@vltpkg/query 1.0.0-rc.31 → 1.0.0-rc.32

package/dist/pseudo/cve.d.ts

@@ -1,11 +1,15 @@
 import type { ParserState } from '../types.ts';
 import type { PostcssNode } from '@vltpkg/dss-parser';
 export type CveInternals = {
-    cveId: string;
+    cveId: string | undefined;
 };
 export declare const parseInternals: (nodes: PostcssNode[]) => CveInternals;
 /**
- * Filters out any node that does not have a CVE alert with the specified CVE ID.
+ * Filters out any node that does not have a CVE alert.
+ *
+ * Usage:
+ * - :cve - matches any package with at least one CVE alert
+ * - :cve(CVE-2023-1234) - matches only the specific CVE ID
  */
 export declare const cve: (state: ParserState) => Promise<ParserState & {
     securityArchive: NonNullable<ParserState["securityArchive"]>;

package/dist/pseudo/cve.js

@@ -2,23 +2,35 @@ import { error } from '@vltpkg/error-cause';
 import { asPostcssNodeWithChildren, asStringNode, asTagNode, isStringNode, isTagNode, } from '@vltpkg/dss-parser';
 import { assertSecurityArchive, removeDanglingEdges, removeNode, removeQuotes, } from "./helpers.js";
 export const parseInternals = (nodes) => {
+    if (!nodes[0]) {
+        return { cveId: undefined };
+    }
+    const selectorNode = asPostcssNodeWithChildren(nodes[0]);
+    if (!selectorNode.nodes[0]) {
+        return { cveId: undefined };
+    }
     let cveId = '';
-    if (isStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
-        cveId = removeQuotes(asStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])
-            .value);
+    if (isStringNode(selectorNode.nodes[0])) {
+        cveId = removeQuotes(asStringNode(selectorNode.nodes[0]).value);
     }
-    else if (isTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
-        cveId = asTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0]).value;
+    else if (isTagNode(selectorNode.nodes[0])) {
+        cveId = asTagNode(selectorNode.nodes[0]).value;
     }
+    /* c8 ignore start - unreachable via normal parser */
     if (!cveId) {
         throw error('Expected a CVE ID', {
-            found: asPostcssNodeWithChildren(nodes[0]).nodes[0],
+            found: selectorNode.nodes[0],
         });
     }
+    /* c8 ignore stop */
     return { cveId };
 };
 /**
- * Filters out any node that does not have a CVE alert with the specified CVE ID.
+ * Filters out any node that does not have a CVE alert.
+ *
+ * Usage:
+ * - :cve - matches any package with at least one CVE alert
+ * - :cve(CVE-2023-1234) - matches only the specific CVE ID
  */
 export const cve = async (state) => {
     assertSecurityArchive(state, 'cve');
@@ -26,14 +38,20 @@ export const cve = async (state) => {
     try {
         internals = parseInternals(asPostcssNodeWithChildren(state.current).nodes);
     }
-    catch (err) {
+    catch (err) /* c8 ignore start */ {
         throw error('Failed to parse :cve selector', { cause: err });
-    }
+    } /* c8 ignore stop */
     const { cveId } = internals;
     for (const node of state.partial.nodes) {
         const report = state.securityArchive.get(node.id);
-        const exclude = !report?.alerts.some(alert => alert.props?.cveId?.trim().toLowerCase() ===
-            cveId.trim().toLowerCase());
+        let exclude;
+        if (cveId === undefined) {
+            exclude = !report?.alerts.some(alert => alert.props?.cveId);
+        }
+        else {
+            exclude = !report?.alerts.some(alert => alert.props?.cveId?.trim().toLowerCase() ===
+                cveId.trim().toLowerCase());
+        }
         if (exclude) {
             removeNode(state, node);
         }

package/dist/pseudo/cwe.d.ts

@@ -1,11 +1,15 @@
 import type { ParserState } from '../types.ts';
 import type { PostcssNode } from '@vltpkg/dss-parser';
 export type CweInternals = {
-    cweId: string;
+    cweId: string | undefined;
 };
 export declare const parseInternals: (nodes: PostcssNode[]) => CweInternals;
 /**
- * Filters out any node that does not have a CWE alert with the specified CWE ID.
+ * Filters out any node that does not have a CWE alert.
+ *
+ * Usage:
+ * - :cwe - matches any package with at least one CWE alert
+ * - :cwe(CWE-79) - matches only the specific CWE ID
  */
 export declare const cwe: (state: ParserState) => Promise<ParserState & {
     securityArchive: NonNullable<ParserState["securityArchive"]>;

package/dist/pseudo/cwe.js

@@ -2,23 +2,35 @@ import { error } from '@vltpkg/error-cause';
 import { asPostcssNodeWithChildren, asStringNode, asTagNode, isStringNode, isTagNode, } from '@vltpkg/dss-parser';
 import { assertSecurityArchive, removeDanglingEdges, removeNode, removeQuotes, } from "./helpers.js";
 export const parseInternals = (nodes) => {
+    if (!nodes[0]) {
+        return { cweId: undefined };
+    }
+    const selectorNode = asPostcssNodeWithChildren(nodes[0]);
+    if (!selectorNode.nodes[0]) {
+        return { cweId: undefined };
+    }
     let cweId = '';
-    if (isStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
-        cweId = removeQuotes(asStringNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])
-            .value);
+    if (isStringNode(selectorNode.nodes[0])) {
+        cweId = removeQuotes(asStringNode(selectorNode.nodes[0]).value);
     }
-    else if (isTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0])) {
-        cweId = asTagNode(asPostcssNodeWithChildren(nodes[0]).nodes[0]).value;
+    else if (isTagNode(selectorNode.nodes[0])) {
+        cweId = asTagNode(selectorNode.nodes[0]).value;
     }
+    /* c8 ignore start - unreachable via normal parser */
     if (!cweId) {
         throw error('Expected a CWE ID', {
-            found: asPostcssNodeWithChildren(nodes[0]).nodes[0],
+            found: selectorNode.nodes[0],
         });
     }
+    /* c8 ignore stop */
     return { cweId };
 };
 /**
- * Filters out any node that does not have a CWE alert with the specified CWE ID.
+ * Filters out any node that does not have a CWE alert.
+ *
+ * Usage:
+ * - :cwe - matches any package with at least one CWE alert
+ * - :cwe(CWE-79) - matches only the specific CWE ID
  */
 export const cwe = async (state) => {
     assertSecurityArchive(state, 'cwe');
@@ -26,13 +38,20 @@ export const cwe = async (state) => {
     try {
         internals = parseInternals(asPostcssNodeWithChildren(state.current).nodes);
     }
-    catch (err) {
+    catch (err) /* c8 ignore start */ {
         throw error('Failed to parse :cwe selector', { cause: err });
-    }
+    } /* c8 ignore stop */
     const { cweId } = internals;
     for (const node of state.partial.nodes) {
         const report = state.securityArchive.get(node.id);
-        const exclude = !report?.alerts.some(alert => alert.props?.cwes?.some(cwe => cwe.id.trim().toLowerCase() === cweId.trim().toLowerCase()));
+        let exclude;
+        if (cweId === undefined) {
+            exclude = !report?.alerts.some(alert => alert.props?.cwes && alert.props.cwes.length > 0);
+        }
+        else {
+            exclude = !report?.alerts.some(alert => alert.props?.cwes?.some(cwe => cwe.id.trim().toLowerCase() ===
+                cweId.trim().toLowerCase()));
+        }
         if (exclude) {
             removeNode(state, node);
         }

package/dist/pseudo/dist.d.ts

@@ -0,0 +1,22 @@
+import type { NodeLike } from '@vltpkg/types';
+import type { ParserState } from '../types.ts';
+/**
+ * Fetches the dist-tags of a package from the registry.
+ */
+export declare const retrieveDistTags: (node: NodeLike, signal?: AbortSignal) => Promise<Record<string, string>>;
+/**
+ * Checks whether a node's installed version matches the version
+ * associated with the given dist-tag. Returns the node if it should
+ * be removed (does NOT match), or undefined if it matches.
+ */
+export declare const queueNode: (state: ParserState, node: NodeLike, tagName: string) => Promise<NodeLike | undefined>;
+/**
+ * :dist(tag) Pseudo-Selector, matches only nodes whose installed
+ * version corresponds to the given dist-tag in the registry.
+ *
+ * Examples:
+ * - :dist(latest) — matches packages at the `latest` dist-tag version
+ * - :dist(nightly) — matches packages at the `nightly` dist-tag version
+ * - :not(:dist(nightly)) — excludes nightly-tagged versions
+ */
+export declare const dist: (state: ParserState) => Promise<ParserState>;

package/dist/pseudo/dist.js

@@ -0,0 +1,110 @@
+import pRetry, { AbortError } from 'p-retry';
+import { hydrate, splitDepID } from '@vltpkg/dep-id/browser';
+import { error } from '@vltpkg/error-cause';
+import { asPostcssNodeWithChildren, asTagNode, asStringNode, isTagNode, } from '@vltpkg/dss-parser';
+import { removeDanglingEdges, removeNode, removeQuotes, } from "./helpers.js";
+/**
+ * Fetches the dist-tags of a package from the registry.
+ */
+export const retrieveDistTags = async (node, signal) => {
+    const spec = hydrate(node.id, String(node.name), node.options);
+    if (!spec.registry || !node.name) {
+        return {};
+    }
+    const url = new URL(spec.registry);
+    url.pathname = `/${node.name}`;
+    const response = await fetch(String(url), {
+        headers: {
+            Accept: 'application/vnd.npm.install-v1+json',
+        },
+        signal,
+    });
+    if (response.status === 404) {
+        throw new AbortError('Missing API');
+    }
+    if (!response.ok) {
+        throw error('Failed to fetch packument', {
+            name: node.name,
+            spec,
+            response,
+        });
+    }
+    const packument = (await response.json());
+    return packument['dist-tags'];
+};
+/**
+ * Checks whether a node's installed version matches the version
+ * associated with the given dist-tag. Returns the node if it should
+ * be removed (does NOT match), or undefined if it matches.
+ */
+export const queueNode = async (state, node, tagName) => {
+    if (!node.name || !node.version) {
+        return node;
+    }
+    let distTags;
+    try {
+        distTags = await pRetry(() => retrieveDistTags(node, state.signal), {
+            retries: state.retries,
+            signal: state.signal,
+        });
+    }
+    catch (err) {
+        // eslint-disable-next-line no-console
+        console.warn(error('Could not retrieve dist-tags', {
+            name: node.name,
+            cause: err,
+        }));
+        return node;
+    }
+    const tagVersion = distTags[tagName];
+    if (tagVersion !== node.version) {
+        return node;
+    }
+    return undefined;
+};
+/**
+ * :dist(tag) Pseudo-Selector, matches only nodes whose installed
+ * version corresponds to the given dist-tag in the registry.
+ *
+ * Examples:
+ * - :dist(latest) — matches packages at the `latest` dist-tag version
+ * - :dist(nightly) — matches packages at the `nightly` dist-tag version
+ * - :not(:dist(nightly)) — excludes nightly-tagged versions
+ */
+export const dist = async (state) => {
+    const top = asPostcssNodeWithChildren(state.current);
+    const selector = asPostcssNodeWithChildren(top.nodes[0]);
+    const firstChild = selector.nodes[0];
+    let tagName;
+    try {
+        tagName = removeQuotes(asStringNode(firstChild).value);
+    }
+    catch {
+        if (isTagNode(firstChild)) {
+            tagName = asTagNode(firstChild).value;
+            /* c8 ignore start */
+        }
+        else {
+            throw error('Failed to parse :dist selector', {
+                found: firstChild,
+            });
+        }
+        /* c8 ignore stop */
+    }
+    const queue = [];
+    for (const node of state.partial.nodes) {
+        if (splitDepID(node.id)[0] !== 'registry') {
+            removeNode(state, node);
+            continue;
+        }
+        queue.push(queueNode(state, node, tagName));
+    }
+    const removeNodeQueue = await Promise.all(queue);
+    for (const node of removeNodeQueue) {
+        if (node) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo/semver.d.ts

@@ -5,10 +5,12 @@ import type { PostcssNode } from '@vltpkg/dss-parser';
 export type SemverInternals = {
     semverValue: string;
     semverFunction: SemverComparatorFn;
+    semverRangeFunction: SemverRangeComparatorFn | undefined;
     compareAttribute: SemverCompareAttribute;
 };
-export type SemverFunctionNames = 'satisfies' | 'gt' | 'gte' | 'lt' | 'lte' | 'eq' | 'neq';
+export type SemverFunctionNames = 'satisfies' | 'gt' | 'gte' | 'lt' | 'lte' | 'eq' | 'neq' | 'intersects' | 'subset';
 export type SemverComparatorFn = (version: Version | string, range: string) => boolean;
+export type SemverRangeComparatorFn = (r1: string, r2: string) => boolean;
 export type SemverCompareAttribute = Pick<AttrInternals, 'attribute' | 'properties'> | undefined;
 export declare const isSemverFunctionName: (name: string) => name is SemverFunctionNames;
 export declare const asSemverFunctionName: (name: string) => SemverFunctionNames;

package/dist/pseudo/semver.js

@@ -1,10 +1,10 @@
-import { satisfies, gt, gte, lt, lte, eq, neq, parse, parseRange, } from '@vltpkg/semver';
+import { satisfies, gt, gte, lt, lte, eq, neq, intersects, subset, parse, parseRange, } from '@vltpkg/semver';
 import { error } from '@vltpkg/error-cause';
 import { asError } from '@vltpkg/types';
 import { parseInternals as parseAttrInternals } from "./attr.js";
 import { getManifestPropertyValues } from "../attribute.js";
 import { asAttributeNode, asPostcssNodeWithChildren, asPseudoNode, asStringNode, asTagNode, isAttributeNode, isPseudoNode, isStringNode, isTagNode, } from '@vltpkg/dss-parser';
-import { removeNode, removeQuotes } from "./helpers.js";
+import { removeEdge, removeNode, removeQuotes, removeUnlinkedNodes, } from "./helpers.js";
 const semverFunctionNames = new Set([
     'satisfies',
     'gt',
@@ -13,6 +13,8 @@ const semverFunctionNames = new Set([
     'lte',
     'eq',
     'neq',
+    'intersects',
+    'subset',
 ]);
 export const isSemverFunctionName = (name) => semverFunctionNames.has(name);
 export const asSemverFunctionName = (name) => {
@@ -33,6 +35,10 @@ const semverFunctions = new Map([
     ['eq', eq],
     ['neq', neq],
 ]);
+const semverRangeFunctions = new Map([
+    ['intersects', intersects],
+    ['subset', subset],
+]);
 export const parseInternals = (nodes, loose) => {
     // tries to parse the first param as a string node, otherwise defaults
     // to reading all postcss nodes as just strings, since it just means
@@ -82,13 +88,17 @@ export const parseInternals = (nodes, loose) => {
         }
     }
     const semverFunction = semverFunctions.get(fnName);
+    const semverRangeFunction = semverRangeFunctions.get(fnName);
     // the following should never happen as long as the semver function names
     // type and Set are correctly mirroring each other values
     /* c8 ignore start */
-    if (!semverFunction) {
+    if (!semverFunction && !semverRangeFunction) {
         throw error('Invalid semver function name', {
             found: fnName,
-            validOptions: Array.from(semverFunctions.keys()),
+            validOptions: [
+                ...Array.from(semverFunctions.keys()),
+                ...Array.from(semverRangeFunctions.keys()),
+            ],
         });
     }
     /* c8 ignore stop */
@@ -117,7 +127,8 @@ export const parseInternals = (nodes, loose) => {
     }
     return {
         semverValue,
-        semverFunction,
+        semverFunction: semverFunction ?? satisfies,
+        semverRangeFunction,
         compareAttribute,
     };
 };
@@ -131,7 +142,33 @@ export const semverParser = async (state) => {
             cause: err,
         });
     }
-    const { semverValue, semverFunction, compareAttribute } = internals;
+    const { semverValue, semverFunction, semverRangeFunction, compareAttribute, } = internals;
+    // Range-vs-range functions (subset, intersects) operate on edges by default
+    if (semverRangeFunction) {
+        if (compareAttribute) {
+            // Compare the semverValue against a manifest property value as ranges
+            for (const node of state.partial.nodes) {
+                const compareValues = getManifestPropertyValues(node, compareAttribute.properties, compareAttribute.attribute);
+                const compareValue = compareValues?.[0];
+                if (!compareValue ||
+                    !semverRangeFunction(compareValue, semverValue)) {
+                    removeNode(state, node);
+                }
+            }
+        }
+        else {
+            // Default: operate on edges using bareSpec
+            for (const edge of state.partial.edges) {
+                const edgeRange = edge.spec.semver ?? edge.spec.bareSpec;
+                if (!edgeRange ||
+                    !semverRangeFunction(edgeRange, semverValue)) {
+                    removeEdge(state, edge);
+                }
+            }
+            removeUnlinkedNodes(state);
+        }
+        return state;
+    }
     for (const node of state.partial.nodes) {
         if (compareAttribute) {
             const compareValues = getManifestPropertyValues(node, compareAttribute.properties, compareAttribute.attribute);

package/dist/pseudo/vulnerable.d.ts

@@ -0,0 +1,8 @@
+import type { ParserState } from '../types.ts';
+/**
+ * :vulnerable / :vuln Pseudo-Selector matches any package version
+ * that has at least one CVE associated with it.
+ */
+export declare const vulnerable: (state: ParserState) => Promise<ParserState & {
+    securityArchive: NonNullable<ParserState["securityArchive"]>;
+}>;

package/dist/pseudo/vulnerable.js

@@ -0,0 +1,17 @@
+import { assertSecurityArchive, removeDanglingEdges, removeNode, } from "./helpers.js";
+/**
+ * :vulnerable / :vuln Pseudo-Selector matches any package version
+ * that has at least one CVE associated with it.
+ */
+export const vulnerable = async (state) => {
+    assertSecurityArchive(state, 'vulnerable');
+    for (const node of state.partial.nodes) {
+        const report = state.securityArchive.get(node.id);
+        const hasCve = report?.alerts.some(alert => alert.props?.cveId);
+        if (!hasCve) {
+            removeNode(state, node);
+        }
+    }
+    removeDanglingEdges(state);
+    return state;
+};

package/dist/pseudo.js

@@ -12,6 +12,7 @@ import { debug } from "./pseudo/debug.js";
 import { deprecated } from "./pseudo/deprecated.js";
 import { dev } from "./pseudo/dev.js";
 import { diff } from "./pseudo/diff.js";
+import { dist } from "./pseudo/dist.js";
 import { dynamic } from "./pseudo/dynamic.js";
 import { empty } from "./pseudo/empty.js";
 import { entropic } from "./pseudo/entropic.js";
@@ -57,6 +58,7 @@ import { unknown } from "./pseudo/unknown.js";
 import { unmaintained } from "./pseudo/unmaintained.js";
 import { unpopular } from "./pseudo/unpopular.js";
 import { unstable } from "./pseudo/unstable.js";
+import { vulnerable } from "./pseudo/vulnerable.js";
 import { workspace } from "./pseudo/workspace.js";
 /**
  * :has Pseudo-Selector, matches only nodes that have valid results
@@ -286,6 +288,7 @@ const pseudoSelectors = new Map(Object.entries({
     deprecated,
     dev,
     diff,
+    dist,
     dynamic,
     eval: evalParser,
     empty,
@@ -338,6 +341,8 @@ const pseudoSelectors = new Map(Object.entries({
     unpopular,
     unstable,
     v: semver,
+    vuln: vulnerable,
+    vulnerable,
     workspace,
 }));
 /**

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@vltpkg/query",
   "description": "Query syntax parser that retrieves items from a graph",
-  "version": "1.0.0-rc.31",
+  "version": "1.0.0-rc.32",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/vltpkg/vltpkg.git",
@@ -13,12 +13,12 @@
     "url": "http://vlt.sh"
   },
   "dependencies": {
-    "@vltpkg/dep-id": "1.0.0-rc.31",
-    "@vltpkg/dss-parser": "1.0.0-rc.31",
-    "@vltpkg/error-cause": "1.0.0-rc.31",
-    "@vltpkg/security-archive": "1.0.0-rc.31",
-    "@vltpkg/semver": "1.0.0-rc.31",
-    "@vltpkg/types": "1.0.0-rc.31",
+    "@vltpkg/dep-id": "1.0.0-rc.32",
+    "@vltpkg/dss-parser": "1.0.0-rc.32",
+    "@vltpkg/error-cause": "1.0.0-rc.32",
+    "@vltpkg/security-archive": "1.0.0-rc.32",
+    "@vltpkg/semver": "1.0.0-rc.32",
+    "@vltpkg/types": "1.0.0-rc.32",
     "minimatch": "^10.1.1",
     "p-retry": "^7.1.1",
     "postcss-selector-parser": "^7.1.1"
@@ -26,7 +26,7 @@
   "devDependencies": {
     "@eslint/js": "^9.39.1",
     "@types/node": "^22.19.2",
-    "@vltpkg/spec": "1.0.0-rc.31",
+    "@vltpkg/spec": "1.0.0-rc.32",
     "eslint": "^9.39.1",
     "prettier": "^3.7.4",
     "tap": "^21.5.0",