@santi020k/dep-beacon-core 1.0.0

package/CHANGELOG.md

@@ -0,0 +1,7 @@
+# @santi020k/dep-beacon-core
+
+## 1.0.0
+
+### Major Changes
+
+- [`3de4494`](https://github.com/santi020k/dep-beacon/commit/3de4494e78654920f0dfe7d95b4f25c0eb53821b) Thanks [@santi020k](https://github.com/santi020k)! - Initial Dep Beacon release with npm manifest CodeLens, pnpm workspace catalog support, OSV security checks, docs, and VS Code packaging.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Santiago Molina
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,9 @@
+# @santi020k/dep-beacon-core
+
+Core analysis engine for Dep Beacon.
+
+```ts
+import { analyzeDependency, parseManifest } from '@santi020k/dep-beacon-core'
+```
+
+The package parses npm ecosystem manifests, resolves pnpm workspace catalog entries, calculates next minor, next major, and latest update targets, and can enrich results with OSV.dev vulnerability data.

package/dist/analyzer.d.ts

@@ -0,0 +1,12 @@
+import { OsvClient } from './osv.js';
+import { NpmRegistryClient } from './registry.js';
+import type { AnalyzeDependencyOptions, AnalyzeManyOptions, DependencyAnalysis, DependencyEntry, VulnerabilitySummary } from './types.js';
+export declare const analyzeDependency: (dependency: DependencyEntry, options?: AnalyzeDependencyOptions & {
+    registryClient?: NpmRegistryClient;
+    vulnerability?: VulnerabilitySummary;
+}) => Promise<DependencyAnalysis>;
+export declare const analyzeDependencies: (dependencies: readonly DependencyEntry[], options?: AnalyzeManyOptions & {
+    osvClient?: OsvClient;
+    registryClient?: NpmRegistryClient;
+}) => Promise<DependencyAnalysis[]>;
+//# sourceMappingURL=analyzer.d.ts.map

package/dist/analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAkB,SAAS,EAAE,MAAM,UAAU,CAAA;AACpD,OAAO,EAAuB,iBAAiB,EAAE,MAAM,eAAe,CAAA;AACtE,OAAO,KAAK,EACV,wBAAwB,EACxB,kBAAkB,EAClB,kBAAkB,EAClB,eAAe,EAMf,oBAAoB,EACrB,MAAM,YAAY,CAAA;AAwJnB,eAAO,MAAM,iBAAiB,GAC5B,YAAY,eAAe,EAC3B,UAAS,wBAAwB,GAAG;IAClC,cAAc,CAAC,EAAE,iBAAiB,CAAA;IAClC,aAAa,CAAC,EAAE,oBAAoB,CAAA;CAChC,KACL,OAAO,CAAC,kBAAkB,CAyC5B,CAAA;AAED,eAAO,MAAM,mBAAmB,GAC9B,cAAc,SAAS,eAAe,EAAE,EACxC,UAAS,kBAAkB,GAAG;IAC5B,SAAS,CAAC,EAAE,SAAS,CAAA;IACrB,cAAc,CAAC,EAAE,iBAAiB,CAAA;CAC9B,KACL,OAAO,CAAC,kBAAkB,EAAE,CAqC9B,CAAA"}

package/dist/analyzer.js

@@ -0,0 +1,154 @@
+import { getOsvQueryKey, OsvClient } from './osv.js';
+import { createNpmPackageUrl, NpmRegistryClient } from './registry.js';
+import { computeUpdateTargets, getDependencyStatus, getInvalidSpecMessage, normalizeDependencySpec, specLooksPublished, specSatisfiesLatest, } from './versions.js';
+const createProtocolAnalysis = (dependency, displaySpec, message) => ({
+    dependency,
+    displaySpec,
+    exists: true,
+    isLatestSatisfied: false,
+    message,
+    packageUrl: createNpmPackageUrl(dependency.packageName),
+    status: 'protocol',
+    targets: {},
+});
+const unsupportedProtocolMessage = (dependency) => dependency.spec.startsWith('catalog:')
+    ? 'This dependency uses a catalog reference that could not be resolved from pnpm-workspace.yaml.'
+    : 'This dependency uses a local, workspace, git, or URL protocol, so Dep Beacon does not query npm for it.';
+const createEmptyRangeAnalysis = (dependency, displaySpec, packageName) => ({
+    dependency,
+    displaySpec,
+    exists: false,
+    isLatestSatisfied: false,
+    message: 'This dependency has an empty version range.',
+    packageUrl: createNpmPackageUrl(packageName),
+    status: 'invalid',
+    targets: {},
+});
+const lookupFailureStatus = (error) => error.code === 'not-found' ? 'missing' : 'invalid';
+const createLookupFailureAnalysis = (dependency, displaySpec, packageName, error) => ({
+    dependency,
+    displaySpec,
+    exists: false,
+    isLatestSatisfied: false,
+    message: error.message,
+    packageUrl: createNpmPackageUrl(packageName),
+    status: lookupFailureStatus(error),
+    targets: {},
+});
+const createInvalidTargetAnalysis = (dependency, displaySpec, packageName, range, metadata, targets) => ({
+    dependency,
+    displaySpec,
+    exists: false,
+    isLatestSatisfied: false,
+    message: getInvalidSpecMessage(range),
+    packageUrl: createNpmPackageUrl(packageName),
+    registry: metadata,
+    status: 'invalid',
+    targets,
+});
+const withVulnerability = (analysis, vulnerability) => {
+    if (!vulnerability)
+        return analysis;
+    const status = getDependencyStatus({
+        exists: analysis.exists,
+        isLatestSatisfied: analysis.isLatestSatisfied,
+        statusBeforeVulnerability: analysis.status,
+        vulnerability,
+    });
+    const label = vulnerability.severity === 'unknown' ? 'known' : vulnerability.severity;
+    return {
+        ...analysis,
+        message: `${analysis.message} OSV reports ${label} vulnerability data for this version.`,
+        status,
+        vulnerability,
+    };
+};
+const createVersionMessage = (exists, isLatestSatisfied, latestMessage) => {
+    if (!exists)
+        return `The declared version floor is not published. ${latestMessage}`;
+    if (isLatestSatisfied)
+        return `Current range accepts the latest published version. ${latestMessage}`;
+    return `A newer version is available. ${latestMessage}`;
+};
+const createVersionAnalysis = (args) => {
+    const exists = specLooksPublished(args.range, args.metadata);
+    const isLatestSatisfied = specSatisfiesLatest(args.range, args.targets.latest, args.includePrerelease);
+    const status = getDependencyStatus({
+        exists,
+        isLatestSatisfied,
+        statusBeforeVulnerability: exists ? 'outdated' : 'missing',
+        vulnerability: args.vulnerability,
+    });
+    const latestMessage = args.targets.latest ? `Latest is ${args.targets.latest}.` : 'No latest npm version was found.';
+    const message = createVersionMessage(exists, isLatestSatisfied, latestMessage);
+    return withVulnerability({
+        dependency: args.dependency,
+        displaySpec: args.displaySpec,
+        exists,
+        isLatestSatisfied,
+        message,
+        packageUrl: createNpmPackageUrl(args.packageName),
+        registry: args.metadata,
+        status,
+        targets: args.targets,
+    }, args.vulnerability);
+};
+export const analyzeDependency = async (dependency, options = {}) => {
+    const normalized = normalizeDependencySpec(dependency, options.catalogSnapshot);
+    const includePrerelease = options.includePrerelease ?? false;
+    if (normalized.protocol === 'unsupported') {
+        return createProtocolAnalysis(dependency, normalized.displaySpec, unsupportedProtocolMessage(dependency));
+    }
+    const range = normalized.spec.trim();
+    if (range.length === 0) {
+        return createEmptyRangeAnalysis(dependency, normalized.displaySpec, normalized.packageName);
+    }
+    const registryClient = options.registryClient ?? new NpmRegistryClient({ registryUrl: options.registryUrl });
+    const lookup = await registryClient.getPackage(normalized.packageName);
+    if (!lookup.ok) {
+        return createLookupFailureAnalysis(dependency, normalized.displaySpec, normalized.packageName, lookup.error);
+    }
+    const targets = computeUpdateTargets(range, lookup.metadata, includePrerelease);
+    if (!targets.current) {
+        return createInvalidTargetAnalysis(dependency, normalized.displaySpec, normalized.packageName, range, lookup.metadata, targets);
+    }
+    return createVersionAnalysis({
+        dependency,
+        displaySpec: normalized.displaySpec,
+        includePrerelease,
+        metadata: lookup.metadata,
+        packageName: normalized.packageName,
+        range,
+        targets,
+        vulnerability: options.vulnerability,
+    });
+};
+export const analyzeDependencies = async (dependencies, options = {}) => {
+    const registryClient = options.registryClient ?? new NpmRegistryClient({ registryUrl: options.registryUrl });
+    const baseAnalyses = await Promise.all(dependencies.map((dependency) => analyzeDependency(dependency, {
+        ...options,
+        registryClient,
+        vulnerability: undefined,
+    })));
+    if (!options.vulnerabilities)
+        return baseAnalyses;
+    const osvClient = options.osvClient ?? new OsvClient();
+    const queries = baseAnalyses.flatMap((analysis) => {
+        const version = analysis.targets.current;
+        if (!version || analysis.status === 'protocol' || analysis.status === 'invalid')
+            return [];
+        return [{
+                name: analysis.registry?.name ?? analysis.dependency.packageName,
+                version,
+            }];
+    });
+    const vulnerabilities = await osvClient.queryMany(queries);
+    return baseAnalyses.map((analysis) => {
+        const version = analysis.targets.current;
+        if (!version)
+            return analysis;
+        const packageName = analysis.registry?.name ?? analysis.dependency.packageName;
+        return withVulnerability(analysis, vulnerabilities.get(getOsvQueryKey({ name: packageName, version })));
+    });
+};
+//# sourceMappingURL=analyzer.js.map

package/dist/analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../src/analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AACpD,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AAatE,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACnB,qBAAqB,EACrB,uBAAuB,EACvB,kBAAkB,EAClB,mBAAmB,GACpB,MAAM,eAAe,CAAA;AAEtB,MAAM,sBAAsB,GAAG,CAAC,UAA2B,EAAE,WAAmB,EAAE,OAAe,EAAsB,EAAE,CAAC,CAAC;IACzH,UAAU;IACV,WAAW;IACX,MAAM,EAAE,IAAI;IACZ,iBAAiB,EAAE,KAAK;IACxB,OAAO;IACP,UAAU,EAAE,mBAAmB,CAAC,UAAU,CAAC,WAAW,CAAC;IACvD,MAAM,EAAE,UAAU;IAClB,OAAO,EAAE,EAAE;CACZ,CAAC,CAAA;AAEF,MAAM,0BAA0B,GAAG,CAAC,UAA2B,EAAU,EAAE,CACzE,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;IACpC,CAAC,CAAC,+FAA+F;IACjG,CAAC,CAAC,yGAAyG,CAAA;AAE/G,MAAM,wBAAwB,GAAG,CAC/B,UAA2B,EAC3B,WAAmB,EACnB,WAAmB,EACC,EAAE,CAAC,CAAC;IACxB,UAAU;IACV,WAAW;IACX,MAAM,EAAE,KAAK;IACb,iBAAiB,EAAE,KAAK;IACxB,OAAO,EAAE,6CAA6C;IACtD,UAAU,EAAE,mBAAmB,CAAC,WAAW,CAAC;IAC5C,MAAM,EAAE,SAAS;IACjB,OAAO,EAAE,EAAE;CACZ,CAAC,CAAA;AAEF,MAAM,mBAAmB,GAAG,CAAC,KAA0B,EAAoB,EAAE,CAC3E,KAAK,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAA;AAEpD,MAAM,2BAA2B,GAAG,CAClC,UAA2B,EAC3B,WAAmB,EACnB,WAAmB,EACnB,KAA0B,EACN,EAAE,CAAC,CAAC;IACxB,UAAU;IACV,WAAW;IACX,MAAM,EAAE,KAAK;IACb,iBAAiB,EAAE,KAAK;IACxB,OAAO,EAAE,KAAK,CAAC,OAAO;IACtB,UAAU,EAAE,mBAAmB,CAAC,WAAW,CAAC;IAC5C,MAAM,EAAE,mBAAmB,CAAC,KAAK,CAAC;IAClC,OAAO,EAAE,EAAE;CACZ,CAAC,CAAA;AAEF,MAAM,2BAA2B,GAAG,CAClC,UAA2B,EAC3B,WAAmB,EACnB,WAAmB,EACnB,KAAa,EACb,QAA4B,EAC5B,OAAgC,EACZ,EAAE,CAAC,CAAC;IACxB,UAAU;IACV,WAAW;IACX,MAAM,EAAE,KAAK;IACb,iBAAiB,EAAE,KAAK;IACxB,OAAO,EAAE,qBAAqB,CAAC,KAAK,CAAC;IACrC,UAAU,EAAE,mBAAmB,CAAC,WAAW,CAAC;IAC5C,QAAQ,EAAE,QAAQ;IAClB,MAAM,EAAE,SAAS;IACjB,OAAO;CACR,CAAC,CAAA;AAEF,MAAM,iBAAiB,GAAG,CACxB,QAA4B,EAC5B,aAA+C,EAC3B,EAAE;IACtB,IAAI,CAAC,aAAa;QAAE,OAAO,QAAQ,CAAA;IAEnC,MAAM,MAAM,GAAG,mBAAmB,CAAC;QACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,iBAAiB,EAAE,QAAQ,CAAC,iBAAiB;QAC7C,yBAAyB,EAAE,QAAQ,CAAC,MAAM;QAC1C,aAAa;KACd,CAAC,CAAA;IAEF,MAAM,KAAK,GAAG,aAAa,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAA;IAErF,OAAO;QACL,GAAG,QAAQ;QACX,OAAO,EAAE,GAAG,QAAQ,CAAC,OAAO,gBAAgB,KAAK,uCAAuC;QACxF,MAAM;QACN,aAAa;KACd,CAAA;AACH,CAAC,CAAA;AAED,MAAM,oBAAoB,GAAG,CAC3B,MAAe,EACf,iBAA0B,EAC1B,aAAqB,EACb,EAAE;IACV,IAAI,CAAC,MAAM;QAAE,OAAO,gDAAgD,aAAa,EAAE,CAAA;IAEnF,IAAI,iBAAiB;QAAE,OAAO,uDAAuD,aAAa,EAAE,CAAA;IAEpG,OAAO,iCAAiC,aAAa,EAAE,CAAA;AACzD,CAAC,CAAA;AAED,MAAM,qBAAqB,GAAG,CAC5B,IASC,EACmB,EAAE;IACtB,MAAM,MAAM,GAAG,kBAAkB,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAA;IAC5D,MAAM,iBAAiB,GAAG,mBAAmB,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAA;IAEtG,MAAM,MAAM,GAAG,mBAAmB,CAAC;QACjC,MAAM;QACN,iBAAiB;QACjB,yBAAyB,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;QAC1D,aAAa,EAAE,IAAI,CAAC,aAAa;KAClC,CAAC,CAAA;IAEF,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,aAAa,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,kCAAkC,CAAA;IACpH,MAAM,OAAO,GAAG,oBAAoB,CAAC,MAAM,EAAE,iBAAiB,EAAE,aAAa,CAAC,CAAA;IAE9E,OAAO,iBAAiB,CAAC;QACvB,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,MAAM;QACN,iBAAiB;QACjB,OAAO;QACP,UAAU,EAAE,mBAAmB,CAAC,IAAI,CAAC,WAAW,CAAC;QACjD,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,MAAM;QACN,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,EAAE,IAAI,CAAC,aAAa,CAAC,CAAA;AACxB,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAG,KAAK,EACpC,UAA2B,EAC3B,UAGI,EAAE,EACuB,EAAE;IAC/B,MAAM,UAAU,GAAG,uBAAuB,CAAC,UAAU,EAAE,OAAO,CAAC,eAAe,CAAC,CAAA;IAC/E,MAAM,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,IAAI,KAAK,CAAA;IAE5D,IAAI,UAAU,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC1C,OAAO,sBAAsB,CAC3B,UAAU,EACV,UAAU,CAAC,WAAW,EACtB,0BAA0B,CAAC,UAAU,CAAC,CACvC,CAAA;IACH,CAAC;IAED,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;IAEpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,wBAAwB,CAAC,UAAU,EAAE,UAAU,CAAC,WAAW,EAAE,UAAU,CAAC,WAAW,CAAC,CAAA;IAC7F,CAAC;IAED,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,IAAI,iBAAiB,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,CAAA;IAC5G,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,UAAU,CAAC,WAAW,CAAC,CAAA;IAEtE,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QACf,OAAO,2BAA2B,CAAC,UAAU,EAAE,UAAU,CAAC,WAAW,EAAE,UAAU,CAAC,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,CAAA;IAC9G,CAAC;IAED,MAAM,OAAO,GAAG,oBAAoB,CAAC,KAAK,EAAE,MAAM,CAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAA;IAE/E,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO,2BAA2B,CAAC,UAAU,EAAE,UAAU,CAAC,WAAW,EAAE,UAAU,CAAC,WAAW,EAAE,KAAK,EAAE,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IACjI,CAAC;IAED,OAAO,qBAAqB,CAAC;QAC3B,UAAU;QACV,WAAW,EAAE,UAAU,CAAC,WAAW;QACnC,iBAAiB;QACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,UAAU,CAAC,WAAW;QACnC,KAAK;QACL,OAAO;QACP,aAAa,EAAE,OAAO,CAAC,aAAa;KACrC,CAAC,CAAA;AACJ,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAG,KAAK,EACtC,YAAwC,EACxC,UAGI,EAAE,EACyB,EAAE;IACjC,MAAM,cAAc,GAAG,OAAO,CAAC,cAAc,IAAI,IAAI,iBAAiB,CAAC,EAAE,WAAW,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,CAAA;IAE5G,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CACpC,YAAY,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,iBAAiB,CAAC,UAAU,EAAE;QAC7D,GAAG,OAAO;QACV,cAAc;QACd,aAAa,EAAE,SAAS;KACzB,CAAC,CAAC,CACJ,CAAA;IAED,IAAI,CAAC,OAAO,CAAC,eAAe;QAAE,OAAO,YAAY,CAAA;IAEjD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,SAAS,EAAE,CAAA;IAEtD,MAAM,OAAO,GAAe,YAAY,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,EAAE;QAC5D,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAA;QAExC,IAAI,CAAC,OAAO,IAAI,QAAQ,CAAC,MAAM,KAAK,UAAU,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,EAAE,CAAA;QAE1F,OAAO,CAAC;gBACN,IAAI,EAAE,QAAQ,CAAC,QAAQ,EAAE,IAAI,IAAI,QAAQ,CAAC,UAAU,CAAC,WAAW;gBAChE,OAAO;aACR,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;IAE1D,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE;QACnC,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAA;QAExC,IAAI,CAAC,OAAO;YAAE,OAAO,QAAQ,CAAA;QAE7B,MAAM,WAAW,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,IAAI,QAAQ,CAAC,UAAU,CAAC,WAAW,CAAA;QAE9E,OAAO,iBAAiB,CAAC,QAAQ,EAAE,eAAe,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,CAAA;IACzG,CAAC,CAAC,CAAA;AACJ,CAAC,CAAA"}

package/dist/catalogs.d.ts

@@ -0,0 +1,5 @@
+import type { CatalogSnapshot } from './types.js';
+export declare const createEmptyCatalogSnapshot: () => CatalogSnapshot;
+export declare const mergeCatalogSnapshots: (...snapshots: readonly CatalogSnapshot[]) => CatalogSnapshot;
+export declare const resolveCatalogSpec: (snapshot: CatalogSnapshot | undefined, packageName: string, spec: string) => string | undefined;
+//# sourceMappingURL=catalogs.d.ts.map

package/dist/catalogs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalogs.d.ts","sourceRoot":"","sources":["../src/catalogs.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAEjD,eAAO,MAAM,0BAA0B,QAAO,eAG5C,CAAA;AAEF,eAAO,MAAM,qBAAqB,GAAI,GAAG,WAAW,SAAS,eAAe,EAAE,KAAG,eAoBhF,CAAA;AAED,eAAO,MAAM,kBAAkB,GAC7B,UAAU,eAAe,GAAG,SAAS,EACrC,aAAa,MAAM,EACnB,MAAM,MAAM,KACX,MAAM,GAAG,SAaX,CAAA"}

package/dist/catalogs.js

@@ -0,0 +1,33 @@
+export const createEmptyCatalogSnapshot = () => ({
+    default: new Map(),
+    named: new Map(),
+});
+export const mergeCatalogSnapshots = (...snapshots) => {
+    const merged = createEmptyCatalogSnapshot();
+    for (const snapshot of snapshots) {
+        for (const [packageName, spec] of snapshot.default) {
+            merged.default.set(packageName, spec);
+        }
+        for (const [catalogName, entries] of snapshot.named) {
+            const target = merged.named.get(catalogName) ?? new Map();
+            for (const [packageName, spec] of entries) {
+                target.set(packageName, spec);
+            }
+            merged.named.set(catalogName, target);
+        }
+    }
+    return merged;
+};
+export const resolveCatalogSpec = (snapshot, packageName, spec) => {
+    if (!snapshot)
+        return undefined;
+    if (spec === 'catalog:') {
+        return snapshot.default.get(packageName);
+    }
+    const catalogMatch = /^catalog:(?<catalogName>[a-z0-9_-]+)$/iu.exec(spec);
+    const catalogName = catalogMatch?.groups?.catalogName;
+    if (!catalogName)
+        return undefined;
+    return snapshot.named.get(catalogName)?.get(packageName);
+};
+//# sourceMappingURL=catalogs.js.map

package/dist/catalogs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"catalogs.js","sourceRoot":"","sources":["../src/catalogs.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,0BAA0B,GAAG,GAAoB,EAAE,CAAC,CAAC;IAChE,OAAO,EAAE,IAAI,GAAG,EAAE;IAClB,KAAK,EAAE,IAAI,GAAG,EAAE;CACjB,CAAC,CAAA;AAEF,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,GAAG,SAAqC,EAAmB,EAAE;IACjG,MAAM,MAAM,GAAG,0BAA0B,EAAE,CAAA;IAE3C,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,KAAK,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACnD,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,CAAA;QACvC,CAAC;QAED,KAAK,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,IAAI,GAAG,EAAkB,CAAA;YAEzE,KAAK,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,OAAO,EAAE,CAAC;gBAC1C,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,CAAA;YAC/B,CAAC;YAED,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,EAAE,MAAM,CAAC,CAAA;QACvC,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAChC,QAAqC,EACrC,WAAmB,EACnB,IAAY,EACQ,EAAE;IACtB,IAAI,CAAC,QAAQ;QAAE,OAAO,SAAS,CAAA;IAE/B,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QACxB,OAAO,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;IAC1C,CAAC;IAED,MAAM,YAAY,GAAG,yCAAyC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IACzE,MAAM,WAAW,GAAG,YAAY,EAAE,MAAM,EAAE,WAAW,CAAA;IAErD,IAAI,CAAC,WAAW;QAAE,OAAO,SAAS,CAAA;IAElC,OAAO,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,GAAG,CAAC,WAAW,CAAC,CAAA;AAC1D,CAAC,CAAA"}

package/dist/fetch.d.ts

@@ -0,0 +1,3 @@
+import type { FetchLike } from './types.js';
+export declare const fetchWithTimeout: (fetcher: FetchLike, input: string, init?: RequestInit, timeoutMs?: number) => Promise<Response>;
+//# sourceMappingURL=fetch.d.ts.map

package/dist/fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.d.ts","sourceRoot":"","sources":["../src/fetch.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAI3C,eAAO,MAAM,gBAAgB,GAC3B,SAAS,SAAS,EAClB,OAAO,MAAM,EACb,OAAM,WAAgB,EACtB,kBAAsC,KACrC,OAAO,CAAC,QAAQ,CAuBlB,CAAA"}

package/dist/fetch.js

@@ -0,0 +1,25 @@
+const DEFAULT_REQUEST_TIMEOUT_MS = 10_000;
+export const fetchWithTimeout = async (fetcher, input, init = {}, timeoutMs = DEFAULT_REQUEST_TIMEOUT_MS) => {
+    if (!Number.isFinite(timeoutMs) || timeoutMs <= 0)
+        return fetcher(input, init);
+    const controller = new AbortController();
+    const timer = setTimeout(() => {
+        controller.abort();
+    }, timeoutMs);
+    try {
+        return await fetcher(input, {
+            ...init,
+            signal: controller.signal,
+        });
+    }
+    catch (error) {
+        if (controller.signal.aborted) {
+            throw new Error(`Request timed out after ${timeoutMs}ms.`, { cause: error });
+        }
+        throw error;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+};
+//# sourceMappingURL=fetch.js.map

package/dist/fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../src/fetch.ts"],"names":[],"mappings":"AAEA,MAAM,0BAA0B,GAAG,MAAM,CAAA;AAEzC,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,EACnC,OAAkB,EAClB,KAAa,EACb,OAAoB,EAAE,EACtB,SAAS,GAAG,0BAA0B,EACnB,EAAE;IACrB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,IAAI,CAAC;QAAE,OAAO,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA;IAE9E,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAA;IAExC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;QAC5B,UAAU,CAAC,KAAK,EAAE,CAAA;IACpB,CAAC,EAAE,SAAS,CAAC,CAAA;IAEb,IAAI,CAAC;QACH,OAAO,MAAM,OAAO,CAAC,KAAK,EAAE;YAC1B,GAAG,IAAI;YACP,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,UAAU,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,2BAA2B,SAAS,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAA;QAC9E,CAAC;QAED,MAAM,KAAK,CAAA;IACb,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAA;IACrB,CAAC;AACH,CAAC,CAAA"}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+export { analyzeDependencies, analyzeDependency } from './analyzer.js';
+export { createEmptyCatalogSnapshot, mergeCatalogSnapshots, resolveCatalogSpec } from './catalogs.js';
+export { collectCatalogSnapshot, isSupportedManifestPath, parseManifest } from './manifest.js';
+export { OsvClient } from './osv.js';
+export { parsePackageJsonManifest } from './package-json.js';
+export { parsePnpmWorkspaceManifest } from './pnpm-workspace.js';
+export { createNpmPackageUrl, NpmRegistryClient } from './registry.js';
+export { replaceDependencySpec, sortPackageJsonDependencies } from './sort.js';
+export type { AnalyzeDependencyOptions, AnalyzeManyOptions, CatalogSnapshot, DependencyAnalysis, DependencyEntry, DependencyManager, DependencySection, DependencySourceKind, DependencyStatus, DependencyUpdateTargets, FetchLike, ManifestParseError, ManifestParseResult, NpmPackageMetadata, OsvQuery, RegistryLookupError, RegistryLookupResult, Severity, TextPosition, TextRange, VulnerabilitySummary, } from './types.js';
+export { createTargetSpec, getLatestVersion, getVersionPrefix, isHighRiskSeverity, normalizeDependencySpec, specLooksPublished, specSatisfiesLatest, versionCandidates, } from './versions.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AACtE,OAAO,EAAE,0BAA0B,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAA;AACrG,OAAO,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAC9F,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AACpC,OAAO,EAAE,wBAAwB,EAAE,MAAM,mBAAmB,CAAA;AAC5D,OAAO,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAA;AAChE,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AACtE,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,MAAM,WAAW,CAAA;AAC9E,YAAY,EACV,wBAAwB,EACxB,kBAAkB,EAClB,eAAe,EACf,kBAAkB,EAClB,eAAe,EACf,iBAAiB,EACjB,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,uBAAuB,EACvB,SAAS,EACT,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,QAAQ,EACR,mBAAmB,EACnB,oBAAoB,EACpB,QAAQ,EACR,YAAY,EACZ,SAAS,EACT,oBAAoB,GACrB,MAAM,YAAY,CAAA;AACnB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,uBAAuB,EACvB,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,eAAe,CAAA"}

package/dist/index.js

@@ -0,0 +1,10 @@
+export { analyzeDependencies, analyzeDependency } from './analyzer.js';
+export { createEmptyCatalogSnapshot, mergeCatalogSnapshots, resolveCatalogSpec } from './catalogs.js';
+export { collectCatalogSnapshot, isSupportedManifestPath, parseManifest } from './manifest.js';
+export { OsvClient } from './osv.js';
+export { parsePackageJsonManifest } from './package-json.js';
+export { parsePnpmWorkspaceManifest } from './pnpm-workspace.js';
+export { createNpmPackageUrl, NpmRegistryClient } from './registry.js';
+export { replaceDependencySpec, sortPackageJsonDependencies } from './sort.js';
+export { createTargetSpec, getLatestVersion, getVersionPrefix, isHighRiskSeverity, normalizeDependencySpec, specLooksPublished, specSatisfiesLatest, versionCandidates, } from './versions.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AACtE,OAAO,EAAE,0BAA0B,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAA;AACrG,OAAO,EAAE,sBAAsB,EAAE,uBAAuB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAC9F,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AACpC,OAAO,EAAE,wBAAwB,EAAE,MAAM,mBAAmB,CAAA;AAC5D,OAAO,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAA;AAChE,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AACtE,OAAO,EAAE,qBAAqB,EAAE,2BAA2B,EAAE,MAAM,WAAW,CAAA;AAwB9E,OAAO,EACL,gBAAgB,EAChB,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,uBAAuB,EACvB,kBAAkB,EAClB,mBAAmB,EACnB,iBAAiB,GAClB,MAAM,eAAe,CAAA"}

package/dist/manifest.d.ts

@@ -0,0 +1,5 @@
+import type { CatalogSnapshot, ManifestParseResult } from './types.js';
+export declare const isSupportedManifestPath: (filePath: string) => boolean;
+export declare const parseManifest: (filePath: string, text: string) => ManifestParseResult;
+export declare const collectCatalogSnapshot: (manifests: readonly ManifestParseResult[]) => CatalogSnapshot;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAA;AAEtE,eAAO,MAAM,uBAAuB,GAAI,UAAU,MAAM,KAAG,OAI1D,CAAA;AAED,eAAO,MAAM,aAAa,GAAI,UAAU,MAAM,EAAE,MAAM,MAAM,KAAG,mBAkB9D,CAAA;AAED,eAAO,MAAM,sBAAsB,GAAI,WAAW,SAAS,mBAAmB,EAAE,KAAG,eACT,CAAA"}

package/dist/manifest.js

@@ -0,0 +1,28 @@
+import { basename } from 'node:path';
+import { mergeCatalogSnapshots } from './catalogs.js';
+import { parsePackageJsonManifest } from './package-json.js';
+import { parsePnpmWorkspaceManifest } from './pnpm-workspace.js';
+export const isSupportedManifestPath = (filePath) => {
+    const name = basename(filePath);
+    return name === 'package.json' || name === 'pnpm-workspace.yaml' || name === 'pnpm-workspace.yml';
+};
+export const parseManifest = (filePath, text) => {
+    const name = basename(filePath);
+    if (name === 'package.json')
+        return parsePackageJsonManifest(text);
+    if (name === 'pnpm-workspace.yaml' || name === 'pnpm-workspace.yml')
+        return parsePnpmWorkspaceManifest(text);
+    return {
+        catalogs: {
+            default: new Map(),
+            named: new Map(),
+        },
+        dependencies: [],
+        errors: [{
+                message: `${name} is not a supported Dep Beacon manifest.`,
+            }],
+        source: 'package-json',
+    };
+};
+export const collectCatalogSnapshot = (manifests) => mergeCatalogSnapshots(...manifests.map((manifest) => manifest.catalogs));
+//# sourceMappingURL=manifest.js.map

package/dist/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAA;AAEpC,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAA;AACrD,OAAO,EAAE,wBAAwB,EAAE,MAAM,mBAAmB,CAAA;AAC5D,OAAO,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAA;AAGhE,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,QAAgB,EAAW,EAAE;IACnE,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAA;IAE/B,OAAO,IAAI,KAAK,cAAc,IAAI,IAAI,KAAK,qBAAqB,IAAI,IAAI,KAAK,oBAAoB,CAAA;AACnG,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,QAAgB,EAAE,IAAY,EAAuB,EAAE;IACnF,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAA;IAE/B,IAAI,IAAI,KAAK,cAAc;QAAE,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAA;IAElE,IAAI,IAAI,KAAK,qBAAqB,IAAI,IAAI,KAAK,oBAAoB;QAAE,OAAO,0BAA0B,CAAC,IAAI,CAAC,CAAA;IAE5G,OAAO;QACL,QAAQ,EAAE;YACR,OAAO,EAAE,IAAI,GAAG,EAAE;YAClB,KAAK,EAAE,IAAI,GAAG,EAAE;SACjB;QACD,YAAY,EAAE,EAAE;QAChB,MAAM,EAAE,CAAC;gBACP,OAAO,EAAE,GAAG,IAAI,0CAA0C;aAC3D,CAAC;QACF,MAAM,EAAE,cAAc;KACvB,CAAA;AACH,CAAC,CAAA;AAED,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,SAAyC,EAAmB,EAAE,CACnG,qBAAqB,CAAC,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAA"}

package/dist/osv.d.ts

@@ -0,0 +1,12 @@
+import type { FetchLike, OsvQuery, VulnerabilitySummary } from './types.js';
+export declare class OsvClient {
+    #private;
+    constructor(options?: {
+        baseUrl?: string;
+        fetch?: FetchLike;
+        requestTimeoutMs?: number;
+    });
+    queryMany(queries: readonly OsvQuery[]): Promise<Map<string, VulnerabilitySummary>>;
+}
+export declare const getOsvQueryKey: (query: OsvQuery) => string;
+//# sourceMappingURL=osv.d.ts.map

package/dist/osv.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"osv.d.ts","sourceRoot":"","sources":["../src/osv.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAY,oBAAoB,EAAE,MAAM,YAAY,CAAA;AA0IrF,qBAAa,SAAS;;gBAMR,OAAO,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,SAAS,CAAC;QAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;KAAO;IAQtF,SAAS,CAAC,OAAO,EAAE,SAAS,QAAQ,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;CA6E1F;AAED,eAAO,MAAM,cAAc,UAnHF,QAAQ,KAAG,MAmHE,CAAA"}

package/dist/osv.js

@@ -0,0 +1,165 @@
+import { fetchWithTimeout } from './fetch.js';
+const SEVERITY_RANK = {
+    critical: 4,
+    high: 3,
+    medium: 2,
+    low: 1,
+    none: 0,
+    unknown: 0,
+};
+const isRecord = (value) => typeof value === 'object' && value !== null && !Array.isArray(value);
+const severityFromString = (value) => {
+    if (typeof value !== 'string')
+        return 'unknown';
+    const normalized = value.toLowerCase();
+    if (normalized === 'critical')
+        return 'critical';
+    if (normalized === 'high')
+        return 'high';
+    if (normalized === 'moderate' || normalized === 'medium')
+        return 'medium';
+    if (normalized === 'low')
+        return 'low';
+    return 'unknown';
+};
+const severityFromCvss = (score) => {
+    const vectorScore = /\/[ACIP]:([0-9.]+)/u.exec(score)?.[1];
+    const parsed = Number.parseFloat(vectorScore ?? score);
+    if (!Number.isFinite(parsed))
+        return 'unknown';
+    if (parsed >= 9)
+        return 'critical';
+    if (parsed >= 7)
+        return 'high';
+    if (parsed >= 4)
+        return 'medium';
+    if (parsed > 0)
+        return 'low';
+    return 'none';
+};
+const maxSeverity = (severities) => severities.reduce((highest, severity) => (SEVERITY_RANK[severity] > SEVERITY_RANK[highest] ? severity : highest), 'unknown');
+const vulnerabilitySeverity = (vulnerability) => {
+    const severities = [];
+    for (const severity of vulnerability.severity ?? []) {
+        if (typeof severity.score === 'string') {
+            severities.push(severityFromCvss(severity.score));
+        }
+    }
+    severities.push(severityFromString(vulnerability.database_specific?.severity));
+    for (const affected of vulnerability.affected ?? []) {
+        severities.push(severityFromString(affected.database_specific?.severity));
+        severities.push(severityFromString(affected.ecosystem_specific?.severity));
+    }
+    return maxSeverity(severities);
+};
+const toVulnerability = (value) => {
+    if (!isRecord(value))
+        return undefined;
+    return value;
+};
+const toBatchResponse = (value) => {
+    if (!isRecord(value) || !Array.isArray(value.results))
+        return { results: [] };
+    return {
+        results: value.results.map((result) => {
+            if (!isRecord(result) || !Array.isArray(result.vulns))
+                return { vulns: [] };
+            return {
+                vulns: result.vulns.flatMap((vulnerability) => {
+                    if (!isRecord(vulnerability) || typeof vulnerability.id !== 'string')
+                        return [];
+                    return [{ id: vulnerability.id }];
+                }),
+            };
+        }),
+    };
+};
+const queryKey = (query) => `${query.name}@${query.version}`;
+const vulnerabilityIds = (result) => (result?.vulns ?? []).flatMap((vulnerability) => (typeof vulnerability.id === 'string' ? [vulnerability.id] : []));
+const vulnerabilityAliases = (details) => {
+    const aliases = new Set();
+    for (const detail of details) {
+        if (!detail)
+            continue;
+        for (const alias of detail.aliases ?? []) {
+            if (typeof alias === 'string')
+                aliases.add(alias);
+        }
+    }
+    return [...aliases];
+};
+const vulnerabilitySeverities = (details) => details.flatMap((detail) => (detail ? [vulnerabilitySeverity(detail)] : []));
+export class OsvClient {
+    #baseUrl;
+    #detailCache = new Map();
+    #fetch;
+    #requestTimeoutMs;
+    constructor(options = {}) {
+        this.#baseUrl = (options.baseUrl ?? 'https://api.osv.dev').replace(/\/+$/u, '');
+        this.#fetch = options.fetch ?? fetch;
+        this.#requestTimeoutMs = options.requestTimeoutMs ?? 10_000;
+    }
+    async queryMany(queries) {
+        if (queries.length === 0)
+            return new Map();
+        let batch;
+        try {
+            const response = await fetchWithTimeout(this.#fetch, `${this.#baseUrl}/v1/querybatch`, {
+                body: JSON.stringify({
+                    queries: queries.map((query) => ({
+                        package: {
+                            ecosystem: 'npm',
+                            name: query.name,
+                        },
+                        version: query.version,
+                    })),
+                }),
+                headers: {
+                    'content-type': 'application/json',
+                },
+                method: 'POST',
+            }, this.#requestTimeoutMs);
+            if (!response.ok)
+                return new Map();
+            batch = toBatchResponse(await response.json());
+        }
+        catch {
+            return new Map();
+        }
+        const summaries = await Promise.all(queries.map((query, index) => this.#summarizeQuery(query, batch.results?.[index])));
+        return new Map(summaries.flatMap((summary) => (summary ? [summary] : [])));
+    }
+    async #summarizeQuery(query, result) {
+        const ids = vulnerabilityIds(result);
+        if (ids.length === 0)
+            return undefined;
+        const details = await Promise.all(ids.map((id) => this.#getVulnerability(id)));
+        return [queryKey(query), {
+                aliases: vulnerabilityAliases(details),
+                ids,
+                severity: maxSeverity(vulnerabilitySeverities(details)),
+                source: 'osv',
+            }];
+    }
+    async #getVulnerability(id) {
+        const cached = this.#detailCache.get(id);
+        if (cached)
+            return cached;
+        const request = this.#requestVulnerability(id);
+        this.#detailCache.set(id, request);
+        return request;
+    }
+    async #requestVulnerability(id) {
+        try {
+            const response = await fetchWithTimeout(this.#fetch, `${this.#baseUrl}/v1/vulns/${encodeURIComponent(id)}`, {}, this.#requestTimeoutMs);
+            if (!response.ok)
+                return undefined;
+            return toVulnerability(await response.json());
+        }
+        catch {
+            return undefined;
+        }
+    }
+}
+export const getOsvQueryKey = queryKey;
+//# sourceMappingURL=osv.js.map

package/dist/osv.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"osv.js","sourceRoot":"","sources":["../src/osv.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAA;AAyB7C,MAAM,aAAa,GAA6B;IAC9C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;IACP,OAAO,EAAE,CAAC;CACX,CAAA;AAED,MAAM,QAAQ,GAAG,CAAC,KAAc,EAAoC,EAAE,CACpE,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;AAEtE,MAAM,kBAAkB,GAAG,CAAC,KAAc,EAAY,EAAE;IACtD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAA;IAE/C,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAA;IAEtC,IAAI,UAAU,KAAK,UAAU;QAAE,OAAO,UAAU,CAAA;IAEhD,IAAI,UAAU,KAAK,MAAM;QAAE,OAAO,MAAM,CAAA;IAExC,IAAI,UAAU,KAAK,UAAU,IAAI,UAAU,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAA;IAEzE,IAAI,UAAU,KAAK,KAAK;QAAE,OAAO,KAAK,CAAA;IAEtC,OAAO,SAAS,CAAA;AAClB,CAAC,CAAA;AAED,MAAM,gBAAgB,GAAG,CAAC,KAAa,EAAY,EAAE;IACnD,MAAM,WAAW,GAAG,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAC1D,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,IAAI,KAAK,CAAC,CAAA;IAEtD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,SAAS,CAAA;IAE9C,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,UAAU,CAAA;IAElC,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,MAAM,CAAA;IAE9B,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAA;IAEhC,IAAI,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAA;IAE5B,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AAED,MAAM,WAAW,GAAG,CAAC,UAA+B,EAAY,EAAE,CAChE,UAAU,CAAC,MAAM,CAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC,CAAA;AAExI,MAAM,qBAAqB,GAAG,CAAC,aAA+B,EAAY,EAAE;IAC1E,MAAM,UAAU,GAAe,EAAE,CAAA;IAEjC,KAAK,MAAM,QAAQ,IAAI,aAAa,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACpD,IAAI,OAAO,QAAQ,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;YACvC,UAAU,CAAC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;QACnD,CAAC;IACH,CAAC;IAED,UAAU,CAAC,IAAI,CAAC,kBAAkB,CAAC,aAAa,CAAC,iBAAiB,EAAE,QAAQ,CAAC,CAAC,CAAA;IAE9E,KAAK,MAAM,QAAQ,IAAI,aAAa,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACpD,UAAU,CAAC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,iBAAiB,EAAE,QAAQ,CAAC,CAAC,CAAA;QAEzE,UAAU,CAAC,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,kBAAkB,EAAE,QAAQ,CAAC,CAAC,CAAA;IAC5E,CAAC;IAED,OAAO,WAAW,CAAC,UAAU,CAAC,CAAA;AAChC,CAAC,CAAA;AAED,MAAM,eAAe,GAAG,CAAC,KAAc,EAAgC,EAAE;IACvE,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAA;IAEtC,OAAO,KAAK,CAAA;AACd,CAAC,CAAA;AAED,MAAM,eAAe,GAAG,CAAC,KAAc,EAAoB,EAAE;IAC3D,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,CAAA;IAE7E,OAAO;QACL,OAAO,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE;YACpC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC;gBAAE,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,CAAA;YAE3E,OAAO;gBACL,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,EAAE;oBAC5C,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,OAAO,aAAa,CAAC,EAAE,KAAK,QAAQ;wBAAE,OAAO,EAAE,CAAA;oBAE/E,OAAO,CAAC,EAAE,EAAE,EAAE,aAAa,CAAC,EAAE,EAAE,CAAC,CAAA;gBACnC,CAAC,CAAC;aACH,CAAA;QACH,CAAC,CAAC;KACH,CAAA;AACH,CAAC,CAAA;AAED,MAAM,QAAQ,GAAG,CAAC,KAAe,EAAU,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,OAAO,EAAE,CAAA;AAE9E,MAAM,gBAAgB,GAAG,CAAC,MAAkC,EAAY,EAAE,CACxE,CAAC,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC,OAAO,aAAa,CAAC,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;AAEpH,MAAM,oBAAoB,GAAG,CAAC,OAAkD,EAAY,EAAE;IAC5F,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAA;IAEjC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM;YAAE,SAAQ;QAErB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;YACzC,IAAI,OAAO,KAAK,KAAK,QAAQ;gBAAE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QACnD,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,OAAO,CAAC,CAAA;AACrB,CAAC,CAAA;AAED,MAAM,uBAAuB,GAAG,CAAC,OAAkD,EAAc,EAAE,CACjG,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;AAE9E,MAAM,OAAO,SAAS;IACX,QAAQ,CAAQ;IAChB,YAAY,GAAG,IAAI,GAAG,EAAiD,CAAA;IACvE,MAAM,CAAW;IACjB,iBAAiB,CAAQ;IAElC,YAAY,UAA8E,EAAE;QAC1F,IAAI,CAAC,QAAQ,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,qBAAqB,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAA;QAE/E,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,KAAK,IAAI,KAAK,CAAA;QAEpC,IAAI,CAAC,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,IAAI,MAAM,CAAA;IAC7D,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,OAA4B;QAC1C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,GAAG,EAAE,CAAA;QAE1C,IAAI,KAAuB,CAAA;QAE3B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,gBAAgB,EAAE;gBACrF,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;wBAC/B,OAAO,EAAE;4BACP,SAAS,EAAE,KAAK;4BAChB,IAAI,EAAE,KAAK,CAAC,IAAI;yBACjB;wBACD,OAAO,EAAE,KAAK,CAAC,OAAO;qBACvB,CAAC,CAAC;iBACJ,CAAC;gBACF,OAAO,EAAE;oBACP,cAAc,EAAE,kBAAkB;iBACnC;gBACD,MAAM,EAAE,MAAM;aACf,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAE1B,IAAI,CAAC,QAAQ,CAAC,EAAE;gBAAE,OAAO,IAAI,GAAG,EAAE,CAAA;YAElC,KAAK,GAAG,eAAe,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAA;QAChD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,GAAG,EAAE,CAAA;QAClB,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CACjC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CACnF,CAAA;QAED,OAAO,IAAI,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAC5E,CAAC;IAED,KAAK,CAAC,eAAe,CACnB,KAAe,EACf,MAAkC;QAElC,MAAM,GAAG,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAA;QAEpC,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,SAAS,CAAA;QAEtC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;QAE9E,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;gBACvB,OAAO,EAAE,oBAAoB,CAAC,OAAO,CAAC;gBACtC,GAAG;gBACH,QAAQ,EAAE,WAAW,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;gBACvD,MAAM,EAAE,KAAK;aACd,CAAC,CAAA;IACJ,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,EAAU;QAChC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QAExC,IAAI,MAAM;YAAE,OAAO,MAAM,CAAA;QAEzB,MAAM,OAAO,GAAG,IAAI,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAA;QAE9C,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAA;QAElC,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,EAAU;QACpC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,aAAa,kBAAkB,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAA;YAEvI,IAAI,CAAC,QAAQ,CAAC,EAAE;gBAAE,OAAO,SAAS,CAAA;YAElC,OAAO,eAAe,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAA;QAC/C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,SAAS,CAAA;QAClB,CAAC;IACH,CAAC;CACF;AAED,MAAM,CAAC,MAAM,cAAc,GAAG,QAAQ,CAAA"}

package/dist/package-json.d.ts

@@ -0,0 +1,3 @@
+import type { ManifestParseResult } from './types.js';
+export declare const parsePackageJsonManifest: (text: string) => ManifestParseResult;
+//# sourceMappingURL=package-json.d.ts.map

package/dist/package-json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"package-json.d.ts","sourceRoot":"","sources":["../src/package-json.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAA6E,mBAAmB,EAAa,MAAM,YAAY,CAAA;AAmO3I,eAAO,MAAM,wBAAwB,GAAI,MAAM,MAAM,KAAG,mBA4CvD,CAAA"}