@westbayberry/dg 2.0.7 → 2.0.10

package/dist/verify/preflight.js

@@ -1,14 +1,16 @@
 import { existsSync, readFileSync } from "node:fs";
-import { basename, relative, resolve, sep } from "node:path";
+import { basename, dirname, isAbsolute, relative, resolve, sep } from "node:path";
 import { loadUserConfig } from "../config/settings.js";
 import { evaluatePackagePolicy, resolveEffectivePolicy } from "../policy/evaluate.js";
 const LOCKFILE_NAMES = new Set([
     "Cargo.lock",
     "Pipfile.lock",
+    "npm-shrinkwrap.json",
     "package-lock.json",
     "pnpm-lock.yaml",
     "poetry.lock",
     "requirements.txt",
+    "uv.lock",
     "yarn.lock"
 ]);
 const REMOTE_SPEC_PREFIXES = [
@@ -22,6 +24,10 @@ const REMOTE_SPEC_PREFIXES = [
 export function isSupportedLockfilePath(target) {
     return LOCKFILE_NAMES.has(basename(target));
 }
+export function isRemotePackageSpec(spec) {
+    const lowered = spec.trim().toLowerCase();
+    return REMOTE_SPEC_PREFIXES.some((prefix) => lowered.startsWith(prefix)) || lowered.startsWith("file:");
+}
 export function verifyPackageSpec(spec, options = {}) {
     const parsed = parsePackageSpec(spec);
     const observations = parsed
@@ -68,7 +74,7 @@ export function verifyLockfile(targetPath, options = {}) {
             errors: [`could not read lockfile: ${error instanceof Error ? error.message : "unknown read error"}`]
         });
     }
-    const observations = parseLockfile(basename(absoluteTarget), text);
+    const observations = parseLockfile(text, createParseContext(basename(absoluteTarget), absoluteTarget));
     return preflightReport({
         target: displayTarget,
         inputKind: "lockfile",
@@ -77,6 +83,50 @@ export function verifyLockfile(targetPath, options = {}) {
         options
     });
 }
+export function parseLockfilePackages(targetPath) {
+    const absoluteTarget = resolve(targetPath);
+    const fileName = basename(absoluteTarget);
+    let text;
+    try {
+        text = readFileSync(absoluteTarget, "utf8");
+    }
+    catch (error) {
+        return {
+            packages: [],
+            skipped: [],
+            parseError: {
+                file: fileName,
+                reason: error instanceof Error ? error.message : "could not read lockfile"
+            }
+        };
+    }
+    const context = createParseContext(fileName, absoluteTarget);
+    const observations = parseLockfile(text, context);
+    return {
+        packages: observations
+            .filter((observation) => observation.verdict !== "block" && observation.identity.sourceKind === "lockfile")
+            .map((observation) => observation.identity),
+        skipped: context.skipped,
+        parseError: context.errors[0] ?? null
+    };
+}
+function createParseContext(fileName, filePath) {
+    return {
+        fileName,
+        filePath,
+        skipped: [],
+        errors: []
+    };
+}
+function recordSkip(context, name, reason, location) {
+    context.skipped.push({ name, reason, location });
+}
+function recordParseError(context, file, error) {
+    context.errors.push({
+        file,
+        reason: error instanceof Error ? error.message : String(error)
+    });
+}
 function preflightReport(input) {
     const policy = resolveEffectivePolicy({
         userConfig: loadUserConfig()
@@ -128,99 +178,38 @@ function parsePackageSpec(spec) {
     if (trimmed.length === 0 || /[\u0000-\u001f\u007f]/u.test(trimmed)) {
         return null;
     }
-    const lowered = trimmed.toLowerCase();
-    if (REMOTE_SPEC_PREFIXES.some((prefix) => lowered.startsWith(prefix)) || lowered.startsWith("file:")) {
-        return packageObservation({
-            ecosystem: "unknown",
-            name: trimmed,
-            version: null,
-            requested: spec,
-            sourceKind: "package-spec",
-            resolvedUrl: trimmed,
-            integrity: null,
-            license: null
-        }, "block", {
-            id: "unverified-network-spec",
-            title: "Unverified network package spec",
-            message: "direct URL, git, and file package specs require artifact verification before install",
-            location: spec
-        });
-    }
-    if (lowered.startsWith("npm:")) {
-        return parseNpmSpec(trimmed.slice(4), spec);
-    }
-    if (lowered.startsWith("pypi:")) {
-        return parsePypiSpec(trimmed.slice(5), spec);
-    }
-    if (lowered.startsWith("cargo:")) {
-        return parseCargoSpec(trimmed.slice(6), spec);
-    }
-    if (trimmed.includes("==")) {
-        return parsePypiSpec(trimmed, spec);
-    }
-    return parseNpmSpec(trimmed, spec);
-}
-function parseNpmSpec(value, requested) {
-    const parsed = splitNameVersion(value);
-    if (!parsed || !isValidPackageName(parsed.name)) {
-        return null;
-    }
-    return packageObservation({
-        ecosystem: "npm",
-        name: parsed.name,
-        version: parsed.version,
-        requested,
-        sourceKind: "package-spec",
-        resolvedUrl: null,
-        integrity: null,
-        license: null
-    }, exactVersionVerdict(parsed.version), exactVersionFinding(parsed.name, parsed.version, requested));
-}
-function parsePypiSpec(value, requested) {
-    const match = /^([A-Za-z0-9_.-]+)(?:==([^<>=!~\s]+))?$/.exec(value.trim());
-    if (!match?.[1]) {
-        return null;
-    }
-    const version = match[2] ?? null;
-    return packageObservation({
-        ecosystem: "pypi",
-        name: match[1],
-        version,
-        requested,
-        sourceKind: "package-spec",
-        resolvedUrl: null,
-        integrity: null,
-        license: null
-    }, exactVersionVerdict(version), exactVersionFinding(match[1], version, requested));
-}
-function parseCargoSpec(value, requested) {
-    const parsed = splitNameVersion(value);
-    if (!parsed || !/^[A-Za-z0-9_-]+$/.test(parsed.name)) {
+    if (!isRemotePackageSpec(trimmed)) {
         return null;
     }
     return packageObservation({
-        ecosystem: "cargo",
-        name: parsed.name,
-        version: parsed.version,
-        requested,
+        ecosystem: "unknown",
+        name: trimmed,
+        version: null,
+        requested: spec,
         sourceKind: "package-spec",
-        resolvedUrl: null,
+        resolvedUrl: trimmed,
         integrity: null,
         license: null
-    }, exactVersionVerdict(parsed.version), exactVersionFinding(parsed.name, parsed.version, requested));
+    }, "block", {
+        id: "unverified-network-spec",
+        title: "Unverified network package spec",
+        message: "direct URL, git, and file package specs require artifact verification before install",
+        location: spec
+    });
 }
-function parseLockfile(name, text) {
-    if (name === "package-lock.json") {
-        return parsePackageLock(text);
+function parseLockfile(text, context) {
+    const name = context.fileName;
+    if (name === "package-lock.json" || name === "npm-shrinkwrap.json") {
+        return parsePackageLock(text, context);
     }
     if (name === "yarn.lock") {
-        return parseYarnLock(text);
+        return parseYarnLock(text, context);
     }
     if (name === "pnpm-lock.yaml") {
-        return parsePnpmLock(text);
+        return parsePnpmLock(text, context);
     }
     if (name === "requirements.txt") {
-        return parseRequirements(text);
+        return parseRequirements(text, context);
     }
     if (name === "Cargo.lock") {
         return parseCargoLock(text);
@@ -228,42 +217,111 @@ function parseLockfile(name, text) {
     if (name === "poetry.lock") {
         return parsePoetryLock(text);
     }
+    if (name === "uv.lock") {
+        return parseUvLock(text, context);
+    }
     if (name === "Pipfile.lock") {
-        return parsePipfileLock(text);
+        return parsePipfileLock(text, context);
     }
     return [];
 }
-function parsePackageLock(text) {
+function specSourceKind(spec) {
+    const lower = spec.trim().toLowerCase();
+    if (lower.startsWith("workspace:")) {
+        return "workspace";
+    }
+    if (lower.startsWith("portal:") || lower.startsWith("link:") || lower.startsWith("file:")) {
+        return "local";
+    }
+    if (lower.startsWith("git+") || lower.startsWith("git://") || lower.startsWith("github:") || lower.startsWith("ssh://")) {
+        return "git";
+    }
+    if (lower.startsWith("http://") || lower.startsWith("https://")) {
+        return lower.includes(".git") ? "git" : "direct-url";
+    }
+    return null;
+}
+const NPM_LOCK_DEPENDENCY_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
+function npmLockSpecKinds(packages) {
+    const kinds = new Map();
+    for (const rawPackage of Object.values(packages)) {
+        if (!isRecord(rawPackage)) {
+            continue;
+        }
+        for (const section of NPM_LOCK_DEPENDENCY_SECTIONS) {
+            const dependencies = isRecord(rawPackage[section]) ? rawPackage[section] : {};
+            for (const [name, spec] of Object.entries(dependencies)) {
+                if (typeof spec !== "string") {
+                    continue;
+                }
+                const kind = specSourceKind(spec);
+                if (kind) {
+                    kinds.set(name, kind);
+                }
+            }
+        }
+    }
+    return kinds;
+}
+function parsePackageLock(text, context) {
     let parsed;
     try {
         parsed = JSON.parse(text);
     }
     catch (error) {
-        return [malformedLockfileObservation("package-lock.json", error)];
+        recordParseError(context, context.fileName, error);
+        return [malformedLockfileObservation(context.fileName, error)];
     }
     if (!isRecord(parsed)) {
-        return [malformedLockfileObservation("package-lock.json", new Error("root must be an object"))];
+        const error = new Error("root must be an object");
+        recordParseError(context, context.fileName, error);
+        return [malformedLockfileObservation(context.fileName, error)];
     }
     const observations = [];
     if (isRecord(parsed.packages)) {
-        for (const [path, rawPackage] of Object.entries(parsed.packages)) {
-            if (path.length === 0 || !isRecord(rawPackage) || rawPackage.link === true) {
+        const packagesMap = parsed.packages;
+        const specKinds = npmLockSpecKinds(packagesMap);
+        for (const [path, rawPackage] of Object.entries(packagesMap)) {
+            if (path.length === 0 || !isRecord(rawPackage)) {
                 continue;
             }
             const declaredName = typeof rawPackage.name === "string" ? rawPackage.name : packageNameFromNodeModulesPath(path);
+            const resolved = stringOrNull(rawPackage.resolved);
+            if (rawPackage.link === true) {
+                if (!(resolved && isRecord(packagesMap[resolved]))) {
+                    recordSkip(context, declaredName ?? packageNameFromWorkspacePath(path), "local", path);
+                }
+                continue;
+            }
+            if (!path.includes("node_modules")) {
+                recordSkip(context, declaredName ?? packageNameFromWorkspacePath(path), "workspace", path);
+                continue;
+            }
             const alias = npmAliasVersion(stringOrNull(rawPackage.version));
             const name = alias?.name ?? declaredName;
             const version = alias?.version ?? (typeof rawPackage.version === "string" ? rawPackage.version : null);
             if (!name) {
                 continue;
             }
+            const resolvedIsGit = resolved !== null && isUnsafeResolvedUrl(resolved);
+            const skipReason = resolvedIsGit
+                ? "git"
+                : resolved?.toLowerCase().startsWith("file:")
+                    ? "local"
+                    : specKinds.get(name) ?? null;
+            if (skipReason) {
+                recordSkip(context, name, skipReason, path);
+                if (!resolvedIsGit) {
+                    continue;
+                }
+            }
             observations.push(lockfileObservation({
                 ecosystem: "npm",
                 name,
                 version,
                 requested: path,
                 sourceKind: "lockfile",
-                resolvedUrl: stringOrNull(rawPackage.resolved),
+                resolvedUrl: resolved,
                 integrity: stringOrNull(rawPackage.integrity),
                 license: stringOrNull(rawPackage.license)
             }));
@@ -271,20 +329,28 @@ function parsePackageLock(text) {
         return observations;
     }
     if (isRecord(parsed.dependencies)) {
-        walkLegacyDependencies(parsed.dependencies, observations, new Set());
+        walkLegacyDependencies(parsed.dependencies, observations, new Set(), context);
     }
     return observations;
 }
-function walkLegacyDependencies(dependencies, observations, seen) {
+function walkLegacyDependencies(dependencies, observations, seen, context) {
     for (const [name, rawPackage] of Object.entries(dependencies)) {
         if (!isRecord(rawPackage) || rawPackage.bundled === true) {
             continue;
         }
-        const alias = npmAliasVersion(stringOrNull(rawPackage.version));
+        const rawVersion = stringOrNull(rawPackage.version);
+        const resolved = stringOrNull(rawPackage.resolved);
+        const resolvedIsGit = resolved !== null && isUnsafeResolvedUrl(resolved);
+        const versionKind = rawVersion && !rawVersion.startsWith("npm:") ? specSourceKind(rawVersion) : null;
+        const skipReason = resolvedIsGit ? "git" : versionKind;
+        const alias = npmAliasVersion(rawVersion);
         const resolvedName = alias?.name ?? name;
-        const version = alias?.version ?? stringOrNull(rawPackage.version);
+        const version = alias?.version ?? rawVersion;
         const key = `${resolvedName}@${version ?? ""}`;
-        if (!seen.has(key)) {
+        if (skipReason) {
+            recordSkip(context, resolvedName, skipReason, name);
+        }
+        if (!seen.has(key) && (!skipReason || resolvedIsGit)) {
             seen.add(key);
             observations.push(lockfileObservation({
                 ecosystem: "npm",
@@ -292,13 +358,13 @@ function walkLegacyDependencies(dependencies, observations, seen) {
                 version,
                 requested: name,
                 sourceKind: "lockfile",
-                resolvedUrl: stringOrNull(rawPackage.resolved),
+                resolvedUrl: resolved,
                 integrity: stringOrNull(rawPackage.integrity),
                 license: stringOrNull(rawPackage.license)
             }));
         }
         if (isRecord(rawPackage.dependencies)) {
-            walkLegacyDependencies(rawPackage.dependencies, observations, seen);
+            walkLegacyDependencies(rawPackage.dependencies, observations, seen, context);
         }
     }
 }
@@ -313,7 +379,7 @@ function npmAliasVersion(version) {
     }
     return { name: spec.slice(0, at), version: spec.slice(at + 1) || null };
 }
-function parseYarnLock(text) {
+function parseYarnLock(text, context) {
     const observations = [];
     const blocks = text.split(/\n(?=(?:"?@?[^"\s].*"?):\n)/u);
     for (const block of blocks) {
@@ -327,6 +393,14 @@ function parseYarnLock(text) {
         }
         const requested = header.split(",")[0]?.trim().replace(/^"|"$/gu, "") ?? header;
         const name = packageNameFromYarnDescriptor(requested);
+        const resolved = quotedValue(lines, "resolved");
+        const skipReason = specSourceKind(yarnDescriptorSpec(requested));
+        if (skipReason) {
+            recordSkip(context, name ?? requested, skipReason, requested);
+            if (!(resolved && isUnsafeResolvedUrl(resolved))) {
+                continue;
+            }
+        }
         const version = quotedValue(lines, "version");
         if (!name || !version) {
             continue;
@@ -337,14 +411,14 @@ function parseYarnLock(text) {
             version,
             requested,
             sourceKind: "lockfile",
-            resolvedUrl: quotedValue(lines, "resolved"),
+            resolvedUrl: resolved,
             integrity: quotedValue(lines, "integrity") ?? quotedValue(lines, "checksum"),
             license: null
         }));
     }
     return observations;
 }
-function parsePnpmLock(text) {
+function parsePnpmLock(text, context) {
     const observations = [];
     const lines = text.split(/\r?\n/u);
     let inPackages = false;
@@ -373,7 +447,15 @@ function parsePnpmLock(text) {
         const keyMatch = /^\s{2}(\S.*?):\s*$/u.exec(line);
         if (keyMatch?.[1]) {
             flush();
-            current = parsePnpmPackageKey(keyMatch[1]);
+            const key = stripQuotes(keyMatch[1].trim());
+            const skipReason = pnpmKeySkipReason(key);
+            if (skipReason) {
+                recordSkip(context, pnpmKeyName(key), skipReason, key);
+                current = null;
+            }
+            else {
+                current = parsePnpmPackageKey(key);
+            }
             continue;
         }
         if (!current) {
@@ -397,29 +479,45 @@ function parsePnpmLock(text) {
     flush();
     return observations;
 }
-function parsePnpmPackageKey(rawKey) {
-    const key = stripQuotes(rawKey.trim());
-    if (/(?:file|link|workspace|git\+|git:|https?):/u.test(key)) {
+const PNPM_NON_REGISTRY_MARKER = /(?:file|link|workspace|git\+|git:|ssh|https?):/u;
+function pnpmKeySkipReason(key) {
+    if (!PNPM_NON_REGISTRY_MARKER.test(key)) {
         return null;
     }
+    if (key.includes("workspace:")) {
+        return "workspace";
+    }
+    if (/git\+|git:/u.test(key)) {
+        return "git";
+    }
+    if (/file:|link:/u.test(key)) {
+        return "local";
+    }
+    return "direct-url";
+}
+function pnpmKeyName(key) {
+    const named = /^\/?((?:@[^/\s]+\/)?[^@\s/]+)@/u.exec(key);
+    return named?.[1] ?? key;
+}
+function parsePnpmPackageKey(key) {
     const hadSlash = key.startsWith("/");
     const body = hadSlash ? key.slice(1) : key;
+    const parenStart = body.indexOf("(");
+    const core = parenStart === -1 ? body : body.slice(0, parenStart);
     let name = null;
     let version = null;
-    if (hadSlash) {
-        // lockfileVersion 5.x keys are /<name>/<version>[_peer]; the version
-        // follows the final slash and the name may itself be scoped (two slashes).
-        const lastSlash = body.lastIndexOf("/");
+    // lockfileVersion 5.x keys are /<name>/<version>[_peer]; 6.0 keys are
+    // /<name>@<version>[(peer)]; 9.0 keys drop the leading slash.
+    const atForm = /^((?:@[^/\s]+\/)?[^/@\s]+)@([^/\s]+)$/u.exec(core);
+    if (atForm?.[1] && atForm[2]) {
+        name = atForm[1];
+        version = stripPnpmPeerSuffix(atForm[2]);
+    }
+    else if (hadSlash) {
+        const lastSlash = core.lastIndexOf("/");
         if (lastSlash > 0) {
-            name = body.slice(0, lastSlash);
-            version = stripPnpmPeerSuffix(body.slice(lastSlash + 1));
-        }
-    }
-    else {
-        const atForm = /^((?:@[^/\s]+\/)?[^@\s]+)@(.+)$/u.exec(body);
-        if (atForm?.[1] && atForm[2]) {
-            name = atForm[1];
-            version = stripPnpmPeerSuffix(atForm[2]);
+            name = core.slice(0, lastSlash);
+            version = stripPnpmPeerSuffix(core.slice(lastSlash + 1));
         }
     }
     if (!name || !version) {
@@ -440,16 +538,32 @@ function stripPnpmPeerSuffix(version) {
     const peerStart = version.search(/[(_]/u);
     return peerStart === -1 ? version : version.slice(0, peerStart);
 }
-function parseRequirements(text) {
+function parseRequirements(text, context) {
     const observations = [];
+    const baseDir = context.filePath ? dirname(context.filePath) : null;
+    const state = {
+        rootDir: baseDir,
+        visited: new Set(context.filePath ? [resolve(context.filePath)] : []),
+        seen: new Set()
+    };
+    collectRequirements(text, baseDir, state, context, observations);
+    return observations;
+}
+function collectRequirements(text, baseDir, state, context, observations) {
     for (const logical of joinRequirementContinuations(text.split(/\r?\n/u))) {
         const line = logical.trim();
         if (line.length === 0 || line.startsWith("#")) {
             continue;
         }
+        const include = /^(?:-r|--requirement|-c|--constraint)[=\s]+(\S+)/u.exec(line);
+        if (include?.[1]) {
+            followRequirementInclude(include[1], baseDir, state, context, observations);
+            continue;
+        }
         const editable = /^(?:-e|--editable)[=\s]+(.+)$/u.exec(line);
         const target = (editable?.[1] ?? line).trim();
         if (REMOTE_SPEC_PREFIXES.some((prefix) => target.toLowerCase().startsWith(prefix))) {
+            recordSkip(context, target, specSourceKind(target) ?? "direct-url", line);
             observations.push(packageObservation({
                 ecosystem: "pypi",
                 name: target,
@@ -467,16 +581,25 @@ function parseRequirements(text) {
             }));
             continue;
         }
-        if (line.startsWith("-") || /^\.{0,2}\//u.test(target)) {
+        if (editable !== null || /^\.{0,2}\//u.test(target)) {
+            recordSkip(context, target, "local", line);
+            continue;
+        }
+        if (line.startsWith("-")) {
             continue;
         }
         const hash = /--hash=([A-Za-z0-9:_-]+)/u.exec(line)?.[1] ?? null;
         const requirement = line.replace(/\s*--hash=[^\s]+/gu, "").trim();
-        const match = /^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?(?:\s*==\s*([^;\s]+))?/u.exec(requirement);
+        const match = /^([A-Za-z0-9._-]+)(?:\[[^\]]*\])?(?:\s*={2,3}\s*([^;\s]+))?/u.exec(requirement);
         if (!match?.[1]) {
             observations.push(blockedUnknownSpec(line));
             continue;
         }
+        const pinKey = `${match[1].toLowerCase()}@${match[2] ?? ""}`;
+        if (state.seen.has(pinKey)) {
+            continue;
+        }
+        state.seen.add(pinKey);
         observations.push(lockfileObservation({
             ecosystem: "pypi",
             name: match[1],
@@ -488,7 +611,30 @@ function parseRequirements(text) {
             license: null
         }));
     }
-    return observations;
+}
+function followRequirementInclude(target, baseDir, state, context, observations) {
+    if (!baseDir || !state.rootDir) {
+        return;
+    }
+    const includePath = resolve(baseDir, target);
+    const containment = relative(state.rootDir, includePath);
+    if (containment.startsWith("..") || isAbsolute(containment)) {
+        recordParseError(context, target, new Error("requirements include escapes the project directory"));
+        return;
+    }
+    if (state.visited.has(includePath)) {
+        return;
+    }
+    state.visited.add(includePath);
+    let text;
+    try {
+        text = readFileSync(includePath, "utf8");
+    }
+    catch (error) {
+        recordParseError(context, target, error);
+        return;
+    }
+    collectRequirements(text, dirname(includePath), state, context, observations);
 }
 function joinRequirementContinuations(lines) {
     const joined = [];
@@ -538,15 +684,62 @@ function parsePoetryLock(text) {
         });
     }).filter((observation) => observation.identity.name !== "unknown");
 }
-function parsePipfileLock(text) {
+function parseUvLock(text, context) {
+    const observations = [];
+    for (const block of lockBlocks(text, "[[package]]")) {
+        const name = tomlString(block, "name");
+        if (!name) {
+            continue;
+        }
+        const version = tomlString(block, "version");
+        const source = /^source\s*=\s*\{([^}]*)\}/mu.exec(block)?.[1] ?? "";
+        const skipReason = uvSourceSkipReason(source);
+        if (skipReason) {
+            recordSkip(context, name, skipReason, `${name}${version ? `==${version}` : ""}`);
+            continue;
+        }
+        observations.push(lockfileObservation({
+            ecosystem: "pypi",
+            name,
+            version,
+            requested: `${name}==${version ?? "unknown"}`,
+            sourceKind: "lockfile",
+            resolvedUrl: null,
+            integrity: /hash\s*=\s*"([^"]+)"/u.exec(block)?.[1] ?? null,
+            license: null
+        }));
+    }
+    return observations;
+}
+function uvSourceSkipReason(source) {
+    if (source.length === 0 || /\bregistry\s*=/u.test(source)) {
+        return null;
+    }
+    if (/\bgit\s*=/u.test(source)) {
+        return "git";
+    }
+    if (/\burl\s*=/u.test(source)) {
+        return "direct-url";
+    }
+    if (/\b(?:editable|virtual)\s*=/u.test(source)) {
+        return "workspace";
+    }
+    if (/\b(?:path|directory)\s*=/u.test(source)) {
+        return "local";
+    }
+    return null;
+}
+function parsePipfileLock(text, context) {
     let parsed;
     try {
         parsed = JSON.parse(text);
     }
     catch (error) {
-        return [malformedLockfileObservation("Pipfile.lock", error)];
+        recordParseError(context, context.fileName, error);
+        return [malformedLockfileObservation(context.fileName, error)];
     }
     if (!isRecord(parsed)) {
+        recordParseError(context, context.fileName, new Error("root must be an object"));
         return [];
     }
     return ["default", "develop"].flatMap((section) => {
@@ -594,20 +787,6 @@ function integrityPolicyFinding(identity) {
         location: identity.requested
     };
 }
-function exactVersionFinding(name, version, location) {
-    if (version && isExactVersion(version)) {
-        return null;
-    }
-    return {
-        id: "unpinned-package-spec",
-        title: "Unpinned package spec",
-        message: `${name} is not pinned to an exact package version`,
-        location
-    };
-}
-function exactVersionVerdict(version) {
-    return version && isExactVersion(version) ? "pass" : "warn";
-}
 function deniedLicenseFinding(identity, deniedLicenses) {
     if (!identity.license || !deniedLicenses.has(normalizeLicense(identity.license))) {
         return null;
@@ -660,41 +839,8 @@ function packageObservation(identity, verdict, finding) {
         finding
     };
 }
-function splitNameVersion(value) {
-    const trimmed = value.trim();
-    if (trimmed.startsWith("@")) {
-        const index = trimmed.lastIndexOf("@");
-        if (index <= 0) {
-            return {
-                name: trimmed,
-                version: null
-            };
-        }
-        return {
-            name: trimmed.slice(0, index),
-            version: trimmed.slice(index + 1) || null
-        };
-    }
-    const index = trimmed.lastIndexOf("@");
-    if (index > 0) {
-        return {
-            name: trimmed.slice(0, index),
-            version: trimmed.slice(index + 1) || null
-        };
-    }
-    return {
-        name: trimmed,
-        version: null
-    };
-}
-function isValidPackageName(name) {
-    return /^(?:@[a-z0-9_.-]+\/)?[a-z0-9_.-]+$/iu.test(name) && !/[\\\s]/u.test(name);
-}
-function isExactVersion(version) {
-    return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/u.test(version);
-}
 function isSupportedIntegrity(value) {
-    return /^(?:sha256|sha384|sha512)-[A-Za-z0-9+/=]+$/u.test(value)
+    return /^(?:sha1|sha256|sha384|sha512)-[A-Za-z0-9+/=]+$/u.test(value)
         || /^(?:sha256:)?[a-f0-9]{64}$/iu.test(value)
         || /^[0-9a-f]+\/[0-9a-f]{64,}$/iu.test(value);
 }
@@ -749,6 +895,12 @@ function packageDisplayName(identity) {
     const version = identity.version ? `@${identity.version}` : "";
     return `${identity.ecosystem}:${identity.name}${version}`;
 }
+function packageNameFromWorkspacePath(path) {
+    const parts = path.split("/").filter((part) => part.length > 0);
+    const last = parts[parts.length - 1] ?? path;
+    const prior = parts[parts.length - 2];
+    return prior?.startsWith("@") ? `${prior}/${last}` : last;
+}
 function packageNameFromNodeModulesPath(path) {
     const parts = path.split("/");
     const nodeModulesIndex = parts.lastIndexOf("node_modules");
@@ -764,6 +916,12 @@ function packageNameFromNodeModulesPath(path) {
     }
     return first;
 }
+function yarnDescriptorSpec(descriptor) {
+    const scoped = descriptor.startsWith("@");
+    const body = scoped ? descriptor.slice(1) : descriptor;
+    const at = body.indexOf("@");
+    return at === -1 ? "" : body.slice(at + 1);
+}
 function packageNameFromYarnDescriptor(descriptor) {
     const scoped = descriptor.startsWith("@");
     const body = scoped ? descriptor.slice(1) : descriptor;