@rainy-updates/cli 0.5.7 → 0.6.0

package/dist/cache/cache.js

@@ -1,7 +1,7 @@
-import { promises as fs } from "node:fs";
-import os from "node:os";
 import path from "node:path";
-import process from "node:process";
+import { writeFileAtomic } from "../utils/io.js";
+import { getCacheDir } from "../utils/runtime-paths.js";
+import { readEnv } from "../utils/runtime.js";
 class FileCacheStore {
     filePath;
     constructor(filePath) {
@@ -15,19 +15,19 @@ class FileCacheStore {
             return null;
         return {
             ...entry,
-            availableVersions: Array.isArray(entry.availableVersions) ? entry.availableVersions : [entry.latestVersion],
+            availableVersions: Array.isArray(entry.availableVersions)
+                ? entry.availableVersions
+                : [entry.latestVersion],
         };
     }
     async set(entry) {
         const entries = await this.readEntries();
         entries[this.getKey(entry.packageName, entry.target)] = entry;
-        await fs.mkdir(path.dirname(this.filePath), { recursive: true });
-        await fs.writeFile(this.filePath, JSON.stringify(entries), "utf8");
+        await writeFileAtomic(this.filePath, JSON.stringify(entries));
     }
     async readEntries() {
         try {
-            const content = await fs.readFile(this.filePath, "utf8");
-            return JSON.parse(content);
+            return (await Bun.file(this.filePath).json());
         }
         catch {
             return {};
@@ -93,7 +93,9 @@ class SqliteCacheStore {
     }
     ensureSchema() {
         try {
-            const columns = this.db.prepare("PRAGMA table_info(versions);").all();
+            const columns = this.db
+                .prepare("PRAGMA table_info(versions);")
+                .all();
             const hasAvailableVersions = columns.some((column) => column.name === "available_versions");
             if (!hasAvailableVersions) {
                 this.db.exec("ALTER TABLE versions ADD COLUMN available_versions TEXT;");
@@ -117,8 +119,8 @@ export class VersionCache {
         this.fallbackReason = fallbackReason;
     }
     static async create(customPath) {
-        const basePath = customPath ?? path.join(os.homedir(), ".cache", "rainy-updates");
-        if (process.env.RAINY_UPDATES_CACHE_BACKEND === "file") {
+        const basePath = customPath ?? getCacheDir();
+        if (readEnv("RAINY_UPDATES_CACHE_BACKEND") === "file") {
             const jsonPath = path.join(basePath, "cache.json");
             return new VersionCache(new FileCacheStore(jsonPath), "file", true, "forced via RAINY_UPDATES_CACHE_BACKEND=file");
         }

package/dist/commands/audit/parser.js

@@ -1,5 +1,5 @@
 import path from "node:path";
-import process from "node:process";
+import { getRuntimeCwd } from "../../utils/runtime.js";
 const SEVERITY_LEVELS = ["critical", "high", "medium", "low"];
 const SOURCE_MODES = ["auto", "osv", "github", "all"];
 export function parseSeverity(value) {
@@ -10,7 +10,7 @@ export function parseSeverity(value) {
 }
 export function parseAuditArgs(args) {
     const options = {
-        cwd: process.cwd(),
+        cwd: getRuntimeCwd(),
         workspace: false,
         severity: undefined,
         fix: false,

package/dist/commands/audit/runner.js

@@ -1,10 +1,9 @@
-import { spawn } from "node:child_process";
-import { promises as fs } from "node:fs";
-import path from "node:path";
 import { collectDependencies, readManifest, } from "../../parsers/package-json.js";
+import { detectPackageManager as detectProjectPackageManager, resolvePackageManager, } from "../../pm/detect.js";
 import { discoverPackageDirs } from "../../workspace/discover.js";
 import { writeFileAtomic } from "../../utils/io.js";
 import { stableStringify } from "../../utils/stable-json.js";
+import { writeStderr, writeStdout } from "../../utils/runtime.js";
 import { fetchAdvisories } from "./fetcher.js";
 import { resolveAuditTargets } from "./targets.js";
 import { filterBySeverity, buildPatchMap, renderAuditSourceHealth, renderAuditSummary, renderAuditTable, summarizeAdvisories, } from "./mapper.js";
@@ -55,7 +54,7 @@ export async function runAudit(options) {
         return result;
     }
     if (!options.silent) {
-        process.stderr.write(`[audit] Querying ${describeSourceMode(options.sourceMode)} for ${targetResolution.targets.length} dependency version${targetResolution.targets.length === 1 ? "" : "s"}...\n`);
+        writeStderr(`[audit] Querying ${describeSourceMode(options.sourceMode)} for ${targetResolution.targets.length} dependency version${targetResolution.targets.length === 1 ? "" : "s"}...\n`);
     }
     const fetched = await fetchAdvisories(targetResolution.targets, {
         concurrency: options.concurrency,
@@ -81,12 +80,12 @@ export async function runAudit(options) {
     result.autoFixable = advisories.filter((a) => a.patchedVersion !== null).length;
     if (!options.silent) {
         if (options.reportFormat === "summary") {
-            process.stdout.write(renderAuditSummary(result.packages) +
+            writeStdout(renderAuditSummary(result.packages) +
                 renderAuditSourceHealth(result.sourceHealth) +
                 "\n");
         }
         else if (options.reportFormat === "table" || !options.jsonFile) {
-            process.stdout.write(renderAuditTable(advisories) +
+            writeStdout(renderAuditTable(advisories) +
                 renderAuditSourceHealth(result.sourceHealth) +
                 "\n");
         }
@@ -102,7 +101,7 @@ export async function runAudit(options) {
             warnings: result.warnings,
         }, 2) + "\n");
         if (!options.silent) {
-            process.stderr.write(`[audit] JSON report written to ${options.jsonFile}\n`);
+            writeStderr(`[audit] JSON report written to ${options.jsonFile}\n`);
         }
     }
     if (options.fix && result.autoFixable > 0) {
@@ -122,40 +121,41 @@ async function applyFix(advisories, options) {
     const patchMap = buildPatchMap(advisories);
     if (patchMap.size === 0)
         return;
-    const pm = await detectPackageManager(options.cwd, options.packageManager);
+    const detected = await detectProjectPackageManager(options.cwd);
+    const pm = resolvePackageManager(options.packageManager, detected);
     const installArgs = buildInstallArgs(pm, patchMap);
     const installCmd = `${pm} ${installArgs.join(" ")}`;
     if (options.dryRun) {
         if (!options.silent) {
-            process.stderr.write(`[audit] --dry-run: would execute:\n  ${installCmd}\n`);
+            writeStderr(`[audit] --dry-run: would execute:\n  ${installCmd}\n`);
             if (options.commit) {
                 const msg = buildCommitMessage(patchMap);
-                process.stderr.write(`[audit] --dry-run: would commit:\n  git commit -m "${msg}"\n`);
+                writeStderr(`[audit] --dry-run: would commit:\n  git commit -m "${msg}"\n`);
             }
         }
         return;
     }
     if (!options.silent) {
-        process.stderr.write(`[audit] Applying ${patchMap.size} fix(es)...\n`);
-        process.stderr.write(`  → ${installCmd}\n`);
+        writeStderr(`[audit] Applying ${patchMap.size} fix(es)...\n`);
+        writeStderr(`  → ${installCmd}\n`);
     }
     try {
         await runCommand(pm, installArgs, options.cwd);
     }
     catch (err) {
         if (!options.silent) {
-            process.stderr.write(`[audit] Install failed: ${String(err)}\n`);
+            writeStderr(`[audit] Install failed: ${String(err)}\n`);
         }
         return;
     }
     if (!options.silent) {
-        process.stderr.write(`[audit] ✔ Patches applied successfully.\n`);
+        writeStderr(`[audit] ✔ Patches applied successfully.\n`);
     }
     if (options.commit) {
         await commitFix(patchMap, options.cwd, options.silent);
     }
     else if (!options.silent) {
-        process.stderr.write(`[audit] Tip: run with --commit to automatically commit the changes.\n`);
+        writeStderr(`[audit] Tip: run with --commit to automatically commit the changes.\n`);
     }
 }
 function buildInstallArgs(pm, patchMap) {
@@ -205,48 +205,29 @@ function buildCommitMessage(patchMap) {
     const names = items.map(([n]) => n).join(", ");
     return `fix(security): patch ${items.length} vulnerabilities — ${names} (rup audit)`;
 }
-/** Detects the package manager in use by checking for lockfiles. */
-async function detectPackageManager(cwd, explicit) {
-    if (explicit !== "auto")
-        return explicit;
-    const checks = [
-        ["bun.lock", "bun"],
-        ["bun.lockb", "bun"],
-        ["pnpm-lock.yaml", "pnpm"],
-        ["yarn.lock", "yarn"],
-    ];
-    for (const [lockfile, pm] of checks) {
-        try {
-            await fs.access(path.join(cwd, lockfile));
-            return pm;
-        }
-        catch {
-            // not found, try next
-        }
-    }
-    return "npm"; // default
-}
 /** Spawns a subprocess, pipes stdio live to the terminal. */
 function runCommand(cmd, args, cwd, ignoreErrors = false) {
-    return new Promise((resolve, reject) => {
-        const child = spawn(cmd, args, {
-            cwd,
-            stdio: "inherit", // stream stdout/stderr live
-            shell: process.platform === "win32",
-        });
-        child.on("close", (code) => {
+    return new Promise(async (resolve, reject) => {
+        try {
+            const proc = Bun.spawn([cmd, ...args], {
+                cwd,
+                stdin: "inherit",
+                stdout: "inherit",
+                stderr: "inherit",
+            });
+            const code = await proc.exited;
             if (code === 0 || ignoreErrors) {
                 resolve();
             }
             else {
                 reject(new Error(`${cmd} exited with code ${code}`));
             }
-        });
-        child.on("error", (err) => {
+        }
+        catch (err) {
             if (ignoreErrors)
                 resolve();
             else
                 reject(err);
-        });
+        }
     });
 }

package/dist/commands/audit/targets.js

@@ -1,4 +1,3 @@
-import { promises as fs } from "node:fs";
 import path from "node:path";
 const LOCKFILE_PRIORITY = [
     "package-lock.json",
@@ -86,13 +85,9 @@ async function findNearestLockfiles(rootCwd, startDir) {
     while (true) {
         for (const fileName of LOCKFILE_PRIORITY) {
             const candidate = path.join(current, fileName);
-            try {
-                await fs.access(candidate);
+            if (await fileExists(candidate)) {
                 found.push(candidate);
             }
-            catch {
-                // ignore missing
-            }
         }
         if (current === rootCwd)
             break;
@@ -115,9 +110,6 @@ async function resolveFromPackageLock(lockfilePath, packageDir, packageName) {
         if (version)
             return version;
     }
-    if (!relDir) {
-        return parsed.dependencies?.[packageName]?.version ?? null;
-    }
     return parsed.dependencies?.[packageName]?.version ?? null;
 }
 async function resolveFromPnpmLock(lockfilePath, packageDir, packageName) {
@@ -149,8 +141,8 @@ async function resolveFromBunLock(lockfilePath, packageDir, packageName) {
 async function readPackageLock(lockfilePath) {
     let promise = packageLockCache.get(lockfilePath);
     if (!promise) {
-        promise = fs
-            .readFile(lockfilePath, "utf8")
+        promise = Bun.file(lockfilePath)
+            .text()
             .then((content) => JSON.parse(content));
         packageLockCache.set(lockfilePath, promise);
     }
@@ -159,7 +151,7 @@ async function readPackageLock(lockfilePath) {
 async function readPnpmLock(lockfilePath) {
     let promise = pnpmLockCache.get(lockfilePath);
     if (!promise) {
-        promise = fs.readFile(lockfilePath, "utf8").then(parsePnpmLock);
+        promise = Bun.file(lockfilePath).text().then(parsePnpmLock);
         pnpmLockCache.set(lockfilePath, promise);
     }
     return await promise;
@@ -167,7 +159,7 @@ async function readPnpmLock(lockfilePath) {
 async function readBunLock(lockfilePath) {
     let promise = bunLockCache.get(lockfilePath);
     if (!promise) {
-        promise = fs.readFile(lockfilePath, "utf8").then(parseBunLock);
+        promise = Bun.file(lockfilePath).text().then(parseBunLock);
         bunLockCache.set(lockfilePath, promise);
     }
     return await promise;
@@ -312,3 +304,11 @@ function normalizePnpmVersion(value) {
 function trimYamlKey(value) {
     return value.trim().replace(/^['"]|['"]$/g, "");
 }
+async function fileExists(filePath) {
+    try {
+        return await Bun.file(filePath).exists();
+    }
+    catch {
+        return false;
+    }
+}

package/dist/commands/bisect/oracle.js

@@ -1,5 +1,5 @@
-import { spawn } from "node:child_process";
 import path from "node:path";
+import { detectPackageManager, resolvePackageManager } from "../../pm/detect.js";
 /**
  * The "oracle" for bisect: installs a specific version of a package
  * into the project's node_modules (via the shell), then runs --cmd.
@@ -11,7 +11,9 @@ export async function bisectOracle(packageName, version, options) {
         process.stderr.write(`[bisect:dry-run] Would test ${packageName}@${version}\n`);
         return "skip";
     }
-    const installResult = await runShell(`npm install --no-save ${packageName}@${version}`, options.cwd);
+    const detected = await detectPackageManager(options.cwd);
+    const packageManager = resolvePackageManager("auto", detected, "bun");
+    const installResult = await runShell(buildInstallCommand(packageManager, packageName, version), options.cwd);
     if (installResult !== 0) {
         process.stderr.write(`[bisect] Failed to install ${packageName}@${version}, skipping.\n`);
         return "skip";
@@ -22,15 +24,30 @@ export async function bisectOracle(packageName, version, options) {
     process.stderr.write(`[bisect] ${packageName}@${version} → ${outcome}\n`);
     return outcome;
 }
-function runShell(command, cwd) {
-    return new Promise((resolve) => {
-        const [bin, ...args] = command.split(" ");
-        const child = spawn(bin, args, {
+async function runShell(command, cwd) {
+    try {
+        const shellCmd = process.env.SHELL || "sh";
+        const proc = Bun.spawn([shellCmd, "-c", command], {
             cwd: path.resolve(cwd),
-            shell: true,
-            stdio: "pipe",
+            stdout: "pipe",
+            stderr: "pipe",
         });
-        child.on("close", (code) => resolve(code ?? 1));
-        child.on("error", () => resolve(1));
-    });
+        return await proc.exited;
+    }
+    catch {
+        return 1;
+    }
+}
+function buildInstallCommand(packageManager, packageName, version) {
+    const spec = `${packageName}@${version}`;
+    switch (packageManager) {
+        case "bun":
+            return `bun add --exact --no-save ${spec}`;
+        case "pnpm":
+            return `pnpm add --save-exact --no-save ${spec}`;
+        case "yarn":
+            return `npm install --no-save --save-exact ${spec}`;
+        default:
+            return `npm install --no-save --save-exact ${spec}`;
+    }
 }

package/dist/commands/bisect/parser.js

@@ -1,11 +1,11 @@
 import path from "node:path";
-import process from "node:process";
+import { getRuntimeCwd } from "../../utils/runtime.js";
 export function parseBisectArgs(args) {
     const options = {
-        cwd: process.cwd(),
+        cwd: getRuntimeCwd(),
         packageName: "",
         versionRange: undefined,
-        testCommand: "npm test",
+        testCommand: "",
         concurrency: 4,
         registryTimeoutMs: 8000,
         cacheTtlSeconds: 3600,

package/dist/commands/bisect/runner.js

@@ -1,26 +1,33 @@
+import { detectPackageManager, resolvePackageManager } from "../../pm/detect.js";
 import { fetchBisectVersions, bisectVersions } from "./engine.js";
 /**
  * Entry point for the `bisect` command. Lazy-loaded by cli.ts.
  * Fully isolated: does NOT import anything from core/options.ts.
  */
 export async function runBisect(options) {
-    process.stderr.write(`\n[bisect] Fetching available versions for ${options.packageName}...\n`);
-    const versions = await fetchBisectVersions(options);
+    const detected = await detectPackageManager(options.cwd);
+    const runtimeOptions = {
+        ...options,
+        testCommand: options.testCommand ||
+            `${resolvePackageManager("auto", detected, "bun")} test`,
+    };
+    process.stderr.write(`\n[bisect] Fetching available versions for ${runtimeOptions.packageName}...\n`);
+    const versions = await fetchBisectVersions(runtimeOptions);
     if (versions.length === 0) {
-        throw new Error(`No versions found for package "${options.packageName}".`);
+        throw new Error(`No versions found for package "${runtimeOptions.packageName}".`);
     }
     process.stderr.write(`[bisect] Found ${versions.length} versions. Starting binary search...\n`);
-    if (options.versionRange) {
-        process.stderr.write(`[bisect] Range: ${options.versionRange}\n`);
+    if (runtimeOptions.versionRange) {
+        process.stderr.write(`[bisect] Range: ${runtimeOptions.versionRange}\n`);
     }
-    const result = await bisectVersions(versions, options);
+    const result = await bisectVersions(versions, runtimeOptions);
     if (result.breakingVersion) {
-        process.stdout.write(`\n✖ Break introduced in ${options.packageName}@${result.breakingVersion}\n` +
+        process.stdout.write(`\n✖ Break introduced in ${runtimeOptions.packageName}@${result.breakingVersion}\n` +
             `  Last good version: ${result.lastGoodVersion ?? "none"}\n` +
             `  Tested: ${result.totalVersionsTested} versions in ${result.iterations} iterations\n`);
     }
     else {
-        process.stdout.write(`\n✔ No breaking version found for ${options.packageName} (all versions passed).\n` +
+        process.stdout.write(`\n✔ No breaking version found for ${runtimeOptions.packageName} (all versions passed).\n` +
             `  Tested: ${result.totalVersionsTested} versions\n`);
     }
     return result;

package/dist/commands/changelog/fetcher.js

@@ -1,12 +1,12 @@
-import os from "node:os";
+import { mkdir } from "node:fs/promises";
 import path from "node:path";
-import { promises as fs } from "node:fs";
+import { getCacheDir } from "../../utils/runtime-paths.js";
 const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
 class ChangelogCache {
     db = null;
     dbPath;
     constructor() {
-        const basePath = path.join(os.homedir(), ".cache", "rainy-updates");
+        const basePath = getCacheDir();
         this.dbPath = path.join(basePath, "cache.db");
     }
     async init() {
@@ -14,7 +14,7 @@ class ChangelogCache {
             return;
         try {
             if (typeof Bun !== "undefined") {
-                await fs.mkdir(path.dirname(this.dbPath), { recursive: true });
+                await mkdir(path.dirname(this.dbPath), { recursive: true });
                 const mod = await import("bun:sqlite");
                 this.db = new mod.Database(this.dbPath, { create: true });
                 this.db.exec(`
@@ -111,7 +111,7 @@ export async function fetchChangelog(packageName, repositoryUrl) {
             if (contentsRes.ok) {
                 const fileContent = await contentsRes.json();
                 if (fileContent.content && fileContent.encoding === "base64") {
-                    content = Buffer.from(fileContent.content, "base64").toString("utf-8");
+                    content = decodeBase64Utf8(fileContent.content);
                 }
             }
         }
@@ -128,3 +128,9 @@ export async function fetchChangelog(packageName, repositoryUrl) {
         return null;
     }
 }
+function decodeBase64Utf8(value) {
+    const normalized = value.replace(/\s+/g, "");
+    const binary = atob(normalized);
+    const bytes = Uint8Array.from(binary, (char) => char.charCodeAt(0));
+    return new TextDecoder().decode(bytes);
+}

package/dist/commands/dashboard/parser.js

@@ -1,7 +1,10 @@
+import path from "node:path";
 export function parseDashboardArgs(args) {
     const options = {
         cwd: process.cwd(),
         target: "latest",
+        filter: undefined,
+        reject: undefined,
         includeKinds: [
             "dependencies",
             "devDependencies",
@@ -12,19 +15,44 @@ export function parseDashboardArgs(args) {
         ci: false,
         format: "table",
         workspace: false,
+        jsonFile: undefined,
+        githubOutputFile: undefined,
+        sarifFile: undefined,
         concurrency: 16,
         registryTimeoutMs: 8000,
         registryRetries: 3,
         offline: false,
         stream: false,
+        policyFile: undefined,
+        prReportFile: undefined,
+        failOn: "none",
+        maxUpdates: undefined,
+        fixPr: false,
+        fixBranch: "chore/rainy-updates",
+        fixCommitMessage: undefined,
+        fixDryRun: false,
+        fixPrNoCheckout: false,
+        fixPrBatchSize: undefined,
+        noPrReport: false,
         logLevel: "info",
         groupBy: "none",
+        groupMax: undefined,
+        cooldownDays: undefined,
+        prLimit: undefined,
         onlyChanged: false,
         ciProfile: "minimal",
         lockfileMode: "preserve",
         interactive: true,
         showImpact: false,
         showHomepage: true,
+        mode: "review",
+        focus: "all",
+        applySelected: false,
+        decisionPlanFile: undefined,
+        verify: "none",
+        testCommand: undefined,
+        verificationReportFile: undefined,
+        ciGate: "check",
     };
     for (let i = 0; i < args.length; i++) {
         const arg = args[i];
@@ -44,16 +72,90 @@ export function parseDashboardArgs(args) {
         if (arg === "--view") {
             throw new Error("Missing value for --view");
         }
+        if (arg === "--mode" && nextArg) {
+            if (nextArg === "check" ||
+                nextArg === "review" ||
+                nextArg === "upgrade") {
+                options.mode = nextArg;
+                i++;
+                continue;
+            }
+            throw new Error(`Invalid --mode: ${nextArg}`);
+        }
+        if (arg === "--mode") {
+            throw new Error("Missing value for --mode");
+        }
+        if (arg === "--focus" && nextArg) {
+            if (nextArg === "all" ||
+                nextArg === "security" ||
+                nextArg === "risk" ||
+                nextArg === "major" ||
+                nextArg === "blocked" ||
+                nextArg === "workspace") {
+                options.focus = nextArg;
+                i++;
+                continue;
+            }
+            throw new Error(`Invalid --focus: ${nextArg}`);
+        }
+        if (arg === "--focus") {
+            throw new Error("Missing value for --focus");
+        }
+        if (arg === "--apply-selected") {
+            options.applySelected = true;
+            continue;
+        }
+        if (arg === "--verify" && nextArg) {
+            if (nextArg === "none" ||
+                nextArg === "install" ||
+                nextArg === "test" ||
+                nextArg === "install,test") {
+                options.verify = nextArg;
+                i++;
+                continue;
+            }
+            throw new Error(`Invalid --verify: ${nextArg}`);
+        }
+        if (arg === "--verify") {
+            throw new Error("Missing value for --verify");
+        }
+        if (arg === "--test-command" && nextArg) {
+            options.testCommand = nextArg;
+            i++;
+            continue;
+        }
+        if (arg === "--test-command") {
+            throw new Error("Missing value for --test-command");
+        }
+        if (arg === "--verification-report-file" && nextArg) {
+            options.verificationReportFile = path.resolve(options.cwd, nextArg);
+            i++;
+            continue;
+        }
+        if (arg === "--verification-report-file") {
+            throw new Error("Missing value for --verification-report-file");
+        }
+        if (arg === "--plan-file" && nextArg) {
+            options.decisionPlanFile = path.resolve(options.cwd, nextArg);
+            i++;
+            continue;
+        }
+        if (arg === "--plan-file") {
+            throw new Error("Missing value for --plan-file");
+        }
         // Pass through common workspace / cwd args
         if (arg === "--workspace") {
             options.workspace = true;
             continue;
         }
         if (arg === "--cwd" && nextArg) {
-            options.cwd = nextArg;
+            options.cwd = path.resolve(nextArg);
             i++;
             continue;
         }
+        if (arg.startsWith("-")) {
+            throw new Error(`Unknown dashboard option: ${arg}`);
+        }
     }
     return options;
 }

package/dist/commands/dashboard/runner.d.ts

@@ -1,2 +1,2 @@
-import type { DashboardOptions, DashboardResult } from "../../types/index.js";
-export declare function runDashboard(options: DashboardOptions): Promise<DashboardResult>;
+import type { DashboardOptions, DashboardResult, ReviewResult } from "../../types/index.js";
+export declare function runDashboard(options: DashboardOptions, prebuiltReview?: ReviewResult): Promise<DashboardResult>;