@vyuhlabs/dxkit 2.6.0 → 2.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +103 -13
- package/README.md +208 -459
- package/dist/analyzers/bom/discovery.d.ts +3 -4
- package/dist/analyzers/bom/discovery.d.ts.map +1 -1
- package/dist/analyzers/bom/discovery.js +3 -4
- package/dist/analyzers/bom/discovery.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +1 -1
- package/dist/analyzers/dashboard/index.d.ts.map +1 -1
- package/dist/analyzers/dashboard/index.js +42 -5
- package/dist/analyzers/dashboard/index.js.map +1 -1
- package/dist/analyzers/developer/gather.d.ts.map +1 -1
- package/dist/analyzers/developer/gather.js +9 -9
- package/dist/analyzers/developer/gather.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts +8 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +43 -10
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/quality/gather.js +3 -3
- package/dist/analyzers/quality/gather.js.map +1 -1
- package/dist/analyzers/security/detailed.d.ts +8 -1
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +14 -1
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +12 -3
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts +8 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +26 -7
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tools/cloc.js +5 -5
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/exclusions.d.ts +12 -12
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +27 -13
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +52 -14
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +28 -3
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +39 -5
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +609 -45
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
- package/dist/analyzers/tools/grep-secrets.js +1 -1
- package/dist/analyzers/tools/grep-secrets.js.map +1 -1
- package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
- package/dist/analyzers/tools/jscpd.js +2 -1
- package/dist/analyzers/tools/jscpd.js.map +1 -1
- package/dist/analyzers/tools/nuget-package-reference.d.ts +4 -4
- package/dist/analyzers/tools/nuget-package-reference.js +4 -4
- package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-deps.js +1 -1
- package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.d.ts +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.js +4 -5
- package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +7 -0
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/runner.d.ts +35 -2
- package/dist/analyzers/tools/runner.d.ts.map +1 -1
- package/dist/analyzers/tools/runner.js +112 -3
- package/dist/analyzers/tools/runner.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +3 -1
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts +18 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +140 -53
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/tools-config.d.ts +46 -0
- package/dist/analyzers/tools/tools-config.d.ts.map +1 -0
- package/dist/analyzers/tools/tools-config.js +129 -0
- package/dist/analyzers/tools/tools-config.js.map +1 -0
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.js +3 -4
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -1
- package/dist/analyzers/tools/walk-source-files.d.ts +8 -0
- package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -1
- package/dist/analyzers/tools/walk-source-files.js +49 -4
- package/dist/analyzers/tools/walk-source-files.js.map +1 -1
- package/dist/analyzers/xlsx/licenses.d.ts +7 -7
- package/dist/analyzers/xlsx/licenses.js +7 -7
- package/dist/baseline/baseline-file.d.ts +8 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +10 -0
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +7 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +2 -0
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/coverage.d.ts +57 -0
- package/dist/baseline/coverage.d.ts.map +1 -0
- package/dist/baseline/coverage.js +62 -0
- package/dist/baseline/coverage.js.map +1 -0
- package/dist/baseline/create.d.ts +13 -0
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +21 -0
- package/dist/baseline/create.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +123 -4
- package/dist/cli.js.map +1 -1
- package/dist/dashboard/graph-adapter.d.ts +151 -0
- package/dist/dashboard/graph-adapter.d.ts.map +1 -0
- package/dist/dashboard/graph-adapter.js +415 -0
- package/dist/dashboard/graph-adapter.js.map +1 -0
- package/dist/dashboard/graph-tab.d.ts +109 -0
- package/dist/dashboard/graph-tab.d.ts.map +1 -0
- package/dist/dashboard/graph-tab.js +297 -0
- package/dist/dashboard/graph-tab.js.map +1 -0
- package/dist/dashboard/vendor/vis-network.min.js +34 -0
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +6 -7
- package/dist/doctor.js.map +1 -1
- package/dist/explore/cli/api-surface.d.ts +12 -0
- package/dist/explore/cli/api-surface.d.ts.map +1 -0
- package/dist/explore/cli/api-surface.js +57 -0
- package/dist/explore/cli/api-surface.js.map +1 -0
- package/dist/explore/cli/communities.d.ts +10 -0
- package/dist/explore/cli/communities.d.ts.map +1 -0
- package/dist/explore/cli/communities.js +47 -0
- package/dist/explore/cli/communities.js.map +1 -0
- package/dist/explore/cli/context.d.ts +16 -0
- package/dist/explore/cli/context.d.ts.map +1 -0
- package/dist/explore/cli/context.js +118 -0
- package/dist/explore/cli/context.js.map +1 -0
- package/dist/explore/cli/entry-points.d.ts +12 -0
- package/dist/explore/cli/entry-points.d.ts.map +1 -0
- package/dist/explore/cli/entry-points.js +85 -0
- package/dist/explore/cli/entry-points.js.map +1 -0
- package/dist/explore/cli/feature.d.ts +16 -0
- package/dist/explore/cli/feature.d.ts.map +1 -0
- package/dist/explore/cli/feature.js +89 -0
- package/dist/explore/cli/feature.js.map +1 -0
- package/dist/explore/cli/file.d.ts +12 -0
- package/dist/explore/cli/file.d.ts.map +1 -0
- package/dist/explore/cli/file.js +139 -0
- package/dist/explore/cli/file.js.map +1 -0
- package/dist/explore/cli/hot-files.d.ts +11 -0
- package/dist/explore/cli/hot-files.d.ts.map +1 -0
- package/dist/explore/cli/hot-files.js +63 -0
- package/dist/explore/cli/hot-files.js.map +1 -0
- package/dist/explore/context-hook.d.ts +42 -0
- package/dist/explore/context-hook.d.ts.map +1 -0
- package/dist/explore/context-hook.js +131 -0
- package/dist/explore/context-hook.js.map +1 -0
- package/dist/explore/finding-context.d.ts +69 -0
- package/dist/explore/finding-context.d.ts.map +1 -0
- package/dist/explore/finding-context.js +102 -0
- package/dist/explore/finding-context.js.map +1 -0
- package/dist/explore/format.d.ts +64 -0
- package/dist/explore/format.d.ts.map +1 -0
- package/dist/explore/format.js +99 -0
- package/dist/explore/format.js.map +1 -0
- package/dist/explore/load.d.ts +50 -0
- package/dist/explore/load.d.ts.map +1 -0
- package/dist/explore/load.js +197 -0
- package/dist/explore/load.js.map +1 -0
- package/dist/explore/queries.d.ts +413 -0
- package/dist/explore/queries.d.ts.map +1 -0
- package/dist/explore/queries.js +855 -0
- package/dist/explore/queries.js.map +1 -0
- package/dist/explore/types.d.ts +130 -0
- package/dist/explore/types.d.ts.map +1 -0
- package/dist/explore/types.js +28 -0
- package/dist/explore/types.js.map +1 -0
- package/dist/explore-cli.d.ts +45 -0
- package/dist/explore-cli.d.ts.map +1 -0
- package/dist/explore-cli.js +213 -0
- package/dist/explore-cli.js.map +1 -0
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +19 -0
- package/dist/generator.js.map +1 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +58 -26
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +17 -14
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +27 -0
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +35 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +13 -10
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +13 -10
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +31 -20
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +30 -16
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +16 -13
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +54 -0
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +22 -19
- package/dist/languages/typescript.js.map +1 -1
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +10 -4
- package/dist/tools-cli.js.map +1 -1
- package/dist/upgrade.js +2 -2
- package/dist/upgrade.js.map +1 -1
- package/package.json +2 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +21 -1
- package/templates/.claude/skills/dxkit-config/SKILL.md +26 -0
- package/templates/.claude/skills/dxkit-fix/SKILL.md +10 -0
- package/templates/.claude/skills/dxkit-reports/SKILL.md +3 -1
- package/templates/AGENTS.md.template +8 -1
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,96 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [2.7.1] - 2026-05-31
|
|
11
|
+
|
|
12
|
+
Windows compatibility. Tool detection, the scanner toolchain, and source
|
|
13
|
+
enumeration now work on native Windows (cmd.exe / PowerShell), not only
|
|
14
|
+
on POSIX shells. Previously a Windows user could capture a baseline that
|
|
15
|
+
silently omitted whole finding categories because the underlying tools
|
|
16
|
+
were never detected or run; dxkit now detects them correctly and, when
|
|
17
|
+
something genuinely can't run, says so instead of recording an empty
|
|
18
|
+
result as clean.
|
|
19
|
+
|
|
20
|
+
### Fixed
|
|
21
|
+
|
|
22
|
+
- **Cross-platform tool detection.** Binary resolution now walks `PATH`
|
|
23
|
+
in pure Node, honoring `%PATHEXT%` on Windows, instead of shelling out
|
|
24
|
+
to `which`. Previously every external tool — and even `git`, `node`,
|
|
25
|
+
and `dotnet` — was reported missing on Windows even when installed,
|
|
26
|
+
which `doctor` now reflects accurately.
|
|
27
|
+
- **Scanners run on Windows.** gitleaks, semgrep, and jscpd write their
|
|
28
|
+
reports under the OS temp directory and gitleaks is invoked without a
|
|
29
|
+
shell, so a path with spaces or a non-POSIX shell no longer produces
|
|
30
|
+
an empty result.
|
|
31
|
+
- **Source enumeration is shell-free.** Per-language import discovery,
|
|
32
|
+
the directory count, README/manifest reads, and the developer-
|
|
33
|
+
experience probes use in-process file walkers instead of
|
|
34
|
+
`find` / `ls` / `wc` / `cat`, which returned nothing on Windows.
|
|
35
|
+
- **Graph context on Windows.** The graphify interpreter is resolved via
|
|
36
|
+
the platform venv layout (`Scripts\python.exe` vs `bin/python`), so
|
|
37
|
+
`explore`, `context`, and `--graph-context` work once graphify is
|
|
38
|
+
installed.
|
|
39
|
+
- **`tools install` on Windows** selects an available shell rather than
|
|
40
|
+
assuming `/bin/bash`.
|
|
41
|
+
|
|
42
|
+
### Added
|
|
43
|
+
|
|
44
|
+
- **Baseline coverage signal.** `baseline create` warns when an expected
|
|
45
|
+
scanner isn't available — prompting to install or continue
|
|
46
|
+
interactively, and requiring `--allow-incomplete` in non-interactive
|
|
47
|
+
runs rather than silently writing a partial baseline (`--force`
|
|
48
|
+
implies this opt-in, so the shipped baseline-refresh workflow keeps
|
|
49
|
+
working). The baseline file now records which scanners were available
|
|
50
|
+
at capture time, and `guardrail check` surfaces when that availability
|
|
51
|
+
has since changed.
|
|
52
|
+
- **Configurable tool locations.** A `.dxkit/tools.json` with
|
|
53
|
+
`probePaths` and `installDir` lets dxkit find tools in non-standard
|
|
54
|
+
locations and install them where you choose — useful on locked-down or
|
|
55
|
+
corporate-managed machines. Documented in the `dxkit-config` skill.
|
|
56
|
+
- **Windows CI job** that validates detection on a real Windows runner,
|
|
57
|
+
triggered only when detection-relevant files change.
|
|
58
|
+
|
|
59
|
+
## [2.7.0] - 2026-05-29
|
|
60
|
+
|
|
61
|
+
The "Repo Explore" release. dxkit now builds a deterministic code graph
|
|
62
|
+
of your repo and exposes it three ways: a CLI to query structure, an
|
|
63
|
+
interactive graph in the dashboard, and per-finding blast radius in
|
|
64
|
+
detailed reports. The throughline is helping a coding agent fix findings
|
|
65
|
+
by navigating structure instead of re-reading whole files.
|
|
66
|
+
|
|
67
|
+
### Added
|
|
68
|
+
|
|
69
|
+
- **`vyuh-dxkit explore`** with six subcommands (`entry-points`,
|
|
70
|
+
`hot-files`, `communities`, `file`, `feature`, `api-surface`) for
|
|
71
|
+
asking the code graph what the repo does, where a feature lives, which
|
|
72
|
+
files are load-bearing, and what the public API surface is.
|
|
73
|
+
- **`vyuh-dxkit context <query>`** returns a token-budgeted structural
|
|
74
|
+
slice for a query (an anchor symbol, its relevant neighbors, and the
|
|
75
|
+
blast radius), plus a fail-open Claude Code PreToolUse hook that feeds
|
|
76
|
+
it on Grep/Glob so agents need fewer follow-up whole-file reads.
|
|
77
|
+
Auto-installed with `--with-dxkit-agents`.
|
|
78
|
+
- **Interactive Graph tab** in `vyuh-dxkit dashboard`, embedding
|
|
79
|
+
graphify's code-graph viewer with the renderer bundled to work
|
|
80
|
+
offline. Large repos render a community-aggregated view.
|
|
81
|
+
- **`--graph-context`** on `vulnerabilities`, `test-gaps`, and `quality`
|
|
82
|
+
attaches each finding's module and blast radius (which files call into
|
|
83
|
+
it) to the detailed report, so a fixing agent gets the structural map
|
|
84
|
+
per finding without a separate lookup.
|
|
85
|
+
- **Per-language call-graph reliability.** Where the call graph cannot be
|
|
86
|
+
resolved (C#, which cannot follow `using` across assemblies), blast
|
|
87
|
+
radius reads "n/a" rather than a misleading "0 callers", so it is never
|
|
88
|
+
mistaken for "safe to change".
|
|
89
|
+
- **`dxkit-action`** now folds blast radius into prioritization as an
|
|
90
|
+
additive signal, and the generated `AGENTS.md` documents the new
|
|
91
|
+
commands.
|
|
92
|
+
|
|
93
|
+
### Changed
|
|
94
|
+
|
|
95
|
+
- `vyuh-dxkit health` writes the code graph to
|
|
96
|
+
`.dxkit/reports/graph.json` as a side effect, so a single run
|
|
97
|
+
populates the artifact the explore, context, dashboard, and
|
|
98
|
+
graph-context surfaces read.
|
|
99
|
+
|
|
10
100
|
## [2.6.0] - 2026-05-23
|
|
11
101
|
|
|
12
102
|
The "per-finding suppression + public-repo-safe baselines" release.
|
|
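Review bot: In the 2.7.1 "Baseline coverage signal" entry, the parenthetical "`--force` implies this opt-in" undercuts the guard that the same sentence introduces. The shipped baseline-refresh workflow presumably runs unattended, which is where a missing scanner is least likely to be noticed, and with `--force` it still writes a partial baseline without anyone passing `--allow-incomplete`. Suggest stating whether the missing-scanner warning is still printed under `--force`, and consider having the workflow pass `--allow-incomplete` explicitly so the opt-in is visible in the workflow file. In the "Configurable tool locations" entry just below, please also state whether `probePaths` and `installDir` are honored as-is when `.dxkit/tools.json` comes from the repository being scanned, since that file steers where tool binaries are resolved from.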
@@ -185,7 +275,7 @@ Tag: `create-dxkit@v0.2.0`. Run `npm init @vyuhlabs/dxkit` to get
|
|
|
185
275
|
the new combined experience.
|
|
186
276
|
|
|
187
277
|
Validated end-to-end with two cross-stack walkthroughs on 2026-05-22:
|
|
188
|
-
|
|
278
|
+
a polyglot Python+TypeScript reference repo and a .NET reference repo.
|
|
189
279
|
Both stacks: defect closures verified, per-pack devcontainer adapts
|
|
190
280
|
correctly, doctor's new tier-3 surfaces operational gaps with
|
|
191
281
|
actionable fix commands.
|
|
@@ -1621,9 +1711,9 @@ Four pieces shipped together:
|
|
|
1621
1711
|
The post-shipment audit's master bug + its direct cascade:
|
|
1622
1712
|
|
|
1623
1713
|
- **D055** — `.dxkit-ignore` multi-segment paths flatten to basenames
|
|
1624
|
-
in cloc / graphify / grep. `
|
|
1625
|
-
became `{
|
|
1626
|
-
directory named `
|
|
1714
|
+
in cloc / graphify / grep. `app/vendor/generated/` silently
|
|
1715
|
+
became `{app, vendor, generated}`, so cloc then excluded every
|
|
1716
|
+
directory named `app` in the tree, killing 90% of source visibility.
|
|
1627
1717
|
Fix: `getClocExcludeFlags` emits `--exclude-dir` (basenames) PLUS
|
|
1628
1718
|
`--fullpath --not-match-d` (Perl regex on full path).
|
|
1629
1719
|
`getPythonExcludeFilter` emits both a basename set AND a multi-
|
|
@@ -1825,7 +1915,7 @@ discipline.
|
|
|
1825
1915
|
(osv-scanner reads Gemfile.lock directly, no `bundle env`/`bundle
|
|
1826
1916
|
show` introspection ladder). Stays accepted-deferred.
|
|
1827
1917
|
- **D017** (NEW) — `dxkit bom <large-project> > file.json` produces
|
|
1828
|
-
0-byte output intermittently on
|
|
1918
|
+
0-byte output intermittently on a large reference repo (1700+ deps).
|
|
1829
1919
|
EXIT=0, no error. Workaround: pipe through `cat`. Hypothesis:
|
|
1830
1920
|
Node stdout buffer doesn't drain before process exit when output
|
|
1831
1921
|
is large + stdout is a regular file. NOT a 2.4.6 ship blocker —
|
|
@@ -1835,7 +1925,7 @@ discipline.
|
|
|
1835
1925
|
### Pre-ship regression — clean
|
|
1836
1926
|
|
|
1837
1927
|
Sequential dxkit reports captured against dxkit-on-dxkit and
|
|
1838
|
-
|
|
1928
|
+
a large reference repo; 12 reports each diffed against the 2.4.5-fixed
|
|
1839
1929
|
baseline. Zero code regressions detected. All deltas explained:
|
|
1840
1930
|
|
|
1841
1931
|
- dxkit/test-gaps 16 → 32 — better data (Istanbul vs import-graph
|
|
@@ -1887,7 +1977,7 @@ at every commit in the 10-commit branch.
|
|
|
1887
1977
|
`typescript`, etc.). `unfilteredTotalPackages` 22 → 353. The
|
|
1888
1978
|
analyzed project's own deps were missing from BoM whenever the
|
|
1889
1979
|
bug hit. Most repos that resolve peer-deps cleanly under
|
|
1890
|
-
`--legacy-peer-deps` weren't affected (
|
|
1980
|
+
`--legacy-peer-deps` weren't affected (the reference repo's BoM
|
|
1891
1981
|
stayed correct at 145 packages); repos with subtle peer-dep
|
|
1892
1982
|
issues silently lost root-dep enumeration.
|
|
1893
1983
|
|
|
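Review bot: The added line "`--legacy-peer-deps` weren't affected (the reference repo's BoM" uses "the reference repo" with a definite article, but nothing in the visible context of this entry introduces one. Other lines rewritten in this patch say "a large reference repo", "the polyglot reference repo" and "the TypeScript reference benchmark", so a reader cannot tell whether the 145-package figure here and the 1700+ deps figure in the D017 entry describe the same project. Suggest defining each reference repo once near the top of the changelog and using those exact names throughout.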
@@ -2756,7 +2846,7 @@ unchanged — consumers can re-derive trivially if needed.
|
|
|
2756
2846
|
- 715 tests passing (+18 pm-signals cases: license class mapping,
|
|
2757
2847
|
compound expressions, staleness thresholds, effort semver deltas).
|
|
2758
2848
|
- Typecheck + lint + format + architecture + pre-push CI-mirror gate clean.
|
|
2759
|
-
-
|
|
2849
|
+
- reference-repo smoke: all 4 sheets render correctly, exec summary
|
|
2760
2850
|
surfaces 3 ship-blockers + 9 sprint-risk findings + pm2 flagged
|
|
2761
2851
|
copyleft-strong, `@loopback/rest` surfaces as highest-leverage upgrade
|
|
2762
2852
|
(27 transitive advisories, worst CRITICAL).
|
|
@@ -2764,7 +2854,7 @@ unchanged — consumers can re-derive trivially if needed.
|
|
|
2764
2854
|
## [2.3.1] - 2026-04-24
|
|
2765
2855
|
|
|
2766
2856
|
Patch release fixing three install-robustness issues reported on a
|
|
2767
|
-
real
|
|
2857
|
+
real reference-repo install:
|
|
2768
2858
|
|
|
2769
2859
|
### Fixed
|
|
2770
2860
|
|
|
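Review bot: The rewritten line "real reference-repo install:" swaps a project name for a generic label, but the header of the very next hunk still shows the earlier wording of this line, which is the text shipped in the 2.6.0 package this diff is taken against. If the intent is to keep that name out of the published package, editing the changelog going forward does not remove it from versions already on the registry. If the intent is only readability, a line in the 2.7.1 notes saying that historical entries were reworded would keep readers who compare versions from being surprised.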
@@ -2810,7 +2900,7 @@ real vyuhlabs-platform install:
|
|
|
2810
2900
|
Warnings only, no functional impact; would require either switching
|
|
2811
2901
|
xlsx libraries (breaking) or upstream archiver modernization.
|
|
2812
2902
|
|
|
2813
|
-
### Validation on
|
|
2903
|
+
### Validation on the polyglot reference repo
|
|
2814
2904
|
|
|
2815
2905
|
- `vyuh-dxkit tools` reports 12/13 tools found (vitest-coverage
|
|
2816
2906
|
correctly listed as missing since lb-mocha is in use)
|
|
@@ -2883,7 +2973,7 @@ merge → tag → CI-publishes without deviation.
|
|
|
2883
2973
|
unions the roots each package was found in; `isTopLevel`
|
|
2884
2974
|
OR-merges; vulns dedup on `(id, package, installedVersion)`.
|
|
2885
2975
|
Closes **D001a** — `bom platform/` previously missed
|
|
2886
|
-
|
|
2976
|
+
the product subdirectory entirely. Side-benefit: naturally
|
|
2887
2977
|
addresses **D003** (C# multi-project) since each `.csproj`
|
|
2888
2978
|
becomes its own root. (10h.5.0b)
|
|
2889
2979
|
|
|
@@ -3000,7 +3090,7 @@ bump required.
|
|
|
3000
3090
|
- **TypeScript pack** — BFS over `package-lock.json` (v2/v3) from
|
|
3001
3091
|
each root `dependencies` / `devDependencies` entry. Pure parser
|
|
3002
3092
|
`buildTsTopLevelDepIndex` unit-tested; benchmark on
|
|
3003
|
-
|
|
3093
|
+
reference repo: 71/71 findings attributed across 31 vulnerable
|
|
3004
3094
|
packages, `@loopback/cli` rollup = 29 advisories (matches Snyk UI).
|
|
3005
3095
|
|
|
3006
3096
|
- **Python pack** — BFS over `pip show` graph from packages with empty
|
|
@@ -3066,7 +3156,7 @@ bump required.
|
|
|
3066
3156
|
`obj/project.assets.json`. Findings still emit; `topLevelDep` stays
|
|
3067
3157
|
unset.
|
|
3068
3158
|
|
|
3069
|
-
- Release validated against
|
|
3159
|
+
- Release validated against the TypeScript reference benchmark.
|
|
3070
3160
|
Python/Go/Rust/C# packs exercised via fixture-based unit tests
|
|
3071
3161
|
(+53 new tests across the 4 non-TS language test files); real-world
|
|
3072
3162
|
validation lands with 2.3.0's cross-ecosystem benchmark fixtures.
|