npm - @yawlabs/npmjs-mcp - Versions diffs - 0.11.9 → 0.11.12 - Mend

@yawlabs/npmjs-mcp 0.11.9 → 0.11.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +65 -39
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -31233,7 +31233,7 @@ function parseSingleConstraint(r) {
     if (patch === null) {
       return { min: [major, minor, 0], max: [major, minor + 1, 0] };
     }
-    return null;
+    return { min: [major, minor, patch], max: [major, minor, patch + 1] };
   }
   return null;
 }
@@ -31453,46 +31453,60 @@ var analysisTools = [
       packages: external_exports.array(external_exports.string()).min(2).max(5).describe("Package names to compare")
     }),
     handler: async (input) => {
-      const results = await Promise.all(
+      const partials = await Promise.all(
         input.packages.map(async (name) => {
           const [pkgRes, dlRes] = await Promise.all([
             registryGet(`/${encPkg(name)}`),
             downloadsGet(`/downloads/point/last-week/${encPkg(name)}`)
           ]);
-          if (!pkgRes.ok) {
-            return { name, error: pkgRes.error };
-          }
-          const pkg = pkgRes.data;
-          const latest = pkg["dist-tags"]?.latest;
-          const latestVersion = latest ? pkg.versions[latest] : void 0;
-          const versionKeys = Object.keys(pkg.versions);
-          let vulnerabilities = 0;
-          if (latest) {
-            const auditRes = await registryPost("/-/npm/v1/security/advisories/bulk", {
-              [name]: [latest]
-            });
-            if (auditRes.ok && auditRes.data?.[name]) {
-              vulnerabilities = auditRes.data[name].length;
-            }
-          }
-          return {
-            name,
-            description: pkg.description,
-            latest,
-            license: pkg.license ?? latestVersion?.license,
-            maintainers: pkg.maintainers?.map((m) => m.name),
-            weeklyDownloads: dlRes.ok ? dlRes.data.downloads : null,
-            versionCount: versionKeys.length,
-            created: pkg.time.created,
-            lastPublish: latest ? pkg.time[latest] : void 0,
-            deprecated: latestVersion?.deprecated ?? false,
-            hasReadme: !!(pkg.readme && pkg.readme.length > 0),
-            repository: pkg.repository,
-            homepage: pkg.homepage,
-            vulnerabilities
-          };
+          return { name, pkgRes, dlRes };
         })
       );
+      const auditMap = {};
+      for (const { name, pkgRes } of partials) {
+        if (!pkgRes.ok) continue;
+        const latest = pkgRes.data["dist-tags"]?.latest;
+        if (latest) auditMap[name] = [latest];
+      }
+      let auditData = {};
+      let auditSucceeded = false;
+      if (Object.keys(auditMap).length > 0) {
+        const auditRes = await registryPost("/-/npm/v1/security/advisories/bulk", auditMap);
+        if (auditRes.ok && auditRes.data) {
+          auditData = auditRes.data;
+          auditSucceeded = true;
+        }
+      }
+      const results = partials.map(({ name, pkgRes, dlRes }) => {
+        if (!pkgRes.ok) {
+          const translated = translateError(pkgRes, { pkg: name, op: "compare" });
+          return { name, error: translated.error };
+        }
+        const pkg = pkgRes.data;
+        const latest = pkg["dist-tags"]?.latest;
+        const latestVersion = latest ? pkg.versions[latest] : void 0;
+        const versionKeys = Object.keys(pkg.versions);
+        const wasAudited = auditSucceeded && name in auditMap;
+        const advisories = auditData[name];
+        const vulnerabilities = wasAudited ? Array.isArray(advisories) ? advisories.length : 0 : null;
+        return {
+          name,
+          description: pkg.description,
+          latest,
+          license: pkg.license ?? latestVersion?.license,
+          maintainers: pkg.maintainers?.map((m) => m.name),
+          weeklyDownloads: dlRes.ok ? dlRes.data.downloads : null,
+          versionCount: versionKeys.length,
+          created: pkg.time.created,
+          lastPublish: latest ? pkg.time[latest] : void 0,
+          deprecated: latestVersion?.deprecated ?? false,
+          hasReadme: !!(pkg.readme && pkg.readme.length > 0),
+          repository: pkg.repository,
+          homepage: pkg.homepage,
+          vulnerabilities,
+          auditReliable: wasAudited
+        };
+      });
       return { ok: true, status: 200, data: { comparison: results } };
     }
   },
@@ -31521,6 +31535,7 @@ var analysisTools = [
       const latestVersion = latest ? pkg.versions[latest] : void 0;
       const versionKeys = Object.keys(pkg.versions);
       let vulnerabilityCount = null;
+      let auditReliable = true;
       if (latest) {
         const auditRes = await registryPost("/-/npm/v1/security/advisories/bulk", {
           [input.name]: [latest]
@@ -31528,7 +31543,11 @@ var analysisTools = [
         if (auditRes.ok) {
           const advisories = auditRes.data?.[input.name];
           vulnerabilityCount = Array.isArray(advisories) ? advisories.length : 0;
+        } else {
+          auditReliable = false;
         }
+      } else {
+        auditReliable = false;
       }
       const publishDates = versionKeys.map((v) => pkg.time[v]).filter(Boolean).map((d) => new Date(d).getTime()).sort((a, b) => b - a);
       const now = Date.now();
@@ -31562,6 +31581,7 @@ var analysisTools = [
             daysSinceLastPublish,
             avgDaysBetweenReleases,
             vulnerabilityCount,
+            auditReliable,
             hasLicense,
             hasReadme,
             hasRepo,
@@ -31572,8 +31592,11 @@ var analysisTools = [
           // Holistic single-string verdict layered priority-first: a deprecated
           // package supersedes everything (don't use it), a vulnerable package
           // supersedes maintenance signals (active development doesn't undo a
-          // CVE), then staleness, recency, and the catch-all.
-          assessment: isDeprecated ? "DEPRECATED" : vulnerabilityCount !== null && vulnerabilityCount > 0 ? "VULNERABLE" : isStale ? "STALE" : daysSinceLastPublish !== null && daysSinceLastPublish < 90 ? "ACTIVE" : "MAINTENANCE"
+          // CVE), then AUDIT_UNKNOWN when we couldn't verify vuln status (a 5xx
+          // on the audit endpoint or a packument with no `latest` to audit) --
+          // better to flag the unknown than confidently report ACTIVE on
+          // unverified data. Then staleness, recency, and the catch-all.
+          assessment: isDeprecated ? "DEPRECATED" : vulnerabilityCount !== null && vulnerabilityCount > 0 ? "VULNERABLE" : !auditReliable ? "AUDIT_UNKNOWN" : isStale ? "STALE" : daysSinceLastPublish !== null && daysSinceLastPublish < 90 ? "ACTIVE" : "MAINTENANCE"
         }
       };
     }
@@ -31937,7 +31960,10 @@ var dependencyTools = [
         if (tree[resolvedKey]) return;
         const versionData = pkg.versions[resolvedVersion];
         if (!versionData) {
-          tree[resolvedKey] = { version: resolvedVersion, dependencies: {} };
+          if (!failedPackages.has(name)) {
+            failedPackages.add(name);
+            tree[resolvedKey] = { version: resolvedVersion, dependencies: {}, failed: true };
+          }
           return;
         }
         const deps = versionData.dependencies ?? {};
@@ -33475,7 +33501,7 @@ var writeTools = [
   // via the packument (step 3 succeeded), so we report success with a warning.
   {
     name: "npm_unpublish_version",
-    description: "Unpublish a specific version of a package. IRREVERSIBLE: once unpublished, the version cannot be re-published and will be blocked for 72 hours. Only works within 72 hours of the original publish for most packages. Requires explicit confirm: true to prevent accidents. Follows the npm CLI flow (mutate packument + delete tarball). For full-package unpublish use npm_unpublish_package.",
+    description: "Unpublish a specific version of a package. IRREVERSIBLE: once unpublished, the version cannot be re-published and will be blocked for 72 hours. Only works within 72 hours of the original publish for most packages. Requires explicit confirm: true to prevent accidents. Follows the npm CLI flow (mutate packument + delete tarball). For full-package unpublish use npm_unpublish_package. Dist-tag handling: any dist-tag that pointed at the unpublished version is removed. Only `latest` is auto-reassigned (to the highest remaining stable version). Other tags like `next`/`beta` are left unset \u2014 reassign them explicitly with npm_dist_tag_set if needed.",
     annotations: {
       title: "Unpublish version",
       readOnlyHint: false,
@@ -34221,7 +34247,7 @@ var writeTools = [
 ];
 // src/index.ts
-var version2 = true ? "0.11.9" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "0.11.12" : (await null).createRequire(import.meta.url)("../package.json").version;
 var subcommand = process.argv[2];
 if (subcommand === "version" || subcommand === "--version" || subcommand === "-v" || subcommand === "-V") {
   console.log(version2);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@yawlabs/npmjs-mcp",
-  "version": "0.11.9",
+  "version": "0.11.12",
   "mcpName": "io.github.YawLabs/npmjs-mcp",
   "description": "npm registry MCP server — package intelligence, security audits, and dependency analysis for AI assistants",
   "license": "MIT",