npm - @vibedrift/cli - Versions diffs - 0.4.3 → 0.4.5 - Mend

@vibedrift/cli 0.4.3 → 0.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -24,6 +24,7 @@ __export(function_extractor_exports, {
   extractAllFunctions: () => extractAllFunctions,
   extractFunctionsFromFile: () => extractFunctionsFromFile,
   simpleHash: () => simpleHash,
+  toFunctionRef: () => toFunctionRef,
   tokenizeBody: () => tokenizeBody
 });
 function detectDomainCategory(name, body) {
@@ -149,6 +150,9 @@ function extractAllFunctions(files) {
   }
   return allFunctions;
 }
+function toFunctionRef(fn) {
+  return { file: fn.file, relativePath: fn.relativePath, name: fn.name, line: fn.line };
+}
 var init_function_extractor = __esm({
   "src/codedna/function-extractor.ts"() {
     "use strict";
@@ -254,12 +258,9 @@ function fnv1aHash(str) {
   const h2 = (hash2 >>> 0).toString(16).padStart(8, "0");
   return h1 + h2;
 }
-function toRef(fn) {
-  return { file: fn.file, relativePath: fn.relativePath, name: fn.name, line: fn.line };
-}
 function computeSemanticFingerprints(functions) {
   return functions.map((fn) => ({
-    functionRef: toRef(fn),
+    functionRef: toFunctionRef(fn),
     normalizedHash: fnv1aHash(normalizeBody(fn.rawBody, fn.language))
   }));
 }
@@ -321,6 +322,7 @@ var init_semantic_fingerprint = __esm({
   "src/codedna/semantic-fingerprint.ts"() {
     "use strict";
     init_esm_shims();
+    init_function_extractor();
   }
 });
@@ -366,9 +368,6 @@ function classifyLine(line, language) {
   }
   return null;
 }
-function toRef2(fn) {
-  return { file: fn.file, relativePath: fn.relativePath, name: fn.name, line: fn.line };
-}
 function extractOperationSequences(functions) {
   return functions.map((fn) => {
     const lines = fn.rawBody.split("\n");
@@ -381,7 +380,7 @@ function extractOperationSequences(functions) {
         }
       }
     }
-    return { functionRef: toRef2(fn), sequence };
+    return { functionRef: toFunctionRef(fn), sequence };
   });
 }
 function lcsLength(a, b) {
@@ -456,6 +455,7 @@ var init_operation_sequence = __esm({
   "src/codedna/operation-sequence.ts"() {
     "use strict";
     init_esm_shims();
+    init_function_extractor();
   }
 });
@@ -2735,10 +2735,13 @@ var importsAnalyzer = {
     );
     const esmFiles = [];
     const cjsFiles = [];
+    const SKIP_PATH = /(?:fixtures?|testdata|__fixtures__|__mocks__)[/\\]/i;
     for (const file of jsFiles) {
       if (CONFIG_FILE_PATTERN.test(file.relativePath)) continue;
+      if (SKIP_PATH.test(file.relativePath)) continue;
+      const stripped = file.content.replace(/\/[^/\n]+\/[gimsuvy]*/g, '""').replace(/`[^`]*`/g, '""');
       const hasESM = ESM_PATTERN.test(file.content);
-      const hasCJS = CJS_PATTERN.test(file.content);
+      const hasCJS = CJS_PATTERN.test(stripped);
       if (hasESM && hasCJS) {
         findings.push({
           analyzerId: "imports",
@@ -2908,8 +2911,11 @@ var NODE_BUILTINS = /* @__PURE__ */ new Set([
 ]);
 var JS_IMPORT_PATTERNS = [
   /(?:import|from)\s+['"]([^./][^'"]*)['"]/g,
-  /require\(\s*['"]([^./][^'"]*)['"]\s*\)/g
+  /require\(\s*['"]([^./][^'"]*)['"]\s*\)/g,
+  // Dynamic imports: await import("pkg") or import("pkg")
+  /import\(\s*['"]([^./][^'"]*)['"]\s*\)/g
 ];
+var FIXTURE_PATH_PATTERN = /(?:fixtures?|testdata|__fixtures__|__mocks__)[/\\]/i;
 function extractGoImports(content) {
   const imports = [];
   const singlePattern = /^import\s+"([^"]+)"/gm;
@@ -2998,7 +3004,7 @@ function analyzeJsDeps(ctx) {
   const imported = /* @__PURE__ */ new Set();
   const importLocations = /* @__PURE__ */ new Map();
   const jsFiles = ctx.files.filter(
-    (f) => f.language === "javascript" || f.language === "typescript"
+    (f) => (f.language === "javascript" || f.language === "typescript") && !FIXTURE_PATH_PATTERN.test(f.relativePath)
   );
   for (const file of jsFiles) {
     for (const pattern of JS_IMPORT_PATTERNS) {
@@ -3856,11 +3862,12 @@ var SECURITY_PATTERNS = [
     id: "ssrf-risk",
     name: "SSRF risk",
     pattern: /(?:fetch|axios\.get|http\.get|requests\.get|httpClient)\s*\(\s*(?:[`'"].*\$\{|[^'"]*\+)/g,
-    severity: "warning",
-    confidence: 0.6,
-    message: "Potential SSRF: user-controlled value in URL construction",
+    severity: "info",
+    confidence: 0.4,
+    message: "URL constructed from variable \u2014 review if the source is user-controlled",
     languages: "all",
-    tags: ["security", "ssrf"]
+    tags: ["security", "ssrf"],
+    negativeFilter: /(?:API_URL|BASE_URL|apiUrl|baseUrl|base\s*\+|endpoint|config\.|process\.env)/i
   },
   // === Python-specific ===
   {
@@ -3916,7 +3923,9 @@ var securityAnalyzer = {
   async analyze(ctx) {
     const findings = [];
     const projectLanguages = [...ctx.languageBreakdown.keys()];
+    const PATTERN_DEF = /(?:pattern\s*:|regex\s*:|RegExp\s*\(|name\s*:|message\s*:|id\s*:|label\s*:)/;
     for (const file of ctx.files) {
+      if (/(?:fixtures?|testdata|__fixtures__|__mocks__)[/\\]/i.test(file.relativePath)) continue;
       for (const pattern of SECURITY_PATTERNS) {
         if (pattern.languages !== "all") {
           if (!file.language || !pattern.languages.includes(file.language)) continue;
@@ -3924,10 +3933,11 @@ var securityAnalyzer = {
         const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
         let match;
         while ((match = regex.exec(file.content)) !== null) {
+          const lineStart = file.content.lastIndexOf("\n", match.index) + 1;
+          const lineEnd = file.content.indexOf("\n", match.index);
+          const line = file.content.slice(lineStart, lineEnd === -1 ? void 0 : lineEnd);
+          if (PATTERN_DEF.test(line)) continue;
           if (pattern.negativeFilter) {
-            const lineStart2 = file.content.lastIndexOf("\n", match.index) + 1;
-            const lineEnd2 = file.content.indexOf("\n", match.index);
-            const line = file.content.slice(lineStart2, lineEnd2 === -1 ? void 0 : lineEnd2);
             if (pattern.negativeFilter.test(line)) continue;
           }
           if (pattern.contextRequired) {
@@ -3939,9 +3949,7 @@ var securityAnalyzer = {
             if (!pattern.contextRequired.test(context)) continue;
           }
           const lineNum = getLineNumber(file.content, match.index);
-          const lineStart = file.content.lastIndexOf("\n", match.index) + 1;
-          const lineEnd = file.content.indexOf("\n", match.index);
-          const snippet = file.content.slice(lineStart, lineEnd === -1 ? void 0 : lineEnd).trim();
+          const snippet = line.trim();
           findings.push({
             analyzerId: "security",
             severity: pattern.severity,
@@ -4959,9 +4967,6 @@ var DRIFT_WEIGHTS = {
 // src/drift/architectural-contradiction.ts
 init_esm_shims();
-function getLine(content, index) {
-  return content.slice(0, index).split("\n").length;
-}
 function getLineContent(content, lineNum) {
   return (content.split("\n")[lineNum - 1] ?? "").trim();
 }
@@ -4970,7 +4975,7 @@ function extractEvidence(content, pattern, maxResults = 3) {
   const regex = new RegExp(pattern.source, pattern.flags);
   let match;
   while ((match = regex.exec(content)) !== null && evidence.length < maxResults) {
-    const line = getLine(content, match.index);
+    const line = getLineNumber(content, match.index);
     evidence.push({ line, code: getLineContent(content, line) });
   }
   return evidence;
@@ -8034,6 +8039,16 @@ function previewToken(token) {
   if (token.length <= 12) return token.slice(0, 4) + "\u2026";
   return token.slice(0, 12) + "\u2026";
 }
+function describeSource(source) {
+  switch (source) {
+    case "flag":
+      return "command-line flag";
+    case "env":
+      return "VIBEDRIFT_TOKEN environment variable";
+    case "config":
+      return "~/.vibedrift/config.json";
+  }
+}
 // src/auth/api.ts
 init_esm_shims();
@@ -8832,16 +8847,6 @@ async function runStatus() {
   }
   console.log("");
 }
-function describeSource(source) {
-  switch (source) {
-    case "flag":
-      return "command-line flag";
-    case "env":
-      return "VIBEDRIFT_TOKEN environment variable";
-    case "config":
-      return "~/.vibedrift/config.json";
-  }
-}
 // src/cli/commands/usage.ts
 init_esm_shims();
@@ -9038,7 +9043,7 @@ async function runDoctor() {
   if (!resolved) {
     info("Login state", "not logged in");
   } else {
-    ok("Token source", describeSource2(resolved.source));
+    ok("Token source", describeSource(resolved.source));
     ok("Token preview", previewToken(resolved.token));
     if (resolved.source === "config") {
       if (config.email) ok("Email", config.email);
@@ -9110,16 +9115,6 @@ function bad(value) {
 function info(label, value) {
   console.log(`    ${chalk10.dim("\xB7")} ${label.padEnd(14)} ${chalk10.dim(value)}`);
 }
-function describeSource2(source) {
-  switch (source) {
-    case "flag":
-      return "command-line flag";
-    case "env":
-      return "VIBEDRIFT_TOKEN environment variable";
-    case "config":
-      return "~/.vibedrift/config.json";
-  }
-}
 // src/cli/commands/feedback.ts
 init_esm_shims();