@westbayberry/dg 1.0.53 → 1.0.56

package/dist/src/lockfile/diff.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.diffLockfiles = diffLockfiles;
+function diffLockfiles(base, head, maxPackages, directDeps) {
+    const allChanges = [];
+    for (const [name, headEntry] of head.packages) {
+        const baseEntry = base?.packages.get(name);
+        if (!baseEntry) {
+            allChanges.push({
+                name,
+                oldVersion: null,
+                newVersion: headEntry.version,
+                isDirect: directDeps?.has(name) ?? false,
+                isDev: headEntry.dev ?? false,
+            });
+        }
+        else if (baseEntry.version !== headEntry.version) {
+            allChanges.push({
+                name,
+                oldVersion: baseEntry.version,
+                newVersion: headEntry.version,
+                isDirect: directDeps?.has(name) ?? false,
+                isDev: headEntry.dev ?? false,
+            });
+        }
+    }
+    allChanges.sort((a, b) => {
+        if (a.isDirect !== b.isDirect)
+            return a.isDirect ? -1 : 1;
+        return a.name.localeCompare(b.name);
+    });
+    if (allChanges.length <= maxPackages) {
+        return { changes: allChanges, skipped: [] };
+    }
+    const changes = allChanges.slice(0, maxPackages);
+    const skipped = allChanges.slice(maxPackages).map((c) => c.name);
+    return { changes, skipped };
+}

package/dist/src/lockfile/parse_package_json.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.diffPackageJsons = diffPackageJsons;
+function diffPackageJsons(baseContent, headContent, maxPackages) {
+    const head = JSON.parse(headContent);
+    const headDeps = {
+        ...head.dependencies,
+        ...head.devDependencies,
+    };
+    let baseDeps = {};
+    if (baseContent) {
+        const base = JSON.parse(baseContent);
+        baseDeps = { ...base.dependencies, ...base.devDependencies };
+    }
+    const changes = [];
+    for (const [name, version] of Object.entries(headDeps)) {
+        if (changes.length >= maxPackages)
+            break;
+        const baseVersion = baseDeps[name];
+        const isDev = !!(head.devDependencies && head.devDependencies[name]);
+        if (!baseVersion) {
+            changes.push({
+                name,
+                oldVersion: null,
+                newVersion: version,
+                isDirect: true,
+                isDev,
+            });
+        }
+        else if (baseVersion !== version) {
+            changes.push({
+                name,
+                oldVersion: baseVersion,
+                newVersion: version,
+                isDirect: true,
+                isDev,
+            });
+        }
+    }
+    return { changes };
+}

package/dist/src/lockfile/parse_package_lock.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseLockfile = parseLockfile;
+function parseLockfile(content) {
+    const json = JSON.parse(content);
+    const lockfileVersion = json.lockfileVersion ?? 1;
+    const packages = new Map();
+    if (lockfileVersion >= 2 && json.packages) {
+        for (const [path, entry] of Object.entries(json.packages)) {
+            if (path === "")
+                continue;
+            const name = extractPackageName(path);
+            if (name && !packages.has(name)) {
+                const e = entry;
+                const deps = e.dependencies;
+                packages.set(name, {
+                    version: e.version ?? "",
+                    resolved: e.resolved,
+                    integrity: e.integrity,
+                    dev: e.dev,
+                    optional: e.optional,
+                    hasPlatformRestriction: !!(e.os || e.cpu),
+                    dependencies: deps && typeof deps === "object" ? deps : undefined,
+                });
+            }
+        }
+    }
+    else if (json.dependencies) {
+        parseLegacyDeps(json.dependencies, packages);
+    }
+    return { lockfileVersion, packages };
+}
+function extractPackageName(nodePath) {
+    const prefix = "node_modules/";
+    const lastIdx = nodePath.lastIndexOf(prefix);
+    if (lastIdx === -1)
+        return null;
+    const name = nodePath.slice(lastIdx + prefix.length);
+    return name || null;
+}
+function parseLegacyDeps(deps, packages, parentPrefix = "") {
+    for (const [name, value] of Object.entries(deps)) {
+        const fullName = parentPrefix ? `${parentPrefix}/${name}` : name;
+        const entry = value;
+        packages.set(fullName, {
+            version: entry.version ?? "",
+            resolved: entry.resolved,
+            integrity: entry.integrity,
+            dev: entry.dev,
+        });
+        if (entry.dependencies) {
+            parseLegacyDeps(entry.dependencies, packages);
+        }
+    }
+}

package/dist/src/lockfile/parse_pipfile_lock.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parsePipfileLock = parsePipfileLock;
+exports.diffPipfileLocks = diffPipfileLocks;
+/**
+ * Parse a Pipfile.lock (JSON format) into package entries.
+ * Pipfile.lock has two sections: "default" (production) and "develop" (dev).
+ * Each entry is keyed by package name with a "version" field like "==1.2.3".
+ */
+function parsePipfileLock(content) {
+    const packages = new Map();
+    const json = JSON.parse(content);
+    parsePipfileSection(json.default, false, packages);
+    parsePipfileSection(json.develop, true, packages);
+    return { packages };
+}
+function parsePipfileSection(section, isDev, packages) {
+    if (!section || typeof section !== "object")
+        return;
+    for (const [rawName, entry] of Object.entries(section)) {
+        if (!entry || typeof entry !== "object")
+            continue;
+        const entryObj = entry;
+        const rawVersion = entryObj.version;
+        if (typeof rawVersion !== "string")
+            continue;
+        const name = normalizePyName(rawName);
+        // Strip leading "==" from version
+        const version = rawVersion.replace(/^==/, "");
+        if (!packages.has(name)) {
+            packages.set(name, { name, version, isDev });
+        }
+    }
+}
+function diffPipfileLocks(base, head, maxPackages) {
+    const changes = [];
+    for (const [name, headEntry] of head.packages) {
+        const baseEntry = base?.packages.get(name);
+        if (!baseEntry) {
+            changes.push({
+                name,
+                oldVersion: null,
+                newVersion: headEntry.version,
+                isDirect: true,
+                isDev: headEntry.isDev,
+            });
+        }
+        else if (baseEntry.version !== headEntry.version) {
+            changes.push({
+                name,
+                oldVersion: baseEntry.version,
+                newVersion: headEntry.version,
+                isDirect: true,
+                isDev: headEntry.isDev,
+            });
+        }
+    }
+    changes.sort((a, b) => a.name.localeCompare(b.name));
+    if (changes.length <= maxPackages) {
+        return { changes, skipped: [] };
+    }
+    return {
+        changes: changes.slice(0, maxPackages),
+        skipped: changes.slice(maxPackages).map((c) => c.name),
+    };
+}
+function normalizePyName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+}

package/dist/src/lockfile/parse_pnpm_lock.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parsePnpmLock = parsePnpmLock;
+/**
+ * Parse a pnpm-lock.yaml file (v5, v6, v9 formats).
+ *
+ * Formats:
+ *   v5:  /package/version:           (under `packages:`)
+ *   v6+: /package@version:           (under `packages:`)
+ *   v9:  package@version:            (under `packages:`, no leading /)
+ *
+ * We only need package name + version for diffing — no YAML library needed.
+ */
+function parsePnpmLock(content) {
+    const packages = new Map();
+    const lines = content.split("\n");
+    let inPackages = false;
+    // v5 format: /pkg/1.0.0
+    const v5Re = /^\s+'?\/?(@?[^/]+\/[^/]+)\/([^:'(]+)/;
+    // v6+/v9 format: /pkg@1.0.0 or pkg@1.0.0
+    const v6Re = /^\s+'?\/?(@?[^@\s']+)@([^:'(\s]+)/;
+    let lockfileVersion = 0;
+    const versionMatch = content.match(/^lockfileVersion:\s*'?(\d+)/m);
+    if (versionMatch)
+        lockfileVersion = parseInt(versionMatch[1], 10);
+    for (const line of lines) {
+        // Detect the packages: section
+        if (/^packages:/.test(line)) {
+            inPackages = true;
+            continue;
+        }
+        // A new top-level key ends the packages section
+        if (inPackages && /^\S/.test(line) && !line.startsWith(" ") && !line.startsWith("'")) {
+            if (!line.startsWith("packages:"))
+                inPackages = false;
+            continue;
+        }
+        if (!inPackages)
+            continue;
+        // Try v6+/v9 format first (more common in modern pnpm)
+        let match = line.match(v6Re);
+        if (match) {
+            const [, name, version] = match;
+            if (!packages.has(name)) {
+                packages.set(name, { version });
+            }
+            continue;
+        }
+        // Try v5 format: /package/version
+        match = line.match(v5Re);
+        if (match) {
+            const rawName = match[1];
+            const version = match[2];
+            // v5 scoped packages: /@scope/name/version → name is @scope/name
+            // v5 unscoped: /name/version
+            if (!packages.has(rawName)) {
+                packages.set(rawName, { version });
+            }
+        }
+    }
+    return { lockfileVersion, packages };
+}

package/dist/src/lockfile/parse_poetry_lock.js

@@ -0,0 +1,71 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parsePoetryLock = parsePoetryLock;
+exports.diffPoetryLocks = diffPoetryLocks;
+/**
+ * Parse a poetry.lock file (TOML format) into package entries.
+ * Uses a simple regex-based parser since poetry.lock has a predictable structure:
+ *
+ * [[package]]
+ * name = "package-name"
+ * version = "1.2.3"
+ * category = "main" | "dev"
+ *
+ * We don't need a full TOML parser — just extract package blocks.
+ */
+function parsePoetryLock(content) {
+    const packages = new Map();
+    // Split into [[package]] blocks
+    const blocks = content.split(/^\[\[package\]\]\s*$/m);
+    for (const block of blocks) {
+        const nameMatch = block.match(/^name\s*=\s*"([^"]+)"/m);
+        const versionMatch = block.match(/^version\s*=\s*"([^"]+)"/m);
+        if (!nameMatch || !versionMatch)
+            continue;
+        const name = normalizePyName(nameMatch[1]);
+        const version = versionMatch[1];
+        // Check category (poetry 1.x uses "category", poetry 2.x uses groups)
+        const categoryMatch = block.match(/^category\s*=\s*"([^"]+)"/m);
+        const category = categoryMatch?.[1] ?? "main";
+        const isDev = category === "dev";
+        if (!packages.has(name)) {
+            packages.set(name, { name, version, isDev, category });
+        }
+    }
+    return { packages };
+}
+function diffPoetryLocks(base, head, maxPackages) {
+    const changes = [];
+    for (const [name, headEntry] of head.packages) {
+        const baseEntry = base?.packages.get(name);
+        if (!baseEntry) {
+            changes.push({
+                name,
+                oldVersion: null,
+                newVersion: headEntry.version,
+                isDirect: true,
+                isDev: headEntry.isDev,
+            });
+        }
+        else if (baseEntry.version !== headEntry.version) {
+            changes.push({
+                name,
+                oldVersion: baseEntry.version,
+                newVersion: headEntry.version,
+                isDirect: true,
+                isDev: headEntry.isDev,
+            });
+        }
+    }
+    changes.sort((a, b) => a.name.localeCompare(b.name));
+    if (changes.length <= maxPackages) {
+        return { changes, skipped: [] };
+    }
+    return {
+        changes: changes.slice(0, maxPackages),
+        skipped: changes.slice(maxPackages).map((c) => c.name),
+    };
+}
+function normalizePyName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+}

package/dist/src/lockfile/parse_requirements.js

@@ -0,0 +1,83 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseRequirements = parseRequirements;
+exports.diffRequirements = diffRequirements;
+/**
+ * Parse a requirements.txt file into package entries.
+ * Handles: name==version, name>=version, name~=version, name!=version,
+ * extras like name[extra1,extra2]==version, comments (#), -r includes (ignored),
+ * environment markers (;), and line continuations (\).
+ */
+function parseRequirements(content) {
+    const packages = new Map();
+    // Join line continuations
+    const joined = content.replace(/\\\n/g, "");
+    const lines = joined.split("\n");
+    for (const rawLine of lines) {
+        const line = rawLine.trim();
+        // Skip empty lines, comments, options, and -r/-c references
+        if (!line || line.startsWith("#") || line.startsWith("-") || line.startsWith("--")) {
+            continue;
+        }
+        // Strip environment markers (everything after ;)
+        const withoutMarker = line.split(";")[0].trim();
+        if (!withoutMarker)
+            continue;
+        // Parse package name, extras, and version specifier
+        const match = withoutMarker.match(/^([a-zA-Z0-9][-a-zA-Z0-9_.]*(?:\[[^\]]*\])?)(?:\s*(==|>=|<=|~=|!=|>|<|===)\s*([^\s,;]+))?/);
+        if (!match)
+            continue;
+        const nameWithExtras = match[1];
+        const version = match[3] || "";
+        // Extract extras: name[extra1,extra2] -> name, [extra1, extra2]
+        const extrasMatch = nameWithExtras.match(/^([a-zA-Z0-9][-a-zA-Z0-9_.]*)(?:\[([^\]]*)\])?$/);
+        if (!extrasMatch)
+            continue;
+        const name = normalizePyName(extrasMatch[1]);
+        const extras = extrasMatch[2]
+            ? extrasMatch[2].split(",").map((e) => e.trim()).filter(Boolean)
+            : undefined;
+        if (!packages.has(name)) {
+            packages.set(name, { name, version, extras });
+        }
+    }
+    return { packages };
+}
+/**
+ * Diff two requirements.txt files to find added/changed packages.
+ */
+function diffRequirements(base, head, maxPackages) {
+    const changes = [];
+    for (const [name, headEntry] of head.packages) {
+        const baseEntry = base?.packages.get(name);
+        if (!baseEntry) {
+            changes.push({
+                name,
+                oldVersion: null,
+                newVersion: headEntry.version,
+                isDirect: true,
+                isDev: false,
+            });
+        }
+        else if (baseEntry.version !== headEntry.version) {
+            changes.push({
+                name,
+                oldVersion: baseEntry.version,
+                newVersion: headEntry.version,
+                isDirect: true,
+                isDev: false,
+            });
+        }
+    }
+    changes.sort((a, b) => a.name.localeCompare(b.name));
+    if (changes.length <= maxPackages) {
+        return { changes, skipped: [] };
+    }
+    return {
+        changes: changes.slice(0, maxPackages),
+        skipped: changes.slice(maxPackages).map((c) => c.name),
+    };
+}
+function normalizePyName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+}

package/dist/src/lockfile/parse_yarn_lock.js

@@ -0,0 +1,66 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseYarnLock = parseYarnLock;
+/**
+ * Parse a yarn.lock v1 (classic) file.
+ *
+ * Format:
+ *   "package@^1.0.0", "package@~1.2.0":
+ *     version "1.2.3"
+ *     resolved "https://registry.yarnpkg.com/..."
+ *     integrity sha512-...
+ */
+function parseYarnLock(content) {
+    const packages = new Map();
+    const lines = content.split("\n");
+    let currentName = null;
+    let currentEntry = {};
+    for (const line of lines) {
+        // Skip comments and empty lines
+        if (line.startsWith("#") || line.trim() === "") {
+            if (currentName && currentEntry.version) {
+                packages.set(currentName, { version: currentEntry.version, resolved: currentEntry.resolved, integrity: currentEntry.integrity });
+                currentName = null;
+                currentEntry = {};
+            }
+            continue;
+        }
+        // Package header line — not indented, ends with ":"
+        if (!line.startsWith(" ") && !line.startsWith("\t") && line.endsWith(":")) {
+            // Flush previous entry
+            if (currentName && currentEntry.version) {
+                packages.set(currentName, { version: currentEntry.version, resolved: currentEntry.resolved, integrity: currentEntry.integrity });
+            }
+            // Extract package name from first specifier: "name@version" or name@version
+            const raw = line.slice(0, -1); // remove trailing ":"
+            const firstSpec = raw.split(",")[0].trim().replace(/^"/, "").replace(/"$/, "");
+            const atIdx = firstSpec.startsWith("@")
+                ? firstSpec.indexOf("@", 1)
+                : firstSpec.indexOf("@");
+            currentName = atIdx > 0 ? firstSpec.slice(0, atIdx) : null;
+            currentEntry = {};
+            continue;
+        }
+        // Indented property lines
+        const trimmed = line.trim();
+        const versionMatch = trimmed.match(/^version\s+"([^"]+)"/);
+        if (versionMatch) {
+            currentEntry.version = versionMatch[1];
+            continue;
+        }
+        const resolvedMatch = trimmed.match(/^resolved\s+"([^"]+)"/);
+        if (resolvedMatch) {
+            currentEntry.resolved = resolvedMatch[1];
+            continue;
+        }
+        const integrityMatch = trimmed.match(/^integrity\s+(\S+)/);
+        if (integrityMatch) {
+            currentEntry.integrity = integrityMatch[1];
+        }
+    }
+    // Flush last entry
+    if (currentName && currentEntry.version) {
+        packages.set(currentName, { version: currentEntry.version, resolved: currentEntry.resolved, integrity: currentEntry.integrity });
+    }
+    return { lockfileVersion: 1, packages };
+}

package/dist/src/logger.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.logger = void 0;
+exports.setLogger = setLogger;
+const consoleLogger = {
+    info: (msg) => console.log(`[INFO] ${msg}`),
+    warning: (msg) => console.warn(`[WARN] ${msg}`),
+    debug: (msg) => {
+        if (process.env.DEBUG)
+            console.log(`[DEBUG] ${msg}`);
+    },
+};
+let _logger = consoleLogger;
+function setLogger(logger) {
+    _logger = logger;
+}
+exports.logger = new Proxy({}, {
+    get(_, prop) {
+        return _logger[prop] ?? (() => { });
+    },
+});

package/dist/src/npm/h2pool.js

@@ -0,0 +1,161 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.h2pool = void 0;
+/**
+ * HTTP/2 connection pool for npm registry calls.
+ *
+ * Multiplexes all requests to the same origin over a single TCP+TLS connection.
+ * registry.npmjs.org supports 100 concurrent streams per connection (Cloudflare).
+ *
+ * Benchmarked: 152 requests via HTTP/2 = 179ms vs fetch() HTTP/1.1 = 895ms (5x faster).
+ */
+const http2_1 = __importDefault(require("http2"));
+const zlib_1 = require("zlib");
+const MAX_CONCURRENT_STREAMS = 100;
+class H2Pool {
+    constructor() {
+        this.sessions = new Map();
+    }
+    getSession(origin) {
+        let session = this.sessions.get(origin);
+        if (session && !session.closed && !session.destroyed)
+            return session;
+        session = http2_1.default.connect(origin);
+        session.on("error", () => {
+            this.sessions.delete(origin);
+        });
+        session.on("close", () => {
+            this.sessions.delete(origin);
+        });
+        // Note: NOT calling session.unref() — sessions must stay alive for the server process
+        this.sessions.set(origin, session);
+        return session;
+    }
+    request(url, options = {}) {
+        const parsed = new URL(url);
+        const origin = parsed.origin;
+        const session = this.getSession(origin);
+        return new Promise((resolve, reject) => {
+            const reqHeaders = {
+                ":path": parsed.pathname + parsed.search,
+                ":method": options.method || "GET",
+                "accept-encoding": "gzip",
+            };
+            if (options.headers) {
+                for (const [k, v] of Object.entries(options.headers)) {
+                    reqHeaders[k.toLowerCase()] = v;
+                }
+            }
+            let req;
+            try {
+                req = session.request(reqHeaders);
+            }
+            catch (err) {
+                // Session may have died — remove and reject
+                this.sessions.delete(origin);
+                reject(err);
+                return;
+            }
+            if (options.timeout) {
+                req.setTimeout(options.timeout, () => {
+                    req.close(http2_1.default.constants.NGHTTP2_CANCEL);
+                    reject(new Error(`H2 request timed out after ${options.timeout}ms`));
+                });
+            }
+            let status = 0;
+            let responseHeaders = {};
+            const chunks = [];
+            req.on("response", (h) => {
+                status = h[":status"];
+                responseHeaders = h;
+            });
+            req.on("data", (chunk) => chunks.push(chunk));
+            req.on("end", () => {
+                const raw = Buffer.concat(chunks);
+                const encoding = responseHeaders["content-encoding"];
+                let body;
+                try {
+                    body = encoding === "gzip" ? (0, zlib_1.gunzipSync)(raw).toString() : raw.toString();
+                }
+                catch {
+                    // Truncated gzip response from server — treat as empty/failed
+                    resolve({ status: 0, headers: responseHeaders, body: "" });
+                    return;
+                }
+                resolve({ status, headers: responseHeaders, body });
+            });
+            req.on("error", (err) => {
+                reject(err);
+            });
+            if (options.body) {
+                req.write(options.body);
+            }
+            req.end();
+        });
+    }
+    /**
+     * Send many requests in parallel over a single H2 connection.
+     * Automatically respects the server's max concurrent streams limit.
+     */
+    async requestAll(urls, options) {
+        if (urls.length === 0)
+            return [];
+        const results = new Array(urls.length);
+        let nextIdx = 0;
+        let completed = 0;
+        let inFlight = 0;
+        return new Promise((resolve, reject) => {
+            let failed = false;
+            const launch = () => {
+                while (nextIdx < urls.length && inFlight < MAX_CONCURRENT_STREAMS) {
+                    const idx = nextIdx++;
+                    inFlight++;
+                    this.request(urls[idx], options || {})
+                        .then((res) => {
+                        results[idx] = res;
+                    })
+                        .catch((err) => {
+                        // Store error as a failed response instead of rejecting everything
+                        results[idx] = { status: 0, headers: {}, body: "" };
+                    })
+                        .finally(() => {
+                        inFlight--;
+                        completed++;
+                        if (completed === urls.length) {
+                            resolve(results);
+                        }
+                        else {
+                            launch();
+                        }
+                    });
+                }
+            };
+            launch();
+        });
+    }
+    /** Close and remove the session for a specific origin, forcing a fresh connection next time. */
+    resetOrigin(origin) {
+        const session = this.sessions.get(origin);
+        if (session) {
+            try {
+                session.close();
+            }
+            catch { /* already closed */ }
+            this.sessions.delete(origin);
+        }
+    }
+    close() {
+        for (const session of this.sessions.values()) {
+            try {
+                session.close();
+            }
+            catch { /* already closed */ }
+        }
+        this.sessions.clear();
+    }
+}
+/** Shared global pool instance — reused across the process lifetime. */
+exports.h2pool = new H2Pool();