@visulima/vis 1.0.0-alpha.11 → 1.0.0-alpha.13

package/dist/packem_chunks/handler42.js

@@ -1,797 +1,5 @@
-import { createRequire as __cjs_createRequire } from "node:module";
-
-const __cjs_require = __cjs_createRequire(import.meta.url);
-
-const __cjs_getProcess = typeof globalThis !== "undefined" && typeof globalThis.process !== "undefined" ? globalThis.process : process;
-
-const __cjs_getBuiltinModule = (module) => {
-    // Check if we're in Node.js and version supports getBuiltinModule
-    if (typeof __cjs_getProcess !== "undefined" && __cjs_getProcess.versions && __cjs_getProcess.versions.node) {
-        const [major, minor] = __cjs_getProcess.versions.node.split(".").map(Number);
-        // Node.js 20.16.0+ and 22.3.0+
-        if (major > 22 || (major === 22 && minor >= 3) || (major === 20 && minor >= 16)) {
-            return __cjs_getProcess.getBuiltinModule(module);
-        }
-    }
-    // Fallback to createRequire
-    return __cjs_require(module);
-};
-
-const {
-  readdirSync,
-  writeFileSync
-} = __cjs_getBuiltinModule("node:fs");
-import { readJsonSync, readFileSync, ensureDirSync } from '@visulima/fs';
-import { join, resolve, dirname } from '@visulima/path';
-import { d as discoverWorkspace, b as buildProjectGraph, p as pail } from './bin.js';
-const {
-  randomUUID
-} = __cjs_getBuiltinModule("node:crypto");
-import { toXML } from 'jstoxml';
-import { r as resolveFocusProjects } from '../packem_shared/docker-2iZzc280.js';
-import { parseLockFileContent } from '@visulima/package';
-import semver from 'semver';
-
-const readJsonSafe = (path) => {
-  try {
-    return readJsonSync(path);
-  } catch {
-    return void 0;
-  }
-};
-const isSafePackageName = (name) => {
-  if (name.length === 0 || name.includes("..") || name.startsWith(".") || name.includes("\0") || name.includes("\\")) {
-    return false;
-  }
-  if (name.startsWith("@")) {
-    const slashIndex = name.indexOf("/");
-    return slashIndex > 1 && !name.includes("/", slashIndex + 1);
-  }
-  return !name.includes("/");
-};
-const isSafeVersion = (version) => version.length > 0 && !version.includes("/") && !version.includes("\\") && !version.includes("..") && !version.includes("\0");
-const readPnpmVirtualStore = (workspaceRoot, name, version) => {
-  const encodedName = name.replaceAll("/", "+");
-  const exactDir = `${encodedName}@${version}`;
-  const pnpmRoot = join(workspaceRoot, "node_modules", ".pnpm");
-  const exact = readJsonSafe(join(pnpmRoot, exactDir, "node_modules", name, "package.json"));
-  if (exact) {
-    return exact;
-  }
-  let directories;
-  try {
-    directories = readdirSync(pnpmRoot);
-  } catch {
-    return void 0;
-  }
-  const prefix = `${exactDir}_`;
-  for (const directory of directories) {
-    if (!directory.startsWith(prefix)) {
-      continue;
-    }
-    const metadata = readJsonSafe(join(pnpmRoot, directory, "node_modules", name, "package.json"));
-    if (metadata) {
-      return metadata;
-    }
-  }
-  return void 0;
-};
-const readHoistedCopy = (workspaceRoot, name, version) => {
-  const metadata = readJsonSafe(join(workspaceRoot, "node_modules", name, "package.json"));
-  return metadata?.version === version ? metadata : void 0;
-};
-const readInstalledPackageMetadata = (workspaceRoot, name, version) => {
-  if (!isSafePackageName(name) || !isSafeVersion(version)) {
-    return void 0;
-  }
-  return readPnpmVirtualStore(workspaceRoot, name, version) ?? readHoistedCopy(workspaceRoot, name, version);
-};
-
-const KNOWN_SPDX_IDS = /* @__PURE__ */ new Set([
-  "0BSD",
-  "AGPL-3.0",
-  "AGPL-3.0-only",
-  "AGPL-3.0-or-later",
-  "Apache-1.1",
-  "Apache-2.0",
-  "Artistic-2.0",
-  "BlueOak-1.0.0",
-  "BSD-2-Clause",
-  "BSD-3-Clause",
-  "BSL-1.0",
-  "CC0-1.0",
-  "CC-BY-3.0",
-  "CC-BY-4.0",
-  "CDDL-1.0",
-  "CDDL-1.1",
-  "EPL-1.0",
-  "EPL-2.0",
-  "GPL-2.0",
-  "GPL-2.0-only",
-  "GPL-2.0-or-later",
-  "GPL-3.0",
-  "GPL-3.0-only",
-  "GPL-3.0-or-later",
-  "ISC",
-  "LGPL-2.0",
-  "LGPL-2.1",
-  "LGPL-3.0",
-  "MIT",
-  "MIT-0",
-  "MPL-1.1",
-  "MPL-2.0",
-  "Python-2.0",
-  "Unlicense",
-  "WTFPL",
-  "Zlib"
-]);
-const SPDX_ALIASES = {
-  apache2: "Apache-2.0",
-  "apache 2.0": "Apache-2.0",
-  bsd: "BSD-3-Clause",
-  "bsd-2": "BSD-2-Clause",
-  "bsd-3": "BSD-3-Clause",
-  mit: "MIT",
-  public: "Unlicense",
-  "public domain": "Unlicense"
-};
-const LOWERCASE_SPDX_LOOKUP = (() => {
-  const map = /* @__PURE__ */ new Map();
-  for (const id of KNOWN_SPDX_IDS) {
-    map.set(id.toLowerCase(), id);
-  }
-  for (const [alias, canonical] of Object.entries(SPDX_ALIASES)) {
-    map.set(alias, canonical);
-  }
-  return map;
-})();
-const normalizeSpdxId = (raw) => {
-  const trimmed = raw.trim();
-  if (trimmed.length === 0) {
-    return void 0;
-  }
-  if (KNOWN_SPDX_IDS.has(trimmed)) {
-    return trimmed;
-  }
-  return LOWERCASE_SPDX_LOOKUP.get(trimmed.toLowerCase());
-};
-const extractLicenseChoice = (input) => {
-  let rawValue;
-  if (typeof input.license === "string") {
-    rawValue = input.license;
-  } else if (input.license && typeof input.license === "object" && typeof input.license.type === "string") {
-    rawValue = input.license.type;
-  } else if (Array.isArray(input.licenses) && input.licenses.length > 0) {
-    const first = input.licenses[0];
-    if (first && typeof first.type === "string") {
-      rawValue = first.type;
-    }
-  }
-  if (!rawValue) {
-    return void 0;
-  }
-  const trimmed = rawValue.trim();
-  if (trimmed.length === 0) {
-    return void 0;
-  }
-  if (/[()]|\b(and|or|with)\b/i.test(trimmed)) {
-    return [{ expression: trimmed }];
-  }
-  const spdxId = normalizeSpdxId(trimmed);
-  if (spdxId) {
-    return [{ license: { id: spdxId } }];
-  }
-  return [{ license: { name: trimmed } }];
-};
-
-const SRI_TO_CYCLONEDX_ALG = {
-  sha256: "SHA-256",
-  sha384: "SHA-384",
-  sha512: "SHA-512"
-};
-const SRI_HEX_LENGTH = {
-  sha256: 64,
-  sha384: 96,
-  sha512: 128
-};
-const toResolvedPackage = (entry) => {
-  const resolved = { name: entry.name, version: entry.version };
-  const { integrity } = entry;
-  if (integrity && integrity.hex.length === SRI_HEX_LENGTH[integrity.algorithm]) {
-    resolved.hash = {
-      alg: SRI_TO_CYCLONEDX_ALG[integrity.algorithm],
-      content: integrity.hex
-    };
-  }
-  if (entry.dependencies) {
-    resolved.dependencies = entry.dependencies;
-  }
-  if (entry.peerDependencies) {
-    resolved.peerDependencies = entry.peerDependencies;
-  }
-  if (entry.optionalDependencies) {
-    resolved.optionalDependencies = entry.optionalDependencies;
-  }
-  return resolved;
-};
-const LOCKFILE_CANDIDATES = [
-  { file: "pnpm-lock.yaml", type: "pnpm" },
-  { file: "package-lock.json", type: "npm" },
-  { file: "yarn.lock", type: "yarn" },
-  { file: "bun.lock", type: "bun" }
-];
-const readLockfilePackages = (workspaceRoot) => {
-  for (const { file, type } of LOCKFILE_CANDIDATES) {
-    let content;
-    try {
-      content = readFileSync(join(workspaceRoot, file));
-    } catch {
-      continue;
-    }
-    const packages = /* @__PURE__ */ new Map();
-    for (const entry of parseLockFileContent(content, type)) {
-      packages.set(`${entry.name}@${entry.version}`, toResolvedPackage(entry));
-    }
-    return { packages, type };
-  }
-  return void 0;
-};
-
-const encodeSegment = (input) => input.replaceAll(/[^\w.~-]/g, (char) => {
-  const codePoint = char.codePointAt(0) ?? 0;
-  return `%${codePoint.toString(16).toUpperCase().padStart(2, "0")}`;
-});
-const toNpmPurl = (packageName, version) => {
-  const lowered = packageName.toLowerCase();
-  if (lowered.startsWith("@")) {
-    const slashIndex = lowered.indexOf("/");
-    if (slashIndex > 0) {
-      const namespace = lowered.slice(0, slashIndex);
-      const name = lowered.slice(slashIndex + 1);
-      return `pkg:npm/${encodeSegment(namespace)}/${encodeSegment(name)}@${encodeSegment(version)}`;
-    }
-  }
-  return `pkg:npm/${encodeSegment(lowered)}@${encodeSegment(version)}`;
-};
-
-const stripProtocolPrefix = (specifier) => {
-  const colonIndex = specifier.indexOf(":");
-  if (colonIndex <= 0) {
-    return specifier;
-  }
-  const prefix = specifier.slice(0, colonIndex);
-  return prefix === "npm" ? specifier.slice(colonIndex + 1) : specifier;
-};
-const resolveSpecifier = (name, specifier, index) => {
-  const versions = index.get(name);
-  if (!versions || versions.size === 0) {
-    return void 0;
-  }
-  if (versions.has(specifier)) {
-    return specifier;
-  }
-  const stripped = stripProtocolPrefix(specifier);
-  if (stripped !== specifier && versions.has(stripped)) {
-    return stripped;
-  }
-  const list = [...versions];
-  const best = semver.maxSatisfying(list, stripped, { includePrerelease: true });
-  if (best) {
-    return best;
-  }
-  return list[0];
-};
-
-const CYCLONEDX_SPEC_VERSION = "1.6";
-const CYCLONEDX_BOM_FORMAT = "CycloneDX";
-const CYCLONEDX_SCHEMA_URL = "http://cyclonedx.org/schema/bom-1.6.schema.json";
-const GENERATOR_NAME = "@visulima/vis";
-const readPackageJson = (path) => {
-  try {
-    return readJsonSync(path);
-  } catch {
-    return void 0;
-  }
-};
-const toAuthorString = (author) => {
-  if (!author) {
-    return void 0;
-  }
-  if (typeof author === "string") {
-    return author;
-  }
-  if (typeof author === "object" && author.name) {
-    return author.email ? `${author.name} <${author.email}>` : author.name;
-  }
-  return void 0;
-};
-const toRepositoryUrl = (repository) => {
-  if (!repository) {
-    return void 0;
-  }
-  if (typeof repository === "string") {
-    return repository;
-  }
-  return repository.url;
-};
-const toBugsUrl = (bugs) => {
-  if (!bugs) {
-    return void 0;
-  }
-  if (typeof bugs === "string") {
-    return bugs;
-  }
-  return bugs.url;
-};
-const buildExternalReferences = (pkg) => {
-  const references = [];
-  if (pkg.homepage) {
-    references.push({ type: "website", url: pkg.homepage });
-  }
-  const vcs = toRepositoryUrl(pkg.repository);
-  if (vcs) {
-    references.push({ type: "vcs", url: vcs });
-  }
-  const issues = toBugsUrl(pkg.bugs);
-  if (issues) {
-    references.push({ type: "issue-tracker", url: issues });
-  }
-  return references.length > 0 ? references : void 0;
-};
-const decoratePackageComponent = (component, pkg) => {
-  if (!pkg) {
-    return;
-  }
-  if (pkg.description) {
-    component.description = pkg.description;
-  }
-  const author = toAuthorString(pkg.author);
-  if (author) {
-    component.author = author;
-  }
-  const license = extractLicenseChoice(pkg);
-  if (license) {
-    component.licenses = license;
-  }
-  const references = buildExternalReferences(pkg);
-  if (references) {
-    component.externalReferences = references;
-  }
-};
-const buildCycloneDxBom = (options) => {
-  const { focus, generatorVersion, includeDev = false, now = /* @__PURE__ */ new Date(), projectGraph, serialNumber, workspace, workspaceRoot } = options;
-  const projectNames = focus && focus.length > 0 ? [...resolveFocusProjects(focus, projectGraph)].sort() : Object.keys(workspace.projects).sort();
-  const inScope = new Set(projectNames);
-  const projectPackages = /* @__PURE__ */ new Map();
-  for (const name of projectNames) {
-    const projectConfig = workspace.projects[name];
-    if (projectConfig) {
-      projectPackages.set(name, readPackageJson(join(workspaceRoot, projectConfig.root, "package.json")));
-    }
-  }
-  const projectComponents = [];
-  const projectBomRefs = /* @__PURE__ */ new Map();
-  for (const name of projectNames) {
-    const projectConfig = workspace.projects[name];
-    if (!projectConfig) {
-      continue;
-    }
-    const pkg = projectPackages.get(name);
-    const version = pkg?.version ?? "0.0.0";
-    const bomRef = toNpmPurl(name, version);
-    projectBomRefs.set(name, bomRef);
-    const component = {
-      "bom-ref": bomRef,
-      name,
-      purl: bomRef,
-      type: projectConfig.projectType === "application" ? "application" : "library",
-      version
-    };
-    decoratePackageComponent(component, pkg);
-    projectComponents.push(component);
-  }
-  const lockfile = readLockfilePackages(workspaceRoot);
-  const lockfileByRef = /* @__PURE__ */ new Map();
-  const versionIndex = /* @__PURE__ */ new Map();
-  if (lockfile) {
-    for (const pkg of lockfile.packages.values()) {
-      lockfileByRef.set(`${pkg.name}@${pkg.version}`, pkg);
-      let versions = versionIndex.get(pkg.name);
-      if (!versions) {
-        versions = /* @__PURE__ */ new Set();
-        versionIndex.set(pkg.name, versions);
-      }
-      versions.add(pkg.version);
-    }
-  }
-  const requiredSeed = [];
-  const optionalSeed = [];
-  const directDepEdges = /* @__PURE__ */ new Map();
-  for (const name of projectNames) {
-    const pkg = projectPackages.get(name);
-    if (!pkg) {
-      continue;
-    }
-    const requiredMaps = [pkg.dependencies, pkg.peerDependencies];
-    if (includeDev) {
-      requiredMaps.push(pkg.devDependencies);
-    }
-    const edges = /* @__PURE__ */ new Set();
-    const seedRef = (target, depMap) => {
-      if (!depMap) {
-        return;
-      }
-      for (const [depName, specifier] of Object.entries(depMap)) {
-        if (inScope.has(depName)) {
-          const ref = projectBomRefs.get(depName);
-          if (ref) {
-            edges.add(ref);
-          }
-          continue;
-        }
-        const resolvedVersion = resolveSpecifier(depName, specifier, versionIndex);
-        if (resolvedVersion) {
-          edges.add(toNpmPurl(depName, resolvedVersion));
-          target.push(`${depName}@${resolvedVersion}`);
-        }
-      }
-    };
-    for (const depMap of requiredMaps) {
-      seedRef(requiredSeed, depMap);
-    }
-    seedRef(optionalSeed, pkg.optionalDependencies);
-    directDepEdges.set(name, edges);
-  }
-  const reachableRegistryRefs = /* @__PURE__ */ new Map();
-  const registryDepEdges = /* @__PURE__ */ new Map();
-  const walk = (seeds, scope) => {
-    const queue = [...seeds];
-    while (queue.length > 0) {
-      const ref = queue.pop();
-      const existing = reachableRegistryRefs.get(ref);
-      if (existing === "required" || existing === "optional" && scope === "optional") {
-        continue;
-      }
-      reachableRegistryRefs.set(ref, scope);
-      const entry = lockfileByRef.get(ref);
-      if (!entry) {
-        continue;
-      }
-      const outgoing = registryDepEdges.get(ref) ?? /* @__PURE__ */ new Set();
-      const inheritedMaps = [entry.dependencies, entry.peerDependencies];
-      for (const depMap of inheritedMaps) {
-        if (!depMap) {
-          continue;
-        }
-        for (const [depName, specifiers] of Object.entries(depMap)) {
-          for (const specifier of specifiers) {
-            const resolvedVersion = resolveSpecifier(depName, specifier, versionIndex);
-            if (!resolvedVersion) {
-              continue;
-            }
-            outgoing.add(toNpmPurl(depName, resolvedVersion));
-            queue.push(`${depName}@${resolvedVersion}`);
-          }
-        }
-      }
-      if (entry.optionalDependencies) {
-        for (const [depName, specifiers] of Object.entries(entry.optionalDependencies)) {
-          for (const specifier of specifiers) {
-            const resolvedVersion = resolveSpecifier(depName, specifier, versionIndex);
-            if (!resolvedVersion) {
-              continue;
-            }
-            outgoing.add(toNpmPurl(depName, resolvedVersion));
-            optionalSeed.push(`${depName}@${resolvedVersion}`);
-          }
-        }
-      }
-      if (outgoing.size > 0) {
-        registryDepEdges.set(ref, outgoing);
-      }
-    }
-  };
-  walk(requiredSeed, "required");
-  walk(optionalSeed, "optional");
-  const registryComponents = [];
-  const sortedRefs = [...reachableRegistryRefs.keys()].sort();
-  for (const ref of sortedRefs) {
-    const pkg = lockfileByRef.get(ref);
-    if (!pkg) {
-      continue;
-    }
-    const purl = toNpmPurl(pkg.name, pkg.version);
-    const component = {
-      "bom-ref": purl,
-      name: pkg.name,
-      purl,
-      scope: reachableRegistryRefs.get(ref) ?? "required",
-      type: "library",
-      version: pkg.version
-    };
-    if (pkg.hash) {
-      component.hashes = [pkg.hash];
-    }
-    decoratePackageComponent(component, readInstalledPackageMetadata(workspaceRoot, pkg.name, pkg.version));
-    registryComponents.push(component);
-  }
-  const dependencies = [];
-  for (const [projectName, edges] of directDepEdges) {
-    const ref = projectBomRefs.get(projectName);
-    if (!ref) {
-      continue;
-    }
-    const dependsOn = [...edges].sort();
-    dependencies.push(dependsOn.length > 0 ? { dependsOn, ref } : { ref });
-  }
-  for (const ref of sortedRefs) {
-    const pkg = lockfileByRef.get(ref);
-    if (!pkg) {
-      continue;
-    }
-    const purl = toNpmPurl(pkg.name, pkg.version);
-    const outgoing = registryDepEdges.get(ref);
-    const dependsOn = outgoing ? [...outgoing].sort() : [];
-    dependencies.push(dependsOn.length > 0 ? { dependsOn, ref: purl } : { ref: purl });
-  }
-  dependencies.sort((a, b) => a.ref.localeCompare(b.ref));
-  const rootPkg = readPackageJson(join(workspaceRoot, "package.json"));
-  const metadataComponent = (() => {
-    if (focus?.length === 1) {
-      const match = projectComponents.find((component2) => component2.name === focus[0]);
-      if (match) {
-        return {
-          "bom-ref": match["bom-ref"],
-          name: match.name,
-          purl: match.purl,
-          type: match.type,
-          version: match.version
-        };
-      }
-    }
-    const rootName = rootPkg?.name ?? "workspace";
-    const rootVersion = rootPkg?.version ?? "0.0.0";
-    const rootRef = toNpmPurl(rootName, rootVersion);
-    const component = {
-      "bom-ref": rootRef,
-      name: rootName,
-      purl: rootRef,
-      type: "application",
-      version: rootVersion
-    };
-    decoratePackageComponent(component, rootPkg);
-    return component;
-  })();
-  const metadataRef = metadataComponent["bom-ref"];
-  const filteredProjectComponents = metadataRef ? projectComponents.filter((component) => component["bom-ref"] !== metadataRef) : projectComponents;
-  return {
-    $schema: CYCLONEDX_SCHEMA_URL,
-    bomFormat: CYCLONEDX_BOM_FORMAT,
-    components: [...filteredProjectComponents, ...registryComponents],
-    dependencies,
-    metadata: {
-      component: metadataComponent,
-      lifecycles: [{ phase: "build" }],
-      timestamp: now.toISOString(),
-      tools: {
-        components: [
-          {
-            name: GENERATOR_NAME,
-            type: "application",
-            ...generatorVersion ? { version: generatorVersion } : {}
-          }
-        ]
-      }
-    },
-    serialNumber: serialNumber ?? `urn:uuid:${randomUUID()}`,
-    specVersion: CYCLONEDX_SPEC_VERSION,
-    version: 1
-  };
-};
-const serializeBomToXml = (bom) => {
-  const rootAttributes = {
-    version: bom.version ?? 1,
-    xmlns: "http://cyclonedx.org/schema/bom/1.6"
-  };
-  if (bom.serialNumber) {
-    rootAttributes.serialNumber = bom.serialNumber;
-  }
-  const content = [];
-  if (bom.metadata) {
-    content.push(metadataToXmlElement(bom.metadata));
-  }
-  if (bom.components && bom.components.length > 0) {
-    content.push({
-      _content: bom.components.map(componentToXmlElement),
-      _name: "components"
-    });
-  }
-  if (bom.dependencies && bom.dependencies.length > 0) {
-    content.push({
-      _content: bom.dependencies.map(dependencyToXmlElement),
-      _name: "dependencies"
-    });
-  }
-  const xml = toXML(
-    {
-      _attrs: rootAttributes,
-      _content: content,
-      _name: "bom"
-    },
-    {
-      header: true,
-      indent: "  ",
-      selfCloseTags: true
-    }
-  );
-  return `${xml}
-`;
-};
-const metadataToXmlElement = (metadata) => {
-  const children = [];
-  if (metadata.timestamp) {
-    children.push({ timestamp: metadata.timestamp });
-  }
-  if (metadata.lifecycles && metadata.lifecycles.length > 0) {
-    children.push({
-      _content: metadata.lifecycles.map((lifecycle) => {
-        const entries = [];
-        if (lifecycle.phase) {
-          entries.push({ phase: lifecycle.phase });
-        }
-        if (lifecycle.name) {
-          entries.push({ name: lifecycle.name });
-        }
-        if (lifecycle.description) {
-          entries.push({ description: lifecycle.description });
-        }
-        return { _content: entries, _name: "lifecycle" };
-      }),
-      _name: "lifecycles"
-    });
-  }
-  if (metadata.tools?.components) {
-    children.push({
-      _content: [
-        {
-          _content: metadata.tools.components.map(componentToXmlElement),
-          _name: "components"
-        }
-      ],
-      _name: "tools"
-    });
-  }
-  if (metadata.component) {
-    children.push(componentToXmlElement(metadata.component));
-  }
-  return { _content: children, _name: "metadata" };
-};
-const componentToXmlElement = (component) => {
-  const attributes = { type: component.type };
-  if (component["bom-ref"]) {
-    attributes["bom-ref"] = component["bom-ref"];
-  }
-  const children = [];
-  if (component.group) {
-    children.push({ group: component.group });
-  }
-  children.push({ name: component.name });
-  if (component.version) {
-    children.push({ version: component.version });
-  }
-  if (component.description) {
-    children.push({ description: component.description });
-  }
-  if (component.author) {
-    children.push({ author: component.author });
-  }
-  if (component.hashes && component.hashes.length > 0) {
-    children.push({
-      _content: component.hashes.map((hash) => {
-        return {
-          _attrs: { alg: hash.alg },
-          _content: hash.content,
-          _name: "hash"
-        };
-      }),
-      _name: "hashes"
-    });
-  }
-  const licenses = licensesToXmlElement(component.licenses);
-  if (licenses) {
-    children.push(licenses);
-  }
-  if (component.purl) {
-    children.push({ purl: component.purl });
-  }
-  if (component.scope) {
-    children.push({ scope: component.scope });
-  }
-  if (component.externalReferences && component.externalReferences.length > 0) {
-    children.push({
-      _content: component.externalReferences.map((reference) => {
-        return {
-          _attrs: { type: reference.type },
-          _content: [{ url: reference.url }],
-          _name: "reference"
-        };
-      }),
-      _name: "externalReferences"
-    });
-  }
-  return { _attrs: attributes, _content: children, _name: "component" };
-};
-const licensesToXmlElement = (licenses) => {
-  if (!licenses || licenses.length === 0) {
-    return void 0;
-  }
-  const entries = [];
-  for (const entry of licenses) {
-    if ("expression" in entry) {
-      entries.push({ expression: entry.expression });
-      continue;
-    }
-    const licenseChildren = [];
-    if ("id" in entry.license && entry.license.id) {
-      licenseChildren.push({ id: entry.license.id });
-    } else if ("name" in entry.license && entry.license.name) {
-      licenseChildren.push({ name: entry.license.name });
-    }
-    entries.push({ _content: licenseChildren, _name: "license" });
-  }
-  return { _content: entries, _name: "licenses" };
-};
-const dependencyToXmlElement = (dep) => {
-  if (dep.dependsOn && dep.dependsOn.length > 0) {
-    return {
-      _attrs: { ref: dep.ref },
-      _content: dep.dependsOn.map((child) => {
-        return {
-          _attrs: { ref: child },
-          _name: "dependency"
-        };
-      }),
-      _name: "dependency"
-    };
-  }
-  return { _attrs: { ref: dep.ref }, _name: "dependency" };
-};
-
-const SBOM_FORMATS = ["json", "xml"];
-const isSbomFormat = (value) => SBOM_FORMATS.includes(value);
-const execute = async ({ options, visConfig, workspaceRoot: wsRoot }) => {
-  if (!wsRoot) {
-    throw new Error("Could not determine workspace root. Run inside a monorepo.");
-  }
-  const { packageJsons, workspace } = discoverWorkspace(wsRoot, visConfig);
-  const projectGraph = buildProjectGraph(wsRoot, workspace, packageJsons);
-  const focusRaw = options.focus;
-  const focus = focusRaw ? focusRaw.split(",").map((name) => name.trim()).filter(Boolean) : void 0;
-  const format = (options.format ?? "json").toLowerCase();
-  if (!isSbomFormat(format)) {
-    throw new Error(`Unknown --format: "${format}". Expected one of: ${SBOM_FORMATS.join(", ")}.`);
-  }
-  const bom = buildCycloneDxBom({
-    focus,
-    includeDev: Boolean(options.includeDev),
-    projectGraph,
-    workspace,
-    workspaceRoot: wsRoot
-  });
-  const serialized = format === "xml" ? serializeBomToXml(bom) : `${JSON.stringify(bom, void 0, 2)}
-`;
-  const output = options.output ?? (format === "xml" ? "sbom.cdx.xml" : "sbom.cdx.json");
-  if (output === "-") {
-    process.stdout.write(serialized);
-    return;
-  }
-  const outPath = resolve(wsRoot, output);
-  ensureDirSync(dirname(outPath));
-  writeFileSync(outPath, serialized, "utf8");
-  const componentCount = bom.components?.length ?? 0;
-  const dependencyCount = bom.dependencies?.length ?? 0;
-  pail.success(`SBOM written to ${outPath}`);
-  pail.notice(`${componentCount} components, ${dependencyCount} dependency edges`);
-};
-
-export { execute as default };
+var _e=Object.defineProperty;var C=(e,n)=>_e(e,"name",{value:n,configurable:!0});import{createRequire as ve}from"node:module";import{readJsonSync as pe,readFileSync as ke,ensureDirSync as je}from"@visulima/fs";import{join as F,resolve as Le,dirname as Ce}from"@visulima/path";import{aE as Pe,k as we,y as Ae,p as se}from"./bin.js";import{r as xe}from"../packem_shared/docker-D6OGr5_S.js";import{parseLockFileContent as De}from"@visulima/package";const $e=ve(import.meta.url),H=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,ie=C(e=>{if(typeof H<"u"&&H.versions&&H.versions.node){const[n,t]=H.versions.node.split(".").map(Number);if(n>22||n===22&&t>=3||n===20&&t>=16)return H.getBuiltinModule(e)}return $e(e)},"__cjs_getBuiltinModule"),{readdirSync:Oe,writeFileSync:Se}=ie("node:fs"),{randomUUID:Te}=ie("node:crypto");var Be=Object.defineProperty,k=C((e,n)=>Be(e,"name",{value:n,configurable:!0}),"a$1");const f={ARRAY:"array",BOOLEAN:"boolean",DATE:"date",FUNCTION:"function",JSTOXML_OBJECT:"jstoxml-object",NULL:"null",NUMBER:"number",OBJECT:"object",STRING:"string"},Ee=[f.STRING,f.NUMBER,f.BOOLEAN],Re='<?xml version="1.0" encoding="UTF-8"?>',re=["_selfCloseTag","_attrs"],Me=k((e="",n=0)=>e.repeat(n),"getIndentStr"),Z=k(e=>Array.isArray(e)&&f.ARRAY||typeof e===f.OBJECT&&e!==null&&e._name&&f.JSTOXML_OBJECT||e instanceof Date&&f.DATE||e===null&&f.NULL||typeof e,"getType"),le=k(e=>e.startsWith("<![CDATA["),"isCDATA"),ue=k((e="",n={},t)=>{let o=e;if(typeof e===f.STRING){if(le(e))return e;const s=new RegExp(`(${Object.keys(n).join("|")})(?!(\\w|#)*;)`,"g");o=String(e).replace(s,(p,d)=>n[d]||"")}return typeof t=="function"?t(o):o},"mapStr"),Ne=k((e={},n,t,o)=>(Array.isArray(e)?e:Object.entries(e).map(([s,p])=>({[s]:p}))).reduce((s,p)=>{const d=Object.keys(p)[0],b=p[d];if(typeof t===f.FUNCTION&&t(d,b))return s;const m=n?ue(b,n):b,h=!o&&m===!0?"":`="${m}"`;return s.push(`${d}${h}`),s},[]),"getAttributeKeyVals"),Ie=k((e={},n,t,o)=>{const s=Ne(e,n,t,o);return s.length===0?"":` ${s.join(" ")}`},"formatAttributes"),Ue=k((e={})=>Object.keys(e).map(n=>({_name:n,_content:e[n]})),"objToArray"),Fe=k(e=>Ee.includes(Z(e)),"isPrimitive"),Ge=k(e=>!e.match("<"),"isSimpleXML"),Je=k(({header:e,isOutputStart:n})=>e&&n?typeof e===f.BOOLEAN?Re:e:"","getHeaderString"),ce={"<":"&lt;",">":"&gt;","&":"&amp;",'"':"&quot;"},q=k((e={},n={})=>{const{depth:t=0,indent:o,_isFirstItem:s,_isOutputStart:p=!0,header:d,attributeReplacements:b={},attributeFilter:m,attributeExplicitTrue:h=!1,contentReplacements:B={},contentMap:P,selfCloseTags:j=!0}=n,M=typeof b=="boolean"&&!b?{}:{...ce,...b},G=typeof B=="boolean"&&!B?{}:{...ce,...B},w=typeof o=="string",A=Me(o,t),Y=Z(e),J=Je({header:d,indent:o,depth:t,isOutputStart:p}),N=p&&!J&&s&&t===0,I=w&&!N?`
+`:"";let $="";switch(Y){case f.JSTOXML_OBJECT:{const{_name:y,_content:l}=e;if(l===null&&typeof P!="function"){$=`${I}${A}${y}`;break}if(Array.isArray(l)&&l.every(Fe))return l.map(L=>q({_name:y,_content:L},{...n,depth:t,_isOutputStart:!1})).join("");if(re.includes(y))break;const v=q(l,{...n,depth:t+1,_isOutputStart:N}),E=Z(v),O=Ge(v),S=le(v),R=`${I}${A}`;if(y==="_comment"){$+=`${R}<!-- ${l} -->`;break}const K=E==="undefined"||v==="",c=j,r=e._selfCloseTag,i=typeof r===f.BOOLEAN?K&&r:K&&c,a=i?"/":"",u=Ie(e._attrs,M,m,h),g=`<${y}${u}${a}>`,T=w&&!O&&!S?`
+${A}`:"",x=i?"":`${v}${T}</${y}>`;$+=`${R}${g}${x}`;break}case f.OBJECT:{const y=Object.keys(e);$=y.map((l,v)=>{const E={...n,_isFirstItem:v===0,_isLastItem:v+1===y.length,_isOutputStart:N},O={_name:l};if(Z(e[l])===f.OBJECT&&(re.forEach(S=>{const R=e[l][S];typeof R<"u"&&(O[S]=R,delete e[l][S])}),typeof e[l]._content<"u"&&Object.keys(e[l]).length>1)){const S=Object.assign({},e[l]);delete S._content,O._content=[...Ue(S),e[l]._content]}return typeof O._content>"u"&&(O._content=e[l]),q(O,E)},n).join("");break}case f.FUNCTION:{const y=e(n);$=q(y,n);break}case f.ARRAY:{$=e.map((y,l)=>{const v={...n,_isFirstItem:l===0,_isLastItem:l+1===e.length,_isOutputStart:N};return q(y,v)}).join("");break}default:{$=ue(e,G,P);break}}return`${J}${$}`},"toXML");var Xe=Object.defineProperty,z=C((e,n)=>Xe(e,"name",{value:n,configurable:!0}),"r$1");const te=z(e=>{try{return pe(e)}catch{return}},"readJsonSafe"),qe=z(e=>{if(e.length===0||e.includes("..")||e.startsWith(".")||e.includes("\0")||e.includes("\\"))return!1;if(e.startsWith("@")){const n=e.indexOf("/");return n>1&&!e.includes("/",n+1)}return!e.includes("/")},"isSafePackageName"),ze=z(e=>e.length>0&&!e.includes("/")&&!e.includes("\\")&&!e.includes("..")&&!e.includes("\0"),"isSafeVersion"),We=z((e,n,t)=>{const o=`${n.replaceAll("/","+")}@${t}`,s=F(e,"node_modules",".pnpm"),p=te(F(s,o,"node_modules",n,"package.json"));if(p)return p;let d;try{d=Oe(s)}catch{return}const b=`${o}_`;for(const m of d){if(!m.startsWith(b))continue;const h=te(F(s,m,"node_modules",n,"package.json"));if(h)return h}},"readPnpmVirtualStore"),He=z((e,n,t)=>{const o=te(F(e,"node_modules",n,"package.json"));return o?.version===t?o:void 0},"readHoistedCopy"),Ve=z((e,n,t)=>{if(!(!qe(n)||!ze(t)))return We(e,n,t)??He(e,n,t)},"readInstalledPackageMetadata");var Ye=Object.defineProperty,me=C((e,n)=>Ye(e,"name",{value:n,configurable:!0}),"i");const fe=new Set(["0BSD","AGPL-3.0","AGPL-3.0-only","AGPL-3.0-or-later","Apache-1.1","Apache-2.0","Artistic-2.0","BlueOak-1.0.0","BSD-2-Clause","BSD-3-Clause","BSL-1.0","CC0-1.0","CC-BY-3.0","CC-BY-4.0","CDDL-1.0","CDDL-1.1","EPL-1.0","EPL-2.0","GPL-2.0","GPL-2.0-only","GPL-2.0-or-later","GPL-3.0","GPL-3.0-only","GPL-3.0-or-later","ISC","LGPL-2.0","LGPL-2.1","LGPL-3.0","MIT","MIT-0","MPL-1.1","MPL-2.0","Python-2.0","Unlicense","WTFPL","Zlib"]),Ke={apache2:"Apache-2.0","apache 2.0":"Apache-2.0",bsd:"BSD-3-Clause","bsd-2":"BSD-2-Clause","bsd-3":"BSD-3-Clause",mit:"MIT",public:"Unlicense","public domain":"Unlicense"},Ze=(()=>{const e=new Map;for(const n of fe)e.set(n.toLowerCase(),n);for(const[n,t]of Object.entries(Ke))e.set(n,t);return e})(),Qe=me(e=>{const n=e.trim();if(n.length!==0)return fe.has(n)?n:Ze.get(n.toLowerCase())},"normalizeSpdxId"),en=me(e=>{let n;if(typeof e.license=="string")n=e.license;else if(e.license&&typeof e.license=="object"&&typeof e.license.type=="string")n=e.license.type;else if(Array.isArray(e.licenses)&&e.licenses.length>0){const s=e.licenses[0];s&&typeof s.type=="string"&&(n=s.type)}if(!n)return;const t=n.trim();if(t.length===0)return;if(/[()]|\b(?:and|or|with)\b/i.test(t))return[{expression:t}];const o=Qe(t);return o?[{license:{id:o}}]:[{license:{name:t}}]},"extractLicenseChoice");var nn=Object.defineProperty,de=C((e,n)=>nn(e,"name",{value:n,configurable:!0}),"t");const tn={sha256:"SHA-256",sha384:"SHA-384",sha512:"SHA-512"},on={sha256:64,sha384:96,sha512:128},sn=de(e=>{const n={name:e.name,version:e.version},{integrity:t}=e;return t&&t.hex.length===on[t.algorithm]&&(n.hash={alg:tn[t.algorithm],content:t.hex}),e.dependencies&&(n.dependencies=e.dependencies),e.peerDependencies&&(n.peerDependencies=e.peerDependencies),e.optionalDependencies&&(n.optionalDependencies=e.optionalDependencies),n},"toResolvedPackage"),rn=[{file:"pnpm-lock.yaml",type:"pnpm"},{file:"package-lock.json",type:"npm"},{file:"yarn.lock",type:"yarn"},{file:"bun.lock",type:"bun"}],cn=de(e=>{for(const{file:n,type:t}of rn){let o;try{o=ke(F(e,n))}catch{continue}const s=new Map;for(const p of De(o,t))s.set(`${p.name}@${p.version}`,sn(p));return{packages:s,type:t}}},"readLockfilePackages");var an=Object.defineProperty,he=C((e,n)=>an(e,"name",{value:n,configurable:!0}),"r");const V=he(e=>e.replaceAll(/[^\w.~-]/g,n=>`%${(n.codePointAt(0)??0).toString(16).toUpperCase().padStart(2,"0")}`),"encodeSegment"),U=he((e,n)=>{const t=e.toLowerCase();if(t.startsWith("@")){const o=t.indexOf("/");if(o>0){const s=t.slice(0,o),p=t.slice(o+1);return`pkg:npm/${V(s)}/${V(p)}@${V(n)}`}}return`pkg:npm/${V(t)}@${V(n)}`},"toNpmPurl");var pn=Object.defineProperty,ye=C((e,n)=>pn(e,"name",{value:n,configurable:!0}),"s");const ln=ye(e=>{const n=e.indexOf(":");return n<=0?e:e.slice(0,n)==="npm"?e.slice(n+1):e},"stripProtocolPrefix"),ee=ye((e,n,t)=>{const o=t.get(e);if(!o||o.size===0)return;if(o.has(n))return n;const s=ln(n);if(s!==n&&o.has(s))return s;const p=[...o];return Pe.maxSatisfying(p,s,{includePrerelease:!0})||p[0]},"resolveSpecifier");var un=Object.defineProperty,_=C((e,n)=>un(e,"name",{value:n,configurable:!0}),"p");const mn="1.6",fn="CycloneDX",dn="http://cyclonedx.org/schema/bom-1.6.schema.json",hn="@visulima/vis",ae=_(e=>{try{return pe(e)}catch{return}},"readPackageJson"),yn=_(e=>{if(e){if(typeof e=="string")return e;if(typeof e=="object"&&e.name)return e.email?`${e.name} <${e.email}>`:e.name}},"toAuthorString"),gn=_(e=>{if(e)return typeof e=="string"?e:e.url},"toRepositoryUrl"),bn=_(e=>{if(e)return typeof e=="string"?e:e.url},"toBugsUrl"),_n=_(e=>{const n=[];e.homepage&&n.push({type:"website",url:e.homepage});const t=gn(e.repository);t&&n.push({type:"vcs",url:t});const o=bn(e.bugs);return o&&n.push({type:"issue-tracker",url:o}),n.length>0?n:void 0},"buildExternalReferences"),ne=_((e,n)=>{if(!n)return;n.description&&(e.description=n.description);const t=yn(n.author);t&&(e.author=t);const o=en(n);o&&(e.licenses=o);const s=_n(n);s&&(e.externalReferences=s)},"decoratePackageComponent"),vn=_(e=>{const{focus:n,generatorVersion:t,includeDev:o=!1,now:s=new Date,projectGraph:p,serialNumber:d,workspace:b,workspaceRoot:m}=e,h=n&&n.length>0?[...xe(n,p)].sort():Object.keys(b.projects).sort(),B=new Set(h),P=new Map;for(const c of h){const r=b.projects[c];r&&P.set(c,ae(F(m,r.root,"package.json")))}const j=[],M=new Map;for(const c of h){const r=b.projects[c];if(!r)continue;const i=P.get(c),a=i?.version??"0.0.0",u=U(c,a);M.set(c,u);const g={"bom-ref":u,name:c,purl:u,type:r.projectType==="application"?"application":"library",version:a};ne(g,i),j.push(g)}const G=cn(m),w=new Map,A=new Map;if(G)for(const c of G.packages.values()){w.set(`${c.name}@${c.version}`,c);let r=A.get(c.name);r||(r=new Set,A.set(c.name,r)),r.add(c.version)}const Y=[],J=[],N=new Map;for(const c of h){const r=P.get(c);if(!r)continue;const i=[r.dependencies,r.peerDependencies];o&&i.push(r.devDependencies);const a=new Set,u=_((g,T)=>{if(T)for(const[x,L]of Object.entries(T)){if(B.has(x)){const X=M.get(x);X&&a.add(X);continue}const D=ee(x,L,A);D&&(a.add(U(x,D)),g.push(`${x}@${D}`))}},"seedRef");for(const g of i)u(Y,g);u(J,r.optionalDependencies),N.set(c,a)}const I=new Map,$=new Map,y=_((c,r)=>{const i=[...c];for(;i.length>0;){const a=i.pop(),u=I.get(a);if(u==="required"||u==="optional"&&r==="optional")continue;I.set(a,r);const g=w.get(a);if(!g)continue;const T=$.get(a)??new Set,x=[g.dependencies,g.peerDependencies];for(const L of x)if(L)for(const[D,X]of Object.entries(L))for(const W of X){const Q=ee(D,W,A);Q&&(T.add(U(D,Q)),i.push(`${D}@${Q}`))}if(g.optionalDependencies)for(const[L,D]of Object.entries(g.optionalDependencies))for(const X of D){const W=ee(L,X,A);W&&(T.add(U(L,W)),J.push(`${L}@${W}`))}T.size>0&&$.set(a,T)}},"walk");y(Y,"required"),y(J,"optional");const l=[],v=[...I.keys()].sort();for(const c of v){const r=w.get(c);if(!r)continue;const i=U(r.name,r.version),a={"bom-ref":i,name:r.name,purl:i,scope:I.get(c)??"required",type:"library",version:r.version};r.hash&&(a.hashes=[r.hash]),ne(a,Ve(m,r.name,r.version)),l.push(a)}const E=[];for(const[c,r]of N){const i=M.get(c);if(!i)continue;const a=[...r].sort();E.push(a.length>0?{dependsOn:a,ref:i}:{ref:i})}for(const c of v){const r=w.get(c);if(!r)continue;const i=U(r.name,r.version),a=$.get(c),u=a?[...a].sort():[];E.push(u.length>0?{dependsOn:u,ref:i}:{ref:i})}E.sort((c,r)=>c.ref.localeCompare(r.ref));const O=ae(F(m,"package.json")),S=(()=>{if(n?.length===1){const u=j.find(g=>g.name===n[0]);if(u)return{"bom-ref":u["bom-ref"],name:u.name,purl:u.purl,type:u.type,version:u.version}}const c=O?.name??"workspace",r=O?.version??"0.0.0",i=U(c,r),a={"bom-ref":i,name:c,purl:i,type:"application",version:r};return ne(a,O),a})(),R=S["bom-ref"],K=R?j.filter(c=>c["bom-ref"]!==R):j;return{$schema:dn,bomFormat:fn,components:[...K,...l],dependencies:E,metadata:{component:S,lifecycles:[{phase:"build"}],timestamp:s.toISOString(),tools:{components:[{name:hn,type:"application",...t?{version:t}:{}}]}},serialNumber:d??`urn:uuid:${Te()}`,specVersion:mn,version:1}},"buildCycloneDxBom"),$n=_(e=>{const n={version:e.version??1,xmlns:"http://cyclonedx.org/schema/bom/1.6"};e.serialNumber&&(n.serialNumber=e.serialNumber);const t=[];return e.metadata&&t.push(On(e.metadata)),e.components&&e.components.length>0&&t.push({_content:e.components.map(o=>oe(o)),_name:"components"}),e.dependencies&&e.dependencies.length>0&&t.push({_content:e.dependencies.map(o=>kn(o)),_name:"dependencies"}),`${q({_attrs:n,_content:t,_name:"bom"},{header:!0,indent:"  ",selfCloseTags:!0})}
+`},"serializeBomToXml"),On=_(e=>{const n=[];return e.timestamp&&n.push({timestamp:e.timestamp}),e.lifecycles&&e.lifecycles.length>0&&n.push({_content:e.lifecycles.map(t=>{const o=[];return t.phase&&o.push({phase:t.phase}),t.name&&o.push({name:t.name}),t.description&&o.push({description:t.description}),{_content:o,_name:"lifecycle"}}),_name:"lifecycles"}),e.tools?.components&&n.push({_content:[{_content:e.tools.components.map(t=>oe(t)),_name:"components"}],_name:"tools"}),e.component&&n.push(oe(e.component)),{_content:n,_name:"metadata"}},"metadataToXmlElement"),oe=_(e=>{const n={type:e.type};e["bom-ref"]&&(n["bom-ref"]=e["bom-ref"]);const t=[];e.group&&t.push({group:e.group}),t.push({name:e.name}),e.version&&t.push({version:e.version}),e.description&&t.push({description:e.description}),e.author&&t.push({author:e.author}),e.hashes&&e.hashes.length>0&&t.push({_content:e.hashes.map(s=>({_attrs:{alg:s.alg},_content:s.content,_name:"hash"})),_name:"hashes"});const o=Sn(e.licenses);return o&&t.push(o),e.purl&&t.push({purl:e.purl}),e.scope&&t.push({scope:e.scope}),e.externalReferences&&e.externalReferences.length>0&&t.push({_content:e.externalReferences.map(s=>({_attrs:{type:s.type},_content:[{url:s.url}],_name:"reference"})),_name:"externalReferences"}),{_attrs:n,_content:t,_name:"component"}},"componentToXmlElement"),Sn=_(e=>{if(!e||e.length===0)return;const n=[];for(const t of e){if("expression"in t){n.push({expression:t.expression});continue}const o=[];"id"in t.license&&t.license.id?o.push({id:t.license.id}):"name"in t.license&&t.license.name&&o.push({name:t.license.name}),n.push({_content:o,_name:"license"})}return{_content:n,_name:"licenses"}},"licensesToXmlElement"),kn=_(e=>e.dependsOn&&e.dependsOn.length>0?{_attrs:{ref:e.ref},_content:e.dependsOn.map(n=>({_attrs:{ref:n},_name:"dependency"})),_name:"dependency"}:{_attrs:{ref:e.ref},_name:"dependency"},"dependencyToXmlElement");var jn=Object.defineProperty,ge=C((e,n)=>jn(e,"name",{value:n,configurable:!0}),"m");const be=["json","xml"],Ln=ge(e=>be.includes(e),"isSbomFormat"),Bn=ge(async({options:e,visConfig:n,workspaceRoot:t})=>{if(!t)throw new Error("Could not determine workspace root. Run inside a monorepo.");const{packageJsons:o,workspace:s}=we(t,n),p=Ae(t,s,o),d=e.focus,b=d?d.split(",").map(w=>w.trim()).filter(Boolean):void 0,m=(e.format??"json").toLowerCase();if(!Ln(m))throw new Error(`Unknown --format: "${m}". Expected one of: ${be.join(", ")}.`);const h=vn({focus:b,includeDev:!!e.includeDev,projectGraph:p,workspace:s,workspaceRoot:t}),B=m==="xml"?$n(h):`${JSON.stringify(h,void 0,2)}
+`,P=e.output??(m==="xml"?"sbom.cdx.xml":"sbom.cdx.json");if(P==="-"){process.stdout.write(B);return}const j=Le(t,P);je(Ce(j)),Se(j,B,"utf8");const M=h.components?.length??0,G=h.dependencies?.length??0;se.success(`SBOM written to ${j}`),se.notice(`${M} components, ${G} dependency edges`)},"execute");export{Bn as default};