npm - @visulima/vis - Versions diffs - 1.0.0-alpha.21 → 1.0.0-alpha.23 - Mend

@visulima/vis 1.0.0-alpha.21 → 1.0.0-alpha.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (139) hide show

package/CHANGELOG.md +103 -0
package/LICENSE.md +204 -9
package/README.md +21 -4
package/dashboard/dist/index.html +152 -0
package/dist/bin.js +1 -1
package/dist/binx.js +3 -0
package/dist/config/index.d.ts +208 -28
package/dist/config/index.js +1 -1
package/dist/packem_chunks/bin.js +360 -354
package/dist/packem_chunks/bloom-status.js +2 -0
package/dist/packem_chunks/bloom-sync.js +2 -0
package/dist/packem_chunks/cache-attestation.js +1 -0
package/dist/packem_chunks/config.js +15 -15
package/dist/packem_chunks/doctor-probe.js +2 -2
package/dist/packem_chunks/fix.js +3 -3
package/dist/packem_chunks/handler.js +1 -1
package/dist/packem_chunks/handler10.js +2 -1
package/dist/packem_chunks/handler11.js +1 -5
package/dist/packem_chunks/handler12.js +5 -1
package/dist/packem_chunks/handler13.js +1 -27
package/dist/packem_chunks/handler14.js +28 -5
package/dist/packem_chunks/handler15.js +5 -1
package/dist/packem_chunks/handler16.js +1 -1
package/dist/packem_chunks/handler17.js +1 -1
package/dist/packem_chunks/handler18.js +1 -1
package/dist/packem_chunks/handler19.js +1 -1
package/dist/packem_chunks/handler2.js +4 -2
package/dist/packem_chunks/handler20.js +1 -5
package/dist/packem_chunks/handler21.js +5 -2
package/dist/packem_chunks/handler22.js +2 -2
package/dist/packem_chunks/handler23.js +2 -18
package/dist/packem_chunks/handler24.js +1 -1
package/dist/packem_chunks/handler25.js +1 -1
package/dist/packem_chunks/handler26.js +5 -5
package/dist/packem_chunks/handler27.js +1 -1
package/dist/packem_chunks/handler28.js +1 -1
package/dist/packem_chunks/handler29.js +1 -1
package/dist/packem_chunks/handler3.js +4 -4
package/dist/packem_chunks/handler30.js +3 -3
package/dist/packem_chunks/handler31.js +4 -4
package/dist/packem_chunks/handler32.js +3 -3
package/dist/packem_chunks/handler33.js +1 -1
package/dist/packem_chunks/handler34.js +24 -24
package/dist/packem_chunks/handler35.js +5 -3
package/dist/packem_chunks/handler36.js +21 -6
package/dist/packem_chunks/handler37.js +60 -21
package/dist/packem_chunks/handler38.js +6 -428
package/dist/packem_chunks/handler39.js +708 -6
package/dist/packem_chunks/handler4.js +6 -8
package/dist/packem_chunks/handler40.js +11 -11
package/dist/packem_chunks/handler41.js +286 -10
package/dist/packem_chunks/handler42.js +11 -11
package/dist/packem_chunks/handler43.js +10 -25
package/dist/packem_chunks/handler44.js +25 -24
package/dist/packem_chunks/handler45.js +23 -212
package/dist/packem_chunks/handler46.js +2 -2
package/dist/packem_chunks/handler47.js +1 -1
package/dist/packem_chunks/handler48.js +53 -46
package/dist/packem_chunks/handler49.js +6 -6
package/dist/packem_chunks/handler5.js +8 -1
package/dist/packem_chunks/handler6.js +1 -1
package/dist/packem_chunks/handler7.js +1 -1
package/dist/packem_chunks/handler8.js +1 -1
package/dist/packem_chunks/handler9.js +1 -2
package/dist/packem_chunks/heal-accept.js +4 -4
package/dist/packem_chunks/heal.js +1 -1
package/dist/packem_chunks/help-command.js +16 -16
package/dist/packem_chunks/index.js +2 -2
package/dist/packem_chunks/keys-refresh.js +1 -1
package/dist/packem_chunks/list.js +2 -2
package/dist/packem_chunks/loader.js +4 -1
package/dist/packem_chunks/loader2.js +1 -0
package/dist/packem_chunks/prune.js +1 -1
package/dist/packem_chunks/run.js +1 -1
package/dist/packem_chunks/status.js +2 -2
package/dist/packem_chunks/sync.js +2 -2
package/dist/packem_chunks/sync2.js +2 -2
package/dist/packem_chunks/tripwire.js +2 -2
package/dist/packem_chunks/verify-lockfile.js +2 -0
package/dist/packem_shared/{advisories-DsynpacV.js → advisories-U1QKY_tg.js} +1 -1
package/dist/packem_shared/{ai-analysis-uYuTIIXi.js → ai-analysis-B8pDCOuT.js} +2 -2
package/dist/packem_shared/ai-fix-DiGSrGKv.js +43 -0
package/dist/packem_shared/anolilab-text-CAM_E6uK.js +13 -0
package/dist/packem_shared/applyDefaults-KxZkvlp3.js +1 -0
package/dist/packem_shared/build-scripts-3E2pmscY.js +1 -0
package/dist/packem_shared/cyclonedx-B293T7R0.js +4 -0
package/dist/packem_shared/dependency-scan-BbtivycX.js +1 -0
package/dist/packem_shared/docker-BhBBfWfc.js +60 -0
package/dist/packem_shared/failure-log-B0Uh-65U.js +2 -0
package/dist/packem_shared/index-C1w1GXdS.js +1 -0
package/dist/packem_shared/index-CZX_II5N.js +29 -0
package/dist/packem_shared/index.server-B7ETiT4C.js +2 -0
package/dist/packem_shared/license-zZU7aavK.js +1 -0
package/dist/packem_shared/{lifecycle-Dv3nAtoD.js → lifecycle-wRE7ymVc.js} +2 -2
package/dist/packem_shared/{lockfile-C5DYMHVq.js → lockfile-CQLFNyVa.js} +1 -1
package/dist/packem_shared/manifests-Z3spBpxv.js +1 -0
package/dist/packem_shared/{min-release-age-BFozFonQ.js → min-release-age-Cz6HbF-I.js} +2 -2
package/dist/packem_shared/{native-config-sync-Dvi1g2nQ.js → native-config-sync-BOeuyrBj.js} +5 -5
package/dist/packem_shared/osv-bloom-CyCDpXBl.js +2 -0
package/dist/packem_shared/pm-runner-CVliR6Ie.js +1 -0
package/dist/packem_shared/provenance-BcldGs02.js +1 -0
package/dist/packem_shared/readFileSync-CGmzMUF2-D6rUjGDn.js +1 -0
package/dist/packem_shared/registry-keys-pemEkRM9.js +1 -0
package/dist/packem_shared/resolve-explicit-2G-2HWtR.js +5 -0
package/dist/packem_shared/runtime-check-DgXsKCsv.js +1 -0
package/dist/packem_shared/s1ngularity-Boxkax0D.js +1 -0
package/dist/packem_shared/scan-progress-EbvmIh4i.js +2 -0
package/dist/packem_shared/{selectors-B2ISH581.js → selectors-BE2BCnTR.js} +1 -1
package/dist/packem_shared/signatures-SO-fyExV.js +2 -0
package/dist/packem_shared/toolchain-Jx2lkAYy.js +5 -0
package/dist/packem_shared/typosquats-CioMnpnb.js +1 -0
package/dist/packem_shared/verify-C8EAHql6.js +1 -0
package/dist/packem_shared/{vis-update-app-CFrlJ3mW.js → vis-update-app-BWA1kA1q.js} +1 -1
package/index.d.ts +78 -0
package/index.js +57 -53
package/package.json +34 -13
package/schemas/project.schema.json +37 -7
package/schemas/vis-config.schema.json +2395 -1996
package/dist/packem_shared/ai-cache-DuwHYx2O.js +0 -1
package/dist/packem_shared/ai-fix-DzrA-dVz.js +0 -43
package/dist/packem_shared/applyDefaults-BOVDw1jD.js +0 -1
package/dist/packem_shared/build-scripts-DsWMSWDs.js +0 -1
package/dist/packem_shared/cache-directory-DQak1Vjc.js +0 -1
package/dist/packem_shared/cyclonedx-CiHXuG8M.js +0 -4
package/dist/packem_shared/dependency-scan-DC3nAFHS.js +0 -1
package/dist/packem_shared/docker-B-CIN_nj.js +0 -60
package/dist/packem_shared/failure-log-C3LEMmkq.js +0 -2
package/dist/packem_shared/flakiness-Dq6K4ymq.js +0 -1
package/dist/packem_shared/manifests-B0fMp872.js +0 -1
package/dist/packem_shared/registry-keys-CewRFW0e.js +0 -1
package/dist/packem_shared/resolve-explicit-CC4Kifk5.js +0 -5
package/dist/packem_shared/run-summary-utils-BaBGP3bo.js +0 -1
package/dist/packem_shared/runtime-check-BusAwPb2.js +0 -1
package/dist/packem_shared/scan-progress-CMynp3eA.js +0 -2
package/dist/packem_shared/signatures-5ZdjJ2Pu.js +0 -2
package/dist/packem_shared/toolchain-Cc3cwyLP.js +0 -5
package/dist/packem_shared/typosquats-BCeR-sLf.js +0 -1
package/dist/packem_shared/verify-07kUNTuP.js +0 -1
package/dist/packem_shared/xxh3-DrAUNq4n.js +0 -1

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,106 @@
+## @visulima/vis [1.0.0-alpha.23](https://github.com/visulima/visulima/compare/@visulima/vis@1.0.0-alpha.22...@visulima/vis@1.0.0-alpha.23) (2026-05-20)
+### Features
+* **vis:** add dashboard command with browser UI for cache and run metrics ([f94fcd9](https://github.com/visulima/visulima/commit/f94fcd94ef04f74e20ce308769d79cbd21d9fd60))
+* **vis:** add HTML graph report ([92865a2](https://github.com/visulima/visulima/commit/92865a2973a36f8c43adaf023ecd68e3859d0c68))
+* **vis:** add visx/vx npx-style entry point ([3802695](https://github.com/visulima/visulima/commit/3802695f3a0cf2776aaf706183ed2032324532bd))
+* **vis:** rebuild dashboard with Hono SSE + Vite + shadcn/ui ([f9df814](https://github.com/visulima/visulima/commit/f9df814683c6a1c967d8cbe15bee1b13959b5ab7))
+* **vis:** redesign audit HTML report + add --explain AI helper ([6b0ab9f](https://github.com/visulima/visulima/commit/6b0ab9ffe36c732a4ac0c05a4ad9453d51fbe89b))
+* **vis:** redesign dashboard with Nothing-inspired UI ([7cfc81d](https://github.com/visulima/visulima/commit/7cfc81d8592cdfda0086700363dbeac39650d1d7))
+### Bug Fixes
+* **ci:** address review findings — injection, perms, defaults, fetch hardening ([0192278](https://github.com/visulima/visulima/commit/0192278b63a0178262c08a3d77fa0e832d085147))
+* **vis:** address audit findings on dashboard + visx + defineConfig refactor ([1eb8ae5](https://github.com/visulima/visulima/commit/1eb8ae5820d425780b9f5c05f153b68fe74a8a36))
+* **vis:** clean up dashboard audit nits — typos, dead code, redundant calls ([46a5c0e](https://github.com/visulima/visulima/commit/46a5c0ed8116f79c0307d51a1eb7c9d8ae419dde))
+* **vis:** harden dashboard server, metrics, and live UI ([be4c6a1](https://github.com/visulima/visulima/commit/be4c6a134410ef9e2b893d57ee6e2c1b163c4b88))
+* **vis:** key doctor cache on the resolved npm lockfile ([628a21d](https://github.com/visulima/visulima/commit/628a21d62285d6299fe399409783c297c64f9e1b))
+* **vis:** name the actual lockfile in npm pruner messages ([c783683](https://github.com/visulima/visulima/commit/c78368392930c3eafdb6e0c056535217665b2f07))
+* **vis:** prune npm-shrinkwrap.json into the Docker context ([ecfb54c](https://github.com/visulima/visulima/commit/ecfb54c7c515a14509c71458468c99c000b07d21))
+* **vis:** render task failure block lazily at the consumer ([cb35aa7](https://github.com/visulima/visulima/commit/cb35aa78550408b462e9a1ec2af3eddb65a27b87))
+### Miscellaneous Chores
+* ignore sample-workspace .vis dirs and refresh license artifact ([0f88438](https://github.com/visulima/visulima/commit/0f884380bcc7b25ac0beec5994256cc5b956a167))
+* **vis:** make sample-workspace tasks cacheable ([a1db143](https://github.com/visulima/visulima/commit/a1db143b57a594470b9bf5695c60a0ced18344e3))
+### Code Refactoring
+* **vis:** extract tryLoadSourceMap helper ([5b06bb6](https://github.com/visulima/visulima/commit/5b06bb69876e4870e75985a75ff22e299c8cf583))
+* **vis:** make defineConfig a pure typed-identity ([28f6f3f](https://github.com/visulima/visulima/commit/28f6f3f909a89103b972ca50a502fb6145d87794))
+### Tests
+* **vis:** align task-store tests with lazy failure rendering ([9ddf5de](https://github.com/visulima/visulima/commit/9ddf5de95a41d89b4c9a33bbb88e777b909b6aee))
+### Continuous Integration
+* tighten workflow yaml + restore missing publint dep ([b478f9a](https://github.com/visulima/visulima/commit/b478f9a9329d9c7243e694e3f360d385cc34567c))
+### Dependencies
+* **@visulima/error:** upgraded to 6.0.0-alpha.27
+* **@visulima/tui:** upgraded to 1.0.0-alpha.18
+* **@visulima/ansi:** upgraded to 4.0.0-alpha.14
+* **@visulima/cerebro:** upgraded to 3.0.0-alpha.26
+* **@visulima/fs:** upgraded to 5.0.0-alpha.25
+* **@visulima/package:** upgraded to 5.0.0-alpha.24
+## @visulima/vis [1.0.0-alpha.22](https://github.com/visulima/visulima/compare/@visulima/vis@1.0.0-alpha.21...@visulima/vis@1.0.0-alpha.22) (2026-05-19)
+### Features
+* **task-runner:** auto-capture outputs for compound build scripts ([e084434](https://github.com/visulima/visulima/commit/e0844344cf184177999a82b708299f08fbfd31ec))
+* **task-runner:** per-target hashMode "trace" opt-in ([#643](https://github.com/visulima/visulima/issues/643)) ([32353ff](https://github.com/visulima/visulima/commit/32353ff7a760ae9486e23cc4042fab46a2f2cc11))
+* **vis:** add composite s1ngularity supply-chain marshall ([44cdeaf](https://github.com/visulima/visulima/commit/44cdeafb58eefcef061ffaab6822d4628cb06b2c))
+* **vis:** add deprecation + package-age marshalls ([5547840](https://github.com/visulima/visulima/commit/5547840b5aef9689f4080c77c44d3884309b0601))
+* **vis:** add deps.dev as supply-chain security provider alongside Socket ([7f752d2](https://github.com/visulima/visulima/commit/7f752d250fa3c96d2ec01ca58bddf911586ea949))
+* **vis:** add lockfile supply-chain verification ([a8c741d](https://github.com/visulima/visulima/commit/a8c741d80b52b275cde11be188ab22c41a11f5f4))
+* **vis:** add migrate verify-graph equivalence verification ([697e2c0](https://github.com/visulima/visulima/commit/697e2c0888c596e4bcee0a12922db76937a29175))
+* **vis:** add Snyk security provider ([aba3571](https://github.com/visulima/visulima/commit/aba35710719d1325b311bf80d81a91c91e75aa1f))
+* **vis:** add write guard, watchman backend, vcs hints ([5127d79](https://github.com/visulima/visulima/commit/5127d79ad2aa523760517601f71fdf38571ca4d3))
+* **vis:** attested keyless-signed remote cache (Sigstore) ([4732610](https://github.com/visulima/visulima/commit/47326103a668ab99fcfc4e21f2c9efeaa5892944))
+* **vis:** default inferTargets on with guarded script enrichment ([29cabd1](https://github.com/visulima/visulima/commit/29cabd1763ce915cbfa6aaa85b1c29a020d72b01))
+* **vis:** harden bootstrap installers + add lint CI ([49ec0a2](https://github.com/visulima/visulima/commit/49ec0a25e76ab5865cd2a2dce49413311fcf389c))
+* **vis:** integrate aube package manager + offline OSV bloom prefilter ([9513e09](https://github.com/visulima/visulima/commit/9513e0930c6fbcdb00e42df2ab9c650194a35eb4))
+* **vis:** scan npm-shrinkwrap.json with precedence ([ae907f1](https://github.com/visulima/visulima/commit/ae907f18e560eed7c80c7738650330909a254148))
+* **vis:** security check on by default for update, add --no-security ([e8db4c8](https://github.com/visulima/visulima/commit/e8db4c88a4c64038ca00c46b2a63083fee224637))
+* **vis:** source-mapped, code-framed task failure rendering ([95b2343](https://github.com/visulima/visulima/commit/95b2343d7299ab8537c5a4ef0205ddeee9146c58))
+### Bug Fixes
+* **vis:** harden marshall pipeline and failure-render ANSI stripping ([22dc431](https://github.com/visulima/visulima/commit/22dc431ac3e841a2a342f297673b4d5f1a0a8a43))
+* **vis:** make write guard github/gitlab asymmetry explicit ([0202fd9](https://github.com/visulima/visulima/commit/0202fd99e920173cbbb5e9711bb2df9528d25e42))
+* **vis:** parse pnpm v11 multi-document lockfiles ([94024b6](https://github.com/visulima/visulima/commit/94024b65310ab70ef4a3d4fed93f4987203f4a57))
+* **vis:** version the packument cache so stale entries can't blind marshalls ([6741f55](https://github.com/visulima/visulima/commit/6741f551ed9c1a28a2184672ed644dd06344c93b))
+* **vis:** wire s1ngularity into the vis inspect dispatch ([0e355eb](https://github.com/visulima/visulima/commit/0e355eb44acfcf50caf09f7b0954038def735278))
+### Documentation
+* **vis:** add MARSHALL_DISABLE_S1NGULARITY to shell-alias guide ([fee4979](https://github.com/visulima/visulima/commit/fee4979338cd255ee5c4ff1e52e99e545695e4d7))
+* **vis:** document lockfile supply-chain verification ([05c338f](https://github.com/visulima/visulima/commit/05c338f55f7069ed59018e64be3d24016ab3fb66))
+* **vis:** document s1ngularity marshall in add/update/inspect ([6a14d5c](https://github.com/visulima/visulima/commit/6a14d5c190a6125817abe9c3e35afde87893228a))
+### Styles
+* **vis:** prettier/eslint conformance sweep ([dd200bd](https://github.com/visulima/visulima/commit/dd200bd84c022f5fd8819ce23bab2c1c4cace1ed))
+### Miscellaneous Chores
+* **vis:** remove competitive-analysis and priority-roadmap docs ([3116348](https://github.com/visulima/visulima/commit/3116348a5f76772ace9f285d136d352a815c3f0a))
+### Dependencies
+* **@visulima/error:** upgraded to 6.0.0-alpha.26
+* **@visulima/task-runner:** upgraded to 1.0.0-alpha.15
+* **@visulima/tui:** upgraded to 1.0.0-alpha.17
+* **@visulima/cerebro:** upgraded to 3.0.0-alpha.25
+* **@visulima/fs:** upgraded to 5.0.0-alpha.24
+* **@visulima/package:** upgraded to 5.0.0-alpha.23
 ## @visulima/vis [1.0.0-alpha.21](https://github.com/visulima/visulima/compare/@visulima/vis@1.0.0-alpha.20...@visulima/vis@1.0.0-alpha.21) (2026-05-16)

package/LICENSE.md CHANGED Viewed

@@ -3552,14 +3552,11 @@ Repository: git+https://github.com/visulima/visulima.git
 > >
 > >
 > > # Licenses of bundled types
-> >
 > > The published @visulima/string artifact additionally contains code with the following licenses:
 > > MIT
 > >
 > > # Bundled types:
-> >
 > > ## fastest-levenshtein
-> >
 > > License: MIT
 > > By: Kasper U. Weihe
 > > Repository: git+https://github.com/ka-weihe/fastest-levenshtein.git
@@ -3585,6 +3582,74 @@ Repository: git+https://github.com/visulima/visulima.git
 > > > LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 > > > OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 > > > SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## get-east-asian-width
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/get-east-asian-width
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## indent-string
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/indent-string
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## redent
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/redent
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## strip-indent
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/strip-indent
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 >
 > ---------------------------------------
 >
@@ -5545,14 +5610,11 @@ Repository: git+https://github.com/visulima/visulima.git
 > >
 > >
 > > # Licenses of bundled types
-> >
 > > The published @visulima/string artifact additionally contains code with the following licenses:
 > > MIT
 > >
 > > # Bundled types:
-> >
 > > ## fastest-levenshtein
-> >
 > > License: MIT
 > > By: Kasper U. Weihe
 > > Repository: git+https://github.com/ka-weihe/fastest-levenshtein.git
@@ -5578,6 +5640,74 @@ Repository: git+https://github.com/visulima/visulima.git
 > > > LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 > > > OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 > > > SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## get-east-asian-width
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/get-east-asian-width
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## indent-string
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/indent-string
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## redent
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/redent
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## strip-indent
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/strip-indent
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 >
 > ---------------------------------------
 >
@@ -6142,14 +6272,11 @@ Repository: git+https://github.com/visulima/visulima.git
 > >
 > >
 > > # Licenses of bundled types
-> >
 > > The published @visulima/string artifact additionally contains code with the following licenses:
 > > MIT
 > >
 > > # Bundled types:
-> >
 > > ## fastest-levenshtein
-> >
 > > License: MIT
 > > By: Kasper U. Weihe
 > > Repository: git+https://github.com/ka-weihe/fastest-levenshtein.git
@@ -6175,6 +6302,74 @@ Repository: git+https://github.com/visulima/visulima.git
 > > > LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 > > > OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 > > > SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## get-east-asian-width
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/get-east-asian-width
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## indent-string
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/indent-string
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## redent
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/redent
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+> >
+> > ---------------------------------------
+> >
+> > ## strip-indent
+> > License: MIT
+> > By: Sindre Sorhus
+> > Repository: sindresorhus/strip-indent
+> >
+> > > MIT License
+> > >
+> > > Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (https://sindresorhus.com)
+> > >
+> > > Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+> > >
+> > > The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+> > >
+> > > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 ---------------------------------------

package/README.md CHANGED Viewed

@@ -74,7 +74,7 @@
 - **`vis catalog check / update`** — pnpm + bun workspace catalog management
 - **`vis secrets`** — Rust-native secret scanning (gitleaks detection engine)
-- **`vis audit`** — OSV.dev vulnerability scanning
+- **`vis audit`** — OSV.dev vulnerability scanning with pluggable supply-chain providers ([Socket.dev](https://socket.dev) and [Google deps.dev](https://deps.dev), merged when both are enabled). `--explain` adds a plain-English AI explanation per finding (auto-detects an installed AI CLI, cached, no API key) in the terminal, JSON, and HTML report
 - **`vis docker scaffold`** — lockfile pruning for pnpm / npm / yarn classic + berry / bun, matching turbo's killer Docker-cache feature
 - **`vis hook install / migrate`** — git hooks (husky migration supported)
 - **`vis staged`** — built-in `lint-staged` replacement, no peer dependency
@@ -84,7 +84,7 @@
 ### Toolchain & runtime
 - **Pluggable installer** — defaults to the lockfile-detected PM (pnpm/npm/yarn/bun); auto-uses [aube](https://github.com/endevco/aube) when on `PATH`, with a single switch (`install.backend` / `--installer` / `--no-aube`) to pin or bypass it
-- **Cold-start one-liner** — `curl -fsSL https://visulima.com/install.sh | bash` (Linux/macOS/WSL) or PowerShell equivalent installs a version manager, Node LTS, and `vis`
+- **Cold-start one-liner** — `curl -fsSL https://visulima.com/install.sh | bash` (Linux/macOS/WSL) or PowerShell equivalent installs the latest Node LTS (or a version manager on request) and `vis`
 - **`vis toolchain`** — delegates to proto / mise / fnm / volta
 - **Built on Cerebro** — robust CLI with built-in help, version, and shell completion
@@ -106,7 +106,7 @@ pnpm add @visulima/vis
 ### Cold start (no Node? no manager?)
-One-liner bootstrap that installs a version manager, Node LTS, and `vis` in one go.
+One-liner bootstrap that installs Node and `vis` in one go. When no Node is found it installs the latest Node LTS directly by default (OS package manager, falling back to the official nodejs.org build); a version manager (proto / fnm / mise / volta) is offered as an opt-in alternative. Pin a specific major with `VIS_NODE_MAJOR`.
 **Linux / macOS / WSL** (bash):
@@ -164,7 +164,7 @@ Resolution precedence (highest first):
 1. `--installer <name>` CLI flag — `auto`, `aube`, `pnpm`, `npm`, `yarn`, or `bun` (or `--no-aube` to force the lockfile-detected PM for a single run; `--no-aube` wins over every other source).
 2. `VIS_INSTALLER` environment variable — same accepted values as the flag.
 3. `install.backend` in `vis.config.ts` — same accepted values; the team-wide pin.
-4. Auto-detect — `aube` when it's on `PATH`, otherwise the lockfile-detected PM (`pnpm-lock.yaml` → pnpm, `package-lock.json` → npm, `yarn.lock` → yarn, `bun.lockb` → bun).
+4. Auto-detect — `aube` when it's on `PATH` or `aube-lock.yaml` is present, otherwise the lockfile-detected PM (`pnpm-lock.yaml` → pnpm, `package-lock.json` → npm, `yarn.lock` → yarn, `bun.lockb` → bun).
 Each step is consulted in order; the first one that resolves to a concrete backend wins. Picking an explicit value (`pnpm`, `npm`, …) at any level always beats the auto-detect step below it, so you can override the team default for a single shell session via `VIS_INSTALLER=pnpm vis install` without touching the config file.
@@ -185,6 +185,21 @@ Aube reuses pnpm/npm/yarn/bun lockfile formats but its serialized output isn't b
 Aube already skips dependency lifecycle scripts by default. `--ignore-scripts` is a no-op under aube (`vis install` warns when you pass it). To opt specific packages back in, run `aube approve-builds` — the inverse direction from the pnpm/npm `--ignore-scripts` model.
+### Audit delegation
+When aube is the active installer, `vis audit` delegates to `aube audit` so a single, consistent vulnerability scan runs regardless of entry point. Resolution mirrors the installer chain:
+1. `--backend <name>` CLI flag — `auto`, `aube`, or `vis`.
+2. `VIS_AUDIT_BACKEND` env var.
+3. `security.audit.backend` in `vis.config.ts`.
+4. Defaults to `auto` — delegates only when `install.backend` (or `VIS_INSTALLER`) resolves to aube AND `aube` is on `PATH`.
+Vis-only features (`--report`, `--fix-transitive`, `--usage`, `--policies`, `--format sarif|csaf|cyclonedx-vex`, `--ecosystem` beyond npm) print a warning and are dropped when delegating; pass `--backend vis` to force the built-in OSV/Socket scanner.
+### Doctor visibility
+When aube is the installer, `vis doctor` surfaces aube's effective hardening posture (`paranoid`, `trustPolicy`, `blockExoticSubdeps`, `jailBuilds`, `strictDepBuilds`, `minimumReleaseAge`, `allowBuilds`) alongside the existing vis `security.policies.*` findings, reading from `aube-workspace.yaml` (or falling back to `pnpm-workspace.yaml`). Aube's defaults are already hardened, so most entries render as `ok` — the section turns into a positive confirmation rather than a wall of warnings.
 ## Commands
 | Command                 | Alias  | Description                                                          |
@@ -420,6 +435,8 @@ If you would like to help take a look at the [list of issues](https://github.com
 | [Syncpack](https://github.com/JamieMason/syncpack)         | `vis migrate syncpack`    | Workspace dependency policy |
 | [Sherif](https://github.com/QuiiBz/sherif)                 | `vis migrate sherif`      | Monorepo linter             |
+After migrating a task runner, run `vis migrate verify-graph` to prove the migration preserved the task graph and cache-key surface — it diffs the original `turbo` / `nx` / `moon` config against the generated `vis.config.*` across six axes (target set, `dependsOn`, `inputs`, `outputs`, `env`, `cache`) and exits non-zero on any dropped task or narrowed cache key, so it can gate CI.
 ## Made with ❤️ at Anolilab
 This is an open source project and will always remain free to use. If you think it's cool, please star it 🌟. [Anolilab](https://www.anolilab.com/open-source) is a Development and AI Studio. Contact us at [hello@anolilab.com](mailto:hello@anolilab.com) if you need any help with these technologies or just want to say hi!