npm - arol-ai - Versions diffs - 0.1.9 → 0.2.0 - Mend

arol-ai 0.1.9 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/data.js +3 -0
package/dist/imports.js +111 -0
package/dist/scanner.js +37 -8
package/package.json +2 -2
package/src/data/deprecations.json +45 -2

package/dist/data.js CHANGED Viewed

@@ -80,6 +80,9 @@ function coerceDeprecation(raw) {
     if (!SEVERITIES.includes(r.severity))
         return null;
     const detect = r.detect;
+    // detect.sdk is now FUNCTIONAL for match:"pattern" entries (import-gating, see
+    // imports.ts): a non-empty sdk means the entry's patterns only run in files that
+    // import a matching package. Empty sdk = ungated (patterns run everywhere).
     const sdk = detect && isStringArray(detect.sdk) ? detect.sdk : [];
     const patterns = detect && isStringArray(detect.patterns) ? detect.patterns : [];
     const models = detect && isStringArray(detect.models) ? detect.models : [];

package/dist/imports.js ADDED Viewed

@@ -0,0 +1,111 @@
+"use strict";
+/**
+ * Import extraction for import-gating.
+ *
+ * A pattern entry with a non-empty detect.sdk only runs its patterns in a file
+ * that imports a matching package. We parse imports from the SAME preprocessed
+ * (comment-stripped, string-aware) text the patterns use, so comment/string
+ * handling stays consistent. Regex-based, one pass per file.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NO_IMPORTS = void 0;
+exports.isGateableLang = isGateableLang;
+exports.sdkMatchesImport = sdkMatchesImport;
+exports.importsSatisfySdk = importsSatisfySdk;
+exports.extractImports = extractImports;
+/** JS/TS extensions that get full import parsing. */
+const JS_EXTS = new Set(["js", "mjs", "cjs", "jsx", "ts", "mts", "cts", "tsx"]);
+/** A shared empty set for files we don't gate (avoids per-call allocation). */
+exports.NO_IMPORTS = new Set();
+/**
+ * Languages where import-gating applies. Go is a v1 fallback (not gated) and
+ * unknown extensions are never gated.
+ */
+function isGateableLang(ext) {
+    const e = ext.toLowerCase();
+    return JS_EXTS.has(e) || e === "py";
+}
+/**
+ * An import source matches an sdk name if it equals it, or is a subpath of it.
+ * So sdk:["ai"] matches 'ai' and 'ai/test', but NOT 'aimee' or 'ai-utils'.
+ * Scoped packages behave the same: '@ai-sdk/openai' matches '@ai-sdk/openai/sub'.
+ * (Intentionally stricter and case-sensitive — distinct from manifests.nameMatches.)
+ */
+function sdkMatchesImport(sdkName, source) {
+    return source === sdkName || source.startsWith(sdkName + "/");
+}
+/** True if any import source in the set matches any of the entry's sdk names. */
+function importsSatisfySdk(sdkNames, imports) {
+    for (const sdk of sdkNames) {
+        for (const source of imports) {
+            if (sdkMatchesImport(sdk, source))
+                return true;
+        }
+    }
+    return false;
+}
+/**
+ * Extract the set of imported package sources from preprocessed source text.
+ * JS/TS returns raw import specifiers ('ai', 'ai/test', '@ai-sdk/openai').
+ * Python returns top-level module names ('openai', 'langchain').
+ * Other languages (incl. Go) return an empty set — the caller does not gate them.
+ */
+function extractImports(text, ext) {
+    const e = ext.toLowerCase();
+    if (e === "py")
+        return extractPythonImports(text);
+    if (JS_EXTS.has(e))
+        return extractJsImports(text);
+    return new Set(); // go / unknown — TODO: gate Go imports
+}
+function collect(text, re, group, out) {
+    re.lastIndex = 0;
+    let m;
+    while ((m = re.exec(text)) !== null) {
+        if (m.index === re.lastIndex)
+            re.lastIndex++; // guard zero-width
+        const src = m[group];
+        if (src)
+            out.add(src);
+    }
+}
+function extractJsImports(text) {
+    const out = new Set();
+    // `import ... from '<src>'` and `export ... from '<src>'` — covers named,
+    // default, namespace, aliased, `type`, and re-export. Multiline-safe: the
+    // binding span excludes ; ' " ` so it can't run across statements or quotes.
+    collect(text, /\b(?:import|export)\b[^;'"`]*?\bfrom\s*(['"`])([^'"`]+)\1/g, 2, out);
+    // Side-effect import: `import '<src>'` (import directly followed by a quote).
+    collect(text, /\bimport\s*(['"`])([^'"`]+)\1/g, 2, out);
+    // Dynamic import: `import('<src>')`.
+    collect(text, /\bimport\s*\(\s*(['"`])([^'"`]+)\1/g, 2, out);
+    // CommonJS: `require('<src>')`.
+    collect(text, /\brequire\s*\(\s*(['"`])([^'"`]+)\1/g, 2, out);
+    return out;
+}
+/** Top-level module of a dotted path ("openai.error" -> "openai"); "" for relative. */
+function topLevelModule(mod) {
+    return mod.trim().split(".")[0];
+}
+function extractPythonImports(text) {
+    const out = new Set();
+    let m;
+    // `from pkg[.sub] import ...`
+    const fromRe = /^[ \t]*from[ \t]+([.\w]+)[ \t]+import\b/gm;
+    while ((m = fromRe.exec(text)) !== null) {
+        const top = topLevelModule(m[1]);
+        if (top)
+            out.add(top); // skip relative imports ("from . import x")
+    }
+    // `import pkg`, `import pkg as p`, `import a, b`
+    const importRe = /^[ \t]*import[ \t]+(.+)$/gm;
+    while ((m = importRe.exec(text)) !== null) {
+        for (const part of m[1].split(",")) {
+            const name = part.trim().split(/[ \t]+as[ \t]+/)[0];
+            const top = topLevelModule(name);
+            if (top)
+                out.add(top);
+        }
+    }
+    return out;
+}

package/dist/scanner.js CHANGED Viewed

@@ -42,6 +42,7 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const fast_glob_1 = __importDefault(require("fast-glob"));
 const manifests_1 = require("./manifests");
+const imports_1 = require("./imports");
 /** Source file extensions that get the inline regex scan. */
 const SOURCE_EXTENSIONS = [
     "js",
@@ -103,22 +104,23 @@ function modelRegexSource(family) {
 }
 function compileDeprecations(deprecations) {
     return deprecations.map((deprecation) => {
-        const regexes = [];
+        const patternRegexes = [];
         // Raw patterns — code identifiers, endpoints, params.
         // `?? []` guards against entries not produced by the loader (e.g. tests).
         for (const pattern of deprecation.detect.patterns ?? []) {
             try {
                 // Global so we can iterate every match and derive line numbers.
-                regexes.push(new RegExp(pattern, "g"));
+                patternRegexes.push(new RegExp(pattern, "g"));
             }
             catch {
                 // A malformed pattern in the dataset must not crash the scan.
             }
         }
         // Model names — only matched inside string literals (quote-anchored).
+        const modelRegexes = [];
         for (const family of deprecation.detect.models ?? []) {
             try {
-                regexes.push(new RegExp(modelRegexSource(family), "g"));
+                modelRegexes.push(new RegExp(modelRegexSource(family), "g"));
             }
             catch {
                 // Defensive: a pathological family name must not crash the scan.
@@ -127,7 +129,13 @@ function compileDeprecations(deprecations) {
         // Missing/empty applies_to means "applies everywhere" (["*"]), preserved here.
         const declaredExts = deprecation.applies_to ?? [];
         const appliesTo = new Set((declaredExts.length > 0 ? declaredExts : ["*"]).map((e) => e.toLowerCase()));
-        return { deprecation, regexes, appliesTo };
+        return {
+            deprecation,
+            patternRegexes,
+            modelRegexes,
+            appliesTo,
+            sdkGate: deprecation.detect.sdk ?? [],
+        };
     });
 }
 /** True if a compiled entry should be tested against a file with this extension. */
@@ -256,10 +264,10 @@ function lineNumberAt(lineStarts, offset) {
     }
     return ans + 1;
 }
-/** Match every compiled deprecation against one file's contents. */
-function scanContent(content, relPath, compiled, sink) {
+/** Match the selected regexes for each deprecation against one file's contents. */
+function scanContent(content, relPath, runs, sink) {
     const lineStarts = computeLineStarts(content);
-    for (const { deprecation, regexes } of compiled) {
+    for (const { deprecation, regexes } of runs) {
         if (regexes.length === 0)
             continue;
         let recorded = sink.get(deprecation.id);
@@ -470,7 +478,28 @@ function scanRepo(root, deprecations, options = {}) {
         // comments don't count. Offsets are preserved, so line numbers stay correct.
         const cfg = commentConfig(ext);
         const scanText = cfg ? stripComments(content, cfg) : content;
-        scanContent(scanText, rel, applicable, patternSink);
+        // Import-gating: parse imports ONCE per file, reused across all entries.
+        // Only needed when some applicable entry actually gates (non-empty sdk) and
+        // the language supports gating (Go/unknown fall back to ungated). TODO: gate Go.
+        const gateable = (0, imports_1.isGateableLang)(ext);
+        const needImports = gateable && applicable.some((c) => c.sdkGate.length > 0);
+        const imports = needImports ? (0, imports_1.extractImports)(scanText, ext) : imports_1.NO_IMPORTS;
+        // For each entry: model regexes always run; pattern regexes run only when the
+        // gate is open (empty sdk → always; non-gateable lang → always; else the file
+        // must import a matching package).
+        const runs = [];
+        for (const c of applicable) {
+            const gateOpen = c.sdkGate.length === 0 ||
+                !gateable ||
+                (0, imports_1.importsSatisfySdk)(c.sdkGate, imports);
+            const regexes = gateOpen
+                ? [...c.modelRegexes, ...c.patternRegexes]
+                : c.modelRegexes;
+            if (regexes.length > 0)
+                runs.push({ deprecation: c.deprecation, regexes });
+        }
+        if (runs.length > 0)
+            scanContent(scanText, rel, runs, patternSink);
     }
     // 3. Build findings — one per deprecation, evaluated per its match mode.
     const findings = [];

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "arol-ai",
-  "version": "0.1.9",
+  "version": "0.2.0",
   "description": "Scan a local repo for upcoming third-party API/SDK deprecations. Fully local — no network, no telemetry, your code never leaves the machine.",
   "keywords": [
     "deprecation",
@@ -34,7 +34,7 @@
     "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "arol-ai": "^0.1.8",
+    "arol-ai": "^0.1.10",
     "commander": "^12.1.0",
     "fast-glob": "^3.3.2"
   },

package/src/data/deprecations.json CHANGED Viewed

@@ -8,7 +8,7 @@
     "applies_to": ["py", "js", "ts", "jsx", "tsx", "mjs"],
     "sunset_date": "2026-08-26",
     "detect": {
-      "sdk": ["openai"],
+      "sdk": [],
       "patterns": [
         "\\bbeta\\.assistants\\b",
         "\\bbeta\\.threads\\b",
@@ -286,7 +286,7 @@
     "applies_to": ["py", "js", "ts", "jsx", "tsx", "mjs"],
     "sunset_date": "2022-11-30",
     "detect": {
-      "sdk": ["@hubspot/api-client"],
+      "sdk": [],
       "patterns": ["hapikey\\s*=", "hapiKey\\s*="]
     },
     "migration_url": "https://developers.hubspot.com/changelog/upcoming-api-key-sunset",
@@ -474,5 +474,48 @@
     "migration_url": "https://platform.openai.com/docs/changelog",
     "summary": "The Realtime API beta was removed from the API on May 12, 2026. Migrate from the client.beta.realtime interface to the released (GA) Realtime API.",
     "source": "https://platform.openai.com/docs/changelog"
+  },
+  {
+    "id": "vercel-ai-sdk-v6-removed",
+    "vendor": "Vercel AI SDK",
+    "title": "AI SDK functions/classes removed in ai v6",
+    "severity": "medium",
+    "match": "pattern",
+    "applies_to": ["*"],
+    "status": "deprecated",
+    "detect": {
+      "sdk": ["ai"],
+      "patterns": [
+        "convertToCoreMessages",
+        "Experimental_Agent",
+        "MockLanguageModelV2",
+        "MockEmbeddingModelV2",
+        "MockImageModelV2",
+        "MockProviderV2",
+        "MockSpeechModelV2",
+        "MockTranscriptionModelV2"
+      ],
+      "models": []
+    },
+    "migration_url": "https://ai-sdk.dev/docs/migration-guides/migration-guide-6-0",
+    "summary": "Removed in ai v6. convertToCoreMessages → convertToModelMessages; Experimental_Agent → ToolLoopAgent; the V2 mock classes in ai/test → their V3 versions. Code using these breaks when you upgrade to ai@6.",
+    "source": "https://ai-sdk.dev/docs/migration-guides/migration-guide-6-0"
+  },
+  {
+    "id": "vercel-ai-sdk-v6-generateobject-deprecated",
+    "vendor": "Vercel AI SDK",
+    "title": "generateObject / streamObject deprecated in ai v6",
+    "severity": "low",
+    "match": "pattern",
+    "applies_to": ["*"],
+    "status": "deprecated",
+    "detect": {
+      "sdk": ["ai"],
+      "patterns": ["generateObject", "streamObject"],
+      "models": []
+    },
+    "migration_url": "https://ai-sdk.dev/docs/migration-guides/migration-guide-6-0",
+    "summary": "Deprecated in ai v6 (still works; removal planned for a later version). Use generateText / streamText with an output setting (Output.object) instead.",
+    "source": "https://ai-sdk.dev/docs/migration-guides/migration-guide-6-0"
   }
 ]