@vltpkg/query 1.0.0-rc.22 → 1.0.0-rc.24

package/dist/pseudo/cve.js

@@ -0,0 +1,43 @@
+import { error } from '@vltpkg/error-cause';
+import { asPostcssNodeWithChildren, asStringNode, asTagNode, isStringNode, isTagNode, } from '@vltpkg/dss-parser';
+import { assertSecurityArchive, removeDanglingEdges, removeNode, removeQuotes, } from "./helpers.js";
+export const parseInternals = (nodes) => {
+    let cveId = '';
+    if (isStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+        cveId = removeQuotes(asStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])
+            .value);
+    }
+    else if (isTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+        cveId = asTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0]).value;
+    }
+    if (!cveId) {
+        throw error('Expected a CVE ID', {
+            found: asPostcssNodeWithChildren(nodes[0]).nodes[0],
+        });
+    }
+    return { cveId };
+};
+/**
+ * Filters out any node that does not have a CVE alert with the specified CVE ID.
+ */
+export const cve = async (state) => {
+    assertSecurityArchive(state, 'cve');
+    let internals;
+    try {
+        internals = parseInternals(asPostcssNodeWithChildren(state.current).nodes);
+    }
+    catch (err) {
+        throw error('Failed to parse :cve selector', { cause: err });
+    }
+    const { cveId } = internals;
+    for (const node of state.partial.nodes) {
+        const report = state.securityArchive.get(node.id);
+        const exclude = !report?.alerts.some(alert => alert.props?.cveId?.trim().toLowerCase() ===
+            cveId.trim().toLowerCase());
+        if (exclude) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/cwe.d.ts

@@ -0,0 +1,12 @@
+import type { ParserState } from '../types.ts';
+import type { PostcssNode } from '@vltpkg/dss-parser';
+export type CweInternals = {
+    cweId: string;
+};
+export declare const parseInternals: (nodes: PostcssNode[]) => CweInternals;
+/**
+ * Filters out any node that does not have a CWE alert with the specified CWE ID.
+ */
+export declare const cwe: (state: ParserState) => Promise<ParserState & {
+    securityArchive: NonNullable<ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/cwe.js

@@ -0,0 +1,42 @@
+import { error } from '@vltpkg/error-cause';
+import { asPostcssNodeWithChildren, asStringNode, asTagNode, isStringNode, isTagNode, } from '@vltpkg/dss-parser';
+import { assertSecurityArchive, removeDanglingEdges, removeNode, removeQuotes, } from "./helpers.js";
+export const parseInternals = (nodes) => {
+    let cweId = '';
+    if (isStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+        cweId = removeQuotes(asStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])
+            .value);
+    }
+    else if (isTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+        cweId = asTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0]).value;
+    }
+    if (!cweId) {
+        throw error('Expected a CWE ID', {
+            found: asPostcssNodeWithChildren(nodes[0]).nodes[0],
+        });
+    }
+    return { cweId };
+};
+/**
+ * Filters out any node that does not have a CWE alert with the specified CWE ID.
+ */
+export const cwe = async (state) => {
+    assertSecurityArchive(state, 'cwe');
+    let internals;
+    try {
+        internals = parseInternals(asPostcssNodeWithChildren(state.current).nodes);
+    }
+    catch (err) {
+        throw error('Failed to parse :cwe selector', { cause: err });
+    }
+    const { cweId } = internals;
+    for (const node of state.partial.nodes) {
+        const report = state.securityArchive.get(node.id);
+        const exclude = !report?.alerts.some(alert => alert.props?.cwes?.some(cwe => cwe.id.trim().toLowerCase() === cweId.trim().toLowerCase()));
+        if (exclude) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/debug.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Filters out any node that does not have a **debugAccess** report alert.
+ */
+export declare const debug: (state: import("../types.ts").ParserState) => Promise<import("../types.ts").ParserState & {
+    securityArchive: NonNullable<import("../types.ts").ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/debug.js

@@ -0,0 +1,5 @@
+import { createSecuritySelectorFilter } from "./helpers.js";
+/**
+ * Filters out any node that does not have a **debugAccess** report alert.
+ */
+export const debug = createSecuritySelectorFilter('debug', 'debugAccess');

package/dist/pseudo/deprecated.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Filters out any node that does not have a **deprecated** report alert.
+ */
+export declare const deprecated: (state: import("../types.ts").ParserState) => Promise<import("../types.ts").ParserState & {
+    securityArchive: NonNullable<import("../types.ts").ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/deprecated.js

@@ -0,0 +1,5 @@
+import { createSecuritySelectorFilter } from "./helpers.js";
+/**
+ * Filters out any node that does not have a **deprecated** report alert.
+ */
+export const deprecated = createSecuritySelectorFilter('deprecated', 'deprecated');

package/dist/pseudo/dev.d.ts

@@ -0,0 +1,5 @@
+import type { ParserState } from '../types.ts';
+/**
+ * :dev Pseudo-Selector will only match devDependencies.
+ */
+export declare const dev: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/dev.js

@@ -0,0 +1,14 @@
+import { removeEdge, removeUnlinkedNodes } from "./helpers.js";
+/**
+ * :dev Pseudo-Selector will only match devDependencies.
+ */
+export const dev = async (state) => {
+    // filter edges that don't have type 'dev'
+    for (const edge of state.partial.edges) {
+        if (edge.type !== 'dev') {
+            removeEdge(state, edge);
+        }
+    }
+    removeUnlinkedNodes(state);
+    return state;
+};

package/dist/pseudo/diff.d.ts

@@ -0,0 +1,26 @@
+import type { ParserState } from '../types.ts';
+/**
+ * Given a set of changed file paths and a package location
+ * (relative to the project root), returns true if any changed
+ * file belongs to that package.
+ */
+export declare const packageHasChanges: (changedFiles: Set<string>, packageLocation: string) => boolean;
+/**
+ * :diff(<commitish>) Pseudo-Selector, matches only nodes
+ * whose files have changed between the current state and
+ * the specified commitish reference.
+ *
+ * Requires a `diffFiles` provider to be set on the
+ * {@link ParserState}. The provider is a callback that
+ * takes a commitish string and returns a Set of changed
+ * file paths relative to the project root.
+ *
+ * When called with no argument, defaults to HEAD (uncommitted changes).
+ *
+ * Examples:
+ * - :diff() — packages with uncommitted changes (defaults to HEAD)
+ * - :diff(main) — packages changed since main branch
+ * - :diff(HEAD~1) — packages changed since last commit
+ * - :diff("v1.0.0") — packages changed since tag v1.0.0
+ */
+export declare const diff: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/diff.js

@@ -0,0 +1,75 @@
+import { error } from '@vltpkg/error-cause';
+import { asPostcssNodeWithChildren } from '@vltpkg/dss-parser';
+import { removeDanglingEdges, removeNode } from "./helpers.js";
+import { parseInternals } from "./spec.js";
+/**
+ * Given a set of changed file paths and a package location
+ * (relative to the project root), returns true if any changed
+ * file belongs to that package.
+ */
+export const packageHasChanges = (changedFiles, packageLocation) => {
+    // Normalize the package location — remove leading './'
+    const normalized = packageLocation.startsWith('./') ?
+        packageLocation.slice(2)
+        : packageLocation;
+    // Root package — check if any file at root level changed
+    // (not inside a subdirectory that is another package)
+    if (!normalized || normalized === '.') {
+        // Any changed file means the root package changed
+        return changedFiles.size > 0;
+    }
+    // Check if any changed file starts with the package path
+    for (const file of changedFiles) {
+        if (file === normalized || file.startsWith(normalized + '/')) {
+            return true;
+        }
+    }
+    return false;
+};
+/**
+ * :diff(<commitish>) Pseudo-Selector, matches only nodes
+ * whose files have changed between the current state and
+ * the specified commitish reference.
+ *
+ * Requires a `diffFiles` provider to be set on the
+ * {@link ParserState}. The provider is a callback that
+ * takes a commitish string and returns a Set of changed
+ * file paths relative to the project root.
+ *
+ * When called with no argument, defaults to HEAD (uncommitted changes).
+ *
+ * Examples:
+ * - :diff() — packages with uncommitted changes (defaults to HEAD)
+ * - :diff(main) — packages changed since main branch
+ * - :diff(HEAD~1) — packages changed since last commit
+ * - :diff("v1.0.0") — packages changed since tag v1.0.0
+ */
+export const diff = async (state) => {
+    const currentNodes = asPostcssNodeWithChildren(state.current).nodes;
+    const hasArg = currentNodes.length > 0 &&
+        asPostcssNodeWithChildren(currentNodes[0]).nodes.length > 0;
+    let commitish = 'HEAD';
+    if (hasArg) {
+        try {
+            commitish = parseInternals(currentNodes).specValue;
+        }
+        catch (err) {
+            throw error('Failed to parse :diff selector', {
+                cause: err,
+            });
+        }
+    }
+    if (!state.diffFiles) {
+        throw error('The :diff() selector requires a diffFiles provider');
+    }
+    const changedFiles = state.diffFiles(commitish);
+    for (const node of state.partial.nodes) {
+        /* c8 ignore next -- location is always set on real nodes */
+        const location = node.location ?? '';
+        if (!packageHasChanges(changedFiles, location)) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/dynamic.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Filters out any node that does not have a **dynamicRequire** report alert.
+ */
+export declare const dynamic: (state: import("../types.ts").ParserState) => Promise<import("../types.ts").ParserState & {
+    securityArchive: NonNullable<import("../types.ts").ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/dynamic.js

@@ -0,0 +1,5 @@
+import { createSecuritySelectorFilter } from "./helpers.js";
+/**
+ * Filters out any node that does not have a **dynamicRequire** report alert.
+ */
+export const dynamic = createSecuritySelectorFilter('dynamic', 'dynamicRequire');

package/dist/pseudo/empty.d.ts

@@ -0,0 +1,6 @@
+import type { ParserState } from '../types.ts';
+/**
+ * :empty Pseudo-Selector, matches only nodes that have no children.
+ * It filters out any node that has edges out, i.e., has dependencies.
+ */
+export declare const empty: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/empty.js

@@ -0,0 +1,13 @@
+import { removeNode } from "./helpers.js";
+/**
+ * :empty Pseudo-Selector, matches only nodes that have no children.
+ * It filters out any node that has edges out, i.e., has dependencies.
+ */
+export const empty = async (state) => {
+    for (const node of state.partial.nodes) {
+        if (node.edgesOut.size > 0) {
+            removeNode(state, node);
+        }
+    }
+    return state;
+};

package/dist/pseudo/entropic.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Filters out any node that does not have a **highEntropyStrings** report alert.
+ */
+export declare const entropic: (state: import("../types.ts").ParserState) => Promise<import("../types.ts").ParserState & {
+    securityArchive: NonNullable<import("../types.ts").ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/entropic.js

@@ -0,0 +1,5 @@
+import { createSecuritySelectorFilter } from "./helpers.js";
+/**
+ * Filters out any node that does not have a **highEntropyStrings** report alert.
+ */
+export const entropic = createSecuritySelectorFilter('entropic', 'highEntropyStrings');

package/dist/pseudo/env.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Filters out any node that does not have a **envVars** report alert.
+ */
+export declare const env: (state: import("../types.ts").ParserState) => Promise<import("../types.ts").ParserState & {
+    securityArchive: NonNullable<import("../types.ts").ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/env.js

@@ -0,0 +1,5 @@
+import { createSecuritySelectorFilter } from "./helpers.js";
+/**
+ * Filters out any node that does not have a **envVars** report alert.
+ */
+export const env = createSecuritySelectorFilter('env', 'envVars');

package/dist/pseudo/eval.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Filters out any node that does not have a **usesEval** report alert.
+ */
+export declare const evalParser: (state: import("../types.ts").ParserState) => Promise<import("../types.ts").ParserState & {
+    securityArchive: NonNullable<import("../types.ts").ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/eval.js

@@ -0,0 +1,5 @@
+import { createSecuritySelectorFilter } from "./helpers.js";
+/**
+ * Filters out any node that does not have a **usesEval** report alert.
+ */
+export const evalParser = createSecuritySelectorFilter('eval', 'usesEval');

package/dist/pseudo/fs.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Filters out any node that does not have a **filesystemAccess** report alert.
+ */
+export declare const fs: (state: import("../types.ts").ParserState) => Promise<import("../types.ts").ParserState & {
+    securityArchive: NonNullable<import("../types.ts").ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/fs.js

@@ -0,0 +1,5 @@
+import { createSecuritySelectorFilter } from "./helpers.js";
+/**
+ * Filters out any node that does not have a **filesystemAccess** report alert.
+ */
+export const fs = createSecuritySelectorFilter('fs', 'filesystemAccess');

package/dist/pseudo/helpers.d.ts

@@ -0,0 +1,38 @@
+import type { EdgeLike, NodeLike } from '@vltpkg/types';
+import type { ParserState } from '../types.js';
+/**
+ * Removes a node and its incoming edges from the results.
+ */
+export declare const removeNode: (state: ParserState, node: NodeLike) => void;
+/**
+ * Removes an edge and its outgoing node from the results.
+ */
+export declare const removeEdge: (state: ParserState, edge: EdgeLike) => void;
+/**
+ * Removes any edges that have no destination node from the results.
+ */
+export declare const removeDanglingEdges: (state: ParserState) => void;
+/**
+ * Removes any nodes that have no incoming edges from the results.
+ */
+export declare const removeUnlinkedNodes: (state: ParserState) => void;
+/**
+ * Removes quotes from a string value.
+ */
+export declare const removeQuotes: (value: string) => string;
+/**
+ * Asserts that the security archive is present.
+ */
+export declare const assertSecurityArchive: (state: ParserState, name: string) => asserts state is ParserState & {
+    securityArchive: NonNullable<ParserState['securityArchive']>;
+};
+/**
+ * Clears all nodes and edges from the results.
+ */
+export declare const clear: (state: ParserState) => ParserState;
+/**
+ * Reusable security selector alert filter.
+ */
+export declare const createSecuritySelectorFilter: (name: string, type: string) => (state: ParserState) => Promise<ParserState & {
+    securityArchive: NonNullable<ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/helpers.js

@@ -0,0 +1,79 @@
+import { error } from '@vltpkg/error-cause';
+/**
+ * Removes a node and its incoming edges from the results.
+ */
+export const removeNode = (state, node) => {
+    for (const edge of node.edgesIn) {
+        state.partial.edges.delete(edge);
+    }
+    state.partial.nodes.delete(node);
+};
+/**
+ * Removes an edge and its outgoing node from the results.
+ */
+export const removeEdge = (state, edge) => {
+    state.partial.edges.delete(edge);
+    if (edge.to?.edgesIn.size === 1) {
+        state.partial.nodes.delete(edge.to);
+    }
+};
+/**
+ * Removes any edges that have no destination node from the results.
+ */
+export const removeDanglingEdges = (state) => {
+    for (const edge of state.partial.edges) {
+        if (!edge.to || !state.partial.nodes.has(edge.to)) {
+            state.partial.edges.delete(edge);
+        }
+    }
+};
+/**
+ * Removes any nodes that have no incoming edges from the results.
+ */
+export const removeUnlinkedNodes = (state) => {
+    nodeLoop: for (const node of state.partial.nodes) {
+        for (const edge of state.partial.edges) {
+            if (edge.to === node) {
+                continue nodeLoop;
+            }
+        }
+        state.partial.nodes.delete(node);
+    }
+};
+/**
+ * Removes quotes from a string value.
+ */
+export const removeQuotes = (value) => value.replace(/^"(.*?)"$/, '$1');
+/**
+ * Asserts that the security archive is present.
+ */
+export const assertSecurityArchive = (state, name) => {
+    if (!state.securityArchive) {
+        throw error(`Missing security archive while trying to parse the :${name} selector`, { found: state });
+    }
+};
+/**
+ * Clears all nodes and edges from the results.
+ */
+export const clear = (state) => {
+    state.partial.nodes.clear();
+    state.partial.edges.clear();
+    return state;
+};
+/**
+ * Reusable security selector alert filter.
+ */
+export const createSecuritySelectorFilter = (name, type) => {
+    return async (state) => {
+        assertSecurityArchive(state, name);
+        for (const node of state.partial.nodes) {
+            const report = state.securityArchive.get(node.id);
+            const exclude = !report?.alerts.some(alert => alert.type === type);
+            if (exclude) {
+                removeNode(state, node);
+            }
+        }
+        removeDanglingEdges(state);
+        return state;
+    };
+};

package/dist/pseudo/host.d.ts

@@ -0,0 +1,19 @@
+import type { ParserState } from '../types.ts';
+import type { PostcssNode } from '@vltpkg/dss-parser';
+/**
+ * Parses the internal parameters of the :host() pseudo selector.
+ * Returns the context key that should be used to look up the host context function.
+ */
+export declare const parseInternals: (nodes: PostcssNode[]) => string;
+/**
+ * :host Pseudo-Selector, switches the current graph context to a new
+ * set of graphs loaded from a specific host context.
+ *
+ * This selector accepts a single parameter that specifies which host context
+ * to use. The host context must be defined in the hostContexts map provided
+ * to the Query constructor.
+ *
+ * Example:
+ * - :host(local) - Switches to graphs loaded from the local context
+ */
+export declare const hostContext: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/host.js

@@ -0,0 +1,79 @@
+import { error } from '@vltpkg/error-cause';
+import { asPostcssNodeWithChildren, asStringNode, asTagNode, isStringNode, isTagNode, } from '@vltpkg/dss-parser';
+import { removeQuotes } from "./helpers.js";
+/**
+ * Parses the internal parameters of the :host() pseudo selector.
+ * Returns the context key that should be used to look up the host context function.
+ */
+export const parseInternals = (nodes) => {
+    let contextKey = '';
+    if (isStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+        contextKey = removeQuotes(asStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])
+            .value);
+    }
+    else if (isTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+        const tagNode = asTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0]);
+        contextKey = tagNode.value;
+    }
+    if (!contextKey) {
+        throw error('Expected a context key parameter for :host selector');
+    }
+    return contextKey;
+};
+/**
+ * :host Pseudo-Selector, switches the current graph context to a new
+ * set of graphs loaded from a specific host context.
+ *
+ * This selector accepts a single parameter that specifies which host context
+ * to use. The host context must be defined in the hostContexts map provided
+ * to the Query constructor.
+ *
+ * Example:
+ * - :host(local) - Switches to graphs loaded from the local context
+ */
+export const hostContext = async (state) => {
+    if (!state.hostContexts) {
+        throw error('No host contexts available for :host selector');
+    }
+    let contextKey;
+    try {
+        contextKey = parseInternals(asPostcssNodeWithChildren(state.current).nodes);
+    }
+    catch (err) {
+        throw error('Failed to parse :host selector', {
+            cause: err,
+        });
+    }
+    const contextFunction = state.hostContexts.get(contextKey);
+    if (!contextFunction) {
+        throw error(`Unknown host context: ${contextKey}`, {
+            validOptions: Array.from(state.hostContexts.keys()),
+        });
+    }
+    // Get the graphs from the host context function
+    const { initialEdges, initialNodes, edges, nodes, securityArchive, } = await contextFunction();
+    // Clear current nodes and edges
+    state.securityArchive = securityArchive;
+    state.initial.nodes.clear();
+    state.initial.edges.clear();
+    state.partial.nodes.clear();
+    state.partial.edges.clear();
+    state.importers.clear();
+    // Reset the initial state
+    for (const node of initialNodes) {
+        state.initial.nodes.add(node);
+    }
+    for (const edge of initialEdges) {
+        state.initial.edges.add(edge);
+    }
+    // Populate with nodes and edges from all returned graphs
+    for (const node of nodes) {
+        state.partial.nodes.add(node);
+        // use the current selected nodes by the context function as importers
+        state.importers.add(node);
+    }
+    for (const edge of edges) {
+        state.partial.edges.add(edge);
+    }
+    return state;
+};

package/dist/pseudo/hostname.d.ts

@@ -0,0 +1,11 @@
+import type { ParserState } from '../types.ts';
+/**
+ * :hostname(str) Pseudo-Selector, matches only nodes whose
+ * upstream hostname matches the provided domain string.
+ *
+ * Examples:
+ * - :hostname("registry.npmjs.org") — default npm registry deps
+ * - :hostname("github.com") — github git deps
+ * - :hostname("example.com") — custom registry deps
+ */
+export declare const hostname: (state: ParserState) => Promise<ParserState>;