@vltpkg/query 1.0.0-rc.22 → 1.0.0-rc.24

package/dist/index.js

@@ -0,0 +1,410 @@
+import { error } from '@vltpkg/error-cause';
+import { joinDepIDTuple } from '@vltpkg/dep-id/browser';
+import { parse, isPostcssNodeWithChildren, asPostcssNodeWithChildren, isSelectorNode, isPseudoNode, isIdentifierNode, isAttributeNode, } from '@vltpkg/dss-parser';
+import { attribute } from "./attribute.js";
+import { combinator } from "./combinator.js";
+import { id } from "./id.js";
+import { pseudo } from "./pseudo.js";
+export * from "./types.js";
+const noopFn = async (state) => state;
+const selectors = {
+    attribute,
+    /* c8 ignore start */
+    class: async (state) => {
+        throw error('Unsupported selector', { found: state.current });
+    },
+    /* c8 ignore end */
+    combinator,
+    comment: async (state) => {
+        if (state.current.value && !state.comment) {
+            const commentValue = state.current.value;
+            const cleanComment = commentValue
+                .replace(/^\/\*/, '')
+                .replace(/\*\/$/, '')
+                .trim();
+            state.comment = cleanComment;
+        }
+        return state;
+    },
+    id,
+    nesting: noopFn,
+    pseudo,
+    root: noopFn,
+    selector: async (state) => {
+        state.partial.nodes = new Set(state.initial.nodes);
+        state.partial.edges = new Set(state.initial.edges);
+        return state;
+    },
+    string: async (state) => {
+        throw error('Unsupported selector', { found: state.current });
+    },
+    tag: async (state) => {
+        if (state.current.value !== '{' && state.current.value !== '}') {
+            throw error('Unsupported selector', { found: state.current });
+        }
+        return state;
+    },
+    universal: noopFn,
+};
+const selectorsMap = new Map(Object.entries(selectors));
+export const walk = async (state) => {
+    await state.cancellable();
+    const parserFn = selectorsMap.get(state.current.type);
+    if (!parserFn) {
+        if (state.loose) {
+            return state;
+        }
+        throw error(`Missing parser for query node: ${state.current.type}`, {
+            found: state.current,
+        });
+    }
+    state = await parserFn(state);
+    // pseudo selectors handle their own sub selectors
+    if (isPostcssNodeWithChildren(state.current) &&
+        state.current.type !== 'pseudo') {
+        const node = asPostcssNodeWithChildren(state.current);
+        if (node.nodes.length) {
+            for (let i = 0; i < node.nodes.length; i++) {
+                const current = node.nodes[i];
+                /* c8 ignore next -- impossible but TS doesn't know that */
+                if (!current)
+                    continue;
+                const childState = {
+                    ...state,
+                    current,
+                    next: node.nodes[i + 1],
+                    prev: node.nodes[i - 1],
+                };
+                state = await walk(childState);
+            }
+        }
+        if (isSelectorNode(node)) {
+            for (const edge of state.partial.edges) {
+                state.collect.edges.add(edge);
+            }
+            for (const node of state.partial.nodes) {
+                state.collect.nodes.add(node);
+            }
+        }
+    }
+    return state;
+};
+// A list of known security selectors that rely on
+// data from the security-archive in order to work
+const securitySelectors = new Set([
+    ':abandoned',
+    ':confused',
+    ':cve',
+    ':cwe',
+    ':debug',
+    ':deprecated',
+    ':dynamic',
+    ':entropic',
+    ':env',
+    ':eval',
+    ':fs',
+    ':license',
+    ':malware',
+    ':minified',
+    ':native',
+    ':network',
+    ':obfuscated',
+    ':scanned',
+    ':score',
+    ':sev',
+    ':severity',
+    ':shell',
+    ':shrinkwrap',
+    ':squat',
+    ':suspicious',
+    ':tracker',
+    ':trivial',
+    ':undesirable',
+    ':unknown',
+    ':unmaintained',
+    ':unpopular',
+    ':unstable',
+]);
+const setMethodToJSON = (node) => {
+    const { toJSON } = node;
+    const insights = node.insights;
+    node.toJSON = () => ({
+        ...toJSON.call(node),
+        insights,
+    });
+};
+/**
+ * The Query class is used to search the graph for nodes and edges
+ * using the Dependency Selector Syntax (DSS).
+ */
+export class Query {
+    #cache;
+    #diffFiles;
+    #edges;
+    #nodes;
+    #importers;
+    #retries;
+    #securityArchive;
+    #hostContexts;
+    /**
+     * Helper method to determine if a given query string is using any of
+     * the known security selectors. This is useful so that operations can
+     * skip hydrating the security archive if it's not needed.
+     */
+    static hasSecuritySelectors(query) {
+        for (const selector of securitySelectors) {
+            if (query.includes(selector)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Sorts an array of QueryResponse objects by specificity. Objects with
+     * higher idCounter values come first, if idCounter values are equal,
+     * then objects with higher commonCounter values come first. Otherwise,
+     * the original order is preserved.
+     */
+    static specificitySort(responses) {
+        return [...responses].sort((a, b) => {
+            // First compare by idCounter (higher comes first)
+            if (a.specificity.idCounter !== b.specificity.idCounter) {
+                return b.specificity.idCounter - a.specificity.idCounter;
+            }
+            // If idCounter values are equal, compare by commonCounter
+            if (a.specificity.commonCounter !== b.specificity.commonCounter) {
+                return (b.specificity.commonCounter - a.specificity.commonCounter);
+            }
+            // If both counters are equal, preserve original order
+            return 0;
+        });
+    }
+    constructor({ edges, nodes, importers, retries, securityArchive, hostContexts, diffFiles, }) {
+        this.#cache = new Map();
+        this.#diffFiles = diffFiles;
+        this.#edges = edges;
+        this.#nodes = nodes;
+        this.#importers = importers;
+        this.#retries = retries ?? 3;
+        this.#securityArchive = securityArchive;
+        this.#hostContexts = hostContexts;
+    }
+    #getQueryResponseEdges(_edges) {
+        return Array.from(_edges);
+    }
+    #getQueryResponseNodes(_nodes) {
+        const nodes = Array.from(_nodes);
+        for (const node of nodes) {
+            const securityArchiveEntry = this.#securityArchive?.get(node.id);
+            // if a security archive entry is not found then the insights object
+            // should just be empty with scanned=false
+            if (!securityArchiveEntry) {
+                node.insights = {
+                    scanned: false,
+                };
+                setMethodToJSON(node);
+                continue;
+            }
+            // if a security archive entry is found then we can populate the insights
+            node.insights = {
+                scanned: true,
+                score: securityArchiveEntry.score,
+                abandoned: securityArchiveEntry.alerts.some(i => i.type === 'missingAuthor'),
+                confused: securityArchiveEntry.alerts.some(i => i.type === 'manifestConfusion'),
+                cve: securityArchiveEntry.alerts
+                    .map(i => i.props?.cveId)
+                    .filter(i => i !== undefined),
+                cwe: Array.from(new Set(securityArchiveEntry.alerts
+                    .filter(i => i.props?.cveId)
+                    .flatMap(i => i.props?.cwes?.map(j => j.id)))),
+                debug: securityArchiveEntry.alerts.some(i => i.type === 'debugAccess'),
+                deprecated: securityArchiveEntry.alerts.some(i => i.type === 'deprecated'),
+                dynamic: securityArchiveEntry.alerts.some(i => i.type === 'dynamicRequire'),
+                entropic: securityArchiveEntry.alerts.some(i => i.type === 'highEntropyStrings'),
+                env: securityArchiveEntry.alerts.some(i => i.type === 'envVars'),
+                eval: securityArchiveEntry.alerts.some(i => i.type === 'usesEval'),
+                fs: securityArchiveEntry.alerts.some(i => i.type === 'filesystemAccess'),
+                license: {
+                    unlicensed: securityArchiveEntry.alerts.some(i => i.type === 'explicitlyUnlicensedItem'),
+                    misc: securityArchiveEntry.alerts.some(i => i.type === 'miscLicenseIssues'),
+                    restricted: securityArchiveEntry.alerts.some(i => i.type === 'nonpermissiveLicense'),
+                    ambiguous: securityArchiveEntry.alerts.some(i => i.type === 'ambiguousClassifier'),
+                    copyleft: securityArchiveEntry.alerts.some(i => i.type === 'copyleftLicense'),
+                    unknown: securityArchiveEntry.alerts.some(i => i.type === 'unidentifiedLicense'),
+                    none: securityArchiveEntry.alerts.some(i => i.type === 'noLicenseFound'),
+                    exception: securityArchiveEntry.alerts.some(i => i.type === 'licenseException'),
+                },
+                malware: {
+                    low: securityArchiveEntry.alerts.some(i => i.type === 'gptAnomaly'),
+                    medium: securityArchiveEntry.alerts.some(i => i.type === 'gptSecurity'),
+                    high: securityArchiveEntry.alerts.some(i => i.type === 'gptMalware'),
+                    critical: securityArchiveEntry.alerts.some(i => i.type === 'malware'),
+                },
+                minified: securityArchiveEntry.alerts.some(i => i.type === 'minifiedFile'),
+                native: securityArchiveEntry.alerts.some(i => i.type === 'hasNativeCode'),
+                network: securityArchiveEntry.alerts.some(i => i.type === 'networkAccess'),
+                obfuscated: securityArchiveEntry.alerts.some(i => i.type === 'obfuscatedFile'),
+                scripts: securityArchiveEntry.alerts.some(i => i.type === 'installScripts'),
+                severity: {
+                    low: securityArchiveEntry.alerts.some(i => i.type === 'mildCVE'),
+                    medium: securityArchiveEntry.alerts.some(i => i.type === 'potentialVulnerability'),
+                    high: securityArchiveEntry.alerts.some(i => i.type === 'cve'),
+                    critical: securityArchiveEntry.alerts.some(i => i.type === 'criticalCVE'),
+                },
+                shell: securityArchiveEntry.alerts.some(i => i.type === 'shellAccess'),
+                shrinkwrap: securityArchiveEntry.alerts.some(i => i.type === 'shrinkwrap'),
+                squat: {
+                    medium: securityArchiveEntry.alerts.some(i => i.type === 'gptDidYouMean'),
+                    critical: securityArchiveEntry.alerts.some(i => i.type === 'didYouMean'),
+                },
+                suspicious: securityArchiveEntry.alerts.some(i => i.type === 'suspiciousStarActivity'),
+                tracker: securityArchiveEntry.alerts.some(i => i.type === 'telemetry'),
+                trivial: securityArchiveEntry.alerts.some(i => i.type === 'trivialPackage'),
+                undesirable: securityArchiveEntry.alerts.some(i => i.type === 'troll'),
+                unknown: securityArchiveEntry.alerts.some(i => i.type === 'newAuthor'),
+                unmaintained: securityArchiveEntry.alerts.some(i => i.type === 'unmaintained'),
+                unpopular: securityArchiveEntry.alerts.some(i => i.type === 'unpopularPackage'),
+                unstable: securityArchiveEntry.alerts.some(i => i.type === 'unstableOwnership'),
+            };
+            setMethodToJSON(node);
+        }
+        return nodes;
+    }
+    /**
+     * Search the graph for nodes and edges that match the given query.
+     */
+    async search(query, { signal, scopeIDs = [joinDepIDTuple(['file', '.'])], }) {
+        if (!query)
+            return {
+                edges: [],
+                nodes: [],
+                importers: [],
+                comment: '',
+                specificity: { idCounter: 0, commonCounter: 0 },
+            };
+        const cachedResult = this.#cache.get(query);
+        if (cachedResult) {
+            return cachedResult;
+        }
+        const nodes = this.#nodes;
+        const edges = this.#edges;
+        const importers = this.#importers;
+        // includes virtual workspace edges in the searched edges
+        for (const importer of importers) {
+            if (!importer.workspaces)
+                continue;
+            for (const edge of importer.workspaces.values()) {
+                edges.add(edge);
+            }
+        }
+        // parse the query string into AST
+        const current = parse(query);
+        // set loose mode for the entire parse in case there are multiple selectors
+        // so that using invalid pseudo selectors or other query language parser
+        // errors won't throw an error,
+        // e.g: `:root > *, #a, :foo` still returns results for `:root > ` and `#a`
+        // while :foo is ignored
+        const loose = asPostcssNodeWithChildren(current).nodes.length > 1;
+        // builds initial state and walks over it,
+        // retrieving the collected result
+        const { collect, comment, importers: stateResultImporters, specificity, } = await walk({
+            cancellable: async () => {
+                await new Promise(resolve => {
+                    setTimeout(resolve, 0);
+                });
+                signal.throwIfAborted();
+            },
+            current,
+            initial: {
+                nodes: new Set(nodes),
+                edges: new Set(edges),
+            },
+            collect: {
+                nodes: new Set(),
+                edges: new Set(),
+            },
+            comment: '',
+            diffFiles: this.#diffFiles,
+            loose,
+            importers,
+            partial: { nodes, edges },
+            retries: this.#retries,
+            signal,
+            securityArchive: this.#securityArchive,
+            scopeIDs,
+            walk,
+            specificity: { idCounter: 0, commonCounter: 0 },
+            hostContexts: this.#hostContexts,
+        });
+        const res = {
+            edges: this.#getQueryResponseEdges(collect.edges),
+            nodes: this.#getQueryResponseNodes(collect.nodes),
+            importers: this.#getQueryResponseNodes(stateResultImporters),
+            comment,
+            specificity,
+        };
+        this.#cache.set(query, res);
+        return res;
+    }
+    /**
+     * Parses a query string in order to retrieve an array of tokens.
+     */
+    static getQueryTokens(query) {
+        if (!query)
+            return [];
+        const tokens = [];
+        const ast = (q) => {
+            try {
+                return parse(q);
+            }
+            catch (_e) {
+                return ast(q.slice(0, -1));
+            }
+        };
+        const processNode = (node) => {
+            for (const key of selectorsMap.keys()) {
+                if (node.type === key && node.type !== 'root') {
+                    let token = `${node.spaces.before}${node.value}${node.spaces.after}`;
+                    if (isIdentifierNode(node)) {
+                        token = `${node.spaces.before}#${node.value}${node.spaces.after}`;
+                    }
+                    else if (isSelectorNode(node)) {
+                        token = `${node.spaces.before},${node.spaces.after}`;
+                    }
+                    else if (isAttributeNode(node)) {
+                        token = String(node.source?.start?.column &&
+                            node.source.end?.column &&
+                            `${node.spaces.before}${query.slice(node.source.start.column - 1, node.source.end.column)}${node.spaces.after}`);
+                    }
+                    if (isPostcssNodeWithChildren(node) &&
+                        isPseudoNode(node) &&
+                        node.nodes.length) {
+                        token = String(token.split('(')[0]);
+                        token += '(';
+                    }
+                    if (!isSelectorNode(node) ||
+                        node.parent?.nodes.indexOf(node) !== 0) {
+                        tokens.push({
+                            ...node,
+                            token,
+                        });
+                    }
+                }
+            }
+            if (isPostcssNodeWithChildren(node)) {
+                for (const child of node.nodes) {
+                    processNode(child);
+                }
+                if (isPseudoNode(node) && node.nodes.length) {
+                    tokens.push({
+                        ...node,
+                        token: ')' + node.spaces.after,
+                        type: 'pseudo',
+                    });
+                }
+            }
+        };
+        processNode(ast(query));
+        return tokens;
+    }
+}

package/dist/parser.d.ts

@@ -0,0 +1,14 @@
+import type { Root } from 'postcss-selector-parser';
+/**
+ * Escapes forward slashes in specific patterns matching @scoped/name paths
+ * This will allow usage of unescaped forward slashes necessary for scoped
+ * package names in the id selector.
+ */
+export declare const escapeScopedNamesSlashes: (query: string) => string;
+export declare const escapeDots: (query: string) => string;
+export declare const unescapeDots: (query: string) => string;
+/**
+ * Parses a CSS selector string into an AST
+ * Handles escaping of forward slashes in specific patterns
+ */
+export declare const parse: (query: string) => Root;

package/dist/parser.js

@@ -0,0 +1,92 @@
+import postcssSelectorParser from 'postcss-selector-parser';
+import { asSelectorNode, isCombinatorNode, isPseudoNode, isTagNode, } from '@vltpkg/dss-parser';
+/**
+ * Escapes forward slashes in specific patterns matching @scoped/name paths
+ * This will allow usage of unescaped forward slashes necessary for scoped
+ * package names in the id selector.
+ */
+export const escapeScopedNamesSlashes = (query) => query.replace(/(#@(\w|-|\.)+)\//gm, (_, scope) => `${scope}\\/`);
+export const escapeDots = (query) => query.replaceAll('.', '\\.');
+export const unescapeDots = (query) => query.replaceAll('\\.', '.');
+const pseudoCleanUpNeeded = new Set([
+    ':published',
+    ':score',
+    ':malware',
+    ':severity',
+    ':sev',
+    ':squat',
+    ':semver',
+    ':v',
+    ':path',
+]);
+const hasParamsToEscape = (node) => pseudoCleanUpNeeded.has(node.value);
+/**
+ * Parses a CSS selector string into an AST
+ * Handles escaping of forward slashes in specific patterns
+ */
+export const parse = (query) => {
+    const escapedQuery = escapeDots(escapeScopedNamesSlashes(query));
+    const transformAst = (root) => {
+        root.walk((node) => {
+            // clean up the escaped dots
+            if (node.value && typeof node.value === 'string') {
+                node.value = unescapeDots(node.value);
+            }
+            if (isPseudoNode(node) && hasParamsToEscape(node)) {
+                // these are pseudo nodes that should only take strings as
+                // parameters, so in this preparse step we clean up anything
+                // that was recognized as a postcss node and transform that
+                // into something that can be most likely parsed as a string
+                for (const n of node.nodes) {
+                    // the parameters have a selector node that wraps them up
+                    const selector = asSelectorNode(n);
+                    selector.nodes.forEach((currentNode, index, arr) => {
+                        // get the next node, we'll update it later
+                        const nextNode = arr[index + 1];
+                        // if the current node is a combinator node, we'll need to
+                        // escape it, we do so by removing the node entirely and
+                        // updating the contents of the next node with its value
+                        if (isCombinatorNode(currentNode) &&
+                            isTagNode(nextNode)) {
+                            nextNode.value = `${currentNode.spaces.before}${currentNode.value}${currentNode.spaces.after}${nextNode.value}`;
+                            // make sure to also update the source position
+                            // references, those are used by the syntax highlighter
+                            if (nextNode.source?.start?.line &&
+                                currentNode.source?.start?.line) {
+                                nextNode.source.start.line =
+                                    currentNode.source.start.line;
+                            }
+                            if (nextNode.source?.start?.column &&
+                                currentNode.source?.start?.column) {
+                                nextNode.source.start.column =
+                                    currentNode.source.start.column;
+                            }
+                            // removes the current node from the selector node
+                            arr.splice(index, 1);
+                        }
+                    });
+                    // after removing combinator nodes, if we end up with multiple
+                    // tags in the selector node, we need to smush them together
+                    selector.nodes.reduce((acc, currentNode) => {
+                        if (currentNode === acc)
+                            return acc;
+                        acc.value = `${acc.value}${currentNode.spaces.before}${currentNode.value}${currentNode.spaces.after}`;
+                        // make sure to also update the source position refs
+                        if (currentNode.source?.end?.line &&
+                            acc.source?.end?.line) {
+                            acc.source.end.line = currentNode.source.end.line;
+                        }
+                        if (currentNode.source?.end?.column &&
+                            acc.source?.end?.column) {
+                            acc.source.end.column = currentNode.source.end.column;
+                        }
+                        return acc;
+                    }, selector.first);
+                    // the selector wrapper node should have a single node
+                    selector.nodes.length = 1;
+                }
+            }
+        });
+    };
+    return postcssSelectorParser(transformAst).astSync(escapedQuery);
+};

package/dist/pseudo/abandoned.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Filters out any node that does not have a **missingAuthor** report alert.
+ */
+export declare const abandoned: (state: import("../types.ts").ParserState) => Promise<import("../types.ts").ParserState & {
+    securityArchive: NonNullable<import("../types.ts").ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/abandoned.js

@@ -0,0 +1,5 @@
+import { createSecuritySelectorFilter } from "./helpers.js";
+/**
+ * Filters out any node that does not have a **missingAuthor** report alert.
+ */
+export const abandoned = createSecuritySelectorFilter('abandoned', 'missingAuthor');

package/dist/pseudo/attr.d.ts

@@ -0,0 +1,18 @@
+import type { ParserState } from '../types.ts';
+import type { PostcssNode } from '@vltpkg/dss-parser';
+export type AttrInternals = {
+    attribute: string;
+    insensitive: boolean;
+    operator?: string;
+    value?: string;
+    properties: string[];
+};
+/**
+ * Parses the internal / nested selectors of a `:attr` selector.
+ */
+export declare const parseInternals: (nodes: PostcssNode[]) => AttrInternals;
+/**
+ * :attr Pseudo-Selector, allows for retrieving nodes based on nested
+ * properties of the `package.json` metadata.
+ */
+export declare const attr: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/attr.js

@@ -0,0 +1,57 @@
+import { error } from '@vltpkg/error-cause';
+import { asAttributeNode, asPostcssNodeWithChildren, asStringNode, asTagNode, isStringNode, } from '@vltpkg/dss-parser';
+import { attributeSelectorsMap, filterAttributes, } from "../attribute.js";
+import { removeQuotes } from "./helpers.js";
+/**
+ * Parses the internal / nested selectors of a `:attr` selector.
+ */
+export const parseInternals = (nodes) => {
+    // the last part is the attribute selector
+    const attributeSelector = asAttributeNode(asPostcssNodeWithChildren(nodes.pop()).nodes[0]);
+    // all preppending selectors are naming nested properties
+    const properties = [];
+    for (const selector of nodes) {
+        const selectorNode = asPostcssNodeWithChildren(selector).nodes[0];
+        // Handle both quoted string and tag nodes
+        if (isStringNode(selectorNode)) {
+            properties.push(removeQuotes(asStringNode(selectorNode).value));
+        }
+        else {
+            properties.push(asTagNode(selectorNode).value);
+        }
+    }
+    // include the attribute selector as the last part of the property lookup
+    properties.push(attributeSelector.attribute);
+    return {
+        attribute: attributeSelector.attribute,
+        insensitive: attributeSelector.insensitive || false,
+        operator: attributeSelector.operator,
+        value: attributeSelector.value,
+        properties,
+    };
+};
+/**
+ * :attr Pseudo-Selector, allows for retrieving nodes based on nested
+ * properties of the `package.json` metadata.
+ */
+export const attr = async (state) => {
+    // Parses and retrieves the values for the nested selectors
+    let internals;
+    try {
+        internals = parseInternals(asPostcssNodeWithChildren(state.current).nodes);
+    }
+    catch (err) {
+        throw error('Failed to parse :attr selector', {
+            cause: err,
+        });
+    }
+    // reuses the attribute selector logic to filter the nodes
+    const comparator = internals.operator ?
+        attributeSelectorsMap.get(internals.operator)
+        : undefined;
+    const value = internals.value || '';
+    const propertyName = internals.attribute;
+    const insensitive = internals.insensitive;
+    const prefixProperties = internals.properties;
+    return filterAttributes(state, comparator, value, propertyName, insensitive, prefixProperties);
+};

package/dist/pseudo/built.d.ts

@@ -0,0 +1,7 @@
+import type { ParserState } from '../types.ts';
+/**
+ * :built Pseudo-Selector will only match packages that have
+ * a `buildState` property set to 'built', indicating they have
+ * been successfully built during the reify process.
+ */
+export declare const built: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/built.js

@@ -0,0 +1,15 @@
+import { removeNode, removeDanglingEdges } from "./helpers.js";
+/**
+ * :built Pseudo-Selector will only match packages that have
+ * a `buildState` property set to 'built', indicating they have
+ * been successfully built during the reify process.
+ */
+export const built = async (state) => {
+    for (const node of state.partial.nodes) {
+        if (node.buildState !== 'built') {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/confused.d.ts

@@ -0,0 +1,8 @@
+import type { ParserState } from '../types.js';
+/**
+ * Filters out any node that does not have a **manifestConfusion** report alert.
+ * Also includes any node that has been marked as **confused**.
+ */
+export declare const confused: (state: ParserState) => Promise<ParserState & {
+    securityArchive: NonNullable<ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/confused.js

@@ -0,0 +1,18 @@
+import { assertSecurityArchive, removeDanglingEdges, removeNode, } from "./helpers.js";
+/**
+ * Filters out any node that does not have a **manifestConfusion** report alert.
+ * Also includes any node that has been marked as **confused**.
+ */
+export const confused = async (state) => {
+    assertSecurityArchive(state, 'confused');
+    for (const node of state.partial.nodes) {
+        const report = state.securityArchive.get(node.id);
+        const exclude = !node.confused &&
+            !report?.alerts.some(alert => alert.type === 'manifestConfusion');
+        if (exclude) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/cve.d.ts

@@ -0,0 +1,12 @@
+import type { ParserState } from '../types.ts';
+import type { PostcssNode } from '@vltpkg/dss-parser';
+export type CveInternals = {
+    cveId: string;
+};
+export declare const parseInternals: (nodes: PostcssNode[]) => CveInternals;
+/**
+ * Filters out any node that does not have a CVE alert with the specified CVE ID.
+ */
+export declare const cve: (state: ParserState) => Promise<ParserState & {
+    securityArchive: NonNullable<ParserState["securityArchive"]>;
+}>;