@visulima/vis 1.0.0-alpha.11 → 1.0.0-alpha.13

package/dist/packem_chunks/handler29.js

@@ -1,458 +1,23 @@
-import { createRequire as __cjs_createRequire } from "node:module";
+var re=Object.defineProperty;var V=(t,n)=>re(t,"name",{value:n,configurable:!0});import{dim as b,yellow as Y,cyan as Z,magenta as _,red as ee}from"@visulima/colorize";import{isAccessibleSync as G,readFileSync as B,writeFileSync as Q}from"@visulima/fs";import{readYamlSync as se}from"@visulima/fs/yaml";import{join as H}from"@visulima/path";import{r as oe,R as ae,A as ce,p as a,V as le,b as de,U as ue,t as ge,F as W}from"./bin.js";import{l as fe,f as pe,s as he}from"../packem_shared/dependency-scan-COr5n63B.js";var ve=Object.defineProperty,S=V((t,n)=>ve(t,"name",{value:n,configurable:!0}),"o");const L=S(t=>Array.isArray(t)?t.filter(n=>typeof n=="string"):[],"toStringArray"),K=S((t,n)=>{for(const r of n)if(r===t||r.endsWith("*")&&t.startsWith(r.slice(0,-1)))return!0;return!1},"matchesGlobList"),te=S(t=>{const n=H(t,"pnpm-workspace.yaml");if(!G(n))return{excludedPackages:[],ignoredAdvisories:[]};try{const r=se(n);return{excludedPackages:[],ignoredAdvisories:[...L(r?.auditConfig?.ignoreCves),...L(r?.auditConfig?.ignoreGhsas)]}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},"readPnpmAuditExclusions"),ne=S(t=>{const n=H(t,".yarnrc.yml");if(!G(n))return{excludedPackages:[],ignoredAdvisories:[]};try{const r=se(n);return{excludedPackages:L(r?.npmAuditExcludePackages),ignoredAdvisories:L(r?.npmAuditIgnoreAdvisories)}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},"readYarnAuditExclusions"),me=S((t,n)=>{switch(n){case"pnpm":return te(t);case"yarn":return ne(t);default:return{excludedPackages:[],ignoredAdvisories:[]}}},"readNativeAuditExclusions"),X=S((t,n,r)=>{if(K(t,n.ignoredAdvisories))return!0;if(r){for(const l of r)if(K(l,n.ignoredAdvisories))return!0}return!1},"isAdvisoryExcluded"),$e=S((t,n)=>K(t,n.excludedPackages),"isPackageExcluded"),ke=S((t,n,r)=>{if(r.length===0)return["No advisory IDs to sync."];const l=[];switch(t){case"bun":{l.push(`bun has no audit config file. Use CLI flags: bun audit ${r.map(f=>`--ignore ${f}`).join(" ")}`);break}case"npm":{l.push("npm has no native audit exclusion config. vis accepted risks are the only layer.");break}case"pnpm":{const f=H(n,"pnpm-workspace.yaml");if(!G(f)){l.push("pnpm-workspace.yaml not found. Cannot sync.");break}const h=te(n),k=new Set(h.ignoredAdvisories.filter(c=>c.startsWith("CVE-"))),m=new Set(h.ignoredAdvisories.filter(c=>c.startsWith("GHSA-"))),y=r.filter(c=>c.startsWith("CVE-")),$=r.filter(c=>c.startsWith("GHSA-")),p=[...new Set([...k,...y])],d=[...new Set([...m,...$])],v=y.filter(c=>!k.has(c)).length,w=$.filter(c=>!m.has(c)).length;if(v===0&&w===0){l.push("All advisory IDs already present in pnpm-workspace.yaml.");break}let g=B(f);if(p.length>0){const c=`  ignoreCves:
+${p.map(x=>`    - ${x}`).join(`
+`)}
+`;/auditConfig:/.test(g)?g=/ignoreCves:/.test(g)?g.replace(/ignoreCves:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,c):g.replace(/auditConfig:\s*\n/,`auditConfig:
+${c}`):g=`${g.trimEnd()}
 
-const __cjs_require = __cjs_createRequire(import.meta.url);
+auditConfig:
+${c}`,v>0&&l.push(`Added ${String(v)} new CVE${v===1?"":"s"} to pnpm-workspace.yaml (${String(p.length)} total)`)}if(d.length>0){const c=`  ignoreGhsas:
+${d.map(x=>`    - ${x}`).join(`
+`)}
+`;/auditConfig:/.test(g)&&(g=/ignoreGhsas:/.test(g)?g.replace(/ignoreGhsas:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,c):g.replace(/(auditConfig:[\s\S]*?)(\n\S|\n?$)/m,`$1${c}$2`)),w>0&&l.push(`Added ${String(w)} new GHSA${w===1?"":"s"} to pnpm-workspace.yaml (${String(d.length)} total)`)}Q(f,g);break}case"yarn":{const f=H(n,".yarnrc.yml");if(!G(f)){l.push(".yarnrc.yml not found. Cannot sync.");break}const h=ne(n),k=new Set(h.ignoredAdvisories),m=[...new Set([...k,...r])],y=r.filter(d=>!k.has(d)).length;if(y===0){l.push("All advisory IDs already present in .yarnrc.yml.");break}let $=B(f);const p=`npmAuditIgnoreAdvisories:
+${m.map(d=>`  - "${d}"`).join(`
+`)}
+`;$=/npmAuditIgnoreAdvisories:/.test($)?$.replace(/npmAuditIgnoreAdvisories:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,p):`${$.trimEnd()}
 
-const __cjs_getProcess = typeof globalThis !== "undefined" && typeof globalThis.process !== "undefined" ? globalThis.process : process;
-
-const __cjs_getBuiltinModule = (module) => {
-    // Check if we're in Node.js and version supports getBuiltinModule
-    if (typeof __cjs_getProcess !== "undefined" && __cjs_getProcess.versions && __cjs_getProcess.versions.node) {
-        const [major, minor] = __cjs_getProcess.versions.node.split(".").map(Number);
-        // Node.js 20.16.0+ and 22.3.0+
-        if (major > 22 || (major === 22 && minor >= 3) || (major === 20 && minor >= 16)) {
-            return __cjs_getProcess.getBuiltinModule(module);
-        }
-    }
-    // Fallback to createRequire
-    return __cjs_require(module);
-};
-
-const {
-  createInterface
-} = __cjs_getBuiltinModule("node:readline");
-import { green, dim, red, yellow } from '@visulima/colorize';
-import { readJsonSync, writeJsonSync } from '@visulima/fs';
-import { findPackageManagerSync } from '@visulima/package';
-import { join } from '@visulima/path';
-import { coerce } from 'semver';
-import { r as resolveInstaller, F as runAdd, a as buildSocketOptions, p as pail, f as fetchSocketReports, d as discoverWorkspace, x as runInstall, t as findAcceptedRisk, G as formatReportSummary, H as scoreLabel, I as formatAcceptedRiskSnippet, J as getFullPackageName, j as scoreColor, D as DEFAULT_LOW_SCORE_THRESHOLD } from './bin.js';
-import { r as runTyposquatCheck } from '../packem_shared/typosquats-C-bCh3PX.js';
-import { r as readCatalogs } from '../packem_shared/catalog-BJTtyi-O.js';
-import { p as parsePackageArgument, t as toStringArray } from '../packem_shared/utils-CthVdBPS.js';
-
-const buildCatalogRef = (catalogName) => catalogName === "default" ? "catalog:" : `catalog:${catalogName}`;
-const labelForCatalog = (catalogName) => catalogName === "default" ? "default catalog" : `catalog "${catalogName}"`;
-const resolveFromCatalogs = (name, catalogs) => {
-  const matchedCatalogs = [];
-  for (const [key, deps] of catalogs) {
-    if (key.includes(":")) {
-      continue;
-    }
-    if (deps.has(name)) {
-      matchedCatalogs.push(key);
-    }
-  }
-  if (matchedCatalogs.length === 0) {
-    return void 0;
-  }
-  if (matchedCatalogs.length === 1) {
-    const [only] = matchedCatalogs;
-    return { source: labelForCatalog(only), spec: buildCatalogRef(only) };
-  }
-  const preferred = matchedCatalogs.find((c) => c === "default") ?? matchedCatalogs[0];
-  const others = matchedCatalogs.filter((c) => c !== preferred);
-  return {
-    candidates: [...matchedCatalogs],
-    conflict: true,
-    source: `${labelForCatalog(preferred)} (also in: ${others.map(labelForCatalog).join(", ")})`,
-    spec: buildCatalogRef(preferred)
-  };
-};
-const resolveFromSiblings = (name, catalogs) => {
-  const tally = /* @__PURE__ */ new Map();
-  for (const [key, deps] of catalogs) {
-    if (!key.includes(":")) {
-      continue;
-    }
-    const range = deps.get(name);
-    if (range !== void 0) {
-      tally.set(range, (tally.get(range) ?? 0) + 1);
-    }
-  }
-  if (tally.size === 0) {
-    return void 0;
-  }
-  const entries = [...tally.entries()];
-  const total = entries.reduce((a, [, count]) => a + count, 0);
-  if (entries.length === 1) {
-    const [[range]] = entries;
-    return {
-      source: `siblings (${String(total)} pkg${total === 1 ? "" : "s"} on ${range})`,
-      spec: range
-    };
-  }
-  const sorted = [...entries].sort((a, b) => b[1] - a[1]);
-  const [chosen, chosenCount] = sorted[0];
-  const others = sorted.slice(1).map(([range, count]) => `${range} (×${String(count)})`);
-  return {
-    candidates: sorted.map(([range]) => range),
-    conflict: true,
-    source: `siblings (most common: ${chosen} ×${String(chosenCount)}; conflicts: ${others.join(", ")})`,
-    spec: chosen
-  };
-};
-const conformToCatalog = (name, catalogs) => {
-  const fromCatalog = resolveFromCatalogs(name, catalogs);
-  if (fromCatalog) {
-    return fromCatalog;
-  }
-  return resolveFromSiblings(name, catalogs);
-};
-
-const resolveLatestVersions = async (packageNames, timeoutMs = 1e4) => {
-  const results = /* @__PURE__ */ new Map();
-  const controller = new AbortController();
-  const timeout = setTimeout(() => {
-    controller.abort();
-  }, timeoutMs);
-  try {
-    const fetches = packageNames.map(async (name) => {
-      try {
-        const response = await fetch(`https://registry.npmjs.org/${name}/latest`, {
-          headers: { Accept: "application/json" },
-          signal: controller.signal
-        });
-        if (response.ok) {
-          const data = await response.json();
-          if (data.version) {
-            results.set(name, data.version);
-          }
-        }
-      } catch {
-      }
-    });
-    await Promise.all(fetches);
-  } finally {
-    clearTimeout(timeout);
-  }
-  return results;
-};
-const displaySecurityReports = (reports, minimumScore, acceptedRisks) => {
-  const lowScorePackages = [];
-  for (const report of reports.values()) {
-    const { overall } = report.score;
-    const color = scoreColor(overall);
-    const pct = `${String(Math.round(overall * 100))}%`;
-    const alertCount = report.alerts.length;
-    const fullName = getFullPackageName(report);
-    const accepted = findAcceptedRisk(fullName, report.version, acceptedRisks);
-    const colorFunction = color === "red" ? red : color === "yellow" ? yellow : green;
-    if (accepted) {
-      pail.info(`  ${colorFunction(pct)} ${formatReportSummary(report)} ${dim(`[accepted: ${accepted.reason}]`)}`);
-    } else {
-      pail.info(`  ${colorFunction(pct)} ${formatReportSummary(report)}`);
-    }
-    if (alertCount > 0) {
-      const critHigh = report.alerts.filter((a) => a.severity === "critical" || a.severity === "high").length;
-      if (critHigh > 0) {
-        pail.warn(`    ${String(critHigh)} critical/high alert${critHigh === 1 ? "" : "s"}`);
-      }
-    }
-    if (overall < minimumScore && !accepted) {
-      lowScorePackages.push(report);
-    }
-  }
-  return lowScorePackages;
-};
-const confirmLowScorePackages = async (lowScorePackages, minimumScore) => {
-  const rl = createInterface({ input: process.stdin, output: process.stdout });
-  const ask = (question) => new Promise((resolve) => {
-    rl.question(question, (answer2) => {
-      resolve(answer2.trim());
-    });
-  });
-  const pct = String(Math.round(minimumScore * 100));
-  pail.warn("");
-  pail.warn(`${String(lowScorePackages.length)} package${lowScorePackages.length === 1 ? "" : "s"} scored below the minimum threshold (${pct}%):`);
-  for (const report of lowScorePackages) {
-    const name = getFullPackageName(report);
-    const score = `${String(Math.round(report.score.overall * 100))}%`;
-    pail.warn(`  • ${name}@${report.version} — score: ${score} (${scoreLabel(report.score.overall)})`);
-  }
-  pail.warn("");
-  const answer = await ask("Continue adding these packages? [y/N] ");
-  if (answer.toLowerCase() !== "y" && answer.toLowerCase() !== "yes") {
-    rl.close();
-    return false;
-  }
-  const rememberAnswer = await ask("Remember this decision? (prints config snippet) [y/N] ");
-  rl.close();
-  if (rememberAnswer.toLowerCase() === "y" || rememberAnswer.toLowerCase() === "yes") {
-    pail.notice("");
-    pail.notice("Add the following to security.socket.acceptedRisks in vis.config.ts:");
-    pail.notice("");
-    for (const report of lowScorePackages) {
-      const fullName = getFullPackageName(report);
-      const snippet = formatAcceptedRiskSnippet(fullName, report.version, report.score.overall, "Reviewed and accepted");
-      pail.notice(snippet);
-    }
-    pail.notice("");
-  }
-  return true;
-};
-const runSocketPreCheck = async (packages, socketOptions, minimumScore, acceptedRisks) => {
-  const parsed = packages.map(parsePackageArgument);
-  const coercedSpecs = /* @__PURE__ */ new Map();
-  for (const p of parsed) {
-    if (p.versionSpec) {
-      const coerced = coerce(p.versionSpec);
-      if (coerced) {
-        coercedSpecs.set(p.name, coerced.version);
-      }
-    }
-  }
-  const needsResolution = parsed.filter((p) => !coercedSpecs.has(p.name)).map((p) => p.name);
-  const resolvedVersions = needsResolution.length > 0 ? await resolveLatestVersions(needsResolution) : /* @__PURE__ */ new Map();
-  const lookupPackages = [];
-  for (const p of parsed) {
-    const version = coercedSpecs.get(p.name) ?? resolvedVersions.get(p.name);
-    if (version) {
-      lookupPackages.push({ name: p.name, version });
-    }
-  }
-  if (lookupPackages.length === 0) {
-    return true;
-  }
-  pail.info("");
-  pail.info("Socket.dev security check:");
-  const reports = await fetchSocketReports(lookupPackages, socketOptions);
-  if (reports.size === 0) {
-    pail.info("  Could not fetch security data. Proceeding.");
-    return true;
-  }
-  const lowScorePackages = displaySecurityReports(reports, minimumScore, acceptedRisks);
-  if (lowScorePackages.length === 0) {
-    pail.info("");
-    return true;
-  }
-  if (!process.stdin.isTTY) {
-    pail.warn(
-      `Aborting: ${String(lowScorePackages.length)} package${lowScorePackages.length === 1 ? "" : "s"} below minimum score. Use --no-socket-check to skip.`
-    );
-    return false;
-  }
-  return confirmLowScorePackages(lowScorePackages, minimumScore);
-};
-const SIBLING_SECTIONS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];
-const pickDepSection = (options) => {
-  if (options.savePeer) {
-    return "peerDependencies";
-  }
-  if (options.saveOptional) {
-    return "optionalDependencies";
-  }
-  if (options.saveDev) {
-    return "devDependencies";
-  }
-  return "dependencies";
-};
-const applyExactPrefix = (spec, exact) => {
-  if (spec.startsWith("catalog:")) {
-    return spec;
-  }
-  if (!exact) {
-    return spec;
-  }
-  return spec.replace(/^[\^~]/, "");
-};
-const planConformedSpecs = async (packages, catalogs) => {
-  const slots = [];
-  for (const argument of packages) {
-    const { name, versionSpec } = parsePackageArgument(argument);
-    if (!name) {
-      continue;
-    }
-    if (versionSpec !== void 0) {
-      slots.push({ explicit: versionSpec, name });
-      continue;
-    }
-    const conformed = conformToCatalog(name, catalogs);
-    if (conformed) {
-      if (conformed.conflict) {
-        pail.warn(`${name}: ambiguous constraint — picking ${conformed.spec} (${conformed.source}). Pass ${name}@<version> to override.`);
-      }
-      slots.push({ entry: { name, source: conformed.source, spec: conformed.spec }, kind: "resolved", name });
-      continue;
-    }
-    slots.push({ kind: "missing", name });
-  }
-  const missingNames = slots.filter((s) => "kind" in s && s.kind === "missing").map((s) => s.name);
-  const latest = missingNames.length > 0 ? await resolveLatestVersions(missingNames) : /* @__PURE__ */ new Map();
-  return slots.map((slot) => {
-    if ("explicit" in slot) {
-      return { name: slot.name, source: "explicit", spec: slot.explicit };
-    }
-    if (slot.kind === "resolved") {
-      return slot.entry;
-    }
-    const version = latest.get(slot.name);
-    if (version === void 0) {
-      throw new Error(`--to: cannot resolve a version for "${slot.name}" (not in any catalog or sibling, and registry lookup failed). Pass ${slot.name}@<version> explicitly.`);
-    }
-    const spec = `^${version}`;
-    pail.info(`${slot.name}: no existing constraint — using registry latest (${spec}). Add to a catalog to share this version across workspace packages.`);
-    return { name: slot.name, source: "registry latest", spec };
-  });
-};
-const applyPlannedSpecsToPackageJson = (pkgJson, planned, section, exact) => {
-  for (const { name, spec } of planned) {
-    const finalSpec = applyExactPrefix(spec, exact);
-    for (const otherSection of SIBLING_SECTIONS) {
-      if (otherSection === section) {
-        continue;
-      }
-      const block2 = pkgJson[otherSection];
-      if (block2?.[name] !== void 0) {
-        delete block2[name];
-        if (Object.keys(block2).length === 0) {
-          delete pkgJson[otherSection];
-        }
-      }
-    }
-    let block = pkgJson[section];
-    if (block === void 0) {
-      block = {};
-      pkgJson[section] = block;
-    }
-    block[name] = finalSpec;
-  }
-};
-const applyConformedAdd = async ({
-  ignoreScripts,
-  logger,
-  options,
-  packages,
-  pm,
-  target,
-  visConfig,
-  workspaceRoot
-}) => {
-  const { workspace } = discoverWorkspace(workspaceRoot, visConfig ?? {});
-  const project = workspace.projects[target];
-  if (!project) {
-    const available = Object.keys(workspace.projects).sort();
-    throw new Error(
-      `--to: workspace package "${target}" not found. Available: ${available.length > 0 ? available.slice(0, 10).join(", ") : "(none)"}${available.length > 10 ? `, ... (${String(available.length - 10)} more)` : ""}.`
-    );
-  }
-  const targetPkgPath = join(workspaceRoot, project.root, "package.json");
-  const { packageManager } = findPackageManagerSync(workspaceRoot);
-  const catalogs = readCatalogs(workspaceRoot, packageManager);
-  const section = pickDepSection(options);
-  const exact = options.exact ?? false;
-  const planned = await planConformedSpecs(packages, catalogs);
-  if (planned.length === 0) {
-    return 0;
-  }
-  const pkgJson = readJsonSync(targetPkgPath);
-  applyPlannedSpecsToPackageJson(pkgJson, planned, section, exact);
-  writeJsonSync(targetPkgPath, pkgJson, { detectIndent: true, overwrite: true });
-  for (const entry of planned) {
-    const finalSpec = applyExactPrefix(entry.spec, exact);
-    pail.info(`${green("+")} ${entry.name}@${finalSpec} → ${target}/${section} (${dim(entry.source)})`);
-  }
-  return runInstall(
-    pm,
-    {
-      dev: false,
-      filter: [],
-      force: false,
-      frozenLockfile: false,
-      ignoreScripts,
-      lockfileOnly: false,
-      noOptional: false,
-      offline: false,
-      prod: false,
-      recursive: false,
-      silent: false,
-      workspaceRoot: false
-    },
-    workspaceRoot,
-    logger
-  );
-};
-const execute = async ({ argument, logger, options, visConfig, workspaceRoot: wsRoot }) => {
-  let packages = argument;
-  if (!packages || packages.length === 0) {
-    throw new Error("No packages specified. Usage: vis add <packages...>");
-  }
-  if (!options.noTyposquatCheck) {
-    const parsed = packages.map((p) => parsePackageArgument(p));
-    const result = await runTyposquatCheck(
-      parsed.map((p) => p.name),
-      visConfig?.security?.typosquatAllowlist
-    );
-    if (!result.ok) {
-      process.exitCode = 1;
-      return;
-    }
-    packages = parsed.map((p, i) => {
-      const corrected = result.packages[i];
-      if (corrected !== p.name) {
-        return p.versionSpec ? `${corrected}@${p.versionSpec}` : corrected ?? "";
-      }
-      return packages[i] ?? "";
-    });
-  }
-  if (!options.noSocketCheck) {
-    const socketOptions = buildSocketOptions(visConfig?.security?.socket);
-    if (socketOptions) {
-      const minimumScore = socketOptions.minimumScore ?? DEFAULT_LOW_SCORE_THRESHOLD;
-      const shouldContinue = await runSocketPreCheck(packages, socketOptions, minimumScore, visConfig?.security?.socket?.acceptedRisks);
-      if (!shouldContinue) {
-        process.exitCode = 1;
-        return;
-      }
-    }
-  }
-  const cwd = process.cwd();
-  const pm = resolveInstaller(wsRoot ?? cwd, { configBackend: visConfig?.install?.backend });
-  const ignoreScripts = !options.runScripts;
-  if (options.to) {
-    if (options.global || options.workspaceRoot) {
-      throw new Error("--to is incompatible with --global / --workspace-root.");
-    }
-    if (options.filter && toStringArray(options.filter).length > 0) {
-      throw new Error("--to and --filter are mutually exclusive — --to already targets one package.");
-    }
-    if (!wsRoot) {
-      throw new Error("--to requires a monorepo workspace. Run from inside a pnpm/bun/yarn/npm workspace.");
-    }
-    const code2 = await applyConformedAdd({
-      ignoreScripts,
-      logger,
-      options,
-      packages,
-      pm,
-      target: options.to,
-      visConfig,
-      workspaceRoot: wsRoot
-    });
-    if (code2 !== 0) {
-      process.exitCode = code2;
-    }
-    return;
-  }
-  const code = runAdd(
-    pm,
-    {
-      exact: options.exact || false,
-      filter: toStringArray(options.filter),
-      global: options.global || false,
-      optional: options.saveOptional || false,
-      packages,
-      peer: options.savePeer || false,
-      saveDev: options.saveDev || false,
-      workspace: options.workspace || false,
-      workspaceRoot: options.workspaceRoot || false
-    },
-    cwd,
-    logger,
-    { ignoreScripts }
-  );
-  if (code !== 0) {
-    process.exitCode = code;
-  }
-};
-
-export { execute as default };
+${p}`,Q(f,$),l.push(`Synced ${String(y)} advisor${y===1?"y":"ies"} to .yarnrc.yml (${String(m.length)} total)`);break}default:l.push(`Unknown package manager: ${t}`)}return l},"syncAcceptedRisksToNativeConfig");var ye=Object.defineProperty,R=V((t,n)=>ye(t,"name",{value:n,configurable:!0}),"m");const U={CRITICAL:0,HIGH:1,LOW:3,MODERATE:2,UNKNOWN:4},Ae={critical:ee,high:_,low:Z,medium:Y},j=R((t,n)=>{const r=U[n.toUpperCase()]??U.MODERATE??2;return(U[t.toUpperCase()]??4)<=r},"severityPassesFilter"),Se={CRITICAL:ee,HIGH:_,LOW:Z,MODERATE:Y,UNKNOWN:b},we=R((t,n,r,l)=>{const f=Se[r.severity]??b,h=l?` ${b("[acknowledged]")}`:"",k=r.fixedVersions??[],m=k.length>0?` (fix: ${k.join(", ")})`:"";return`  ${f(r.severity)} ${r.id} — ${t}@${n}${h}
+    ${r.summary}${m}`},"formatVulnLine"),Ce=R((t,n)=>{const r=oe(t),l=`${String(Math.round(t.score.overall*100))}%`,f=n?` ${b("[acknowledged]")}`:"",h=t.alerts.length>0?`, ${String(t.alerts.length)} alert${t.alerts.length===1?"":"s"}`:"";return`  ${l} ${r}@${t.version} (${ae(t.score.overall)}${h})${f}`},"formatSocketLine"),Re=R(async(t,n,r,l)=>{const f=n.severity??"low",h=n.format==="json"||!!n.json,k=!!n.fix,m=!!n.showAccepted,y=r?.security?.socket,$=y?.acceptedRisks,p=ce(t),d=me(t,p.name);(d.ignoredAdvisories.length>0||d.excludedPackages.length>0)&&a.info(`Loaded ${String(d.ignoredAdvisories.length)} ignored advisor${d.ignoredAdvisories.length===1?"y":"ies"} and ${String(d.excludedPackages.length)} excluded package${d.excludedPackages.length===1?"":"s"} from ${p.name} config.`);const v=fe(t,p.name);if(v.length===0){a.info(`No ${p.name} lockfile entries found. Run ${p.name} install first.`);return}h||a.info(`Scanning ${String(v.length)} installed packages…`);const w=v.map(e=>({name:e.name,version:e.version})),g=le(y),c=pe(t,p.name),x=[{id:"vulnerabilities",label:"Known vulnerabilities (OSV)"},...g?[{id:"socket",label:"Socket.dev supply-chain reports"}]:[]],C=he(x,{live:!h}),ie=Date.now(),E=R(e=>{const s=Date.now()-e;return s>=1e3?`${(s/1e3).toFixed(1)}s`:`${String(Math.round(s))}ms`},"fmtElapsed");let q,J;try{const e=Date.now(),s=Date.now();C.start("vulnerabilities"),g&&C.start("socket"),[q,J]=await Promise.all([de(w).then(i=>{let o=0;for(const u of i.values())o+=u.length;return C.finish("vulnerabilities",o>0?"warn":"ok",o>0?`${String(o)} found · ${E(e)}`:`none found · ${E(e)}`),i}).catch(i=>{const o=i instanceof Error?i.message:String(i);return C.finish("vulnerabilities","error",o),new Map}),g?ue(w,g).then(i=>{let o=0,u=0;for(const D of i.values())o+=D.alerts.length,D.score.overall<W&&(u+=1);const O=o+u;return C.finish("socket",O>0?"warn":"ok",O>0?`${String(o)} alert${o===1?"":"s"}, ${String(u)} low-score · ${E(s)}`:`clean · ${E(s)}`),i}).catch(i=>{const o=i instanceof Error?i.message:String(i);return C.finish("socket","error",o),new Map}):Promise.resolve(new Map)])}finally{C.stop()}h||a.info(b(`Scan completed in ${E(ie)}`));const M=[];for(const e of v){if($e(e.name,d))continue;const s=q.get(e.name)??[],i=J.get(`${e.name}@${e.version}`),o=ge(e.name,e.version,$),u=s.length>0,O=i?i.score.overall<W:!1,D=i?i.alerts.length>0:!1;(u||O||D)&&M.push({acceptedRisk:o,name:e.name,socketReport:i,version:e.version,vulnerabilities:s})}const A=M.filter(e=>{const s=e.vulnerabilities.some(u=>j(u.severity,f)),i=e.socketReport?.alerts.some(u=>j(u.severity==="medium"?"MODERATE":u.severity.toUpperCase(),f)),o=e.socketReport&&e.socketReport.score.overall<W;return s||i||o});if(h){const e={duplicates:c.map(s=>({name:s.name,versionCount:s.versions.length,versions:s.versions})),packages:v.length,results:A.map(s=>({acceptedRisk:s.acceptedRisk??null,name:s.name,socketAlerts:s.socketReport?.alerts??[],socketScore:s.socketReport?.score.overall??null,version:s.version,vulnerabilities:s.vulnerabilities})),summary:{accepted:A.filter(s=>s.acceptedRisk).length,duplicatePackages:c.length,issues:A.filter(s=>!s.acceptedRisk).length,total:A.length}};process.stdout.write(`${JSON.stringify(e,void 0,2)}
+`),n.exitCode&&e.summary.issues>0&&(process.exitCode=1);return}if(A.length===0){a.success(`No security issues found across ${String(v.length)} packages.`);return}const I={CRITICAL:[],HIGH:[],LOW:[],MODERATE:[]};for(const e of A)for(const s of e.vulnerabilities)if(j(s.severity,f)){const i=s.severity==="UNKNOWN"?"LOW":s.severity;I[i]?.push({entry:e,vuln:s})}let F=0,T=0;for(const e of["CRITICAL","HIGH","MODERATE","LOW"]){const s=I[e];if(!(!s||s.length===0)){a.info(`
+── ${e} (${String(s.length)}) ──`);for(const{entry:i,vuln:o}of s){const u=!!i.acceptedRisk||X(o.id,d,o.aliases);u&&(T++,!m)||(F++,a.info(we(i.name,i.version,o,u)),k&&(o.fixedVersions??[]).length>0&&a.notice(`    Fix: update to ${o.fixedVersions.at(-1)}`))}}}const P=A.filter(e=>e.socketReport&&(e.socketReport.score.overall<W||e.socketReport.alerts.length>0));if(P.length>0){a.info(`
+── Socket.dev Supply Chain (${String(P.length)}) ──`);for(const e of P){if(!e.socketReport)continue;const s=!!e.acceptedRisk;if(!(s&&!m)){a.info(Ce(e.socketReport,s));for(const i of e.socketReport.alerts){const o=Ae[i.severity]??b;a.info(`    ${o(`[${i.severity.toUpperCase()}]`)} ${i.type} — ${i.category}`)}}}}if(c.length>0){a.info(`
+── Duplicate Dependencies (${String(c.length)}) ──`);for(const e of c){const s=e.versions.join(", ");a.info(`  ${e.name} — ${String(e.versions.length)} versions: ${Y(s)}`)}}const N=R(e=>!!e.acceptedRisk||e.vulnerabilities.length>0&&e.vulnerabilities.every(s=>X(s.id,d,s.aliases)),"isEntryExcluded"),z=A.filter(e=>!N(e)).length;if(a.info(""),a.info("─ Audit Summary"),a.info(`  ${String(v.length)} packages scanned`),d.ignoredAdvisories.length>0&&a.info(`  ${String(d.ignoredAdvisories.length)} ${p.name} audit exclusion${d.ignoredAdvisories.length===1?"":"s"} applied`),F>0){const e=I.CRITICAL?.filter(i=>!N(i.entry)).length??0,s=I.HIGH?.filter(i=>!N(i.entry)).length??0;a.error(`  ${String(F)} vulnerabilit${F===1?"y":"ies"} found`),e>0&&a.error(`    ${String(e)} critical`),s>0&&a.warn(`    ${String(s)} high`)}else a.success("  No vulnerabilities found");if(P.length>0){const e=P.filter(s=>!N(s)).length;a.warn(`  ${String(e)} package${e===1?"":"s"} with Socket.dev supply chain issues`)}if(c.length>0&&(a.warn(`  ${String(c.length)} package${c.length===1?"":"s"} with duplicate versions`),a.notice("  Run 'vis dedupe' or your package manager's dedupe command to reduce duplicates.")),T>0&&(a.info(`  ${String(T)} acknowledged (accepted risks)`),m||a.notice("  Use --show-accepted to see acknowledged issues.")),z===0&&a.success(`
+  All issues are acknowledged. No action required.`),n.sync&&$){const e=new Set;for(const i of M)if(i.acceptedRisk){for(const o of i.vulnerabilities)if((o.id.startsWith("CVE-")||o.id.startsWith("GHSA-"))&&e.add(o.id),o.aliases)for(const u of o.aliases)(u.startsWith("CVE-")||u.startsWith("GHSA-"))&&e.add(u)}const s=[...e];if(s.length>0){a.info("");const i=ke(p.name,t,s);for(const o of i)a.success(`  ${o}`)}else a.info(`
+No advisory IDs to sync to native PM config.`)}n.exitCode&&z>0&&(process.exitCode=1)},"executeAudit"),Oe=R(async({logger:t,options:n,visConfig:r,workspaceRoot:l})=>{if(!l)throw new Error("Could not determine workspace root. Run this command inside a monorepo.");await Re(l,n,r,t)},"execute");export{Oe as default};

package/dist/packem_chunks/handler3.js

@@ -1,95 +1,4 @@
-import { findPackageManagerSync } from '@visulima/package';
-import { v as validateAnalysisType, r as runAiAnalysis, f as formatAiAnalysis } from '../packem_shared/ai-analysis-CHeB1joD.js';
-import { f as fetchSocketReports, a as buildSocketOptions } from './bin.js';
-import { r as readCatalogs, f as fetchPackageVersions, p as parseVersion, a as fetchVulnerabilities, g as getUpdateType, e as extractPrefix } from '../packem_shared/catalog-BJTtyi-O.js';
-
-const VERSION_PREFIX_REGEX = /^[\^~>=<]+/;
-const execute = async ({ argument, logger, options, visConfig, workspaceRoot: wsRoot }) => {
-  if (!wsRoot) {
-    throw new Error("Could not determine workspace root. Run this command inside a monorepo.");
-  }
-  const positionalArguments = argument;
-  const packageName = positionalArguments[0];
-  if (!packageName) {
-    throw new Error("Package name is required. Usage: vis analyze <package> [version]");
-  }
-  const targetVersionArgument = positionalArguments[1];
-  const { packageManager } = findPackageManagerSync(wsRoot);
-  let currentRange;
-  let catalogName = "default";
-  const catalogs = readCatalogs(wsRoot, packageManager);
-  for (const [name, deps] of catalogs) {
-    const range = deps.get(packageName);
-    if (range) {
-      currentRange = range;
-      catalogName = name;
-      break;
-    }
-  }
-  if (!currentRange) {
-    throw new Error(`Package "${packageName}" not found in any catalog or package.json. Make sure it exists in your workspace dependencies.`);
-  }
-  let targetVersion;
-  if (targetVersionArgument) {
-    targetVersion = targetVersionArgument;
-  } else {
-    logger.info(`Fetching latest version for ${packageName}...
-`);
-    const info = await fetchPackageVersions(packageName);
-    if (!info.latest) {
-      throw new Error(`Could not determine latest version for "${packageName}".`);
-    }
-    targetVersion = info.latest;
-  }
-  const current = parseVersion(currentRange);
-  const target = parseVersion(targetVersion);
-  if (!current || !target) {
-    throw new Error(`Could not parse versions: current="${currentRange}", target="${targetVersion}".`);
-  }
-  const updateType = getUpdateType(current, target);
-  if (updateType === "none") {
-    logger.info(`${packageName} is already at ${targetVersion}. Nothing to analyze.`);
-    return;
-  }
-  const prefix = extractPrefix(currentRange);
-  const entry = {
-    catalogName,
-    currentRange,
-    newRange: `${prefix}${targetVersion}`,
-    packageName,
-    targetVersion,
-    updateType
-  };
-  const analysisType = validateAnalysisType(options.aiType ?? "impact");
-  if (analysisType === "security" || options.security) {
-    logger.info("Checking for known vulnerabilities...\n");
-    const version = currentRange.replace(VERSION_PREFIX_REGEX, "");
-    const vulnMap = await fetchVulnerabilities([{ name: packageName, version }]);
-    const vulns = vulnMap.get(packageName);
-    if (vulns && vulns.length > 0) {
-      entry.vulnerabilities = vulns;
-    }
-    const socketOptions = buildSocketOptions(visConfig?.security?.socket);
-    if (socketOptions) {
-      const reports = await fetchSocketReports([{ name: packageName, version }], socketOptions);
-      const report = reports.get(`${packageName}@${version}`);
-      if (report) {
-        entry.socketReport = {
-          alerts: report.alerts,
-          license: report.license,
-          score: report.score
-        };
-      }
-    }
-  }
-  const result = await runAiAnalysis([entry], logger, visConfig?.ai, analysisType);
-  const format = options.format ?? "table";
-  if (format === "json") {
-    process.stdout.write(`${JSON.stringify(result, void 0, 2)}
-`);
-  } else {
-    logger.info(formatAiAnalysis(result));
-  }
-};
-
-export { execute as default };
+var x=Object.defineProperty;var h=(n,t)=>x(n,"name",{value:t,configurable:!0});import{findPackageManagerSync as N}from"@visulima/package";import{H as P,e as U,Z as j}from"../packem_shared/ai-analysis-hm8d2W7z.js";import{g as M,a as O,E as b,i as T,L as z,b as S,V,U as q}from"./bin.js";var A=Object.defineProperty,F=h((n,t)=>A(n,"name",{value:t,configurable:!0}),"x");const H=/^[\^~>=<]+/,B=F(async({argument:n,logger:t,options:f,visConfig:u,workspaceRoot:g})=>{if(!g)throw new Error("Could not determine workspace root. Run this command inside a monorepo.");const p=n,e=p[0];if(!e)throw new Error("Package name is required. Usage: vis analyze <package> [version]");const m=p[1],{packageManager:E}=N(g);let o,w="default";const C=M(g,E);for(const[a,i]of C){const s=i.get(e);if(s){o=s,w=a;break}}if(!o)throw new Error(`Package "${e}" not found in any catalog or package.json. Make sure it exists in your workspace dependencies.`);let r;if(m)r=m;else{t.info(`Fetching latest version for ${e}...
+`);const a=await O(e);if(!a.latest)throw new Error(`Could not determine latest version for "${e}".`);r=a.latest}const d=b(o),k=b(r);if(!d||!k)throw new Error(`Could not parse versions: current="${o}", target="${r}".`);const y=T(d,k);if(y==="none"){t.info(`${e} is already at ${r}. Nothing to analyze.`);return}const R=z(o),l={catalogName:w,currentRange:o,newRange:`${R}${r}`,packageName:e,targetVersion:r,updateType:y},v=P(f.aiType??"impact");if(v==="security"||f.security){t.info(`Checking for known vulnerabilities...
+`);const a=o.replace(H,""),i=(await S([{name:e,version:a}])).get(e);i&&i.length>0&&(l.vulnerabilities=i);const s=V(u?.security?.socket);if(s){const c=(await q([{name:e,version:a}],s)).get(`${e}@${a}`);c&&(l.socketReport={alerts:c.alerts,license:c.license,score:c.score})}}const $=await U([l],t,u?.ai,v);(f.format??"table")==="json"?process.stdout.write(`${JSON.stringify($,void 0,2)}
+`):t.info(j($))},"execute");export{B as default};