@visulima/vis 1.0.0-alpha.22 → 1.0.0-alpha.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (137) hide show
  1. package/CHANGELOG.md +50 -0
  2. package/LICENSE.md +132 -2
  3. package/README.md +1 -1
  4. package/dashboard/dist/index.html +152 -0
  5. package/dist/bin.js +1 -1
  6. package/dist/binx.js +3 -0
  7. package/dist/config/index.d.ts +20 -33
  8. package/dist/config/index.js +1 -1
  9. package/dist/packem_chunks/bin.js +373 -367
  10. package/dist/packem_chunks/bloom-status.js +2 -2
  11. package/dist/packem_chunks/bloom-sync.js +2 -2
  12. package/dist/packem_chunks/config.js +12 -12
  13. package/dist/packem_chunks/doctor-probe.js +2 -2
  14. package/dist/packem_chunks/fix.js +3 -3
  15. package/dist/packem_chunks/handler.js +1 -1
  16. package/dist/packem_chunks/handler10.js +1 -1
  17. package/dist/packem_chunks/handler11.js +1 -1
  18. package/dist/packem_chunks/handler12.js +3 -3
  19. package/dist/packem_chunks/handler13.js +1 -1
  20. package/dist/packem_chunks/handler14.js +10 -10
  21. package/dist/packem_chunks/handler15.js +2 -2
  22. package/dist/packem_chunks/handler16.js +1 -1
  23. package/dist/packem_chunks/handler17.js +1 -1
  24. package/dist/packem_chunks/handler18.js +1 -1
  25. package/dist/packem_chunks/handler19.js +1 -1
  26. package/dist/packem_chunks/handler2.js +1 -1
  27. package/dist/packem_chunks/handler20.js +1 -1
  28. package/dist/packem_chunks/handler21.js +2 -2
  29. package/dist/packem_chunks/handler22.js +2 -2
  30. package/dist/packem_chunks/handler23.js +2 -2
  31. package/dist/packem_chunks/handler24.js +1 -18
  32. package/dist/packem_chunks/handler25.js +1 -1
  33. package/dist/packem_chunks/handler26.js +5 -1
  34. package/dist/packem_chunks/handler27.js +1 -5
  35. package/dist/packem_chunks/handler28.js +3 -1
  36. package/dist/packem_chunks/handler29.js +1 -3
  37. package/dist/packem_chunks/handler3.js +1 -1
  38. package/dist/packem_chunks/handler30.js +7 -1
  39. package/dist/packem_chunks/handler31.js +32 -6
  40. package/dist/packem_chunks/handler32.js +3 -33
  41. package/dist/packem_chunks/handler33.js +1 -3
  42. package/dist/packem_chunks/handler34.js +26 -1
  43. package/dist/packem_chunks/handler35.js +5 -26
  44. package/dist/packem_chunks/handler36.js +22 -5
  45. package/dist/packem_chunks/handler37.js +60 -21
  46. package/dist/packem_chunks/handler38.js +6 -428
  47. package/dist/packem_chunks/handler39.js +708 -61
  48. package/dist/packem_chunks/handler4.js +1 -1
  49. package/dist/packem_chunks/handler40.js +24 -6
  50. package/dist/packem_chunks/handler41.js +237 -166
  51. package/dist/packem_chunks/handler42.js +153 -24
  52. package/dist/packem_chunks/handler43.js +10 -153
  53. package/dist/packem_chunks/handler44.js +25 -10
  54. package/dist/packem_chunks/handler45.js +24 -25
  55. package/dist/packem_chunks/handler46.js +3 -24
  56. package/dist/packem_chunks/handler47.js +27 -3
  57. package/dist/packem_chunks/handler48.js +168 -21
  58. package/dist/packem_chunks/handler49.js +33 -173
  59. package/dist/packem_chunks/handler5.js +6 -6
  60. package/dist/packem_chunks/handler6.js +1 -1
  61. package/dist/packem_chunks/handler7.js +1 -1
  62. package/dist/packem_chunks/handler8.js +1 -1
  63. package/dist/packem_chunks/handler9.js +1 -1
  64. package/dist/packem_chunks/heal-accept.js +4 -4
  65. package/dist/packem_chunks/heal.js +1 -1
  66. package/dist/packem_chunks/help-command.js +2 -2
  67. package/dist/packem_chunks/index.js +2 -2
  68. package/dist/packem_chunks/keys-refresh.js +1 -1
  69. package/dist/packem_chunks/list.js +2 -2
  70. package/dist/packem_chunks/loader.js +2 -2
  71. package/dist/packem_chunks/loader2.js +1 -1
  72. package/dist/packem_chunks/prune.js +1 -1
  73. package/dist/packem_chunks/run.js +1 -1
  74. package/dist/packem_chunks/status.js +2 -2
  75. package/dist/packem_chunks/sync.js +2 -2
  76. package/dist/packem_chunks/sync2.js +2 -2
  77. package/dist/packem_chunks/tripwire.js +2 -2
  78. package/dist/packem_chunks/verify-lockfile.js +2 -2
  79. package/dist/packem_shared/{advisories-DS8JEB_g.js → advisories-U1QKY_tg.js} +1 -1
  80. package/dist/packem_shared/{ai-analysis-DGBZYlxF.js → ai-analysis-B8pDCOuT.js} +2 -2
  81. package/dist/packem_shared/ai-fix-DiGSrGKv.js +43 -0
  82. package/dist/packem_shared/anolilab-text-CAM_E6uK.js +13 -0
  83. package/dist/packem_shared/applyDefaults-KxZkvlp3.js +1 -0
  84. package/dist/packem_shared/build-scripts-3E2pmscY.js +1 -0
  85. package/dist/packem_shared/{cyclonedx-CO7-Y1B1.js → cyclonedx-B293T7R0.js} +3 -3
  86. package/dist/packem_shared/dependency-scan-BbtivycX.js +1 -0
  87. package/dist/packem_shared/docker-BhBBfWfc.js +60 -0
  88. package/dist/packem_shared/failure-log-B0Uh-65U.js +2 -0
  89. package/dist/packem_shared/index-C1w1GXdS.js +1 -0
  90. package/dist/packem_shared/index-CZX_II5N.js +29 -0
  91. package/dist/packem_shared/index.server-B7ETiT4C.js +2 -0
  92. package/dist/packem_shared/{lifecycle-boYwVQSE.js → lifecycle-wRE7ymVc.js} +2 -2
  93. package/dist/packem_shared/{lockfile-C5DYMHVq.js → lockfile-CQLFNyVa.js} +1 -1
  94. package/dist/packem_shared/manifests-Z3spBpxv.js +1 -0
  95. package/dist/packem_shared/{min-release-age-D462DvYM.js → min-release-age-Cz6HbF-I.js} +2 -2
  96. package/dist/packem_shared/native-config-sync-BOeuyrBj.js +21 -0
  97. package/dist/packem_shared/{osv-bloom-QSAn2Dcw.js → osv-bloom-CyCDpXBl.js} +2 -2
  98. package/dist/packem_shared/pm-runner-CVliR6Ie.js +1 -0
  99. package/dist/packem_shared/provenance-BcldGs02.js +1 -0
  100. package/dist/packem_shared/readFileSync-CGmzMUF2-D6rUjGDn.js +1 -0
  101. package/dist/packem_shared/registry-keys-pemEkRM9.js +1 -0
  102. package/dist/packem_shared/{resolve-explicit-BgFQHUEP.js → resolve-explicit-2G-2HWtR.js} +3 -3
  103. package/dist/packem_shared/runtime-check-DgXsKCsv.js +1 -0
  104. package/dist/packem_shared/s1ngularity-Boxkax0D.js +1 -0
  105. package/dist/packem_shared/scan-progress-EbvmIh4i.js +2 -0
  106. package/dist/packem_shared/{selectors-B2ISH581.js → selectors-BE2BCnTR.js} +1 -1
  107. package/dist/packem_shared/{signatures-b-jJYoZd.js → signatures-SO-fyExV.js} +1 -1
  108. package/dist/packem_shared/toolchain-Jx2lkAYy.js +5 -0
  109. package/dist/packem_shared/typosquats-CioMnpnb.js +1 -0
  110. package/dist/packem_shared/verify-C8EAHql6.js +1 -0
  111. package/dist/packem_shared/{vis-update-app-Bnu1EIgE.js → vis-update-app-BWA1kA1q.js} +1 -1
  112. package/index.js +26 -26
  113. package/package.json +23 -12
  114. package/schemas/vis-config.schema.json +61 -12
  115. package/dist/packem_chunks/handler50.js +0 -34
  116. package/dist/packem_shared/ai-cache-BjlXWJtl.js +0 -1
  117. package/dist/packem_shared/ai-fix-BhcTrkuW.js +0 -43
  118. package/dist/packem_shared/applyDefaults-BOVDw1jD.js +0 -1
  119. package/dist/packem_shared/build-scripts-DsWMSWDs.js +0 -1
  120. package/dist/packem_shared/cache-directory-DQak1Vjc.js +0 -1
  121. package/dist/packem_shared/dependency-scan-DPHTzA5r.js +0 -1
  122. package/dist/packem_shared/docker-lk0-5Z-i.js +0 -60
  123. package/dist/packem_shared/failure-log-DF7nrFIs.js +0 -2
  124. package/dist/packem_shared/flakiness-DKCOYwN7.js +0 -1
  125. package/dist/packem_shared/index-B4gpNmrG.js +0 -1
  126. package/dist/packem_shared/manifests-B0fMp872.js +0 -1
  127. package/dist/packem_shared/native-config-sync-B0_ef78M.js +0 -21
  128. package/dist/packem_shared/provenance-smHa8efI.js +0 -1
  129. package/dist/packem_shared/registry-keys-3qaVog76.js +0 -1
  130. package/dist/packem_shared/run-summary-utils-DIJV_dUD.js +0 -1
  131. package/dist/packem_shared/runtime-check-DrMx4Q9L.js +0 -1
  132. package/dist/packem_shared/s1ngularity-CwSBPB3I.js +0 -1
  133. package/dist/packem_shared/scan-progress-CMynp3eA.js +0 -2
  134. package/dist/packem_shared/toolchain-OH1PXwbZ.js +0 -5
  135. package/dist/packem_shared/typosquats-CJ4o1l7U.js +0 -1
  136. package/dist/packem_shared/verify-CQbzknur.js +0 -1
  137. package/dist/packem_shared/xxh3-DrAUNq4n.js +0 -1
package/dist/packem_chunks/handler41.js CHANGED
@@ -1,215 +1,286 @@
1
- var kt=Object.defineProperty;var O=(e,t)=>kt(e,"name",{value:t,configurable:!0});import{createRequire as bt}from"node:module";import{aD as Nt,o as Le,aB as G,r as Ct,t as Rt,b3 as Ot,E as j,e as fe,q as st,b4 as rt,a as ge,a9 as Et,ac as It,p as d,A as jt,i as _e,b as Pt,T as Dt,f as Lt,aa as Ue,C as Wt,O as Mt,af as Tt,s as Ie,u as Ht}from"./bin.js";import{M as H,i as B,$ as me,B as Be,n as ot,C as Vt}from"./config.js";import{whichBin as Ft}from"#native";import{t as Gt,b as _t}from"../packem_shared/cyclonedx-CO7-Y1B1.js";import{s as qt}from"../packem_shared/scan-progress-CMynp3eA.js";import{r as Kt,A as qe,q as Ke}from"../packem_shared/advisories-DS8JEB_g.js";import{l as zt,f as Jt}from"../packem_shared/dependency-scan-DPHTzA5r.js";import{r as Yt}from"../packem_shared/manifests-B0fMp872.js";import{l as Zt,p as Xt,O as Qt}from"../packem_shared/osv-bloom-QSAn2Dcw.js";import{s as ue,g as es,p as ts,e as ss}from"../packem_shared/index-B4gpNmrG.js";const $t=bt(import.meta.url),X=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,he=O(e=>{if(typeof X<"u"&&X.versions&&X.versions.node){const[t,s]=X.versions.node.split(".").map(Number);if(t>22||t===22&&s>=3||t===20&&s>=16)return X.getBuiltinModule(e)}return $t(e)},"__cjs_getBuiltinModule"),{spawnSync:wt}=he("node:child_process"),{existsSync:Qe,readFileSync:et,writeFileSync:tt,renameSync:xt,unlinkSync:St}=he("node:fs"),{createInterface:At}=he("node:readline"),{relative:Ut,join:Bt}=he("node:path");var rs=Object.defineProperty,os=O((e,t)=>rs(e,"name",{value:t,configurable:!0}),"t"),ns=Object.defineProperty,as=os((e,t)=>ns(e,"name",{value:t,configurable:!0}),"s"),is=Object.defineProperty,cs=as((e,t)=>is(e,"name",{value:t,configurable:!0}),"n");const ze=cs((e,t={})=>{Array.isArray(t.extensions)||(t.extensions=["js","mjs","cjs","ts"]);const s=[];for(const r of Nt(e,t))s.push(r.path);return s},"collectSync");var ls=Object.defineProperty,_=O((e,t)=>ls(e,"name",{value:t,configurable:!0}),"o$1");const ve=_(e=>Array.isArray(e)?e.filter(t=>typeof t=="string"):[],"toStringArray"),je=_((e,t)=>{for(const s of t)if(s===e||s.endsWith("*")&&e.startsWith(s.slice(0,-1)))return!0;return!1},"matchesGlobList"),nt=_(e=>{const t=H(e,"pnpm-workspace.yaml");if(!B(t))return{excludedPackages:[],ignoredAdvisories:[]};try{const s=Le(t);return{excludedPackages:[],ignoredAdvisories:[...ve(s?.auditConfig?.ignoreCves),...ve(s?.auditConfig?.ignoreGhsas)]}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},"readPnpmAuditExclusions"),at=_(e=>{const t=H(e,".yarnrc.yml");if(!B(t))return{excludedPackages:[],ignoredAdvisories:[]};try{const s=Le(t);return{excludedPackages:ve(s?.npmAuditExcludePackages),ignoredAdvisories:ve(s?.npmAuditIgnoreAdvisories)}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},"readYarnAuditExclusions"),ds=_((e,t)=>{switch(t){case"pnpm":return nt(e);case"yarn":return at(e);default:return{excludedPackages:[],ignoredAdvisories:[]}}},"readNativeAuditExclusions"),ee=_((e,t,s)=>{if(je(e,t.ignoredAdvisories))return!0;if(s){for(const r of s)if(je(r,t.ignoredAdvisories))return!0}return!1},"isAdvisoryExcluded"),ps=_((e,t)=>je(e,t.excludedPackages),"isPackageExcluded"),us=_((e,t,s)=>{if(s.length===0)return["No advisory IDs to sync."];const r=[];switch(e){case"bun":{r.push(`bun has no audit config file. Use CLI flags: bun audit ${s.map(o=>`--ignore ${o}`).join(" ")}`);break}case"npm":{r.push("npm has no native audit exclusion config. vis accepted risks are the only layer.");break}case"pnpm":{const o=H(t,"pnpm-workspace.yaml");if(!B(o)){r.push("pnpm-workspace.yaml not found. Cannot sync.");break}const a=nt(t),n=new Set(a.ignoredAdvisories.filter(k=>k.startsWith("CVE-"))),l=new Set(a.ignoredAdvisories.filter(k=>k.startsWith("GHSA-"))),p=s.filter(k=>k.startsWith("CVE-")),u=s.filter(k=>k.startsWith("GHSA-")),g=[...new Set([...n,...p])],b=[...new Set([...l,...u])],v=p.filter(k=>!n.has(k)).length,$=u.filter(k=>!l.has(k)).length;if(v===0&&$===0){r.push("All advisory IDs already present in pnpm-workspace.yaml.");break}let y=me(o);if(g.length>0){const k=` ignoreCves:
2
- ${g.map(w=>` - ${w}`).join(`
1
+ var Et=Object.defineProperty;var R=(e,t)=>Et(e,"name",{value:t,configurable:!0});import{createRequire as Rt}from"node:module";import{E as O,e as xe,q as dt,P as gt,T as ke}from"../packem_shared/index.server-B7ETiT4C.js";import{M as z,i as Y,$ as $e,C as Mt}from"../packem_shared/readFileSync-CGmzMUF2-D6rUjGDn.js";import{am as Wt,al as Tt,a2 as zt,a3 as Vt,a4 as Ft,o as _e,E as Ht,A as _t,aN as Ut,J as Gt,N as Bt,p as d,i as Qe,b as Kt,T as qt,f as Jt,L as et,C as Yt,O as Xt,Y as Zt,s as ze}from"./bin.js";import{whichBin as Qt}from"#native";import{w as ta,r as aa,b as ra}from"../packem_shared/ai-analysis-B8pDCOuT.js";import{B as tt,n as ft}from"./config.js";import{s as G,A as ia,E as na}from"../packem_shared/pm-runner-CVliR6Ie.js";import{c as ut,s as be,g as oa,p as sa,e as ca}from"../packem_shared/index-C1w1GXdS.js";import{d as la}from"../packem_shared/anolilab-text-CAM_E6uK.js";import{t as pa,b as da}from"../packem_shared/cyclonedx-B293T7R0.js";import{s as ua}from"../packem_shared/scan-progress-EbvmIh4i.js";import{r as ma,A as at,q as rt}from"../packem_shared/advisories-U1QKY_tg.js";import{l as ha,f as va}from"../packem_shared/dependency-scan-BbtivycX.js";import{r as wa}from"../packem_shared/manifests-Z3spBpxv.js";import{l as ba,p as ya,O as xa}from"../packem_shared/osv-bloom-CyCDpXBl.js";const jt=Rt(import.meta.url),te=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,oe=R(e=>{if(typeof te<"u"&&te.versions&&te.versions.node){const[t,a]=te.versions.node.split(".").map(Number);if(t>22||t===22&&a>=3||t===20&&a>=16)return te.getBuiltinModule(e)}return jt(e)},"__cjs_getBuiltinModule"),{spawnSync:Ot}=oe("node:child_process"),{existsSync:ct,readFileSync:lt,writeFileSync:pt,renameSync:Pt,unlinkSync:Lt}=oe("node:fs"),{createInterface:Dt}=oe("node:readline"),{stripVTControlCharacters:ea}=oe("node:util"),{relative:ga,join:fa}=oe("node:path");var ka=Object.defineProperty,$a=R((e,t)=>ka(e,"name",{value:t,configurable:!0}),"t"),Sa=Object.defineProperty,Aa=$a((e,t)=>Sa(e,"name",{value:t,configurable:!0}),"s"),Na=Object.defineProperty,Ca=Aa((e,t)=>Na(e,"name",{value:t,configurable:!0}),"n");const it=Ca((e,t={})=>{Array.isArray(t.extensions)||(t.extensions=["js","mjs","cjs","ts"]);const a=[];for(const r of Wt(e,t))a.push(r.path);return a},"collectSync");var Ia=Object.defineProperty,V=R((e,t)=>Ia(e,"name",{value:t,configurable:!0}),"a$1");const ye=V(e=>`${e.packageName}@${e.packageVersion}:${e.vulnerability.id}`,"explainKey"),Ea=V(e=>e==null||e===!0||e===""||e==="true"||e.toString().toLowerCase()==="all","isSelectAll"),Ra=V((e,t)=>{if(Ea(t))return e;const a=String(t).trim();if(/^\d+$/.test(a)){const i=Number.parseInt(a,10)-1,o=e[i];return o?[o]:[]}const r=a.toLowerCase();return e.filter(i=>{const{aliases:o,id:n}=i.vulnerability;return n.toLowerCase()===r||(o??[]).some(l=>l.toLowerCase()===r)})},"selectTargets"),ja=V(e=>{const{packageName:t,packageVersion:a,vulnerability:r}=e,i=(r.aliases??[]).join(", ")||"none",o=(r.fixedVersions??[]).join(", ")||"no fixed version published";return`You are a security engineer. Explain this dependency vulnerability for a developer triaging it.
2
+
3
+ Package: ${t}@${a}
4
+ Advisory: ${r.id} (aliases: ${i})
5
+ Severity: ${r.severity}
6
+ Fixed in: ${o}
7
+ Summary: ${r.summary}
8
+
9
+ Respond ONLY with valid JSON in this exact structure, each value 1-3 plain sentences, no markdown:
10
+ {
11
+ "whatItIs": "what the vulnerability is and how it is exploited",
12
+ "areYouAtRisk": "what usage pattern makes an app actually exposed; be honest that lockfile presence alone is not exploitation",
13
+ "whatToDo": "the concrete remediation step"
14
+ }`},"buildExplainPrompt"),we=V(e=>ea(e).replaceAll(/[\u0000-\u0008\u000B-\u001F\u007F]/gu,"").trim(),"sanitize"),Oa=V(e=>`What it is: ${e.whatItIs}
15
+ Are you at risk: ${e.areYouAtRisk}
16
+ What to do: ${e.whatToDo}`,"formatExplanation"),Pa=V(e=>{const t=ta(e);if(t&&typeof t=="object"){const a=t,r=typeof a.whatItIs=="string"?we(a.whatItIs):"",i=typeof a.areYouAtRisk=="string"?we(a.areYouAtRisk):"",o=typeof a.whatToDo=="string"?we(a.whatToDo):"";if(r||i||o)return Oa({areYouAtRisk:i,whatItIs:r,whatToDo:o})}return we(e)},"parseExplanation"),La=V(async(e,t,a)=>{let r=0;const i=Array.from({length:Math.min(t,e.length)},async()=>{for(;r<e.length;){const o=r;r+=1;const n=e[o];n!==void 0&&await a(n)}});await Promise.all(i)},"mapWithConcurrency"),Da=3,Ma={resolveProvider:ra,runWithRetry:aa},Wa=V(async(e,t,a,r=Ma)=>{const i=new Map;if(e.length===0)return i;const o=r.resolveProvider(t);if(!o)return a?.info?.("No AI CLI provider found on PATH — skipping --explain."),i;const n=Tt("security",t?.cacheTtl);return await La(e,Da,async l=>{const g=ye(l),v=zt({id:l.vulnerability.id,kind:"audit-explain",name:l.packageName,provider:o.name,version:l.packageVersion}),h=Vt(v);if(typeof h=="string"){i.set(g,h);return}try{const u=await r.runWithRetry(o,ja(l)),m=Pa(u);m&&(i.set(g,m),Ft(v,m,n))}catch(u){const m=u instanceof Error?u.message:String(u);a?.warn?.(`Explain failed for ${l.vulnerability.id} (${m}).`)}}),i},"explainFindings");var Ta=Object.defineProperty,B=R((e,t)=>Ta(e,"name",{value:t,configurable:!0}),"o$1");const Se=B(e=>Array.isArray(e)?e.filter(t=>typeof t=="string"):[],"toStringArray"),Ve=B((e,t)=>{for(const a of t)if(a===e||a.endsWith("*")&&e.startsWith(a.slice(0,-1)))return!0;return!1},"matchesGlobList"),mt=B(e=>{const t=z(e,"pnpm-workspace.yaml");if(!Y(t))return{excludedPackages:[],ignoredAdvisories:[]};try{const a=_e(t);return{excludedPackages:[],ignoredAdvisories:[...Se(a?.auditConfig?.ignoreCves),...Se(a?.auditConfig?.ignoreGhsas)]}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},"readPnpmAuditExclusions"),ht=B(e=>{const t=z(e,".yarnrc.yml");if(!Y(t))return{excludedPackages:[],ignoredAdvisories:[]};try{const a=_e(t);return{excludedPackages:Se(a?.npmAuditExcludePackages),ignoredAdvisories:Se(a?.npmAuditIgnoreAdvisories)}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},"readYarnAuditExclusions"),za=B((e,t)=>{switch(t){case"pnpm":return mt(e);case"yarn":return ht(e);default:return{excludedPackages:[],ignoredAdvisories:[]}}},"readNativeAuditExclusions"),ie=B((e,t,a)=>{if(Ve(e,t.ignoredAdvisories))return!0;if(a){for(const r of a)if(Ve(r,t.ignoredAdvisories))return!0}return!1},"isAdvisoryExcluded"),Va=B((e,t)=>Ve(e,t.excludedPackages),"isPackageExcluded"),Fa=B((e,t,a)=>{if(a.length===0)return["No advisory IDs to sync."];const r=[];switch(e){case"bun":{r.push(`bun has no audit config file. Use CLI flags: bun audit ${a.map(i=>`--ignore ${i}`).join(" ")}`);break}case"npm":{r.push("npm has no native audit exclusion config. vis accepted risks are the only layer.");break}case"pnpm":{const i=z(t,"pnpm-workspace.yaml");if(!Y(i)){r.push("pnpm-workspace.yaml not found. Cannot sync.");break}const o=mt(t),n=new Set(o.ignoredAdvisories.filter(y=>y.startsWith("CVE-"))),l=new Set(o.ignoredAdvisories.filter(y=>y.startsWith("GHSA-"))),g=a.filter(y=>y.startsWith("CVE-")),v=a.filter(y=>y.startsWith("GHSA-")),h=[...new Set([...n,...g])],u=[...new Set([...l,...v])],m=g.filter(y=>!n.has(y)).length,x=v.filter(y=>!l.has(y)).length;if(m===0&&x===0){r.push("All advisory IDs already present in pnpm-workspace.yaml.");break}let b=$e(i);if(h.length>0){const y=` ignoreCves:
17
+ ${h.map($=>` - ${$}`).join(`
3
18
  `)}
4
- `;/auditConfig:/.test(y)?y=/ignoreCves:/.test(y)?y.replace(/ignoreCves:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,k):y.replace(/auditConfig:\s*\n/,`auditConfig:
5
- ${k}`):y=`${y.trimEnd()}
19
+ `;/auditConfig:/.test(b)?b=/ignoreCves:/.test(b)?b.replace(/ignoreCves:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,y):b.replace(/auditConfig:\s*\n/,`auditConfig:
20
+ ${y}`):b=`${b.trimEnd()}
6
21
 
7
22
  auditConfig:
8
- ${k}`,v>0&&r.push(`Added ${String(v)} new CVE${v===1?"":"s"} to pnpm-workspace.yaml (${String(g.length)} total)`)}if(b.length>0){const k=` ignoreGhsas:
9
- ${b.map(w=>` - ${w}`).join(`
23
+ ${y}`,m>0&&r.push(`Added ${String(m)} new CVE${m===1?"":"s"} to pnpm-workspace.yaml (${String(h.length)} total)`)}if(u.length>0){const y=` ignoreGhsas:
24
+ ${u.map($=>` - ${$}`).join(`
10
25
  `)}
11
- `;/auditConfig:/.test(y)&&(y=/ignoreGhsas:/.test(y)?y.replace(/ignoreGhsas:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,k):y.replace(/(auditConfig:[\s\S]*?)(\n\S|\n?$)/m,`$1${k}$2`)),$>0&&r.push(`Added ${String($)} new GHSA${$===1?"":"s"} to pnpm-workspace.yaml (${String(b.length)} total)`)}Be(o,y);break}case"yarn":{const o=H(t,".yarnrc.yml");if(!B(o)){r.push(".yarnrc.yml not found. Cannot sync.");break}const a=at(t),n=new Set(a.ignoredAdvisories),l=[...new Set([...n,...s])],p=s.filter(b=>!n.has(b)).length;if(p===0){r.push("All advisory IDs already present in .yarnrc.yml.");break}let u=me(o);const g=`npmAuditIgnoreAdvisories:
12
- ${l.map(b=>` - "${b}"`).join(`
26
+ `;/auditConfig:/.test(b)&&(b=/ignoreGhsas:/.test(b)?b.replace(/ignoreGhsas:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,y):b.replace(/(auditConfig:[\s\S]*?)(\n\S|\n?$)/m,`$1${y}$2`)),x>0&&r.push(`Added ${String(x)} new GHSA${x===1?"":"s"} to pnpm-workspace.yaml (${String(u.length)} total)`)}tt(i,b);break}case"yarn":{const i=z(t,".yarnrc.yml");if(!Y(i)){r.push(".yarnrc.yml not found. Cannot sync.");break}const o=ht(t),n=new Set(o.ignoredAdvisories),l=[...new Set([...n,...a])],g=a.filter(u=>!n.has(u)).length;if(g===0){r.push("All advisory IDs already present in .yarnrc.yml.");break}let v=$e(i);const h=`npmAuditIgnoreAdvisories:
27
+ ${l.map(u=>` - "${u}"`).join(`
13
28
  `)}
14
- `;u=/npmAuditIgnoreAdvisories:/.test(u)?u.replace(/npmAuditIgnoreAdvisories:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,g):`${u.trimEnd()}
29
+ `;v=/npmAuditIgnoreAdvisories:/.test(v)?v.replace(/npmAuditIgnoreAdvisories:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,h):`${v.trimEnd()}
15
30
 
16
- ${g}`,Be(o,u),r.push(`Synced ${String(p)} advisor${p===1?"y":"ies"} to .yarnrc.yml (${String(l.length)} total)`);break}default:r.push(`Unknown package manager: ${e}`)}return r},"syncAcceptedRisksToNativeConfig");var fs=Object.defineProperty,q=O((e,t)=>fs(e,"name",{value:t,configurable:!0}),"p$2");const gs=["CRITICAL","HIGH","MODERATE","LOW","UNKNOWN"],S=q(e=>e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;"),"escapeHtml"),ms=q(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),vs=q((e,t)=>{if(t.length===0)return{kind:"unknown",label:"no fix"};const s=G.coerce(e);if(!s)return{kind:"unknown",label:"non-semver"};let r,o;for(const a of t){const n=G.coerce(a);if(!n)continue;const l=G.diff(s,n);l==="major"||l==="premajor"?r||(r=a):l&&!o&&(o=a)}return o?{kind:"minor-patch",label:`safe to ${o}`}:r?{kind:"major",label:`requires major bump to ${r}`}:{kind:"unknown",label:"no usable fix"}},"breakingMarker"),Je={CRITICAL:0,HIGH:1,LOW:3,MODERATE:2,UNKNOWN:4},hs=q(e=>{const{acknowledged:t,packageName:s,packageVersion:r,remediation:o,vulnerability:a}=e,{severity:n}=a,l=vs(r,a.fixedVersions),p=a.fixedVersions.length>0?a.fixedVersions.join(", "):"—",u=o?`<code class="copyable" data-cmd="${S(o)}">${S(o)}</code>`:'<span class="muted">advisory only</span>';return`<tr data-severity="${n}" data-package="${S(s)}" data-advisory="${S(a.id)}">
17
- <td><span class="badge badge-${n.toLowerCase()}">${n}</span></td>
18
- <td><span class="marker marker-${l.kind}" title="${S(l.label)}"></span></td>
19
- <td><code>${S(s)}</code></td>
20
- <td><code>${S(r)}</code></td>
21
- <td><a href="${S(ms(a.id))}" rel="noreferrer noopener" target="_blank">${S(a.id)}</a>${t?' <span class="ack">[acknowledged]</span>':""}</td>
22
- <td>${S(a.summary)}</td>
23
- <td><code>${S(p)}</code></td>
24
- <td>${u}</td>
25
- </tr>`},"renderRow"),ys=q(e=>{const t=e.now??new Date,s=[...e.findings].sort((u,g)=>{const b=Je[u.vulnerability.severity??"UNKNOWN"]??4,v=Je[g.vulnerability.severity??"UNKNOWN"]??4;return b!==v?b-v:u.packageName.localeCompare(g.packageName)||u.packageVersion.localeCompare(g.packageVersion)}),r={CRITICAL:0,HIGH:0,LOW:0,MODERATE:0,UNKNOWN:0};for(const u of s)r[u.vulnerability.severity??"UNKNOWN"]+=1;const o=s.map(u=>hs(u)).join(`
26
- `),a=gs.filter(u=>r[u]>0).map(u=>`<span class="badge badge-${u.toLowerCase()}">${r[u]} ${u}</span>`).join(" "),n=s.length===0,l=(e.policyDecisions??[]).filter(u=>u.policy!=="vulnerability"),p=[...l].sort((u,g)=>{const b=q(v=>v==="block"?0:v==="warn"?1:2,"rank");return b(u.severity)-b(g.severity)||u.policy.localeCompare(g.policy)||u.packageName.localeCompare(g.packageName)}).map(u=>{const g=u.acceptedRisk?' <span class="ack">[acknowledged]</span>':"";return`<tr>
27
- <td><span class="policy-badge policy-${u.severity}">${u.severity.toUpperCase()}</span></td>
28
- <td><code>${S(u.policy)}</code></td>
29
- <td><code>${S(u.packageName)}</code></td>
30
- <td><code>${S(u.version)}</code></td>
31
- <td>${S(u.reason)}${g}</td>
31
+ ${h}`,tt(i,v),r.push(`Synced ${String(g)} advisor${g===1?"y":"ies"} to .yarnrc.yml (${String(l.length)} total)`);break}default:r.push(`Unknown package manager: ${e}`)}return r},"syncAcceptedRisksToNativeConfig");var Ha=`/*! tailwindcss v4.3.0 | MIT License | https://tailwindcss.com */
32
+ @layer properties{@supports (((-webkit-hyphens:none)) and (not (margin-trim:inline))) or ((-moz-orient:inline) and (not (color:rgb(from red r g b)))){*,:before,:after,::backdrop{--tw-rotate-x:initial;--tw-rotate-y:initial;--tw-rotate-z:initial;--tw-skew-x:initial;--tw-skew-y:initial;--tw-space-y-reverse:0;--tw-border-style:solid;--tw-leading:initial;--tw-font-weight:initial;--tw-tracking:initial;--tw-shadow:0 0 #0000;--tw-shadow-color:initial;--tw-shadow-alpha:100%;--tw-inset-shadow:0 0 #0000;--tw-inset-shadow-color:initial;--tw-inset-shadow-alpha:100%;--tw-ring-color:initial;--tw-ring-shadow:0 0 #0000;--tw-inset-ring-color:initial;--tw-inset-ring-shadow:0 0 #0000;--tw-ring-inset:initial;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-offset-shadow:0 0 #0000;--tw-outline-style:solid;--tw-blur:initial;--tw-brightness:initial;--tw-contrast:initial;--tw-grayscale:initial;--tw-hue-rotate:initial;--tw-invert:initial;--tw-opacity:initial;--tw-saturate:initial;--tw-sepia:initial;--tw-drop-shadow:initial;--tw-drop-shadow-color:initial;--tw-drop-shadow-alpha:100%;--tw-drop-shadow-size:initial;--tw-backdrop-blur:initial;--tw-backdrop-brightness:initial;--tw-backdrop-contrast:initial;--tw-backdrop-grayscale:initial;--tw-backdrop-hue-rotate:initial;--tw-backdrop-invert:initial;--tw-backdrop-opacity:initial;--tw-backdrop-saturate:initial;--tw-backdrop-sepia:initial;--tw-duration:initial;--tw-content:""}}}@layer theme{:root,:host{--font-sans:ui-sans-serif, system-ui, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";--font-mono:ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;--color-white:#fff;--spacing:.25rem;--text-sm:.875rem;--text-sm--line-height:calc(1.25 / .875);--font-weight-light:300;--font-weight-medium:500;--font-weight-semibold:600;--font-weight-bold:700;--tracking-tight:-.025em;--tracking-normal:0em;--leading-tight:1.25;--leading-snug:1.375;--radius-sm:.25rem;--ease-out:cubic-bezier(0, 0, .2, 1);--blur-sm:8px;--default-transition-duration:.15s;--default-transition-timing-function:cubic-bezier(.4, 0, .2, 1);--default-font-family:var(--font-sans);--default-mono-font-family:var(--font-mono)}}@layer base{*,:after,:before,::backdrop{box-sizing:border-box;border:0 solid;margin:0;padding:0}::file-selector-button{box-sizing:border-box;border:0 solid;margin:0;padding:0}html,:host{-webkit-text-size-adjust:100%;tab-size:4;line-height:1.5;font-family:var(--default-font-family,ui-sans-serif, system-ui, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji");font-feature-settings:var(--default-font-feature-settings,normal);font-variation-settings:var(--default-font-variation-settings,normal);-webkit-tap-highlight-color:transparent}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;-webkit-text-decoration:inherit;-webkit-text-decoration:inherit;-webkit-text-decoration:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,samp,pre{font-family:var(--default-mono-font-family,ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace);font-feature-settings:var(--default-mono-font-feature-settings,normal);font-variation-settings:var(--default-mono-font-variation-settings,normal);font-size:1em}small{font-size:80%}sub,sup{vertical-align:baseline;font-size:75%;line-height:0;position:relative}sub{bottom:-.25em}sup{top:-.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}:-moz-focusring{outline:auto}progress{vertical-align:baseline}summary{display:list-item}ol,ul,menu{list-style:none}img,svg,video,canvas,audio,iframe,embed,object{vertical-align:middle;display:block}img,video{max-width:100%;height:auto}button,input,select,optgroup,textarea{font:inherit;font-feature-settings:inherit;font-variation-settings:inherit;letter-spacing:inherit;color:inherit;opacity:1;background-color:#0000;border-radius:0}::file-selector-button{font:inherit;font-feature-settings:inherit;font-variation-settings:inherit;letter-spacing:inherit;color:inherit;opacity:1;background-color:#0000;border-radius:0}:where(select:is([multiple],[size])) optgroup{font-weight:bolder}:where(select:is([multiple],[size])) optgroup option{padding-inline-start:20px}::file-selector-button{margin-inline-end:4px}::placeholder{opacity:1}@supports (not ((-webkit-appearance:-apple-pay-button))) or (contain-intrinsic-size:1px){::placeholder{color:currentColor}@supports (color:color-mix(in lab, red, red)){::placeholder{color:color-mix(in oklab, currentcolor 50%, transparent)}}}textarea{resize:vertical}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-date-and-time-value{min-height:1lh;text-align:inherit}::-webkit-datetime-edit{padding-block:0}::-webkit-datetime-edit-year-field{padding-block:0}::-webkit-datetime-edit-month-field{padding-block:0}::-webkit-datetime-edit-day-field{padding-block:0}::-webkit-datetime-edit-hour-field{padding-block:0}::-webkit-datetime-edit-minute-field{padding-block:0}::-webkit-datetime-edit-second-field{padding-block:0}::-webkit-datetime-edit-millisecond-field{padding-block:0}::-webkit-datetime-edit-meridiem-field{padding-block:0}::-webkit-calendar-picker-indicator{line-height:1}:-moz-ui-invalid{box-shadow:none}button,input:where([type=button],[type=reset],[type=submit]){appearance:button}::file-selector-button{appearance:button}::-webkit-inner-spin-button{height:auto}::-webkit-outer-spin-button{height:auto}[hidden]:where(:not([hidden=until-found])){display:none!important}:root{--bg:#f5f5f5;--panel:#fff;--panel2:#f0f0f0;--fg:#000;--muted:#555;--faint:#707070;--border:#e0e0e0;--border2:#bdbdbd;--row-hover:#f0f0f0;--accent:#d71921;--accent-soft:#d719210d;--link:#0050c0;--critical:#d71921;--high:#8a5a00;--medium:#555;--low:#707070;--unknown:#707070;--major:#d71921;--minor:#1f7a3d;--mono:ui-monospace, "SF Mono", "JetBrains Mono", "Cascadia Mono", "Roboto Mono", Menlo, Consolas, monospace;--sans:system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", sans-serif}@media (prefers-color-scheme:dark){:root{--bg:#141414;--panel:#1c1c1c;--panel2:#242424;--fg:#fff;--muted:#b8b8b8;--faint:#8a8a8a;--border:#2e2e2e;--border2:#3e3e3e;--row-hover:#1f1f1f;--accent:#ff4d54;--accent-soft:#ff4d5414;--link:#7eb0f9;--critical:#ff4d54;--high:#e0b860;--medium:#b8b8b8;--low:#8a8a8a;--unknown:#8a8a8a;--major:#ff4d54;--minor:#6dbf80}}html[data-theme=light]{--bg:#f5f5f5;--panel:#fff;--panel2:#f0f0f0;--fg:#000;--muted:#555;--faint:#707070;--border:#e0e0e0;--border2:#bdbdbd;--row-hover:#f0f0f0;--accent:#d71921;--accent-soft:#d719210d;--link:#0050c0;--critical:#d71921;--high:#8a5a00;--medium:#555;--low:#707070;--unknown:#707070;--major:#d71921;--minor:#1f7a3d}html[data-theme=dark]{--bg:#141414;--panel:#1c1c1c;--panel2:#242424;--fg:#fff;--muted:#b8b8b8;--faint:#8a8a8a;--border:#2e2e2e;--border2:#3e3e3e;--row-hover:#1f1f1f;--accent:#ff4d54;--accent-soft:#ff4d5414;--link:#7eb0f9;--critical:#ff4d54;--high:#e0b860;--medium:#b8b8b8;--low:#8a8a8a;--unknown:#8a8a8a;--major:#ff4d54;--minor:#6dbf80}*{box-sizing:border-box}html{-webkit-text-size-adjust:100%}body{font-family:var(--sans);background-color:var(--bg);background-image:radial-gradient(circle, var(--border) .5px, transparent .5px);color:var(--fg);-webkit-font-smoothing:antialiased;font-feature-settings:"ss01";background-size:14px 14px;margin:0;padding:24px;line-height:1.5}a{color:var(--link);text-decoration:none}code{font-family:var(--mono);font-size:12px}h2{font-family:var(--mono);letter-spacing:.16em;text-transform:uppercase;color:var(--muted);margin:48px 0 14px;font-size:11px;font-weight:500}input:where([type=text]),input:where(:not([type])),input:where([type=email]),input:where([type=url]),input:where([type=password]),input:where([type=number]),input:where([type=date]),input:where([type=datetime-local]),input:where([type=month]),input:where([type=search]),input:where([type=tel]),input:where([type=time]),input:where([type=week]),select:where([multiple]),textarea,select{appearance:none;--tw-shadow:0 0 #0000;background-color:#fff;border-width:1px;border-color:oklch(55.1% .027 264.364);border-radius:0;padding:.5rem .75rem;font-size:1rem;line-height:1.5rem}:is(input:where([type=text]),input:where(:not([type])),input:where([type=email]),input:where([type=url]),input:where([type=password]),input:where([type=number]),input:where([type=date]),input:where([type=datetime-local]),input:where([type=month]),input:where([type=search]),input:where([type=tel]),input:where([type=time]),input:where([type=week]),select:where([multiple]),textarea,select):focus{outline-offset:2px;--tw-ring-inset:var(--tw-empty, );--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:oklch(54.6% .245 262.881);--tw-ring-offset-shadow:var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);--tw-ring-shadow:var(--tw-ring-inset) 0 0 0 calc(1px + var(--tw-ring-offset-width)) var(--tw-ring-color);box-shadow:var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow);border-color:oklch(54.6% .245 262.881);outline:2px solid #0000}input::placeholder,textarea::placeholder{color:oklch(55.1% .027 264.364);opacity:1}::-webkit-datetime-edit-fields-wrapper{padding:0}::-webkit-date-and-time-value{min-height:1.5em}::-webkit-date-and-time-value{text-align:inherit}::-webkit-datetime-edit{display:inline-flex}::-webkit-datetime-edit{padding-top:0;padding-bottom:0}::-webkit-datetime-edit-year-field{padding-top:0;padding-bottom:0}::-webkit-datetime-edit-month-field{padding-top:0;padding-bottom:0}::-webkit-datetime-edit-day-field{padding-top:0;padding-bottom:0}::-webkit-datetime-edit-hour-field{padding-top:0;padding-bottom:0}::-webkit-datetime-edit-minute-field{padding-top:0;padding-bottom:0}::-webkit-datetime-edit-second-field{padding-top:0;padding-bottom:0}::-webkit-datetime-edit-millisecond-field{padding-top:0;padding-bottom:0}::-webkit-datetime-edit-meridiem-field{padding-top:0;padding-bottom:0}select{-webkit-print-color-adjust:exact;print-color-adjust:exact;background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' fill='none' viewBox='0 0 20 20'%3e%3cpath stroke='oklch(55.1%25 0.027 264.364)' stroke-linecap='round' stroke-linejoin='round' stroke-width='1.5' d='M6 8l4 4 4-4'/%3e%3c/svg%3e");background-position:right .5rem center;background-repeat:no-repeat;background-size:1.5em 1.5em;padding-right:2.5rem}select:where([multiple]),select:where([size]:not([size="1"])){background-image:initial;background-position:initial;background-repeat:unset;background-size:initial;print-color-adjust:unset;padding-right:.75rem}input:where([type=checkbox]),input:where([type=radio]){appearance:none;-webkit-print-color-adjust:exact;print-color-adjust:exact;vertical-align:middle;-webkit-user-select:none;user-select:none;color:oklch(54.6% .245 262.881);--tw-shadow:0 0 #0000;background-color:#fff;background-origin:border-box;border-width:1px;border-color:oklch(55.1% .027 264.364);flex-shrink:0;width:1rem;height:1rem;padding:0;display:inline-block}input:where([type=checkbox]){border-radius:0}input:where([type=radio]){border-radius:100%}input:where([type=checkbox]):focus,input:where([type=radio]):focus{outline-offset:2px;--tw-ring-inset:var(--tw-empty, );--tw-ring-offset-width:2px;--tw-ring-offset-color:#fff;--tw-ring-color:oklch(54.6% .245 262.881);--tw-ring-offset-shadow:var(--tw-ring-inset) 0 0 0 var(--tw-ring-offset-width) var(--tw-ring-offset-color);--tw-ring-shadow:var(--tw-ring-inset) 0 0 0 calc(2px + var(--tw-ring-offset-width)) var(--tw-ring-color);box-shadow:var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow);outline:2px solid #0000}input:where([type=checkbox]):checked,input:where([type=radio]):checked{background-color:currentColor;background-position:50%;background-repeat:no-repeat;background-size:100% 100%;border-color:#0000}input:where([type=checkbox]):checked{background-image:url("data:image/svg+xml,%3csvg viewBox='0 0 16 16' fill='white' xmlns='http://www.w3.org/2000/svg'%3e%3cpath d='M12.207 4.793a1 1 0 010 1.414l-5 5a1 1 0 01-1.414 0l-2-2a1 1 0 011.414-1.414L6.5 9.086l4.293-4.293a1 1 0 011.414 0z'/%3e%3c/svg%3e")}@media (forced-colors:active){input:where([type=checkbox]):checked{appearance:auto}}input:where([type=radio]):checked{background-image:url("data:image/svg+xml,%3csvg viewBox='0 0 16 16' fill='white' xmlns='http://www.w3.org/2000/svg'%3e%3ccircle cx='8' cy='8' r='3'/%3e%3c/svg%3e")}@media (forced-colors:active){input:where([type=radio]):checked{appearance:auto}}input:where([type=checkbox]):checked:hover,input:where([type=checkbox]):checked:focus,input:where([type=radio]):checked:hover,input:where([type=radio]):checked:focus{background-color:currentColor;border-color:#0000}input:where([type=checkbox]):indeterminate{background-color:currentColor;background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' fill='none' viewBox='0 0 16 16'%3e%3cpath stroke='white' stroke-linecap='round' stroke-linejoin='round' stroke-width='2' d='M4 8h8'/%3e%3c/svg%3e");background-position:50%;background-repeat:no-repeat;background-size:100% 100%;border-color:#0000}@media (forced-colors:active){input:where([type=checkbox]):indeterminate{appearance:auto}}input:where([type=checkbox]):indeterminate:hover,input:where([type=checkbox]):indeterminate:focus{background-color:currentColor;border-color:#0000}input:where([type=file]){background:unset;border-color:inherit;font-size:unset;line-height:inherit;border-width:0;border-radius:0;padding:0}input:where([type=file]):focus{outline:1px solid buttontext;outline:1px auto -webkit-focus-ring-color}}@layer components{.masthead{border-bottom:1px solid var(--border)}.brand{font-family:var(--sans);color:var(--fg);font-size:clamp(30px,5vw,52px);font-weight:600}.brand .slash{color:var(--accent)}.brand .sub{font-family:var(--mono);letter-spacing:.22em;color:var(--faint)}.chip{font-family:var(--mono);letter-spacing:.08em;color:var(--muted);border:1px solid var(--border2)}.tbtn{font-family:var(--mono);letter-spacing:.08em;color:var(--muted);border:1px solid var(--border2);transition:border-color .2s,color .2s}.tbtn:hover{color:var(--fg);border-color:var(--fg)}.tbtn-theme{min-width:28px}.tbtn-theme .ticon{line-height:0}.tbtn-theme .ticon-sun{display:none}@media (prefers-color-scheme:dark){.tbtn-theme .ticon-moon{display:none}.tbtn-theme .ticon-sun{display:inline-flex}}html[data-theme=light] .tbtn-theme .ticon-moon{display:inline-flex}html[data-theme=light] .tbtn-theme .ticon-sun,html[data-theme=dark] .tbtn-theme .ticon-moon{display:none}html[data-theme=dark] .tbtn-theme .ticon-sun{display:inline-flex}.verdict{padding:56px 0 36px}.verdict .vnum{font-family:var(--mono);letter-spacing:-.04em;color:var(--fg);font-variant-numeric:tabular-nums;font-size:clamp(64px,14vw,148px);line-height:.85}.verdict .vsub{font-family:var(--mono);letter-spacing:.16em;color:var(--faint)}.verdict-crit .vnum{color:var(--accent)}.verdict-high .vnum{color:var(--high)}.debugbar{border-bottom:1px solid var(--border)}.dseg+.dseg{border-left:1px solid var(--border);padding-left:1.75rem}.dseg .dk{font-family:var(--mono);letter-spacing:.13em;color:var(--faint)}.dseg .dv{font-family:var(--mono);color:var(--fg);font-variant-numeric:tabular-nums;letter-spacing:-.01em;font-weight:400}.dseg .dvsep{color:var(--faint)}.dseg .dot{background:var(--unknown)}.dseg-critical .dv{color:var(--critical)}.dseg-high .dv{color:var(--high)}.dseg-moderate .dv{color:var(--medium)}.dseg-low .dv{color:var(--low)}.dseg-ok .dot{background:var(--minor)}.dseg-ok .dv{color:var(--minor)}.field{border-bottom:1px solid var(--border2);background:0 0;transition:border-color .2s}.field:focus-within{border-bottom-color:var(--fg)}.field .prompt{font-family:var(--mono);letter-spacing:.12em;color:var(--faint)}.field input,.field select{font-family:var(--mono);color:var(--fg)}.field.sel{margin-left:32px}.field select{text-transform:uppercase;letter-spacing:.06em;font-size:11px}.field select option{background:var(--panel);color:var(--fg);text-transform:none;letter-spacing:0}.field input::placeholder{color:var(--faint);text-transform:uppercase;letter-spacing:.06em;font-size:11px}#findings{border-collapse:collapse}#findings thead th{font-family:var(--mono);letter-spacing:.11em;color:var(--faint);background:var(--bg);border-bottom:1px solid var(--border2)}#findings td,#findings tbody tr:last-child td{border-bottom:1px solid var(--border)}.finding-row:hover td{background:var(--row-hover)}.sev-cell{box-shadow:inset 2px 0 0 var(--border2)}tr[data-severity=CRITICAL] .sev-cell{box-shadow:inset 2px 0 0 var(--critical)}tr[data-severity=HIGH] .sev-cell{box-shadow:inset 2px 0 0 var(--high)}tr[data-severity=MODERATE] .sev-cell{box-shadow:inset 2px 0 0 var(--medium)}tr[data-severity=LOW] .sev-cell{box-shadow:inset 2px 0 0 var(--low)}tr[data-severity=UNKNOWN] .sev-cell{box-shadow:inset 2px 0 0 var(--unknown)}.ack-row td{opacity:.4}.ack-row .summary-cell,.ack-row a{color:var(--muted)}code.pkg{color:var(--fg)}code.ver,code.fix{color:var(--muted)}code.fix{color:var(--minor)}code.copyable{cursor:copy;padding-inline:calc(var(--spacing) * 2);padding-block:calc(var(--spacing) * 1);white-space:nowrap;color:var(--fg);border:1px solid var(--border2);background:0 0;border-radius:3px;font-size:12px;transition:border-color .2s,color .2s;display:inline-block}code.copyable:hover{border-color:var(--fg)}code.copyable.copied{color:var(--minor);border-color:var(--minor)}.adv-cell a{font-family:var(--mono);color:var(--link);border-bottom:1px solid #0000;transition:border-color .2s}.adv-cell a:hover{border-bottom-color:var(--link)}.summary-cell{font-family:var(--sans);color:var(--muted);line-height:1.5}.muted{font-family:var(--mono);letter-spacing:.06em;color:var(--faint)}.ack{font-family:var(--mono);letter-spacing:.12em;color:var(--faint);border:1px solid var(--border2)}.badge{font-family:var(--mono);letter-spacing:.1em;border:1px solid}.badge:before{content:"";background:currentColor;width:5px;height:5px}.badge-critical{color:var(--critical)}.badge-high{color:var(--high)}.badge-moderate{color:var(--medium)}.badge-low{color:var(--low)}.badge-unknown{color:var(--unknown)}.marker{font-family:var(--mono);letter-spacing:.09em}.marker-major{color:var(--major)}.marker-minor-patch{color:var(--minor)}.marker-unknown{color:var(--unknown)}.empty{font-family:var(--mono);letter-spacing:.1em;color:var(--faint);border-top:1px solid var(--border);border-bottom:1px solid var(--border)}.clean{padding-top:96px;padding-bottom:96px}.clean .big{font-family:var(--mono);letter-spacing:-.03em;color:var(--fg);font-size:clamp(56px,12vw,128px);line-height:1}.clean .sub{font-family:var(--mono);letter-spacing:.16em;color:var(--faint)}#policies{border-collapse:collapse}#policies th{font-family:var(--mono);letter-spacing:.12em;color:var(--faint);background:var(--bg);border-bottom:1px solid var(--border2)}#policies td,#policies tr:last-child td{border-bottom:1px solid var(--border)}#policies code{letter-spacing:.04em;color:var(--muted)}.policy-badge{font-family:var(--mono);letter-spacing:.1em;border:1px solid}.policy-badge:before{content:"";background:currentColor;width:5px;height:5px}.policy-block{color:var(--accent)}.policy-warn{color:var(--high)}.policy-info{color:var(--muted)}.hint{font-family:var(--mono);letter-spacing:.1em;color:var(--faint)}.kbd{font-family:var(--mono);letter-spacing:.06em;color:var(--muted);background:var(--panel2);border:1px solid var(--border2)}.explain-row td{border-top:1px dotted var(--accent);border-bottom:1px solid var(--border);box-shadow:inset 2px 0 0 var(--accent);background:0 0}.finding-row:has(+.explain-row) td{border-bottom:none}.explain-row details{background:0 0}.explain-row summary::-webkit-details-marker{display:none}.intel-tag{font-family:var(--mono);letter-spacing:.16em;color:var(--accent)}.intel-hint{font-family:var(--mono);letter-spacing:.1em;color:var(--muted)}.explain-row details[open] summary .intel-hint:after{content:" [-]"}.explain-row details:not([open]) summary .intel-hint:after{content:" [+]"}.explain-body{animation:.2s both rise}.intel-key{font-family:var(--mono);letter-spacing:.12em;color:var(--accent)}.intel-val{font-family:var(--sans);color:var(--fg);line-height:1.55}.intel-prose{color:var(--muted);grid-template-columns:1fr}.intel-prose .intel-val{color:var(--muted)}.sig{font-family:var(--mono);letter-spacing:.1em;color:var(--faint);border-top:1px solid var(--border)}.sig b{color:var(--muted);font-weight:500}.sig-by{color:var(--muted)}.anolilab-logo{width:auto;height:13px;fill:var(--fg)}.anolilab-accent{fill:#dfff1b}@keyframes rise{0%{opacity:0;transform:translateY(4px)}to{opacity:1;transform:none}}@media (prefers-reduced-motion:reduce){.explain-body{animation:none}}}@layer utilities{.pointer-events-auto{pointer-events:auto}.pointer-events-none{pointer-events:none}.collapse{visibility:collapse}.invisible{visibility:hidden}.visible{visibility:visible}.absolute{position:absolute}.fixed{position:fixed}.relative{position:relative}.static{position:static}.sticky{position:sticky}.inset-0{inset:calc(var(--spacing) * 0)}.inset-x-0{inset-inline:calc(var(--spacing) * 0)}.top-0{top:calc(var(--spacing) * 0)}.top-3{top:calc(var(--spacing) * 3)}.top-4{top:calc(var(--spacing) * 4)}.top-full{top:100%}.right-0{right:calc(var(--spacing) * 0)}.right-4{right:calc(var(--spacing) * 4)}.bottom-4{bottom:calc(var(--spacing) * 4)}.bottom-5{bottom:calc(var(--spacing) * 5)}.left-0{left:calc(var(--spacing) * 0)}.left-4{left:calc(var(--spacing) * 4)}.isolate{isolation:isolate}.z-20{z-index:20}.z-30{z-index:30}.z-\\[2\\]{z-index:2}.container{width:100%}@media (min-width:40rem){.container{max-width:40rem}}@media (min-width:48rem){.container{max-width:48rem}}@media (min-width:64rem){.container{max-width:64rem}}@media (min-width:80rem){.container{max-width:80rem}}@media (min-width:96rem){.container{max-width:96rem}}.mx-1{margin-inline:calc(var(--spacing) * 1)}.mx-12{margin-inline:calc(var(--spacing) * 12)}.mx-\\[0\\.12em\\]{margin-inline:.12em}.mx-auto{margin-inline:auto}.mt-1{margin-top:calc(var(--spacing) * 1)}.mt-2{margin-top:calc(var(--spacing) * 2)}.mt-3{margin-top:calc(var(--spacing) * 3)}.mt-4{margin-top:calc(var(--spacing) * 4)}.mt-6{margin-top:calc(var(--spacing) * 6)}.mt-12{margin-top:calc(var(--spacing) * 12)}.mb-1{margin-bottom:calc(var(--spacing) * 1)}.mb-2{margin-bottom:calc(var(--spacing) * 2)}.mb-3{margin-bottom:calc(var(--spacing) * 3)}.mb-4{margin-bottom:calc(var(--spacing) * 4)}.mb-6{margin-bottom:calc(var(--spacing) * 6)}.mb-10{margin-bottom:calc(var(--spacing) * 10)}.ml-2{margin-left:calc(var(--spacing) * 2)}.ml-8{margin-left:calc(var(--spacing) * 8)}.ml-auto{margin-left:auto}.block{display:block}.contents{display:contents}.flex{display:flex}.grid{display:grid}.hidden{display:none}.inline{display:inline}.inline-block{display:inline-block}.inline-flex{display:inline-flex}.table{display:table}.size-\\[7px\\]{width:7px;height:7px}.h-2{height:calc(var(--spacing) * 2)}.h-5{height:calc(var(--spacing) * 5)}.h-7{height:calc(var(--spacing) * 7)}.h-9{height:calc(var(--spacing) * 9)}.h-10{height:calc(var(--spacing) * 10)}.h-11{height:calc(var(--spacing) * 11)}.h-\\[6px\\]{height:6px}.h-\\[7px\\]{height:7px}.h-\\[8px\\]{height:8px}.h-\\[10px\\]{height:10px}.h-\\[18px\\]{height:18px}.h-full{height:100%}.h-px{height:1px}.max-h-72{max-height:calc(var(--spacing) * 72)}.min-h-\\[400px\\]{min-height:400px}.min-h-\\[480px\\]{min-height:480px}.min-h-screen{min-height:100vh}.w-2{width:calc(var(--spacing) * 2)}.w-3{width:calc(var(--spacing) * 3)}.w-4{width:calc(var(--spacing) * 4)}.w-7{width:calc(var(--spacing) * 7)}.w-9{width:calc(var(--spacing) * 9)}.w-\\[7px\\]{width:7px}.w-\\[8px\\]{width:8px}.w-full{width:100%}.w-px{width:1px}.max-w-\\[380px\\]{max-width:380px}.max-w-\\[1080px\\]{max-width:1080px}.min-w-0{min-width:calc(var(--spacing) * 0)}.min-w-5{min-width:calc(var(--spacing) * 5)}.min-w-\\[200px\\]{min-width:200px}.min-w-\\[220px\\]{min-width:220px}.min-w-\\[260px\\]{min-width:260px}.flex-1{flex:1}.flex-\\[1_1_280px\\]{flex:280px}.flex-auto{flex:auto}.flex-none{flex:none}.shrink{flex-shrink:1}.shrink-0{flex-shrink:0}.grow{flex-grow:1}.caption-bottom{caption-side:bottom}.border-collapse{border-collapse:collapse}.transform{transform:var(--tw-rotate-x,) var(--tw-rotate-y,) var(--tw-rotate-z,) var(--tw-skew-x,) var(--tw-skew-y,)}.cursor-move{cursor:move}.cursor-pointer{cursor:pointer}.resize{resize:both}.grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.grid-cols-\\[72px_1fr\\]{grid-template-columns:72px 1fr}.flex-col{flex-direction:column}.flex-wrap{flex-wrap:wrap}.items-baseline{align-items:baseline}.items-center{align-items:center}.items-end{align-items:flex-end}.items-start{align-items:flex-start}.items-stretch{align-items:stretch}.justify-between{justify-content:space-between}.justify-center{justify-content:center}.gap-0{gap:calc(var(--spacing) * 0)}.gap-1{gap:calc(var(--spacing) * 1)}.gap-1\\.5{gap:calc(var(--spacing) * 1.5)}.gap-2{gap:calc(var(--spacing) * 2)}.gap-3{gap:calc(var(--spacing) * 3)}.gap-4{gap:calc(var(--spacing) * 4)}.gap-6{gap:calc(var(--spacing) * 6)}.gap-8{gap:calc(var(--spacing) * 8)}.gap-12{gap:calc(var(--spacing) * 12)}.gap-16{gap:calc(var(--spacing) * 16)}.gap-\\[0\\.65rem\\]{gap:.65rem}.gap-\\[2px\\]{gap:2px}.gap-\\[7px\\]{gap:7px}.gap-px{gap:1px}:where(.space-y-0\\.5>:not(:last-child)){--tw-space-y-reverse:0;margin-block-start:calc(calc(var(--spacing) * .5) * var(--tw-space-y-reverse));margin-block-end:calc(calc(var(--spacing) * .5) * calc(1 - var(--tw-space-y-reverse)))}.gap-x-3{column-gap:calc(var(--spacing) * 3)}.gap-x-6{column-gap:calc(var(--spacing) * 6)}.gap-y-1{row-gap:calc(var(--spacing) * 1)}.gap-y-2{row-gap:calc(var(--spacing) * 2)}.gap-y-3{row-gap:calc(var(--spacing) * 3)}.self-center{align-self:center}.truncate{text-overflow:ellipsis;white-space:nowrap;overflow:hidden}.overflow-auto{overflow:auto}.overflow-y-auto{overflow-y:auto}.rounded{border-radius:.25rem}.rounded-\\[3px\\]{border-radius:3px}.rounded-\\[4px\\]{border-radius:4px}.rounded-full{border-radius:3.40282e38px}.rounded-sm{border-radius:var(--radius-sm)}.border{border-style:var(--tw-border-style);border-width:1px}.border-0{border-style:var(--tw-border-style);border-width:0}.border-t{border-top-style:var(--tw-border-style);border-top-width:1px}.border-b{border-bottom-style:var(--tw-border-style);border-bottom-width:1px}.border-l-2{border-left-style:var(--tw-border-style);border-left-width:2px}.border-dashed{--tw-border-style:dashed;border-style:dashed}.bg-transparent{background-color:#0000}.p-0{padding:calc(var(--spacing) * 0)}.p-5{padding:calc(var(--spacing) * 5)}.p-6{padding:calc(var(--spacing) * 6)}.px-0{padding-inline:calc(var(--spacing) * 0)}.px-0\\.5{padding-inline:calc(var(--spacing) * .5)}.px-1{padding-inline:calc(var(--spacing) * 1)}.px-1\\.5{padding-inline:calc(var(--spacing) * 1.5)}.px-2{padding-inline:calc(var(--spacing) * 2)}.px-3{padding-inline:calc(var(--spacing) * 3)}.px-4{padding-inline:calc(var(--spacing) * 4)}.px-5{padding-inline:calc(var(--spacing) * 5)}.px-6{padding-inline:calc(var(--spacing) * 6)}.px-8{padding-inline:calc(var(--spacing) * 8)}.px-12{padding-inline:calc(var(--spacing) * 12)}.px-\\[5px\\]{padding-inline:5px}.px-\\[6px\\]{padding-inline:6px}.py-0\\.5{padding-block:calc(var(--spacing) * .5)}.py-1{padding-block:calc(var(--spacing) * 1)}.py-2{padding-block:calc(var(--spacing) * 2)}.py-2\\.5{padding-block:calc(var(--spacing) * 2.5)}.py-3{padding-block:calc(var(--spacing) * 3)}.py-4{padding-block:calc(var(--spacing) * 4)}.py-5{padding-block:calc(var(--spacing) * 5)}.py-6{padding-block:calc(var(--spacing) * 6)}.py-8{padding-block:calc(var(--spacing) * 8)}.py-12{padding-block:calc(var(--spacing) * 12)}.py-16{padding-block:calc(var(--spacing) * 16)}.py-\\[3px\\]{padding-block:3px}.py-px{padding-block:1px}.pt-0\\.5{padding-top:calc(var(--spacing) * .5)}.pt-1{padding-top:calc(var(--spacing) * 1)}.pt-2{padding-top:calc(var(--spacing) * 2)}.pt-5{padding-top:calc(var(--spacing) * 5)}.pt-7{padding-top:calc(var(--spacing) * 7)}.pt-8{padding-top:calc(var(--spacing) * 8)}.pt-12{padding-top:calc(var(--spacing) * 12)}.pr-0{padding-right:calc(var(--spacing) * 0)}.pr-2{padding-right:calc(var(--spacing) * 2)}.pr-3{padding-right:calc(var(--spacing) * 3)}.pr-6{padding-right:calc(var(--spacing) * 6)}.pb-1{padding-bottom:calc(var(--spacing) * 1)}.pb-1\\.5{padding-bottom:calc(var(--spacing) * 1.5)}.pb-4{padding-bottom:calc(var(--spacing) * 4)}.pb-5{padding-bottom:calc(var(--spacing) * 5)}.pb-6{padding-bottom:calc(var(--spacing) * 6)}.pb-8{padding-bottom:calc(var(--spacing) * 8)}.pb-12{padding-bottom:calc(var(--spacing) * 12)}.pl-0{padding-left:calc(var(--spacing) * 0)}.pl-3{padding-left:calc(var(--spacing) * 3)}.pl-4{padding-left:calc(var(--spacing) * 4)}.pl-\\[7px\\]{padding-left:7px}.text-center{text-align:center}.text-left{text-align:left}.text-right{text-align:right}.align-middle{vertical-align:middle}.align-top{vertical-align:top}.font-mono{font-family:var(--font-mono)}.font-sans{font-family:var(--font-sans)}.text-sm{font-size:var(--text-sm);line-height:var(--tw-leading,var(--text-sm--line-height))}.text-\\[9px\\]{font-size:9px}.text-\\[10px\\]{font-size:10px}.text-\\[11px\\]{font-size:11px}.text-\\[12px\\]{font-size:12px}.text-\\[13px\\]{font-size:13px}.text-\\[14px\\]{font-size:14px}.text-\\[15px\\]{font-size:15px}.text-\\[22px\\]{font-size:22px}.text-\\[28px\\]{font-size:28px}.text-\\[44px\\]{font-size:44px}.text-\\[72px\\]{font-size:72px}.text-\\[clamp\\(28px\\,5vw\\,52px\\)\\]{font-size:clamp(28px,5vw,52px)}.leading-\\[0\\.9\\]{--tw-leading:.9;line-height:.9}.leading-none{--tw-leading:1;line-height:1}.leading-snug{--tw-leading:var(--leading-snug);line-height:var(--leading-snug)}.leading-tight{--tw-leading:var(--leading-tight);line-height:var(--leading-tight)}.font-bold{--tw-font-weight:var(--font-weight-bold);font-weight:var(--font-weight-bold)}.font-light{--tw-font-weight:var(--font-weight-light);font-weight:var(--font-weight-light)}.font-medium{--tw-font-weight:var(--font-weight-medium);font-weight:var(--font-weight-medium)}.font-semibold{--tw-font-weight:var(--font-weight-semibold);font-weight:var(--font-weight-semibold)}.tracking-\\[-0\\.02em\\]{--tw-tracking:-.02em;letter-spacing:-.02em}.tracking-\\[0\\.1em\\]{--tw-tracking:.1em;letter-spacing:.1em}.tracking-\\[0\\.05em\\]{--tw-tracking:.05em;letter-spacing:.05em}.tracking-\\[0\\.08em\\]{--tw-tracking:.08em;letter-spacing:.08em}.tracking-\\[0\\.11em\\]{--tw-tracking:.11em;letter-spacing:.11em}.tracking-\\[0\\.12em\\]{--tw-tracking:.12em;letter-spacing:.12em}.tracking-\\[0\\.15em\\]{--tw-tracking:.15em;letter-spacing:.15em}.tracking-\\[0\\.16em\\]{--tw-tracking:.16em;letter-spacing:.16em}.tracking-\\[0\\.22em\\]{--tw-tracking:.22em;letter-spacing:.22em}.tracking-normal{--tw-tracking:var(--tracking-normal);letter-spacing:var(--tracking-normal)}.tracking-tight{--tw-tracking:var(--tracking-tight);letter-spacing:var(--tracking-tight)}.break-words{overflow-wrap:break-word}.break-all{word-break:break-all}.whitespace-nowrap{white-space:nowrap}.capitalize{text-transform:capitalize}.lowercase{text-transform:lowercase}.normal-case{text-transform:none}.uppercase{text-transform:uppercase}.italic{font-style:italic}.no-underline{text-decoration-line:none}.opacity-40{opacity:.4}.shadow{--tw-shadow:0 1px 3px 0 var(--tw-shadow-color,#0000001a), 0 1px 2px -1px var(--tw-shadow-color,#0000001a);box-shadow:var(--tw-inset-shadow), var(--tw-inset-ring-shadow), var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow)}.shadow-\\[0_4px_12px_rgba\\(0\\,0\\,0\\,0\\.08\\)\\]{--tw-shadow:0 4px 12px var(--tw-shadow-color,#00000014);box-shadow:var(--tw-inset-shadow), var(--tw-inset-ring-shadow), var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow)}.shadow-\\[0_8px_24px_rgba\\(0\\,0\\,0\\,0\\.12\\)\\]{--tw-shadow:0 8px 24px var(--tw-shadow-color,#0000001f);box-shadow:var(--tw-inset-shadow), var(--tw-inset-ring-shadow), var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow)}.ring{--tw-ring-shadow:var(--tw-ring-inset,) 0 0 0 calc(1px + var(--tw-ring-offset-width)) var(--tw-ring-color,currentcolor);box-shadow:var(--tw-inset-shadow), var(--tw-inset-ring-shadow), var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow)}.outline{outline-style:var(--tw-outline-style);outline-width:1px}.outline-0{outline-style:var(--tw-outline-style);outline-width:0}.blur{--tw-blur:blur(8px);filter:var(--tw-blur,) var(--tw-brightness,) var(--tw-contrast,) var(--tw-grayscale,) var(--tw-hue-rotate,) var(--tw-invert,) var(--tw-saturate,) var(--tw-sepia,) var(--tw-drop-shadow,)}.invert{--tw-invert:invert(100%);filter:var(--tw-blur,) var(--tw-brightness,) var(--tw-contrast,) var(--tw-grayscale,) var(--tw-hue-rotate,) var(--tw-invert,) var(--tw-saturate,) var(--tw-sepia,) var(--tw-drop-shadow,)}.filter{filter:var(--tw-blur,) var(--tw-brightness,) var(--tw-contrast,) var(--tw-grayscale,) var(--tw-hue-rotate,) var(--tw-invert,) var(--tw-saturate,) var(--tw-sepia,) var(--tw-drop-shadow,)}.backdrop-blur-sm{--tw-backdrop-blur:blur(var(--blur-sm));-webkit-backdrop-filter:var(--tw-backdrop-blur,) var(--tw-backdrop-brightness,) var(--tw-backdrop-contrast,) var(--tw-backdrop-grayscale,) var(--tw-backdrop-hue-rotate,) var(--tw-backdrop-invert,) var(--tw-backdrop-opacity,) var(--tw-backdrop-saturate,) var(--tw-backdrop-sepia,);backdrop-filter:var(--tw-backdrop-blur,) var(--tw-backdrop-brightness,) var(--tw-backdrop-contrast,) var(--tw-backdrop-grayscale,) var(--tw-backdrop-hue-rotate,) var(--tw-backdrop-invert,) var(--tw-backdrop-opacity,) var(--tw-backdrop-saturate,) var(--tw-backdrop-sepia,)}.transition{transition-property:color,background-color,border-color,outline-color,text-decoration-color,fill,stroke,--tw-gradient-from,--tw-gradient-via,--tw-gradient-to,opacity,box-shadow,transform,translate,scale,rotate,filter,-webkit-backdrop-filter,backdrop-filter,display,content-visibility,overlay,pointer-events;transition-timing-function:var(--tw-ease,var(--default-transition-timing-function));transition-duration:var(--tw-duration,var(--default-transition-duration))}.transition-colors{transition-property:color,background-color,border-color,outline-color,text-decoration-color,fill,stroke,--tw-gradient-from,--tw-gradient-via,--tw-gradient-to;transition-timing-function:var(--tw-ease,var(--default-transition-timing-function));transition-duration:var(--tw-duration,var(--default-transition-duration))}.duration-150{--tw-duration:.15s;transition-duration:.15s}.select-none{-webkit-user-select:none;user-select:none}.group-data-\\[state\\=off\\]\\:opacity-30:is(:where(.group)[data-state=off] *){opacity:.3}.before\\:absolute:before{content:var(--tw-content);position:absolute}.before\\:left-0:before{content:var(--tw-content);left:calc(var(--spacing) * 0)}.before\\:content-\\[\\'→\\'\\]:before{--tw-content:"→";content:var(--tw-content)}.after\\:ml-auto:after{content:var(--tw-content);margin-left:auto}.after\\:font-mono:after{content:var(--tw-content);font-family:var(--font-mono)}.after\\:text-\\[9px\\]:after{content:var(--tw-content);font-size:9px}.after\\:tracking-\\[0\\.1em\\]:after{content:var(--tw-content);--tw-tracking:.1em;letter-spacing:.1em}.after\\:content-\\[\\'ON\\'\\]:after{--tw-content:"ON";content:var(--tw-content)}.last\\:border-b-0:last-child{border-bottom-style:var(--tw-border-style);border-bottom-width:0}@media (hover:hover){.hover\\:text-white:hover{color:var(--color-white)}.hover\\:opacity-90:hover{opacity:.9}}.focus-visible\\:ring-1:focus-visible{--tw-ring-shadow:var(--tw-ring-inset,) 0 0 0 calc(1px + var(--tw-ring-offset-width)) var(--tw-ring-color,currentcolor);box-shadow:var(--tw-inset-shadow), var(--tw-inset-ring-shadow), var(--tw-ring-offset-shadow), var(--tw-ring-shadow), var(--tw-shadow)}.focus-visible\\:outline-none:focus-visible{--tw-outline-style:none;outline-style:none}.disabled\\:pointer-events-none:disabled{pointer-events:none}.disabled\\:opacity-40:disabled{opacity:.4}.data-\\[open\\=false\\]\\:hidden[data-open=false]{display:none}.data-\\[pinned\\=true\\]\\:pointer-events-auto[data-pinned=true]{pointer-events:auto}.data-\\[state\\=off\\]\\:line-through[data-state=off]{text-decoration-line:line-through}.data-\\[state\\=off\\]\\:after\\:content-\\[\\'OFF\\'\\][data-state=off]:after{--tw-content:"OFF";content:var(--tw-content)}@media (min-width:40rem){.sm\\:min-w-\\[320px\\]{min-width:320px}}@media (min-width:48rem){.md\\:grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.md\\:grid-cols-4{grid-template-columns:repeat(4,minmax(0,1fr))}.md\\:grid-cols-\\[1\\.4fr_1fr\\]{grid-template-columns:1.4fr 1fr}}.\\[\\&_svg\\]\\:size-\\[14px\\] svg{width:14px;height:14px}.\\[\\&_svg\\]\\:shrink-0 svg{flex-shrink:0}.\\[\\&_tr\\]\\:border-b-0 tr{border-bottom-style:var(--tw-border-style);border-bottom-width:0}.\\[\\&\\>\\*\\+\\*\\]\\:ml-6>*+*{margin-left:calc(var(--spacing) * 6)}.\\[\\&\\>\\*\\+\\*\\]\\:border-l>*+*{border-left-style:var(--tw-border-style);border-left-width:1px}.\\[\\&\\>\\*\\+\\*\\]\\:pl-6>*+*{padding-left:calc(var(--spacing) * 6)}.\\[\\&\\>td\\]\\:border-b>td{border-bottom-style:var(--tw-border-style);border-bottom-width:1px}}@property --tw-rotate-x{syntax:"*";inherits:false}@property --tw-rotate-y{syntax:"*";inherits:false}@property --tw-rotate-z{syntax:"*";inherits:false}@property --tw-skew-x{syntax:"*";inherits:false}@property --tw-skew-y{syntax:"*";inherits:false}@property --tw-space-y-reverse{syntax:"*";inherits:false;initial-value:0}@property --tw-border-style{syntax:"*";inherits:false;initial-value:solid}@property --tw-leading{syntax:"*";inherits:false}@property --tw-font-weight{syntax:"*";inherits:false}@property --tw-tracking{syntax:"*";inherits:false}@property --tw-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-shadow-color{syntax:"*";inherits:false}@property --tw-shadow-alpha{syntax:"<percentage>";inherits:false;initial-value:100%}@property --tw-inset-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-inset-shadow-color{syntax:"*";inherits:false}@property --tw-inset-shadow-alpha{syntax:"<percentage>";inherits:false;initial-value:100%}@property --tw-ring-color{syntax:"*";inherits:false}@property --tw-ring-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-inset-ring-color{syntax:"*";inherits:false}@property --tw-inset-ring-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-ring-inset{syntax:"*";inherits:false}@property --tw-ring-offset-width{syntax:"<length>";inherits:false;initial-value:0}@property --tw-ring-offset-color{syntax:"*";inherits:false;initial-value:#fff}@property --tw-ring-offset-shadow{syntax:"*";inherits:false;initial-value:0 0 #0000}@property --tw-outline-style{syntax:"*";inherits:false;initial-value:solid}@property --tw-blur{syntax:"*";inherits:false}@property --tw-brightness{syntax:"*";inherits:false}@property --tw-contrast{syntax:"*";inherits:false}@property --tw-grayscale{syntax:"*";inherits:false}@property --tw-hue-rotate{syntax:"*";inherits:false}@property --tw-invert{syntax:"*";inherits:false}@property --tw-opacity{syntax:"*";inherits:false}@property --tw-saturate{syntax:"*";inherits:false}@property --tw-sepia{syntax:"*";inherits:false}@property --tw-drop-shadow{syntax:"*";inherits:false}@property --tw-drop-shadow-color{syntax:"*";inherits:false}@property --tw-drop-shadow-alpha{syntax:"<percentage>";inherits:false;initial-value:100%}@property --tw-drop-shadow-size{syntax:"*";inherits:false}@property --tw-backdrop-blur{syntax:"*";inherits:false}@property --tw-backdrop-brightness{syntax:"*";inherits:false}@property --tw-backdrop-contrast{syntax:"*";inherits:false}@property --tw-backdrop-grayscale{syntax:"*";inherits:false}@property --tw-backdrop-hue-rotate{syntax:"*";inherits:false}@property --tw-backdrop-invert{syntax:"*";inherits:false}@property --tw-backdrop-opacity{syntax:"*";inherits:false}@property --tw-backdrop-saturate{syntax:"*";inherits:false}@property --tw-backdrop-sepia{syntax:"*";inherits:false}@property --tw-duration{syntax:"*";inherits:false}@property --tw-content{syntax:"*";inherits:false;initial-value:""}`,_a=Object.defineProperty,q=R((e,t)=>_a(e,"name",{value:t,configurable:!0}),"d");const Ua=Ha,Ga=["CRITICAL","HIGH","MODERATE","LOW","UNKNOWN"],k=q(e=>e.replaceAll("&","&amp;").replaceAll("<","&lt;").replaceAll(">","&gt;").replaceAll('"',"&quot;").replaceAll("'","&#39;"),"escapeHtml"),Ba=q(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),Ka={major:"major bump","minor-patch":"safe",unknown:"no fix"},qa=q((e,t)=>{if(t.length===0)return{kind:"unknown",label:"no fix"};const a=G.coerce(e);if(!a)return{kind:"unknown",label:"non-semver"};let r,i;for(const o of t){const n=G.coerce(o);if(!n)continue;const l=G.diff(a,n);l==="major"||l==="premajor"?r||(r=o):(l==="minor"||l==="patch"||l==="preminor"||l==="prepatch")&&!i&&(i=o)}return i?{kind:"minor-patch",label:`safe to ${i}`}:r?{kind:"major",label:`requires major bump to ${r}`}:{kind:"unknown",label:"no usable fix"}},"breakingMarker"),Ja=new Map([["are you at risk","RISK"],["what it is","VECTOR"],["what to do","ACTION"]]),Ya=q(e=>e.split(`
33
+ `).map(t=>{const a=t.trim();if(!a)return"";const r=a.match(/^([^:]{2,40}):\s*(.+)$/u);if(r?.[1]&&r[2]){const i=Ja.get(r[1].trim().toLowerCase())??r[1].trim().toUpperCase();return`<div class="intel-line grid grid-cols-[72px_1fr] items-start gap-4"><span class="intel-key pt-0.5 text-[9px] font-bold uppercase">${k(i)}</span><span class="intel-val text-[13px]">${k(r[2].trim())}</span></div>`}return`<div class="intel-line intel-prose grid items-start gap-4"><span class="intel-val text-[13px]">${k(a)}</span></div>`}).join(""),"renderExplanation"),Xa='<svg class="ticon-svg" viewBox="0 0 24 24" width="14" height="14" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true" focusable="false"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"/></svg>',Za='<svg class="ticon-svg" viewBox="0 0 24 24" width="14" height="14" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true" focusable="false"><circle cx="12" cy="12" r="4"/><path d="M12 2v2m0 16v2M4.93 4.93l1.41 1.41m11.32 11.32 1.41 1.41M2 12h2m16 0h2M4.93 19.07l1.41-1.41m11.32-11.32 1.41-1.41"/></svg>',_="px-3 py-3 text-left align-middle",U="sticky top-0 z-[2] px-3 py-3 text-left text-[10px] font-medium uppercase whitespace-nowrap select-none",ae="px-3 py-3 text-left text-[10px] font-medium uppercase",Qa=q(e=>{const{acknowledged:t,explanation:a,packageName:r,packageVersion:i,remediation:o,vulnerability:n}=e,{severity:l}=n,g=qa(i,n.fixedVersions),v=n.fixedVersions.length>0?n.fixedVersions.join(", "):"—",h=o?`<code class="copyable" data-cmd="${k(o)}" title="Click to copy">${k(o)}</code>`:'<span class="muted">advisory only</span>',u=`data-severity="${l}" data-package="${k(r)}" data-advisory="${k(n.id)}"`,m=`<tr class="${t?"finding-row ack-row":"finding-row"}" ${u}>
34
+ <td class="sev-cell whitespace-nowrap ${_}"><span class="badge badge-${l.toLowerCase()} inline-flex items-center gap-[7px] rounded-[3px] py-1 pr-2 pl-[7px] text-[9px] font-bold uppercase">${l}</span></td>
35
+ <td class="${_}"><span class="marker marker-${g.kind} inline-block whitespace-nowrap align-middle text-[9px] font-bold uppercase" title="${k(g.label)}">${Ka[g.kind]}</span></td>
36
+ <td class="${_}"><code class="pkg font-medium">${k(r)}</code></td>
37
+ <td class="${_}"><code class="ver whitespace-nowrap">${k(i)}</code></td>
38
+ <td class="adv-cell whitespace-nowrap ${_}"><a href="${k(Ba(n.id))}" class="text-[12px] no-underline" rel="noreferrer noopener" target="_blank">${k(n.id)}</a>${t?' <span class="ack ml-2 inline-block px-[5px] py-px text-[9px] uppercase">acknowledged</span>':""}</td>
39
+ <td class="summary-cell ${_} min-w-[220px] text-[13px]">${k(n.summary)}</td>
40
+ <td class="${_}"><code class="fix whitespace-nowrap">${k(v)}</code></td>
41
+ <td class="${_}">${h}</td>
42
+ </tr>`;return a?`${m}
43
+ <tr class="explain-row" ${u}>
44
+ <td colspan="8" class="p-0"><details><summary class="flex cursor-pointer items-center gap-3 px-3 py-2 select-none"><span class="intel-tag text-[9px] font-bold uppercase">[ AI INTEL ]</span><span class="intel-hint text-[9px] uppercase">threat analysis · click to expand</span></summary><div class="explain-body grid gap-3 px-3 pt-1 pb-4">${Ya(a)}</div></details></td>
45
+ </tr>`:m},"renderRow"),er=q(e=>{const t=e.now??new Date,a=[...e.findings].sort(ut),r={CRITICAL:0,HIGH:0,LOW:0,MODERATE:0,UNKNOWN:0};for(const u of a)r[u.vulnerability.severity??"UNKNOWN"]+=1;const i=a.map(u=>Qa(u)).join(`
46
+ `),o=a.length===0,n=Ga.filter(u=>r[u]>0).map(u=>`<div class="dseg dseg-sev dseg-${u.toLowerCase()}"><span class="dk text-[10px] font-medium uppercase">${u}</span><span class="dv text-[22px]">${String(r[u])}</span></div>`),l=[`<div class="dseg"><span class="dk text-[10px] font-medium uppercase">scanned</span><span class="dv text-[22px]">${String(e.packagesScanned)}</span></div>`,`<div class="dseg"><span class="dk text-[10px] font-medium uppercase">findings</span><span class="dv text-[22px]"><span id="shown">${String(a.length)}</span>${o?"":`<span class="dvsep mx-1 font-light">/</span>${String(a.length)}`}</span></div>`,n.length>0?'<span class="flex-auto"></span>':"",...n,o?'<div class="dseg dseg-ok"><span class="dot inline-block size-[7px] self-center"></span><span class="dk text-[10px] font-medium uppercase">status</span><span class="dv text-[22px]">CLEAN</span></div>':""].join(""),g=o?"ok":r.CRITICAL>0?"crit":r.HIGH>0?"high":"warn",v=(e.policyDecisions??[]).filter(u=>u.policy!=="vulnerability"),h=[...v].sort((u,m)=>{const x=q(b=>b==="block"?0:b==="warn"?1:2,"rank");return x(u.severity)-x(m.severity)||u.policy.localeCompare(m.policy)||u.packageName.localeCompare(m.packageName)}).map(u=>{const m=u.acceptedRisk?' <span class="ack ml-2 inline-block px-[5px] py-px text-[9px] uppercase">[acknowledged]</span>':"";return`<tr>
47
+ <td class="px-3 py-3 align-top"><span class="policy-badge policy-${u.severity} inline-flex items-center gap-[7px] rounded-[3px] py-1 pr-2 pl-[7px] text-[10px] font-bold uppercase">${u.severity.toUpperCase()}</span></td>
48
+ <td class="px-3 py-3 align-top"><code class="uppercase">${k(u.policy)}</code></td>
49
+ <td class="px-3 py-3 align-top"><code class="uppercase">${k(u.packageName)}</code></td>
50
+ <td class="px-3 py-3 align-top"><code class="uppercase">${k(u.version)}</code></td>
51
+ <td class="px-3 py-3 align-top">${k(u.reason)}${m}</td>
32
52
  </tr>`}).join(`
33
53
  `);return`<!doctype html>
34
54
  <html lang="en">
35
55
  <head>
36
56
  <meta charset="utf-8">
37
57
  <meta name="viewport" content="width=device-width, initial-scale=1">
38
- <title>vis audit · ${S(t.toISOString().slice(0,10))}</title>
39
- <style>
40
- :root {
41
- --bg: #0e1116;
42
- --fg: #d6dde6;
43
- --muted: #8b95a1;
44
- --border: #20262e;
45
- --row-hover: #161b22;
46
- --critical: #ff4757;
47
- --high: #ff8c42;
48
- --medium: #fbbf24;
49
- --low: #38bdf8;
50
- --unknown: #6b7280;
51
- --major: #ff4757;
52
- --minor: #22c55e;
53
- }
54
- @media (prefers-color-scheme: light) {
55
- :root {
56
- --bg: #ffffff;
57
- --fg: #1f2328;
58
- --muted: #57606a;
59
- --border: #d0d7de;
60
- --row-hover: #f6f8fa;
61
- }
62
- }
63
- * { box-sizing: border-box; }
64
- body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif; background: var(--bg); color: var(--fg); margin: 0; padding: 24px; }
65
- h1 { font-size: 22px; margin: 0 0 8px; }
66
- .meta { color: var(--muted); font-size: 13px; margin-bottom: 16px; }
67
- .summary { display: flex; flex-wrap: wrap; gap: 8px; margin-bottom: 20px; }
68
- .controls { display: flex; gap: 12px; align-items: center; margin-bottom: 12px; }
69
- .controls input { background: var(--bg); color: var(--fg); border: 1px solid var(--border); padding: 6px 10px; border-radius: 6px; font-size: 13px; min-width: 240px; }
70
- .controls select { background: var(--bg); color: var(--fg); border: 1px solid var(--border); padding: 6px 10px; border-radius: 6px; font-size: 13px; }
71
- table { width: 100%; border-collapse: collapse; font-size: 13px; }
72
- th, td { padding: 8px 10px; border-bottom: 1px solid var(--border); text-align: left; vertical-align: top; }
73
- th { font-weight: 600; color: var(--muted); cursor: pointer; user-select: none; }
74
- th:hover { color: var(--fg); }
75
- tr:hover td { background: var(--row-hover); }
76
- code { font-family: ui-monospace, "SF Mono", Menlo, monospace; font-size: 12px; }
77
- code.copyable { cursor: pointer; padding: 2px 4px; border-radius: 4px; }
78
- code.copyable:hover { background: var(--row-hover); }
79
- a { color: var(--low); text-decoration: none; }
80
- a:hover { text-decoration: underline; }
81
- .muted { color: var(--muted); }
82
- .ack { color: var(--muted); font-style: italic; font-size: 12px; }
83
- .badge { display: inline-block; padding: 2px 8px; border-radius: 12px; font-size: 11px; font-weight: 600; text-transform: uppercase; }
84
- .badge-critical { background: rgba(255, 71, 87, 0.2); color: var(--critical); }
85
- .badge-high { background: rgba(255, 140, 66, 0.2); color: var(--high); }
86
- .badge-moderate { background: rgba(251, 191, 36, 0.2); color: var(--medium); }
87
- .badge-low { background: rgba(56, 189, 248, 0.2); color: var(--low); }
88
- .badge-unknown { background: rgba(107, 114, 128, 0.2); color: var(--unknown); }
89
- .marker { display: inline-block; width: 10px; height: 10px; border-radius: 50%; vertical-align: middle; }
90
- .marker-major { background: var(--major); }
91
- .marker-minor-patch { background: var(--minor); }
92
- .marker-unknown { background: var(--unknown); }
93
- .clean { padding: 32px; text-align: center; color: var(--muted); font-size: 14px; border: 1px dashed var(--border); border-radius: 8px; }
94
- h2 { font-size: 16px; margin: 24px 0 12px; }
95
- .policy-badge { display: inline-block; padding: 2px 8px; border-radius: 12px; font-size: 11px; font-weight: 600; }
96
- .policy-block { background: rgba(255, 71, 87, 0.2); color: var(--critical); }
97
- .policy-warn { background: rgba(251, 191, 36, 0.2); color: var(--medium); }
98
- .policy-info { background: rgba(107, 114, 128, 0.2); color: var(--unknown); }
99
- </style>
58
+ <title>vis audit · ${k(t.toISOString().slice(0,10))}</title>
59
+ <style>${Ua}</style>
100
60
  </head>
101
61
  <body>
102
- <h1>vis audit</h1>
103
- <div class="meta">${S(e.tool.name)} ${S(e.tool.version)} · ${S(t.toISOString())} · ${e.packagesScanned} packages scanned · ${s.length} findings</div>
104
- <div class="summary">${a||'<span class="badge badge-low">CLEAN</span>'}</div>
105
- ${n?'<div class="clean">No security issues found.</div>':`
106
- <div class="controls">
107
- <input id="filter" type="search" placeholder="Filter by package or advisory…" aria-label="Filter findings" />
108
- <select id="severity" aria-label="Filter by severity">
109
- <option value="">All severities</option>
110
- <option value="CRITICAL">Critical only</option>
111
- <option value="HIGH">High and above</option>
112
- <option value="MODERATE">Moderate and above</option>
113
- <option value="LOW">Low and above</option>
114
- </select>
62
+ <main class="mx-auto max-w-[1080px]">
63
+ <header class="masthead flex flex-wrap items-end gap-4 px-0 pt-8 pb-5">
64
+ <div class="brand leading-none tracking-tight">${(()=>{const[u,...m]=e.tool.name.split("-");return m.length>0?`${k(u??e.tool.name)}<span class="slash mx-[0.12em] font-light">/</span>${k(m.join("-"))}`:k(e.tool.name)})()}<span class="sub mt-3 block text-[11px] font-medium uppercase">dependency security report</span></div>
65
+ <span class="flex-auto"></span>
66
+ <span class="chip inline-flex h-7 items-center justify-center rounded-[4px] px-3 text-[11px] font-medium uppercase">v${k(e.tool.version)}</span>
67
+ <button id="theme" class="tbtn tbtn-theme inline-flex h-7 cursor-pointer items-center justify-center rounded-[4px] bg-transparent px-3 text-[11px] font-medium uppercase" type="button" aria-label="Toggle color theme" title="Toggle color theme"><span class="ticon ticon-moon inline-flex items-center justify-center">${Xa}</span><span class="ticon ticon-sun inline-flex items-center justify-center">${Za}</span></button>
68
+ </header>
69
+ ${o?"":`<section class="verdict verdict-${g} flex flex-wrap items-baseline gap-x-6 gap-y-1"><span class="vnum font-light">${String(a.length)}</span><span class="vsub text-[12px] uppercase">${a.length===1?"vulnerability detected":"vulnerabilities detected"}</span></section>`}
70
+ <div class="debugbar flex flex-wrap items-stretch gap-0 pt-7 pb-1">${l}</div>
71
+ <div class="pt-8">
72
+ ${o?'<div class="clean px-6 text-center"><div class="big font-light">CLEAN</div><div class="sub mt-6 text-[12px] uppercase">No security issues found.</div></div>':`
73
+ <div class="mb-6 flex flex-wrap items-center gap-0">
74
+ <label class="field flex flex-[1_1_280px] items-center"><span class="prompt pr-3 text-[10px] uppercase select-none">filter:</span><input id="filter" type="search" class="w-full border-0 bg-transparent py-2.5 pr-0 pl-0 text-[13px] outline-0" placeholder="package or advisory id…" aria-label="Filter findings" /></label>
75
+ <label class="field sel flex flex-none items-center"><span class="prompt pr-3 text-[10px] uppercase select-none">sev</span><select id="severity" class="w-full cursor-pointer border-0 bg-transparent py-2.5 pr-6 pl-0 text-[13px] outline-0" aria-label="Filter by severity">
76
+ <option value="">all severities</option>
77
+ <option value="CRITICAL">critical only</option>
78
+ <option value="HIGH">high and above</option>
79
+ <option value="MODERATE">moderate and above</option>
80
+ <option value="LOW">low and above</option>
81
+ </select></label>
82
+ <span class="hint ml-8 text-[10px] uppercase"><span class="kbd rounded-[3px] px-[6px] py-px text-[10px] font-medium uppercase">/</span> to search · <span class="kbd rounded-[3px] px-[6px] py-px text-[10px] font-medium uppercase">esc</span> to clear</span>
115
83
  </div>
116
- <table id="findings">
84
+ <table id="findings" class="w-full text-[13px]">
117
85
  <thead>
118
86
  <tr>
119
- <th data-sort="severity">Severity</th>
120
- <th title="Green = safe upgrade · Red = requires major bump">Δ</th>
121
- <th data-sort="package">Package</th>
122
- <th>Version</th>
123
- <th>Advisory</th>
124
- <th>Summary</th>
125
- <th>Fix</th>
126
- <th>Remediation</th>
87
+ <th class="${U}">Severity</th>
88
+ <th class="${U}">Upgrade</th>
89
+ <th class="${U}">Package</th>
90
+ <th class="${U}">Version</th>
91
+ <th class="${U}">Advisory</th>
92
+ <th class="${U}">Summary</th>
93
+ <th class="${U}">Fix</th>
94
+ <th class="${U}">Remediation</th>
127
95
  </tr>
128
96
  </thead>
129
97
  <tbody>
130
- ${o}
98
+ ${i}
131
99
  </tbody>
132
- </table>`}
133
- ${l.length>0?`
134
- <h2>Policy Decisions (${l.length})</h2>
135
- <table id="policies">
100
+ </table>
101
+ <div id="empty" class="empty hidden px-5 py-12 text-center text-[12px] uppercase">No findings match the current filter.</div>`}
102
+ ${v.length>0?`
103
+ <h2>Policy Decisions (${v.length})</h2>
104
+ <table id="policies" class="w-full text-[13px]">
136
105
  <thead>
137
106
  <tr>
138
- <th>Severity</th>
139
- <th>Policy</th>
140
- <th>Package</th>
141
- <th>Version</th>
142
- <th>Reason</th>
107
+ <th class="${ae}">Severity</th>
108
+ <th class="${ae}">Policy</th>
109
+ <th class="${ae}">Package</th>
110
+ <th class="${ae}">Version</th>
111
+ <th class="${ae}">Reason</th>
143
112
  </tr>
144
113
  </thead>
145
114
  <tbody>
146
- ${p}
115
+ ${h}
147
116
  </tbody>
148
117
  </table>`:""}
118
+ <footer class="sig mt-12 flex flex-wrap items-center justify-between gap-x-6 gap-y-3 pt-5 text-[10px] uppercase"><span class="sig-meta"><b>${k(e.tool.name)}</b> ${k(e.tool.version)} · generated ${k(t.toISOString())} · powered by OSV.dev</span><span class="sig-by inline-flex items-center gap-2"><span class="sig-by-label">built by</span><a class="sig-by-link inline-flex items-center" href="https://anolilab.com" rel="noreferrer noopener" target="_blank" aria-label="Anolilab">${la}</a></span></footer>
119
+ </div>
120
+ </main>
149
121
  <script>
150
122
  (() => {
151
- const rank = { CRITICAL: 0, HIGH: 1, MODERATE: 2, LOW: 3, UNKNOWN: 4 };
152
- const filter = document.getElementById('filter');
153
- const severity = document.getElementById('severity');
154
- const rows = Array.from(document.querySelectorAll('#findings tbody tr'));
123
+ const root = document.documentElement;
124
+ const themeBtn = document.getElementById('theme');
125
+ const mql = window.matchMedia('(prefers-color-scheme: dark)');
126
+
127
+ // Theme: persisted choice wins, else follow OS. JS only flips data-theme;
128
+ // CSS handles the colors and the moon/sun icon swap.
129
+ try {
130
+ const stored = localStorage.getItem('vis-audit-theme');
131
+ if (stored === 'light' || stored === 'dark') {
132
+ root.dataset.theme = stored;
133
+ }
134
+ } catch {}
135
+
136
+ themeBtn?.addEventListener('click', () => {
137
+ const isDark = root.dataset.theme ? root.dataset.theme === 'dark' : mql.matches;
138
+ const next = isDark ? 'light' : 'dark';
139
+ root.dataset.theme = next;
140
+ try {
141
+ localStorage.setItem('vis-audit-theme', next);
142
+ } catch {}
143
+ });
144
+
145
+ // Filter index: read each row's data-* once, lowercase strings ahead of
146
+ // time, and pre-rank severity. Subsequent keystrokes only compare cached
147
+ // primitives — no per-row getAttribute / toLowerCase in the hot loop.
148
+ const RANK = { CRITICAL: 0, HIGH: 1, MODERATE: 2, LOW: 3, UNKNOWN: 4 };
149
+ const UNKNOWN = RANK.UNKNOWN;
150
+ const filterInput = document.getElementById('filter');
151
+ const sevSelect = document.getElementById('severity');
152
+ const shown = document.getElementById('shown');
153
+ const empty = document.getElementById('empty');
154
+ const index = [];
155
+ for (const el of document.querySelectorAll('#findings tbody tr')) {
156
+ const d = el.dataset;
157
+ index.push({
158
+ el,
159
+ pkg: (d.package || '').toLowerCase(),
160
+ adv: (d.advisory || '').toLowerCase(),
161
+ rank: RANK[d.severity] ?? UNKNOWN,
162
+ finding: el.classList.contains('finding-row'),
163
+ hidden: false,
164
+ });
165
+ }
166
+ let emptyShown = false;
155
167
 
156
168
  const apply = () => {
157
- const q = (filter?.value ?? '').toLowerCase().trim();
158
- const minSev = severity?.value ?? '';
159
- const sevCap = minSev ? rank[minSev] ?? 4 : 4;
160
- for (const row of rows) {
161
- const pkg = row.getAttribute('data-package') ?? '';
162
- const adv = row.getAttribute('data-advisory') ?? '';
163
- const sev = row.getAttribute('data-severity') ?? 'UNKNOWN';
164
- const queryHit = !q || pkg.toLowerCase().includes(q) || adv.toLowerCase().includes(q);
165
- const sevHit = !minSev || (rank[sev] ?? 4) <= sevCap;
166
- row.style.display = queryHit && sevHit ? '' : 'none';
169
+ const q = (filterInput?.value || '').toLowerCase().trim();
170
+ const sevValue = sevSelect?.value || '';
171
+ const cap = sevValue ? (RANK[sevValue] ?? UNKNOWN) : UNKNOWN;
172
+ let visible = 0;
173
+ for (const row of index) {
174
+ const queryHit = !q || row.pkg.includes(q) || row.adv.includes(q);
175
+ const sevHit = !sevValue || row.rank <= cap;
176
+ const visibleNow = queryHit && sevHit;
177
+ if (visibleNow && row.finding) {
178
+ visible += 1;
179
+ }
180
+ // Only touch the DOM when this row's state actually changes — keeps
181
+ // continued typing from re-laying out every row on every keystroke.
182
+ if (visibleNow === !row.hidden) {
183
+ continue;
184
+ }
185
+ row.el.style.display = visibleNow ? '' : 'none';
186
+ row.hidden = !visibleNow;
187
+ }
188
+ if (shown) {
189
+ shown.textContent = String(visible);
190
+ }
191
+ const showEmpty = visible === 0;
192
+ if (empty && showEmpty !== emptyShown) {
193
+ empty.style.display = showEmpty ? 'block' : 'none';
194
+ emptyShown = showEmpty;
167
195
  }
168
196
  };
169
197
 
170
- filter?.addEventListener('input', apply);
171
- severity?.addEventListener('change', apply);
198
+ // Coalesce typing-driven updates to one pass per frame; rapid keystrokes
199
+ // (paste, IME) collapse into a single filter sweep.
200
+ let pending = 0;
201
+ const scheduleApply = () => {
202
+ if (pending) {
203
+ return;
204
+ }
205
+ pending = requestAnimationFrame(() => {
206
+ pending = 0;
207
+ apply();
208
+ });
209
+ };
210
+
211
+ filterInput?.addEventListener('input', scheduleApply);
212
+ sevSelect?.addEventListener('change', apply);
213
+
214
+ // Keyboard: "/" focuses the filter, Esc clears every active filter.
215
+ document.addEventListener('keydown', (event) => {
216
+ if (event.key === '/' && document.activeElement !== filterInput) {
217
+ event.preventDefault();
218
+ filterInput?.focus();
219
+ return;
220
+ }
221
+ if (event.key === 'Escape') {
222
+ if (filterInput) {
223
+ filterInput.value = '';
224
+ }
225
+ if (sevSelect) {
226
+ sevSelect.value = '';
227
+ }
228
+ apply();
229
+ filterInput?.blur();
230
+ }
231
+ });
172
232
 
173
- // Click-to-copy on remediation cells.
233
+ // Click-to-copy on remediation command bars (event-delegated).
174
234
  document.addEventListener('click', (event) => {
175
- const target = event.target;
176
- if (!(target instanceof HTMLElement) || !target.classList.contains('copyable')) return;
177
- const cmd = target.getAttribute('data-cmd') ?? target.textContent ?? '';
235
+ const target = event.target?.closest?.('.copyable');
236
+ // Guard re-entry during the 1s revert: a second click would otherwise
237
+ // capture "✓ copied to clipboard" as the original and never restore it.
238
+ if (!target || target.classList.contains('copied')) {
239
+ return;
240
+ }
241
+ const cmd = target.dataset.cmd ?? target.textContent ?? '';
178
242
  navigator.clipboard?.writeText(cmd).then(() => {
179
243
  const orig = target.textContent;
180
- target.textContent = 'copied';
181
- setTimeout(() => { target.textContent = orig; }, 900);
244
+ target.classList.add('copied');
245
+ target.textContent = '✓ copied to clipboard';
246
+ setTimeout(() => {
247
+ target.textContent = orig;
248
+ target.classList.remove('copied');
249
+ }, 1000);
182
250
  }).catch(() => {});
183
251
  });
252
+
253
+ apply();
184
254
  })();
185
255
  <\/script>
186
256
  </body>
187
257
  </html>
188
- `},"emitAuditHtml");var ks=Object.defineProperty,ye=O((e,t)=>ks(e,"name",{value:t,configurable:!0}),"u");const bs={CRITICAL:"CRITICAL",HIGH:"HIGH",LOW:"LOW",MODERATE:"MEDIUM",UNKNOWN:"NONE"},$s={CRITICAL:9.5,HIGH:8,LOW:2.5,MODERATE:5.5,UNKNOWN:0},Ce=ye((e,t)=>`pkg:npm/${e}@${t}`,"productId"),ws=ye(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),Ye=ye((e,t)=>{const s=new Map;for(const r of e){const o=t(r),a=s.get(o);a?a.push(r):s.set(o,[r])}return s},"groupBy"),xs=ye(e=>{const t=e.now??new Date,s=t.toISOString(),r=e.trackingId??`vis-audit-${t.toISOString().slice(0,10)}`,o=[...Ye(e.findings,n=>n.packageName).entries()].sort(([n],[l])=>n.localeCompare(l)).map(([n,l])=>({branches:[...new Set(l.map(p=>p.packageVersion))].sort().map(p=>{const u=Ce(n,p);return{category:"product_version",name:p,product:{name:`${n}@${p}`,product_id:u,product_identification_helper:{purl:u}}}}),category:"product_name",name:n})),a=[...Ye(e.findings,n=>n.vulnerability.id).entries()].sort(([n],[l])=>n.localeCompare(l)).map(([n,l])=>{const p=l[0].vulnerability,u=[...new Set(l.map(w=>Ce(w.packageName,w.packageVersion)))].sort(),g=n.startsWith("CVE-"),b=[n,...p.aliases??[]],v=g?n:b.find(w=>w.startsWith("CVE-")),$=b.filter(w=>w!==v).map(w=>({system_name:w.startsWith("GHSA-")?"GitHub Security Advisory":"OSV",text:w})),y=typeof p.cvssScore=="number"&&Number.isFinite(p.cvssScore)?p.cvssScore:$s[p.severity]??0,k=l.filter(w=>w.acknowledged).map(w=>Ce(w.packageName,w.packageVersion));return{...v?{cve:v}:{},...$.length>0?{ids:$}:{},notes:[{category:"description",text:p.summary||`Advisory ${n}`,title:"Advisory description"}],product_status:{known_affected:u},references:[{category:"external",summary:`${n} advisory record`,url:ws(n)}],scores:[{cvss_v3:{baseScore:y,baseSeverity:bs[p.severity]??"NONE",vectorString:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",version:"3.1"},products:u}],title:p.summary.split(`
189
- `)[0]?.slice(0,200)||n,...k.length>0?{flags:[{label:"inline_mitigations_already_exist",product_ids:k}]}:{}}});return{document:{category:"csaf_vex",csaf_version:"2.0",distribution:{tlp:{label:"WHITE"}},publisher:{category:"vendor",name:e.tool.name,namespace:e.tool.informationUri},title:`vis audit · ${r}`,tracking:{current_release_date:s,id:r,initial_release_date:s,revision_history:[{date:s,number:"1",summary:"Initial audit emission"}],status:"final",version:"1"}},...o.length>0?{product_tree:{branches:o}}:{},...a.length>0?{vulnerabilities:a}:{}}},"emitCsaf");var Ss=Object.defineProperty,se=O((e,t)=>Ss(e,"name",{value:t,configurable:!0}),"c$2");const As={CRITICAL:"critical",HIGH:"high",LOW:"low",MODERATE:"medium",UNKNOWN:"unknown"},Ns={CRITICAL:9.5,HIGH:8,LOW:2.5,MODERATE:5.5,UNKNOWN:0},Re=se(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),Oe=se(e=>e.startsWith("CVE-")?"NVD":e.startsWith("GHSA-")?"GitHub Advisory Database":"OSV","advisorySourceName"),Ze=se((e,t)=>{const s=new Map;for(const r of e){const o=t(r),a=s.get(o);a?a.push(r):s.set(o,[r])}return s},"groupBy"),Cs=se((e,t=new Date)=>{const s=Ze(e,o=>o.vulnerability.id),r=t.toISOString();return[...s.entries()].sort(([o],[a])=>o.localeCompare(a)).map(([o,a])=>{const n=a[0].vulnerability,l=As[n.severity]??"unknown",p=typeof n.cvssScore=="number"&&Number.isFinite(n.cvssScore)?n.cvssScore:Ns[n.severity]??0,u=[...Ze(a,y=>y.packageName).entries()].sort(([y],[k])=>y.localeCompare(k)).map(([y,k])=>{const w=[...new Set(k.map(W=>W.packageVersion))].sort();return{ref:Gt(y,w[0]),versions:w.map(W=>({status:"affected",version:W}))}}),g=(n.aliases??[]).filter(y=>y!==o).map(y=>({id:y,source:{name:Oe(y),url:Re(y)}})),b=a.some(y=>y.acknowledged),v=a.every(y=>y.acknowledged)?{justification:"code_not_reachable",response:["will_not_fix"],state:"not_affected"}:b?{state:"in_triage"}:void 0,$=n.fixedVersions??[];return{"bom-ref":`vuln:${o}`,id:o,source:{name:Oe(o),url:Re(o)},...g.length>0?{references:g}:{},description:n.summary||`Advisory ${o}`,ratings:[{method:"CVSSv31",score:p,severity:l,source:{name:Oe(o),url:Re(o)}}],...$.length>0?{recommendation:`Upgrade to one of: ${$.join(", ")}`}:{},affects:u,created:r,published:r,...v?{analysis:v}:{}}})},"buildCycloneDxVulnerabilities"),Rs=se(e=>{const t=Cs(e.findings,e.now);return{...e.bom,vulnerabilities:t}},"emitCycloneDxVex");var Os=Object.defineProperty,We=O((e,t)=>Os(e,"name",{value:t,configurable:!0}),"a");const Es={CRITICAL:"error",HIGH:"error",LOW:"note",MODERATE:"warning",UNKNOWN:"none"},Is={CRITICAL:"9.5",HIGH:"8.0",LOW:"2.5",MODERATE:"5.5",UNKNOWN:"0.0"},js={CRITICAL:"critical",HIGH:"high",LOW:"low",MODERATE:"medium",UNKNOWN:"none"},Ps=We(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),Ds=We(e=>typeof e.cvssScore=="number"&&Number.isFinite(e.cvssScore)?e.cvssScore.toFixed(1):Is[e.severity]??"0.0","securitySeverity"),Ls=We(e=>{const t=new Map,s=[],r=e.artifactUri??(Ut(e.workspaceRoot,Bt(e.workspaceRoot,"package.json"))||"package.json");for(const n of e.findings){const{acknowledged:l,packageName:p,packageVersion:u,vulnerability:g}=n,b=Es[g.severity]??"none",v=js[g.severity]??"none";t.has(g.id)||t.set(g.id,{defaultConfiguration:{level:b},fullDescription:{text:g.summary||`Advisory ${g.id}`},helpUri:Ps(g.id),id:g.id,name:g.id,properties:{precision:"very-high","security-severity":Ds(g),"severity-label":v,tags:["security","vulnerability","supply-chain",`severity:${v}`]},shortDescription:{text:(g.summary.split(`
190
- `)[0]??g.id).slice(0,200)}}),s.push({level:b,locations:[{logicalLocations:[{kind:"package",name:`${p}@${u}`}],physicalLocation:{artifactLocation:{uri:r}}}],message:{text:`${g.id}: ${p}@${u} — ${g.summary||"no summary"}${g.fixedVersions.length>0?` (fix: ${g.fixedVersions.join(", ")})`:""}`},partialFingerprints:{advisoryId:g.id,package:p,version:u},properties:{...l?{acknowledged:!0}:{},...g.aliases&&g.aliases.length>0?{aliases:g.aliases}:{},...typeof g.cvssScore=="number"?{cvssScore:g.cvssScore}:{},...g.fixedVersions.length>0?{fixedVersions:g.fixedVersions}:{},packageName:p,packageVersion:u,severityLabel:v},ruleId:g.id})}const o={block:"error",info:"note",warn:"warning"},a={block:"high",info:"none",warn:"medium"};for(const n of e.policyDecisions??[]){if(n.policy==="vulnerability")continue;const l=`vis.policy.${n.policy}`,p=o[n.severity],u=a[n.severity];t.has(l)||t.set(l,{defaultConfiguration:{level:p},fullDescription:{text:`vis policy '${n.policy}' (Socket.dev-style supply-chain gate)`},helpUri:`https://visulima.com/packages/vis/commands/audit#policy-${n.policy}`,id:l,name:l,properties:{precision:"high","security-severity":n.severity==="block"?"8.0":n.severity==="warn"?"5.5":"0.0","severity-label":u,tags:["security","supply-chain","policy",`policy:${n.policy}`]},shortDescription:{text:`vis policy: ${n.policy}`}}),s.push({level:p,locations:[{logicalLocations:[{kind:"package",name:`${n.packageName}@${n.version}`}],physicalLocation:{artifactLocation:{uri:r}}}],message:{text:n.reason},partialFingerprints:{package:n.packageName,policy:n.policy,version:n.version},properties:{...n.acceptedRisk?{acknowledged:!0}:{},packageName:n.packageName,packageVersion:n.version,severityLabel:u},ruleId:l})}return{$schema:"https://json.schemastore.org/sarif-2.1.0.json",runs:[{results:s,tool:{driver:{informationUri:e.tool.informationUri,name:e.tool.name,rules:[...t.values()],version:e.tool.version}}}],version:"2.1.0"}},"emitSarif");var Ws=Object.defineProperty,K=O((e,t)=>Ws(e,"name",{value:t,configurable:!0}),"c$1");const Ms=["dependencies","devDependencies","optionalDependencies","peerDependencies"],Xe=K(e=>{try{return{path:e,pkg:ot(e)}}catch{return}},"readPackageJsonSafe"),Ts=K(e=>{const t=[],s=Xe(H(e,"package.json"));s&&t.push({path:s.path,pkg:s.pkg,workspaceName:s.pkg.name});const r=Ct(e);let o;if(r?o=r:s?.pkg.workspaces&&(Array.isArray(s.pkg.workspaces)?o=s.pkg.workspaces:s.pkg.workspaces.packages&&(o=s.pkg.workspaces.packages)),!o)return t;for(const a of Rt(e,o)){const n=Xe(H(e,a,"package.json"));n&&t.push({path:n.path,pkg:n.pkg,workspaceName:n.pkg.name})}return t},"collectWorkspaceManifests"),Hs=K((e,t)=>{const s=[];for(const r of e)for(const o of Ms){const a=r.pkg[o]?.[t];typeof a=="string"&&s.push({field:o,manifest:r,range:a})}return s},"findDeclarations"),it=K(e=>{const t=Ts(e.workspaceRoot),s=[],r=[],o=[],a=new Set;for(const n of e.findings){const l=n.vulnerability.fixedVersions[0];if(!l){o.push({packageName:n.packageName,reason:"no-fixed-version"});continue}const p=Hs(t,n.packageName);if(p.length===0){o.push({packageName:n.packageName,reason:"transitive-only"});continue}const u=G.coerce(l),g=u?`^${u.version}`:l,b=u?u.version:l;for(const v of p){const $=`${v.manifest.path}::${v.field}::${n.packageName}::${b}`;if(a.has($))continue;a.add($);const y=Fs(b,v.range),k={currentRange:v.range,field:v.field,inRange:y,manifestPath:v.manifest.path,packageName:n.packageName,targetSpec:g,targetVersion:b,workspaceName:v.manifest.workspaceName};y||e.allowMajor===!0?s.push(k):r.push(k)}}return{apply:s,skippedMajor:r,unmatched:o}},"buildDirectApplyPlan"),Vs=/^(?:workspace|file|link|portal|patch|git\+|git:|github:|npm:|catalog|jsr|http|https):/i,Fs=K((e,t)=>{if(Vs.test(t))return!0;const s=G.coerce(e)?.version??e;try{return G.satisfies(s,t)}catch{return!0}},"satisfiesRange"),Gs=K(e=>{const t=[];if(e.apply.length>0){t.push(`Apply (${String(e.apply.length)}):`);for(const s of e.apply){const r=s.workspaceName?` [${s.workspaceName}]`:"";t.push(` + ${s.packageName}: ${s.currentRange} → ${s.targetSpec}${r}`)}}if(e.skippedMajor.length>0){t.push(`Skipped — major bump (${String(e.skippedMajor.length)}, requires --allow-major):`);for(const s of e.skippedMajor){const r=s.workspaceName?` [${s.workspaceName}]`:"";t.push(` ! ${s.packageName}: ${s.currentRange} → ${s.targetSpec}${r}`)}}if(e.unmatched.length>0){const s=e.unmatched.filter(o=>o.reason==="transitive-only"),r=e.unmatched.filter(o=>o.reason==="no-fixed-version");if(s.length>0){t.push(`Transitive only (${String(s.length)}, requires --fix-transitive):`);for(const o of s)t.push(` · ${o.packageName}`)}if(r.length>0){t.push(`No fixed version available (${String(r.length)}):`);for(const o of r)t.push(` · ${o.packageName}`)}}return t.length===0?"No direct-dep fixes to apply.":t.join(`
191
- `)},"formatDirectApplyPlan");var _s=Object.defineProperty,D=O((e,t)=>_s(e,"name",{value:t,configurable:!0}),"i");const Us={"crates.io":["Cargo.lock"],Go:["go.sum"],Maven:["gradle.lockfile","pom.xml"],PyPI:["uv.lock","poetry.lock","Pipfile.lock"],RubyGems:["Gemfile.lock"]},Bs={cargo:"crates.io","crates.io":"crates.io",go:"Go",maven:"Maven",npm:"npm",pypi:"PyPI",rubygems:"RubyGems"},ct=D(e=>Bs[e.toLowerCase()]??e,"canonicalEcosystem"),qs=D((e,t)=>{const s=ct(t),r=Us[s]??[];for(const o of r){const a=H(e,o);if(Qe(a))return a}},"findEcosystemLockfile"),Ks=D(e=>{const t=new Set,s=[];for(const r of e){const o=`${r.name}@${r.version}`;t.has(o)||(t.add(o),s.push(r))}return s},"dedupe"),zs=/\[\[package\]\]([\s\S]*?)(?=\[\[|$)/g,Js=/^\s*name\s*=\s*"([^"]+)"\s*$/m,Ys=/^\s*version\s*=\s*"([^"]+)"\s*$/m,Zs=D(e=>{const t=[];for(const s of e.matchAll(zs)){const r=s[1]??"",o=Js.exec(r)?.[1],a=Ys.exec(r)?.[1];o&&a&&t.push({isDev:!1,name:o,version:a})}return t},"parseTomlPackages"),Xs=D(e=>{let t;try{t=JSON.parse(e)}catch{return[]}if(typeof t!="object"||t===null)return[];const s=[];for(const r of["default","develop"]){const o=t[r];if(!(typeof o!="object"||o===null))for(const[a,n]of Object.entries(o)){if(typeof n!="object"||n===null)continue;const l=n.version;if(typeof l!="string")continue;const p=l.replace(/^==/,"").trim();p.length>0&&s.push({isDev:!1,name:a,version:p})}}return s},"parsePipfileLock"),Qs=/<dependency>([\s\S]*?)<\/dependency>/g,er=/<groupId>\s*([^<\s]+)\s*<\/groupId>/,tr=/<artifactId>\s*([^<\s]+)\s*<\/artifactId>/,sr=/<version>\s*([^<\s]+)\s*<\/version>/,rr=D(e=>{const t=[];for(const s of e.matchAll(Qs)){const r=s[1]??"",o=er.exec(r)?.[1],a=tr.exec(r)?.[1],n=sr.exec(r)?.[1];!o||!a||!n||n.startsWith("${")||t.push({isDev:!1,name:`${o}:${a}`,version:n})}return t},"parsePomXml"),or=D(e=>{const t=[];for(const s of e.split(/\r?\n/)){const r=s.trim();if(r.length===0||r.startsWith("#"))continue;const o=r.indexOf("="),a=(o===-1?r:r.slice(0,o)).split(":");if(a.length<3)continue;const[n,l,p]=a;!n||!l||!p||t.push({isDev:!1,name:`${n}:${l}`,version:p})}return t},"parseGradleLockfile"),nr=D(e=>{const t=[];for(const s of e.split(/\r?\n/)){const r=s.trim();if(r.length===0)continue;const o=r.split(/\s+/);if(o.length<3)continue;const[a,n]=o;if(!a||!n?.endsWith("/go.mod"))continue;const l=n.slice(0,-7);l.length!==0&&t.push({isDev:!1,name:a,version:l})}return t},"parseGoSum"),ar=/^ {4}([^ ()]+) \(([^()]+)\)\s*$/,ir=D(e=>{const t=[];let s=!1,r=!1;for(const o of e.split(/\r?\n/)){if(o.startsWith("GEM")){s=!0,r=!1;continue}if(s&&/^[A-Z]/.test(o)){s=!1,r=!1;continue}if(s&&o.trim()==="specs:"){r=!0;continue}if(r){const a=ar.exec(o);if(a){const[,n,l]=a;n&&l&&t.push({isDev:!1,name:n,version:l})}}}return t},"parseGemfileLock"),cr=D((e,t)=>{const s=qs(e,t);if(!s)return[];let r;try{r=et(s,"utf8")}catch{return[]}const o=s.split(/[/\\]/).pop()??"";let a;switch(o){case"Cargo.lock":case"poetry.lock":case"uv.lock":{a=Zs(r);break}case"Gemfile.lock":{a=ir(r);break}case"go.sum":{a=nr(r);break}case"gradle.lockfile":{a=or(r);break}case"Pipfile.lock":{a=Xs(r);break}case"pom.xml":{a=rr(r);break}default:return[]}return Ks(a)},"lockedPackagesForEcosystem");var lr=Object.defineProperty,te=O((e,t)=>lr(e,"name",{value:t,configurable:!0}),"c");const dr=["ts","tsx","js","jsx","mjs","cjs","mts","cts"],pr=[/node_modules/,/\.git/,/\.next/,/\.cache/,/dist/,/build/,/coverage/,/\.turbo/,/\.nx/,/\.parcel-cache/],ur=["dependencies","devDependencies","peerDependencies","optionalDependencies"],fr=/(?:import|export)\s+(?:[\s\S]*?from\s+)?["']([^"'\n]+)["']/g,gr=/(?:^|[^.\w$])require\s*\(\s*["']([^"'\n]+)["']\s*\)/g,mr=/\bimport\s*\(\s*["']([^"'\n]+)["']\s*\)/g,vr=te(e=>{if(e.startsWith(".")||e.startsWith("/")||/^[a-z][a-z0-9+.-]*:/i.test(e))return;const t=e.trim();if(t.length!==0){if(t.startsWith("@")){const s=t.split("/");return s.length<2?void 0:`${s[0]}/${s[1]}`}return t.split("/")[0]}},"normalizePackageName"),hr=te(e=>{const t=new Set,s=e.replaceAll(/\/\*[\s\S]*?\*\//g,"").replaceAll(/(^|[^:])\/\/.*$/gm,"$1"),r=te(o=>{o.lastIndex=0;let a;for(;(a=o.exec(s))!==null;){const n=vr(a[1]);n&&t.add(n)}},"collect");return r(fr),r(gr),r(mr),t},"extractImportedNames"),yr=te(e=>{const t=new Set;try{const s=ot(e);for(const r of ur){const o=s[r];if(o&&typeof o=="object"&&!Array.isArray(o))for(const a of Object.keys(o))t.add(a)}}catch{}return t},"extractPackageJsonNames"),kr=te(e=>{const t=e.skip??pr,s=e.extensions??dr,r=new Set;let o=0;const a=ze(e.workspaceRoot,{extensions:s,includeDirs:!1,skip:t});for(const p of a){o+=1;try{const u=et(p,"utf8");for(const g of hr(u))r.add(g)}catch{}}const n=ze(e.workspaceRoot,{extensions:["json"],includeDirs:!1,skip:t}).filter(p=>p.endsWith("/package.json")||p.endsWith(String.raw`\package.json`)||p.endsWith("package.json"));for(const p of n)for(const u of yr(p))r.add(u);if(e.alwaysAssumeUsed)for(const p of e.alwaysAssumeUsed)r.add(p);const l=new Set;for(const p of e.vulnerablePackages)r.has(p)&&l.add(p);return{filesScanned:o,importedTotal:r,reachable:l}},"computeReachableVulnerablePackages");var br=Object.defineProperty,L=O((e,t)=>br(e,"name",{value:t,configurable:!0}),"o");const $r=L(e=>{const t=G.coerce(e)?.major;return t!==void 0&&t>=10},"PNPM_V10_PLUS"),wr=L(e=>Object.fromEntries(Object.entries(e).sort(([t],[s])=>t.localeCompare(s))),"sortByKey"),xr=L((e,t)=>`${JSON.stringify(e,void 0,t)}
192
- `,"stringifyJson"),lt=L((e,t)=>{if(t.name==="pnpm"&&$r(t.version))return{filePath:H(e,"pnpm-workspace.yaml"),surface:"pnpm-workspace.yaml"};const s=H(e,"package.json");return t.name==="pnpm"?{filePath:s,surface:"package.json#pnpm.overrides"}:t.name==="yarn"?{filePath:s,surface:"package.json#resolutions"}:{filePath:s,surface:"package.json#overrides"}},"resolveOverrideSurface"),Sr=L((e,t)=>{const{filePath:s,surface:r}=lt(e,t);if(!B(s))return{};if(r==="pnpm-workspace.yaml")try{return Le(s)?.overrides??{}}catch{return{}}try{const o=JSON.parse(me(s));return r==="package.json#pnpm.overrides"?(o.pnpm??{}).overrides??{}:r==="package.json#resolutions"?o.resolutions??{}:o.overrides??{}}catch{return{}}},"readExistingOverrides"),Ar=L((e,t)=>{const s=Object.keys(t).sort();if(s.length===0&&!/^overrides\s*:/m.test(e))return e;const r=`overrides:
193
- ${s.map(o=>` '${o}': '${t[o]}'`).join(`
258
+ `},"emitAuditHtml");var tr=Object.defineProperty,Ae=R((e,t)=>tr(e,"name",{value:t,configurable:!0}),"u");const ar={CRITICAL:"CRITICAL",HIGH:"HIGH",LOW:"LOW",MODERATE:"MEDIUM",UNKNOWN:"NONE"},rr={CRITICAL:9.5,HIGH:8,LOW:2.5,MODERATE:5.5,UNKNOWN:0},De=Ae((e,t)=>`pkg:npm/${e}@${t}`,"productId"),ir=Ae(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),nt=Ae((e,t)=>{const a=new Map;for(const r of e){const i=t(r),o=a.get(i);o?o.push(r):a.set(i,[r])}return a},"groupBy"),nr=Ae(e=>{const t=e.now??new Date,a=t.toISOString(),r=e.trackingId??`vis-audit-${t.toISOString().slice(0,10)}`,i=[...nt(e.findings,n=>n.packageName).entries()].sort(([n],[l])=>n.localeCompare(l)).map(([n,l])=>({branches:[...new Set(l.map(g=>g.packageVersion))].sort().map(g=>{const v=De(n,g);return{category:"product_version",name:g,product:{name:`${n}@${g}`,product_id:v,product_identification_helper:{purl:v}}}}),category:"product_name",name:n})),o=[...nt(e.findings,n=>n.vulnerability.id).entries()].sort(([n],[l])=>n.localeCompare(l)).map(([n,l])=>{const g=l[0].vulnerability,v=[...new Set(l.map($=>De($.packageName,$.packageVersion)))].sort(),h=n.startsWith("CVE-"),u=[n,...g.aliases??[]],m=h?n:u.find($=>$.startsWith("CVE-")),x=u.filter($=>$!==m).map($=>({system_name:$.startsWith("GHSA-")?"GitHub Security Advisory":"OSV",text:$})),b=typeof g.cvssScore=="number"&&Number.isFinite(g.cvssScore)?g.cvssScore:rr[g.severity]??0,y=l.filter($=>$.acknowledged).map($=>De($.packageName,$.packageVersion));return{...m?{cve:m}:{},...x.length>0?{ids:x}:{},notes:[{category:"description",text:g.summary||`Advisory ${n}`,title:"Advisory description"}],product_status:{known_affected:v},references:[{category:"external",summary:`${n} advisory record`,url:ir(n)}],scores:[{cvss_v3:{baseScore:b,baseSeverity:ar[g.severity]??"NONE",vectorString:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",version:"3.1"},products:v}],title:g.summary.split(`
259
+ `)[0]?.slice(0,200)||n,...y.length>0?{flags:[{label:"inline_mitigations_already_exist",product_ids:y}]}:{}}});return{document:{category:"csaf_vex",csaf_version:"2.0",distribution:{tlp:{label:"WHITE"}},publisher:{category:"vendor",name:e.tool.name,namespace:e.tool.informationUri},title:`vis audit · ${r}`,tracking:{current_release_date:a,id:r,initial_release_date:a,revision_history:[{date:a,number:"1",summary:"Initial audit emission"}],status:"final",version:"1"}},...i.length>0?{product_tree:{branches:i}}:{},...o.length>0?{vulnerabilities:o}:{}}},"emitCsaf");var or=Object.defineProperty,se=R((e,t)=>or(e,"name",{value:t,configurable:!0}),"c$2");const sr={CRITICAL:"critical",HIGH:"high",LOW:"low",MODERATE:"medium",UNKNOWN:"unknown"},cr={CRITICAL:9.5,HIGH:8,LOW:2.5,MODERATE:5.5,UNKNOWN:0},Me=se(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),We=se(e=>e.startsWith("CVE-")?"NVD":e.startsWith("GHSA-")?"GitHub Advisory Database":"OSV","advisorySourceName"),ot=se((e,t)=>{const a=new Map;for(const r of e){const i=t(r),o=a.get(i);o?o.push(r):a.set(i,[r])}return a},"groupBy"),lr=se((e,t=new Date)=>{const a=ot(e,i=>i.vulnerability.id),r=t.toISOString();return[...a.entries()].sort(([i],[o])=>i.localeCompare(o)).map(([i,o])=>{const n=o[0].vulnerability,l=sr[n.severity]??"unknown",g=typeof n.cvssScore=="number"&&Number.isFinite(n.cvssScore)?n.cvssScore:cr[n.severity]??0,v=[...ot(o,b=>b.packageName).entries()].sort(([b],[y])=>b.localeCompare(y)).map(([b,y])=>{const $=[...new Set(y.map(M=>M.packageVersion))].sort();return{ref:pa(b,$[0]),versions:$.map(M=>({status:"affected",version:M}))}}),h=(n.aliases??[]).filter(b=>b!==i).map(b=>({id:b,source:{name:We(b),url:Me(b)}})),u=o.some(b=>b.acknowledged),m=o.every(b=>b.acknowledged)?{justification:"code_not_reachable",response:["will_not_fix"],state:"not_affected"}:u?{state:"in_triage"}:void 0,x=n.fixedVersions??[];return{"bom-ref":`vuln:${i}`,id:i,source:{name:We(i),url:Me(i)},...h.length>0?{references:h}:{},description:n.summary||`Advisory ${i}`,ratings:[{method:"CVSSv31",score:g,severity:l,source:{name:We(i),url:Me(i)}}],...x.length>0?{recommendation:`Upgrade to one of: ${x.join(", ")}`}:{},affects:v,created:r,published:r,...m?{analysis:m}:{}}})},"buildCycloneDxVulnerabilities"),pr=se(e=>{const t=lr(e.findings,e.now);return{...e.bom,vulnerabilities:t}},"emitCycloneDxVex");var dr=Object.defineProperty,Ue=R((e,t)=>dr(e,"name",{value:t,configurable:!0}),"a");const gr={CRITICAL:"error",HIGH:"error",LOW:"note",MODERATE:"warning",UNKNOWN:"none"},fr={CRITICAL:"9.5",HIGH:"8.0",LOW:"2.5",MODERATE:"5.5",UNKNOWN:"0.0"},ur={CRITICAL:"critical",HIGH:"high",LOW:"low",MODERATE:"medium",UNKNOWN:"none"},mr=Ue(e=>e.startsWith("CVE-")?`https://nvd.nist.gov/vuln/detail/${e}`:e.startsWith("GHSA-")?`https://github.com/advisories/${e}`:`https://osv.dev/vulnerability/${e}`,"advisoryUri"),hr=Ue(e=>typeof e.cvssScore=="number"&&Number.isFinite(e.cvssScore)?e.cvssScore.toFixed(1):fr[e.severity]??"0.0","securitySeverity"),vr=Ue(e=>{const t=new Map,a=[],r=e.artifactUri??(ga(e.workspaceRoot,fa(e.workspaceRoot,"package.json"))||"package.json");for(const n of e.findings){const{acknowledged:l,packageName:g,packageVersion:v,vulnerability:h}=n,u=gr[h.severity]??"none",m=ur[h.severity]??"none";t.has(h.id)||t.set(h.id,{defaultConfiguration:{level:u},fullDescription:{text:h.summary||`Advisory ${h.id}`},helpUri:mr(h.id),id:h.id,name:h.id,properties:{precision:"very-high","security-severity":hr(h),"severity-label":m,tags:["security","vulnerability","supply-chain",`severity:${m}`]},shortDescription:{text:(h.summary.split(`
260
+ `)[0]??h.id).slice(0,200)}}),a.push({level:u,locations:[{logicalLocations:[{kind:"package",name:`${g}@${v}`}],physicalLocation:{artifactLocation:{uri:r}}}],message:{text:`${h.id}: ${g}@${v} — ${h.summary||"no summary"}${h.fixedVersions.length>0?` (fix: ${h.fixedVersions.join(", ")})`:""}`},partialFingerprints:{advisoryId:h.id,package:g,version:v},properties:{...l?{acknowledged:!0}:{},...h.aliases&&h.aliases.length>0?{aliases:h.aliases}:{},...typeof h.cvssScore=="number"?{cvssScore:h.cvssScore}:{},...h.fixedVersions.length>0?{fixedVersions:h.fixedVersions}:{},packageName:g,packageVersion:v,severityLabel:m},ruleId:h.id})}const i={block:"error",info:"note",warn:"warning"},o={block:"high",info:"none",warn:"medium"};for(const n of e.policyDecisions??[]){if(n.policy==="vulnerability")continue;const l=`vis.policy.${n.policy}`,g=i[n.severity],v=o[n.severity];t.has(l)||t.set(l,{defaultConfiguration:{level:g},fullDescription:{text:`vis policy '${n.policy}' (Socket.dev-style supply-chain gate)`},helpUri:`https://visulima.com/packages/vis/commands/audit#policy-${n.policy}`,id:l,name:l,properties:{precision:"high","security-severity":n.severity==="block"?"8.0":n.severity==="warn"?"5.5":"0.0","severity-label":v,tags:["security","supply-chain","policy",`policy:${n.policy}`]},shortDescription:{text:`vis policy: ${n.policy}`}}),a.push({level:g,locations:[{logicalLocations:[{kind:"package",name:`${n.packageName}@${n.version}`}],physicalLocation:{artifactLocation:{uri:r}}}],message:{text:n.reason},partialFingerprints:{package:n.packageName,policy:n.policy,version:n.version},properties:{...n.acceptedRisk?{acknowledged:!0}:{},packageName:n.packageName,packageVersion:n.version,severityLabel:v},ruleId:l})}return{$schema:"https://json.schemastore.org/sarif-2.1.0.json",runs:[{results:a,tool:{driver:{informationUri:e.tool.informationUri,name:e.tool.name,rules:[...t.values()],version:e.tool.version}}}],version:"2.1.0"}},"emitSarif");var wr=Object.defineProperty,X=R((e,t)=>wr(e,"name",{value:t,configurable:!0}),"c$1");const br=["dependencies","devDependencies","optionalDependencies","peerDependencies"],st=X(e=>{try{return{path:e,pkg:ft(e)}}catch{return}},"readPackageJsonSafe"),yr=X(e=>{const t=[],a=st(z(e,"package.json"));a&&t.push({path:a.path,pkg:a.pkg,workspaceName:a.pkg.name});const r=Ht(e);let i;if(r?i=r:a?.pkg.workspaces&&(Array.isArray(a.pkg.workspaces)?i=a.pkg.workspaces:a.pkg.workspaces.packages&&(i=a.pkg.workspaces.packages)),!i)return t;for(const o of _t(e,i)){const n=st(z(e,o,"package.json"));n&&t.push({path:n.path,pkg:n.pkg,workspaceName:n.pkg.name})}return t},"collectWorkspaceManifests"),xr=X((e,t)=>{const a=[];for(const r of e)for(const i of br){const o=r.pkg[i]?.[t];typeof o=="string"&&a.push({field:i,manifest:r,range:o})}return a},"findDeclarations"),vt=X(e=>{const t=yr(e.workspaceRoot),a=[],r=[],i=[],o=new Set;for(const n of e.findings){const l=n.vulnerability.fixedVersions[0];if(!l){i.push({packageName:n.packageName,reason:"no-fixed-version"});continue}const g=xr(t,n.packageName);if(g.length===0){i.push({packageName:n.packageName,reason:"transitive-only"});continue}const v=G.coerce(l),h=v?`^${v.version}`:l,u=v?v.version:l;for(const m of g){const x=`${m.manifest.path}::${m.field}::${n.packageName}::${u}`;if(o.has(x))continue;o.add(x);const b=$r(u,m.range),y={currentRange:m.range,field:m.field,inRange:b,manifestPath:m.manifest.path,packageName:n.packageName,targetSpec:h,targetVersion:u,workspaceName:m.manifest.workspaceName};b||e.allowMajor===!0?a.push(y):r.push(y)}}return{apply:a,skippedMajor:r,unmatched:i}},"buildDirectApplyPlan"),kr=/^(?:workspace|file|link|portal|patch|git\+|git:|github:|npm:|catalog|jsr|http|https):/i,$r=X((e,t)=>{if(kr.test(t))return!0;const a=G.coerce(e)?.version??e;try{return G.satisfies(a,t)}catch{return!0}},"satisfiesRange"),Sr=X(e=>{const t=[];if(e.apply.length>0){t.push(`Apply (${String(e.apply.length)}):`);for(const a of e.apply){const r=a.workspaceName?` [${a.workspaceName}]`:"";t.push(` + ${a.packageName}: ${a.currentRange} → ${a.targetSpec}${r}`)}}if(e.skippedMajor.length>0){t.push(`Skipped — major bump (${String(e.skippedMajor.length)}, requires --allow-major):`);for(const a of e.skippedMajor){const r=a.workspaceName?` [${a.workspaceName}]`:"";t.push(` ! ${a.packageName}: ${a.currentRange} → ${a.targetSpec}${r}`)}}if(e.unmatched.length>0){const a=e.unmatched.filter(i=>i.reason==="transitive-only"),r=e.unmatched.filter(i=>i.reason==="no-fixed-version");if(a.length>0){t.push(`Transitive only (${String(a.length)}, requires --fix-transitive):`);for(const i of a)t.push(` · ${i.packageName}`)}if(r.length>0){t.push(`No fixed version available (${String(r.length)}):`);for(const i of r)t.push(` · ${i.packageName}`)}}return t.length===0?"No direct-dep fixes to apply.":t.join(`
261
+ `)},"formatDirectApplyPlan");var Ar=Object.defineProperty,L=R((e,t)=>Ar(e,"name",{value:t,configurable:!0}),"i");const Nr={"crates.io":["Cargo.lock"],Go:["go.sum"],Maven:["gradle.lockfile","pom.xml"],PyPI:["uv.lock","poetry.lock","Pipfile.lock"],RubyGems:["Gemfile.lock"]},Cr={cargo:"crates.io","crates.io":"crates.io",go:"Go",maven:"Maven",npm:"npm",pypi:"PyPI",rubygems:"RubyGems"},wt=L(e=>Cr[e.toLowerCase()]??e,"canonicalEcosystem"),Ir=L((e,t)=>{const a=wt(t),r=Nr[a]??[];for(const i of r){const o=z(e,i);if(ct(o))return o}},"findEcosystemLockfile"),Er=L(e=>{const t=new Set,a=[];for(const r of e){const i=`${r.name}@${r.version}`;t.has(i)||(t.add(i),a.push(r))}return a},"dedupe"),Rr=/\[\[package\]\]([\s\S]*?)(?=\[\[|$)/g,jr=/^\s*name\s*=\s*"([^"]+)"\s*$/m,Or=/^\s*version\s*=\s*"([^"]+)"\s*$/m,Pr=L(e=>{const t=[];for(const a of e.matchAll(Rr)){const r=a[1]??"",i=jr.exec(r)?.[1],o=Or.exec(r)?.[1];i&&o&&t.push({isDev:!1,name:i,version:o})}return t},"parseTomlPackages"),Lr=L(e=>{let t;try{t=JSON.parse(e)}catch{return[]}if(typeof t!="object"||t===null)return[];const a=[];for(const r of["default","develop"]){const i=t[r];if(!(typeof i!="object"||i===null))for(const[o,n]of Object.entries(i)){if(typeof n!="object"||n===null)continue;const l=n.version;if(typeof l!="string")continue;const g=l.replace(/^==/,"").trim();g.length>0&&a.push({isDev:!1,name:o,version:g})}}return a},"parsePipfileLock"),Dr=/<dependency>([\s\S]*?)<\/dependency>/g,Mr=/<groupId>\s*([^<\s]+)\s*<\/groupId>/,Wr=/<artifactId>\s*([^<\s]+)\s*<\/artifactId>/,Tr=/<version>\s*([^<\s]+)\s*<\/version>/,zr=L(e=>{const t=[];for(const a of e.matchAll(Dr)){const r=a[1]??"",i=Mr.exec(r)?.[1],o=Wr.exec(r)?.[1],n=Tr.exec(r)?.[1];!i||!o||!n||n.startsWith("${")||t.push({isDev:!1,name:`${i}:${o}`,version:n})}return t},"parsePomXml"),Vr=L(e=>{const t=[];for(const a of e.split(/\r?\n/)){const r=a.trim();if(r.length===0||r.startsWith("#"))continue;const i=r.indexOf("="),o=(i===-1?r:r.slice(0,i)).split(":");if(o.length<3)continue;const[n,l,g]=o;!n||!l||!g||t.push({isDev:!1,name:`${n}:${l}`,version:g})}return t},"parseGradleLockfile"),Fr=L(e=>{const t=[];for(const a of e.split(/\r?\n/)){const r=a.trim();if(r.length===0)continue;const i=r.split(/\s+/);if(i.length<3)continue;const[o,n]=i;if(!o||!n?.endsWith("/go.mod"))continue;const l=n.slice(0,-7);l.length!==0&&t.push({isDev:!1,name:o,version:l})}return t},"parseGoSum"),Hr=/^ {4}([^ ()]+) \(([^()]+)\)\s*$/,_r=L(e=>{const t=[];let a=!1,r=!1;for(const i of e.split(/\r?\n/)){if(i.startsWith("GEM")){a=!0,r=!1;continue}if(a&&/^[A-Z]/.test(i)){a=!1,r=!1;continue}if(a&&i.trim()==="specs:"){r=!0;continue}if(r){const o=Hr.exec(i);if(o){const[,n,l]=o;n&&l&&t.push({isDev:!1,name:n,version:l})}}}return t},"parseGemfileLock"),Ur=L((e,t)=>{const a=Ir(e,t);if(!a)return[];let r;try{r=lt(a,"utf8")}catch{return[]}const i=a.split(/[/\\]/).pop()??"";let o;switch(i){case"Cargo.lock":case"poetry.lock":case"uv.lock":{o=Pr(r);break}case"Gemfile.lock":{o=_r(r);break}case"go.sum":{o=Fr(r);break}case"gradle.lockfile":{o=Vr(r);break}case"Pipfile.lock":{o=Lr(r);break}case"pom.xml":{o=zr(r);break}default:return[]}return Er(o)},"lockedPackagesForEcosystem");var Gr=Object.defineProperty,ne=R((e,t)=>Gr(e,"name",{value:t,configurable:!0}),"c");const Br=["ts","tsx","js","jsx","mjs","cjs","mts","cts"],Kr=[/node_modules/,/\.git/,/\.next/,/\.cache/,/dist/,/build/,/coverage/,/\.turbo/,/\.nx/,/\.parcel-cache/],qr=["dependencies","devDependencies","peerDependencies","optionalDependencies"],Jr=/(?:import|export)\s+(?:[\s\S]*?from\s+)?["']([^"'\n]+)["']/g,Yr=/(?:^|[^.\w$])require\s*\(\s*["']([^"'\n]+)["']\s*\)/g,Xr=/\bimport\s*\(\s*["']([^"'\n]+)["']\s*\)/g,Zr=ne(e=>{if(e.startsWith(".")||e.startsWith("/")||/^[a-z][a-z0-9+.-]*:/i.test(e))return;const t=e.trim();if(t.length!==0){if(t.startsWith("@")){const a=t.split("/");return a.length<2?void 0:`${a[0]}/${a[1]}`}return t.split("/")[0]}},"normalizePackageName"),Qr=ne(e=>{const t=new Set,a=e.replaceAll(/\/\*[\s\S]*?\*\//g,"").replaceAll(/(^|[^:])\/\/.*$/gm,"$1"),r=ne(i=>{i.lastIndex=0;let o;for(;(o=i.exec(a))!==null;){const n=Zr(o[1]);n&&t.add(n)}},"collect");return r(Jr),r(Yr),r(Xr),t},"extractImportedNames"),ei=ne(e=>{const t=new Set;try{const a=ft(e);for(const r of qr){const i=a[r];if(i&&typeof i=="object"&&!Array.isArray(i))for(const o of Object.keys(i))t.add(o)}}catch{}return t},"extractPackageJsonNames"),ti=ne(e=>{const t=e.skip??Kr,a=e.extensions??Br,r=new Set;let i=0;const o=it(e.workspaceRoot,{extensions:a,includeDirs:!1,skip:t});for(const g of o){i+=1;try{const v=lt(g,"utf8");for(const h of Qr(v))r.add(h)}catch{}}const n=it(e.workspaceRoot,{extensions:["json"],includeDirs:!1,skip:t}).filter(g=>g.endsWith("/package.json")||g.endsWith(String.raw`\package.json`)||g.endsWith("package.json"));for(const g of n)for(const v of ei(g))r.add(v);if(e.alwaysAssumeUsed)for(const g of e.alwaysAssumeUsed)r.add(g);const l=new Set;for(const g of e.vulnerablePackages)r.has(g)&&l.add(g);return{filesScanned:i,importedTotal:r,reachable:l}},"computeReachableVulnerablePackages");var ai=Object.defineProperty,D=R((e,t)=>ai(e,"name",{value:t,configurable:!0}),"o");const ri=D(e=>{const t=G.coerce(e)?.major;return t!==void 0&&t>=10},"PNPM_V10_PLUS"),ii=D(e=>Object.fromEntries(Object.entries(e).sort(([t],[a])=>t.localeCompare(a))),"sortByKey"),ni=D((e,t)=>`${JSON.stringify(e,void 0,t)}
262
+ `,"stringifyJson"),bt=D((e,t)=>{if(t.name==="pnpm"&&ri(t.version))return{filePath:z(e,"pnpm-workspace.yaml"),surface:"pnpm-workspace.yaml"};const a=z(e,"package.json");return t.name==="pnpm"?{filePath:a,surface:"package.json#pnpm.overrides"}:t.name==="yarn"?{filePath:a,surface:"package.json#resolutions"}:{filePath:a,surface:"package.json#overrides"}},"resolveOverrideSurface"),oi=D((e,t)=>{const{filePath:a,surface:r}=bt(e,t);if(!Y(a))return{};if(r==="pnpm-workspace.yaml")try{return _e(a)?.overrides??{}}catch{return{}}try{const i=JSON.parse($e(a));return r==="package.json#pnpm.overrides"?(i.pnpm??{}).overrides??{}:r==="package.json#resolutions"?i.resolutions??{}:i.overrides??{}}catch{return{}}},"readExistingOverrides"),si=D((e,t)=>{const a=Object.keys(t).sort();if(a.length===0&&!/^overrides\s*:/m.test(e))return e;const r=`overrides:
263
+ ${a.map(i=>` '${i}': '${t[i]}'`).join(`
194
264
  `)}
195
- `;if(e.length===0)return r;if(/^overrides\s*:/m.test(e)){const o=e.replace(/^overrides\s*:[^\n]*\n(?:[ \t][^\n]*\n)*/m,r);return o.endsWith(`
196
- `)?o:`${o}
265
+ `;if(e.length===0)return r;if(/^overrides\s*:/m.test(e)){const i=e.replace(/^overrides\s*:[^\n]*\n(?:[ \t][^\n]*\n)*/m,r);return i.endsWith(`
266
+ `)?i:`${i}
197
267
  `}return`${e.endsWith(`
198
268
  `)?e:`${e}
199
269
  `}
200
- ${r}`},"renderPnpmWorkspaceOverrides"),Nr=L((e,t,s,r)=>{const o=Ot(e,t.length>0?t:void 0),a=t.length>0?JSON.parse(t):{};if(s==="package.json#pnpm.overrides"){const n=a.pnpm??{};n.overrides=r,a.pnpm=n}else s==="package.json#resolutions"?a.resolutions=r:a.overrides=r;return xr(a,o)},"renderPackageJsonWithOverrides"),Cr=L((e,t,s)=>{const{filePath:r,surface:o}=lt(e,s),a=Sr(e,s),n=B(r)?me(r):"",l=[],p={...a};for(const v of t.entries){const $=a[v.packageName];if($===v.spec){l.push({...v,previousSpec:$,status:"unchanged"});continue}$===void 0?l.push({...v,status:"added"}):l.push({...v,previousSpec:$,status:"updated"}),p[v.packageName]=v.spec}const u=wr(p),g=l.some(v=>v.status!=="unchanged"),b=o==="pnpm-workspace.yaml"?Ar(n,u):Nr(r,n,o,u);return{changed:g,entries:l,filePath:r,nextContent:b,previousContent:n,surface:o}},"planOverrideWrite"),Rr=L(e=>{if(!e.changed)return e;if(e.surface==="pnpm-workspace.yaml"&&e.previousContent.length===0)throw new Error(`${e.filePath} not found. Run \`pnpm init\` or create pnpm-workspace.yaml before applying overrides for pnpm v10+.`);const t=`${e.filePath}.tmp`;try{tt(t,e.nextContent),xt(t,e.filePath)}catch(s){try{St(t)}catch{}throw s}return e},"applyOverridePlan"),Or=L(e=>{const t=new Map;for(const s of e){const r=s.vulnerability.fixedVersions[0];if(!r)continue;const o=G.coerce(r),a=o?`^${o.version}`:r;t.set(s.packageName,a)}return{entries:[...t.entries()].sort(([s],[r])=>s.localeCompare(r)).map(([s,r])=>({packageName:s,spec:r}))}},"buildOverridePlanFromFindings");var Er=Object.defineProperty,A=O((e,t)=>Er(e,"name",{value:t,configurable:!0}),"m");const Ir={critical:ge,high:rt,low:st,medium:fe},Pe=new Set(["cargo","crates.io","go","maven","npm","pypi","rubygems"]),jr=A(e=>{const t=(e??"npm").split(",").map(o=>o.trim()).filter(o=>o.length>0),s=t.length>0?t:["npm"],r=s.filter(o=>!Pe.has(o.toLowerCase()));return{all:s,unsupported:r}},"parseEcosystems"),Pr={CRITICAL:ge,HIGH:rt,LOW:st,MODERATE:fe,UNKNOWN:j},Dr=A((e,t,s,r)=>{const o=Pr[s.severity]??j,a=r?` ${j("[acknowledged]")}`:"",n=s.fixedVersions??[],l=n.length>0?` (fix: ${n.join(", ")})`:"";return` ${o(s.severity)} ${s.id} — ${e}@${t}${a}
201
- ${s.summary}${l}`},"formatVulnLine"),Lr=A((e,t)=>{const s=Et(e),r=`${String(Math.round(e.score.overall*100))}%`,o=t?` ${j("[acknowledged]")}`:"",a=e.alerts.length>0?`, ${String(e.alerts.length)} alert${e.alerts.length===1?"":"s"}`:"";return` ${r} ${s}@${e.version} (${It(e.score.overall)}${a})${o}`},"formatSocketLine"),Wr=new Set(["aube","auto","vis"]),Q=A(e=>e!==void 0&&Wr.has(e),"isAuditBackend"),Mr=A((e,t,s)=>{if(e!==void 0&&!Q(e))throw new Error(`Invalid --backend value '${e}'. Expected one of: aube, auto, vis.`);const r=process.env.VIS_AUDIT_BACKEND;if(r!==void 0&&r!==""&&!Q(r))throw new Error(`Invalid VIS_AUDIT_BACKEND value '${r}'. Expected one of: aube, auto, vis.`);const o=Q(r)?r:void 0,a=Q(t)?t:void 0,n=(Q(e)?e:void 0)??o??a??"auto";return n==="aube"?"aube":n==="vis"?"vis":(s?.install?.backend??process.env.VIS_INSTALLER)==="aube"&&Ft("aube")!==null?"aube":"vis"},"resolveAuditBackend"),Tr=A(e=>{if(e!==void 0)switch(e){case"critical":return"critical";case"high":return"high";case"low":return"low";case"medium":return"moderate";default:return e}},"mapSeverityToAube"),Hr=A((e,t,s)=>{const r=["audit"],o=Tr(t.severity);o!==void 0&&r.push("--audit-level",o),(t.prodOnly===!0||t.prod===!0)&&r.push("--prod"),(t.json===!0||t.format==="json")&&r.push("--json");const a=t.fix===!0;t["fix-transitive"]===!0||t.fixTransitive===!0?r.push("--fix=override"):a&&r.push("--fix=update");const n=[];t.offline===!0&&n.push("--offline (aube has its own offline cache)"),(t.format==="sarif"||t.format==="csaf"||t.format==="cyclonedx"||t.format==="cyclonedx-vex")&&n.push(`--format=${String(t.format)} (only json/text is forwarded to aube)`),n.length>0&&d.warn(`Delegating to 'aube audit'. Skipping vis-only flags: ${n.join(", ")}`);const l=wt("aube",r,{cwd:e,stdio:"inherit"});if(l.error){const{code:p}=l.error;return p==="ENOENT"?d.error("Backend 'aube' selected but the 'aube' binary was not found on PATH. Install aube or run with --backend vis."):d.error(`Failed to spawn aube: ${l.error.message}`),1}return l.status??1},"runAubeAudit"),Vr=A(async(e,t,s,r)=>{if(Mr(t.backend,s?.security?.audit?.backend,s)==="aube"){process.exitCode=Hr(e,t,s);return}const o=t.severity??"low",a=t.format??"table",n=a==="sarif",l=a==="csaf",p=a==="cyclonedx-vex"||a==="cyclonedx",u=a==="json"||!!t.json,g=t.report,b=s?.security?.audit,v=s?.security?.policies,$=t.offline===void 0?!!b?.offlineByDefault:!!t.offline,y=t.db,k=jr(t.ecosystem),w=!!t.prodOnly,W=t.failOn??v?.vulnerability?.failOn,ut=!!t.showFixes,re=!!t.showAccepted,ke=s?.security?.acceptedRisks,Me=v?.vulnerability?.usage,ft=t.noUsage?!1:t.usage===void 0?!!Me?.enabled:!!t.usage,R=u||n||l||p,P=jt(e),N=ds(e,P.name);if($){const i=y??Kt(e);if(!Qe(i)){const c=new qe(i);R?process.stderr.write(`${c.message}
202
- `):d.error(c.message),process.exitCode=1;return}}!R&&(N.ignoredAdvisories.length>0||N.excludedPackages.length>0)&&d.info(`Loaded ${String(N.ignoredAdvisories.length)} ignored advisor${N.ignoredAdvisories.length===1?"y":"ies"} and ${String(N.excludedPackages.length)} excluded package${N.excludedPackages.length===1?"":"s"} from ${P.name} config.`),!R&&k.unsupported.length>0&&d.warn(`Ecosystems ${k.unsupported.map(i=>`'${i}'`).join(", ")} are not yet supported by the audit matcher. Supported: npm, pypi, crates.io, cargo, maven, go, rubygems.`);const M=zt(e,P.name,{includeDev:!w});if(M.length===0){d.info(`No ${P.name} lockfile entries found. Run ${P.name} install first.`);return}if(!R){const i=w?"production-only packages":"installed packages";d.info(`Scanning ${String(M.length)} ${i}${$?" (offline)":""}…`)}const oe=M.map(i=>({name:i.name,version:i.version})),ne=s?.security?.audit?.advisories?.bloom?.mode??"off";let V=[];if(ne!=="off")try{const i=await Zt(e,{softFail:ne==="on"});if(i){if(V=Xt(i,oe).map(c=>({name:c.name,version:c.version})),!R&&V.length>0){d.warn(`osv-bloom prefilter flagged ${String(V.length)} package${V.length===1?"":"s"} as possibly malicious (MAL-*). Confirming via the advisory query path…`);const c=10;for(const f of V.slice(0,c))d.warn(` ${ge("[bloom]")} ${f.name}@${f.version}`);V.length>c&&d.warn(` …and ${String(V.length-c)} more (full list in --format json output)`)}}else R||d.info(j("osv-bloom cache absent — skipping prefilter (run `vis advisories bloom sync` to enable)."))}catch(i){if(i instanceof Qt&&ne==="required"){const f=`${i.message} (security.audit.advisories.bloom.mode = "required")`;R?process.stderr.write(`${f}
203
- `):d.error(f),process.exitCode=1;return}const c=i instanceof Error?i.message:String(i);if(ne==="required"){R?process.stderr.write(`osv-bloom prefilter failed: ${c}
204
- `):d.error(`osv-bloom prefilter failed: ${c}`),process.exitCode=1;return}R||d.warn(`osv-bloom prefilter failed (continuing): ${c}`)}const ae=new Set;$?ae.add("socket").add("deps-dev"):(_e("socket")&&ae.add("socket"),_e("depsDev")&&ae.add("deps-dev"));const be=Pt(s?.security,{disabled:ae,minimumScore:v?.score?.minimum}),$e=be.length>0,gt=be.map(i=>i.displayName).join(" + "),ie=v?.score?.minimum??Tt,F=Jt(e,P.name),mt=[{id:"vulnerabilities",label:$?"Known vulnerabilities (offline OSV cache)":"Known vulnerabilities (OSV)"},...$e?[{id:"security",label:`Supply-chain reports (${gt})`}]:[]],T=qt(mt,{live:!R}),vt=Date.now(),U=A(i=>{const c=Date.now()-i;return c>=1e3?`${(c/1e3).toFixed(1)}s`:`${String(Math.round(c))}ms`},"fmtElapsed");let we,xe;try{const i=Date.now(),c=Date.now();T.start("vulnerabilities"),$e&&T.start("security");const f=$?Promise.resolve().then(()=>Ke(oe,{dbPath:y,ecosystem:k.all.find(m=>Pe.has(m.toLowerCase()))??"npm",workspaceRoot:e})).then(m=>{let h=0;for(const x of m.values())h+=x.length;return T.finish("vulnerabilities",h>0?"warn":"ok",h>0?`${String(h)} found · ${U(i)}`:`none found · ${U(i)}`),m}).catch(m=>{const h=m instanceof Error?m.message:String(m);if(T.finish("vulnerabilities","error",h),m instanceof qe)throw m;return new Map}):Dt(oe).then(m=>{let h=0;for(const x of m.values())h+=x.length;return T.finish("vulnerabilities",h>0?"warn":"ok",h>0?`${String(h)} found · ${U(i)}`:`none found · ${U(i)}`),m}).catch(m=>{const h=m instanceof Error?m.message:String(m);return T.finish("vulnerabilities","error",h),new Map});[we,xe]=await Promise.all([f,$e?Lt(be,oe).then(m=>{let h=0,x=0;for(const Z of m.values())h+=Z.alerts.length,Z.score.overall<ie&&(x+=1);const I=h+x;return T.finish("security",I>0?"warn":"ok",I>0?`${String(h)} alert${h===1?"":"s"}, ${String(x)} low-score · ${U(c)}`:`clean · ${U(c)}`),m}).catch(m=>{const h=m instanceof Error?m.message:String(m);return T.finish("security","error",h),new Map}):Promise.resolve(new Map)])}finally{T.stop()}u||d.info(j(`Scan completed in ${U(vt)}`));const ce=[];for(const i of M){if(ps(i.name,N))continue;const c=we.get(i.name)??[],f=xe.get(`${i.name}@${i.version}`),m=Ue(i.name,i.version,ke),h=c.length>0,x=f?f.score.overall<ie:!1,I=f?f.alerts.length>0:!1;(h||x||I)&&ce.push({acceptedRisk:m,name:i.name,socketReport:f,version:i.version,vulnerabilities:c})}if($){const i=k.all.filter(c=>Pe.has(c.toLowerCase())&&c.toLowerCase()!=="npm");for(const c of i){const f=ct(c),m=cr(e,f);if(m.length!==0){R||d.info(j(`Scanning ${String(m.length)} ${f} packages…`));try{const h=Ke(m.map(x=>({name:x.name,version:x.version})),{dbPath:y,ecosystem:f,workspaceRoot:e});for(const x of m){const I=h.get(x.name)??[];I.length!==0&&ce.push({acceptedRisk:Ue(x.name,x.version,ke),name:x.name,version:x.version,vulnerabilities:I})}}catch(h){const x=h instanceof Error?h.message:String(h);d.warn(`Failed to scan ${f}: ${x}`)}}}}let C=ce.filter(i=>{const c=i.vulnerabilities.some(h=>ue(h.severity,o)),f=i.socketReport?.alerts.some(h=>ue(h.severity==="medium"?"MODERATE":h.severity.toUpperCase(),o)),m=i.socketReport&&i.socketReport.score.overall<ie;return c||f||m});const ht=t.policies,Se=[],E=await(async()=>{const i=es().map(I=>`'${I}'`).join(", "),c=ts(ht,I=>{Se.push(I);const Z=`Unknown policy '${I}' — ignoring. Available: ${i}.`;R?process.stderr.write(`vis audit: ${Z}
205
- `):d.warn(Z)});if(c?.size===0)return[];const f=s?.security?.policies?.license,m=!!(f&&((f.allow?.length??0)>0||(f.deny?.length??0)>0)),h=c===void 0||c.has("license"),x=m&&h?Yt(e):void 0;return ss({manifestData:x,offline:$,osvFindings:we,packageManager:P.name,packages:M,socketReports:xe,workspaceRoot:e},"audit",{enabledPolicies:c,visConfig:s??{}})})();if(ft){const i=new Set(C.filter(f=>f.vulnerabilities.length>0).map(f=>f.name)),c=kr({alwaysAssumeUsed:Me?.alwaysAssumeUsed,vulnerablePackages:i,workspaceRoot:e});C=C.filter(f=>f.vulnerabilities.length===0?!0:c.reachable.has(f.name)),R||d.info(j(`Reachability filter: ${String(c.reachable.size)}/${String(i.size)} vulnerable packages reachable (${String(c.filesScanned)} files scanned).`))}const z=A(()=>C.flatMap(i=>i.vulnerabilities.map(c=>({acknowledged:!!i.acceptedRisk||ee(c.id,N,c.aliases),packageName:i.name,packageVersion:i.version,vulnerability:c}))),"findingsForReport"),Te=!!t.fix,He=!!t.fixTransitive,Ve=!!t.yes,yt=!!t.allowMajor;if(Te||He){const i=z().filter(c=>!c.acknowledged);if(Te){const c=await Gr({actionableFindings:i,allowMajor:yt,pm:P,visConfig:s,workspaceRoot:e,yes:Ve});if(c!==void 0){process.exitCode=c;return}}if(He){const c=await _r({actionableFindings:i,pm:P,visConfig:s,workspaceRoot:e,yes:Ve});if(c!==void 0){process.exitCode=c;return}}}if(n){const i=Ls({findings:z(),policyDecisions:E,tool:{informationUri:"https://github.com/visulima/visulima",name:"vis-audit",version:"alpha"},workspaceRoot:e});process.stdout.write(`${JSON.stringify(i,void 0,2)}
206
- `),Ee(C,N,t.exitCode,W,E);return}if(l){const i=xs({findings:z(),tool:{informationUri:"https://github.com/visulima/visulima",name:"vis-audit",version:"alpha"},workspaceRoot:e});process.stdout.write(`${JSON.stringify(i,void 0,2)}
207
- `),Ee(C,N,t.exitCode,W,E);return}if(p){const{packageJsons:i,workspace:c}=Wt(e,s),f=Mt(e,c,i),m=_t({includeDev:!w,projectGraph:f,workspace:c,workspaceRoot:e}),h=Rs({bom:m,findings:z()});process.stdout.write(`${JSON.stringify(h,void 0,2)}
208
- `),Ee(C,N,t.exitCode,W,E);return}if(g){const i=ys({findings:z(),packagesScanned:M.length,policyDecisions:E,tool:{name:"vis-audit",version:"alpha"},workspaceRoot:e}),c=Vt(e,g);tt(c,i,"utf8"),R||d.success(`HTML report written to ${c}`)}if(u){const i={bloomHits:V,duplicates:F.map(c=>({name:c.name,versionCount:c.versions.length,versions:c.versions})),packages:M.length,policies:E.map(c=>({acceptedRisk:c.acceptedRisk??null,data:c.data??null,packageName:c.packageName,policy:c.policy,reason:c.reason,severity:c.severity,version:c.version})),results:C.map(c=>({acceptedRisk:c.acceptedRisk??null,name:c.name,socketAlerts:c.socketReport?.alerts??[],socketScore:c.socketReport?.score.overall??null,version:c.version,vulnerabilities:c.vulnerabilities})),summary:{accepted:C.filter(c=>c.acceptedRisk).length,duplicatePackages:F.length,issues:C.filter(c=>!c.acceptedRisk).length,policyBlocks:E.filter(c=>c.severity==="block"&&!c.acceptedRisk).length,policyDecisions:E.length,total:C.length},warnings:Se.length>0?Se.map(c=>({kind:"unknown-policy",token:c})):[]};process.stdout.write(`${JSON.stringify(i,void 0,2)}
209
- `),t.exitCode&&(i.summary.issues>0||i.summary.policyBlocks>0)&&(process.exitCode=1),De(C,N,W,E);return}if(C.length===0){d.success(`No security issues found across ${String(M.length)} packages.`);return}const J={CRITICAL:[],HIGH:[],LOW:[],MODERATE:[]};for(const i of C)for(const c of i.vulnerabilities)if(ue(c.severity,o)){const f=c.severity==="UNKNOWN"?"LOW":c.severity;J[f]?.push({entry:i,vuln:c})}let le=0,Ae=0;for(const i of["CRITICAL","HIGH","MODERATE","LOW"]){const c=J[i];if(!(!c||c.length===0)){d.info(`
210
- ── ${i} (${String(c.length)}) ──`);for(const{entry:f,vuln:m}of c){const h=!!f.acceptedRisk||ee(m.id,N,m.aliases);h&&(Ae++,!re)||(le++,d.info(Dr(f.name,f.version,m,h)),ut&&(m.fixedVersions??[]).length>0&&d.notice(` Fix: update to ${m.fixedVersions.at(-1)}`))}}}const Y=C.filter(i=>i.socketReport&&(i.socketReport.score.overall<ie||i.socketReport.alerts.length>0));if(Y.length>0){d.info(`
211
- ── Socket.dev Supply Chain (${String(Y.length)}) ──`);for(const i of Y){if(!i.socketReport)continue;const c=!!i.acceptedRisk;if(!(c&&!re)){d.info(Lr(i.socketReport,c));for(const f of i.socketReport.alerts){const m=Ir[f.severity]??j;d.info(` ${m(`[${f.severity.toUpperCase()}]`)} ${f.type} — ${f.category}`)}}}}if(F.length>0){d.info(`
212
- ── Duplicate Dependencies (${String(F.length)}) ──`);for(const i of F){const c=i.versions.join(", ");d.info(` ${i.name} — ${String(i.versions.length)} versions: ${fe(c)}`)}}const Fe=new Set;for(const i of["CRITICAL","HIGH","MODERATE","LOW"]){const c=J[i];if(c)for(const{vuln:f}of c)Fe.add(f.id)}const Ne=E.filter(i=>{if(i.policy!=="vulnerability")return!0;const c=typeof i.data?.advisoryId=="string"?i.data.advisoryId:void 0;return i.severity==="block"&&c!==void 0&&!Fe.has(c)});if(Ne.length>0){d.info(`
213
- ── Policy Decisions (${String(Ne.length)}) ──`);for(const i of Ne){const c=!!i.acceptedRisk;if(c&&!re)continue;const f=i.severity==="block"?ge:i.severity==="warn"?fe:j,m=c?` ${j("[acknowledged]")}`:"";d.info(` ${f(`[${i.severity}]`)} ${i.policy} ${i.reason}${m}`)}}const de=A(i=>!!i.acceptedRisk||i.vulnerabilities.length>0&&i.vulnerabilities.every(c=>ee(c.id,N,c.aliases)),"isEntryExcluded"),Ge=C.filter(i=>!de(i)).length;if(d.info(""),d.info("─ Audit Summary"),d.info(` ${String(M.length)} packages scanned`),N.ignoredAdvisories.length>0&&d.info(` ${String(N.ignoredAdvisories.length)} ${P.name} audit exclusion${N.ignoredAdvisories.length===1?"":"s"} applied`),le>0){const i=J.CRITICAL?.filter(f=>!de(f.entry)).length??0,c=J.HIGH?.filter(f=>!de(f.entry)).length??0;d.error(` ${String(le)} vulnerabilit${le===1?"y":"ies"} found`),i>0&&d.error(` ${String(i)} critical`),c>0&&d.warn(` ${String(c)} high`)}else d.success(" No vulnerabilities found");if(Y.length>0){const i=Y.filter(c=>!de(c)).length;d.warn(` ${String(i)} package${i===1?"":"s"} with Socket.dev supply chain issues`)}F.length>0&&(d.warn(` ${String(F.length)} package${F.length===1?"":"s"} with duplicate versions`),d.notice(" Run 'vis dedupe' or your package manager's dedupe command to reduce duplicates."));const pe=E.filter(i=>i.severity==="block"&&!i.acceptedRisk);if(pe.length>0&&d.error(` ${String(pe.length)} policy block${pe.length===1?"":"s"}`),Ae>0&&(d.info(` ${String(Ae)} acknowledged (accepted risks)`),re||d.notice(" Use --show-accepted to see acknowledged issues.")),Ge===0&&d.success(`
214
- All issues are acknowledged. No action required.`),t.sync&&ke){const i=new Set;for(const f of ce)if(f.acceptedRisk){for(const m of f.vulnerabilities)if((m.id.startsWith("CVE-")||m.id.startsWith("GHSA-"))&&i.add(m.id),m.aliases)for(const h of m.aliases)(h.startsWith("CVE-")||h.startsWith("GHSA-"))&&i.add(h)}const c=[...i];if(c.length>0){d.info("");const f=us(P.name,e,c);for(const m of f)d.success(` ${m}`)}else d.info(`
215
- No advisory IDs to sync to native PM config.`)}t.exitCode&&(Ge>0||pe.length>0)&&(process.exitCode=1),De(C,N,W,E)},"executeAudit"),dt=A(e=>!e||e.length===0?!1:e.some(t=>t.severity==="block"&&!t.acceptedRisk),"hasBlockingPolicy"),De=A((e,t,s,r)=>{dt(r)&&(process.exitCode=1),s&&e.some(o=>o.vulnerabilities.some(a=>o.acceptedRisk||ee(a.id,t,a.aliases)?!1:ue(a.severity,s)))&&(process.exitCode=1)},"applyFailOnGate"),Ee=A((e,t,s,r,o)=>{s&&(e.filter(a=>!a.acceptedRisk&&a.vulnerabilities.some(n=>!ee(n.id,t,n.aliases))).length>0||dt(o))&&(process.exitCode=1),De(e,t,r,o)},"applyExitGate"),pt=A(async(e,t)=>{if(!process.stdin.isTTY)return t;const s=At({input:process.stdin,output:process.stderr});try{const r=t?"[Y/n]":"[y/N]",o=await new Promise(a=>{s.question(`${e} ${j(r)} `,n=>{a(n.trim())})});return o.length===0?t:o.toLowerCase().startsWith("y")}finally{s.close()}},"promptYesNo"),Fr=A(e=>e==="pnpm"||e==="npm"||e==="yarn"||e==="bun","isTransitiveOnlyPm"),Gr=A(async e=>{const t=it({allowMajor:e.allowMajor,findings:e.actionableFindings,workspaceRoot:e.workspaceRoot});if(d.info(""),d.info("─ Apply (direct deps)"),d.info(Gs(t)),t.apply.length===0){d.info("Nothing to apply for direct deps.");return}if(Ie&&!e.yes)return d.error("Refusing to run --fix in CI without --yes. Re-run with --yes once the plan above looks right."),1;if(!e.yes&&!await pt("Apply these direct-dep upgrades?",!1))return d.info("Aborted — no changes made."),0;const s=new Map;for(const r of t.apply){const o=r.workspaceName??"",a=s.get(o);a?a.push(r):s.set(o,[r])}for(const[r,o]of s){const a=o.map(p=>`${p.packageName}@${p.targetSpec}`),n=r.length>0?[r]:[];d.info(`Running ${e.pm.name} add ${a.join(" ")}${r.length>0?` --filter ${r}`:""}`);const l=Ht(e.pm,{exact:!1,filter:n,global:!1,optional:!1,packages:a,peer:!1,saveDev:!1,workspace:!1,workspaceRoot:!1},e.workspaceRoot,console);if(l!==0)return d.error(`${e.pm.name} add exited ${String(l)} — aborting before rescan.`),l}return d.success("Direct-dep upgrades applied. Re-run `vis audit` to confirm the fixes landed."),0},"runApplyDirect"),_r=A(async e=>{if(!Fr(e.pm.name))return d.error(`--fix-transitive is not supported for package manager "${e.pm.name}". Use pnpm, npm, yarn, or bun.`),1;const t=!!e.visConfig?.security?.audit?.apply?.transitive?.enabled;if(Ie&&(!e.yes||!t))return d.error("Refusing to run --fix-transitive in CI without both --yes and security.audit.apply.transitive.enabled = true. Overrides have a higher blast radius than direct bumps — gate on config."),1;const s=new Set(it({findings:e.actionableFindings,workspaceRoot:e.workspaceRoot}).apply.map(n=>n.packageName)),r=e.actionableFindings.filter(n=>!s.has(n.packageName)),o=Or(r);if(o.entries.length===0){d.info(""),d.info("─ Apply transitive (overrides)"),d.info("Nothing to override — all vulnerable packages are direct deps or have no fixed version.");return}const a=Cr(e.workspaceRoot,o,{name:e.pm.name,version:e.pm.version});d.info(""),d.info("─ Apply transitive (overrides)"),d.info(`Target: ${a.filePath} (${a.surface})`);for(const n of a.entries){const l=n.status==="added"?"+":n.status==="updated"?"~":"·",p=n.previousSpec?` (was ${n.previousSpec})`:"";d.info(` ${l} ${n.packageName}: ${n.spec}${p}`)}if(!a.changed){d.info("No changes — overrides already match the plan.");return}if(!e.yes){if(Ie)return 1;if(!await pt("Write these overrides?",!1))return d.info("Aborted — no changes made."),0}try{Rr(a)}catch(n){const l=n instanceof Error?n.message:String(n);return d.error(`Failed to write overrides: ${l}`),1}return d.success(`Wrote ${String(a.entries.filter(n=>n.status!=="unchanged").length)} override${a.entries.length===1?"":"s"}. Run \`${e.pm.name} install\` then re-run \`vis audit\` to confirm the fixes landed.`),0},"runApplyTransitive"),so=A(async({logger:e,options:t,visConfig:s,workspaceRoot:r})=>{if(!r)throw new Error("Could not determine workspace root. Run this command inside a monorepo.");await Vr(r,t,s,e)},"execute");export{so as default,Tr as mapSeverityToAube,Mr as resolveAuditBackend};
270
+ ${r}`},"renderPnpmWorkspaceOverrides"),ci=D((e,t,a,r)=>{const i=Ut(e,t.length>0?t:void 0),o=t.length>0?JSON.parse(t):{};if(a==="package.json#pnpm.overrides"){const n=o.pnpm??{};n.overrides=r,o.pnpm=n}else a==="package.json#resolutions"?o.resolutions=r:o.overrides=r;return ni(o,i)},"renderPackageJsonWithOverrides"),li=D((e,t,a)=>{const{filePath:r,surface:i}=bt(e,a),o=oi(e,a),n=Y(r)?$e(r):"",l=[],g={...o};for(const m of t.entries){const x=o[m.packageName];if(x===m.spec){l.push({...m,previousSpec:x,status:"unchanged"});continue}x===void 0?l.push({...m,status:"added"}):l.push({...m,previousSpec:x,status:"updated"}),g[m.packageName]=m.spec}const v=ii(g),h=l.some(m=>m.status!=="unchanged"),u=i==="pnpm-workspace.yaml"?si(n,v):ci(r,n,i,v);return{changed:h,entries:l,filePath:r,nextContent:u,previousContent:n,surface:i}},"planOverrideWrite"),pi=D(e=>{if(!e.changed)return e;if(e.surface==="pnpm-workspace.yaml"&&e.previousContent.length===0)throw new Error(`${e.filePath} not found. Run \`pnpm init\` or create pnpm-workspace.yaml before applying overrides for pnpm v10+.`);const t=`${e.filePath}.tmp`;try{pt(t,e.nextContent),Pt(t,e.filePath)}catch(a){try{Lt(t)}catch{}throw a}return e},"applyOverridePlan"),di=D(e=>{const t=new Map;for(const a of e){const r=a.vulnerability.fixedVersions[0];if(!r)continue;const i=G.coerce(r),o=i?`^${i.version}`:r;t.set(a.packageName,o)}return{entries:[...t.entries()].sort(([a],[r])=>a.localeCompare(r)).map(([a,r])=>({packageName:a,spec:r}))}},"buildOverridePlanFromFindings");var gi=Object.defineProperty,A=R((e,t)=>gi(e,"name",{value:t,configurable:!0}),"m");const fi={critical:ke,high:gt,low:dt,medium:xe},Fe=new Set(["cargo","crates.io","go","maven","npm","pypi","rubygems"]),ui=A(e=>{const t=(e??"npm").split(",").map(i=>i.trim()).filter(i=>i.length>0),a=t.length>0?t:["npm"],r=a.filter(i=>!Fe.has(i.toLowerCase()));return{all:a,unsupported:r}},"parseEcosystems"),mi={CRITICAL:ke,HIGH:gt,LOW:dt,MODERATE:xe,UNKNOWN:O},hi=A((e,t,a,r)=>{const i=mi[a.severity]??O,o=r?` ${O("[acknowledged]")}`:"",n=a.fixedVersions??[],l=n.length>0?` (fix: ${n.join(", ")})`:"";return` ${i(a.severity)} ${a.id} — ${e}@${t}${o}
271
+ ${a.summary}${l}`},"formatVulnLine"),vi=A((e,t)=>{const a=Gt(e),r=`${String(Math.round(e.score.overall*100))}%`,i=t?` ${O("[acknowledged]")}`:"",o=e.alerts.length>0?`, ${String(e.alerts.length)} alert${e.alerts.length===1?"":"s"}`:"";return` ${r} ${a}@${e.version} (${Bt(e.score.overall)}${o})${i}`},"formatSocketLine"),wi=new Set(["aube","auto","vis"]),re=A(e=>e!==void 0&&wi.has(e),"isAuditBackend"),bi=A((e,t,a)=>{if(e!==void 0&&!re(e))throw new Error(`Invalid --backend value '${e}'. Expected one of: aube, auto, vis.`);const r=process.env.VIS_AUDIT_BACKEND;if(r!==void 0&&r!==""&&!re(r))throw new Error(`Invalid VIS_AUDIT_BACKEND value '${r}'. Expected one of: aube, auto, vis.`);const i=re(r)?r:void 0,o=re(t)?t:void 0,n=(re(e)?e:void 0)??i??o??"auto";return n==="aube"?"aube":n==="vis"?"vis":(a?.install?.backend??process.env.VIS_INSTALLER)==="aube"&&Qt("aube")!==null?"aube":"vis"},"resolveAuditBackend"),yi=A(e=>{if(e!==void 0)switch(e){case"critical":return"critical";case"high":return"high";case"low":return"low";case"medium":return"moderate";default:return e}},"mapSeverityToAube"),xi=A((e,t,a)=>{const r=["audit"],i=yi(t.severity);i!==void 0&&r.push("--audit-level",i),(t.prodOnly===!0||t.prod===!0)&&r.push("--prod"),(t.json===!0||t.format==="json")&&r.push("--json");const o=t.fix===!0;t["fix-transitive"]===!0||t.fixTransitive===!0?r.push("--fix=override"):o&&r.push("--fix=update");const n=[];t.offline===!0&&n.push("--offline (aube has its own offline cache)"),(t.format==="sarif"||t.format==="csaf"||t.format==="cyclonedx"||t.format==="cyclonedx-vex")&&n.push(`--format=${String(t.format)} (only json/text is forwarded to aube)`),n.length>0&&d.warn(`Delegating to 'aube audit'. Skipping vis-only flags: ${n.join(", ")}`);const l=Ot("aube",r,{cwd:e,stdio:"inherit"});if(l.error){const{code:g}=l.error;return g==="ENOENT"?d.error("Backend 'aube' selected but the 'aube' binary was not found on PATH. Install aube or run with --backend vis."):d.error(`Failed to spawn aube: ${l.error.message}`),1}return l.status??1},"runAubeAudit"),ki=A(async(e,t,a,r)=>{if(bi(t.backend,a?.security?.audit?.backend,a)==="aube"){process.exitCode=xi(e,t,a);return}const i=t.severity??"low",o=t.format??"table",n=o==="sarif",l=o==="csaf",g=o==="cyclonedx-vex"||o==="cyclonedx",v=o==="json"||!!t.json,h=t.report,u=a?.security?.audit,m=a?.security?.policies,x=t.offline===void 0?!!u?.offlineByDefault:!!t.offline,b=t.db,y=ui(t.ecosystem),$=!!t.prodOnly,M=t.failOn??m?.vulnerability?.failOn,kt=!!t.showFixes,ce=!!t.showAccepted,Ne=a?.security?.acceptedRisks,Ge=m?.vulnerability?.usage,$t=t.noUsage?!1:t.usage===void 0?!!Ge?.enabled:!!t.usage,I=v||n||l||g,Be=t.explain,Ce=Be!==void 0,Ke=Ce&&!n&&!l&&!g;if(Ce&&x){d.error("`--explain` needs network access and cannot run in offline mode (--offline or security.audit.offlineByDefault)."),process.exitCode=1;return}Ce&&!Ke&&d.warn(`\`--explain\` has no effect with --format=${o}; explanations are only rendered in table, json, and HTML output.`);const P=ia(e),N=za(e,P.name);if(x){const c=b??ma(e);if(!ct(c)){const s=new at(c);I?process.stderr.write(`${s.message}
272
+ `):d.error(s.message),process.exitCode=1;return}}!I&&(N.ignoredAdvisories.length>0||N.excludedPackages.length>0)&&d.info(`Loaded ${String(N.ignoredAdvisories.length)} ignored advisor${N.ignoredAdvisories.length===1?"y":"ies"} and ${String(N.excludedPackages.length)} excluded package${N.excludedPackages.length===1?"":"s"} from ${P.name} config.`),!I&&y.unsupported.length>0&&d.warn(`Ecosystems ${y.unsupported.map(c=>`'${c}'`).join(", ")} are not yet supported by the audit matcher. Supported: npm, pypi, crates.io, cargo, maven, go, rubygems.`);const W=ha(e,P.name,{includeDev:!$});if(W.length===0){d.info(`No ${P.name} lockfile entries found. Run ${P.name} install first.`);return}if(!I){const c=$?"production-only packages":"installed packages";d.info(`Scanning ${String(W.length)} ${c}${x?" (offline)":""}…`)}const le=W.map(c=>({name:c.name,version:c.version})),pe=a?.security?.audit?.advisories?.bloom?.mode??"off";let F=[];if(pe!=="off")try{const c=await ba(e,{softFail:pe==="on"});if(c){if(F=ya(c,le).map(s=>({name:s.name,version:s.version})),!I&&F.length>0){d.warn(`osv-bloom prefilter flagged ${String(F.length)} package${F.length===1?"":"s"} as possibly malicious (MAL-*). Confirming via the advisory query path…`);const s=10;for(const p of F.slice(0,s))d.warn(` ${ke("[bloom]")} ${p.name}@${p.version}`);F.length>s&&d.warn(` …and ${String(F.length-s)} more (full list in --format json output)`)}}else I||d.info(O("osv-bloom cache absent — skipping prefilter (run `vis advisories bloom sync` to enable)."))}catch(c){if(c instanceof xa&&pe==="required"){const p=`${c.message} (security.audit.advisories.bloom.mode = "required")`;I?process.stderr.write(`${p}
273
+ `):d.error(p),process.exitCode=1;return}const s=c instanceof Error?c.message:String(c);if(pe==="required"){I?process.stderr.write(`osv-bloom prefilter failed: ${s}
274
+ `):d.error(`osv-bloom prefilter failed: ${s}`),process.exitCode=1;return}I||d.warn(`osv-bloom prefilter failed (continuing): ${s}`)}const de=new Set;x?de.add("socket").add("deps-dev"):(Qe("socket")&&de.add("socket"),Qe("depsDev")&&de.add("deps-dev"));const Ie=Kt(a?.security,{disabled:de,minimumScore:m?.score?.minimum}),Ee=Ie.length>0,St=Ie.map(c=>c.displayName).join(" + "),ge=m?.score?.minimum??Zt,H=va(e,P.name),At=[{id:"vulnerabilities",label:x?"Known vulnerabilities (offline OSV cache)":"Known vulnerabilities (OSV)"},...Ee?[{id:"security",label:`Supply-chain reports (${St})`}]:[]],T=ua(At,{live:!I}),Nt=Date.now(),K=A(c=>{const s=Date.now()-c;return s>=1e3?`${(s/1e3).toFixed(1)}s`:`${String(Math.round(s))}ms`},"fmtElapsed");let Re,je;try{const c=Date.now(),s=Date.now();T.start("vulnerabilities"),Ee&&T.start("security");const p=x?Promise.resolve().then(()=>rt(le,{dbPath:b,ecosystem:y.all.find(f=>Fe.has(f.toLowerCase()))??"npm",workspaceRoot:e})).then(f=>{let w=0;for(const S of f.values())w+=S.length;return T.finish("vulnerabilities",w>0?"warn":"ok",w>0?`${String(w)} found · ${K(c)}`:`none found · ${K(c)}`),f}).catch(f=>{const w=f instanceof Error?f.message:String(f);if(T.finish("vulnerabilities","error",w),f instanceof at)throw f;return new Map}):qt(le).then(f=>{let w=0;for(const S of f.values())w+=S.length;return T.finish("vulnerabilities",w>0?"warn":"ok",w>0?`${String(w)} found · ${K(c)}`:`none found · ${K(c)}`),f}).catch(f=>{const w=f instanceof Error?f.message:String(f);return T.finish("vulnerabilities","error",w),new Map});[Re,je]=await Promise.all([p,Ee?Jt(Ie,le).then(f=>{let w=0,S=0;for(const ee of f.values())w+=ee.alerts.length,ee.score.overall<ge&&(S+=1);const E=w+S;return T.finish("security",E>0?"warn":"ok",E>0?`${String(w)} alert${w===1?"":"s"}, ${String(S)} low-score · ${K(s)}`:`clean · ${K(s)}`),f}).catch(f=>{const w=f instanceof Error?f.message:String(f);return T.finish("security","error",w),new Map}):Promise.resolve(new Map)])}finally{T.stop()}v||d.info(O(`Scan completed in ${K(Nt)}`));const fe=[];for(const c of W){if(Va(c.name,N))continue;const s=Re.get(c.name)??[],p=je.get(`${c.name}@${c.version}`),f=et(c.name,c.version,Ne),w=s.length>0,S=p?p.score.overall<ge:!1,E=p?p.alerts.length>0:!1;(w||S||E)&&fe.push({acceptedRisk:f,name:c.name,socketReport:p,version:c.version,vulnerabilities:s})}if(x){const c=y.all.filter(s=>Fe.has(s.toLowerCase())&&s.toLowerCase()!=="npm");for(const s of c){const p=wt(s),f=Ur(e,p);if(f.length!==0){I||d.info(O(`Scanning ${String(f.length)} ${p} packages…`));try{const w=rt(f.map(S=>({name:S.name,version:S.version})),{dbPath:b,ecosystem:p,workspaceRoot:e});for(const S of f){const E=w.get(S.name)??[];E.length!==0&&fe.push({acceptedRisk:et(S.name,S.version,Ne),name:S.name,version:S.version,vulnerabilities:E})}}catch(w){const S=w instanceof Error?w.message:String(w);d.warn(`Failed to scan ${p}: ${S}`)}}}}let C=fe.filter(c=>{const s=c.vulnerabilities.some(w=>be(w.severity,i)),p=c.socketReport?.alerts.some(w=>be(w.severity==="medium"?"MODERATE":w.severity.toUpperCase(),i)),f=c.socketReport&&c.socketReport.score.overall<ge;return s||p||f});const Ct=t.policies,Oe=[],j=await(async()=>{const c=oa().map(E=>`'${E}'`).join(", "),s=sa(Ct,E=>{Oe.push(E);const ee=`Unknown policy '${E}' — ignoring. Available: ${c}.`;I?process.stderr.write(`vis audit: ${ee}
275
+ `):d.warn(ee)});if(s?.size===0)return[];const p=a?.security?.policies?.license,f=!!(p&&((p.allow?.length??0)>0||(p.deny?.length??0)>0)),w=s===void 0||s.has("license"),S=f&&w?wa(e):void 0;return ca({manifestData:S,offline:x,osvFindings:Re,packageManager:P.name,packages:W,socketReports:je,workspaceRoot:e},"audit",{enabledPolicies:s,visConfig:a??{}})})();if($t){const c=new Set(C.filter(p=>p.vulnerabilities.length>0).map(p=>p.name)),s=ti({alwaysAssumeUsed:Ge?.alwaysAssumeUsed,vulnerablePackages:c,workspaceRoot:e});C=C.filter(p=>p.vulnerabilities.length===0?!0:s.reachable.has(p.name)),I||d.info(O(`Reachability filter: ${String(s.reachable.size)}/${String(c.size)} vulnerable packages reachable (${String(s.filesScanned)} files scanned).`))}const J=A(()=>C.flatMap(c=>c.vulnerabilities.map(s=>({acknowledged:!!c.acceptedRisk||ie(s.id,N,s.aliases),packageName:c.name,packageVersion:c.version,vulnerability:s}))),"findingsForReport"),qe=!!t.fix,Je=!!t.fixTransitive,Ye=!!t.yes,It=!!t.allowMajor;if(qe||Je){const c=J().filter(s=>!s.acknowledged);if(qe){const s=await Si({actionableFindings:c,allowMajor:It,pm:P,visConfig:a,workspaceRoot:e,yes:Ye});if(s!==void 0){process.exitCode=s;return}}if(Je){const s=await Ai({actionableFindings:c,pm:P,visConfig:a,workspaceRoot:e,yes:Ye});if(s!==void 0){process.exitCode=s;return}}}const ue=new Map;if(Ke){const c=Ra(J().filter(p=>!p.acknowledged).map(p=>({packageName:p.packageName,packageVersion:p.packageVersion,vulnerability:p.vulnerability})).sort(ut),Be),s=await Wa(c,a?.ai,{info:A(p=>{d.info(p)},"info"),warn:A(p=>{d.warn(p)},"warn")});for(const[p,f]of s)ue.set(p,f)}if(n){const c=vr({findings:J(),policyDecisions:j,tool:{informationUri:"https://github.com/visulima/visulima",name:"vis-audit",version:"alpha"},workspaceRoot:e});process.stdout.write(`${JSON.stringify(c,void 0,2)}
276
+ `),Te(C,N,t.exitCode,M,j);return}if(l){const c=nr({findings:J(),tool:{informationUri:"https://github.com/visulima/visulima",name:"vis-audit",version:"alpha"},workspaceRoot:e});process.stdout.write(`${JSON.stringify(c,void 0,2)}
277
+ `),Te(C,N,t.exitCode,M,j);return}if(g){const{packageJsons:c,workspace:s}=Yt(e,a),p=Xt(e,s,c),f=da({includeDev:!$,projectGraph:p,workspace:s,workspaceRoot:e}),w=pr({bom:f,findings:J()});process.stdout.write(`${JSON.stringify(w,void 0,2)}
278
+ `),Te(C,N,t.exitCode,M,j);return}if(h){const c=er({findings:J().map(p=>{const f=ue.get(ye({packageName:p.packageName,packageVersion:p.packageVersion,vulnerability:p.vulnerability}));return f?{...p,explanation:f}:p}),packagesScanned:W.length,policyDecisions:j,tool:{name:"vis-audit",version:"alpha"},workspaceRoot:e}),s=Mt(e,h);pt(s,c,"utf8"),I||d.success(`HTML report written to ${s}`)}if(v){const c={bloomHits:F,duplicates:H.map(s=>({name:s.name,versionCount:s.versions.length,versions:s.versions})),packages:W.length,policies:j.map(s=>({acceptedRisk:s.acceptedRisk??null,data:s.data??null,packageName:s.packageName,policy:s.policy,reason:s.reason,severity:s.severity,version:s.version})),results:C.map(s=>({acceptedRisk:s.acceptedRisk??null,name:s.name,socketAlerts:s.socketReport?.alerts??[],socketScore:s.socketReport?.score.overall??null,version:s.version,vulnerabilities:s.vulnerabilities.map(p=>{const f=ue.get(ye({packageName:s.name,packageVersion:s.version,vulnerability:p}));return f?{...p,explanation:f}:p})})),summary:{accepted:C.filter(s=>s.acceptedRisk).length,duplicatePackages:H.length,issues:C.filter(s=>!s.acceptedRisk).length,policyBlocks:j.filter(s=>s.severity==="block"&&!s.acceptedRisk).length,policyDecisions:j.length,total:C.length},warnings:Oe.length>0?Oe.map(s=>({kind:"unknown-policy",token:s})):[]};process.stdout.write(`${JSON.stringify(c,void 0,2)}
279
+ `),t.exitCode&&(c.summary.issues>0||c.summary.policyBlocks>0)&&(process.exitCode=1),He(C,N,M,j);return}if(C.length===0){d.success(`No security issues found across ${String(W.length)} packages.`);return}const Z={CRITICAL:[],HIGH:[],LOW:[],MODERATE:[]};for(const c of C)for(const s of c.vulnerabilities)if(be(s.severity,i)){const p=s.severity==="UNKNOWN"?"LOW":s.severity;Z[p]?.push({entry:c,vuln:s})}let me=0,Pe=0;for(const c of["CRITICAL","HIGH","MODERATE","LOW"]){const s=Z[c];if(!(!s||s.length===0)){d.info(`
280
+ ── ${c} (${String(s.length)}) ──`);for(const{entry:p,vuln:f}of s){const w=!!p.acceptedRisk||ie(f.id,N,f.aliases);if(w&&(Pe++,!ce))continue;me++,d.info(hi(p.name,p.version,f,w)),kt&&(f.fixedVersions??[]).length>0&&d.notice(` Fix: update to ${f.fixedVersions.at(-1)}`);const S=ue.get(ye({packageName:p.name,packageVersion:p.version,vulnerability:f}));if(S)for(const E of S.split(`
281
+ `))d.info(` ${E}`)}}}const Q=C.filter(c=>c.socketReport&&(c.socketReport.score.overall<ge||c.socketReport.alerts.length>0));if(Q.length>0){d.info(`
282
+ ── Socket.dev Supply Chain (${String(Q.length)}) ──`);for(const c of Q){if(!c.socketReport)continue;const s=!!c.acceptedRisk;if(!(s&&!ce)){d.info(vi(c.socketReport,s));for(const p of c.socketReport.alerts){const f=fi[p.severity]??O;d.info(` ${f(`[${p.severity.toUpperCase()}]`)} ${p.type} ${p.category}`)}}}}if(H.length>0){d.info(`
283
+ ── Duplicate Dependencies (${String(H.length)}) ──`);for(const c of H){const s=c.versions.join(", ");d.info(` ${c.name} ${String(c.versions.length)} versions: ${xe(s)}`)}}const Xe=new Set;for(const c of["CRITICAL","HIGH","MODERATE","LOW"]){const s=Z[c];if(s)for(const{vuln:p}of s)Xe.add(p.id)}const Le=j.filter(c=>{if(c.policy!=="vulnerability")return!0;const s=typeof c.data?.advisoryId=="string"?c.data.advisoryId:void 0;return c.severity==="block"&&s!==void 0&&!Xe.has(s)});if(Le.length>0){d.info(`
284
+ ── Policy Decisions (${String(Le.length)}) ──`);for(const c of Le){const s=!!c.acceptedRisk;if(s&&!ce)continue;const p=c.severity==="block"?ke:c.severity==="warn"?xe:O,f=s?` ${O("[acknowledged]")}`:"";d.info(` ${p(`[${c.severity}]`)} ${c.policy} ${c.reason}${f}`)}}const he=A(c=>!!c.acceptedRisk||c.vulnerabilities.length>0&&c.vulnerabilities.every(s=>ie(s.id,N,s.aliases)),"isEntryExcluded"),Ze=C.filter(c=>!he(c)).length;if(d.info(""),d.info("─ Audit Summary"),d.info(` ${String(W.length)} packages scanned`),N.ignoredAdvisories.length>0&&d.info(` ${String(N.ignoredAdvisories.length)} ${P.name} audit exclusion${N.ignoredAdvisories.length===1?"":"s"} applied`),me>0){const c=Z.CRITICAL?.filter(p=>!he(p.entry)).length??0,s=Z.HIGH?.filter(p=>!he(p.entry)).length??0;d.error(` ${String(me)} vulnerabilit${me===1?"y":"ies"} found`),c>0&&d.error(` ${String(c)} critical`),s>0&&d.warn(` ${String(s)} high`)}else d.success(" No vulnerabilities found");if(Q.length>0){const c=Q.filter(s=>!he(s)).length;d.warn(` ${String(c)} package${c===1?"":"s"} with Socket.dev supply chain issues`)}H.length>0&&(d.warn(` ${String(H.length)} package${H.length===1?"":"s"} with duplicate versions`),d.notice(" Run 'vis dedupe' or your package manager's dedupe command to reduce duplicates."));const ve=j.filter(c=>c.severity==="block"&&!c.acceptedRisk);if(ve.length>0&&d.error(` ${String(ve.length)} policy block${ve.length===1?"":"s"}`),Pe>0&&(d.info(` ${String(Pe)} acknowledged (accepted risks)`),ce||d.notice(" Use --show-accepted to see acknowledged issues.")),Ze===0&&d.success(`
285
+ All issues are acknowledged. No action required.`),t.sync&&Ne){const c=new Set;for(const p of fe)if(p.acceptedRisk){for(const f of p.vulnerabilities)if((f.id.startsWith("CVE-")||f.id.startsWith("GHSA-"))&&c.add(f.id),f.aliases)for(const w of f.aliases)(w.startsWith("CVE-")||w.startsWith("GHSA-"))&&c.add(w)}const s=[...c];if(s.length>0){d.info("");const p=Fa(P.name,e,s);for(const f of p)d.success(` ${f}`)}else d.info(`
286
+ No advisory IDs to sync to native PM config.`)}t.exitCode&&(Ze>0||ve.length>0)&&(process.exitCode=1),He(C,N,M,j)},"executeAudit"),yt=A(e=>!e||e.length===0?!1:e.some(t=>t.severity==="block"&&!t.acceptedRisk),"hasBlockingPolicy"),He=A((e,t,a,r)=>{yt(r)&&(process.exitCode=1),a&&e.some(i=>i.vulnerabilities.some(o=>i.acceptedRisk||ie(o.id,t,o.aliases)?!1:be(o.severity,a)))&&(process.exitCode=1)},"applyFailOnGate"),Te=A((e,t,a,r,i)=>{a&&(e.filter(o=>!o.acceptedRisk&&o.vulnerabilities.some(n=>!ie(n.id,t,n.aliases))).length>0||yt(i))&&(process.exitCode=1),He(e,t,r,i)},"applyExitGate"),xt=A(async(e,t)=>{if(!process.stdin.isTTY)return t;const a=Dt({input:process.stdin,output:process.stderr});try{const r=t?"[Y/n]":"[y/N]",i=await new Promise(o=>{a.question(`${e} ${O(r)} `,n=>{o(n.trim())})});return i.length===0?t:i.toLowerCase().startsWith("y")}finally{a.close()}},"promptYesNo"),$i=A(e=>e==="pnpm"||e==="npm"||e==="yarn"||e==="bun","isTransitiveOnlyPm"),Si=A(async e=>{const t=vt({allowMajor:e.allowMajor,findings:e.actionableFindings,workspaceRoot:e.workspaceRoot});if(d.info(""),d.info("─ Apply (direct deps)"),d.info(Sr(t)),t.apply.length===0){d.info("Nothing to apply for direct deps.");return}if(ze&&!e.yes)return d.error("Refusing to run --fix in CI without --yes. Re-run with --yes once the plan above looks right."),1;if(!e.yes&&!await xt("Apply these direct-dep upgrades?",!1))return d.info("Aborted — no changes made."),0;const a=new Map;for(const r of t.apply){const i=r.workspaceName??"",o=a.get(i);o?o.push(r):a.set(i,[r])}for(const[r,i]of a){const o=i.map(g=>`${g.packageName}@${g.targetSpec}`),n=r.length>0?[r]:[];d.info(`Running ${e.pm.name} add ${o.join(" ")}${r.length>0?` --filter ${r}`:""}`);const l=na(e.pm,{exact:!1,filter:n,global:!1,optional:!1,packages:o,peer:!1,saveDev:!1,workspace:!1,workspaceRoot:!1},e.workspaceRoot,console);if(l!==0)return d.error(`${e.pm.name} add exited ${String(l)} — aborting before rescan.`),l}return d.success("Direct-dep upgrades applied. Re-run `vis audit` to confirm the fixes landed."),0},"runApplyDirect"),Ai=A(async e=>{if(!$i(e.pm.name))return d.error(`--fix-transitive is not supported for package manager "${e.pm.name}". Use pnpm, npm, yarn, or bun.`),1;const t=!!e.visConfig?.security?.audit?.apply?.transitive?.enabled;if(ze&&(!e.yes||!t))return d.error("Refusing to run --fix-transitive in CI without both --yes and security.audit.apply.transitive.enabled = true. Overrides have a higher blast radius than direct bumps — gate on config."),1;const a=new Set(vt({findings:e.actionableFindings,workspaceRoot:e.workspaceRoot}).apply.map(n=>n.packageName)),r=e.actionableFindings.filter(n=>!a.has(n.packageName)),i=di(r);if(i.entries.length===0){d.info(""),d.info("─ Apply transitive (overrides)"),d.info("Nothing to override — all vulnerable packages are direct deps or have no fixed version.");return}const o=li(e.workspaceRoot,i,{name:e.pm.name,version:e.pm.version});d.info(""),d.info("─ Apply transitive (overrides)"),d.info(`Target: ${o.filePath} (${o.surface})`);for(const n of o.entries){const l=n.status==="added"?"+":n.status==="updated"?"~":"·",g=n.previousSpec?` (was ${n.previousSpec})`:"";d.info(` ${l} ${n.packageName}: ${n.spec}${g}`)}if(!o.changed){d.info("No changes — overrides already match the plan.");return}if(!e.yes){if(ze)return 1;if(!await xt("Write these overrides?",!1))return d.info("Aborted — no changes made."),0}try{pi(o)}catch(n){const l=n instanceof Error?n.message:String(n);return d.error(`Failed to write overrides: ${l}`),1}return d.success(`Wrote ${String(o.entries.filter(n=>n.status!=="unchanged").length)} override${o.entries.length===1?"":"s"}. Run \`${e.pm.name} install\` then re-run \`vis audit\` to confirm the fixes landed.`),0},"runApplyTransitive"),_i=A(async({logger:e,options:t,visConfig:a,workspaceRoot:r})=>{if(!r)throw new Error("Could not determine workspace root. Run this command inside a monorepo.");await ki(r,t,a,e)},"execute");export{_i as default,yi as mapSeverityToAube,bi as resolveAuditBackend};