@visulima/vis 1.0.0-alpha.41 → 1.0.0-alpha.42

Files changed (199)
  1. package/CHANGELOG.md +14 -0
  2. package/LICENSE.md +265 -35
  3. package/dist/bin.js +1 -1
  4. package/dist/binx.js +2 -2
  5. package/dist/config/index.d.ts +1 -1
  6. package/dist/config/index.js +1 -1
  7. package/dist/packem_chunks/bloom-status.js +1 -1
  8. package/dist/packem_chunks/bloom-sync.js +1 -1
  9. package/dist/packem_chunks/cli-exec.js +1 -0
  10. package/dist/packem_chunks/{bin.js → cli-main.js} +282 -274
  11. package/dist/packem_chunks/config.js +8 -11
  12. package/dist/packem_chunks/devtools.js +1 -78
  13. package/dist/packem_chunks/dispatch.js +4 -0
  14. package/dist/packem_chunks/doctor-probe.js +1 -1
  15. package/dist/packem_chunks/fix.js +1 -1
  16. package/dist/packem_chunks/handler.js +1 -1
  17. package/dist/packem_chunks/handler10.js +1 -1
  18. package/dist/packem_chunks/handler11.js +1 -1
  19. package/dist/packem_chunks/handler12.js +1 -1
  20. package/dist/packem_chunks/handler13.js +3 -3
  21. package/dist/packem_chunks/handler14.js +1 -1
  22. package/dist/packem_chunks/handler15.js +1 -1
  23. package/dist/packem_chunks/handler16.js +1 -1
  24. package/dist/packem_chunks/handler17.js +1 -1
  25. package/dist/packem_chunks/handler18.js +1 -1
  26. package/dist/packem_chunks/handler19.js +1 -1
  27. package/dist/packem_chunks/handler2.js +1 -4
  28. package/dist/packem_chunks/handler20.js +1 -1
  29. package/dist/packem_chunks/handler21.js +1 -1
  30. package/dist/packem_chunks/handler22.js +2 -2
  31. package/dist/packem_chunks/handler23.js +5 -1
  32. package/dist/packem_chunks/handler24.js +1 -1
  33. package/dist/packem_chunks/handler25.js +1 -1
  34. package/dist/packem_chunks/handler26.js +1 -5
  35. package/dist/packem_chunks/handler27.js +5 -1
  36. package/dist/packem_chunks/handler28.js +1 -3
  37. package/dist/packem_chunks/handler29.js +3 -1
  38. package/dist/packem_chunks/handler3.js +1 -4
  39. package/dist/packem_chunks/handler30.js +1 -1
  40. package/dist/packem_chunks/handler31.js +1 -2
  41. package/dist/packem_chunks/handler32.js +2 -2
  42. package/dist/packem_chunks/handler33.js +2 -2
  43. package/dist/packem_chunks/handler34.js +2 -3
  44. package/dist/packem_chunks/handler35.js +3 -6
  45. package/dist/packem_chunks/handler36.js +6 -1
  46. package/dist/packem_chunks/handler37.js +1 -42
  47. package/dist/packem_chunks/handler38.js +42 -8
  48. package/dist/packem_chunks/handler39.js +8 -9
  49. package/dist/packem_chunks/handler4.js +4 -6
  50. package/dist/packem_chunks/handler40.js +9 -75
  51. package/dist/packem_chunks/handler41.js +75 -5
  52. package/dist/packem_chunks/handler42.js +5 -4
  53. package/dist/packem_chunks/handler43.js +4 -3
  54. package/dist/packem_chunks/handler44.js +3 -2
  55. package/dist/packem_chunks/handler45.js +2 -1
  56. package/dist/packem_chunks/handler46.js +1 -1
  57. package/dist/packem_chunks/handler47.js +1 -1
  58. package/dist/packem_chunks/handler48.js +1 -3
  59. package/dist/packem_chunks/handler49.js +3 -1
  60. package/dist/packem_chunks/handler5.js +4 -8
  61. package/dist/packem_chunks/handler50.js +1 -7
  62. package/dist/packem_chunks/handler51.js +6 -32
  63. package/dist/packem_chunks/handler52.js +33 -3
  64. package/dist/packem_chunks/handler53.js +3 -8
  65. package/dist/packem_chunks/handler54.js +6 -2
  66. package/dist/packem_chunks/handler55.js +4 -1
  67. package/dist/packem_chunks/handler56.js +1 -12
  68. package/dist/packem_chunks/handler57.js +11 -6
  69. package/dist/packem_chunks/handler58.js +3 -3
  70. package/dist/packem_chunks/handler59.js +5 -5
  71. package/dist/packem_chunks/handler6.js +6 -1
  72. package/dist/packem_chunks/handler60.js +2 -2
  73. package/dist/packem_chunks/handler61.js +1 -1
  74. package/dist/packem_chunks/handler62.js +4 -4
  75. package/dist/packem_chunks/handler63.js +3 -3
  76. package/dist/packem_chunks/handler64.js +4 -4
  77. package/dist/packem_chunks/handler65.js +9 -708
  78. package/dist/packem_chunks/handler66.js +6 -6
  79. package/dist/packem_chunks/handler67.js +4 -4
  80. package/dist/packem_chunks/handler68.js +1 -1
  81. package/dist/packem_chunks/handler69.js +5 -5
  82. package/dist/packem_chunks/handler7.js +8 -1
  83. package/dist/packem_chunks/handler70.js +6 -6
  84. package/dist/packem_chunks/handler71.js +9 -9
  85. package/dist/packem_chunks/handler72.js +708 -48
  86. package/dist/packem_chunks/handler73.js +48 -27
  87. package/dist/packem_chunks/handler74.js +27 -3
  88. package/dist/packem_chunks/handler75.js +3 -190
  89. package/dist/packem_chunks/handler76.js +189 -37
  90. package/dist/packem_chunks/handler77.js +38 -0
  91. package/dist/packem_chunks/handler8.js +1 -1
  92. package/dist/packem_chunks/handler9.js +1 -1
  93. package/dist/packem_chunks/heal-accept.js +1 -1
  94. package/dist/packem_chunks/heal.js +1 -1
  95. package/dist/packem_chunks/help-command.js +4 -4
  96. package/dist/packem_chunks/index2.js +1 -1
  97. package/dist/packem_chunks/index3.js +135 -0
  98. package/dist/packem_chunks/index4.js +74 -0
  99. package/dist/packem_chunks/keys-refresh.js +1 -1
  100. package/dist/packem_chunks/lean.js +4 -0
  101. package/dist/packem_chunks/list.js +1 -1
  102. package/dist/packem_chunks/loader.js +1 -1
  103. package/dist/packem_chunks/loader2.js +1 -1
  104. package/dist/packem_chunks/orchestrator.js +3 -3
  105. package/dist/packem_chunks/prompts.js +1 -1
  106. package/dist/packem_chunks/prune.js +1 -1
  107. package/dist/packem_chunks/registry.js +2 -2
  108. package/dist/packem_chunks/run.js +1 -1
  109. package/dist/packem_chunks/shell-runner.js +1 -1
  110. package/dist/packem_chunks/status.js +1 -1
  111. package/dist/packem_chunks/sync.js +1 -1
  112. package/dist/packem_chunks/sync2.js +1 -1
  113. package/dist/packem_chunks/tar.js +1 -1
  114. package/dist/packem_chunks/tripwire.js +1 -1
  115. package/dist/packem_chunks/ts-loader.js +2 -0
  116. package/dist/packem_chunks/verify-lockfile.js +1 -1
  117. package/dist/packem_chunks/version-resolver.js +2 -2
  118. package/dist/packem_shared/CONFIG_FILES-MsOntfYT.js +1 -0
  119. package/dist/packem_shared/{Table-CcVkyULl-B_ef6zfS.js → Table-CcVkyULl-DLWu6XHL.js} +25 -26
  120. package/dist/packem_shared/{advisories-DLeO5KMN.js → advisories-aiDtubZQ.js} +1 -1
  121. package/dist/packem_shared/{affected-shas-cVnX8-zs.js → affected-shas-C1XuRlvo.js} +1 -1
  122. package/dist/packem_shared/{ai-analysis-BUeX2J2H.js → ai-analysis-CubpCxZJ.js} +4 -4
  123. package/dist/packem_shared/{ai-fix-9Vzlp6XU.js → ai-fix-Btd5AnSr.js} +2 -2
  124. package/dist/packem_shared/augment-8fIWWGSc.js +3 -0
  125. package/dist/packem_shared/bin-CnDBuLh3.js +2 -0
  126. package/dist/packem_shared/build-scripts-Doxce2VM.js +1 -0
  127. package/dist/packem_shared/command-runtime-RiCMa2C8.js +1 -0
  128. package/dist/packem_shared/compile-cache-B_Vf_WxT.js +3 -0
  129. package/dist/packem_shared/{cyclonedx-Cadls41z.js → cyclonedx-NUJ9R2GQ.js} +1 -1
  130. package/dist/packem_shared/dependency-scan-B0HV_qeB.js +1 -0
  131. package/dist/packem_shared/{docker-BMLrNtWm.js → docker-DKlF-gk3.js} +1 -1
  132. package/dist/packem_shared/failure-log-C7r6UZLP.js +2 -0
  133. package/dist/packem_shared/{giget-DHY1sQZC.js → giget-DVTFJlbR.js} +2 -2
  134. package/dist/packem_shared/glob-fqg4KepW-7Bs2kZuM.js +1 -0
  135. package/dist/packem_shared/index-BKFEWXU_.js +1 -0
  136. package/dist/packem_shared/index-CPhv-r4c.js +28 -0
  137. package/dist/packem_shared/{index-DGSsjmpV.js → index-Cb4x6lWY.js} +1 -1
  138. package/dist/packem_shared/index-DjTWo3sH.js +1 -0
  139. package/dist/packem_shared/{index-BDmTbWX1.js → index-OQZQyN5R.js} +1 -1
  140. package/dist/packem_shared/index.server-J83sowC4.js +2 -0
  141. package/dist/packem_shared/{lifecycle-4z9hHE5b.js → lifecycle-D5roTh0a.js} +2 -2
  142. package/dist/packem_shared/{lockfile-C8Q1_4KK.js → lockfile-DIGyLfmF.js} +1 -1
  143. package/dist/packem_shared/main-B3juSU5z.js +1 -0
  144. package/dist/packem_shared/manifests-pLwnVmCN.js +1 -0
  145. package/dist/packem_shared/{min-release-age-D1alDE3K.js → min-release-age-pUAqTiv3.js} +3 -3
  146. package/dist/packem_shared/missing-package-json-DhYzuKhD.js +1 -0
  147. package/dist/packem_shared/{native-config-sync-BEkJW7g3.js → native-config-sync-4K9wWTj5.js} +1 -1
  148. package/dist/packem_shared/{osv-bloom-B03tUWf3.js → osv-bloom-OuTfu_LE.js} +1 -1
  149. package/dist/packem_shared/{pm-runner-BKZQo7Ts.js → pm-runner-Dws_Bw1y.js} +1 -1
  150. package/dist/packem_shared/provenance-C0P-UYOM.js +1 -0
  151. package/dist/packem_shared/readJsonSync-CvkZyKmL-CY7PZob_.js +4 -0
  152. package/dist/packem_shared/registry-keys-D4chF-Wj.js +1 -0
  153. package/dist/packem_shared/{resolve-explicit-C6WM-I2u.js → resolve-explicit-Cgheka3B.js} +3 -3
  154. package/dist/packem_shared/resolve-runtime-CJSWV-K8.js +1 -0
  155. package/dist/packem_shared/run-file-B4TqKa0X.js +1 -0
  156. package/dist/packem_shared/runtime-check-0lUJvgKt.js +1 -0
  157. package/dist/packem_shared/runtime-process-Dmz0vCJy-DUwTvH1J.js +1 -0
  158. package/dist/packem_shared/s1ngularity-Du1NnSFP.js +1 -0
  159. package/dist/packem_shared/scan-progress-CN9ONR0y.js +2 -0
  160. package/dist/packem_shared/{selectors-GCJIe342.js → selectors-UmnAuc26.js} +1 -1
  161. package/dist/packem_shared/{signatures-Xpd6HjG_.js → signatures-BOUhghTv.js} +1 -1
  162. package/dist/packem_shared/{spinner-CV3WVJLv.js → spinner-lhXugSx3.js} +1 -1
  163. package/dist/packem_shared/tabs-DTiU3usb.js +1 -0
  164. package/dist/packem_shared/target-options-ChWcK60i.js +1 -0
  165. package/dist/packem_shared/toolchain-DyCKnGch.js +5 -0
  166. package/dist/packem_shared/typosquats-DBOvXwph.js +1 -0
  167. package/dist/packem_shared/use-measured-height-CK2Co3XI.js +1 -0
  168. package/dist/packem_shared/verify-CVPYlUrF.js +1 -0
  169. package/dist/packem_shared/vis-update-app-DtHkwBca.js +1 -0
  170. package/dist/packem_shared/watch-Bkp_AAbc.js +1 -0
  171. package/dist/packem_shared/watch-loop-D9zbXzRd.js +11 -0
  172. package/dist/runtime/preload.d.ts +1 -0
  173. package/dist/runtime/preload.js +1 -0
  174. package/index.d.ts +215 -201
  175. package/index.js +28 -27
  176. package/package.json +17 -26
  177. package/dist/packem_shared/CONFIG_FILES-BfaR0jKT.js +0 -1
  178. package/dist/packem_shared/build-scripts-CCCi8U66.js +0 -1
  179. package/dist/packem_shared/command-runtime-CR70qSUM.js +0 -1
  180. package/dist/packem_shared/dependency-scan-DnTgYleU.js +0 -1
  181. package/dist/packem_shared/failure-log-CEWP3bP0.js +0 -2
  182. package/dist/packem_shared/glob-fqg4KepW-B7EjLRvw.js +0 -1
  183. package/dist/packem_shared/index-3jMNqQom.js +0 -1
  184. package/dist/packem_shared/index-Bt521H5J.js +0 -30
  185. package/dist/packem_shared/manifests-Dj3pRKBT.js +0 -1
  186. package/dist/packem_shared/missing-package-json-8vNHwbqw.js +0 -1
  187. package/dist/packem_shared/provenance-BFEwKgI3.js +0 -1
  188. package/dist/packem_shared/registry-keys-BfFto6vI.js +0 -1
  189. package/dist/packem_shared/runtime-check-Stc9AI78.js +0 -1
  190. package/dist/packem_shared/s1ngularity-DCPmPE5M.js +0 -1
  191. package/dist/packem_shared/scan-progress-CFhc0CMj.js +0 -2
  192. package/dist/packem_shared/tabs-BuTy5gPV.js +0 -1
  193. package/dist/packem_shared/toolchain-pR7AJ-tB.js +0 -5
  194. package/dist/packem_shared/typosquats-DN78xx1x.js +0 -1
  195. package/dist/packem_shared/use-measured-height-_eVGWtWt.js +0 -1
  196. package/dist/packem_shared/verify-6WCmFmy8.js +0 -1
  197. package/dist/packem_shared/vis-update-app-k3fDxech.js +0 -1
  198. package/dist/packem_shared/watch-BvIwLG4N.js +0 -1
  199. package/dist/packem_shared/watch-loop-DWkvv2tK.js +0 -11
@@ -1,4 +1,4 @@
1
- import{createRequire as Et}from"node:module";import{V as we,E as D,s as ye,q as pt,Q as dt}from"../packem_shared/Table-CcVkyULl-B_ef6zfS.js";import{I as Lt,m as z,f as J,v as be,T as Ze,B as Tt}from"../packem_shared/index-BDmTbWX1.js";import{ad as Pt,ab as Vt,ac as zt,aC as Wt,u as Ve,i as _t,W as Ht,aR as Ut,p as u,l as Qe,c as Ft,N as Gt,f as Bt,Z as Xe,b as Kt,O as qt,r as De,a3 as Jt,a0 as Yt,a2 as Zt}from"./bin.js";import{whichBin as Qt}from"#native";import{r as ei,R as ti,b as ii}from"../packem_shared/ai-analysis-BUeX2J2H.js";import"../packem_shared/public-api-WqUCiyIe.js";import{w as ai,M as ni}from"../packem_shared/pm-runner-BKZQo7Ts.js";import{s as L}from"../packem_shared/index-DGSsjmpV.js";import{c as gt,s as he,p as ri,e as oi,g as si}from"../packem_shared/index-3jMNqQom.js";import{d as ci}from"../packem_shared/anolilab-text-CAM_E6uK.js";import{t as li,b as pi}from"../packem_shared/cyclonedx-Cadls41z.js";import{s as fi}from"../packem_shared/scan-progress-CFhc0CMj.js";import{r as ui,A as et,q as tt}from"../packem_shared/advisories-DLeO5KMN.js";import{a as ut}from"./config.js";import{l as mi,f as hi,a as vi}from"../packem_shared/dependency-scan-DnTgYleU.js";import{r as wi}from"../packem_shared/manifests-Dj3pRKBT.js";import{l as $i,p as Si,O as Ni}from"../packem_shared/osv-bloom-B03tUWf3.js";const Ot=Et(import.meta.url),ee=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,Y=e=>{if(typeof ee<"u"&&ee.versions&&ee.versions.node){const[t,i]=ee.versions.node.split(".").map(Number);if(t>22||t===22&&i>=3||t===20&&i>=16)return ee.getBuiltinModule(e)}return Ot(e)},{spawnSync:Dt}=Y("node:child_process"),{createInterface:Mt}=Y("node:readline"),{stripVTControlCharacters:Xt}=Y("node:util"),{createHash:di}=Y("node:crypto"),{relative:ft,join:gi}=Y("node:path"),{readFileSync:mt,existsSync:yi,writeFileSync:bi,renameSync:xi,unlinkSync:ki}=Y("node:fs"),it=(e,t={})=>{Array.isArray(t.extensions)||(t.extensions=["js","mjs","cjs","ts"]);const 
i=[];for(const a of Lt(e,t))i.push(a.path);return i},xe=e=>`${e.packageName}@${e.packageVersion}:${e.vulnerability.id}`,Ai=e=>e==null||e===!0||e===""||e==="true"||e.toString().toLowerCase()==="all",Ci=(e,t)=>{if(Ai(t))return e;const i=String(t).trim();if(/^\d+$/.test(i)){const n=Number.parseInt(i,10)-1,o=e[n];return o?[o]:[]}const a=i.toLowerCase();return e.filter(n=>{const{aliases:o,id:r}=n.vulnerability;return r.toLowerCase()===a||(o??[]).some(c=>c.toLowerCase()===a)})},Ri=e=>{const{packageName:t,packageVersion:i,vulnerability:a}=e,n=(a.aliases??[]).join(", ")||"none",o=(a.fixedVersions??[]).join(", ")||"no fixed version published";return`You are a security engineer. Explain this dependency vulnerability for a developer triaging it.
1
+ import{createRequire as Et}from"node:module";import{V as we,E as D,s as ye,q as pt,Q as dt}from"../packem_shared/index.server-J83sowC4.js";import{I as Lt,m as z,f as J,v as be,T as Ze,B as Tt}from"../packem_shared/index-OQZQyN5R.js";import{I as De}from"../packem_shared/bin-CnDBuLh3.js";import{whichBin as Pt}from"#native";import{r as zt,R as Wt,b as _t}from"../packem_shared/ai-analysis-CubpCxZJ.js";import{aa as Ht,a8 as Ut,a9 as Ft,az as Gt,u as Ve,i as Bt,W as Kt,aO as qt,p as u,l as Qe,c as Jt,N as Yt,f as Zt,S as Xe,b as Qt,O as Xt,a0 as ei,Y as ti,_ as ii}from"./cli-main.js";import"../packem_shared/public-api-WqUCiyIe.js";import{w as ai,M as ni}from"../packem_shared/pm-runner-Dws_Bw1y.js";import{s as L}from"../packem_shared/index-Cb4x6lWY.js";import{c as gt,s as he,p as ri,e as oi,g as si}from"../packem_shared/index-BKFEWXU_.js";import{d as ci}from"../packem_shared/anolilab-text-CAM_E6uK.js";import{t as li,b as pi}from"../packem_shared/cyclonedx-NUJ9R2GQ.js";import{s as fi}from"../packem_shared/scan-progress-CN9ONR0y.js";import{r as ui,A as et,q as tt}from"../packem_shared/advisories-aiDtubZQ.js";import{a as ut}from"../packem_shared/readJsonSync-CvkZyKmL-CY7PZob_.js";import{l as mi,f as hi,a as vi}from"../packem_shared/dependency-scan-B0HV_qeB.js";import{r as wi}from"../packem_shared/manifests-pLwnVmCN.js";import{l as $i,p as Si,O as Ni}from"../packem_shared/osv-bloom-OuTfu_LE.js";const Ot=Et(import.meta.url),ee=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,Y=e=>{if(typeof ee<"u"&&ee.versions&&ee.versions.node){const[t,i]=ee.versions.node.split(".").map(Number);if(t>22||t===22&&i>=3||t===20&&i>=16)return ee.getBuiltinModule(e)}return 
Ot(e)},{spawnSync:Dt}=Y("node:child_process"),{createInterface:Mt}=Y("node:readline"),{stripVTControlCharacters:Vt}=Y("node:util"),{createHash:di}=Y("node:crypto"),{relative:ft,join:gi}=Y("node:path"),{readFileSync:mt,existsSync:yi,writeFileSync:bi,renameSync:xi,unlinkSync:ki}=Y("node:fs"),it=(e,t={})=>{Array.isArray(t.extensions)||(t.extensions=["js","mjs","cjs","ts"]);const i=[];for(const a of Lt(e,t))i.push(a.path);return i},xe=e=>`${e.packageName}@${e.packageVersion}:${e.vulnerability.id}`,Ai=e=>e==null||e===!0||e===""||e==="true"||e.toString().toLowerCase()==="all",Ci=(e,t)=>{if(Ai(t))return e;const i=String(t).trim();if(/^\d+$/.test(i)){const n=Number.parseInt(i,10)-1,o=e[n];return o?[o]:[]}const a=i.toLowerCase();return e.filter(n=>{const{aliases:o,id:r}=n.vulnerability;return r.toLowerCase()===a||(o??[]).some(c=>c.toLowerCase()===a)})},Ri=e=>{const{packageName:t,packageVersion:i,vulnerability:a}=e,n=(a.aliases??[]).join(", ")||"none",o=(a.fixedVersions??[]).join(", ")||"no fixed version published";return`You are a security engineer. Explain this dependency vulnerability for a developer triaging it.
2
2
 
3
3
  Package: ${t}@${i}
4
4
  Advisory: ${a.id} (aliases: ${n})
@@ -11,9 +11,9 @@ Respond ONLY with valid JSON in this exact structure, each value 1-3 plain sente
11
11
  "whatItIs": "what the vulnerability is and how it is exploited",
12
12
  "areYouAtRisk": "what usage pattern makes an app actually exposed; be honest that lockfile presence alone is not exploitation",
13
13
  "whatToDo": "the concrete remediation step"
14
- }`},me=e=>Xt(e).replaceAll(/[\u0000-\u0008\u000B-\u001F\u007F]/gu,"").trim(),Ii=e=>`What it is: ${e.whatItIs}
14
+ }`},me=e=>Vt(e).replaceAll(/[\u0000-\u0008\u000B-\u001F\u007F]/gu,"").trim(),Ii=e=>`What it is: ${e.whatItIs}
15
15
  Are you at risk: ${e.areYouAtRisk}
16
- What to do: ${e.whatToDo}`,ji=e=>{const t=ii(e);if(t&&typeof t=="object"){const i=t,a=typeof i.whatItIs=="string"?me(i.whatItIs):"",n=typeof i.areYouAtRisk=="string"?me(i.areYouAtRisk):"",o=typeof i.whatToDo=="string"?me(i.whatToDo):"";if(a||n||o)return Ii({areYouAtRisk:n,whatItIs:a,whatToDo:o})}return me(e)},Ei=async(e,t,i)=>{let a=0;const n=Array.from({length:Math.min(t,e.length)},async()=>{for(;a<e.length;){const o=a;a+=1;const r=e[o];r!==void 0&&await i(r)}});await Promise.all(n)},Oi=3,Di={resolveProvider:ti,runWithRetry:ei},Mi=async(e,t,i,a=Di)=>{const n=new Map;if(e.length===0)return n;const o=a.resolveProvider(t);if(!o)return i?.info?.("No AI CLI provider found on PATH — skipping --explain."),n;const r=Wt("security",t?.cacheTtl);return await Ei(e,Oi,async c=>{const l=xe(c),d=Pt({id:c.vulnerability.id,kind:"audit-explain",name:c.packageName,provider:o.name,version:c.packageVersion}),m=Vt(d);if(typeof m=="string"){n.set(l,m);return}try{const b=await a.runWithRetry(o,Ri(c)),h=ji(b);h&&(n.set(l,h),zt(d,h,r))}catch(b){const h=b instanceof Error?b.message:String(b);i?.warn?.(`Explain failed for ${c.vulnerability.id} (${h}).`)}}),n},ke=e=>Array.isArray(e)?e.filter(t=>typeof t=="string"):[],Me=(e,t)=>{for(const i of t)if(i===e||i.endsWith("*")&&e.startsWith(i.slice(0,-1)))return!0;return!1},ht=e=>{const t=z(e,"pnpm-workspace.yaml");if(!J(t))return{excludedPackages:[],ignoredAdvisories:[]};try{const i=Ve(t);return{excludedPackages:[],ignoredAdvisories:[...ke(i?.auditConfig?.ignoreCves),...ke(i?.auditConfig?.ignoreGhsas)]}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},vt=e=>{const t=z(e,".yarnrc.yml");if(!J(t))return{excludedPackages:[],ignoredAdvisories:[]};try{const i=Ve(t);return{excludedPackages:ke(i?.npmAuditExcludePackages),ignoredAdvisories:ke(i?.npmAuditIgnoreAdvisories)}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},Li=(e,t)=>{switch(t){case"pnpm":return ht(e);case"yarn":return 
vt(e);default:return{excludedPackages:[],ignoredAdvisories:[]}}},ae=(e,t,i)=>{if(Me(e,t.ignoredAdvisories))return!0;if(i){for(const a of i)if(Me(a,t.ignoredAdvisories))return!0}return!1},Ti=(e,t)=>Me(e,t.excludedPackages),Pi=(e,t,i)=>{if(i.length===0)return["No advisory IDs to sync."];const a=[];switch(e){case"bun":{a.push(`bun has no audit config file. Use CLI flags: bun audit ${i.map(n=>`--ignore ${n}`).join(" ")}`);break}case"npm":{a.push("npm has no native audit exclusion config. vis accepted risks are the only layer.");break}case"pnpm":{const n=z(t,"pnpm-workspace.yaml");if(!J(n)){a.push("pnpm-workspace.yaml not found. Cannot sync.");break}const o=ht(t),r=new Set(o.ignoredAdvisories.filter(g=>g.startsWith("CVE-"))),c=new Set(o.ignoredAdvisories.filter(g=>g.startsWith("GHSA-"))),l=i.filter(g=>g.startsWith("CVE-")),d=i.filter(g=>g.startsWith("GHSA-")),m=[...new Set([...r,...l])],b=[...new Set([...c,...d])],h=l.filter(g=>!r.has(g)).length,v=d.filter(g=>!c.has(g)).length;if(h===0&&v===0){a.push("All advisory IDs already present in pnpm-workspace.yaml.");break}let y=be(n);if(m.length>0){const g=` ignoreCves:
16
+ What to do: ${e.whatToDo}`,ji=e=>{const t=_t(e);if(t&&typeof t=="object"){const i=t,a=typeof i.whatItIs=="string"?me(i.whatItIs):"",n=typeof i.areYouAtRisk=="string"?me(i.areYouAtRisk):"",o=typeof i.whatToDo=="string"?me(i.whatToDo):"";if(a||n||o)return Ii({areYouAtRisk:n,whatItIs:a,whatToDo:o})}return me(e)},Ei=async(e,t,i)=>{let a=0;const n=Array.from({length:Math.min(t,e.length)},async()=>{for(;a<e.length;){const o=a;a+=1;const r=e[o];r!==void 0&&await i(r)}});await Promise.all(n)},Oi=3,Di={resolveProvider:Wt,runWithRetry:zt},Mi=async(e,t,i,a=Di)=>{const n=new Map;if(e.length===0)return n;const o=a.resolveProvider(t);if(!o)return i?.info?.("No AI CLI provider found on PATH — skipping --explain."),n;const r=Gt("security",t?.cacheTtl);return await Ei(e,Oi,async c=>{const l=xe(c),d=Ht({id:c.vulnerability.id,kind:"audit-explain",name:c.packageName,provider:o.name,version:c.packageVersion}),m=Ut(d);if(typeof m=="string"){n.set(l,m);return}try{const b=await a.runWithRetry(o,Ri(c)),h=ji(b);h&&(n.set(l,h),Ft(d,h,r))}catch(b){const h=b instanceof Error?b.message:String(b);i?.warn?.(`Explain failed for ${c.vulnerability.id} (${h}).`)}}),n},ke=e=>Array.isArray(e)?e.filter(t=>typeof t=="string"):[],Me=(e,t)=>{for(const i of t)if(i===e||i.endsWith("*")&&e.startsWith(i.slice(0,-1)))return!0;return!1},ht=e=>{const t=z(e,"pnpm-workspace.yaml");if(!J(t))return{excludedPackages:[],ignoredAdvisories:[]};try{const i=Ve(t);return{excludedPackages:[],ignoredAdvisories:[...ke(i?.auditConfig?.ignoreCves),...ke(i?.auditConfig?.ignoreGhsas)]}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},vt=e=>{const t=z(e,".yarnrc.yml");if(!J(t))return{excludedPackages:[],ignoredAdvisories:[]};try{const i=Ve(t);return{excludedPackages:ke(i?.npmAuditExcludePackages),ignoredAdvisories:ke(i?.npmAuditIgnoreAdvisories)}}catch{return{excludedPackages:[],ignoredAdvisories:[]}}},Li=(e,t)=>{switch(t){case"pnpm":return ht(e);case"yarn":return 
vt(e);default:return{excludedPackages:[],ignoredAdvisories:[]}}},ae=(e,t,i)=>{if(Me(e,t.ignoredAdvisories))return!0;if(i){for(const a of i)if(Me(a,t.ignoredAdvisories))return!0}return!1},Ti=(e,t)=>Me(e,t.excludedPackages),Pi=(e,t,i)=>{if(i.length===0)return["No advisory IDs to sync."];const a=[];switch(e){case"bun":{a.push(`bun has no audit config file. Use CLI flags: bun audit ${i.map(n=>`--ignore ${n}`).join(" ")}`);break}case"npm":{a.push("npm has no native audit exclusion config. vis accepted risks are the only layer.");break}case"pnpm":{const n=z(t,"pnpm-workspace.yaml");if(!J(n)){a.push("pnpm-workspace.yaml not found. Cannot sync.");break}const o=ht(t),r=new Set(o.ignoredAdvisories.filter(g=>g.startsWith("CVE-"))),c=new Set(o.ignoredAdvisories.filter(g=>g.startsWith("GHSA-"))),l=i.filter(g=>g.startsWith("CVE-")),d=i.filter(g=>g.startsWith("GHSA-")),m=[...new Set([...r,...l])],b=[...new Set([...c,...d])],h=l.filter(g=>!r.has(g)).length,v=d.filter(g=>!c.has(g)).length;if(h===0&&v===0){a.push("All advisory IDs already present in pnpm-workspace.yaml.");break}let y=be(n);if(m.length>0){const g=` ignoreCves:
17
17
  ${m.map($=>` - ${$}`).join(`
18
18
  `)}
19
19
  `;/auditConfig:/.test(y)?y=/ignoreCves:/.test(y)?y.replace(/ignoreCves:\s*\n(?:\s+-\s+(?:\S.*|[\t\v\f \u00A0\u1680\u2000-\u200A\u202F\u205F\u3000\uFEFF])\n)*/,g):y.replace(/auditConfig:\s*\n/,`auditConfig:
@@ -292,7 +292,7 @@ ${v.summary||`Advisory ${v.id}`}${y}`,failureType:Le(v.severity).toUpperCase(),n
292
292
  <testsuites name="${K(i)}" tests="${String(o)}" failures="${String(r)}" skipped="${String(c)}" errors="0" time="0">
293
293
  `;return l+=ct("vulnerabilities",a,t),n.length>0&&(l+=ct("policies",n,t)),l+=`</testsuites>
294
294
  `,l},ha=e=>{const t=new Map,i=[],a=e.artifactUri??(ft(e.workspaceRoot,gi(e.workspaceRoot,"package.json"))||"package.json");for(const r of e.findings){const{acknowledged:c,packageName:l,packageVersion:d,vulnerability:m}=r,b=Fi(m.severity),h=Le(m.severity);t.has(m.id)||t.set(m.id,{defaultConfiguration:{level:b},fullDescription:{text:m.summary||`Advisory ${m.id}`},helpUri:T(m.id),id:m.id,name:m.id,properties:{precision:"very-high","security-severity":Bi(m),"severity-label":h,tags:["security","vulnerability","supply-chain",`severity:${h}`]},shortDescription:{text:(m.summary.split(`
295
- `)[0]??m.id).slice(0,200)}}),i.push({level:b,locations:[{logicalLocations:[{kind:"package",name:`${l}@${d}`}],physicalLocation:{artifactLocation:{uri:a}}}],message:{text:`${m.id}: ${l}@${d} — ${m.summary||"no summary"}${m.fixedVersions.length>0?` (fix: ${m.fixedVersions.join(", ")})`:""}`},partialFingerprints:{advisoryId:m.id,package:l,version:d},properties:{...c?{acknowledged:!0}:{},...m.aliases&&m.aliases.length>0?{aliases:m.aliases}:{},...typeof m.cvssScore=="number"?{cvssScore:m.cvssScore}:{},...m.fixedVersions.length>0?{fixedVersions:m.fixedVersions}:{},packageName:l,packageVersion:d,severityLabel:h},ruleId:m.id})}const n={block:"error",info:"note",warn:"warning"},o={block:"high",info:"none",warn:"medium"};for(const r of e.policyDecisions??[]){if(r.policy==="vulnerability")continue;const c=`vis.policy.${r.policy}`,l=n[r.severity],d=o[r.severity];t.has(c)||t.set(c,{defaultConfiguration:{level:l},fullDescription:{text:`vis policy '${r.policy}' (Socket.dev-style supply-chain gate)`},helpUri:`https://visulima.com/packages/vis/commands/audit#policy-${r.policy}`,id:c,name:c,properties:{precision:"high","security-severity":r.severity==="block"?"8.0":r.severity==="warn"?"5.5":"0.0","severity-label":d,tags:["security","supply-chain","policy",`policy:${r.policy}`]},shortDescription:{text:`vis policy: 
${r.policy}`}}),i.push({level:l,locations:[{logicalLocations:[{kind:"package",name:`${r.packageName}@${r.version}`}],physicalLocation:{artifactLocation:{uri:a}}}],message:{text:r.reason},partialFingerprints:{package:r.packageName,policy:r.policy,version:r.version},properties:{...r.acceptedRisk?{acknowledged:!0}:{},packageName:r.packageName,packageVersion:r.version,severityLabel:d},ruleId:c})}return{$schema:"https://json.schemastore.org/sarif-2.1.0.json",runs:[{results:i,tool:{driver:{informationUri:e.tool.informationUri,name:e.tool.name,rules:[...t.values()],version:e.tool.version}}}],version:"2.1.0"}},va=["dependencies","devDependencies","optionalDependencies","peerDependencies"],lt=e=>{try{return{path:e,pkg:ut(e)}}catch{return}},wa=e=>{const t=[],i=lt(z(e,"package.json"));i&&t.push({path:i.path,pkg:i.pkg,workspaceName:i.pkg.name});const a=_t(e);let n;if(a?n=a:i?.pkg.workspaces&&(Array.isArray(i.pkg.workspaces)?n=i.pkg.workspaces:i.pkg.workspaces.packages&&(n=i.pkg.workspaces.packages)),!n)return t;for(const o of Ht(e,n)){const r=lt(z(e,o,"package.json"));r&&t.push({path:r.path,pkg:r.pkg,workspaceName:r.pkg.name})}return t},ya=(e,t)=>{const i=[];for(const a of e)for(const n of va){const o=a.pkg[n]?.[t];typeof o=="string"&&i.push({field:n,manifest:a,range:o})}return i},yt=e=>{const t=wa(e.workspaceRoot),i=[],a=[],n=[],o=new Set;for(const r of e.findings){const c=r.vulnerability.fixedVersions[0];if(!c){n.push({packageName:r.packageName,reason:"no-fixed-version"});continue}const l=ya(t,r.packageName);if(l.length===0){n.push({packageName:r.packageName,reason:"transitive-only"});continue}const d=L.coerce(c),m=d?`^${d.version}`:c,b=d?d.version:c;for(const h of l){const v=`${h.manifest.path}::${h.field}::${r.packageName}::${b}`;if(o.has(v))continue;o.add(v);const 
y=xa(b,h.range),g={currentRange:h.range,field:h.field,inRange:y,manifestPath:h.manifest.path,packageName:r.packageName,targetSpec:m,targetVersion:b,workspaceName:h.manifest.workspaceName};y||e.allowMajor===!0?i.push(g):a.push(g)}}return{apply:i,skippedMajor:a,unmatched:n}},ba=/^(?:workspace|file|link|portal|patch|git\+|git:|github:|npm:|catalog|jsr|http|https):/i,xa=(e,t)=>{if(ba.test(t))return!0;const i=L.coerce(e)?.version??e;try{return L.satisfies(i,t)}catch{return!0}},ka=e=>{const t=[];if(e.apply.length>0){t.push(`Apply (${String(e.apply.length)}):`);for(const i of e.apply){const a=i.workspaceName?` [${i.workspaceName}]`:"";t.push(` + ${i.packageName}: ${i.currentRange} → ${i.targetSpec}${a}`)}}if(e.skippedMajor.length>0){t.push(`Skipped — major bump (${String(e.skippedMajor.length)}, requires --allow-major):`);for(const i of e.skippedMajor){const a=i.workspaceName?` [${i.workspaceName}]`:"";t.push(` ! ${i.packageName}: ${i.currentRange} → ${i.targetSpec}${a}`)}}if(e.unmatched.length>0){const i=e.unmatched.filter(n=>n.reason==="transitive-only"),a=e.unmatched.filter(n=>n.reason==="no-fixed-version");if(i.length>0){t.push(`Transitive only (${String(i.length)}, requires --fix-transitive):`);for(const n of i)t.push(` · ${n.packageName}`)}if(a.length>0){t.push(`No fixed version available (${String(a.length)}):`);for(const n of a)t.push(` · ${n.packageName}`)}}return t.length===0?"No direct-dep fixes to apply.":t.join(`
295
+ `)[0]??m.id).slice(0,200)}}),i.push({level:b,locations:[{logicalLocations:[{kind:"package",name:`${l}@${d}`}],physicalLocation:{artifactLocation:{uri:a}}}],message:{text:`${m.id}: ${l}@${d} — ${m.summary||"no summary"}${m.fixedVersions.length>0?` (fix: ${m.fixedVersions.join(", ")})`:""}`},partialFingerprints:{advisoryId:m.id,package:l,version:d},properties:{...c?{acknowledged:!0}:{},...m.aliases&&m.aliases.length>0?{aliases:m.aliases}:{},...typeof m.cvssScore=="number"?{cvssScore:m.cvssScore}:{},...m.fixedVersions.length>0?{fixedVersions:m.fixedVersions}:{},packageName:l,packageVersion:d,severityLabel:h},ruleId:m.id})}const n={block:"error",info:"note",warn:"warning"},o={block:"high",info:"none",warn:"medium"};for(const r of e.policyDecisions??[]){if(r.policy==="vulnerability")continue;const c=`vis.policy.${r.policy}`,l=n[r.severity],d=o[r.severity];t.has(c)||t.set(c,{defaultConfiguration:{level:l},fullDescription:{text:`vis policy '${r.policy}' (Socket.dev-style supply-chain gate)`},helpUri:`https://visulima.com/packages/vis/commands/audit#policy-${r.policy}`,id:c,name:c,properties:{precision:"high","security-severity":r.severity==="block"?"8.0":r.severity==="warn"?"5.5":"0.0","severity-label":d,tags:["security","supply-chain","policy",`policy:${r.policy}`]},shortDescription:{text:`vis policy: 
${r.policy}`}}),i.push({level:l,locations:[{logicalLocations:[{kind:"package",name:`${r.packageName}@${r.version}`}],physicalLocation:{artifactLocation:{uri:a}}}],message:{text:r.reason},partialFingerprints:{package:r.packageName,policy:r.policy,version:r.version},properties:{...r.acceptedRisk?{acknowledged:!0}:{},packageName:r.packageName,packageVersion:r.version,severityLabel:d},ruleId:c})}return{$schema:"https://json.schemastore.org/sarif-2.1.0.json",runs:[{results:i,tool:{driver:{informationUri:e.tool.informationUri,name:e.tool.name,rules:[...t.values()],version:e.tool.version}}}],version:"2.1.0"}},va=["dependencies","devDependencies","optionalDependencies","peerDependencies"],lt=e=>{try{return{path:e,pkg:ut(e)}}catch{return}},wa=e=>{const t=[],i=lt(z(e,"package.json"));i&&t.push({path:i.path,pkg:i.pkg,workspaceName:i.pkg.name});const a=Bt(e);let n;if(a?n=a:i?.pkg.workspaces&&(Array.isArray(i.pkg.workspaces)?n=i.pkg.workspaces:i.pkg.workspaces.packages&&(n=i.pkg.workspaces.packages)),!n)return t;for(const o of Kt(e,n)){const r=lt(z(e,o,"package.json"));r&&t.push({path:r.path,pkg:r.pkg,workspaceName:r.pkg.name})}return t},ya=(e,t)=>{const i=[];for(const a of e)for(const n of va){const o=a.pkg[n]?.[t];typeof o=="string"&&i.push({field:n,manifest:a,range:o})}return i},yt=e=>{const t=wa(e.workspaceRoot),i=[],a=[],n=[],o=new Set;for(const r of e.findings){const c=r.vulnerability.fixedVersions[0];if(!c){n.push({packageName:r.packageName,reason:"no-fixed-version"});continue}const l=ya(t,r.packageName);if(l.length===0){n.push({packageName:r.packageName,reason:"transitive-only"});continue}const d=L.coerce(c),m=d?`^${d.version}`:c,b=d?d.version:c;for(const h of l){const v=`${h.manifest.path}::${h.field}::${r.packageName}::${b}`;if(o.has(v))continue;o.add(v);const 
y=xa(b,h.range),g={currentRange:h.range,field:h.field,inRange:y,manifestPath:h.manifest.path,packageName:r.packageName,targetSpec:m,targetVersion:b,workspaceName:h.manifest.workspaceName};y||e.allowMajor===!0?i.push(g):a.push(g)}}return{apply:i,skippedMajor:a,unmatched:n}},ba=/^(?:workspace|file|link|portal|patch|git\+|git:|github:|npm:|catalog|jsr|http|https):/i,xa=(e,t)=>{if(ba.test(t))return!0;const i=L.coerce(e)?.version??e;try{return L.satisfies(i,t)}catch{return!0}},ka=e=>{const t=[];if(e.apply.length>0){t.push(`Apply (${String(e.apply.length)}):`);for(const i of e.apply){const a=i.workspaceName?` [${i.workspaceName}]`:"";t.push(` + ${i.packageName}: ${i.currentRange} → ${i.targetSpec}${a}`)}}if(e.skippedMajor.length>0){t.push(`Skipped — major bump (${String(e.skippedMajor.length)}, requires --allow-major):`);for(const i of e.skippedMajor){const a=i.workspaceName?` [${i.workspaceName}]`:"";t.push(` ! ${i.packageName}: ${i.currentRange} → ${i.targetSpec}${a}`)}}if(e.unmatched.length>0){const i=e.unmatched.filter(n=>n.reason==="transitive-only"),a=e.unmatched.filter(n=>n.reason==="no-fixed-version");if(i.length>0){t.push(`Transitive only (${String(i.length)}, requires --fix-transitive):`);for(const n of i)t.push(` · ${n.packageName}`)}if(a.length>0){t.push(`No fixed version available (${String(a.length)}):`);for(const n of a)t.push(` · ${n.packageName}`)}}return t.length===0?"No direct-dep fixes to apply.":t.join(`
296
296
  `)},$a=5,Sa=64,Na=(e,t)=>{if(t.length===0)return[];const i=new Set;for(const a of e){if(t.includes(a)){i.add(a);continue}let n=!1;for(const o of t)try{L.satisfies(o,a)&&(i.add(o),n=!0)}catch{}!n&&t.length===1&&i.add(t[0])}return[...i]},Aa=e=>{const t=new Map;for(const n of e.entries){let o=t.get(n.name);o||(o=[],t.set(n.name,o)),o.includes(n.version)||o.push(n.version)}const i=new Map;for(const n of e.entries){const o=`${n.name}@${n.version}`;let r=i.get(o);r||(r=new Map,i.set(o,r));for(const c of[n.dependencies,n.peerDependencies,n.optionalDependencies])if(c)for(const[l,d]of Object.entries(c)){const m=t.get(l)??[],b=Na(d,m);for(const h of b){const v=`${l}@${h}`;r.has(v)||r.set(v,{name:l,version:h})}}}const a=new Map;for(const[n,o]of i)a.set(n,{children:[...o.values()]});return{adjacency:a,versionsByName:t}},Ca=(e,t)=>{const i=t.get(e.name);if(!(!i||i.length===0)){if(i.includes(e.version))return{name:e.name,version:e.version};for(const a of i)try{if(L.satisfies(a,e.version))return{name:e.name,version:a}}catch{}if(i.length===1)return{name:e.name,version:i[0]}}},Ra=(e,t,i={})=>{const a=i.maxPathsPerTarget??$a,n=i.maxDepth??Sa;if(a<=0)return[];const{adjacency:o,versionsByName:r}=Aa(e),c=`${t.name}@${t.version}`,l=[],d=[],m=new Set;for(const v of e.roots){const y=Ca(v,r);if(!y)continue;const g=`${y.name}@${y.version}`;m.has(g)||(m.add(g),d.push(y))}const b=[];for(const v of d){const y=`${v.name}@${v.version}`;if(y===c){if(l.push([v]),l.length>=a)return l;continue}b.push({node:v,path:[v],visited:new Set([y])})}let h=0;for(;h<b.length&&l.length<a;){const v=b[h];if(h+=1,v.path.length>=n)continue;const y=o.get(`${v.node.name}@${v.node.version}`)?.children??[];for(const g of y){const $=`${g.name}@${g.version}`;if(v.visited.has($))continue;const x=[...v.path,g];if($===c){if(l.push(x),l.length>=a)return l;continue}const A=new Set(v.visited);A.add($),b.push({node:g,path:x,visited:A})}}return 
l},Ia={"crates.io":["Cargo.lock"],Go:["go.sum"],Maven:["gradle.lockfile","pom.xml"],PyPI:["uv.lock","poetry.lock","Pipfile.lock"],RubyGems:["Gemfile.lock"]},ja={cargo:"crates.io","crates.io":"crates.io",go:"Go",maven:"Maven",npm:"npm",pypi:"PyPI",rubygems:"RubyGems"},bt=e=>ja[e.toLowerCase()]??e,Ea=(e,t)=>{const i=bt(t),a=Ia[i]??[];for(const n of a){const o=z(e,n);if(yi(o))return o}},Oa=e=>{const t=new Set,i=[];for(const a of e){const n=`${a.name}@${a.version}`;t.has(n)||(t.add(n),i.push(a))}return i},Da=/\[\[package\]\]([\s\S]*?)(?=\[\[|$)/g,Ma=/^\s*name\s*=\s*"([^"]+)"\s*$/m,La=/^\s*version\s*=\s*"([^"]+)"\s*$/m,Ta=e=>{const t=[];for(const i of e.matchAll(Da)){const a=i[1]??"",n=Ma.exec(a)?.[1],o=La.exec(a)?.[1];n&&o&&t.push({isDev:!1,name:n,version:o})}return t},Pa=e=>{let t;try{t=JSON.parse(e)}catch{return[]}if(typeof t!="object"||t===null)return[];const i=[];for(const a of["default","develop"]){const n=t[a];if(!(typeof n!="object"||n===null))for(const[o,r]of Object.entries(n)){if(typeof r!="object"||r===null)continue;const c=r.version;if(typeof c!="string")continue;const l=c.replace(/^==/,"").trim();l.length>0&&i.push({isDev:!1,name:o,version:l})}}return i},Va=/<dependency>([\s\S]*?)<\/dependency>/g,za=/<groupId>\s*([^<\s]+)\s*<\/groupId>/,Wa=/<artifactId>\s*([^<\s]+)\s*<\/artifactId>/,_a=/<version>\s*([^<\s]+)\s*<\/version>/,Ha=e=>{const t=[];for(const i of e.matchAll(Va)){const a=i[1]??"",n=za.exec(a)?.[1],o=Wa.exec(a)?.[1],r=_a.exec(a)?.[1];!n||!o||!r||r.startsWith("${")||t.push({isDev:!1,name:`${n}:${o}`,version:r})}return t},Ua=e=>{const t=[];for(const i of e.split(/\r?\n/)){const a=i.trim();if(a.length===0||a.startsWith("#"))continue;const n=a.indexOf("="),o=(n===-1?a:a.slice(0,n)).split(":");if(o.length<3)continue;const[r,c,l]=o;!r||!c||!l||t.push({isDev:!1,name:`${r}:${c}`,version:l})}return t},Fa=e=>{const t=[];for(const i of e.split(/\r?\n/)){const a=i.trim();if(a.length===0)continue;const 
n=a.split(/\s+/);if(n.length<3)continue;const[o,r]=n;if(!o||!r?.endsWith("/go.mod"))continue;const c=r.slice(0,-7);c.length!==0&&t.push({isDev:!1,name:o,version:c})}return t},Ga=/^ {4}([^ ()]+) \(([^()]+)\)\s*$/,Ba=e=>{const t=[];let i=!1,a=!1;for(const n of e.split(/\r?\n/)){if(n.startsWith("GEM")){i=!0,a=!1;continue}if(i&&/^[A-Z]/.test(n)){i=!1,a=!1;continue}if(i&&n.trim()==="specs:"){a=!0;continue}if(a){const o=Ga.exec(n);if(o){const[,r,c]=o;r&&c&&t.push({isDev:!1,name:r,version:c})}}}return t},Ka=(e,t)=>{const i=Ea(e,t);if(!i)return[];let a;try{a=mt(i,"utf8")}catch{return[]}const n=i.split(/[/\\]/).pop()??"";let o;switch(n){case"Cargo.lock":case"poetry.lock":case"uv.lock":{o=Ta(a);break}case"Gemfile.lock":{o=Ba(a);break}case"go.sum":{o=Fa(a);break}case"gradle.lockfile":{o=Ua(a);break}case"Pipfile.lock":{o=Pa(a);break}case"pom.xml":{o=Ha(a);break}default:return[]}return Oa(o)},qa=["ts","tsx","js","jsx","mjs","cjs","mts","cts"],Ja=[/node_modules/,/\.git/,/\.next/,/\.cache/,/dist/,/build/,/coverage/,/\.turbo/,/\.nx/,/\.parcel-cache/],Ya=["dependencies","devDependencies","peerDependencies","optionalDependencies"],Za=/(?:import|export)\s+(?:[\s\S]*?from\s+)?["']([^"'\n]+)["']/g,Qa=/(?:^|[^.\w$])require\s*\(\s*["']([^"'\n]+)["']\s*\)/g,Xa=/\bimport\s*\(\s*["']([^"'\n]+)["']\s*\)/g,en=e=>{if(e.startsWith(".")||e.startsWith("/")||/^[a-z][a-z0-9+.-]*:/i.test(e))return;const t=e.trim();if(t.length!==0){if(t.startsWith("@")){const i=t.split("/");return i.length<2?void 0:`${i[0]}/${i[1]}`}return t.split("/")[0]}},tn=e=>{const t=new Set,i=e.replaceAll(/\/\*[\s\S]*?\*\//g,"").replaceAll(/(^|[^:])\/\/.*$/gm,"$1"),a=n=>{n.lastIndex=0;let o;for(;(o=n.exec(i))!==null;){const r=en(o[1]);r&&t.add(r)}};return a(Za),a(Qa),a(Xa),t},an=e=>{const t=new Set;try{const i=ut(e);for(const a of Ya){const n=i[a];if(n&&typeof n=="object"&&!Array.isArray(n))for(const o of Object.keys(n))t.add(o)}}catch{}return t},nn=e=>{const t=e.skip??Ja,i=e.extensions??qa,a=new Set;let n=0;const 
o=it(e.workspaceRoot,{extensions:i,includeDirs:!1,skip:t});for(const l of o){n+=1;try{const d=mt(l,"utf8");for(const m of tn(d))a.add(m)}catch{}}const r=it(e.workspaceRoot,{extensions:["json"],includeDirs:!1,skip:t}).filter(l=>l.endsWith("/package.json")||l.endsWith(String.raw`\package.json`)||l.endsWith("package.json"));for(const l of r)for(const d of an(l))a.add(d);if(e.alwaysAssumeUsed)for(const l of e.alwaysAssumeUsed)a.add(l);const c=new Set;for(const l of e.vulnerablePackages)a.has(l)&&c.add(l);return{filesScanned:n,importedTotal:a,reachable:c}},rn=e=>{const t=L.coerce(e)?.major;return t!==void 0&&t>=10},on=e=>Object.fromEntries(Object.entries(e).sort(([t],[i])=>t.localeCompare(i))),sn=(e,t)=>`${JSON.stringify(e,void 0,t)}
297
297
  `,xt=(e,t)=>{if(t.name==="pnpm"&&rn(t.version))return{filePath:z(e,"pnpm-workspace.yaml"),surface:"pnpm-workspace.yaml"};const i=z(e,"package.json");return t.name==="pnpm"?{filePath:i,surface:"package.json#pnpm.overrides"}:t.name==="yarn"?{filePath:i,surface:"package.json#resolutions"}:{filePath:i,surface:"package.json#overrides"}},cn=(e,t)=>{const{filePath:i,surface:a}=xt(e,t);if(!J(i))return{};if(a==="pnpm-workspace.yaml")try{return Ve(i)?.overrides??{}}catch{return{}}try{const n=JSON.parse(be(i));return a==="package.json#pnpm.overrides"?(n.pnpm??{}).overrides??{}:a==="package.json#resolutions"?n.resolutions??{}:n.overrides??{}}catch{return{}}},ln=(e,t)=>{const i=Object.keys(t).sort();if(i.length===0&&!/^overrides\s*:/m.test(e))return e;const a=`overrides:
298
298
  ${i.map(n=>` '${n}': '${t[n]}'`).join(`
@@ -302,14 +302,14 @@ ${i.map(n=>` '${n}': '${t[n]}'`).join(`
302
302
  `}return`${e.endsWith(`
303
303
  `)?e:`${e}
304
304
  `}
305
- ${a}`},pn=(e,t,i,a)=>{const n=Ut(e,t.length>0?t:void 0),o=t.length>0?JSON.parse(t):{};if(i==="package.json#pnpm.overrides"){const r=o.pnpm??{};r.overrides=a,o.pnpm=r}else i==="package.json#resolutions"?o.resolutions=a:o.overrides=a;return sn(o,n)},dn=(e,t,i)=>{const{filePath:a,surface:n}=xt(e,i),o=cn(e,i),r=J(a)?be(a):"",c=[],l={...o};for(const h of t.entries){const v=o[h.packageName];if(v===h.spec){c.push({...h,previousSpec:v,status:"unchanged"});continue}v===void 0?c.push({...h,status:"added"}):c.push({...h,previousSpec:v,status:"updated"}),l[h.packageName]=h.spec}const d=on(l),m=c.some(h=>h.status!=="unchanged"),b=n==="pnpm-workspace.yaml"?ln(r,d):pn(a,r,n,d);return{changed:m,entries:c,filePath:a,nextContent:b,previousContent:r,surface:n}},gn=e=>{if(!e.changed)return e;if(e.surface==="pnpm-workspace.yaml"&&e.previousContent.length===0)throw new Error(`${e.filePath} not found. Run \`pnpm init\` or create pnpm-workspace.yaml before applying overrides for pnpm v10+.`);const t=`${e.filePath}.tmp`;try{bi(t,e.nextContent),xi(t,e.filePath)}catch(i){try{ki(t)}catch{}throw i}return e},fn=e=>{const t=new Map;for(const i of e){const a=i.vulnerability.fixedVersions[0];if(!a)continue;const n=L.coerce(a),o=n?`^${n.version}`:a;t.set(i.packageName,o)}return{entries:[...t.entries()].sort(([i],[a])=>i.localeCompare(a)).map(([i,a])=>({packageName:i,spec:a}))}},un={critical:we,high:dt,low:pt,medium:ye},Te=new Set(["cargo","crates.io","go","maven","npm","pypi","rubygems"]),mn=e=>{const t=(e??"npm").split(",").map(n=>n.trim()).filter(n=>n.length>0),i=t.length>0?t:["npm"],a=i.filter(n=>!Te.has(n.toLowerCase()));return{all:i,unsupported:a}},hn={CRITICAL:we,HIGH:dt,LOW:pt,MODERATE:ye,UNKNOWN:D},vn=(e,t,i,a)=>{const n=hn[i.severity]??D,o=a?` ${D("[acknowledged]")}`:"",r=i.fixedVersions??[],c=r.length>0?` (fix: ${r.join(", ")})`:"";return` ${n(i.severity)} ${i.id} — ${e}@${t}${o}
306
- ${i.summary}${c}`},wn=(e,t)=>{const i=Zt(e),a=`${String(Math.round(e.score.overall*100))}%`,n=t?` ${D("[acknowledged]")}`:"",o=e.alerts.length>0?`, ${String(e.alerts.length)} alert${e.alerts.length===1?"":"s"}`:"";return` ${a} ${i}@${e.version} (${Yt(e.score.overall)}${o})${n}`},yn=new Set(["aube","auto","vis"]),te=e=>e!==void 0&&yn.has(e),bn=(e,t,i)=>{if(e!==void 0&&!te(e))throw new Error(`Invalid --backend value '${e}'. Expected one of: aube, auto, vis.`);const a=process.env.VIS_AUDIT_BACKEND;if(a!==void 0&&a!==""&&!te(a))throw new Error(`Invalid VIS_AUDIT_BACKEND value '${a}'. Expected one of: aube, auto, vis.`);const n=te(a)?a:void 0,o=te(t)?t:void 0,r=(te(e)?e:void 0)??n??o??"auto";return r==="aube"?"aube":r==="vis"?"vis":(i?.install?.backend??process.env.VIS_INSTALLER)==="aube"&&Qt("aube")!==null?"aube":"vis"},xn=e=>{if(e!==void 0)switch(e){case"critical":return"critical";case"high":return"high";case"low":return"low";case"medium":return"moderate";default:return e}},kn=(e,t,i)=>{const a=["audit"],n=xn(t.severity);n!==void 0&&a.push("--audit-level",n),(t.prodOnly===!0||t.prod===!0)&&a.push("--prod"),(t.json===!0||t.format==="json")&&a.push("--json");const o=t.fix===!0;t["fix-transitive"]===!0||t.fixTransitive===!0?a.push("--fix=override"):o&&a.push("--fix=update");const r=[];t.offline===!0&&r.push("--offline (aube has its own offline cache)"),(t.format==="sarif"||t.format==="csaf"||t.format==="cyclonedx"||t.format==="cyclonedx-vex"||t.format==="gitlab"||t.format==="junit")&&r.push(`--format=${String(t.format)} (only json/text is forwarded to aube)`),r.length>0&&u.warn(`Delegating to 'aube audit'. Skipping vis-only flags: ${r.join(", ")}`);const c=Dt("aube",a,{cwd:e,stdio:"inherit"});if(c.error){const{code:l}=c.error;return l==="ENOENT"?u.error("Backend 'aube' selected but the 'aube' binary was not found on PATH. 
Install aube or run with --backend vis."):u.error(`Failed to spawn aube: ${c.error.message}`),1}return c.status??1},$n=async(e,t,i,a,n)=>{if(bn(i.backend,a?.security?.audit?.backend,a)==="aube"){process.exitCode=kn(t,i);return}const o=i.severity??"low",r=i.format??"table",c=r==="sarif",l=r==="csaf",d=r==="cyclonedx-vex"||r==="cyclonedx",m=r==="gitlab",b=r==="junit",h=r==="json"||!!i.json,v=i.report,y=a?.security?.audit,g=a?.security?.policies,$=i.offline===void 0?!!y?.offlineByDefault:!!i.offline,x=i.db,A=mn(i.ecosystem),q=!!i.prodOnly,M=i.failOn??g?.vulnerability?.failOn,St=!!i.showFixes,ne=!!i.showAccepted,$e=a?.security?.acceptedRisks,We=g?.vulnerability?.usage,Nt=i.noUsage?!1:i.usage===void 0?!!We?.enabled:!!i.usage,I=h||c||l||d||m||b,_e=i.explain,Se=_e!==void 0,He=Se&&!c&&!l&&!d&&!m&&!b;if(Se&&$){u.error("`--explain` needs network access and cannot run in offline mode (--offline or security.audit.offlineByDefault)."),process.exitCode=1;return}Se&&!He&&u.warn(`\`--explain\` has no effect with --format=${r}; explanations are only rendered in table, json, and HTML output.`);const O=ai(t),C=Li(t,O.name);if($){const s=x??ui(t);if(!await e.access(s).then(()=>!0).catch(()=>!1)){const p=new et(s);I?process.stderr.write(`${p.message}
305
+ ${a}`},pn=(e,t,i,a)=>{const n=qt(e,t.length>0?t:void 0),o=t.length>0?JSON.parse(t):{};if(i==="package.json#pnpm.overrides"){const r=o.pnpm??{};r.overrides=a,o.pnpm=r}else i==="package.json#resolutions"?o.resolutions=a:o.overrides=a;return sn(o,n)},dn=(e,t,i)=>{const{filePath:a,surface:n}=xt(e,i),o=cn(e,i),r=J(a)?be(a):"",c=[],l={...o};for(const h of t.entries){const v=o[h.packageName];if(v===h.spec){c.push({...h,previousSpec:v,status:"unchanged"});continue}v===void 0?c.push({...h,status:"added"}):c.push({...h,previousSpec:v,status:"updated"}),l[h.packageName]=h.spec}const d=on(l),m=c.some(h=>h.status!=="unchanged"),b=n==="pnpm-workspace.yaml"?ln(r,d):pn(a,r,n,d);return{changed:m,entries:c,filePath:a,nextContent:b,previousContent:r,surface:n}},gn=e=>{if(!e.changed)return e;if(e.surface==="pnpm-workspace.yaml"&&e.previousContent.length===0)throw new Error(`${e.filePath} not found. Run \`pnpm init\` or create pnpm-workspace.yaml before applying overrides for pnpm v10+.`);const t=`${e.filePath}.tmp`;try{bi(t,e.nextContent),xi(t,e.filePath)}catch(i){try{ki(t)}catch{}throw i}return e},fn=e=>{const t=new Map;for(const i of e){const a=i.vulnerability.fixedVersions[0];if(!a)continue;const n=L.coerce(a),o=n?`^${n.version}`:a;t.set(i.packageName,o)}return{entries:[...t.entries()].sort(([i],[a])=>i.localeCompare(a)).map(([i,a])=>({packageName:i,spec:a}))}},un={critical:we,high:dt,low:pt,medium:ye},Te=new Set(["cargo","crates.io","go","maven","npm","pypi","rubygems"]),mn=e=>{const t=(e??"npm").split(",").map(n=>n.trim()).filter(n=>n.length>0),i=t.length>0?t:["npm"],a=i.filter(n=>!Te.has(n.toLowerCase()));return{all:i,unsupported:a}},hn={CRITICAL:we,HIGH:dt,LOW:pt,MODERATE:ye,UNKNOWN:D},vn=(e,t,i,a)=>{const n=hn[i.severity]??D,o=a?` ${D("[acknowledged]")}`:"",r=i.fixedVersions??[],c=r.length>0?` (fix: ${r.join(", ")})`:"";return` ${n(i.severity)} ${i.id} — ${e}@${t}${o}
306
+ ${i.summary}${c}`},wn=(e,t)=>{const i=ii(e),a=`${String(Math.round(e.score.overall*100))}%`,n=t?` ${D("[acknowledged]")}`:"",o=e.alerts.length>0?`, ${String(e.alerts.length)} alert${e.alerts.length===1?"":"s"}`:"";return` ${a} ${i}@${e.version} (${ti(e.score.overall)}${o})${n}`},yn=new Set(["aube","auto","vis"]),te=e=>e!==void 0&&yn.has(e),bn=(e,t,i)=>{if(e!==void 0&&!te(e))throw new Error(`Invalid --backend value '${e}'. Expected one of: aube, auto, vis.`);const a=process.env.VIS_AUDIT_BACKEND;if(a!==void 0&&a!==""&&!te(a))throw new Error(`Invalid VIS_AUDIT_BACKEND value '${a}'. Expected one of: aube, auto, vis.`);const n=te(a)?a:void 0,o=te(t)?t:void 0,r=(te(e)?e:void 0)??n??o??"auto";return r==="aube"?"aube":r==="vis"?"vis":(i?.install?.backend??process.env.VIS_INSTALLER)==="aube"&&Pt("aube")!==null?"aube":"vis"},xn=e=>{if(e!==void 0)switch(e){case"critical":return"critical";case"high":return"high";case"low":return"low";case"medium":return"moderate";default:return e}},kn=(e,t,i)=>{const a=["audit"],n=xn(t.severity);n!==void 0&&a.push("--audit-level",n),(t.prodOnly===!0||t.prod===!0)&&a.push("--prod"),(t.json===!0||t.format==="json")&&a.push("--json");const o=t.fix===!0;t["fix-transitive"]===!0||t.fixTransitive===!0?a.push("--fix=override"):o&&a.push("--fix=update");const r=[];t.offline===!0&&r.push("--offline (aube has its own offline cache)"),(t.format==="sarif"||t.format==="csaf"||t.format==="cyclonedx"||t.format==="cyclonedx-vex"||t.format==="gitlab"||t.format==="junit")&&r.push(`--format=${String(t.format)} (only json/text is forwarded to aube)`),r.length>0&&u.warn(`Delegating to 'aube audit'. Skipping vis-only flags: ${r.join(", ")}`);const c=Dt("aube",a,{cwd:e,stdio:"inherit"});if(c.error){const{code:l}=c.error;return l==="ENOENT"?u.error("Backend 'aube' selected but the 'aube' binary was not found on PATH. 
Install aube or run with --backend vis."):u.error(`Failed to spawn aube: ${c.error.message}`),1}return c.status??1},$n=async(e,t,i,a,n)=>{if(bn(i.backend,a?.security?.audit?.backend,a)==="aube"){process.exitCode=kn(t,i);return}const o=i.severity??"low",r=i.format??"table",c=r==="sarif",l=r==="csaf",d=r==="cyclonedx-vex"||r==="cyclonedx",m=r==="gitlab",b=r==="junit",h=r==="json"||!!i.json,v=i.report,y=a?.security?.audit,g=a?.security?.policies,$=i.offline===void 0?!!y?.offlineByDefault:!!i.offline,x=i.db,A=mn(i.ecosystem),q=!!i.prodOnly,M=i.failOn??g?.vulnerability?.failOn,St=!!i.showFixes,ne=!!i.showAccepted,$e=a?.security?.acceptedRisks,We=g?.vulnerability?.usage,Nt=i.noUsage?!1:i.usage===void 0?!!We?.enabled:!!i.usage,I=h||c||l||d||m||b,_e=i.explain,Se=_e!==void 0,He=Se&&!c&&!l&&!d&&!m&&!b;if(Se&&$){u.error("`--explain` needs network access and cannot run in offline mode (--offline or security.audit.offlineByDefault)."),process.exitCode=1;return}Se&&!He&&u.warn(`\`--explain\` has no effect with --format=${r}; explanations are only rendered in table, json, and HTML output.`);const O=ai(t),C=Li(t,O.name);if($){const s=x??ui(t);if(!await e.access(s).then(()=>!0).catch(()=>!1)){const p=new et(s);I?process.stderr.write(`${p.message}
307
307
  `):u.error(p.message),process.exitCode=1;return}}!I&&(C.ignoredAdvisories.length>0||C.excludedPackages.length>0)&&u.info(`Loaded ${String(C.ignoredAdvisories.length)} ignored advisor${C.ignoredAdvisories.length===1?"y":"ies"} and ${String(C.excludedPackages.length)} excluded package${C.excludedPackages.length===1?"":"s"} from ${O.name} config.`),!I&&A.unsupported.length>0&&u.warn(`Ecosystems ${A.unsupported.map(s=>`'${s}'`).join(", ")} are not yet supported by the audit matcher. Supported: npm, pypi, crates.io, cargo, maven, go, rubygems.`);const P=mi(t,O.name,{includeDev:!q});if(P.length===0){u.info(`No ${O.name} lockfile entries found. Run ${O.name} install first.`);return}if(!I){const s=q?"production-only packages":"installed packages";u.info(`Scanning ${String(P.length)} ${s}${$?" (offline)":""}…`)}const re=P.map(s=>({name:s.name,version:s.version})),oe=a?.security?.audit?.advisories?.bloom?.mode??"off";let W=[];if(oe!=="off")try{const s=await $i(t,{softFail:oe==="on"});if(s){if(W=Si(s,re).map(p=>({name:p.name,version:p.version})),!I&&W.length>0){u.warn(`osv-bloom prefilter flagged ${String(W.length)} package${W.length===1?"":"s"} as possibly malicious (MAL-*). Confirming via the advisory query path…`);const p=10;for(const f of W.slice(0,p))u.warn(` ${we("[bloom]")} ${f.name}@${f.version}`);W.length>p&&u.warn(` …and ${String(W.length-p)} more (full list in --format json output)`)}}else I||u.info(D("osv-bloom cache absent — skipping prefilter (run `vis advisories bloom sync` to enable)."))}catch(s){if(s instanceof Ni&&oe==="required"){const f=`${s.message} (security.audit.advisories.bloom.mode = "required")`;I?process.stderr.write(`${f}
308
308
  `):u.error(f),process.exitCode=1;return}const p=s instanceof Error?s.message:String(s);if(oe==="required"){I?process.stderr.write(`osv-bloom prefilter failed: ${p}
309
- `):u.error(`osv-bloom prefilter failed: ${p}`),process.exitCode=1;return}I||u.warn(`osv-bloom prefilter failed (continuing): ${p}`)}const se=new Set;$?se.add("socket").add("deps-dev"):(Qe("socket")&&se.add("socket"),Qe("depsDev")&&se.add("deps-dev"));const Ne=Ft(a?.security,{disabled:se,minimumScore:g?.score?.minimum}),Ae=Ne.length>0,At=Ne.map(s=>s.displayName).join(" + "),ce=g?.score?.minimum??Jt,G=hi(t,O.name),Ct=[{id:"vulnerabilities",label:$?"Known vulnerabilities (offline OSV cache)":"Known vulnerabilities (OSV)"},...Ae?[{id:"security",label:`Supply-chain reports (${At})`}]:[]],V=fi(Ct,{live:!I}),Rt=Date.now(),B=s=>{const p=Date.now()-s;return p>=1e3?`${(p/1e3).toFixed(1)}s`:`${String(Math.round(p))}ms`};let Ce,Re;try{const s=Date.now(),p=Date.now();V.start("vulnerabilities"),Ae&&V.start("security");const f=$?Promise.resolve().then(()=>tt(re,{dbPath:x,ecosystem:A.all.find(w=>Te.has(w.toLowerCase()))??"npm",workspaceRoot:t})).then(w=>{let k=0;for(const N of w.values())k+=N.length;return V.finish("vulnerabilities",k>0?"warn":"ok",k>0?`${String(k)} found · ${B(s)}`:`none found · ${B(s)}`),w}).catch(w=>{const k=w instanceof Error?w.message:String(w);if(V.finish("vulnerabilities","error",k),w instanceof et)throw w;return new Map}):Gt(re).then(w=>{let k=0;for(const N of w.values())k+=N.length;return V.finish("vulnerabilities",k>0?"warn":"ok",k>0?`${String(k)} found · ${B(s)}`:`none found · ${B(s)}`),w}).catch(w=>{const k=w instanceof Error?w.message:String(w);return V.finish("vulnerabilities","error",k),new Map});[Ce,Re]=await Promise.all([f,Ae?Bt(Ne,re).then(w=>{let k=0,N=0;for(const X of w.values())k+=X.alerts.length,X.score.overall<ce&&(N+=1);const E=k+N;return V.finish("security",E>0?"warn":"ok",E>0?`${String(k)} alert${k===1?"":"s"}, ${String(N)} low-score · ${B(p)}`:`clean · ${B(p)}`),w}).catch(w=>{const k=w instanceof Error?w.message:String(w);return V.finish("security","error",k),new Map}):Promise.resolve(new Map)])}finally{V.stop()}h||u.info(D(`Scan 
completed in ${B(Rt)}`));const le=[];for(const s of P){if(Ti(s.name,C))continue;const p=Ce.get(s.name)??[],f=Re.get(`${s.name}@${s.version}`),w=Xe(s.name,s.version,$e),k=p.length>0,N=f?f.score.overall<ce:!1,E=f?f.alerts.length>0:!1;(k||N||E)&&le.push({acceptedRisk:w,name:s.name,socketReport:f,version:s.version,vulnerabilities:p})}if($){const s=A.all.filter(p=>Te.has(p.toLowerCase())&&p.toLowerCase()!=="npm");for(const p of s){const f=bt(p),w=Ka(t,f);if(w.length!==0){I||u.info(D(`Scanning ${String(w.length)} ${f} packages…`));try{const k=tt(w.map(N=>({name:N.name,version:N.version})),{dbPath:x,ecosystem:f,workspaceRoot:t});for(const N of w){const E=k.get(N.name)??[];E.length!==0&&le.push({acceptedRisk:Xe(N.name,N.version,$e),name:N.name,version:N.version,vulnerabilities:E})}}catch(k){const N=k instanceof Error?k.message:String(k);u.warn(`Failed to scan ${f}: ${N}`)}}}}let R=le.filter(s=>{const p=s.vulnerabilities.some(k=>he(k.severity,o)),f=s.socketReport?.alerts.some(k=>he(k.severity==="medium"?"MODERATE":k.severity.toUpperCase(),o)),w=s.socketReport&&s.socketReport.score.overall<ce;return p||f||w});const It=i.policies,Ue=[],j=await(async()=>{const s=si().map(E=>`'${E}'`).join(", "),p=ri(It,E=>{Ue.push(E);const X=`Unknown policy '${E}' — ignoring. Available: ${s}.`;I?process.stderr.write(`vis audit: ${X}
309
+ `):u.error(`osv-bloom prefilter failed: ${p}`),process.exitCode=1;return}I||u.warn(`osv-bloom prefilter failed (continuing): ${p}`)}const se=new Set;$?se.add("socket").add("deps-dev"):(Qe("socket")&&se.add("socket"),Qe("depsDev")&&se.add("deps-dev"));const Ne=Jt(a?.security,{disabled:se,minimumScore:g?.score?.minimum}),Ae=Ne.length>0,At=Ne.map(s=>s.displayName).join(" + "),ce=g?.score?.minimum??ei,G=hi(t,O.name),Ct=[{id:"vulnerabilities",label:$?"Known vulnerabilities (offline OSV cache)":"Known vulnerabilities (OSV)"},...Ae?[{id:"security",label:`Supply-chain reports (${At})`}]:[]],V=fi(Ct,{live:!I}),Rt=Date.now(),B=s=>{const p=Date.now()-s;return p>=1e3?`${(p/1e3).toFixed(1)}s`:`${String(Math.round(p))}ms`};let Ce,Re;try{const s=Date.now(),p=Date.now();V.start("vulnerabilities"),Ae&&V.start("security");const f=$?Promise.resolve().then(()=>tt(re,{dbPath:x,ecosystem:A.all.find(w=>Te.has(w.toLowerCase()))??"npm",workspaceRoot:t})).then(w=>{let k=0;for(const N of w.values())k+=N.length;return V.finish("vulnerabilities",k>0?"warn":"ok",k>0?`${String(k)} found · ${B(s)}`:`none found · ${B(s)}`),w}).catch(w=>{const k=w instanceof Error?w.message:String(w);if(V.finish("vulnerabilities","error",k),w instanceof et)throw w;return new Map}):Yt(re).then(w=>{let k=0;for(const N of w.values())k+=N.length;return V.finish("vulnerabilities",k>0?"warn":"ok",k>0?`${String(k)} found · ${B(s)}`:`none found · ${B(s)}`),w}).catch(w=>{const k=w instanceof Error?w.message:String(w);return V.finish("vulnerabilities","error",k),new Map});[Ce,Re]=await Promise.all([f,Ae?Zt(Ne,re).then(w=>{let k=0,N=0;for(const X of w.values())k+=X.alerts.length,X.score.overall<ce&&(N+=1);const E=k+N;return V.finish("security",E>0?"warn":"ok",E>0?`${String(k)} alert${k===1?"":"s"}, ${String(N)} low-score · ${B(p)}`:`clean · ${B(p)}`),w}).catch(w=>{const k=w instanceof Error?w.message:String(w);return V.finish("security","error",k),new Map}):Promise.resolve(new Map)])}finally{V.stop()}h||u.info(D(`Scan 
completed in ${B(Rt)}`));const le=[];for(const s of P){if(Ti(s.name,C))continue;const p=Ce.get(s.name)??[],f=Re.get(`${s.name}@${s.version}`),w=Xe(s.name,s.version,$e),k=p.length>0,N=f?f.score.overall<ce:!1,E=f?f.alerts.length>0:!1;(k||N||E)&&le.push({acceptedRisk:w,name:s.name,socketReport:f,version:s.version,vulnerabilities:p})}if($){const s=A.all.filter(p=>Te.has(p.toLowerCase())&&p.toLowerCase()!=="npm");for(const p of s){const f=bt(p),w=Ka(t,f);if(w.length!==0){I||u.info(D(`Scanning ${String(w.length)} ${f} packages…`));try{const k=tt(w.map(N=>({name:N.name,version:N.version})),{dbPath:x,ecosystem:f,workspaceRoot:t});for(const N of w){const E=k.get(N.name)??[];E.length!==0&&le.push({acceptedRisk:Xe(N.name,N.version,$e),name:N.name,version:N.version,vulnerabilities:E})}}catch(k){const N=k instanceof Error?k.message:String(k);u.warn(`Failed to scan ${f}: ${N}`)}}}}let R=le.filter(s=>{const p=s.vulnerabilities.some(k=>he(k.severity,o)),f=s.socketReport?.alerts.some(k=>he(k.severity==="medium"?"MODERATE":k.severity.toUpperCase(),o)),w=s.socketReport&&s.socketReport.score.overall<ce;return p||f||w});const It=i.policies,Ue=[],j=await(async()=>{const s=si().map(E=>`'${E}'`).join(", "),p=ri(It,E=>{Ue.push(E);const X=`Unknown policy '${E}' — ignoring. Available: ${s}.`;I?process.stderr.write(`vis audit: ${X}
310
310
  `):u.warn(X)});if(p?.size===0)return[];const f=a?.security?.policies?.license,w=!!(f&&((f.allow?.length??0)>0||(f.deny?.length??0)>0)),k=p===void 0||p.has("license"),N=w&&k?wi(t):void 0;return oi({manifestData:N,offline:$,osvFindings:Ce,packageManager:O.name,packages:P,socketReports:Re,workspaceRoot:t},"audit",{enabledPolicies:p,visConfig:a??{}})})();if(Nt){const s=new Set(R.filter(f=>f.vulnerabilities.length>0).map(f=>f.name)),p=nn({alwaysAssumeUsed:We?.alwaysAssumeUsed,vulnerablePackages:s,workspaceRoot:t});R=R.filter(f=>f.vulnerabilities.length===0?!0:p.reachable.has(f.name)),I||u.info(D(`Reachability filter: ${String(p.reachable.size)}/${String(s.size)} vulnerable packages reachable (${String(p.filesScanned)} files scanned).`))}const Fe=vi(t,O.name),Ge=Fe?R.map(s=>{const p=Ra(Fe,{name:s.name,version:s.version});return{...s,dependencyPaths:p}}):R.map(s=>({...s,dependencyPaths:[]})),_=()=>Ge.flatMap(s=>s.vulnerabilities.map(p=>({acknowledged:!!s.acceptedRisk||ae(p.id,C,p.aliases),dependencyPaths:s.dependencyPaths,packageName:s.name,packageVersion:s.version,vulnerability:p}))),Be=!!i.fix,Ke=!!i.fixTransitive,qe=!!i.yes,jt=!!i.allowMajor;if(Be||Ke){const s=_().filter(p=>!p.acknowledged);if(Be){const p=await Nn({actionableFindings:s,allowMajor:jt,pm:O,workspaceRoot:t,yes:qe});if(p!==void 0){process.exitCode=p;return}}if(Ke){const p=await An({actionableFindings:s,pm:O,visConfig:a,workspaceRoot:t,yes:qe});if(p!==void 0){process.exitCode=p;return}}}const pe=new Map;if(He){const s=Ci(_().filter(f=>!f.acknowledged).map(f=>({packageName:f.packageName,packageVersion:f.packageVersion,vulnerability:f.vulnerability})).sort(gt),_e),p=await Mi(s,a?.ai,{info:f=>{u.info(f)},warn:f=>{u.warn(f)}});for(const[f,w]of p)pe.set(f,w)}if(c){const s=ha({findings:_(),policyDecisions:j,tool:{informationUri:"https://github.com/visulima/visulima",name:"vis-audit",version:"alpha"},workspaceRoot:t});process.stdout.write(`${JSON.stringify(s,void 0,2)}
311
311
  `),ie(R,C,i.exitCode,M,j);return}if(l){const s=ra({findings:_(),tool:{informationUri:"https://github.com/visulima/visulima",name:"vis-audit",version:"alpha"}});process.stdout.write(`${JSON.stringify(s,void 0,2)}
312
- `),ie(R,C,i.exitCode,M,j);return}if(d){const{packageJsons:s,workspace:p}=Kt(t,a),f=qt(t,p,s),w=pi({includeDev:!q,projectGraph:f,workspace:p,workspaceRoot:t}),k=ca({bom:w,findings:_()});process.stdout.write(`${JSON.stringify(k,void 0,2)}
312
+ `),ie(R,C,i.exitCode,M,j);return}if(d){const{packageJsons:s,workspace:p}=Qt(t,a),f=Xt(t,p,s),w=pi({includeDev:!q,projectGraph:f,workspace:p,workspaceRoot:t}),k=ca({bom:w,findings:_()});process.stdout.write(`${JSON.stringify(k,void 0,2)}
313
313
  `),ie(R,C,i.exitCode,M,j);return}if(m){const s=fa({findings:_(),policyDecisions:j,tool:{informationUri:"https://github.com/visulima/visulima",name:"vis-audit",version:"alpha"},workspaceRoot:t});process.stdout.write(`${JSON.stringify(s,void 0,2)}
314
314
  `),ie(R,C,i.exitCode,M,j);return}if(b){const s=ma({findings:_(),policyDecisions:j});process.stdout.write(s),ie(R,C,i.exitCode,M,j);return}const Ie={informationUri:"https://github.com/visulima/visulima",name:"vis-audit",version:"alpha"},de=zi({bloomHits:W,duplicates:G,explanations:pe,filtered:Ge,packagesScanned:P.length,policyDecisions:j,tool:Ie,unknownPolicyTokens:Ue,workspaceRoot:t});if(v){const s=aa({findings:_().map(f=>{const w=pe.get(xe({packageName:f.packageName,packageVersion:f.packageVersion,vulnerability:f.vulnerability}));return w?{...f,explanation:w}:f}),packagesScanned:P.length,policyDecisions:j,report:de,tool:{name:Ie.name,version:Ie.version}}),p=Tt(t,v);await e.writeFile(p,s,"utf8"),I||u.success(`HTML report written to ${p}`)}if(h){process.stdout.write(`${JSON.stringify(de,void 0,2)}
315
315
  `),i.exitCode&&(de.summary.issues>0||de.summary.policyBlocks>0)&&(process.exitCode=1),Pe(R,C,M,j);return}if(R.length===0){u.success(`No security issues found across ${String(P.length)} packages.`);return}const Z={CRITICAL:[],HIGH:[],LOW:[],MODERATE:[]};for(const s of R)for(const p of s.vulnerabilities)if(he(p.severity,o)){const f=p.severity==="UNKNOWN"?"LOW":p.severity;Z[f]?.push({entry:s,vuln:p})}let ge=0,je=0;for(const s of["CRITICAL","HIGH","MODERATE","LOW"]){const p=Z[s];if(!(!p||p.length===0)){u.info(`
@@ -319,4 +319,4 @@ ${a}`},pn=(e,t,i,a)=>{const n=Ut(e,t.length>0?t:void 0),o=t.length>0?JSON.parse(
319
319
  ── Duplicate Dependencies (${String(G.length)}) ──`);for(const s of G){const p=s.versions.join(", ");u.info(` ${s.name} — ${String(s.versions.length)} versions: ${ye(p)}`)}}const Je=new Set;for(const s of["CRITICAL","HIGH","MODERATE","LOW"]){const p=Z[s];if(p)for(const{vuln:f}of p)Je.add(f.id)}const Ee=j.filter(s=>{if(s.policy!=="vulnerability")return!0;const p=typeof s.data?.advisoryId=="string"?s.data.advisoryId:void 0;return s.severity==="block"&&p!==void 0&&!Je.has(p)});if(Ee.length>0){u.info(`
320
320
  ── Policy Decisions (${String(Ee.length)}) ──`);for(const s of Ee){const p=!!s.acceptedRisk;if(p&&!ne)continue;const f=s.severity==="block"?we:s.severity==="warn"?ye:D,w=p?` ${D("[acknowledged]")}`:"";u.info(` ${f(`[${s.severity}]`)} ${s.policy} — ${s.reason}${w}`)}}const fe=s=>!!s.acceptedRisk||s.vulnerabilities.length>0&&s.vulnerabilities.every(p=>ae(p.id,C,p.aliases)),Ye=R.filter(s=>!fe(s)).length;if(u.info(""),u.info("─ Audit Summary"),u.info(` ${String(P.length)} packages scanned`),C.ignoredAdvisories.length>0&&u.info(` ${String(C.ignoredAdvisories.length)} ${O.name} audit exclusion${C.ignoredAdvisories.length===1?"":"s"} applied`),ge>0){const s=Z.CRITICAL?.filter(f=>!fe(f.entry)).length??0,p=Z.HIGH?.filter(f=>!fe(f.entry)).length??0;u.error(` ${String(ge)} vulnerabilit${ge===1?"y":"ies"} found`),s>0&&u.error(` ${String(s)} critical`),p>0&&u.warn(` ${String(p)} high`)}else u.success(" No vulnerabilities found");if(Q.length>0){const s=Q.filter(p=>!fe(p)).length;u.warn(` ${String(s)} package${s===1?"":"s"} with Socket.dev supply chain issues`)}G.length>0&&(u.warn(` ${String(G.length)} package${G.length===1?"":"s"} with duplicate versions`),u.notice(" Run 'vis dedupe' or your package manager's dedupe command to reduce duplicates."));const ue=j.filter(s=>s.severity==="block"&&!s.acceptedRisk);if(ue.length>0&&u.error(` ${String(ue.length)} policy block${ue.length===1?"":"s"}`),je>0&&(u.info(` ${String(je)} acknowledged (accepted risks)`),ne||u.notice(" Use --show-accepted to see acknowledged issues.")),Ye===0&&u.success(`
321
321
  All issues are acknowledged. No action required.`),i.sync&&$e){const s=new Set;for(const f of le)if(f.acceptedRisk){for(const w of f.vulnerabilities)if((w.id.startsWith("CVE-")||w.id.startsWith("GHSA-"))&&s.add(w.id),w.aliases)for(const k of w.aliases)(k.startsWith("CVE-")||k.startsWith("GHSA-"))&&s.add(k)}const p=[...s];if(p.length>0){u.info("");const f=Pi(O.name,t,p);for(const w of f)u.success(` ${w}`)}else u.info(`
322
- No advisory IDs to sync to native PM config.`)}i.exitCode&&(Ye>0||ue.length>0)&&(process.exitCode=1),Pe(R,C,M,j)},kt=e=>!e||e.length===0?!1:e.some(t=>t.severity==="block"&&!t.acceptedRisk),Pe=(e,t,i,a)=>{kt(a)&&(process.exitCode=1),i&&e.some(n=>n.vulnerabilities.some(o=>n.acceptedRisk||ae(o.id,t,o.aliases)?!1:he(o.severity,i)))&&(process.exitCode=1)},ie=(e,t,i,a,n)=>{i&&(e.filter(o=>!o.acceptedRisk&&o.vulnerabilities.some(r=>!ae(r.id,t,r.aliases))).length>0||kt(n))&&(process.exitCode=1),Pe(e,t,a,n)},$t=async(e,t)=>{if(!process.stdin.isTTY)return t;const i=Mt({input:process.stdin,output:process.stderr});try{const a="[y/N]",n=await new Promise(o=>{i.question(`${e} ${D(a)} `,r=>{o(r.trim())})});return n.length===0?t:n.toLowerCase().startsWith("y")}finally{i.close()}},Sn=e=>e==="pnpm"||e==="npm"||e==="yarn"||e==="bun",Nn=async e=>{const t=yt({allowMajor:e.allowMajor,findings:e.actionableFindings,workspaceRoot:e.workspaceRoot});if(u.info(""),u.info("─ Apply (direct deps)"),u.info(ka(t)),t.apply.length===0){u.info("Nothing to apply for direct deps.");return}if(De&&!e.yes)return u.error("Refusing to run --fix in CI without --yes. Re-run with --yes once the plan above looks right."),1;if(!e.yes&&!await $t("Apply these direct-dep upgrades?",!1))return u.info("Aborted — no changes made."),0;const i=new Map;for(const a of t.apply){const n=a.workspaceName??"",o=i.get(n);o?o.push(a):i.set(n,[a])}for(const[a,n]of i){const o=n.map(l=>`${l.packageName}@${l.targetSpec}`),r=a.length>0?[a]:[];u.info(`Running ${e.pm.name} add ${o.join(" ")}${a.length>0?` --filter ${a}`:""}`);const c=ni(e.pm,{exact:!1,filter:r,global:!1,optional:!1,packages:o,peer:!1,saveDev:!1,workspace:!1,workspaceRoot:!1},e.workspaceRoot,console);if(c!==0)return u.error(`${e.pm.name} add exited ${String(c)} — aborting before rescan.`),c}return u.success("Direct-dep upgrades applied. 
Re-run `vis audit` to confirm the fixes landed."),0},An=async e=>{if(!Sn(e.pm.name))return u.error(`--fix-transitive is not supported for package manager "${e.pm.name}". Use pnpm, npm, yarn, or bun.`),1;const t=!!e.visConfig?.security?.audit?.apply?.transitive?.enabled;if(De&&(!e.yes||!t))return u.error("Refusing to run --fix-transitive in CI without both --yes and security.audit.apply.transitive.enabled = true. Overrides have a higher blast radius than direct bumps — gate on config."),1;const i=new Set(yt({findings:e.actionableFindings,workspaceRoot:e.workspaceRoot}).apply.map(r=>r.packageName)),a=e.actionableFindings.filter(r=>!i.has(r.packageName)),n=fn(a);if(n.entries.length===0){u.info(""),u.info("─ Apply transitive (overrides)"),u.info("Nothing to override — all vulnerable packages are direct deps or have no fixed version.");return}const o=dn(e.workspaceRoot,n,{name:e.pm.name,version:e.pm.version});u.info(""),u.info("─ Apply transitive (overrides)"),u.info(`Target: ${o.filePath} (${o.surface})`);for(const r of o.entries){const c=r.status==="added"?"+":r.status==="updated"?"~":"·",l=r.previousSpec?` (was ${r.previousSpec})`:"";u.info(` ${c} ${r.packageName}: ${r.spec}${l}`)}if(!o.changed){u.info("No changes — overrides already match the plan.");return}if(!e.yes){if(De)return 1;if(!await $t("Write these overrides?",!1))return u.info("Aborted — no changes made."),0}try{gn(o)}catch(r){const c=r instanceof Error?r.message:String(r);return u.error(`Failed to write overrides: ${c}`),1}return u.success(`Wrote ${String(o.entries.filter(r=>r.status!=="unchanged").length)} override${o.entries.length===1?"":"s"}. Run \`${e.pm.name} install\` then re-run \`vis audit\` to confirm the fixes landed.`),0},Gn=async({fs:e,logger:t,options:i,visConfig:a,workspaceRoot:n})=>{if(!n)throw new Error("Could not determine workspace root. Run this command inside a monorepo.");await $n(e,n,i,a)};export{Gn as default,xn as mapSeverityToAube,bn as resolveAuditBackend};
322
+ No advisory IDs to sync to native PM config.`)}i.exitCode&&(Ye>0||ue.length>0)&&(process.exitCode=1),Pe(R,C,M,j)},kt=e=>!e||e.length===0?!1:e.some(t=>t.severity==="block"&&!t.acceptedRisk),Pe=(e,t,i,a)=>{kt(a)&&(process.exitCode=1),i&&e.some(n=>n.vulnerabilities.some(o=>n.acceptedRisk||ae(o.id,t,o.aliases)?!1:he(o.severity,i)))&&(process.exitCode=1)},ie=(e,t,i,a,n)=>{i&&(e.filter(o=>!o.acceptedRisk&&o.vulnerabilities.some(r=>!ae(r.id,t,r.aliases))).length>0||kt(n))&&(process.exitCode=1),Pe(e,t,a,n)},$t=async(e,t)=>{if(!process.stdin.isTTY)return t;const i=Mt({input:process.stdin,output:process.stderr});try{const a="[y/N]",n=await new Promise(o=>{i.question(`${e} ${D(a)} `,r=>{o(r.trim())})});return n.length===0?t:n.toLowerCase().startsWith("y")}finally{i.close()}},Sn=e=>e==="pnpm"||e==="npm"||e==="yarn"||e==="bun",Nn=async e=>{const t=yt({allowMajor:e.allowMajor,findings:e.actionableFindings,workspaceRoot:e.workspaceRoot});if(u.info(""),u.info("─ Apply (direct deps)"),u.info(ka(t)),t.apply.length===0){u.info("Nothing to apply for direct deps.");return}if(De&&!e.yes)return u.error("Refusing to run --fix in CI without --yes. Re-run with --yes once the plan above looks right."),1;if(!e.yes&&!await $t("Apply these direct-dep upgrades?",!1))return u.info("Aborted — no changes made."),0;const i=new Map;for(const a of t.apply){const n=a.workspaceName??"",o=i.get(n);o?o.push(a):i.set(n,[a])}for(const[a,n]of i){const o=n.map(l=>`${l.packageName}@${l.targetSpec}`),r=a.length>0?[a]:[];u.info(`Running ${e.pm.name} add ${o.join(" ")}${a.length>0?` --filter ${a}`:""}`);const c=ni(e.pm,{exact:!1,filter:r,global:!1,optional:!1,packages:o,peer:!1,saveDev:!1,workspace:!1,workspaceRoot:!1},e.workspaceRoot,console);if(c!==0)return u.error(`${e.pm.name} add exited ${String(c)} — aborting before rescan.`),c}return u.success("Direct-dep upgrades applied. 
Re-run `vis audit` to confirm the fixes landed."),0},An=async e=>{if(!Sn(e.pm.name))return u.error(`--fix-transitive is not supported for package manager "${e.pm.name}". Use pnpm, npm, yarn, or bun.`),1;const t=!!e.visConfig?.security?.audit?.apply?.transitive?.enabled;if(De&&(!e.yes||!t))return u.error("Refusing to run --fix-transitive in CI without both --yes and security.audit.apply.transitive.enabled = true. Overrides have a higher blast radius than direct bumps — gate on config."),1;const i=new Set(yt({findings:e.actionableFindings,workspaceRoot:e.workspaceRoot}).apply.map(r=>r.packageName)),a=e.actionableFindings.filter(r=>!i.has(r.packageName)),n=fn(a);if(n.entries.length===0){u.info(""),u.info("─ Apply transitive (overrides)"),u.info("Nothing to override — all vulnerable packages are direct deps or have no fixed version.");return}const o=dn(e.workspaceRoot,n,{name:e.pm.name,version:e.pm.version});u.info(""),u.info("─ Apply transitive (overrides)"),u.info(`Target: ${o.filePath} (${o.surface})`);for(const r of o.entries){const c=r.status==="added"?"+":r.status==="updated"?"~":"·",l=r.previousSpec?` (was ${r.previousSpec})`:"";u.info(` ${c} ${r.packageName}: ${r.spec}${l}`)}if(!o.changed){u.info("No changes — overrides already match the plan.");return}if(!e.yes){if(De)return 1;if(!await $t("Write these overrides?",!1))return u.info("Aborted — no changes made."),0}try{gn(o)}catch(r){const c=r instanceof Error?r.message:String(r);return u.error(`Failed to write overrides: ${c}`),1}return u.success(`Wrote ${String(o.entries.filter(r=>r.status!=="unchanged").length)} override${o.entries.length===1?"":"s"}. Run \`${e.pm.name} install\` then re-run \`vis audit\` to confirm the fixes landed.`),0},Bn=async({fs:e,logger:t,options:i,visConfig:a,workspaceRoot:n})=>{if(!n)throw new Error("Could not determine workspace root. Run this command inside a monorepo.");await $n(e,n,i,a)};export{Bn as default,xn as mapSeverityToAube,bn as resolveAuditBackend};