audit-trace 0.1.0

package/README.md

@@ -0,0 +1,101 @@
+# audit-trace
+
+`audit-trace` is a local-first CLI for **npm / pnpm / Yarn** projects. It combines **lockfile-aware dependency graphs** with **audit output** so you can see **which top-level dependencies introduce a vulnerable package**, short **remediation hints**, and **CI-friendly diagnostics** (structured `CiDiagnostic` codes for logs, job summaries, or PR comments).
+
+## Requirements
+
+- Node.js **18+**
+
+## Install
+
+```bash
+npm install -g audit-trace
+# or use npx
+npx audit-trace report
+```
+
+From source:
+
+```bash
+git clone <repo>
+cd audit-trace
+npm install
+npm run build
+node dist/cli.js --help
+```
+
+## Quick start
+
+```bash
+cd your-project
+audit-trace report
+audit-trace report --json
+audit-trace report --ci --fail-on high --prod-only
+```
+
+### Interactive UI (Ink)
+
+```bash
+audit-trace report --interactive
+```
+
+Use **↑/↓** to browse findings, **q** to quit.
+
+## Commands
+
+| Command | Description |
+|--------|-------------|
+| `report` (default) | Run package-manager audit + lockfile graph; print ownership paths & remediation hints |
+| `why <pkg>` | Shortest path(s) from workspace root(s) to a package in the lockfile graph |
+| `graph <pkg>` | Enumerate paths (capped) between roots and the package |
+| `impact <pkg>` | Transitive consumers (reverse reachability in the graph) |
+| `diff <before> <after>` | Compare two lockfiles (`--kind npm\|pnpm`) — added/removed package keys |
+
+## Flags (report)
+
+- `--json` / `--markdown` / `--html` — output modes  
+- `--ci` — apply exit-code policy and print structured CI diagnostics to stderr  
+- `--ci-verbose` — more explanatory CI text  
+- `--fail-on <level>` — `critical` \| `high` \| `moderate` \| `low` \| `info` \| `none` (default: `high` in CI contexts; in local runs without `--ci`, exit code stays 0 unless `--ci` is passed)  
+- `--prod-only` — drop findings whose traced paths are dev-only (best-effort; requires dev flags in the lockfile)  
+- `--audit-file <path>` — parse audit JSON instead of invoking `npm|pnpm|yarn audit`  
+- `--pm npm\|pnpm\|yarn` — force audit runner  
+- `--entry <file>` — optional entry for **madge**-based reachability heuristic (tags titles)  
+
+## CiDiagnostic codes
+
+Stable codes emitted in JSON (`diagnostics[]`) and echoed in human CI summaries:
+
+| Code | Meaning |
+|------|---------|
+| `NO_LOCKFILE` | No supported lockfile at project root — graph/ownership is degraded |
+| `AUDIT_SOURCE_FALLBACK` | Audit subprocess failed or returned empty — verify tool versions |
+| `FILTER_CONTEXT` | Some items excluded by `--prod-only` / future filters |
+| `FAIL_HIGH_PROD` | High/critical findings matched the failure threshold |
+| `FAIL_POLICY` | Generic policy failure (`--fail-on` and severity counts) |
+| `GRAPH_BUILD_WARN` | Reserved for graph/parser warnings |
+
+## GitHub Actions
+
+See [`examples/github-actions/ci.yml`](examples/github-actions/ci.yml) for a sample workflow posting JSON + human-readable sections.
+
+## Plugins (experimental)
+
+Plugins can implement hooks such as `afterGraphBuilt`, `afterAuditNormalized`, `onCiDiagnostics`, and `formatReport`. Register via the internal `plugins/registry` API (local imports) — a config file loader can be added later.
+
+## Development
+
+```bash
+npm test
+npm run build
+```
+
+## Limitations
+
+- **Yarn Berry** lockfiles and audits differ by release; classic `yarn.lock` + `yarn audit --json` are the primary targets.
+- **Reachability** via `madge` is **heuristic** (static graph); dynamic `require` is not modeled.
+- **Remediation** prefers `overrides` / `resolutions` when audit provides patched ranges; otherwise a manual upgrade path is suggested.
+
+## License
+
+MIT

package/dist/cli/ink/ReportTui.d.ts

@@ -0,0 +1,8 @@
+import React from "react";
+import type { AuditReport } from "../../core/models.js";
+import type { OwnershipPath } from "../../core/ownership/tracer.js";
+export declare function ReportTui(props: {
+    report: AuditReport;
+    ownership: OwnershipPath[];
+}): React.ReactElement;
+//# sourceMappingURL=ReportTui.d.ts.map

package/dist/cli/ink/ReportTui.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ReportTui.d.ts","sourceRoot":"","sources":["../../../src/cli/ink/ReportTui.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAmB,MAAM,OAAO,CAAC;AAExC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAEpE,wBAAgB,SAAS,CAAC,KAAK,EAAE;IAC/B,MAAM,EAAE,WAAW,CAAC;IACpB,SAAS,EAAE,aAAa,EAAE,CAAC;CAC5B,GAAG,KAAK,CAAC,YAAY,CAwCrB"}

package/dist/cli/ink/ReportTui.js

@@ -0,0 +1,20 @@
+import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { useState } from "react";
+import { Box, Text, useInput } from "ink";
+export function ReportTui(props) {
+    const [idx, setIdx] = useState(0);
+    useInput((input, key) => {
+        if (key.upArrow)
+            setIdx((i) => Math.max(0, i - 1));
+        if (key.downArrow)
+            setIdx((i) => Math.min(props.report.findings.length - 1, i + 1));
+        if (input === "q" || key.escape)
+            process.exit(0);
+    });
+    const f = props.report.findings[idx];
+    return (_jsxs(Box, { flexDirection: "column", padding: 1, children: [_jsx(Text, { bold: true, children: "audit-trace \u2014 interactive (\u2191/\u2193 navigate, q quit)" }), _jsx(Box, { marginTop: 1, children: _jsxs(Text, { dimColor: true, children: ["Finding ", idx + 1, "/", props.report.findings.length] }) }), f ? (_jsxs(Box, { flexDirection: "column", marginTop: 1, children: [_jsxs(Text, { color: f.severity === "critical" ? "red" : "yellow", children: ["[", f.severity, "] ", f.packageName] }), _jsx(Text, { children: f.title ?? f.id }), _jsxs(Box, { marginTop: 1, flexDirection: "column", children: [_jsx(Text, { bold: true, children: "Owners / paths sample" }), props.ownership
+                                .filter((o) => o.packageName === f.packageName)
+                                .slice(0, 5)
+                                .map((o, i) => (_jsxs(Text, { children: ["via ", o.topLevelNames.join(", ") || "?", " \u2014 dev:", String(o.isDevDependency)] }, i)))] })] })) : (_jsx(Text, { children: "No findings." }))] }));
+}
+//# sourceMappingURL=ReportTui.js.map

package/dist/cli/ink/ReportTui.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ReportTui.js","sourceRoot":"","sources":["../../../src/cli/ink/ReportTui.tsx"],"names":[],"mappings":";AAAA,OAAc,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AACxC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,KAAK,CAAC;AAI1C,MAAM,UAAU,SAAS,CAAC,KAGzB;IACC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IAClC,QAAQ,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QACtB,IAAI,GAAG,CAAC,OAAO;YAAE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACnD,IAAI,GAAG,CAAC,SAAS;YAAE,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACpF,IAAI,KAAK,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IACH,MAAM,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAErC,OAAO,CACL,MAAC,GAAG,IAAC,aAAa,EAAC,QAAQ,EAAC,OAAO,EAAE,CAAC,aACpC,KAAC,IAAI,IAAC,IAAI,sFAAwD,EAClE,KAAC,GAAG,IAAC,SAAS,EAAE,CAAC,YACf,MAAC,IAAI,IAAC,QAAQ,+BACH,GAAG,GAAG,CAAC,OAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,IAC1C,GACH,EACL,CAAC,CAAC,CAAC,CAAC,CACH,MAAC,GAAG,IAAC,aAAa,EAAC,QAAQ,EAAC,SAAS,EAAE,CAAC,aACtC,MAAC,IAAI,IAAC,KAAK,EAAE,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,kBACrD,CAAC,CAAC,QAAQ,QAAI,CAAC,CAAC,WAAW,IACxB,EACP,KAAC,IAAI,cAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,EAAE,GAAQ,EAC9B,MAAC,GAAG,IAAC,SAAS,EAAE,CAAC,EAAE,aAAa,EAAC,QAAQ,aACvC,KAAC,IAAI,IAAC,IAAI,4CAA6B,EACtC,KAAK,CAAC,SAAS;iCACb,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC,WAAW,CAAC;iCAC9C,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;iCACX,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CACb,MAAC,IAAI,uBACE,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,kBAAS,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,KAD/D,CAAC,CAEL,CACR,CAAC,IACA,IACF,CACP,CAAC,CAAC,CAAC,CACF,KAAC,IAAI,+BAAoB,CAC1B,IACG,CACP,CAAC;AACJ,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js

@@ -0,0 +1,150 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import { resolve } from "node:path";
+import { readFile } from "node:fs/promises";
+import ora from "ora";
+import { analyze } from "./lib/analyze.js";
+import { renderPretty, printCiSummary } from "./output/terminal-renderer.js";
+import { toJsonReport } from "./output/json-reporter.js";
+import { toMarkdownReport } from "./output/markdown-reporter.js";
+import { toHtmlReport } from "./output/html-reporter.js";
+import { loadLockfileGraph } from "./core/graph-engine/load-lockfile.js";
+import { buildIndexes, dfsAllPathsWithLimit, impactSet, shortestPathFromRoots, } from "./core/graph-engine/traverse.js";
+import { diffLockfiles } from "./integrations/lockfile-diff/compare.js";
+import React from "react";
+import { render } from "ink";
+import { ReportTui } from "./ink/ReportTui.js";
+const program = new Command();
+program
+    .name("audit-trace")
+    .description("Dependency vulnerability analysis with ownership tracing")
+    .version("0.1.0");
+program
+    .command("report", { isDefault: true })
+    .description("Run audit and print ownership-aware report")
+    .option("-C, --cwd <dir>", "project root", process.cwd())
+    .option("--json", "machine-readable JSON")
+    .option("--markdown", "Markdown report")
+    .option("--html", "HTML report")
+    .option("--ci", "CI mode (exit codes + diagnostics)")
+    .option("--ci-verbose", "extra CI explanation on stderr")
+    .option("--fail-on <level>", "critical|high|moderate|low|info|none", "high")
+    .option("--prod-only", "filter devDependency paths when possible")
+    .option("--audit-file <path>", "read audit JSON instead of running pm audit")
+    .option("--pm <name>", "npm|pnpm|yarn")
+    .option("--entry <file>", "entry file for madge reachability heuristics")
+    .option("--assume-reachable", "skip strict reachability interpretation in policy")
+    .option("-i, --interactive", "interactive terminal UI (Ink)")
+    .action(async (opts) => {
+    const spin = ora("Analyzing…").start();
+    const { report, ownership, exitCode, workspace } = await analyze({
+        cwd: opts.cwd,
+        useAuditFile: opts.auditFile,
+        pm: opts.pm,
+        prodOnly: opts.prodOnly,
+        ci: opts.ci,
+        ciVerbose: opts.ciVerbose,
+        failOn: opts.failOn,
+        runtimeEntry: opts.entry,
+        assumeReachable: opts.assumeReachable,
+    });
+    spin.succeed("Done");
+    if (workspace.isMonorepo) {
+        process.stderr.write(`Monorepo markers: ${JSON.stringify(workspace.tools)}\n`);
+    }
+    if (opts.json) {
+        process.stdout.write(toJsonReport({ ...report, summary: { workspace: workspace.tools } }));
+        process.stdout.write("\n");
+    }
+    else if (opts.markdown) {
+        process.stdout.write(toMarkdownReport(report, ownership));
+    }
+    else if (opts.html) {
+        process.stdout.write(toHtmlReport(report, ownership));
+    }
+    else if (opts.interactive) {
+        render(React.createElement(ReportTui, { report, ownership }));
+    }
+    else {
+        process.stdout.write(renderPretty(report.findings, ownership, report.graph, {
+            ci: opts.ci,
+            verbose: opts.ciVerbose,
+        }));
+        process.stdout.write("\n");
+        if (opts.ci) {
+            process.stderr.write(printCiSummary(report.diagnostics, Boolean(opts.ciVerbose)) + "\n");
+        }
+    }
+    if (opts.ci)
+        process.exit(exitCode);
+});
+program
+    .command("why")
+    .argument("<pkg>", "package name")
+    .option("-C, --cwd <dir>", "project root", process.cwd())
+    .action(async (pkg, opts) => {
+    const { graph } = await loadLockfileGraph(resolve(opts.cwd));
+    if (!graph.nodes.size) {
+        process.stderr.write("No lockfile graph.\n");
+        process.exit(1);
+    }
+    const ids = graph.byPackageName.get(pkg) ?? [];
+    const idx = buildIndexes(graph);
+    for (const id of ids) {
+        const path = shortestPathFromRoots(graph, idx, id);
+        process.stdout.write((path ?? [id]).map((x) => graph.nodes.get(x)?.name ?? x).join(" → ") + "\n");
+    }
+});
+program
+    .command("graph")
+    .argument("<pkg>", "package name")
+    .option("-C, --cwd <dir>", "project root", process.cwd())
+    .option("--limit <n>", "max paths", "5")
+    .action(async (pkg, opts) => {
+    const { graph } = await loadLockfileGraph(resolve(opts.cwd));
+    const ids = graph.byPackageName.get(pkg) ?? [];
+    const idx = buildIndexes(graph);
+    const lim = Number(opts.limit) || 5;
+    for (const id of ids.slice(0, 3)) {
+        for (const root of graph.rootIds.slice(0, 2)) {
+            const paths = dfsAllPathsWithLimit(idx, root, id, lim, 40);
+            for (const p of paths) {
+                process.stdout.write(p.map((x) => graph.nodes.get(x)?.name ?? x).join(" → ") + "\n");
+            }
+        }
+    }
+});
+program
+    .command("impact")
+    .argument("<pkg>", "package name")
+    .option("-C, --cwd <dir>", "project root", process.cwd())
+    .action(async (pkg, opts) => {
+    const { graph } = await loadLockfileGraph(resolve(opts.cwd));
+    const ids = graph.byPackageName.get(pkg) ?? [];
+    const idx = buildIndexes(graph);
+    for (const id of ids.slice(0, 1)) {
+        const s = impactSet(idx, id);
+        for (const n of s) {
+            const node = graph.nodes.get(n);
+            if (node)
+                process.stdout.write(`${node.name}@${node.version}\n`);
+        }
+    }
+});
+program
+    .command("diff")
+    .argument("<before>", "path to previous lockfile")
+    .argument("<after>", "path to new lockfile")
+    .option("--kind <npm|pnpm>", "lockfile family", "npm")
+    .action(async (before, after, opts) => {
+    const a = await readFile(resolve(before), "utf8");
+    const b = await readFile(resolve(after), "utf8");
+    const kind = opts.kind === "pnpm" ? "pnpm" : "npm";
+    const d = diffLockfiles(a, b, kind);
+    process.stdout.write(JSON.stringify(d, null, 2) + "\n");
+});
+program.parseAsync(process.argv).catch((e) => {
+    console.error(e);
+    process.exit(1);
+});
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,+BAA+B,CAAC;AAC7E,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACzD,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AACzE,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,SAAS,EACT,qBAAqB,GACtB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,yCAAyC,CAAC;AACxE,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,aAAa,CAAC;KACnB,WAAW,CAAC,0DAA0D,CAAC;KACvE,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;KACtC,WAAW,CAAC,4CAA4C,CAAC;KACzD,MAAM,CAAC,iBAAiB,EAAE,cAAc,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACxD,MAAM,CAAC,QAAQ,EAAE,uBAAuB,CAAC;KACzC,MAAM,CAAC,YAAY,EAAE,iBAAiB,CAAC;KACvC,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;KAC/B,MAAM,CAAC,MAAM,EAAE,oCAAoC,CAAC;KACpD,MAAM,CAAC,cAAc,EAAE,gCAAgC,CAAC;KACxD,MAAM,CAAC,mBAAmB,EAAE,sCAAsC,EAAE,MAAM,CAAC;KAC3E,MAAM,CAAC,aAAa,EAAE,0CAA0C,CAAC;KACjE,MAAM,CAAC,qBAAqB,EAAE,6CAA6C,CAAC;KAC5E,MAAM,CAAC,aAAa,EAAE,eAAe,CAAC;KACtC,MAAM,CAAC,gBAAgB,EAAE,8CAA8C,CAAC;KACxE,MAAM,CAAC,oBAAoB,EAAE,mDAAmD,CAAC;KACjF,MAAM,CAAC,mBAAmB,EAAE,+BAA+B,CAAC;KAC5D,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;IACrB,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,CAAC,KAAK,EAAE,CAAC;IACvC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,CAAC;QAC/D,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,YAAY,EAAE,IAAI,CAAC,SAAS;QAC5B,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,YAAY,EAAE,IAAI,CAAC,KAAK;QACxB,eAAe,EAAE,IAAI,CAAC,eAAe;KACtC,CAAC,CAAC;IACH,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACrB,IAAI,SAAS,CAAC,UAAU,EAAE,CAAC;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjF,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,YAAY,CAAC,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,SAAS,CAAC,KAAK,EAAE,EAAE,CAAC,CACrE,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;SAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;IAC5D,CAAC;SAAM,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACrB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;IACxD,CAAC;SAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QAC5B,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,SAAS,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;IAChE,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,EAAE,MAAM,CAAC,KAAK,EAAE;YACrD,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,OAAO,EAAE,IAAI,CAAC,SAAS;SACxB,CAAC,CACH,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;YACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,cAAc,CAAC,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,GAAG,IAAI,CACnE,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,IAAI,CAAC,EAAE;QAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,KAAK,CAAC;KACd,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;KACjC,MAAM,CAAC,iBAAiB,EAAE,cAAc,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACxD,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IAC1B,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7D,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC7C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,MAAM,GAAG,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IAC/C,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAChC,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,IAAI,GAAG,qBAAqB,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,CAAC,IAAI,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,IAAI,CACpF,CAAC;IACJ,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;KACjC,MAAM,CAAC,iBAAiB,EAAE,cAAc,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACxD,MAAM,CAAC,aAAa,EAAE,WAAW,EAAE,GAAG,CAAC;KACvC,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IAC1B,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IAC/C,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpC,KAAK,MAAM,EAAE,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QACjC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;YAC3D,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;gBACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;YAC/F,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,QAAQ,CAAC,OAAO,EAAE,cAAc,CAAC;KACjC,MAAM,CAAC,iBAAiB,EAAE,cAAc,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACxD,MAAM,CAAC,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;IAC1B,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IAC/C,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAChC,KAAK,MAAM,EAAE,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,SAAS,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YAClB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAChC,IAAI,IAAI;gBAAE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,QAAQ,CAAC,UAAU,EAAE,2BAA2B,CAAC;KACjD,QAAQ,CAAC,SAAS,EAAE,sBAAsB,CAAC;KAC3C,MAAM,CAAC,mBAAmB,EAAE,iBAAiB,EAAE,KAAK,CAAC;KACrD,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;IACpC,MAAM,CAAC,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC;IAClD,MAAM,CAAC,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;IACnD,MAAM,CAAC,GAAG,aAAa,CAAC,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC;IACpC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AAC1D,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IAC3C,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACjB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/core/audit-parser/normalize.d.ts

@@ -0,0 +1,8 @@
+import type { VulnerabilityFinding } from "../models.js";
+/** npm audit --json (npm 7+) */
+export declare function parseNpmAuditJson(raw: Record<string, unknown>): VulnerabilityFinding[];
+/** pnpm audit --json is often compatible with npm audit shape; fallback parse */
+export declare function parsePnpmAuditJson(raw: Record<string, unknown>): VulnerabilityFinding[];
+/** yarn audit --json: one JSON object per line */
+export declare function parseYarnAuditJsonLines(text: string): VulnerabilityFinding[];
+//# sourceMappingURL=normalize.d.ts.map

package/dist/core/audit-parser/normalize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"normalize.d.ts","sourceRoot":"","sources":["../../../src/core/audit-parser/normalize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAY,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAWnE,gCAAgC;AAChC,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,oBAAoB,EAAE,CAyEtF;AAED,iFAAiF;AACjF,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,oBAAoB,EAAE,CAEvF;AAED,kDAAkD;AAClD,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,MAAM,GAAG,oBAAoB,EAAE,CAwC5E"}

package/dist/core/audit-parser/normalize.js

@@ -0,0 +1,107 @@
+function sev(s) {
+    const x = (s ?? "low").toLowerCase();
+    if (x === "critical")
+        return "critical";
+    if (x === "high")
+        return "high";
+    if (x === "moderate" || x === "medium")
+        return "moderate";
+    if (x === "low")
+        return "low";
+    return "info";
+}
+/** npm audit --json (npm 7+) */
+export function parseNpmAuditJson(raw) {
+    const out = [];
+    const vulns = raw.vulnerabilities;
+    if (vulns) {
+        for (const [name, v] of Object.entries(vulns)) {
+            const via = v.via;
+            const titles = [];
+            const urls = [];
+            if (Array.isArray(via)) {
+                for (const item of via) {
+                    if (typeof item === "object" && item) {
+                        if (item.title)
+                            titles.push(String(item.title));
+                        if (item.url)
+                            urls.push(String(item.url));
+                    }
+                }
+            }
+            const id = `${name}:${v.range ?? "*"}`;
+            out.push({
+                id,
+                packageName: v.name ?? name,
+                vulnerableRange: v.range,
+                severity: sev(v.severity),
+                title: titles[0],
+                url: urls[0],
+                nodePaths: v.nodes,
+            });
+        }
+    }
+    const advisories = raw.advisories;
+    if (advisories && out.length === 0) {
+        for (const [aid, a] of Object.entries(advisories)) {
+            out.push({
+                id: `adv:${aid}`,
+                packageName: a.module_name ?? "unknown",
+                vulnerableRange: a.vulnerable_versions,
+                patchedRange: a.patched_versions,
+                severity: sev(a.severity),
+                title: a.title,
+                url: a.url,
+                cveIds: a.cves,
+            });
+        }
+    }
+    return dedupe(out);
+}
+/** pnpm audit --json is often compatible with npm audit shape; fallback parse */
+export function parsePnpmAuditJson(raw) {
+    return parseNpmAuditJson(raw);
+}
+/** yarn audit --json: one JSON object per line */
+export function parseYarnAuditJsonLines(text) {
+    const out = [];
+    for (const line of text.split("\n")) {
+        const t = line.trim();
+        if (!t)
+            continue;
+        let row;
+        try {
+            row = JSON.parse(t);
+        }
+        catch {
+            continue;
+        }
+        const typ = row.type;
+        if (typ !== "auditAdvisory")
+            continue;
+        const data = row.data;
+        const a = data?.advisory;
+        if (!a?.module_name)
+            continue;
+        out.push({
+            id: `yarn:${a.module_name}:${a.vulnerable_versions ?? ""}`,
+            packageName: a.module_name,
+            vulnerableRange: a.vulnerable_versions,
+            patchedRange: a.patched_versions,
+            severity: sev(a.severity),
+            title: a.title,
+            url: a.url,
+            cveIds: a.cves,
+        });
+    }
+    return dedupe(out);
+}
+function dedupe(f) {
+    const m = new Map();
+    for (const x of f) {
+        if (!m.has(x.id))
+            m.set(x.id, x);
+    }
+    return [...m.values()];
+}
+//# sourceMappingURL=normalize.js.map

package/dist/core/audit-parser/normalize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"normalize.js","sourceRoot":"","sources":["../../../src/core/audit-parser/normalize.ts"],"names":[],"mappings":"AAEA,SAAS,GAAG,CAAC,CAAqB;IAChC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,CAAC,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACxC,IAAI,CAAC,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,UAAU,CAAC;IAC1D,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gCAAgC;AAChC,MAAM,UAAU,iBAAiB,CAAC,GAA4B;IAC5D,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,MAAM,KAAK,GAAG,GAAG,CAAC,eAYL,CAAC;IAEd,IAAI,KAAK,EAAE,CAAC;QACV,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9C,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC;YAClB,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvB,KAAK,MAAM,IAAI,IAAI,GAAG,EAAE,CAAC;oBACvB,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,EAAE,CAAC;wBACrC,IAAI,IAAI,CAAC,KAAK;4BAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;wBAChD,IAAI,IAAI,CAAC,GAAG;4BAAE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC5C,CAAC;gBACH,CAAC;YACH,CAAC;YACD,MAAM,EAAE,GAAG,GAAG,IAAI,IAAI,CAAC,CAAC,KAAK,IAAI,GAAG,EAAE,CAAC;YACvC,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE;gBACF,WAAW,EAAE,CAAC,CAAC,IAAI,IAAI,IAAI;gBAC3B,eAAe,EAAE,CAAC,CAAC,KAAK;gBACxB,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC;gBACzB,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;gBAChB,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;gBACZ,SAAS,EAAE,CAAC,CAAC,KAAK;aACnB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,UAaV,CAAC;IAEd,IAAI,UAAU,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YAClD,GAAG,CAAC,IAAI,CAAC;gBACP,EAAE,EAAE,OAAO,GAAG,EAAE;gBAChB,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,SAAS;gBACvC,eAAe,EAAE,CAAC,CAAC,mBAAmB;gBACtC,YAAY,EAAE,CAAC,CAAC,gBAAgB;gBAChC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC;gBACzB,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,GAAG,EAAE,CAAC,CAAC,GAAG;gBACV,MAAM,EAAE,CAAC,CAAC,IAAI;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED,iFAAiF;AACjF,MAAM,UAAU,kBAAkB,CAAC,GAA4B;IAC7D,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,kDAAkD;AAClD,MAAM,UAAU,uBAAuB,CAAC,IAAY;IAClD,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QACtB,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,IAAI,GAA4B,CAAC;QACjC,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAA4B,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC;QACrB,IAAI,GAAG,KAAK,eAAe;YAAE,SAAS;QACtC,MAAM,IAAI,GAAG,GAAG,CAAC,IAYJ,CAAC;QACd,MAAM,CAAC,GAAG,IAAI,EAAE,QAAQ,CAAC;QACzB,IAAI,CAAC,CAAC,EAAE,WAAW;YAAE,SAAS;QAC9B,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,QAAQ,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,mBAAmB,IAAI,EAAE,EAAE;YAC1D,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,eAAe,EAAE,CAAC,CAAC,mBAAmB;YACtC,YAAY,EAAE,CAAC,CAAC,gBAAgB;YAChC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC;YACzB,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,MAAM,EAAE,CAAC,CAAC,IAAI;SACf,CAAC,CAAC;IACL,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED,SAAS,MAAM,CAAC,CAAyB;IACvC,MAAM,CAAC,GAAG,IAAI,GAAG,EAAgC,CAAC;IAClD,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAClB,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACzB,CAAC"}

package/dist/core/audit-parser/run-audit.d.ts

@@ -0,0 +1,9 @@
+export declare function runCmd(cmd: string, args: string[], cwd: string): Promise<{
+    code: number;
+    stdout: string;
+    stderr: string;
+}>;
+export declare function runNpmAudit(cwd: string): Promise<string>;
+export declare function runPnpmAudit(cwd: string): Promise<string>;
+export declare function runYarnAudit(cwd: string): Promise<string>;
+//# sourceMappingURL=run-audit.d.ts.map

package/dist/core/audit-parser/run-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-audit.d.ts","sourceRoot":"","sources":["../../../src/core/audit-parser/run-audit.ts"],"names":[],"mappings":"AAEA,wBAAsB,MAAM,CAC1B,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,EAAE,EACd,GAAG,EAAE,MAAM,GACV,OAAO,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAU3D;AAED,wBAAsB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAG9D;AAED,wBAAsB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAG/D;AAED,wBAAsB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAG/D"}

package/dist/core/audit-parser/run-audit.js

@@ -0,0 +1,25 @@
+import { spawn } from "node:child_process";
+export async function runCmd(cmd, args, cwd) {
+    return new Promise((resolve) => {
+        const p = spawn(cmd, args, { cwd, shell: false, env: process.env });
+        let stdout = "";
+        let stderr = "";
+        p.stdout?.on("data", (d) => (stdout += String(d)));
+        p.stderr?.on("data", (d) => (stderr += String(d)));
+        p.on("close", (code) => resolve({ code: code ?? 0, stdout, stderr }));
+        p.on("error", () => resolve({ code: 127, stdout, stderr }));
+    });
+}
+export async function runNpmAudit(cwd) {
+    const r = await runCmd("npm", ["audit", "--json"], cwd);
+    return r.stdout || r.stderr;
+}
+export async function runPnpmAudit(cwd) {
+    const r = await runCmd("pnpm", ["audit", "--json"], cwd);
+    return r.stdout || r.stderr;
+}
+export async function runYarnAudit(cwd) {
+    const r = await runCmd("yarn", ["audit", "--json"], cwd);
+    return r.stdout || r.stderr;
+}
+//# sourceMappingURL=run-audit.js.map

package/dist/core/audit-parser/run-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run-audit.js","sourceRoot":"","sources":["../../../src/core/audit-parser/run-audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAE3C,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,GAAW,EACX,IAAc,EACd,GAAW;IAEX,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QACpE,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACnD,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACnD,CAAC,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QACtE,CAAC,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,GAAW;IAC3C,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,GAAG,CAAC,CAAC;IACxD,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC;AAC9B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAW;IAC5C,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,GAAG,CAAC,CAAC;IACzD,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC;AAC9B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAW;IAC5C,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,GAAG,CAAC,CAAC;IACzD,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC;AAC9B,CAAC"}

package/dist/core/graph-engine/load-lockfile.d.ts

@@ -0,0 +1,20 @@
+import type { DependencyGraphSnapshot } from "../models.js";
+export type DetectedLock = {
+    kind: "npm";
+    path: string;
+} | {
+    kind: "pnpm";
+    path: string;
+} | {
+    kind: "yarn";
+    path: string;
+} | {
+    kind: "none";
+    path?: undefined;
+};
+export declare function detectLockfile(rootDir: string): Promise<DetectedLock>;
+export declare function loadLockfileGraph(rootDir: string): Promise<{
+    graph: DependencyGraphSnapshot;
+    lock: DetectedLock;
+}>;
+//# sourceMappingURL=load-lockfile.d.ts.map

package/dist/core/graph-engine/load-lockfile.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"load-lockfile.d.ts","sourceRoot":"","sources":["../../../src/core/graph-engine/load-lockfile.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAK5D,MAAM,MAAM,YAAY,GACpB;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC7B;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC9B;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAC9B;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,SAAS,CAAA;CAAE,CAAC;AAEvC,wBAAsB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAO3E;AAED,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,KAAK,EAAE,uBAAuB,CAAC;IAAC,IAAI,EAAE,YAAY,CAAA;CAAE,CAAC,CAejE"}

package/dist/core/graph-engine/load-lockfile.js

@@ -0,0 +1,43 @@
+import { readFile, readdir } from "node:fs/promises";
+import { join } from "node:path";
+import { buildGraphFromPackageLock } from "./npm-lock.js";
+import { buildGraphFromPnpmLock } from "./pnpm-lock.js";
+import { buildGraphFromYarnLock } from "./yarn-lock.js";
+export async function detectLockfile(rootDir) {
+    const entries = new Set(await readdir(rootDir).catch(() => []));
+    if (entries.has("pnpm-lock.yaml"))
+        return { kind: "pnpm", path: join(rootDir, "pnpm-lock.yaml") };
+    if (entries.has("yarn.lock"))
+        return { kind: "yarn", path: join(rootDir, "yarn.lock") };
+    if (entries.has("package-lock.json"))
+        return { kind: "npm", path: join(rootDir, "package-lock.json") };
+    return { kind: "none" };
+}
+export async function loadLockfileGraph(rootDir) {
+    const lock = await detectLockfile(rootDir);
+    if (lock.kind === "none") {
+        return { graph: empty(), lock };
+    }
+    const raw = await readFile(lock.path, "utf8");
+    let graph;
+    if (lock.kind === "npm") {
+        graph = buildGraphFromPackageLock(JSON.parse(raw), rootDir);
+    }
+    else if (lock.kind === "pnpm") {
+        graph = buildGraphFromPnpmLock(raw);
+    }
+    else {
+        graph = buildGraphFromYarnLock(raw);
+    }
+    return { graph, lock };
+}
+function empty() {
+    return {
+        nodes: new Map(),
+        edges: [],
+        rootIds: [],
+        lockfileKind: "unknown",
+        byPackageName: new Map(),
+    };
+}
+//# sourceMappingURL=load-lockfile.js.map

package/dist/core/graph-engine/load-lockfile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"load-lockfile.js","sourceRoot":"","sources":["../../../src/core/graph-engine/load-lockfile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,yBAAyB,EAAE,MAAM,eAAe,CAAC;AAC1D,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AAQxD,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAe;IAClD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IAChE,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC,EAAE,CAAC;IAClG,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,EAAE,CAAC;IACxF,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;QAClC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,EAAE,CAAC;IACnE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC1B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAe;IAEf,MAAM,IAAI,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,CAAC;IAC3C,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACzB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC;IAClC,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC9C,IAAI,KAA8B,CAAC;IACnC,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QACxB,KAAK,GAAG,yBAAyB,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,EAAE,OAAO,CAAC,CAAC;IACzF,CAAC;SAAM,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QAChC,KAAK,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IACtC,CAAC;SAAM,CAAC;QACN,KAAK,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,SAAS,KAAK;IACZ,OAAO;QACL,KAAK,EAAE,IAAI,GAAG,EAAE;QAChB,KAAK,EAAE,EAAE;QACT,OAAO,EAAE,EAAE;QACX,YAAY,EAAE,SAAS;QACvB,aAAa,EAAE,IAAI,GAAG,EAAE;KACzB,CAAC;AACJ,CAAC"}

package/dist/core/graph-engine/npm-lock.d.ts

@@ -0,0 +1,5 @@
+import type { DependencyGraphSnapshot } from "../models.js";
+/** Resolve child path for a dependency name from parent lock path (npm v2/v3 packages keys). */
+export declare function resolveNpmPackagePath(packages: Record<string, unknown>, parentPath: string, depName: string): string | undefined;
+export declare function buildGraphFromPackageLock(raw: Record<string, unknown>, _rootDir: string): DependencyGraphSnapshot;
+//# sourceMappingURL=npm-lock.d.ts.map

package/dist/core/graph-engine/npm-lock.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"npm-lock.d.ts","sourceRoot":"","sources":["../../../src/core/graph-engine/npm-lock.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAkB,uBAAuB,EAAkB,MAAM,cAAc,CAAC;AAM5F,gGAAgG;AAChG,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,GACd,MAAM,GAAG,SAAS,CAuBpB;AAcD,wBAAgB,yBAAyB,CACvC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC5B,QAAQ,EAAE,MAAM,GACf,uBAAuB,CAsGzB"}