStdout(`Added: ${diff.added.length}\n`);
+        if (diff.removed.length > 0)
+            writeStdout(`Removed: ${diff.removed.length}\n`);
+        if (diff.changed.length > 0)
+            writeStdout(`Changed: ${diff.changed.length}\n`);
+        setRuntimeExitCode(1);
+        return true;
+    }
+    if (parsed.command === "bisect") {
+        const { runBisect } = await import("../commands/bisect/runner.js");
+        const result = await runBisect(parsed.options);
+        setRuntimeExitCode(result.breakingVersion ? 1 : 0);
+        return true;
+    }
+    if (parsed.command === "audit") {
+        const { runAudit } = await import("../commands/audit/runner.js");
+        const result = await runAudit(parsed.options);
+        setRuntimeExitCode(result.advisories.length > 0 ? 1 : 0);
+        return true;
+    }
+    if (parsed.command === "health") {
+        const { runHealth } = await import("../commands/health/runner.js");
+        const result = await runHealth(parsed.options);
+        setRuntimeExitCode(result.totalFlagged > 0 ? 1 : 0);
+        return true;
+    }
+    if (parsed.command === "unused") {
+        const { runUnused } = await import("../commands/unused/runner.js");
+        const result = await runUnused(parsed.options);
+        setRuntimeExitCode(result.totalUnused > 0 || result.totalMissing > 0 ? 1 : 0);
+        return true;
+    }
+    if (parsed.command === "resolve") {
+        const { runResolve } = await import("../commands/resolve/runner.js");
+        const result = await runResolve(parsed.options);
+        setRuntimeExitCode(result.errorConflicts > 0 ? 1 : 0);
+        return true;
+    }
+    if (parsed.command === "licenses") {
+        const { runLicenses } = await import("../commands/licenses/runner.js");
+        const result = await runLicenses(parsed.options);
+        setRuntimeExitCode(result.totalViolations > 0 ? 1 : 0);
+        return true;
+    }
+    if (parsed.command === "snapshot") {
+        const { runSnapshot } = await import("../commands/snapshot/runner.js");
+        const result = await runSnapshot(parsed.options);
+        setRuntimeExitCode(result.errors.length > 0 ? 1 : 0);
+        return true;
+    }
+    if (parsed.command === "review") {
+        const { runReview } = await import("../commands/review/runner.js");
+        const result = await runReview(parsed.options);
+        setRuntimeExitCode(result.summary.verdict === "blocked" ||
+            result.summary.verdict === "actionable" ||
+            result.summary.verdict === "review"
+            ? 1
+            : 0);
+        return true;
+    }
+    if (parsed.command === "doctor") {
+        const { runDoctor } = await import("../commands/doctor/runner.js");
+        const result = await runDoctor(parsed.options);
+        setRuntimeExitCode(result.verdict === "safe" ? 0 : 1);
+        return true;
+    }
+    if (parsed.command === "dashboard") {
+        const { runDashboard } = await import("../commands/dashboard/runner.js");
+        const result = await runDashboard(parsed.options);
+        setRuntimeExitCode(result.errors.length > 0 ? 1 : 0);
+        return true;
+    }
+    if (parsed.command === "ga") {
+        const { runGa } = await import("../commands/ga/runner.js");
+        const result = await runGa(parsed.options);
+        setRuntimeExitCode(result.ready ? 0 : 1);
+        return true;
+    }
+    if (parsed.options.interactive &&
+        (parsed.command === "check" ||
+            parsed.command === "upgrade" ||
+            parsed.command === "ci")) {
+        const { runDashboard } = await import("../commands/dashboard/runner.js");
+        const result = await runDashboard({
+            ...parsed.options,
+            mode: parsed.command === "upgrade" ? "upgrade" : "review",
+            focus: "all",
+            applySelected: parsed.command === "upgrade",
+        });
+        setRuntimeExitCode(result.errors.length > 0 ? 1 : 0);
+        return true;
+    }
+    return false;
+}
+export async function runPrimaryCommand(parsed) {
+    if (parsed.command === "upgrade") {
+        return upgrade(parsed.options);
+    }
+    if (parsed.command === "warm-cache") {
+        return warmCache(parsed.options);
+    }
+    if (parsed.command === "ci") {
+        return runCi(parsed.options);
+    }
+    if (parsed.options.fixPr) {
+        const upgradeOptions = {
+            ...parsed.options,
+            install: false,
+            packageManager: "auto",
+            sync: false,
+        };
+        return upgrade(upgradeOptions);
+    }
+    return check(parsed.options);
+}

package/dist/bin/help.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function renderHelp(command?: string): string;

package/dist/bin/help.js ADDED Viewed

@@ -0,0 +1,314 @@
+export function renderHelp(command) {
+    const isCommand = command && !command.startsWith("-");
+    if (isCommand && command === "check") {
+        return `rainy-updates check [options]
+Detect candidate dependency updates. This is the first step in the flow:
+  check detects
+  doctor summarizes
+  review decides
+  upgrade applies
+Options:
+  --workspace
+  --target patch|minor|major|latest
+  --filter <pattern>
+  --reject <pattern>
+  --dep-kinds deps,dev,optional,peer
+  --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>
+  --cache-ttl <seconds>
+  --stream
+  --policy-file <path>
+  --offline
+  --fix-pr
+  --fix-branch <name>
+  --fix-commit-message <text>
+  --fix-dry-run
+  --fix-pr-no-checkout
+  --fix-pr-batch-size <n>
+  --no-pr-report
+  --json-file <path>
+  --github-output <path>
+  --sarif-file <path>
+  --pr-report-file <path>
+  --fail-on none|patch|minor|major|any
+  --max-updates <n>
+  --group-by none|name|scope|kind|risk
+  --group-max <n>
+  --cooldown-days <n>
+  --pr-limit <n>
+  --only-changed
+  --interactive
+  --plan-file <path>
+  --verify none|install|test|install,test
+  --test-command <cmd>
+  --verification-report-file <path>
+  --show-impact
+  --show-links
+  --show-homepage
+  --lockfile-mode preserve|update|error
+  --log-level error|warn|info|debug
+  --ci`;
+    }
+    if (isCommand && command === "warm-cache") {
+        return `rainy-updates warm-cache [options]
+Pre-warm local metadata cache for faster CI checks.
+Options:
+  --workspace
+  --target patch|minor|major|latest
+  --filter <pattern>
+  --reject <pattern>
+  --dep-kinds deps,dev,optional,peer
+  --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>
+  --cache-ttl <seconds>
+  --offline
+  --stream
+  --json-file <path>
+  --github-output <path>
+  --sarif-file <path>
+  --pr-report-file <path>`;
+    }
+    if (isCommand && command === "upgrade") {
+        return `rainy-updates upgrade [options]
+Apply an approved change set to package.json manifests.
+Options:
+  --workspace
+  --sync
+  --install
+  --pm auto|bun|npm|pnpm|yarn
+  --target patch|minor|major|latest
+  --policy-file <path>
+  --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>
+  --fix-pr
+  --fix-branch <name>
+  --fix-commit-message <text>
+  --fix-dry-run
+  --fix-pr-no-checkout
+  --fix-pr-batch-size <n>
+  --interactive
+  --from-plan <path>
+  --verify none|install|test|install,test
+  --test-command <cmd>
+  --verification-report-file <path>
+  --lockfile-mode preserve|update|error
+  --no-pr-report
+  --json-file <path>
+  --pr-report-file <path>`;
+    }
+    if (isCommand && command === "ci") {
+        return `rainy-updates ci [options]
+Run CI-oriented automation around the same lifecycle:
+  check detects
+  doctor summarizes
+  review decides
+  upgrade applies
+Options:
+  --workspace
+  --mode minimal|strict|enterprise
+  --gate check|doctor|review|upgrade
+  --group-by none|name|scope|kind|risk
+  --group-max <n>
+  --cooldown-days <n>
+  --pr-limit <n>
+  --only-changed
+  --offline
+  --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>
+  --stream
+  --fix-pr
+  --fix-branch <name>
+  --fix-commit-message <text>
+  --fix-dry-run
+  --fix-pr-no-checkout
+  --fix-pr-batch-size <n>
+  --no-pr-report
+  --plan-file <path>
+  --verify none|install|test|install,test
+  --test-command <cmd>
+  --verification-report-file <path>
+  --json-file <path>
+  --github-output <path>
+  --sarif-file <path>
+  --pr-report-file <path>
+  --fail-on none|patch|minor|major|any
+  --max-updates <n>
+  --lockfile-mode preserve|update|error
+  --log-level error|warn|info|debug
+  --ci`;
+    }
+    if (isCommand && command === "init-ci") {
+        return `rainy-updates init-ci [options]
+Create a GitHub Actions workflow template at:
+  .github/workflows/rainy-updates.yml
+Options:
+  --force
+  --mode minimal|strict|enterprise
+  --schedule weekly|daily|off`;
+    }
+    if (isCommand && command === "baseline") {
+        return `rainy-updates baseline [options]
+Save or compare dependency baseline snapshots.
+Options:
+  --save
+  --check
+  --file <path>
+  --workspace
+  --dep-kinds deps,dev,optional,peer
+  --ci`;
+    }
+    if (isCommand && command === "audit") {
+        return `rainy-updates audit [options]
+Scan dependencies for CVEs using OSV.dev and GitHub Advisory Database.
+Options:
+  --workspace
+  --severity critical|high|medium|low
+  --summary
+  --report table|summary|json
+  --source auto|osv|github|all
+  --fix
+  --dry-run
+  --commit
+  --pm auto|npm|pnpm|bun|yarn
+  --json-file <path>
+  --concurrency <n>
+  --registry-timeout-ms <n>`;
+    }
+    if (isCommand && command === "review") {
+        return `rainy-updates review [options]
+Review is the decision center of Rainy Updates.
+Use it to inspect risk, security, peer, license, and policy context before applying changes.
+Options:
+  --workspace
+  --interactive
+  --security-only
+  --risk critical|high|medium|low
+  --diff patch|minor|major|latest
+  --apply-selected
+  --plan-file <path>
+  --show-changelog
+  --policy-file <path>
+  --json-file <path>
+  --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>`;
+    }
+    if (isCommand && command === "doctor") {
+        return `rainy-updates doctor [options]
+Produce a fast summary verdict and point the operator to review when action is needed.
+Options:
+  --workspace
+  --verdict-only
+  --include-changelog
+  --json-file <path>`;
+    }
+    if (isCommand && command === "dashboard") {
+        return `rainy-updates dashboard [options]
+Open the primary interactive dependency operations console.
+Options:
+  --workspace
+  --mode check|review|upgrade
+  --focus all|security|risk|major|blocked|workspace
+  --apply-selected
+  --plan-file <path>
+  --verify none|install|test|install,test
+  --test-command <cmd>
+  --verification-report-file <path>
+  --cwd <path>`;
+    }
+    if (isCommand && command === "ga") {
+        return `rainy-updates ga [options]
+Audit release and CI readiness for Rainy Updates.
+Options:
+  --workspace
+  --json-file <path>
+  --cwd <path>`;
+    }
+    return `rainy-updates (rup / rainy-up) <command> [options]
+Commands:
+  check       Detect candidate updates
+  doctor      Summarize what matters
+  review      Decide what to do
+  upgrade     Apply the approved change set
+  dashboard   Open the primary interactive dependency dashboard
+  ci          Run CI-focused orchestration
+  warm-cache  Warm local cache for fast/offline checks
+  init-ci     Scaffold GitHub Actions workflow
+  baseline    Save/check dependency baseline snapshots
+  audit       Scan dependencies for CVEs (OSV.dev + GitHub)
+  health      Detect stale/deprecated/unmaintained packages
+  bisect      Find which version of a dep introduced a failure
+  unused      Detect unused or missing npm dependencies
+  resolve     Check peer dependency conflicts (pure-TS, no subprocess)
+  licenses    Scan dependency licenses and generate SPDX SBOM
+  snapshot    Save, list, restore, and diff dependency state snapshots
+  ga          Audit GA and CI readiness for this checkout
+Global options:
+  --cwd <path>
+  --workspace
+  --target patch|minor|major|latest
+  --format table|json|minimal|github|metrics
+  --json-file <path>
+  --github-output <path>
+  --sarif-file <path>
+  --pr-report-file <path>
+  --policy-file <path>
+  --fail-on none|patch|minor|major|any
+  --max-updates <n>
+  --group-by none|name|scope|kind|risk
+  --group-max <n>
+  --cooldown-days <n>
+  --pr-limit <n>
+  --only-changed
+  --interactive
+  --show-impact
+  --show-links
+  --show-homepage
+  --mode minimal|strict|enterprise
+  --fix-pr
+  --fix-branch <name>
+  --fix-commit-message <text>
+  --fix-dry-run
+  --fix-pr-no-checkout
+  --fix-pr-batch-size <n>
+  --no-pr-report
+  --log-level error|warn|info|debug
+  --concurrency <n>
+  --registry-timeout-ms <n>
+  --registry-retries <n>
+  --cache-ttl <seconds>
+  --offline
+  --stream
+  --lockfile-mode preserve|update|error
+  --ci
+  --help, -h
+  --version, -v`;
+}

package/dist/cache/cache.js CHANGED Viewed

@@ -1,7 +1,7 @@
-import { promises as fs } from "node:fs";
-import os from "node:os";
 import path from "node:path";
-import process from "node:process";
+import { writeFileAtomic } from "../utils/io.js";
+import { getCacheDir } from "../utils/runtime-paths.js";
+import { readEnv } from "../utils/runtime.js";
 class FileCacheStore {
     filePath;
     constructor(filePath) {
@@ -15,19 +15,19 @@ class FileCacheStore {
             return null;
         return {
             ...entry,
-            availableVersions: Array.isArray(entry.availableVersions) ? entry.availableVersions : [entry.latestVersion],
+            availableVersions: Array.isArray(entry.availableVersions)
+                ? entry.availableVersions
+                : [entry.latestVersion],
         };
     }
     async set(entry) {
         const entries = await this.readEntries();
         entries[this.getKey(entry.packageName, entry.target)] = entry;
-        await fs.mkdir(path.dirname(this.filePath), { recursive: true });
-        await fs.writeFile(this.filePath, JSON.stringify(entries), "utf8");
+        await writeFileAtomic(this.filePath, JSON.stringify(entries));
     }
     async readEntries() {
         try {
-            const content = await fs.readFile(this.filePath, "utf8");
-            return JSON.parse(content);
+            return (await Bun.file(this.filePath).json());
         }
         catch {
             return {};
@@ -93,7 +93,9 @@ class SqliteCacheStore {
     }
     ensureSchema() {
         try {
-            const columns = this.db.prepare("PRAGMA table_info(versions);").all();
+            const columns = this.db
+                .prepare("PRAGMA table_info(versions);")
+                .all();
             const hasAvailableVersions = columns.some((column) => column.name === "available_versions");
             if (!hasAvailableVersions) {
                 this.db.exec("ALTER TABLE versions ADD COLUMN available_versions TEXT;");
@@ -117,8 +119,8 @@ export class VersionCache {
         this.fallbackReason = fallbackReason;
     }
     static async create(customPath) {
-        const basePath = customPath ?? path.join(os.homedir(), ".cache", "rainy-updates");
-        if (process.env.RAINY_UPDATES_CACHE_BACKEND === "file") {
+        const basePath = customPath ?? getCacheDir();
+        if (readEnv("RAINY_UPDATES_CACHE_BACKEND") === "file") {
             const jsonPath = path.join(basePath, "cache.json");
             return new VersionCache(new FileCacheStore(jsonPath), "file", true, "forced via RAINY_UPDATES_CACHE_BACKEND=file");
         }

package/dist/commands/audit/parser.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import path from "node:path";
-import process from "node:process";
+import { getRuntimeCwd } from "../../utils/runtime.js";
 const SEVERITY_LEVELS = ["critical", "high", "medium", "low"];
 const SOURCE_MODES = ["auto", "osv", "github", "all"];
 export function parseSeverity(value) {
@@ -10,7 +10,7 @@ export function parseSeverity(value) {
 }
 export function parseAuditArgs(args) {
     const options = {
-        cwd: process.cwd(),
+        cwd: getRuntimeCwd(),
         workspace: false,
         severity: undefined,
         fix: false,

package/dist/commands/audit/runner.js CHANGED Viewed

@@ -1,10 +1,9 @@
-import { spawn } from "node:child_process";
-import { promises as fs } from "node:fs";
-import path from "node:path";
 import { collectDependencies, readManifest, } from "../../parsers/package-json.js";
+import { detectPackageManager as detectProjectPackageManager, resolvePackageManager, } from "../../pm/detect.js";
 import { discoverPackageDirs } from "../../workspace/discover.js";
 import { writeFileAtomic } from "../../utils/io.js";
 import { stableStringify } from "../../utils/stable-json.js";
+import { writeStderr, writeStdout } from "../../utils/runtime.js";
 import { fetchAdvisories } from "./fetcher.js";
 import { resolveAuditTargets } from "./targets.js";
 import { filterBySeverity, buildPatchMap, renderAuditSourceHealth, renderAuditSummary, renderAuditTable, summarizeAdvisories, } from "./mapper.js";
@@ -55,7 +54,7 @@ export async function runAudit(options) {
         return result;
     }
     if (!options.silent) {
-        process.stderr.write(`[audit] Querying ${describeSourceMode(options.sourceMode)} for ${targetResolution.targets.length} dependency version${targetResolution.targets.length === 1 ? "" : "s"}...\n`);
+        writeStderr(`[audit] Querying ${describeSourceMode(options.sourceMode)} for ${targetResolution.targets.length} dependency version${targetResolution.targets.length === 1 ? "" : "s"}...\n`);
     }
     const fetched = await fetchAdvisories(targetResolution.targets, {
         concurrency: options.concurrency,
@@ -81,12 +80,12 @@ export async function runAudit(options) {
     result.autoFixable = advisories.filter((a) => a.patchedVersion !== null).length;
     if (!options.silent) {
         if (options.reportFormat === "summary") {
-            process.stdout.write(renderAuditSummary(result.packages) +
+            writeStdout(renderAuditSummary(result.packages) +
                 renderAuditSourceHealth(result.sourceHealth) +
                 "\n");
         }
         else if (options.reportFormat === "table" || !options.jsonFile) {
-            process.stdout.write(renderAuditTable(advisories) +
+            writeStdout(renderAuditTable(advisories) +
                 renderAuditSourceHealth(result.sourceHealth) +
                 "\n");
         }
@@ -102,7 +101,7 @@ export async function runAudit(options) {
             warnings: result.warnings,
         }, 2) + "\n");
         if (!options.silent) {
-            process.stderr.write(`[audit] JSON report written to ${options.jsonFile}\n`);
+            writeStderr(`[audit] JSON report written to ${options.jsonFile}\n`);
         }
     }
     if (options.fix && result.autoFixable > 0) {
@@ -122,40 +121,41 @@ async function applyFix(advisories, options) {
     const patchMap = buildPatchMap(advisories);
     if (patchMap.size === 0)
         return;
-    const pm = await detectPackageManager(options.cwd, options.packageManager);
+    const detected = await detectProjectPackageManager(options.cwd);
+    const pm = resolvePackageManager(options.packageManager, detected);
     const installArgs = buildInstallArgs(pm, patchMap);
     const installCmd = `${pm} ${installArgs.join(" ")}`;
     if (options.dryRun) {
         if (!options.silent) {
-            process.stderr.write(`[audit] --dry-run: would execute:\n  ${installCmd}\n`);
+            writeStderr(`[audit] --dry-run: would execute:\n  ${installCmd}\n`);
             if (options.commit) {
                 const msg = buildCommitMessage(patchMap);
-                process.stderr.write(`[audit] --dry-run: would commit:\n  git commit -m "${msg}"\n`);
+                writeStderr(`[audit] --dry-run: would commit:\n  git commit -m "${msg}"\n`);
             }
         }
         return;
     }
     if (!options.silent) {
-        process.stderr.write(`[audit] Applying ${patchMap.size} fix(es)...\n`);
-        process.stderr.write(`  → ${installCmd}\n`);
+        writeStderr(`[audit] Applying ${patchMap.size} fix(es)...\n`);
+        writeStderr(`  → ${installCmd}\n`);
     }
     try {
         await runCommand(pm, installArgs, options.cwd);
     }
     catch (err) {
         if (!options.silent) {
-            process.stderr.write(`[audit] Install failed: ${String(err)}\n`);
+            writeStderr(`[audit] Install failed: ${String(err)}\n`);
         }
         return;
     }
     if (!options.silent) {
-        process.stderr.write(`[audit] ✔ Patches applied successfully.\n`);
+        writeStderr(`[audit] ✔ Patches applied successfully.\n`);
     }
     if (options.commit) {
         await commitFix(patchMap, options.cwd, options.silent);
     }
     else if (!options.silent) {
-        process.stderr.write(`[audit] Tip: run with --commit to automatically commit the changes.\n`);
+        writeStderr(`[audit] Tip: run with --commit to automatically commit the changes.\n`);
     }
 }
 function buildInstallArgs(pm, patchMap) {
@@ -205,48 +205,29 @@ function buildCommitMessage(patchMap) {
     const names = items.map(([n]) => n).join(", ");
     return `fix(security): patch ${items.length} vulnerabilities — ${names} (rup audit)`;
 }
-/** Detects the package manager in use by checking for lockfiles. */
-async function detectPackageManager(cwd, explicit) {
-    if (explicit !== "auto")
-        return explicit;
-    const checks = [
-        ["bun.lock", "bun"],
-        ["bun.lockb", "bun"],
-        ["pnpm-lock.yaml", "pnpm"],
-        ["yarn.lock", "yarn"],
-    ];
-    for (const [lockfile, pm] of checks) {
-        try {
-            await fs.access(path.join(cwd, lockfile));
-            return pm;
-        }
-        catch {
-            // not found, try next
-        }
-    }
-    return "npm"; // default
-}
 /** Spawns a subprocess, pipes stdio live to the terminal. */
 function runCommand(cmd, args, cwd, ignoreErrors = false) {
-    return new Promise((resolve, reject) => {
-        const child = spawn(cmd, args, {
-            cwd,
-            stdio: "inherit", // stream stdout/stderr live
-            shell: process.platform === "win32",
-        });
-        child.on("close", (code) => {
+    return new Promise(async (resolve, reject) => {
+        try {
+            const proc = Bun.spawn([cmd, ...args], {
+                cwd,
+                stdin: "inherit",
+                stdout: "inherit",
+                stderr: "inherit",
+            });
+            const code = await proc.exited;
             if (code === 0 || ignoreErrors) {
                 resolve();
             }
             else {
                 reject(new Error(`${cmd} exited with code ${code}`));
             }
-        });
-        child.on("error", (err) => {
+        }
+        catch (err) {
             if (ignoreErrors)
                 resolve();
             else
                 reject(err);
-        });
+        }
     });
 }