@westbayberry/dg 1.0.53 → 1.0.56

package/dist/packages/cli/src/lockfile.js

@@ -0,0 +1,303 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverChanges = discoverChanges;
+exports.parsePythonDepFile = parsePythonDepFile;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const MAX_LOCKFILE_BYTES = 50 * 1024 * 1024; // 50 MB
+const SELF_PACKAGE = "@westbayberry/dg"; // skip scanning ourselves
+function readFileSafe(path) {
+    const size = (0, node_fs_1.statSync)(path).size;
+    if (size > MAX_LOCKFILE_BYTES) {
+        throw new Error(`Lockfile too large (${(size / 1024 / 1024).toFixed(0)} MB, max 50 MB): ${path}`);
+    }
+    return (0, node_fs_1.readFileSync)(path, "utf-8");
+}
+// Shared with the GitHub App & root scanner — parsers live at dependency-guardian/src/lockfile/
+// esbuild bundles these at build time; runtime artifact is self-contained.
+const parse_package_lock_1 = require("../../../src/lockfile/parse_package_lock");
+const parse_yarn_lock_1 = require("../../../src/lockfile/parse_yarn_lock");
+const parse_pnpm_lock_1 = require("../../../src/lockfile/parse_pnpm_lock");
+const diff_1 = require("../../../src/lockfile/diff");
+const parse_package_json_1 = require("../../../src/lockfile/parse_package_json");
+/**
+ * Discover changed (or all) packages by reading the local lockfile
+ * and comparing against a base.
+ */
+function discoverChanges(cwd, config) {
+    if (config.workspace) {
+        cwd = (0, node_path_1.join)(cwd, config.workspace);
+    }
+    const lockfileInfo = findLockfile(cwd);
+    // Discover Python packages from requirements.txt / Pipfile.lock / poetry.lock
+    const pythonDepFiles = ["requirements.txt", "Pipfile.lock", "poetry.lock"];
+    let pythonPackages = [];
+    for (const pyFile of pythonDepFiles) {
+        if ((0, node_fs_1.existsSync)((0, node_path_1.join)(cwd, pyFile))) {
+            const pyPkgs = parsePythonDepFile(cwd, pyFile);
+            for (const p of pyPkgs) {
+                if (p.version === "latest")
+                    continue; // skip unpinned
+                pythonPackages.push({ name: p.name, version: p.version, previousVersion: null, isNew: true });
+            }
+            break; // use first found
+        }
+    }
+    if (!lockfileInfo) {
+        // No npm lockfile — return Python packages only if found
+        if (pythonPackages.length > 0) {
+            const skipped = [];
+            if (pythonPackages.length > config.maxPackages) {
+                skipped.push(...pythonPackages.slice(config.maxPackages).map((p) => `${p.name}@${p.version}`));
+                pythonPackages = pythonPackages.slice(0, config.maxPackages);
+            }
+            return { packages: [], pythonPackages, method: "scan-all", skipped };
+        }
+        throw new Error("No lockfile found (package-lock.json, yarn.lock, pnpm-lock.yaml, requirements.txt, Pipfile.lock, or poetry.lock). Run from your project root or use --base-lockfile.");
+    }
+    const headContent = readFileSafe(lockfileInfo.path);
+    const headParsed = parseLockfileByType(headContent, lockfileInfo.type);
+    const directDeps = getDirectDeps(cwd);
+    // 1. --base-lockfile: explicit diff (wins over scanAll default)
+    if (config.baseLockfile) {
+        if (!(0, node_fs_1.existsSync)(config.baseLockfile)) {
+            throw new Error(`Base lockfile not found: ${config.baseLockfile}`);
+        }
+        const baseContent = readFileSafe(config.baseLockfile);
+        const baseParsed = (0, parse_package_lock_1.parseLockfile)(baseContent);
+        const diff = (0, diff_1.diffLockfiles)(baseParsed, headParsed, config.maxPackages, directDeps);
+        return {
+            packages: diff.changes.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
+            pythonPackages,
+            method: "base-lockfile",
+            skipped: diff.skipped,
+        };
+    }
+    // 2. --changed-only: diff against git history
+    if (!config.scanAll) {
+        const baseContent = getGitBaseLockfile(cwd);
+        if (baseContent !== null) {
+            const baseParsed = (0, parse_package_lock_1.parseLockfile)(baseContent);
+            const diff = (0, diff_1.diffLockfiles)(baseParsed, headParsed, config.maxPackages, directDeps);
+            return {
+                packages: diff.changes.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
+                pythonPackages,
+                method: "git-diff",
+                skipped: diff.skipped,
+            };
+        }
+        const pkgJsonPath = (0, node_path_1.join)(cwd, "package.json");
+        if ((0, node_fs_1.existsSync)(pkgJsonPath)) {
+            const headPkgJson = readFileSafe(pkgJsonPath);
+            const basePkgJson = getGitBaseFile(cwd, "package.json");
+            if (basePkgJson !== null) {
+                const diff = (0, parse_package_json_1.diffPackageJsons)(basePkgJson, headPkgJson, config.maxPackages);
+                const resolved = diff.changes.map((change) => {
+                    const lockEntry = headParsed.packages.get(change.name);
+                    return {
+                        ...change,
+                        newVersion: lockEntry?.version ?? change.newVersion,
+                    };
+                });
+                return {
+                    packages: resolved.map(toPackageInput).filter((p) => p.name !== SELF_PACKAGE),
+                    pythonPackages,
+                    method: "fallback",
+                    skipped: [],
+                };
+            }
+        }
+    }
+    // 3. Default: scan everything in the lockfile
+    const packages = [];
+    for (const [name, entry] of headParsed.packages) {
+        if (packages.length >= config.maxPackages)
+            break;
+        if (entry.optional && entry.hasPlatformRestriction)
+            continue;
+        if (name === SELF_PACKAGE)
+            continue;
+        packages.push({
+            name,
+            version: entry.version,
+            previousVersion: null,
+            isNew: true,
+        });
+    }
+    return { packages, pythonPackages, method: "scan-all", skipped: [] };
+}
+function findLockfile(cwd) {
+    const candidates = [
+        ["package-lock.json", "npm"],
+        ["npm-shrinkwrap.json", "npm"],
+        ["yarn.lock", "yarn"],
+        ["pnpm-lock.yaml", "pnpm"],
+    ];
+    for (const [name, type] of candidates) {
+        const p = (0, node_path_1.join)(cwd, name);
+        if ((0, node_fs_1.existsSync)(p))
+            return { path: p, type };
+    }
+    return null;
+}
+function parseLockfileByType(content, type) {
+    switch (type) {
+        case "npm": return (0, parse_package_lock_1.parseLockfile)(content);
+        case "yarn": return (0, parse_yarn_lock_1.parseYarnLock)(content);
+        case "pnpm": return (0, parse_pnpm_lock_1.parsePnpmLock)(content);
+    }
+}
+function getDirectDeps(cwd) {
+    try {
+        const content = readFileSafe((0, node_path_1.join)(cwd, "package.json"));
+        const pkg = JSON.parse(content);
+        return new Set([
+            ...Object.keys(pkg.dependencies ?? {}),
+            ...Object.keys(pkg.devDependencies ?? {}),
+        ]);
+    }
+    catch {
+        return new Set();
+    }
+}
+// Resolve the default branch with a three-step fallback:
+// 1. Ask git what origin's HEAD points at (works for main, master, develop, etc.)
+// 2. Try master explicitly — some repos don't have origin/HEAD set
+// 3. Last resort: main
+function getDefaultBranch(cwd) {
+    try {
+        const ref = (0, node_child_process_1.execFileSync)("git", ["symbolic-ref", "refs/remotes/origin/HEAD"], {
+            cwd,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        }).trim();
+        const branch = ref.replace(/^refs\/remotes\/origin\//, "");
+        if (branch)
+            return branch;
+    }
+    catch { /* fall through */ }
+    try {
+        (0, node_child_process_1.execFileSync)("git", ["rev-parse", "--verify", "refs/remotes/origin/master"], {
+            cwd,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+        return "master";
+    }
+    catch { /* fall through */ }
+    return "main";
+}
+function getGitBaseLockfile(cwd) {
+    try {
+        const defaultBranch = getDefaultBranch(cwd);
+        const mergeBase = (0, node_child_process_1.execFileSync)("git", ["merge-base", "HEAD", defaultBranch], {
+            cwd,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        }).trim();
+        if (!mergeBase)
+            return null;
+        for (const name of ["package-lock.json", "yarn.lock", "pnpm-lock.yaml"]) {
+            try {
+                return (0, node_child_process_1.execFileSync)("git", ["show", `${mergeBase}:${name}`], {
+                    cwd,
+                    encoding: "utf-8",
+                    stdio: ["pipe", "pipe", "pipe"],
+                });
+            }
+            catch {
+                continue;
+            }
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+function getGitBaseFile(cwd, filename) {
+    try {
+        const defaultBranch = getDefaultBranch(cwd);
+        const mergeBase = (0, node_child_process_1.execFileSync)("git", ["merge-base", "HEAD", defaultBranch], {
+            cwd,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        }).trim();
+        if (!mergeBase)
+            return null;
+        return (0, node_child_process_1.execFileSync)("git", ["show", `${mergeBase}:${filename}`], {
+            cwd,
+            encoding: "utf-8",
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+    }
+    catch {
+        return null;
+    }
+}
+function toPackageInput(change) {
+    return {
+        name: change.name,
+        version: change.newVersion,
+        previousVersion: change.oldVersion,
+        isNew: change.oldVersion === null,
+    };
+}
+function parsePythonDepFile(projectDir, depFile) {
+    const content = readFileSafe((0, node_path_1.join)(projectDir, depFile));
+    if (depFile === "Pipfile.lock") {
+        try {
+            const parsed = JSON.parse(content);
+            const packages = [];
+            for (const section of ["default", "develop"]) {
+                const deps = parsed[section];
+                if (!deps)
+                    continue;
+                for (const [name, info] of Object.entries(deps)) {
+                    const entry = info;
+                    const version = entry?.version?.replace(/^==/, "") ?? "0.0.0";
+                    packages.push({ name, version });
+                }
+            }
+            return packages;
+        }
+        catch {
+            return [];
+        }
+    }
+    if (depFile === "poetry.lock") {
+        const packages = [];
+        const blocks = content.split(/^\[\[package\]\]/gm);
+        for (const block of blocks) {
+            const nameMatch = block.match(/^name\s*=\s*"([^"]+)"/m);
+            const versionMatch = block.match(/^version\s*=\s*"([^"]+)"/m);
+            if (nameMatch && versionMatch) {
+                packages.push({ name: nameMatch[1], version: versionMatch[1] });
+            }
+        }
+        return packages;
+    }
+    // requirements.txt
+    const packages = [];
+    for (const raw of content.split("\n")) {
+        const line = raw.trim();
+        if (!line || line.startsWith("#") || line.startsWith("-"))
+            continue;
+        // Strip environment markers (e.g. ; python_version >= "3.6")
+        const withoutMarker = line.split(";")[0].trim();
+        // Strip extras (e.g. package[extra1,extra2])
+        const withoutExtras = withoutMarker.replace(/\[.*?\]/, "");
+        const eqMatch = withoutExtras.match(/^([a-zA-Z0-9_.-]+)\s*==\s*([^\s,]+)/);
+        if (eqMatch) {
+            packages.push({ name: eqMatch[1], version: eqMatch[2] });
+        }
+        else {
+            const nameMatch = withoutExtras.match(/^([a-zA-Z0-9_.-]+)/);
+            if (nameMatch) {
+                packages.push({ name: nameMatch[1], version: "latest" });
+            }
+        }
+    }
+    return packages;
+}

package/dist/packages/cli/src/npm-wrapper.js

@@ -0,0 +1,218 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseNpmArgs = parseNpmArgs;
+exports.parsePackageSpec = parsePackageSpec;
+exports.resolveVersion = resolveVersion;
+exports.resolvePackages = resolvePackages;
+exports.runNpm = runNpm;
+exports.readBareInstallPackages = readBareInstallPackages;
+exports.handleWrapCommand = handleWrapCommand;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+/** npm commands that install packages and should trigger a scan */
+const INSTALL_COMMANDS = new Set(["install", "i", "add", "update", "up"]);
+/**
+ * Parse the argv after `dg npm ...` to extract the npm command and package specifiers.
+ */
+function parseNpmArgs(args) {
+    let dgForce = false;
+    const filtered = [];
+    // Extract dg-specific flags before passing to npm
+    for (const arg of args) {
+        if (arg === "--dg-force") {
+            dgForce = true;
+        }
+        else {
+            filtered.push(arg);
+        }
+    }
+    const command = filtered[0] ?? "";
+    const shouldScan = INSTALL_COMMANDS.has(command);
+    // Extract package specifiers: anything that's not a flag and not the command itself
+    const packages = [];
+    if (shouldScan) {
+        for (let i = 1; i < filtered.length; i++) {
+            const arg = filtered[i];
+            // Skip flags and their values
+            if (arg.startsWith("-")) {
+                // Flags that take a value: skip next arg too
+                if (flagTakesValue(arg)) {
+                    i++;
+                }
+                continue;
+            }
+            packages.push(arg);
+        }
+    }
+    return {
+        command,
+        packages,
+        rawArgs: filtered,
+        dgForce,
+        shouldScan,
+    };
+}
+/** npm flags that consume the next argument as a value */
+function flagTakesValue(flag) {
+    const valueFlagPrefixes = [
+        "--save-prefix",
+        "--tag",
+        "--registry",
+        "--cache",
+        "--prefix",
+        "--fund",
+        "--omit",
+        "--install-strategy",
+        "--workspace",
+    ];
+    // Short flags that take values
+    if (flag === "-w")
+        return true;
+    for (const prefix of valueFlagPrefixes) {
+        if (flag === prefix)
+            return true;
+    }
+    // --flag=value style doesn't consume next arg
+    return false;
+}
+/**
+ * Parse a package specifier like "express", "@scope/pkg@^2.0.0", "pkg@latest"
+ * into { name, versionSpec }.
+ */
+function parsePackageSpec(spec) {
+    // Scoped: @scope/pkg@version
+    if (spec.startsWith("@")) {
+        const slashIdx = spec.indexOf("/");
+        if (slashIdx === -1) {
+            return { name: spec, versionSpec: null };
+        }
+        const afterSlash = spec.slice(slashIdx + 1);
+        const atIdx = afterSlash.indexOf("@");
+        if (atIdx === -1) {
+            return { name: spec, versionSpec: null };
+        }
+        return {
+            name: spec.slice(0, slashIdx + 1 + atIdx),
+            versionSpec: afterSlash.slice(atIdx + 1),
+        };
+    }
+    // Unscoped: pkg@version
+    const atIdx = spec.indexOf("@");
+    if (atIdx === -1 || atIdx === 0) {
+        return { name: spec, versionSpec: null };
+    }
+    return {
+        name: spec.slice(0, atIdx),
+        versionSpec: spec.slice(atIdx + 1),
+    };
+}
+/**
+ * Resolve what version npm would install for a given package specifier.
+ * Uses `npm view <spec> version` to get the resolved version.
+ */
+async function resolveVersion(spec) {
+    return new Promise((resolve) => {
+        const child = (0, node_child_process_1.spawn)("npm", ["view", spec, "version"], {
+            stdio: ["pipe", "pipe", "pipe"],
+        });
+        let stdout = "";
+        child.stdout.on("data", (chunk) => { stdout += chunk.toString(); });
+        const timer = setTimeout(() => { child.kill(); resolve(null); }, 15000);
+        child.on("close", (code) => {
+            clearTimeout(timer);
+            if (code !== 0) {
+                resolve(null);
+                return;
+            }
+            const version = stdout.trim();
+            resolve(version || null);
+        });
+        child.on("error", () => { clearTimeout(timer); resolve(null); });
+    });
+}
+/**
+ * Build PackageInput[] from package specifiers by resolving versions in parallel.
+ */
+async function resolvePackages(specs) {
+    const results = await Promise.allSettled(specs.map(async (spec) => {
+        const { name, versionSpec } = parsePackageSpec(spec);
+        const querySpec = versionSpec ? `${name}@${versionSpec}` : name;
+        const version = await resolveVersion(querySpec);
+        return { spec, name, version };
+    }));
+    const resolved = [];
+    const failed = [];
+    for (const result of results) {
+        if (result.status === "rejected") {
+            failed.push("unknown");
+            continue;
+        }
+        const { spec, name, version } = result.value;
+        if (version) {
+            resolved.push({
+                name,
+                version,
+                previousVersion: null,
+                isNew: true,
+            });
+        }
+        else {
+            failed.push(spec);
+        }
+    }
+    return { resolved, failed };
+}
+/**
+ * Run the actual npm command, inheriting stdio.
+ * Returns the npm exit code.
+ */
+function runNpm(args) {
+    return new Promise((resolve) => {
+        const child = (0, node_child_process_1.spawn)("npm", args, {
+            stdio: "inherit",
+            shell: false,
+        });
+        child.on("close", (code) => resolve(code ?? 1));
+        child.on("error", () => resolve(1));
+    });
+}
+/**
+ * Read package.json dependencies for bare `npm install` scanning.
+ */
+function readBareInstallPackages(cwd) {
+    const pkgPath = (0, node_path_1.join)(cwd, "package.json");
+    if (!(0, node_fs_1.existsSync)(pkgPath))
+        return [];
+    try {
+        const pkg = JSON.parse((0, node_fs_1.readFileSync)(pkgPath, "utf-8"));
+        const specs = [];
+        for (const [name, range] of Object.entries(pkg.dependencies ?? {})) {
+            if (typeof range === "string")
+                specs.push(`${name}@${range}`);
+        }
+        for (const [name, range] of Object.entries(pkg.devDependencies ?? {})) {
+            if (typeof range === "string")
+                specs.push(`${name}@${range}`);
+        }
+        return specs;
+    }
+    catch {
+        return [];
+    }
+}
+const WRAP_USAGE = `
+  Set up dg as your npm wrapper:
+
+  Option 1 — Shell alias (recommended):
+    Add to your ~/.zshrc or ~/.bashrc:
+      alias npm='dg npm'
+
+  Option 2 — Per-project .npmrc:
+    Not yet supported.
+
+  Once set up, every \`npm install\` will be scanned automatically.
+`.trimStart();
+function handleWrapCommand() {
+    process.stdout.write(WRAP_USAGE);
+}