@trustify-da/trustify-da-javascript-client 0.3.0-ea.ff266a3 → 0.3.0-ea.ff694a0

package/dist/src/tools.d.ts

@@ -61,6 +61,32 @@ export function toPurlFromString(strPurl: any): PackageURL | null;
  * @param {string} cwd - directory for which to find the root of the git repository.
  */
 export function getGitRootDir(cwd: string): string | undefined;
+/**
+ * Normalize a filesystem path, lowercasing on Windows for case-insensitive comparison.
+ *
+ * @param {string} thePath
+ * @returns {string}
+ */
+export function normalizePath(thePath: string): string;
+/**
+ * Walk up from `startDir` to `repoRoot` looking for an executable wrapper script.
+ *
+ * @param {string} startDir - Absolute directory to start from
+ * @param {string} wrapperName - Wrapper filename (e.g. `mvnw`, `gradlew`)
+ * @param {string} [repoRoot] - Stop boundary (defaults to git root or filesystem root)
+ * @returns {string | undefined}
+ */
+export function traverseForWrapper(startDir: string, wrapperName: string, repoRoot?: string): string | undefined;
+/**
+ * Resolve a build-tool binary, preferring a wrapper when configured.
+ *
+ * @param {string} globalBinary - Global binary name (e.g. `mvn`, `gradle`)
+ * @param {string} localWrapper - Wrapper filename (e.g. `mvnw`, `gradlew.bat`)
+ * @param {string} startDir - Directory from which to start the wrapper search
+ * @param {import('./index.js').Options} [opts={}]
+ * @returns {string} Path to the resolved binary
+ */
+export function resolveBinary(globalBinary: string, localWrapper: string, startDir: string, opts?: import("./index.js").Options): string;
 /** this method invokes command string in a process in a synchronous way.
  * @param {string} bin - the command to be invoked
  * @param {Array<string>} args - the args to pass to the binary

package/dist/src/tools.js

@@ -1,4 +1,6 @@
 import { execFileSync } from "child_process";
+import fs from 'node:fs';
+import path from 'node:path';
 import { EOL } from "os";
 import { HttpsProxyAgent } from "https-proxy-agent";
 import { PackageURL } from "packageurl-js";
@@ -128,6 +130,62 @@ export function getGitRootDir(cwd) {
         return undefined;
     }
 }
+/**
+ * Normalize a filesystem path, lowercasing on Windows for case-insensitive comparison.
+ *
+ * @param {string} thePath
+ * @returns {string}
+ */
+export function normalizePath(thePath) {
+    const normalized = path.resolve(thePath).normalize();
+    return process.platform === 'win32' ? normalized.toLowerCase() : normalized;
+}
+/**
+ * Walk up from `startDir` to `repoRoot` looking for an executable wrapper script.
+ *
+ * @param {string} startDir - Absolute directory to start from
+ * @param {string} wrapperName - Wrapper filename (e.g. `mvnw`, `gradlew`)
+ * @param {string} [repoRoot] - Stop boundary (defaults to git root or filesystem root)
+ * @returns {string | undefined}
+ */
+export function traverseForWrapper(startDir, wrapperName, repoRoot = undefined) {
+    const currentDir = normalizePath(startDir);
+    repoRoot = repoRoot || getGitRootDir(currentDir) || path.parse(currentDir).root;
+    const wrapperPath = path.join(currentDir, wrapperName);
+    try {
+        fs.accessSync(wrapperPath, fs.constants.X_OK);
+        return wrapperPath;
+    }
+    catch {
+        const rootDir = path.parse(currentDir).root;
+        if (currentDir === repoRoot || currentDir === rootDir) {
+            return undefined;
+        }
+        const parentDir = path.dirname(currentDir);
+        if (parentDir === currentDir || parentDir === rootDir) {
+            return undefined;
+        }
+        return traverseForWrapper(parentDir, wrapperName, repoRoot);
+    }
+}
+/**
+ * Resolve a build-tool binary, preferring a wrapper when configured.
+ *
+ * @param {string} globalBinary - Global binary name (e.g. `mvn`, `gradle`)
+ * @param {string} localWrapper - Wrapper filename (e.g. `mvnw`, `gradlew.bat`)
+ * @param {string} startDir - Directory from which to start the wrapper search
+ * @param {import('./index.js').Options} [opts={}]
+ * @returns {string} Path to the resolved binary
+ */
+export function resolveBinary(globalBinary, localWrapper, startDir, opts = {}) {
+    if (getWrapperPreference(globalBinary, opts)) {
+        const wrapper = traverseForWrapper(startDir, localWrapper);
+        if (wrapper !== undefined) {
+            return wrapper;
+        }
+    }
+    return getCustomPath(globalBinary, opts);
+}
 /** this method invokes command string in a process in a synchronous way.
  * @param {string} bin - the command to be invoked
  * @param {Array<string>} args - the args to pass to the binary

package/dist/src/workspace.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Resolve ignore globs for workspace discovery: defaults + `TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE` + `opts.workspaceDiscoveryIgnore`.
+ * Patterns are fast-glob / micromatch style, relative to the workspace root (forward slashes).
+ *
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}]
+ * @returns {string[]}
+ */
+export function resolveWorkspaceDiscoveryIgnore(opts?: {
+    workspaceDiscoveryIgnore?: string[];
+    TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string;
+    [key: string]: unknown;
+}): string[];
+/**
+ * Drop manifest paths whose location matches an ignore pattern (e.g. root unshift, Cargo paths).
+ *
+ * @param {string[]} manifestPaths
+ * @param {string} root
+ * @param {string[]} ignorePatterns
+ * @returns {string[]}
+ */
+export function filterManifestPathsByDiscoveryIgnore(manifestPaths: string[], root: string, ignorePatterns: string[]): string[];
+/**
+ * @typedef {{ valid: true, name: string, version: string } | { valid: false, error: string }} ValidatePackageJsonResult
+ */
+/**
+ * Validate a package.json has non-empty `name` and `version` (required for stable SBOM root identity in batch).
+ *
+ * @param {string} packageJsonPath - Absolute or relative path to package.json
+ * @returns {ValidatePackageJsonResult}
+ */
+export function validatePackageJson(packageJsonPath: string): ValidatePackageJsonResult;
+/**
+ * Discover all package.json paths in a JS/TS workspace.
+ * Reads pnpm-workspace.yaml or package.json workspaces.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}] - optional `workspaceDiscoveryIgnore` globs (merged with defaults and env)
+ * @returns {Promise<string[]>} Paths to package.json files (absolute)
+ */
+export function discoverWorkspacePackages(workspaceRoot: string, opts?: {
+    workspaceDiscoveryIgnore?: string[];
+    TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string;
+    [key: string]: unknown;
+}): Promise<string[]>;
+/**
+ * Convert workspace glob patterns to manifest-file glob patterns,
+ * correctly handling negation prefixes.
+ *
+ * @param {string[]} patterns - Workspace glob patterns (may include negations)
+ * @param {string} manifestFileName - e.g. 'package.json' or 'Cargo.toml'
+ * @returns {string[]}
+ */
+export function toManifestGlobPatterns(patterns: string[], manifestFileName: string): string[];
+/**
+ * Discover all Cargo.toml manifest paths in a Cargo workspace.
+ * Uses `cargo metadata` to get workspace members.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain Cargo.toml and Cargo.lock)
+ * @param {import('./index.js').Options} [opts={}]
+ * @returns {Promise<string[]>} Paths to Cargo.toml files (absolute)
+ */
+export function discoverWorkspaceCrates(workspaceRoot: string, opts?: import("./index.js").Options): Promise<string[]>;
+export type ValidatePackageJsonResult = {
+    valid: true;
+    name: string;
+    version: string;
+} | {
+    valid: false;
+    error: string;
+};

package/dist/src/workspace.js

@@ -0,0 +1,256 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import fg from 'fast-glob';
+import { load as yamlLoad } from 'js-yaml';
+import micromatch from 'micromatch';
+import { getCustom, getCustomPath, invokeCommand } from './tools.js';
+/** Default paths skipped during JS workspace discovery (merged with user patterns). */
+const DEFAULT_WORKSPACE_DISCOVERY_IGNORE = [
+    '**/node_modules/**',
+    '**/.git/**',
+];
+/**
+ * Resolve ignore globs for workspace discovery: defaults + `TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE` + `opts.workspaceDiscoveryIgnore`.
+ * Patterns are fast-glob / micromatch style, relative to the workspace root (forward slashes).
+ *
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}]
+ * @returns {string[]}
+ */
+export function resolveWorkspaceDiscoveryIgnore(opts = {}) {
+    const merged = [...DEFAULT_WORKSPACE_DISCOVERY_IGNORE];
+    const fromEnv = getCustom('TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE', null, opts);
+    if (fromEnv && String(fromEnv).trim()) {
+        merged.push(...String(fromEnv).split(',').map(s => s.trim()).filter(Boolean));
+    }
+    const extra = opts.workspaceDiscoveryIgnore;
+    if (Array.isArray(extra)) {
+        for (const p of extra) {
+            if (typeof p === 'string' && p.trim()) {
+                merged.push(p.trim());
+            }
+        }
+    }
+    return [...new Set(merged)];
+}
+/**
+ * @param {string} root - Workspace root (absolute)
+ * @param {string[]} ignorePatterns
+ */
+function buildWorkspaceDiscoveryGlobOptions(root, ignorePatterns) {
+    return {
+        cwd: root,
+        absolute: true,
+        onlyFiles: true,
+        ignore: ignorePatterns,
+        followSymbolicLinks: false,
+    };
+}
+/**
+ * @param {string} filePath - Absolute path
+ * @param {string} root - Workspace root (absolute)
+ * @returns {string} Relative path with forward slashes
+ */
+function relativePathForGlobMatch(filePath, root) {
+    const rel = path.relative(root, filePath);
+    return rel.split(path.sep).join('/');
+}
+/**
+ * Drop manifest paths whose location matches an ignore pattern (e.g. root unshift, Cargo paths).
+ *
+ * @param {string[]} manifestPaths
+ * @param {string} root
+ * @param {string[]} ignorePatterns
+ * @returns {string[]}
+ */
+export function filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns) {
+    if (!ignorePatterns.length) {
+        return manifestPaths;
+    }
+    const resolvedRoot = path.resolve(root);
+    return manifestPaths.filter(absPath => {
+        const rel = relativePathForGlobMatch(absPath, resolvedRoot);
+        if (rel === '') {
+            return true;
+        }
+        return !ignorePatterns.some(pattern => micromatch.isMatch(rel, pattern, { dot: true }));
+    });
+}
+/**
+ * @typedef {{ valid: true, name: string, version: string } | { valid: false, error: string }} ValidatePackageJsonResult
+ */
+/**
+ * Validate a package.json has non-empty `name` and `version` (required for stable SBOM root identity in batch).
+ *
+ * @param {string} packageJsonPath - Absolute or relative path to package.json
+ * @returns {ValidatePackageJsonResult}
+ */
+export function validatePackageJson(packageJsonPath) {
+    let content;
+    try {
+        const raw = fs.readFileSync(packageJsonPath, 'utf-8');
+        content = JSON.parse(raw);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return { valid: false, error: `Invalid package.json: ${msg}` };
+    }
+    if (!content || typeof content !== 'object') {
+        return { valid: false, error: 'package.json must be a JSON object' };
+    }
+    const name = content.name;
+    const version = content.version;
+    if (typeof name !== 'string' || !name.trim()) {
+        return { valid: false, error: 'Missing or invalid name' };
+    }
+    if (typeof version !== 'string' || !version.trim()) {
+        return { valid: false, error: 'Missing or invalid version' };
+    }
+    return { valid: true, name: name.trim(), version: version.trim() };
+}
+/**
+ * Discover all package.json paths in a JS/TS workspace.
+ * Reads pnpm-workspace.yaml or package.json workspaces.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root
+ * @param {{ workspaceDiscoveryIgnore?: string[], TRUSTIFY_DA_WORKSPACE_DISCOVERY_IGNORE?: string, [key: string]: unknown }} [opts={}] - optional `workspaceDiscoveryIgnore` globs (merged with defaults and env)
+ * @returns {Promise<string[]>} Paths to package.json files (absolute)
+ */
+export async function discoverWorkspacePackages(workspaceRoot, opts = {}) {
+    const root = path.resolve(workspaceRoot);
+    const ignorePatterns = resolveWorkspaceDiscoveryIgnore(opts);
+    const globOpts = buildWorkspaceDiscoveryGlobOptions(root, ignorePatterns);
+    const pnpmWorkspace = path.join(root, 'pnpm-workspace.yaml');
+    const packageJson = path.join(root, 'package.json');
+    if (fs.existsSync(pnpmWorkspace)) {
+        return discoverFromPnpmWorkspace(root, pnpmWorkspace, globOpts, ignorePatterns);
+    }
+    if (fs.existsSync(packageJson)) {
+        return discoverFromPackageJsonWorkspaces(root, packageJson, globOpts, ignorePatterns);
+    }
+    return [];
+}
+/**
+ * @param {string} root
+ * @param {string} pnpmWorkspacePath
+ * @param {object} globOpts - fast-glob options (cwd, ignore, followSymbolicLinks, …)
+ * @param {string[]} ignorePatterns - for post-filter
+ * @returns {Promise<string[]>}
+ */
+async function discoverFromPnpmWorkspace(root, pnpmWorkspacePath, globOpts, ignorePatterns) {
+    const content = fs.readFileSync(pnpmWorkspacePath, 'utf-8');
+    const packages = parsePnpmPackages(content);
+    if (packages.length === 0) {
+        return [];
+    }
+    const patterns = toManifestGlobPatterns(packages, 'package.json');
+    const manifestPaths = await fg(patterns, globOpts);
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}
+/**
+ * Parse the `packages` array from pnpm-workspace.yaml content.
+ * @param {string} content - Raw YAML content
+ * @returns {string[]}
+ */
+function parsePnpmPackages(content) {
+    let doc;
+    try {
+        doc = yamlLoad(content);
+    }
+    catch {
+        return [];
+    }
+    if (!doc || typeof doc !== 'object' || !Array.isArray(doc.packages)) {
+        return [];
+    }
+    return doc.packages.filter(p => typeof p === 'string' && p.trim()).map(p => p.trim());
+}
+/**
+ * Convert workspace glob patterns to manifest-file glob patterns,
+ * correctly handling negation prefixes.
+ *
+ * @param {string[]} patterns - Workspace glob patterns (may include negations)
+ * @param {string} manifestFileName - e.g. 'package.json' or 'Cargo.toml'
+ * @returns {string[]}
+ */
+export function toManifestGlobPatterns(patterns, manifestFileName) {
+    return patterns.map(p => {
+        if (p.startsWith('!')) {
+            return `!${p.slice(1)}/${manifestFileName}`;
+        }
+        return `${p}/${manifestFileName}`;
+    });
+}
+/**
+ * @param {string} root
+ * @param {string} packageJsonPath
+ * @param {object} globOpts
+ * @param {string[]} ignorePatterns
+ * @returns {Promise<string[]>}
+ */
+async function discoverFromPackageJsonWorkspaces(root, packageJsonPath, globOpts, ignorePatterns) {
+    let pkg;
+    try {
+        pkg = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+    }
+    catch {
+        return [];
+    }
+    const workspaces = pkg.workspaces;
+    if (!workspaces) {
+        return [];
+    }
+    const raw = Array.isArray(workspaces) ? workspaces : workspaces.packages || [];
+    const patterns = toManifestGlobPatterns(raw.filter(p => typeof p === 'string'), 'package.json');
+    if (patterns.length === 0) {
+        return [];
+    }
+    const manifestPaths = await fg(patterns, globOpts);
+    const rootPkg = path.join(root, 'package.json');
+    if (fs.existsSync(rootPkg) && !manifestPaths.includes(rootPkg)) {
+        manifestPaths.unshift(rootPkg);
+    }
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}
+/**
+ * Discover all Cargo.toml manifest paths in a Cargo workspace.
+ * Uses `cargo metadata` to get workspace members.
+ *
+ * @param {string} workspaceRoot - Absolute or relative path to workspace root (must contain Cargo.toml and Cargo.lock)
+ * @param {import('./index.js').Options} [opts={}]
+ * @returns {Promise<string[]>} Paths to Cargo.toml files (absolute)
+ */
+export async function discoverWorkspaceCrates(workspaceRoot, opts = {}) {
+    const root = path.resolve(workspaceRoot);
+    const cargoToml = path.join(root, 'Cargo.toml');
+    const cargoLock = path.join(root, 'Cargo.lock');
+    if (!fs.existsSync(cargoToml) || !fs.existsSync(cargoLock)) {
+        return [];
+    }
+    const cargoBin = getCustomPath('cargo', opts);
+    let output;
+    try {
+        output = invokeCommand(cargoBin, ['metadata', '--format-version', '1', '--no-deps'], { cwd: root });
+    }
+    catch {
+        return [];
+    }
+    let metadata;
+    try {
+        metadata = JSON.parse(output.toString().trim());
+    }
+    catch {
+        return [];
+    }
+    const memberIds = new Set(metadata.workspace_members || []);
+    const manifestPaths = [];
+    for (const pkg of metadata.packages || []) {
+        if (memberIds.has(pkg.id) && pkg.manifest_path) {
+            const manifestPath = path.resolve(pkg.manifest_path);
+            if (fs.existsSync(manifestPath)) {
+                manifestPaths.push(manifestPath);
+            }
+        }
+    }
+    const ignorePatterns = resolveWorkspaceDiscoveryIgnore(opts);
+    return filterManifestPathsByDiscoveryIgnore(manifestPaths, root, ignorePatterns);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@trustify-da/trustify-da-javascript-client",
-	"version": "0.3.0-ea.ff266a3",
+	"version": "0.3.0-ea.ff694a0",
 	"description": "Code-Ready Dependency Analytics JavaScript API.",
 	"license": "Apache-2.0",
 	"homepage": "https://github.com/guacsec/trustify-da-javascript-client#README.md",
@@ -38,23 +38,32 @@
 		"lint": "eslint src test --ext js",
 		"lint:fix": "eslint src test --ext js --fix",
 		"test": "c8 npm run tests",
-		"tests": "mocha --config .mocharc.json --grep \".*analysis module.*\" --invert",
+		"tests": "mocha --config .mocharc.json",
 		"tests:rep": "mocha --reporter-option maxDiffSize=0 --reporter json > unit-tests-result.json",
+		"pretest": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm src/providers/tree-sitter-gomod.wasm",
 		"precompile": "rm -rf dist",
-		"compile": "tsc -p tsconfig.json"
+		"compile": "tsc -p tsconfig.json",
+		"compile:dev": "tsc -p tsconfig.dev.json",
+		"postcompile": "cp node_modules/tree-sitter-requirements/tree-sitter-requirements.wasm dist/src/providers/tree-sitter-requirements.wasm && cp node_modules/tree-sitter-gomod/tree-sitter-gomod.wasm dist/src/providers/tree-sitter-gomod.wasm"
 	},
 	"dependencies": {
 		"@babel/core": "^7.23.2",
 		"@cyclonedx/cyclonedx-library": "^6.13.0",
 		"eslint-import-resolver-typescript": "^4.4.4",
-		"fast-toml": "^0.5.4",
+		"fast-glob": "^3.3.3",
 		"fast-xml-parser": "^5.3.4",
 		"help": "^3.0.2",
 		"https-proxy-agent": "^7.0.6",
+		"js-yaml": "^4.1.1",
+		"jsonc-parser": "^3.3.1",
+		"micromatch": "^4.0.8",
 		"node-fetch": "^3.3.2",
+		"p-limit": "^4.0.0",
 		"packageurl-js": "~1.0.2",
+		"smol-toml": "^1.6.0",
+		"tree-sitter-gomod": "github:strum355/tree-sitter-go-mod#56326f2ad478892ace58ff247a97d492a3cbcdda",
 		"tree-sitter-requirements": "github:Strum355/tree-sitter-requirements#d0261ee76b84253997fe70d7d397e78c006c3801",
-		"web-tree-sitter": "^0.26.6",
+		"web-tree-sitter": "^0.26.7",
 		"yargs": "^18.0.0"
 	},
 	"devDependencies": {

package/dist/src/license/compatibility.d.ts

@@ -1,18 +0,0 @@
-/**
- * License compatibility: whether a dependency license is compatible with the project license.
- * Relies on backend-provided license categories.
- *
- * Compatibility is based on restrictiveness hierarchy:
- * PERMISSIVE < WEAK_COPYLEFT < STRONG_COPYLEFT
- *
- * A dependency is compatible if it's equal or less restrictive than the project license.
- * A dependency is incompatible if it's more restrictive than the project license.
- */
-/**
- * Check if a dependency's license is compatible with the project license based on backend categories.
- *
- * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @returns {'compatible'|'incompatible'|'unknown'}
- */
-export function getCompatibility(projectCategory?: string, dependencyCategory?: string): "compatible" | "incompatible" | "unknown";

package/dist/src/license/compatibility.js

@@ -1,45 +0,0 @@
-/**
- * License compatibility: whether a dependency license is compatible with the project license.
- * Relies on backend-provided license categories.
- *
- * Compatibility is based on restrictiveness hierarchy:
- * PERMISSIVE < WEAK_COPYLEFT < STRONG_COPYLEFT
- *
- * A dependency is compatible if it's equal or less restrictive than the project license.
- * A dependency is incompatible if it's more restrictive than the project license.
- */
-/**
- * Check if a dependency's license is compatible with the project license based on backend categories.
- *
- * @param {string} [projectCategory] - backend category for project license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @param {string} [dependencyCategory] - backend category for dependency license: PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | UNKNOWN
- * @returns {'compatible'|'incompatible'|'unknown'}
- */
-export function getCompatibility(projectCategory, dependencyCategory) {
-    if (!projectCategory || !dependencyCategory) {
-        return 'unknown';
-    }
-    const proj = projectCategory.toUpperCase();
-    const dep = dependencyCategory.toUpperCase();
-    // Unknown categories
-    if (proj === 'UNKNOWN' || dep === 'UNKNOWN') {
-        return 'unknown';
-    }
-    // Define restrictiveness levels (higher number = more restrictive)
-    const restrictiveness = {
-        'PERMISSIVE': 1,
-        'WEAK_COPYLEFT': 2,
-        'STRONG_COPYLEFT': 3
-    };
-    const projLevel = restrictiveness[proj];
-    const depLevel = restrictiveness[dep];
-    if (projLevel === undefined || depLevel === undefined) {
-        return 'unknown';
-    }
-    // Dependency is more restrictive than project → incompatible
-    if (depLevel > projLevel) {
-        return 'incompatible';
-    }
-    // Dependency is equal or less restrictive → compatible
-    return 'compatible';
-}