@vltpkg/query 1.0.0-rc.23 → 1.0.0-rc.24

package/dist/pseudo/published.js

@@ -0,0 +1,179 @@
+import pRetry, { AbortError } from 'p-retry';
+import { hydrate, splitDepID } from '@vltpkg/dep-id/browser';
+import { error } from '@vltpkg/error-cause';
+import { asError } from '@vltpkg/types';
+import { asPostcssNodeWithChildren, asStringNode, asTagNode, isStringNode, isTagNode, } from '@vltpkg/dss-parser';
+import { removeDanglingEdges, removeNode, removeQuotes, } from "./helpers.js";
+/**
+ * Fetches the published date of a package version from the npm registry.
+ */
+export const retrieveRemoteDate = async (node, signal) => {
+    const spec = hydrate(node.id, String(node.name), node.options);
+    if (!spec.registry || !node.name || !node.version) {
+        return undefined;
+    }
+    const url = new URL(spec.registry);
+    url.pathname = `/${node.name}`;
+    const response = await fetch(String(url), {
+        signal,
+    });
+    // on missing valid auth or API, it should abort the retry logic
+    if (response.status === 404) {
+        throw new AbortError('Missing API');
+    }
+    if (!response.ok) {
+        throw error('Failed to fetch packument', {
+            name: node.name,
+            spec,
+            response,
+        });
+    }
+    const packument = (await response.json());
+    const res = packument.time?.[node.version];
+    return res;
+};
+/**
+ * Retrieves what kind of check the :published selector should perform.
+ */
+export const parseInternals = (nodes) => {
+    let value = '';
+    if (isStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+        value = removeQuotes(asStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])
+            .value);
+    }
+    else if (isTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+        const tagNode = asTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0]);
+        value = tagNode.value;
+    }
+    // Check if the value starts with a comparator
+    let comparator;
+    let relativeDate = value;
+    if (value.startsWith('>=')) {
+        comparator = '>=';
+        relativeDate = value.slice(2);
+    }
+    else if (value.startsWith('<=')) {
+        comparator = '<=';
+        relativeDate = value.slice(2);
+    }
+    else if (value.startsWith('>')) {
+        comparator = '>';
+        relativeDate = value.slice(1);
+    }
+    else if (value.startsWith('<')) {
+        comparator = '<';
+        relativeDate = value.slice(1);
+    }
+    return { relativeDate, comparator };
+};
+/**
+ * Filter nodes by queueing up for removal those that don't match the date criteria.
+ */
+export const queueNode = async (state, node, relativeDate, comparator) => {
+    if (!node.name || !node.version) {
+        return node;
+    }
+    let publishedDate;
+    try {
+        publishedDate = await pRetry(() => retrieveRemoteDate(node, state.signal), {
+            retries: state.retries,
+            signal: state.signal,
+        });
+    }
+    catch (err) {
+        // eslint-disable-next-line no-console
+        console.warn(error('Could not retrieve registry publish date', {
+            name: node.name,
+            cause: err,
+        }));
+        return node;
+    }
+    if (!publishedDate) {
+        return node;
+    }
+    // only matches the same amount of date information
+    // as provided in the relative date
+    const nodeDate = new Date(publishedDate.slice(0, relativeDate.length));
+    const compareDate = new Date(relativeDate);
+    switch (comparator) {
+        case '>':
+            return nodeDate > compareDate ? undefined : node;
+        case '<':
+            return nodeDate < compareDate ? undefined : node;
+        case '>=':
+            return nodeDate >= compareDate ? undefined : node;
+        case '<=':
+            return nodeDate <= compareDate ? undefined : node;
+        default:
+            return nodeDate.getTime() === compareDate.getTime() ?
+                undefined
+                : node;
+    }
+};
+/**
+ * Filters out nodes that don't match the published date criteria.
+ *
+ * The :published() pseudo selector supports a date parameter that can be prefixed
+ * with a comparator (>, <, >=, <=). If no comparator is provided, it will match
+ * exact dates.
+ *
+ * Examples:
+ * - :published("2024-01-01") - Matches packages published exactly on January 1st, 2024
+ * - :published(">2024-01-01") - Matches packages published after January 1st, 2024
+ * - :published("<=2023-12-31") - Matches packages published on or before December 31st, 2023
+ */
+export const published = async (state) => {
+    let internals;
+    try {
+        internals = parseInternals(asPostcssNodeWithChildren(state.current).nodes);
+    }
+    catch (err) {
+        if (asError(err).message === 'Expected a query node') {
+            // No parameters provided - pseudo state form: match ANY published metadata
+            for (const node of state.partial.nodes) {
+                // filter out nodes that are always ignored by the published selector
+                if (node.mainImporter ||
+                    node.manifest?.private ||
+                    splitDepID(node.id)[0] !== 'registry') {
+                    removeNode(state, node);
+                    continue;
+                }
+                // For pseudo state form, we just check if the node has published metadata
+                // This is equivalent to checking if it's a registry package with version info
+                if (!node.name || !node.version) {
+                    removeNode(state, node);
+                }
+            }
+            removeDanglingEdges(state);
+            return state;
+        }
+        else {
+            throw error('Failed to parse :published selector', {
+                cause: err,
+            });
+        }
+    }
+    const { relativeDate, comparator } = internals;
+    const queue = [];
+    for (const node of state.partial.nodes) {
+        // filter out nodes that are always ignored by the published selector
+        if (node.mainImporter ||
+            node.manifest?.private ||
+            splitDepID(node.id)[0] !== 'registry') {
+            removeNode(state, node);
+            continue;
+        }
+        // fetch published date info and perform checks to define
+        // whether or not a node should be filtered out
+        queue.push(queueNode(state, node, relativeDate, comparator));
+    }
+    // nodes queued for removal are then finally removed
+    const removeNodeQueue = await Promise.all(queue);
+    for (const node of removeNodeQueue) {
+        if (node) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/registry.d.ts

@@ -0,0 +1,10 @@
+import type { ParserState } from '../types.ts';
+/**
+ * :registry(name) Pseudo-Selector, matches only nodes that
+ * belong to the specified registry configuration alias.
+ *
+ * For example, `:registry(npm)` matches deps from the default
+ * npm registry, and `:registry(custom)` matches deps from a
+ * custom-named registry.
+ */
+export declare const registry: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/registry.js

@@ -0,0 +1,24 @@
+import { splitDepID } from '@vltpkg/dep-id/browser';
+import { asPostcssNodeWithChildren, asTagNode, } from '@vltpkg/dss-parser';
+import { removeDanglingEdges, removeNode } from "./helpers.js";
+/**
+ * :registry(name) Pseudo-Selector, matches only nodes that
+ * belong to the specified registry configuration alias.
+ *
+ * For example, `:registry(npm)` matches deps from the default
+ * npm registry, and `:registry(custom)` matches deps from a
+ * custom-named registry.
+ */
+export const registry = async (state) => {
+    const top = asPostcssNodeWithChildren(state.current);
+    const selector = asPostcssNodeWithChildren(top.nodes[0]);
+    const name = asTagNode(selector.nodes[0]).value;
+    for (const node of state.partial.nodes) {
+        const tuple = splitDepID(node.id);
+        if (tuple[0] !== 'registry' || tuple[1] !== name) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/root.d.ts

@@ -0,0 +1,6 @@
+import type { ParserState } from '../types.ts';
+/**
+ * :root Pseudo-Element will return the project root node for the graph.
+ * It matches only nodes marked as `mainImporter`.
+ */
+export declare const root: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/root.js

@@ -0,0 +1,17 @@
+/**
+ * :root Pseudo-Element will return the project root node for the graph.
+ * It matches only nodes marked as `mainImporter`.
+ */
+export const root = async (state) => {
+    for (const edge of state.partial.edges) {
+        if (!edge.to?.mainImporter) {
+            state.partial.edges.delete(edge);
+        }
+    }
+    for (const node of state.partial.nodes) {
+        if (!node.mainImporter) {
+            state.partial.nodes.delete(node);
+        }
+    }
+    return state;
+};

package/dist/pseudo/scanned.d.ts

@@ -0,0 +1,8 @@
+import type { ParserState } from '../types.ts';
+/**
+ * :scanned pseudo selector.
+ *
+ * Remove all nodes that do not have available metadata
+ * in the security archive.
+ */
+export declare const scanned: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/scanned.js

@@ -0,0 +1,16 @@
+import { removeDanglingEdges, removeNode } from "./helpers.js";
+/**
+ * :scanned pseudo selector.
+ *
+ * Remove all nodes that do not have available metadata
+ * in the security archive.
+ */
+export const scanned = async (state) => {
+    for (const node of state.partial.nodes) {
+        if (!state.securityArchive?.has(node.id)) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/score.d.ts

@@ -0,0 +1,15 @@
+import type { PackageScore } from '@vltpkg/security-archive';
+import type { ParserState } from '../types.ts';
+import type { PostcssNode } from '@vltpkg/dss-parser';
+export type ScoreKinds = keyof PackageScore;
+export type ScoreComparator = '>' | '<' | '>=' | '<=' | '=' | undefined;
+export declare const isScoreKind: (value?: string) => value is ScoreKinds;
+export declare const asScoreKind: (value?: string) => ScoreKinds;
+export declare const parseInternals: (nodes: PostcssNode[]) => {
+    comparator: ScoreComparator;
+    rate: number;
+    kind: ScoreKinds;
+};
+export declare const score: (state: ParserState) => Promise<ParserState & {
+    securityArchive: NonNullable<ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/score.js

@@ -0,0 +1,132 @@
+import { error } from '@vltpkg/error-cause';
+import { asError } from '@vltpkg/types';
+import { asPostcssNodeWithChildren, asStringNode, asTagNode, isStringNode, isTagNode, } from '@vltpkg/dss-parser';
+import { assertSecurityArchive, removeDanglingEdges, removeNode, removeQuotes, } from "./helpers.js";
+const kinds = new Set([
+    'overall',
+    'license',
+    'maintenance',
+    'quality',
+    'supplyChain',
+    'vulnerability',
+    undefined,
+]);
+export const isScoreKind = (value) => kinds.has(value);
+export const asScoreKind = (value) => {
+    if (!isScoreKind(value)) {
+        throw error('Expected a valid score kind', {
+            found: value,
+            validOptions: Array.from(kinds),
+        });
+    }
+    return value;
+};
+export const parseInternals = (nodes) => {
+    let rateStr = '';
+    let comparator = '=';
+    let kind = 'overall';
+    // Parse the first parameter (rate with optional comparator)
+    if (isStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+        rateStr = removeQuotes(asStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])
+            .value);
+    }
+    else if (isTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+        const tagNode = asTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0]);
+        rateStr = tagNode.value;
+    }
+    // Extract comparator if present
+    if (rateStr.startsWith('>=')) {
+        comparator = '>=';
+        rateStr = rateStr.substring(2);
+    }
+    else if (rateStr.startsWith('<=')) {
+        comparator = '<=';
+        rateStr = rateStr.substring(2);
+    }
+    else if (rateStr.startsWith('>')) {
+        comparator = '>';
+        rateStr = rateStr.substring(1);
+    }
+    else if (rateStr.startsWith('<')) {
+        comparator = '<';
+        rateStr = rateStr.substring(1);
+    }
+    // Parse rate as number
+    let rate = parseFloat(rateStr);
+    // Normalize to 0-1 range if needed
+    if (rate > 1) {
+        rate = rate / 100;
+    }
+    // Validate rate is in acceptable range
+    if (rate < 0 || rate > 1) {
+        throw error('Expected rate to be between 0 and 100', {
+            found: rateStr,
+        });
+    }
+    // Parse the second parameter (kind) if present
+    if (nodes.length > 1) {
+        if (isStringNode(asPostcssNodeWithChildren(nodes[1]).nodes[0])) {
+            kind = asScoreKind(removeQuotes(asStringNode(asPostcssNodeWithChildren(nodes[1]).nodes[0])
+                .value));
+        }
+        else if (isTagNode(asPostcssNodeWithChildren(nodes[1]).nodes[0])) {
+            kind = asScoreKind(asTagNode(asPostcssNodeWithChildren(nodes[1]).nodes[0]).value);
+        }
+    }
+    return { comparator, rate, kind };
+};
+export const score = async (state) => {
+    assertSecurityArchive(state, 'score');
+    let internals;
+    try {
+        internals = parseInternals(asPostcssNodeWithChildren(state.current).nodes);
+    }
+    catch (err) {
+        if (asError(err).message === 'Expected a query node') {
+            // No parameters provided - pseudo state form: match ANY score (scanned packages)
+            for (const node of state.partial.nodes) {
+                const report = state.securityArchive.get(node.id);
+                if (!report) {
+                    removeNode(state, node);
+                }
+            }
+            removeDanglingEdges(state);
+            return state;
+        }
+        else {
+            throw error('Failed to parse :score selector', { cause: err });
+        }
+    }
+    const { comparator, rate, kind } = internals;
+    for (const node of state.partial.nodes) {
+        const report = state.securityArchive.get(node.id);
+        if (!report) {
+            removeNode(state, node);
+            continue;
+        }
+        const scoreValue = report.score[kind];
+        let exclude = false;
+        switch (comparator) {
+            case '>':
+                exclude = scoreValue <= rate;
+                break;
+            case '<':
+                exclude = scoreValue >= rate;
+                break;
+            case '>=':
+                exclude = scoreValue < rate;
+                break;
+            case '<=':
+                exclude = scoreValue > rate;
+                break;
+            default: // '='
+                exclude = scoreValue !== rate;
+                break;
+        }
+        if (exclude) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/scripts.d.ts

@@ -0,0 +1,9 @@
+import type { ParserState } from '../types.ts';
+/**
+ * :scripts Pseudo-Selector filters nodes based on whether they need to be built.
+ *
+ * A node needs to be built if it has:
+ * - Install lifecycle scripts (install, preinstall, postinstall)
+ * - Prepare scripts on importers or git dependencies (prepare, preprepare, postprepare)
+ */
+export declare const scripts: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/scripts.js

@@ -0,0 +1,43 @@
+import { removeNode, removeDanglingEdges } from "./helpers.js";
+/**
+ * Checks if a node needs to be built based on the conditions from the reify build process:
+ * 1. Has install lifecycle scripts (install, preinstall, postinstall)
+ * 2. Is an importer or git dependency with prepare scripts (prepare, preprepare, postprepare)
+ */
+const nodeNeedsBuild = (node) => {
+    const { manifest } = node;
+    /* c8 ignore next */
+    if (!manifest)
+        return false;
+    const { scripts = {} } = manifest;
+    // Check for install lifecycle scripts
+    const runInstall = !!(scripts.install ||
+        scripts.preinstall ||
+        scripts.postinstall);
+    if (runInstall)
+        return true;
+    // Check for prepare scripts on importers or git dependencies
+    const prepable = node.id.startsWith('git') || node.importer;
+    const runPrepare = !!((scripts.prepare || scripts.preprepare || scripts.postprepare)
+    /* c8 ignore next 2 */
+    ) && prepable;
+    if (runPrepare)
+        return true;
+    return false;
+};
+/**
+ * :scripts Pseudo-Selector filters nodes based on whether they need to be built.
+ *
+ * A node needs to be built if it has:
+ * - Install lifecycle scripts (install, preinstall, postinstall)
+ * - Prepare scripts on importers or git dependencies (prepare, preprepare, postprepare)
+ */
+export const scripts = async (state) => {
+    for (const node of state.partial.nodes) {
+        if (!nodeNeedsBuild(node)) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/semver.d.ts

@@ -0,0 +1,16 @@
+import type { Version } from '@vltpkg/semver';
+import type { AttrInternals } from './attr.ts';
+import type { ParserState } from '../types.ts';
+import type { PostcssNode } from '@vltpkg/dss-parser';
+export type SemverInternals = {
+    semverValue: string;
+    semverFunction: SemverComparatorFn;
+    compareAttribute: SemverCompareAttribute;
+};
+export type SemverFunctionNames = 'satisfies' | 'gt' | 'gte' | 'lt' | 'lte' | 'eq' | 'neq';
+export type SemverComparatorFn = (version: Version | string, range: string) => boolean;
+export type SemverCompareAttribute = Pick<AttrInternals, 'attribute' | 'properties'> | undefined;
+export declare const isSemverFunctionName: (name: string) => name is SemverFunctionNames;
+export declare const asSemverFunctionName: (name: string) => SemverFunctionNames;
+export declare const parseInternals: (nodes: PostcssNode[], loose: boolean) => SemverInternals;
+export declare const semverParser: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/semver.js

@@ -0,0 +1,166 @@
+import { satisfies, gt, gte, lt, lte, eq, neq, parse, parseRange, } from '@vltpkg/semver';
+import { error } from '@vltpkg/error-cause';
+import { asError } from '@vltpkg/types';
+import { parseInternals as parseAttrInternals } from "./attr.js";
+import { getManifestPropertyValues } from "../attribute.js";
+import { asAttributeNode, asPostcssNodeWithChildren, asPseudoNode, asStringNode, asTagNode, isAttributeNode, isPseudoNode, isStringNode, isTagNode, } from '@vltpkg/dss-parser';
+import { removeNode, removeQuotes } from "./helpers.js";
+const semverFunctionNames = new Set([
+    'satisfies',
+    'gt',
+    'gte',
+    'lt',
+    'lte',
+    'eq',
+    'neq',
+]);
+export const isSemverFunctionName = (name) => semverFunctionNames.has(name);
+export const asSemverFunctionName = (name) => {
+    if (!isSemverFunctionName(name)) {
+        throw error('Invalid semver function name', {
+            found: name,
+            validOptions: Array.from(semverFunctionNames),
+        });
+    }
+    return name;
+};
+const semverFunctions = new Map([
+    ['satisfies', satisfies],
+    ['gt', gt],
+    ['gte', gte],
+    ['lt', lt],
+    ['lte', lte],
+    ['eq', eq],
+    ['neq', neq],
+]);
+export const parseInternals = (nodes, loose) => {
+    // tries to parse the first param as a string node, otherwise defaults
+    // to reading all postcss nodes as just strings, since it just means
+    // the value was defined as an unquoted string
+    let semverValue = '';
+    try {
+        semverValue = removeQuotes(asStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])
+            .value);
+    }
+    catch (err) {
+        if (asError(err).message === 'Mismatching query node' &&
+            isTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
+            // Handle tag node (unquoted values like >=2.0.0)
+            const tagNode = asTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0]);
+            semverValue = tagNode.value;
+        }
+        else {
+            throw err;
+        }
+    }
+    // second param is the function name
+    let fnName = 'satisfies';
+    try {
+        // if there is a second node defined, try to parse it as a string node
+        // first and if that fails, then parse it as a tag node which just means
+        // it was defined as an unquoted string
+        if (nodes[1]) {
+            try {
+                fnName = asSemverFunctionName(removeQuotes(asStringNode(asPostcssNodeWithChildren(nodes[1]).nodes[0])
+                    .value));
+            }
+            catch (err) {
+                if (asError(err).message === 'Mismatching query node') {
+                    fnName = asSemverFunctionName(asTagNode(asPostcssNodeWithChildren(nodes[1]).nodes[0])
+                        .value);
+                }
+                else {
+                    throw err;
+                }
+            }
+        }
+    }
+    catch (e) {
+        // allow invalid semver function names in loose mode, defaults to satisfies
+        if (!loose) {
+            throw e;
+        }
+    }
+    const semverFunction = semverFunctions.get(fnName);
+    // the following should never happen as long as the semver function names
+    // type and Set are correctly mirroring each other values
+    /* c8 ignore start */
+    if (!semverFunction) {
+        throw error('Invalid semver function name', {
+            found: fnName,
+            validOptions: Array.from(semverFunctions.keys()),
+        });
+    }
+    /* c8 ignore stop */
+    // optional third param is the compare value
+    let compareAttribute;
+    if (nodes[2]) {
+        const parentNode = asPostcssNodeWithChildren(nodes[2]);
+        const currNode = parentNode.nodes[0];
+        if (isAttributeNode(currNode)) {
+            const { attribute } = asAttributeNode(currNode);
+            compareAttribute = {
+                attribute,
+                properties: [attribute],
+            };
+        }
+        else if (isPseudoNode(currNode)) {
+            compareAttribute = parseAttrInternals(asPseudoNode(currNode).nodes);
+        }
+        else if (isStringNode(currNode)) {
+            const attribute = removeQuotes(asStringNode(currNode).value);
+            compareAttribute = {
+                attribute,
+                properties: [attribute],
+            };
+        }
+    }
+    return {
+        semverValue,
+        semverFunction,
+        compareAttribute,
+    };
+};
+export const semverParser = async (state) => {
+    let internals;
+    try {
+        internals = parseInternals(asPostcssNodeWithChildren(state.current).nodes, !!state.loose);
+    }
+    catch (err) {
+        throw error('Failed to parse :semver selector', {
+            cause: err,
+        });
+    }
+    const { semverValue, semverFunction, compareAttribute } = internals;
+    for (const node of state.partial.nodes) {
+        if (compareAttribute) {
+            const compareValues = getManifestPropertyValues(node, compareAttribute.properties, compareAttribute.attribute);
+            // if the provided semver value is a fixed semver version and the
+            // compare attribute is resolving to a range value, then we flip the
+            // order of comparison, in case it's a "satisfies" function check
+            const compareValue = compareValues?.[0];
+            const semverValueVersion = parse(semverValue);
+            const compareValueRange = compareValue && parseRange(compareValue);
+            if (semverFunction === satisfies &&
+                semverValueVersion &&
+                compareValueRange) {
+                if (!satisfies(semverValueVersion, compareValueRange)) {
+                    removeNode(state, node);
+                }
+                // otherwise just compares the read attribute to the semver value
+            }
+            else if (!compareValue ||
+                !semverFunction(compareValue, semverValue)) {
+                removeNode(state, node);
+            }
+        }
+        else {
+            const manifestVersion = node.manifest?.version;
+            if (!manifestVersion ||
+                !semverFunction(manifestVersion, semverValue)) {
+                removeNode(state, node);
+            }
+        }
+    }
+    return state;
+};

package/dist/pseudo/severity.d.ts

@@ -0,0 +1,14 @@
+import type { ParserState } from '../types.ts';
+import type { PostcssNode } from '@vltpkg/dss-parser';
+export type SeverityKinds = '0' | '1' | '2' | '3' | 'critical' | 'high' | 'medium' | 'low' | undefined;
+export type SeverityAlertTypes = 'criticalCVE' | 'cve' | 'potentialVulnerability' | 'mildCVE' | undefined;
+export type SeverityComparator = '>' | '<' | '>=' | '<=' | undefined;
+export declare const isSeverityKind: (value?: string) => value is SeverityKinds;
+export declare const asSeverityKind: (value?: string) => SeverityKinds;
+export declare const parseInternals: (nodes: PostcssNode[]) => {
+    kind: SeverityKinds;
+    comparator: SeverityComparator;
+};
+export declare const severity: (state: ParserState) => Promise<ParserState & {
+    securityArchive: NonNullable<ParserState["securityArchive"]>;
+}>;