aislop 0.5.0 → 0.6.0

package/dist/index.js

@@ -1,4 +1,4 @@
-import { n as ENGINE_INFO, r as getEngineLabel, t as APP_VERSION } from "./version-CxBRws3M.js";
+import { n as ENGINE_INFO, r as getEngineLabel, t as APP_VERSION } from "./version-C2lM_2fE.js";
 import { n as runSubprocess, t as isToolInstalled } from "./subprocess-CQUJDGgn.js";
 import { r as runGenericLinter, t as fixRubyLint } from "./generic-BrcWMW7E.js";
 import { n as runExpoDoctor } from "./expo-doctor-Bz0LZhQ6.js";
@@ -1568,7 +1568,7 @@ const detectSwallowedExceptions = async (context) => {
 };
 
 //#endregion
-//#region src/engines/ai-slop/narrative-comments.ts
+//#region src/engines/ai-slop/narrative-comments-patterns.ts
 const DECORATIVE_SEPARATOR = /^[-=─━~_*#]{6,}$/;
 const DECORATIVE_SECTION_HEADER = /^[-=─━~_*#]{3,}[\s\S]+?[-=─━~_*#]{3,}$/;
 const SECTION_HEADER = /^(Phase|Step|Section|Part)\s+\d+[:.-]/i;
@@ -1611,7 +1611,49 @@ const MEANINGFUL_JSDOC_TAGS = new Set([
 	"todo",
 	"link",
 	"license",
-	"preserve"
+	"preserve",
+	"swagger",
+	"openapi",
+	"route",
+	"group",
+	"summary",
+	"description",
+	"operationid",
+	"response",
+	"responses",
+	"request",
+	"requestbody",
+	"security",
+	"tag",
+	"tags",
+	"path",
+	"body",
+	"query",
+	"queryparam",
+	"header",
+	"headers",
+	"produces",
+	"accept",
+	"middleware",
+	"api",
+	"apiname",
+	"apidefine",
+	"apigroup",
+	"apiparam",
+	"apiquery",
+	"apibody",
+	"apiheader",
+	"apisuccess",
+	"apierror",
+	"apiexample",
+	"apiversion",
+	"apidescription",
+	"apipermission",
+	"apiuse",
+	"apiignore",
+	"apiprivate",
+	"namespace",
+	"category"
 ]);
 const SUPPORTED_EXTS = new Set([
 	".ts",
@@ -1627,6 +1669,19 @@ const SUPPORTED_EXTS = new Set([
 	".java",
 	".php"
 ]);
+const DECL_START = /^(\s*)(export\s+)?(async\s+)?(const|let|var|function|class|type|interface|enum|abstract\s+class)\s+/;
+const EXPORT_DEFAULT = /^\s*export\s+default\b/;
+const TS_MEMBER_DECL_START = /^\s*(?:readonly\s+|static\s+|public\s+|private\s+|protected\s+|abstract\s+|override\s+)*[\w$]+\??\s*:/;
+const PY_DECL_START = /^\s*(async\s+def|def|class)\s+/;
+const GO_DECL_START = /^\s*(func|type|var|const)\s+/;
+const RUST_DECL_START = /^\s*(pub\s+)?(async\s+)?(fn|struct|enum|trait|impl|const|static|type|mod)\s+/;
+const RUBY_DECL_START = /^\s*(class|module|def)\s+/;
+const JAVA_DECL_START = /^\s*(?:public|private|protected|static|final|abstract|sealed|non-sealed|\s)+(?:class|interface|enum|record|@interface|\w[^(){};=]*\s+\w+\s*\()/;
+const JAVA_DECL_START_FALLBACK = /^\s*(class|interface|enum|record|@interface)\s+/;
+const PHP_DECL_START = /^\s*(?:public|private|protected|static|final|abstract|readonly\s+)*(function|class|interface|trait|enum|const)\s+/;
+
+//#endregion
+//#region src/engines/ai-slop/narrative-comments.ts
 const stripJsdocLine = (line) => line.replace(/^\s*\/\*\*+\s?/, "").replace(/\s*\*+\/\s*$/, "").replace(/^\s*\*\s?/, "").trim();
 const stripLineComment = (line) => line.replace(/^\s*(?:(?:\/\/)|#)\s?/, "");
 const getCommentSyntax = (ext) => {
@@ -1718,16 +1773,6 @@ const collectBlocks = (sourceLines, syntax) => {
 	}
 	return blocks;
 };
-const DECL_START = /^(\s*)(export\s+)?(async\s+)?(const|let|var|function|class|type|interface|enum|abstract\s+class)\s+/;
-const EXPORT_DEFAULT = /^\s*export\s+default\b/;
-const TS_MEMBER_DECL_START = /^\s*(?:readonly\s+|static\s+|public\s+|private\s+|protected\s+|abstract\s+|override\s+)*[\w$]+\??\s*:/;
-const PY_DECL_START = /^\s*(async\s+def|def|class)\s+/;
-const GO_DECL_START = /^\s*(func|type|var|const)\s+/;
-const RUST_DECL_START = /^\s*(pub\s+)?(async\s+)?(fn|struct|enum|trait|impl|const|static|type|mod)\s+/;
-const RUBY_DECL_START = /^\s*(class|module|def)\s+/;
-const JAVA_DECL_START = /^\s*(?:public|private|protected|static|final|abstract|sealed|non-sealed|\s)+(?:class|interface|enum|record|@interface|\w[^(){};=]*\s+\w+\s*\()/;
-const JAVA_DECL_START_FALLBACK = /^\s*(class|interface|enum|record|@interface)\s+/;
-const PHP_DECL_START = /^\s*(?:public|private|protected|static|final|abstract|readonly\s+)*(function|class|interface|trait|enum|const)\s+/;
 const looksLikeDeclarationPreamble = (nextLine, ext) => {
 	if (nextLine === null) return false;
 	if (DECL_START.test(nextLine) || EXPORT_DEFAULT.test(nextLine)) return true;
@@ -2256,72 +2301,12 @@ const architectureEngine = {
 };
 
 //#endregion
-//#region src/engines/code-quality/complexity.ts
-const FUNCTION_PATTERNS = [
-	{
-		regex: /^\s*(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\(([^)]*)\)/,
-		langFilter: [
-			".js",
-			".ts",
-			".jsx",
-			".tsx",
-			".mjs",
-			".cjs"
-		]
-	},
-	{
-		regex: /^\s*(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\(([^)]*)\)\s*(?:=>|:\s*\w)/,
-		langFilter: [
-			".js",
-			".ts",
-			".jsx",
-			".tsx",
-			".mjs",
-			".cjs"
-		]
-	},
-	{
-		regex: /^\s*def\s+(\w+)\s*\(([^)]*)\)/,
-		langFilter: [".py"]
-	},
-	{
-		regex: /^\s*func\s+(?:\([^)]*\)\s+)?(\w+)\s*\(([^)]*)\)/,
-		langFilter: [".go"]
-	},
-	{
-		regex: /^\s*fn\s+(\w+)\s*\(([^)]*)\)/,
-		langFilter: [".rs"]
-	},
-	{
-		regex: /^\s*(?:public|private|protected)?\s*(?:static\s+)?(?:\w+\s+)(\w+)\s*\(([^)]*)\)/,
-		langFilter: [
-			".java",
-			".cs",
-			".cpp",
-			".c",
-			".php"
-		]
-	}
-];
-const countParams = (p) => p.trim() ? p.split(",").length : 0;
-const matchFunctionOnLine = (line, ext) => {
-	for (let i = 0; i < FUNCTION_PATTERNS.length; i++) {
-		const pattern = FUNCTION_PATTERNS[i];
-		if (!pattern.langFilter.includes(ext)) continue;
-		const match = line.match(pattern.regex);
-		if (match) return {
-			name: match[1],
-			params: match[2] ?? "",
-			patternIndex: i
-		};
-	}
-	return null;
-};
+//#region src/engines/code-quality/function-boundaries.ts
 const PYTHON_CONTROL_FLOW_RE = /^\s*(?:if|for|while|with|try|except|else|elif|finally|def|class)\b/;
-const findFunctionEnd = (lines, startIndex, isPython) => {
-	if (isPython) return findPythonFunctionEnd(lines, startIndex);
-	return findBraceFunctionEnd(lines, startIndex);
-};
+const ARROW_BLOCK_RE = /* @__PURE__ */ new RegExp("=>\\s*\\{");
+const ARROW_END_RE = /* @__PURE__ */ new RegExp("=>\\s*$");
+const BRACE_START_RE = /* @__PURE__ */ new RegExp("^\\s*\\{");
+const NEW_STATEMENT_RE = /* @__PURE__ */ new RegExp("^(?:export\\s+)?(?:const|let|var|function|class)\\s");
 const isControlFlowBrace = (lineText, braceIndex) => {
 	const before = lineText.substring(0, braceIndex).trimEnd();
 	if (before.endsWith(")")) return true;
@@ -2401,16 +2386,10 @@ const findPythonFunctionEnd = (lines, startIndex) => {
 		maxNesting
 	};
 };
-const isDataFile = (content) => {
-	const nonEmpty = content.split("\n").filter((l) => l.trim().length > 0);
-	if (nonEmpty.length === 0) return false;
-	const dataLinePattern = /^\s*[{}[\]"']/;
-	return nonEmpty.filter((l) => dataLinePattern.test(l)).length / nonEmpty.length > .8;
+const findFunctionEnd = (lines, startIndex, isPython) => {
+	if (isPython) return findPythonFunctionEnd(lines, startIndex);
+	return findBraceFunctionEnd(lines, startIndex);
 };
-const ARROW_BLOCK_RE = /* @__PURE__ */ new RegExp("=>\\s*\\{");
-const ARROW_END_RE = /* @__PURE__ */ new RegExp("=>\\s*$");
-const BRACE_START_RE = /* @__PURE__ */ new RegExp("^\\s*\\{");
-const NEW_STATEMENT_RE = /* @__PURE__ */ new RegExp("^(?:export\\s+)?(?:const|let|var|function|class)\\s");
 const isBlockArrow = (lines, startIndex) => {
 	if (ARROW_BLOCK_RE.test(lines[startIndex])) return true;
 	if (ARROW_END_RE.test(lines[startIndex])) {
@@ -2446,6 +2425,75 @@ const countTemplateLines = (bodyLines) => {
 	}
 	return templateLineCount;
 };
+
+//#endregion
+//#region src/engines/code-quality/complexity.ts
+const FUNCTION_PATTERNS = [
+	{
+		regex: /^\s*(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\(([^)]*)\)/,
+		langFilter: [
+			".js",
+			".ts",
+			".jsx",
+			".tsx",
+			".mjs",
+			".cjs"
+		]
+	},
+	{
+		regex: /^\s*(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\(([^)]*)\)\s*(?:=>|:\s*\w)/,
+		langFilter: [
+			".js",
+			".ts",
+			".jsx",
+			".tsx",
+			".mjs",
+			".cjs"
+		]
+	},
+	{
+		regex: /^\s*def\s+(\w+)\s*\(([^)]*)\)/,
+		langFilter: [".py"]
+	},
+	{
+		regex: /^\s*func\s+(?:\([^)]*\)\s+)?(\w+)\s*\(([^)]*)\)/,
+		langFilter: [".go"]
+	},
+	{
+		regex: /^\s*fn\s+(\w+)\s*\(([^)]*)\)/,
+		langFilter: [".rs"]
+	},
+	{
+		regex: /^\s*(?:public|private|protected)?\s*(?:static\s+)?(?:\w+\s+)(\w+)\s*\(([^)]*)\)/,
+		langFilter: [
+			".java",
+			".cs",
+			".cpp",
+			".c",
+			".php"
+		]
+	}
+];
+const countParams = (p) => p.trim() ? p.split(",").length : 0;
+const matchFunctionOnLine = (line, ext) => {
+	for (let i = 0; i < FUNCTION_PATTERNS.length; i++) {
+		const pattern = FUNCTION_PATTERNS[i];
+		if (!pattern.langFilter.includes(ext)) continue;
+		const match = line.match(pattern.regex);
+		if (match) return {
+			name: match[1],
+			params: match[2] ?? "",
+			patternIndex: i
+		};
+	}
+	return null;
+};
+const isDataFile = (content) => {
+	const nonEmpty = content.split("\n").filter((l) => l.trim().length > 0);
+	if (nonEmpty.length === 0) return false;
+	const dataLinePattern = /^\s*[{}[\]"']/;
+	return nonEmpty.filter((l) => dataLinePattern.test(l)).length / nonEmpty.length > .8;
+};
 const analyzeFunctions = (content, ext) => {
 	const lines = content.split("\n");
 	const functions = [];
@@ -2468,13 +2516,14 @@ const analyzeFunctions = (content, ext) => {
 	}
 	return functions;
 };
+const JSX_FILE_LOC_MULTIPLIER = 1.5;
 const checkFileDiagnostics = (relativePath, content, limits) => {
 	const results = [];
 	const lineCount = content.split("\n").length;
 	const ext = path.extname(relativePath).toLowerCase();
 	if (isDataFile(content)) return results;
-	const effectiveMax = ext === ".jsx" || ext === ".tsx" ? limits.maxFileLoc * 2 : limits.maxFileLoc;
-	if (lineCount > Math.ceil(effectiveMax * 1.1)) results.push({
+	const effectiveMax = ext === ".jsx" || ext === ".tsx" ? Math.ceil(limits.maxFileLoc * JSX_FILE_LOC_MULTIPLIER) : limits.maxFileLoc;
+	if (lineCount > effectiveMax) results.push({
 		filePath: relativePath,
 		engine: "code-quality",
 		rule: "complexity/file-too-large",
@@ -3957,6 +4006,216 @@ const runCargoAudit = async (rootDir, timeout) => {
 	}
 };
 
+//#endregion
+//#region src/utils/source-masker.ts
+const JS_EXTS = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs"
+]);
+const PY_EXTS = new Set([".py"]);
+const RB_EXTS = new Set([".rb"]);
+const PHP_EXTS = new Set([".php"]);
+const familyForExt = (ext) => {
+	if (JS_EXTS.has(ext)) return "js";
+	if (PY_EXTS.has(ext)) return "py";
+	if (RB_EXTS.has(ext)) return "rb";
+	if (PHP_EXTS.has(ext)) return "php";
+	return "none";
+};
+const maskStringsAndComments = (content, ext) => {
+	const family = familyForExt(ext);
+	if (family === "none") return content;
+	if (family === "js") return maskJs(content);
+	return maskSimple(content, family);
+};
+const maskJs = (content) => {
+	const out = content.split("");
+	const len = content.length;
+	const tplStack = [];
+	let i = 0;
+	const mask = (start, end) => {
+		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
+	};
+	while (i < len) {
+		const c = content[i];
+		const next = content[i + 1];
+		if (tplStack.length > 0) {
+			if (c === "{") {
+				tplStack[tplStack.length - 1]++;
+				i++;
+				continue;
+			}
+			if (c === "}") {
+				if (tplStack[tplStack.length - 1] === 0) {
+					tplStack.pop();
+					const scan = consumeTemplateString(content, i + 1);
+					mask(i + 1, scan.maskEnd);
+					if (scan.openedInterp) tplStack.push(0);
+					i = scan.resumeAt;
+					continue;
+				}
+				tplStack[tplStack.length - 1]--;
+				i++;
+				continue;
+			}
+			if (c === "\"" || c === "'") {
+				const strStart = i;
+				i = consumeQuotedString(content, i, c);
+				mask(strStart + 1, i - 1);
+				continue;
+			}
+			if (c === "`") {
+				const scan = consumeTemplateString(content, i + 1);
+				mask(i + 1, scan.maskEnd);
+				if (scan.openedInterp) tplStack.push(0);
+				i = scan.resumeAt;
+				continue;
+			}
+			if (c === "/" && next === "/") {
+				const strStart = i;
+				while (i < len && content[i] !== "\n") i++;
+				mask(strStart, i);
+				continue;
+			}
+			if (c === "/" && next === "*") {
+				const strStart = i;
+				i += 2;
+				while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
+				if (i < len - 1) i += 2;
+				mask(strStart, i);
+				continue;
+			}
+			i++;
+			continue;
+		}
+		if (c === "\"" || c === "'") {
+			const strStart = i;
+			i = consumeQuotedString(content, i, c);
+			mask(strStart + 1, i - 1);
+			continue;
+		}
+		if (c === "`") {
+			const scan = consumeTemplateString(content, i + 1);
+			mask(i + 1, scan.maskEnd);
+			if (scan.openedInterp) tplStack.push(0);
+			i = scan.resumeAt;
+			continue;
+		}
+		if (c === "/" && next === "/") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (c === "/" && next === "*") {
+			const strStart = i;
+			i += 2;
+			while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
+			if (i < len - 1) i += 2;
+			mask(strStart, i);
+			continue;
+		}
+		i++;
+	}
+	return out.join("");
+};
+const consumeQuotedString = (content, start, quote) => {
+	const len = content.length;
+	let i = start + 1;
+	while (i < len) {
+		const c = content[i];
+		if (c === "\\" && i + 1 < len) {
+			i += 2;
+			continue;
+		}
+		if (c === quote) return i + 1;
+		if (c === "\n") return i;
+		i++;
+	}
+	return i;
+};
+const consumeTemplateString = (content, start) => {
+	const len = content.length;
+	let i = start;
+	while (i < len) {
+		const c = content[i];
+		if (c === "\\" && i + 1 < len) {
+			i += 2;
+			continue;
+		}
+		if (c === "`") return {
+			maskEnd: i,
+			resumeAt: i + 1,
+			openedInterp: false
+		};
+		if (c === "$" && content[i + 1] === "{") return {
+			maskEnd: i,
+			resumeAt: i + 2,
+			openedInterp: true
+		};
+		i++;
+	}
+	return {
+		maskEnd: i,
+		resumeAt: i,
+		openedInterp: false
+	};
+};
+const maskSimple = (content, family) => {
+	const out = content.split("");
+	const len = content.length;
+	let i = 0;
+	const mask = (start, end) => {
+		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
+	};
+	while (i < len) {
+		const c = content[i];
+		const next = content[i + 1];
+		if (family === "py" && (c === "\"" || c === "'")) {
+			if (content[i + 1] === c && content[i + 2] === c) {
+				const triple = c + c + c;
+				const end = content.indexOf(triple, i + 3);
+				const stop = end === -1 ? len : end + 3;
+				mask(i + 3, stop - 3);
+				i = stop;
+				continue;
+			}
+		}
+		if (c === "\"" || c === "'") {
+			const strStart = i;
+			i = consumeQuotedString(content, i, c);
+			mask(strStart + 1, i - 1);
+			continue;
+		}
+		if ((family === "py" || family === "rb" || family === "php") && c === "#") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (family === "php" && c === "/" && next === "/") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (family === "php" && c === "/" && next === "*") {
+			const strStart = i;
+			i += 2;
+			while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
+			if (i < len - 1) i += 2;
+			mask(strStart, i);
+			continue;
+		}
+		i++;
+	}
+	return out.join("");
+};
+
 //#endregion
 //#region src/engines/security/risky.ts
 const ev = "eval";
@@ -4086,12 +4345,13 @@ const detectRiskyConstructs = async (context) => {
 		const relativePath = path.relative(context.rootDirectory, filePath);
 		const normalizedPath = relativePath.split(path.sep).join("/");
 		const isMigrationOrSeeder = /(?:^|\/)(migrations|seeders|seeds|migrate)\//.test(normalizedPath);
+		const masked = maskStringsAndComments(content, ext);
 		for (const { pattern, extensions, name, message, help } of RISKY_PATTERNS) {
 			if (!extensions.includes(ext)) continue;
 			if (isMigrationOrSeeder && name === "sql-injection") continue;
 			const regex = new RegExp(pattern.source, pattern.flags);
 			let match;
-			while ((match = regex.exec(content)) !== null) {
+			while ((match = regex.exec(masked)) !== null) {
 				const line = content.slice(0, match.index).split("\n").length;
 				if (name === "innerhtml") {
 					const beforeMatch = content.slice(Math.max(0, match.index - 200), match.index);
@@ -4733,7 +4993,7 @@ const renderCleanRun = (input, deps = {}) => {
 //#region src/utils/git.ts
 const MAX_BUFFER = 50 * 1024 * 1024;
 const getChangedFiles = (cwd, base) => {
-	const result = spawnSync("git", [
+	const diff = spawnSync("git", [
 		"diff",
 		"--name-only",
 		"--diff-filter=ACMR",
@@ -4743,8 +5003,22 @@ const getChangedFiles = (cwd, base) => {
 		encoding: "utf-8",
 		maxBuffer: MAX_BUFFER
 	});
-	if (result.error || result.status !== 0) return [];
-	return result.stdout.split("\n").filter((f) => f.length > 0).map((f) => path.resolve(cwd, f));
+	if (diff.error || diff.status !== 0) return [];
+	const untracked = spawnSync("git", [
+		"ls-files",
+		"--others",
+		"--exclude-standard"
+	], {
+		cwd,
+		encoding: "utf-8",
+		maxBuffer: MAX_BUFFER
+	});
+	const names = /* @__PURE__ */ new Set();
+	for (const line of diff.stdout.split("\n")) if (line.length > 0) names.add(line);
+	if (!untracked.error && untracked.status === 0) {
+		for (const line of untracked.stdout.split("\n")) if (line.length > 0) names.add(line);
+	}
+	return Array.from(names).map((f) => path.resolve(cwd, f));
 };
 const getStagedFiles = (cwd) => {
 	const result = spawnSync("git", [
@@ -4915,7 +5189,7 @@ const scanCommand = async (directory, config, options) => {
 		});
 	}
 	if (options.json) {
-		const { buildJsonOutput } = await import("./json-BScQXSOX.js");
+		const { buildJsonOutput } = await import("./json-DcE9soYJ.js");
 		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs);
 		console.log(JSON.stringify(jsonOut, null, 2));
 		return { exitCode };
@@ -5686,42 +5960,46 @@ const removeUnusedDeclarations = (rootDirectory, declarations) => {
 
 //#endregion
 //#region src/commands/fix-force.ts
-const getJsAuditFixCommand = (rootDirectory) => {
-	if (fs.existsSync(path.join(rootDirectory, "pnpm-lock.yaml"))) return {
-		command: "pnpm",
-		args: ["audit", "--fix"]
-	};
-	if (fs.existsSync(path.join(rootDirectory, "package-lock.json")) || fs.existsSync(path.join(rootDirectory, "package.json"))) return {
-		command: "npm",
-		args: ["audit", "fix"]
-	};
+const INSTALL_TIMEOUT = 1800 * 1e3;
+const AUDIT_TIMEOUT = 60 * 1e3;
+const detectPackageManager = (rootDirectory) => {
+	if (fs.existsSync(path.join(rootDirectory, "pnpm-lock.yaml"))) return "pnpm";
+	if (fs.existsSync(path.join(rootDirectory, "package-lock.json")) || fs.existsSync(path.join(rootDirectory, "package.json"))) return "npm";
 	return null;
 };
-const INSTALL_TIMEOUT = 1800 * 1e3;
 const fixDependencyAudit = async (context, onProgress) => {
-	const auditFix = getJsAuditFixCommand(context.rootDirectory);
-	if (!auditFix) return;
-	onProgress?.(`Dependency audit fixes · running ${auditFix.command} audit fix (can take a few minutes)`);
-	const result = await runSubprocess(auditFix.command, auditFix.args, {
-		cwd: context.rootDirectory,
+	const pm = detectPackageManager(context.rootDirectory);
+	if (!pm) return;
+	if (pm === "npm") {
+		await runNpmAuditFix(context.rootDirectory, onProgress);
+		await tryNpmOverrides(context.rootDirectory, onProgress);
+		return;
+	}
+	if (await tryPnpmOverrides(context.rootDirectory, onProgress)) return;
+	if (fs.existsSync(path.join(context.rootDirectory, "package-lock.json"))) {
+		await runNpmAuditFix(context.rootDirectory, onProgress);
+		await tryNpmOverrides(context.rootDirectory, onProgress);
+		return;
+	}
+	onProgress?.("Dependency audit fixes · skipping (pnpm audit unavailable and no package-lock.json for npm fallback)");
+};
+const runNpmAuditFix = async (rootDir, onProgress) => {
+	onProgress?.("Dependency audit fixes · running npm audit fix (can take a few minutes)");
+	const result = await runSubprocess("npm", ["audit", "fix"], {
+		cwd: rootDir,
 		timeout: INSTALL_TIMEOUT
 	});
-	if (result.exitCode !== 0 && !result.stdout && !result.stderr) throw new Error(`${auditFix.command} audit fix failed`);
-	onProgress?.(`Dependency audit fixes · running ${auditFix.command} install`);
-	const installResult = await runSubprocess(auditFix.command, ["install"], {
-		cwd: context.rootDirectory,
+	if (result.exitCode !== 0 && !result.stdout && !result.stderr) throw new Error("npm audit fix failed");
+	onProgress?.("Dependency audit fixes · running npm install");
+	const installResult = await runSubprocess("npm", ["install"], {
+		cwd: rootDir,
 		timeout: INSTALL_TIMEOUT
 	});
-	if (installResult.exitCode !== 0) throw new Error(installResult.stderr || installResult.stdout || `${auditFix.command} install failed after audit fix`);
-	if (auditFix.command === "npm") await tryNpmOverrides(context.rootDirectory, onProgress);
+	if (installResult.exitCode !== 0) throw new Error(installResult.stderr || installResult.stdout || "npm install failed after audit fix");
 };
-/**
-* For unresolvable transitive vulnerabilities, attempt to add npm overrides
-* in package.json. This forces a newer version of the vulnerable transitive dep.
-*/
-const fetchLatestVersion = async (rootDir, pkgName) => {
+const fetchLatestVersion = async (rootDir, pkgName, pm) => {
 	try {
-		const result = await runSubprocess("npm", [
+		const result = await runSubprocess(pm, [
 			"view",
 			pkgName,
 			"version",
@@ -5735,11 +6013,11 @@ const fetchLatestVersion = async (rootDir, pkgName) => {
 		return null;
 	}
 };
-const collectOverrides = async (rootDir, vulnerabilities) => {
+const collectOverrides = async (rootDir, vulnerabilities, pm) => {
 	const overrides = {};
 	for (const [pkgName, vuln] of Object.entries(vulnerabilities)) {
 		if (vuln.fixAvailable !== false || !vuln.range) continue;
-		const latest = await fetchLatestVersion(rootDir, pkgName);
+		const latest = await fetchLatestVersion(rootDir, pkgName, pm);
 		if (latest) overrides[pkgName] = latest;
 	}
 	return overrides;
@@ -5748,12 +6026,12 @@ const tryNpmOverrides = async (rootDir, onProgress) => {
 	try {
 		const auditResult = await runSubprocess("npm", ["audit", "--json"], {
 			cwd: rootDir,
-			timeout: 3e4
+			timeout: AUDIT_TIMEOUT
 		});
 		if (!auditResult.stdout) return;
 		const vulnerabilities = JSON.parse(auditResult.stdout).vulnerabilities;
 		if (!vulnerabilities) return;
-		const overrides = await collectOverrides(rootDir, vulnerabilities);
+		const overrides = await collectOverrides(rootDir, vulnerabilities, "npm");
 		if (Object.keys(overrides).length === 0) return;
 		const pkgPath = path.join(rootDir, "package.json");
 		const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
@@ -5761,7 +6039,7 @@ const tryNpmOverrides = async (rootDir, onProgress) => {
 			...pkg.overrides || {},
 			...overrides
 		};
-		fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + "\n");
+		fs.writeFileSync(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`);
 		onProgress?.("Dependency audit fixes · applying npm overrides (npm install)");
 		await runSubprocess("npm", ["install"], {
 			cwd: rootDir,
@@ -5769,6 +6047,70 @@ const tryNpmOverrides = async (rootDir, onProgress) => {
 		});
 	} catch {}
 };
+const patchedRangeToVersion = (patched) => {
+	const match = patched.match(/^\s*>=?\s*([0-9]+\.[0-9]+\.[0-9]+[^\s]*)/);
+	return match ? `^${match[1]}` : null;
+};
+const overrideKey = (name, vulnerable, patched) => {
+	if (vulnerable && vulnerable.trim().length > 0 && !/^\*$/.test(vulnerable.trim())) return `${name}@${vulnerable.trim()}`;
+	const first = patched.match(/([0-9]+\.[0-9]+\.[0-9]+)/)?.[1];
+	return first ? `${name}@<${first}` : name;
+};
+const collectPnpmOverrides = (advisories) => {
+	const overrides = {};
+	for (const adv of Object.values(advisories)) {
+		if (!adv.module_name || !adv.patched_versions) continue;
+		const target = patchedRangeToVersion(adv.patched_versions);
+		if (!target) continue;
+		const key = overrideKey(adv.module_name, adv.vulnerable_versions, adv.patched_versions);
+		overrides[key] = target;
+	}
+	return overrides;
+};
+const isPnpmAuditRetired = (stdout, stderr) => {
+	const haystack = `${stdout}\n${stderr}`.toLowerCase();
+	return haystack.includes("410") || haystack.includes("gone") || haystack.includes("retired") || haystack.includes("endpoint") || haystack.includes("err_pnpm_audit") || haystack.includes("audit endpoint");
+};
+const tryPnpmOverrides = async (rootDir, onProgress) => {
+	onProgress?.("Dependency audit fixes · running pnpm audit");
+	const auditResult = await runSubprocess("pnpm", ["audit", "--json"], {
+		cwd: rootDir,
+		timeout: AUDIT_TIMEOUT
+	});
+	if (!auditResult.stdout) {
+		if (isPnpmAuditRetired(auditResult.stdout ?? "", auditResult.stderr ?? "")) return false;
+		return auditResult.exitCode === 0;
+	}
+	let parsed;
+	try {
+		parsed = JSON.parse(auditResult.stdout);
+	} catch {
+		if (auditResult.exitCode !== 0 || isPnpmAuditRetired(auditResult.stdout, auditResult.stderr ?? "")) return false;
+		return true;
+	}
+	const advisories = parsed.advisories;
+	if (!advisories || Object.keys(advisories).length === 0) return true;
+	const overrides = collectPnpmOverrides(advisories);
+	if (Object.keys(overrides).length === 0) return true;
+	const pkgPath = path.join(rootDir, "package.json");
+	const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
+	const pnpmBlock = pkg.pnpm ?? {};
+	const existing = pnpmBlock.overrides ?? {};
+	pkg.pnpm = {
+		...pnpmBlock,
+		overrides: {
+			...existing,
+			...overrides
+		}
+	};
+	fs.writeFileSync(pkgPath, `${JSON.stringify(pkg, null, 2)}\n`);
+	onProgress?.("Dependency audit fixes · applying pnpm overrides (pnpm install)");
+	await runSubprocess("pnpm", ["install"], {
+		cwd: rootDir,
+		timeout: INSTALL_TIMEOUT
+	});
+	return true;
+};
 const fixExpoDependencies = async (context, onProgress) => {
 	await removeDisallowedExpoPackages(context.rootDirectory, onProgress);
 	onProgress?.("Expo dependency alignment · running expo install --fix (can take a few minutes)");
@@ -5883,8 +6225,9 @@ const runFormattingStep = async (deps) => {
 const runForceSteps = async (deps) => {
 	if (!deps.force) return;
 	if (deps.config.engines["code-quality"] && hasJsOrTs(deps.projectInfo)) await deps.runStep("Remove unused files", () => runKnipUnusedFiles(deps.resolvedDir), () => fixUnusedFiles(deps.resolvedDir));
-	if (deps.config.engines.security) await deps.runStep("Dependency audit fixes", () => runDependencyAudit(deps.context), () => fixDependencyAudit(deps.context, deps.rail.setActiveLabel));
-	if (deps.projectInfo.frameworks.includes("expo")) await deps.runStep("Expo dependency alignment", () => runExpoDoctor(deps.context), () => fixExpoDependencies(deps.context, deps.rail.setActiveLabel));
+	const railUpdate = (label) => deps.rail.setActiveLabel(label);
+	if (deps.config.engines.security) await deps.runStep("Dependency audit fixes", () => runDependencyAudit(deps.context), () => fixDependencyAudit(deps.context, railUpdate));
+	if (deps.projectInfo.frameworks.includes("expo")) await deps.runStep("Expo dependency alignment", () => runExpoDoctor(deps.context), () => fixExpoDependencies(deps.context, railUpdate));
 };
 
 //#endregion