autoremediator 0.13.0 → 0.14.0

package/dist/{chunk-4CVVRAQM.js → chunk-3NNNFJLV.js}

@@ -1,5 +1,5 @@
 // src/api/options-schema.ts
-var PACKAGE_MANAGER_VALUES = ["npm", "pnpm", "yarn"];
+var PACKAGE_MANAGER_VALUES = ["npm", "pnpm", "yarn", "bun", "deno"];
 var LLM_PROVIDER_VALUES = ["remote", "local"];
 var PROVENANCE_SOURCE_VALUES = ["cli", "sdk", "mcp", "openapi", "unknown"];
 var OPTION_DESCRIPTIONS = {
@@ -296,21 +296,26 @@ function createUpdateOutdatedOptionSchemaProperties() {
 // src/api/patches/inspection.ts
 import { existsSync as existsSync4 } from "fs";
 import { readdir, readFile as readFile2, stat } from "fs/promises";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 
 // src/remediation/strategies/patch-utils.ts
-import { existsSync as existsSync2, mkdirSync, writeFileSync, readFileSync } from "fs";
-import { join as join2 } from "path";
+import { existsSync as existsSync2, mkdirSync, writeFileSync, readFileSync as readFileSync2 } from "fs";
+import { join as join3 } from "path";
 import { execa as execa2 } from "execa";
 
 // src/platform/package-manager/index.ts
 import { existsSync } from "fs";
-import { join } from "path";
+import { join as join2 } from "path";
 import { execa } from "execa";
 
 // src/platform/package-manager/list-parser.ts
+import { readFileSync } from "fs";
+import { join } from "path";
 function parsePackageManagerListOutput(pm, stdout) {
   const versions = /* @__PURE__ */ new Map();
+  if (pm === "bun") {
+    return parseBunListOutput(stdout, versions);
+  }
   if (!stdout.trim()) return versions;
   if (pm === "yarn") {
     return parseYarnListOutput(stdout, versions);
@@ -360,6 +365,61 @@ function collectDependencyTree(tree, versions) {
     collectDependencyTree(entry.dependencies, versions);
   }
 }
+function parseBunListOutput(stdout, versions) {
+  const lines = stdout.split("\n").map((line) => line.replace(/^[\s│├└─]+/, "").trim()).filter(Boolean);
+  for (const line of lines) {
+    const at = line.lastIndexOf("@");
+    if (at <= 0) continue;
+    const name = line.slice(0, at);
+    const version = line.slice(at + 1);
+    if (name && version) {
+      versions.set(name, version);
+    }
+  }
+  return versions;
+}
+function resolveDenoInventory(cwd) {
+  const versions = /* @__PURE__ */ new Map();
+  let raw;
+  try {
+    raw = readFileSync(join(cwd, "deno.lock"), "utf8");
+  } catch {
+    return versions;
+  }
+  let lock;
+  try {
+    lock = JSON.parse(raw);
+  } catch {
+    return versions;
+  }
+  if (!lock || typeof lock !== "object") return versions;
+  const lockObj = lock;
+  const packages = lockObj["packages"];
+  if (packages && typeof packages === "object") {
+    const pkgsObj = packages;
+    const npmMap = pkgsObj["npm"];
+    if (npmMap && typeof npmMap === "object") {
+      for (const key of Object.keys(npmMap)) {
+        extractNameVersion(key, versions);
+      }
+      return versions;
+    }
+    for (const key of Object.keys(pkgsObj)) {
+      const stripped = key.startsWith("npm:") ? key.slice(4) : key;
+      extractNameVersion(stripped, versions);
+    }
+  }
+  return versions;
+}
+function extractNameVersion(spec, versions) {
+  const at = spec.lastIndexOf("@");
+  if (at <= 0) return;
+  const name = spec.slice(0, at);
+  const version = spec.slice(at + 1);
+  if (name && version) {
+    versions.set(name, version);
+  }
+}
 
 // src/platform/package-manager/index.ts
 async function getYarnMajorVersion(cwd) {
@@ -372,8 +432,10 @@ async function getYarnMajorVersion(cwd) {
   }
 }
 function detectPackageManager(cwd) {
-  if (existsSync(join(cwd, "pnpm-lock.yaml"))) return "pnpm";
-  if (existsSync(join(cwd, "yarn.lock"))) return "yarn";
+  if (existsSync(join2(cwd, "pnpm-lock.yaml"))) return "pnpm";
+  if (existsSync(join2(cwd, "yarn.lock"))) return "yarn";
+  if (existsSync(join2(cwd, "bun.lockb")) || existsSync(join2(cwd, "bun.lock"))) return "bun";
+  if (existsSync(join2(cwd, "deno.lock"))) return "deno";
   return "npm";
 }
 function withWorkspace(command, pm, workspace) {
@@ -390,6 +452,20 @@ function resolveInstallCommand(pm, constraints, yarnMajor) {
   const installMode = constraints?.installMode ?? "deterministic";
   const preferOfflineOverride = constraints?.installPreferOffline;
   const frozenOverride = constraints?.enforceFrozenLockfile;
+  if (pm === "bun") {
+    const frozen = frozenOverride ?? installMode === "deterministic";
+    const command2 = ["bun", "install"];
+    if (frozen) command2.push("--frozen-lockfile");
+    return withWorkspace(command2, pm, constraints?.workspace);
+  }
+  if (pm === "deno") {
+    const frozen = frozenOverride ?? installMode === "deterministic";
+    const preferOffline = preferOfflineOverride ?? installMode === "prefer-offline";
+    const command2 = ["deno", "install"];
+    if (frozen) command2.push("--frozen");
+    if (preferOffline && !frozen) command2.push("--cache-only");
+    return withWorkspace(command2, pm, constraints?.workspace);
+  }
   const includePreferOffline = pm !== "yarn" && (preferOfflineOverride ?? installMode !== "standard");
   let includeFrozenLockfile = pm !== "npm" && (frozenOverride ?? installMode === "deterministic");
   if (frozenOverride === false) {
@@ -410,22 +486,36 @@ function resolveInstallCommand(pm, constraints, yarnMajor) {
   return withWorkspace(command, pm, constraints?.workspace);
 }
 function resolveListCommand(pm, constraints) {
-  const base = pm === "pnpm" ? ["pnpm", "list", "--json", "--depth", "99"] : pm === "yarn" ? ["yarn", "list", "--json"] : ["npm", "list", "--json", "--all"];
+  if (pm === "deno") {
+    return [];
+  }
+  const base = pm === "pnpm" ? ["pnpm", "list", "--json", "--depth", "99"] : pm === "yarn" ? ["yarn", "list", "--json"] : pm === "bun" ? ["bun", "pm", "ls", "--all"] : ["npm", "list", "--json", "--all"];
   return withWorkspace(base, pm, constraints?.workspace);
 }
 function resolveTestCommand(pm, constraints) {
-  const base = pm === "pnpm" ? ["pnpm", "test"] : pm === "yarn" ? ["yarn", "test"] : ["npm", "test"];
+  const base = pm === "pnpm" ? ["pnpm", "test"] : pm === "yarn" ? ["yarn", "test"] : pm === "bun" ? ["bun", "test"] : pm === "deno" ? ["deno", "test"] : ["npm", "test"];
   return withWorkspace(base, pm, constraints?.workspace);
 }
 function resolveAuditCommand(pm, constraints) {
+  if (pm === "deno") {
+    throw new Error(
+      "Deno does not support a native audit command. Use --input with a SARIF or npm-audit scan file instead."
+    );
+  }
   const base = pm === "yarn" ? ["yarn", "audit", "--json"] : [pm, "audit", "--json"];
   return withWorkspace(base, pm, constraints?.workspace);
 }
 function resolveWhyCommand(pm, packageName, constraints) {
+  if (pm === "deno") return [];
+  if (pm === "bun") {
+    const base2 = ["bun", "pm", "why", packageName];
+    return withWorkspace(base2, pm, constraints?.workspace);
+  }
   const base = pm === "npm" ? ["npm", "explain", packageName] : [pm, "why", packageName];
   return withWorkspace(base, pm, constraints?.workspace);
 }
 function resolveDedupeCommand(pm, constraints) {
+  if (pm === "bun" || pm === "deno") return [];
   const base = [pm, "dedupe"];
   return withWorkspace(base, pm, constraints?.workspace);
 }
@@ -452,6 +542,28 @@ function getPackageManagerCommands(pm) {
       lockfileName: "yarn.lock"
     };
   }
+  if (pm === "bun") {
+    return {
+      install: ["bun", "install"],
+      installPreferOffline: ["bun", "install"],
+      installDeterministic: resolveInstallCommand("bun", { installMode: "deterministic" }),
+      installDev: (pkg) => ["bun", "add", "-d", pkg],
+      test: ["bun", "test"],
+      list: ["bun", "pm", "ls", "--all"],
+      lockfileName: "bun.lockb"
+    };
+  }
+  if (pm === "deno") {
+    return {
+      install: ["deno", "install"],
+      installPreferOffline: ["deno", "install", "--cache-only"],
+      installDeterministic: resolveInstallCommand("deno", { installMode: "deterministic" }),
+      installDev: (pkg) => ["deno", "add", pkg],
+      test: ["deno", "test"],
+      list: [],
+      lockfileName: "deno.lock"
+    };
+  }
   return {
     install: ["npm", "install"],
     installPreferOffline: ["npm", "install", "--prefer-offline"],
@@ -555,7 +667,7 @@ async function listPatchArtifacts(options = {}) {
     return [];
   }
   const entries = await readdir(patchesDirPath, { withFileTypes: true });
-  const patchFiles = entries.filter((entry) => entry.isFile() && entry.name.endsWith(".patch")).map((entry) => join3(patchesDirPath, entry.name)).sort((left, right) => left.localeCompare(right));
+  const patchFiles = entries.filter((entry) => entry.isFile() && entry.name.endsWith(".patch")).map((entry) => join4(patchesDirPath, entry.name)).sort((left, right) => left.localeCompare(right));
   const summaries = await Promise.all(
     patchFiles.map(async (patchFilePath) => {
       const inspection = await inspectPatchArtifact(patchFilePath, options);
@@ -616,13 +728,13 @@ function defineTool(config) {
 
 // src/remediation/tools/check-inventory.ts
 import { z } from "zod";
-import { readFileSync as readFileSync3 } from "fs";
-import { join as join5 } from "path";
+import { readFileSync as readFileSync4 } from "fs";
+import { join as join6 } from "path";
 import { execa as execa3 } from "execa";
 
 // src/platform/policy.ts
-import { existsSync as existsSync5, readFileSync as readFileSync2 } from "fs";
-import { join as join4 } from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
+import { join as join5 } from "path";
 import { parse as yamlParse } from "yaml";
 var DEFAULT_POLICY = {
   allowMajorBumps: false,
@@ -653,10 +765,10 @@ var DEFAULT_POLICY = {
   escalationGraph: void 0
 };
 function loadPolicy(cwd, explicitPath) {
-  const candidate = explicitPath ?? join4(cwd, ".github", "autoremediator.yml");
+  const candidate = explicitPath ?? join5(cwd, ".github", "autoremediator.yml");
   if (!existsSync5(candidate)) return DEFAULT_POLICY;
   try {
-    const parsed = yamlParse(readFileSync2(candidate, "utf8"));
+    const parsed = yamlParse(readFileSync3(candidate, "utf8"));
     return {
       allowMajorBumps: parsed.allowMajorBumps ?? DEFAULT_POLICY.allowMajorBumps,
       denyPackages: parsed.denyPackages ?? DEFAULT_POLICY.denyPackages,
@@ -717,7 +829,7 @@ function isActiveSuppression(suppression) {
 }
 function loadSuppressionsFile(filePath) {
   try {
-    const content = readFileSync2(filePath, "utf8");
+    const content = readFileSync3(filePath, "utf8");
     const parsed = yamlParse(content);
     return Array.isArray(parsed?.suppressions) ? parsed.suppressions : [];
   } catch {
@@ -748,14 +860,14 @@ var checkInventoryTool = defineTool({
   description: "Read the project's package.json and installed dependencies to list packages and exact versions. Must be called before checking version matches.",
   parameters: z.object({
     cwd: z.string().describe("Absolute path to the consumer project's root directory"),
-    packageManager: z.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageManager: z.enum(["npm", "pnpm", "yarn", "bun", "deno"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
     policy: z.string().optional().describe("Optional path to .github/autoremediator.yml policy file"),
     workspace: z.string().optional().describe("Optional workspace/package selector for monorepos")
   }),
   execute: async ({ cwd, packageManager, policy, workspace }) => {
     let pkgJson;
     try {
-      pkgJson = JSON.parse(readFileSync3(join5(cwd, "package.json"), "utf8"));
+      pkgJson = JSON.parse(readFileSync4(join6(cwd, "package.json"), "utf8"));
     } catch {
       return {
         packages: [],
@@ -769,15 +881,21 @@ var checkInventoryTool = defineTool({
       workspace: workspace ?? loadedPolicy.constraints?.workspace
     });
     let installedVersions = /* @__PURE__ */ new Map();
-    try {
-      const [cmd, ...args] = listCommand;
-      const listResult = await execa3(cmd, args, {
-        cwd,
-        stdio: "pipe",
-        reject: false
-      });
-      installedVersions = parseListOutput(pm, listResult.stdout || "");
-    } catch {
+    if (pm === "deno") {
+      installedVersions = resolveDenoInventory(cwd);
+    } else {
+      try {
+        const [cmd, ...args] = listCommand;
+        if (cmd) {
+          const listResult = await execa3(cmd, args, {
+            cwd,
+            stdio: "pipe",
+            reject: false
+          });
+          installedVersions = parseListOutput(pm, listResult.stdout || "");
+        }
+      } catch {
+      }
     }
     const packages = [];
     for (const [name, version] of installedVersions.entries()) {
@@ -1016,14 +1134,14 @@ function getIntelligenceSourceConfig() {
 }
 
 // src/platform/idempotency.ts
-import { existsSync as existsSync6, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
-import { join as join6 } from "path";
+import { existsSync as existsSync6, mkdirSync as mkdirSync2, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "fs";
+import { join as join7 } from "path";
 var DEFAULT_INDEX = {
   schemaVersion: "1.0",
   entries: {}
 };
 function indexFilePath(cwd) {
-  return join6(cwd, ".autoremediator", "state", "idempotency.json");
+  return join7(cwd, ".autoremediator", "state", "idempotency.json");
 }
 function entryKey(idempotencyKey, cveId) {
   return `${idempotencyKey}::${cveId.toUpperCase()}`;
@@ -1032,7 +1150,7 @@ function loadIndex(cwd) {
   const filePath = indexFilePath(cwd);
   if (!existsSync6(filePath)) return DEFAULT_INDEX;
   try {
-    const parsed = JSON.parse(readFileSync4(filePath, "utf8"));
+    const parsed = JSON.parse(readFileSync5(filePath, "utf8"));
     if (parsed && parsed.schemaVersion === "1.0" && parsed.entries) {
       return parsed;
     }
@@ -1043,7 +1161,7 @@ function loadIndex(cwd) {
 }
 function saveIndex(cwd, index) {
   const filePath = indexFilePath(cwd);
-  mkdirSync2(join6(cwd, ".autoremediator", "state"), { recursive: true });
+  mkdirSync2(join7(cwd, ".autoremediator", "state"), { recursive: true });
   writeFileSync2(filePath, JSON.stringify(index, null, 2) + "\n", "utf8");
 }
 function readIdempotentReport(cwd, idempotencyKey, cveId) {
@@ -1331,8 +1449,8 @@ async function enrichWithNvd(details) {
 
 // src/remediation/tools/check-reachability.ts
 import { z as z2 } from "zod";
-import { readdirSync, readFileSync as readFileSync5, statSync } from "fs";
-import { join as join7, extname } from "path";
+import { readdirSync, readFileSync as readFileSync6, statSync } from "fs";
+import { join as join8, extname } from "path";
 var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
 var SKIP_DIRS = /* @__PURE__ */ new Set(["node_modules", "dist", "build", "out", ".git", "coverage", ".cache"]);
 var MAX_FILES = 500;
@@ -1346,7 +1464,7 @@ function collectSourceFiles(dir, files = []) {
   }
   for (const entry of entries) {
     if (files.length >= MAX_FILES) break;
-    const full = join7(dir, entry);
+    const full = join8(dir, entry);
     let stat2;
     try {
       stat2 = statSync(full);
@@ -1379,7 +1497,7 @@ function assessPackageReachability(cwd, packageName) {
   for (const filePath of files) {
     let content;
     try {
-      content = readFileSync5(filePath, "utf8");
+      content = readFileSync6(filePath, "utf8");
     } catch {
       continue;
     }
@@ -1535,8 +1653,8 @@ function buildSbom(packages, vulnerableNames, results) {
 }
 
 // src/intelligence/sources/registry.ts
-import { readFileSync as readFileSync6 } from "fs";
-import { join as join8 } from "path";
+import { readFileSync as readFileSync7 } from "fs";
+import { join as join9 } from "path";
 import { execa as execa4 } from "execa";
 import semver from "semver";
 var NPM_REGISTRY = "https://registry.npmjs.org";
@@ -1705,7 +1823,7 @@ async function queryOutdatedPackages(cwd, options = {}) {
   }
   let directDeps;
   try {
-    const pkgRaw = JSON.parse(readFileSync6(join8(cwd, "package.json"), "utf8"));
+    const pkgRaw = JSON.parse(readFileSync7(join9(cwd, "package.json"), "utf8"));
     directDeps = /* @__PURE__ */ new Set([
       ...Object.keys(pkgRaw.dependencies ?? {}),
       ...Object.keys(pkgRaw.devDependencies ?? {})
@@ -1735,22 +1853,22 @@ async function queryOutdatedPackages(cwd, options = {}) {
 
 // src/remediation/tools/apply-version-bump.ts
 import { z as z4 } from "zod";
-import { join as join10 } from "path";
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync3 } from "fs";
+import { join as join11 } from "path";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync3 } from "fs";
 import { execa as execa5 } from "execa";
 import semver2 from "semver";
 
 // src/platform/repo-lock.ts
 import { mkdir, rm } from "fs/promises";
-import { join as join9 } from "path";
+import { join as join10 } from "path";
 async function sleep(ms) {
   await new Promise((resolve2) => setTimeout(resolve2, ms));
 }
 async function acquireRepoLock(cwd, options = {}) {
   const timeoutMs = options.timeoutMs ?? 15e3;
   const retryDelayMs = options.retryDelayMs ?? 125;
-  const lockRoot = join9(cwd, ".autoremediator", "locks");
-  const lockPath = join9(cwd, ".autoremediator", "locks", "remediation.lock");
+  const lockRoot = join10(cwd, ".autoremediator", "locks");
+  const lockPath = join10(cwd, ".autoremediator", "locks", "remediation.lock");
   const startedAt = Date.now();
   await mkdir(lockRoot, { recursive: true });
   while (true) {
@@ -1784,7 +1902,7 @@ var applyVersionBumpTool = defineTool({
   description: "Update package.json to use the safe version of a vulnerable package and run the project's package manager install. In dry-run mode, only reports what would change.",
   parameters: z4.object({
     cwd: z4.string().describe("Absolute path to the consumer project root"),
-    packageManager: z4.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageManager: z4.enum(["npm", "pnpm", "yarn", "bun", "deno"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
     packageName: z4.string().describe("The npm package to upgrade"),
     fromVersion: z4.string().describe("The currently installed vulnerable version"),
     toVersion: z4.string().describe("The safe target version to upgrade to"),
@@ -1811,7 +1929,7 @@ var applyVersionBumpTool = defineTool({
     workspace
   }) => {
     const pm = packageManager ?? detectPackageManager(cwd);
-    const pkgPath = join10(cwd, "package.json");
+    const pkgPath = join11(cwd, "package.json");
     const loadedPolicy = loadPolicy(cwd, policy);
     const commandConstraints = {
       ...loadedPolicy.constraints,
@@ -1851,7 +1969,7 @@ var applyVersionBumpTool = defineTool({
     }
     let pkgJson;
     try {
-      pkgJson = JSON.parse(readFileSync7(pkgPath, "utf8"));
+      pkgJson = JSON.parse(readFileSync8(pkgPath, "utf8"));
     } catch {
       return {
         packageName,
@@ -1975,8 +2093,8 @@ var applyVersionBumpTool = defineTool({
 
 // src/remediation/tools/apply-package-override/index.ts
 import { z as z5 } from "zod";
-import { join as join11 } from "path";
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync4 } from "fs";
+import { join as join12 } from "path";
+import { existsSync as existsSync7, readFileSync as readFileSync9, writeFileSync as writeFileSync4 } from "fs";
 import { execa as execa7 } from "execa";
 import semver3 from "semver";
 
@@ -1985,6 +2103,7 @@ import { execa as execa6 } from "execa";
 async function collectDependencyTrace(cwd, pm, packageName, constraints) {
   try {
     const whyCommand = resolveWhyCommand(pm, packageName, constraints);
+    if (whyCommand.length === 0) return void 0;
     const [whyCmd, ...whyArgs] = whyCommand;
     const result = await execa6(whyCmd, whyArgs, {
       cwd,
@@ -1999,17 +2118,20 @@ async function collectDependencyTrace(cwd, pm, packageName, constraints) {
   }
 }
 function describeOverrideField(packageManager) {
-  if (packageManager === "npm") return "overrides";
+  if (packageManager === "npm" || packageManager === "bun") return "overrides";
   if (packageManager === "pnpm") return "pnpm.overrides";
+  if (packageManager === "deno") return "overrides";
   return "resolutions";
 }
 function getOverrideValue(pkgJson, packageManager, packageName) {
-  if (packageManager === "npm") return pkgJson.overrides?.[packageName];
+  if (packageManager === "npm" || packageManager === "bun" || packageManager === "deno") {
+    return pkgJson.overrides?.[packageName];
+  }
   if (packageManager === "pnpm") return pkgJson.pnpm?.overrides?.[packageName];
   return pkgJson.resolutions?.[packageName];
 }
 function setOverrideValue(pkgJson, packageManager, packageName, version) {
-  if (packageManager === "npm") {
+  if (packageManager === "npm" || packageManager === "bun" || packageManager === "deno") {
     pkgJson.overrides = { ...pkgJson.overrides ?? {}, [packageName]: version };
     return;
   }
@@ -2026,7 +2148,7 @@ function setOverrideValue(pkgJson, packageManager, packageName, version) {
   pkgJson.resolutions = { ...pkgJson.resolutions ?? {}, [packageName]: version };
 }
 function restoreOverrideValue(pkgJson, packageManager, packageName, previousValue) {
-  if (packageManager === "npm") {
+  if (packageManager === "npm" || packageManager === "bun" || packageManager === "deno") {
     pkgJson.overrides = restoreRecord(pkgJson.overrides, packageName, previousValue);
     return;
   }
@@ -2045,6 +2167,34 @@ function restoreOverrideValue(pkgJson, packageManager, packageName, previousValu
   }
   pkgJson.resolutions = restoreRecord(pkgJson.resolutions, packageName, previousValue);
 }
+function getDenoJsonImportValue(denoJson, packageName) {
+  const imports = denoJson.imports ?? {};
+  if (imports[packageName] !== void 0) {
+    return { key: packageName, value: imports[packageName] };
+  }
+  const npmKey = `npm:${packageName}`;
+  if (imports[npmKey] !== void 0) {
+    return { key: npmKey, value: imports[npmKey] };
+  }
+  return void 0;
+}
+function setDenoJsonImportValue(denoJson, packageName, version) {
+  const existing = getDenoJsonImportValue(denoJson, packageName);
+  const key = existing?.key ?? `npm:${packageName}`;
+  denoJson.imports = { ...denoJson.imports ?? {}, [key]: `npm:${packageName}@${version}` };
+}
+function restoreDenoJsonImportValue(denoJson, packageName, previousEntry) {
+  const existing = getDenoJsonImportValue(denoJson, packageName);
+  if (!existing) return;
+  const imports = { ...denoJson.imports ?? {} };
+  if (previousEntry === void 0) {
+    delete imports[existing.key];
+  } else {
+    delete imports[existing.key];
+    imports[previousEntry.key] = previousEntry.value;
+  }
+  denoJson.imports = Object.keys(imports).length > 0 ? imports : void 0;
+}
 function restoreRecord(record, key, previousValue) {
   const nextRecord = { ...record ?? {} };
   if (previousValue === void 0) {
@@ -2057,10 +2207,10 @@ function restoreRecord(record, key, previousValue) {
 
 // src/remediation/tools/apply-package-override/index.ts
 var applyPackageOverrideTool = defineTool({
-  description: "Apply a package-manager-native package.json override for a vulnerable transitive dependency and reinstall. Uses npm overrides, pnpm.overrides, or yarn resolutions.",
+  description: "Apply a package-manager-native package.json override for a vulnerable transitive dependency and reinstall. Uses npm overrides, pnpm.overrides, yarn resolutions, bun overrides, or deno.json imports.",
   parameters: z5.object({
     cwd: z5.string().describe("Absolute path to the consumer project root"),
-    packageManager: z5.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageManager: z5.enum(["npm", "pnpm", "yarn", "bun", "deno"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
     packageName: z5.string().describe("The npm package to override"),
     selector: z5.string().optional().describe("Optional manager-native override selector key (for nested or scoped overrides)"),
     fromVersion: z5.string().describe("The currently installed vulnerable version"),
@@ -2089,7 +2239,9 @@ var applyPackageOverrideTool = defineTool({
     workspace
   }) => {
     const pm = packageManager ?? detectPackageManager(cwd);
-    const pkgPath = join11(cwd, "package.json");
+    const pkgPath = join12(cwd, "package.json");
+    const denoJsonPath = join12(cwd, "deno.json");
+    const isDenoNative = pm === "deno" && !existsSync7(pkgPath);
     const loadedPolicy = loadPolicy(cwd, policy);
     const commandConstraints = {
       ...loadedPolicy.constraints,
@@ -2128,9 +2280,108 @@ var applyPackageOverrideTool = defineTool({
         message: `Policy blocked major override for "${packageName}" (${fromVersion} -> ${toVersion}).`
       };
     }
+    if (isDenoNative) {
+      let denoJson;
+      try {
+        denoJson = JSON.parse(readFileSync9(denoJsonPath, "utf8"));
+      } catch {
+        return {
+          packageName,
+          strategy: "none",
+          fromVersion,
+          toVersion,
+          applied: false,
+          dryRun,
+          unresolvedReason: "package-json-not-found",
+          message: `Could not read deno.json at "${denoJsonPath}".`
+        };
+      }
+      const existingEntry = getDenoJsonImportValue(denoJson, overrideSelector);
+      if (!existingEntry) {
+        return {
+          packageName,
+          strategy: "none",
+          fromVersion,
+          toVersion,
+          applied: false,
+          dryRun,
+          unresolvedReason: "transitive-override-unsupported-deno-native",
+          message: `Cannot apply transitive override for "${overrideSelector}" in a native Deno project (no package.json). Only direct dependencies declared in deno.json imports can be overridden.`
+        };
+      }
+      const dependencyTrace2 = await collectDependencyTrace(cwd, pm, packageName, commandConstraints);
+      const dependencyTraceSuffix2 = dependencyTrace2 ? ` Dependency trace: ${dependencyTrace2}` : "";
+      if (dryRun) {
+        return {
+          packageName,
+          strategy: "override",
+          fromVersion,
+          toVersion,
+          applied: false,
+          dryRun: true,
+          message: `[DRY RUN] Would update deno.json imports["${existingEntry.key}"] to "npm:${overrideSelector}@${toVersion}", then run ${installCommand.join(" ")}.${dependencyTraceSuffix2}`
+        };
+      }
+      return withRepoLock(cwd, async () => {
+        setDenoJsonImportValue(denoJson, overrideSelector, toVersion);
+        writeFileSync4(denoJsonPath, JSON.stringify(denoJson, null, 2) + "\n", "utf8");
+        try {
+          const [installCmd, ...installArgs] = installCommand;
+          await execa7(installCmd, installArgs, { cwd, stdio: "pipe" });
+        } catch (err) {
+          restoreDenoJsonImportValue(denoJson, overrideSelector, existingEntry);
+          writeFileSync4(denoJsonPath, JSON.stringify(denoJson, null, 2) + "\n", "utf8");
+          const message = err instanceof Error ? err.message : String(err);
+          return {
+            packageName,
+            strategy: "override",
+            fromVersion,
+            toVersion,
+            applied: false,
+            dryRun: false,
+            unresolvedReason: "override-apply-failed",
+            message: `${installCommand.join(" ")} failed after updating deno.json imports for "${overrideSelector}" to ${toVersion}. Reverted. Error: ${message}${dependencyTraceSuffix2}`
+          };
+        }
+        if (runTests) {
+          try {
+            const [testCmd, ...testArgs] = testCommand;
+            await execa7(testCmd, testArgs, { cwd, stdio: "pipe" });
+          } catch (err) {
+            restoreDenoJsonImportValue(denoJson, overrideSelector, existingEntry);
+            writeFileSync4(denoJsonPath, JSON.stringify(denoJson, null, 2) + "\n", "utf8");
+            try {
+              const [rollbackCmd, ...rollbackArgs] = installCommand;
+              await execa7(rollbackCmd, rollbackArgs, { cwd, stdio: "pipe" });
+            } catch {
+            }
+            const message = err instanceof Error ? err.message : String(err);
+            return {
+              packageName,
+              strategy: "override",
+              fromVersion,
+              toVersion,
+              applied: false,
+              dryRun: false,
+              unresolvedReason: "validation-failed",
+              message: `${testCommand.join(" ")} failed after updating deno.json imports for "${overrideSelector}" to ${toVersion}. Reverted. Error: ${message}${dependencyTraceSuffix2}`
+            };
+          }
+        }
+        return {
+          packageName,
+          strategy: "override",
+          fromVersion,
+          toVersion,
+          applied: true,
+          dryRun: false,
+          message: `Successfully updated deno.json imports["${existingEntry.key}"] for "${overrideSelector}" from ${fromVersion} to ${toVersion}, then ran ${installCommand.join(" ")}${runTests ? ` and passed ${testCommand.join(" ")}` : ""}.${dependencyTraceSuffix2}`
+        };
+      });
+    }
     let pkgJson;
     try {
-      pkgJson = JSON.parse(readFileSync8(pkgPath, "utf8"));
+      pkgJson = JSON.parse(readFileSync9(pkgPath, "utf8"));
     } catch {
       return {
         packageName,
@@ -2205,12 +2456,14 @@ var applyPackageOverrideTool = defineTool({
         }
       }
       let dedupeNote = "";
-      try {
-        const [dedupeCmd, ...dedupeArgs] = dedupeCommand;
-        await execa7(dedupeCmd, dedupeArgs, { cwd, stdio: "pipe" });
-      } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        dedupeNote = ` Dedupe warning: ${dedupeCommand.join(" ")} failed (${message}).`;
+      if (dedupeCommand.length > 0) {
+        try {
+          const [dedupeCmd, ...dedupeArgs] = dedupeCommand;
+          await execa7(dedupeCmd, dedupeArgs, { cwd, stdio: "pipe" });
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          dedupeNote = ` Dedupe warning: ${dedupeCommand.join(" ")} failed (${message}).`;
+        }
       }
       return {
         packageName,
@@ -2369,7 +2622,7 @@ async function resolvePrimaryResult(params) {
 // src/remediation/tools/fetch-package-source.ts
 import { z as z6 } from "zod";
 import { mkdir as mkdir2, readdir as readdir2, readFile as readFile3, rm as rm2 } from "fs/promises";
-import { join as join12 } from "path";
+import { join as join13 } from "path";
 import { execa as execa8 } from "execa";
 var fetchPackageSourceTool = defineTool({
   description: "Download package tarball from npm and extract source files for CVE analysis. Supports custom file patterns (default: *.js, *.ts).",
@@ -2386,23 +2639,23 @@ var fetchPackageSourceTool = defineTool({
     filePatterns
   }) => {
     const tempBaseDir = `/tmp/autoremediator-pkg-${Date.now()}`;
-    const extractDir = join12(tempBaseDir, "out");
+    const extractDir = join13(tempBaseDir, "out");
     try {
       const npmUrl = `https://registry.npmjs.org/${packageName}/-/${packageName.split("/").pop()}-${version}.tgz`;
       await mkdir2(tempBaseDir, { recursive: true });
-      const tarballPath = join12(tempBaseDir, "package.tgz");
+      const tarballPath = join13(tempBaseDir, "package.tgz");
       await execa8("curl", ["-L", "-o", tarballPath, npmUrl]);
       await mkdir2(extractDir, { recursive: true });
       await execa8("tar", ["-xzf", tarballPath, "-C", extractDir]);
       const extractedContents = await readdir2(extractDir);
-      const packageRootDir = extractedContents.includes("package") ? join12(extractDir, "package") : extractDir;
+      const packageRootDir = extractedContents.includes("package") ? join13(extractDir, "package") : extractDir;
       const sourceCode = {};
       async function walkDir(dir, relativeBase) {
         try {
           const files = await readdir2(dir, { withFileTypes: true });
           for (const file of files) {
-            const fullPath = join12(dir, file.name);
-            const relPath = join12(relativeBase, file.name);
+            const fullPath = join13(dir, file.name);
+            const relPath = join13(relativeBase, file.name);
             if (file.isDirectory()) {
               if (![
                 "node_modules",
@@ -2774,24 +3027,23 @@ var generatePatchTool = defineTool({
 // src/remediation/tools/apply-patch-file/index.ts
 import { z as z8 } from "zod";
 import { mkdir as mkdir3, writeFile as writeFile2 } from "fs/promises";
-import { join as join14 } from "path";
+import { join as join15 } from "path";
 import { execa as execa10 } from "execa";
 
 // src/remediation/tools/apply-patch-file/helpers.ts
-import { existsSync as existsSync7 } from "fs";
+import { existsSync as existsSync8 } from "fs";
 import { mkdtemp, readFile as readFile4, rm as rm3, writeFile } from "fs/promises";
 import { createHash } from "crypto";
 import { tmpdir } from "os";
-import { join as join13 } from "path";
+import { join as join14 } from "path";
 import { execa as execa9 } from "execa";
 async function resolvePatchMode(packageManager, cwd) {
-  if (packageManager === "npm") return "patch-package";
+  if (packageManager === "npm" || packageManager === "bun" || packageManager === "deno") return "patch-package";
   if (packageManager === "pnpm") return "native-pnpm";
   const major = await getYarnMajorVersion(cwd);
   return major >= 2 ? "native-yarn" : "patch-package";
 }
 function patchModeRequiresPackageJsonSnapshot(packageManager) {
-  if (packageManager === "npm") return true;
   if (packageManager === "pnpm") return false;
   return true;
 }
@@ -2817,7 +3069,7 @@ async function writePatchManifest(manifestFilePath, artifact) {
   await writeFile(manifestFilePath, JSON.stringify(artifact, null, 2) + "\n", "utf8");
 }
 async function configurePatchPackagePostinstall(cwd, packageManager) {
-  const pkgJsonPath = join13(cwd, "package.json");
+  const pkgJsonPath = join14(cwd, "package.json");
   let pkgJson;
   try {
     pkgJson = JSON.parse(await readFile4(pkgJsonPath, "utf8"));
@@ -2857,7 +3109,7 @@ async function configurePatchPackagePostinstall(cwd, packageManager) {
   return { success: true };
 }
 async function capturePackageJsonSnapshot(cwd) {
-  const path = join13(cwd, "package.json");
+  const path = join14(cwd, "package.json");
   try {
     const content = await readFile4(path, "utf8");
     return { path, content };
@@ -2927,8 +3179,8 @@ ${createResult.stderr}`);
       error: `Could not determine native patch directory for ${packageSpec}.`
     };
   }
-  const tempPatchDir = await mkdtemp(join13(tmpdir(), "autoremediator-native-patch-"));
-  const tempPatchFile = join13(tempPatchDir, "change.patch");
+  const tempPatchDir = await mkdtemp(join14(tmpdir(), "autoremediator-native-patch-"));
+  const tempPatchFile = join14(tempPatchDir, "change.patch");
   try {
     await writeFile(tempPatchFile, patchContent, "utf8");
     await execa9("patch", ["-p1", "-i", tempPatchFile], {
@@ -2959,12 +3211,12 @@ ${createResult.stderr}`);
 function extractPatchDirectory(output) {
   const lines = output.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
   for (const line of lines) {
-    if (existsSync7(line)) {
+    if (existsSync8(line)) {
       return line;
     }
     const tokens = line.split(/\s+/).map((token) => token.replace(/^['"]|['"]$/g, ""));
     for (const token of tokens) {
-      if (token.startsWith("/") && existsSync7(token)) {
+      if (token.startsWith("/") && existsSync8(token)) {
         return token;
       }
     }
@@ -3030,7 +3282,7 @@ var applyPatchFileTool = defineTool({
     ).optional().describe("Patch list from generate-patch; first patch is applied"),
     patchesDir: z8.string().optional().default("./patches").describe("Directory to store patch files"),
     cwd: z8.string().describe("Project root directory (for package.json)"),
-    packageManager: z8.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageManager: z8.enum(["npm", "pnpm", "yarn", "bun", "deno"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
     policy: z8.string().optional().describe("Optional path to .autoremediator policy file"),
     installMode: z8.enum(["standard", "prefer-offline", "deterministic"]).optional(),
     installPreferOffline: z8.boolean().optional(),
@@ -3108,7 +3360,7 @@ var applyPatchFileTool = defineTool({
         };
       }
       const patchFileName = buildPatchFileName(packageName, vulnerableVersion);
-      const patchFilePath = join14(cwd, patchesDir, patchFileName);
+      const patchFilePath = join15(cwd, patchesDir, patchFileName);
       const manifestFilePath = `${patchFilePath}.json`;
       const generatedAt = (/* @__PURE__ */ new Date()).toISOString();
       const baseArtifact = {
@@ -3147,7 +3399,7 @@ var applyPatchFileTool = defineTool({
       }
       return withRepoLock(cwd, async () => {
         const packageJsonSnapshot = patchModeRequiresPackageJsonSnapshot(pm) ? await capturePackageJsonSnapshot(cwd) : void 0;
-        const patchesDirPath = join14(cwd, patchesDir);
+        const patchesDirPath = join15(cwd, patchesDir);
         await mkdir3(patchesDirPath, { recursive: true });
         await writeFile2(patchFilePath, selectedPatch, "utf8");
         validationPhases.push({
@@ -4107,8 +4359,8 @@ function accumulateStepResults(params) {
 }
 
 // src/remediation/orchestration-prompt.ts
-import { existsSync as existsSync8, readFileSync as readFileSync9 } from "fs";
-import { join as join15 } from "path";
+import { existsSync as existsSync9, readFileSync as readFileSync10 } from "fs";
+import { join as join16 } from "path";
 function buildProviderAddendum(provider, personality = "balanced") {
   const personalityDirective = personality === "analytical" ? "Use concise, explicit rationale for tool decisions and unresolved outcomes." : personality === "pragmatic" ? "Prefer the smallest safe remediation path while preserving policy and validation gates." : "Balance concise execution with brief rationale for risky or unresolved outcomes.";
   const providerDirective = provider === "remote" ? "Use strict structured output and deterministic reporting fields." : "Use deterministic-first behavior and only rely on remote model fallback when required by patch generation.";
@@ -4119,8 +4371,8 @@ Provider profile:
 - ${personalityDirective}`;
 }
 function loadOrchestrationPrompt(ctx) {
-  const promptPath = join15(process.cwd(), ".github", "instructions", "orchestration.instructions.md");
-  if (!existsSync8(promptPath)) {
+  const promptPath = join16(process.cwd(), ".github", "instructions", "orchestration.instructions.md");
+  if (!existsSync9(promptPath)) {
     return `You are autoremediator, an agentic security remediation system for Node.js package dependencies.
 Working directory: ${ctx.cwd}
   Package manager: ${ctx.packageManager}
@@ -4146,7 +4398,7 @@ Fallback sequence (when neither version bump nor override can be applied):
 
 Always respect dryRun and policy constraints.`;
   }
-  const template = readFileSync9(promptPath, "utf8");
+  const template = readFileSync10(promptPath, "utf8");
   return template.replaceAll("{{cveId}}", ctx.cveId).replaceAll("{{cwd}}", ctx.cwd).replaceAll("{{packageManager}}", ctx.packageManager).replaceAll("{{dryRun}}", String(ctx.dryRun)).replaceAll("{{runTests}}", String(ctx.runTests)).replaceAll("{{policy}}", ctx.policy || "undefined").replaceAll("{{patchesDir}}", ctx.patchesDir).replaceAll("{{directDependenciesOnly}}", String(ctx.constraints.directDependenciesOnly ?? false)).replaceAll("{{preferVersionBump}}", String(ctx.constraints.preferVersionBump ?? false)) + buildProviderAddendum(ctx.llmProvider, ctx.modelPersonality);
 }
 
@@ -5050,7 +5302,7 @@ function resolveConstraints(options, cwd) {
 
 // src/platform/evidence.ts
 import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync5 } from "fs";
-import { join as join16 } from "path";
+import { join as join17 } from "path";
 function createEvidenceLog(cwd, cveIds, context = {}) {
   return {
     runId: `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
@@ -5081,9 +5333,9 @@ function finalizeEvidence(log) {
   return log;
 }
 function writeEvidenceLog(cwd, log) {
-  const dir = join16(cwd, ".autoremediator", "evidence");
+  const dir = join17(cwd, ".autoremediator", "evidence");
   mkdirSync3(dir, { recursive: true });
-  const filePath = join16(dir, `${log.runId}.json`);
+  const filePath = join17(dir, `${log.runId}.json`);
   writeFileSync5(filePath, JSON.stringify(log, null, 2) + "\n", "utf8");
   return filePath;
 }
@@ -5652,11 +5904,11 @@ async function planRemediation(cveId, options = {}) {
 
 // src/scanner/parse-input.ts
 import { extname as extname2 } from "path";
-import { readFileSync as readFileSync13 } from "fs";
+import { readFileSync as readFileSync14 } from "fs";
 import { execa as execa12 } from "execa";
 
 // src/scanner/adapters/npm-audit.ts
-import { readFileSync as readFileSync10 } from "fs";
+import { readFileSync as readFileSync11 } from "fs";
 var CVE_REGEX = /CVE-\d{4}-\d+/gi;
 function normalizeSeverity(raw) {
   if (!raw) return "UNKNOWN";
@@ -5690,12 +5942,12 @@ function parseNpmAuditJsonFromString(content) {
   return findings;
 }
 function parseNpmAuditJsonFile(filePath) {
-  const content = readFileSync10(filePath, "utf8");
+  const content = readFileSync11(filePath, "utf8");
   return parseNpmAuditJsonFromString(content);
 }
 
 // src/scanner/adapters/yarn-audit.ts
-import { readFileSync as readFileSync11 } from "fs";
+import { readFileSync as readFileSync12 } from "fs";
 var CVE_REGEX2 = /CVE-\d{4}-\d+/gi;
 function normalizeSeverity2(raw) {
   if (!raw) return "UNKNOWN";
@@ -5738,12 +5990,12 @@ function parseYarnAuditJsonFromString(content) {
   return findings;
 }
 function parseYarnAuditJsonFile(filePath) {
-  const content = readFileSync11(filePath, "utf8");
+  const content = readFileSync12(filePath, "utf8");
   return parseYarnAuditJsonFromString(content);
 }
 
 // src/scanner/adapters/sarif.ts
-import { readFileSync as readFileSync12 } from "fs";
+import { readFileSync as readFileSync13 } from "fs";
 var CVE_REGEX3 = /CVE-\d{4}-\d+/gi;
 function extractPackageName(result) {
   const pkg = result.properties?.["packageName"];
@@ -5775,7 +6027,7 @@ function parseSarifFromString(content) {
   return findings;
 }
 function parseSarifFile(filePath) {
-  const content = readFileSync12(filePath, "utf8");
+  const content = readFileSync13(filePath, "utf8");
   return parseSarifFromString(content);
 }
 
@@ -5826,10 +6078,21 @@ async function parseScanInputFromAudit(params) {
   }
 }
 function defaultAuditFormat(pm) {
-  return pm === "yarn" ? "yarn-audit" : "npm-audit";
+  if (pm === "yarn") return "yarn-audit";
+  if (pm === "deno") {
+    throw new Error(
+      "Deno does not support a native audit command. Use --input with a SARIF or npm-audit scan file instead."
+    );
+  }
+  return "npm-audit";
 }
 function ensureAuditFormatCompatibility(pm, resolved) {
   if (resolved === "sarif") return;
+  if (pm === "deno") {
+    throw new Error(
+      "Deno does not support a native audit command. Use --input with a SARIF or npm-audit scan file instead."
+    );
+  }
   if (pm === "yarn" && resolved !== "yarn-audit") {
     throw new Error('Format "npm-audit" is not supported with package manager "yarn" in --audit mode. Use --format yarn-audit or --format auto.');
   }
@@ -5841,7 +6104,7 @@ function inferFormat(filePath) {
   const ext = extname2(filePath).toLowerCase();
   if (ext === ".sarif") return "sarif";
   try {
-    const content = readFileSync13(filePath, "utf8");
+    const content = readFileSync14(filePath, "utf8");
     const firstLine = content.split("\n").find((line) => line.trim().startsWith("{"));
     if (firstLine) {
       const parsed = JSON.parse(firstLine);
@@ -6239,14 +6502,14 @@ async function remediatePortfolio(targets, options = {}) {
 }
 
 // src/api/update-outdated/index.ts
-import { join as join17 } from "path";
-import { readFileSync as readFileSync14, writeFileSync as writeFileSync6 } from "fs";
+import { join as join18 } from "path";
+import { readFileSync as readFileSync15, writeFileSync as writeFileSync6 } from "fs";
 import { execa as execa13 } from "execa";
 async function applyBump(params) {
-  const pkgPath = join17(params.cwd, "package.json");
+  const pkgPath = join18(params.cwd, "package.json");
   let pkgJson;
   try {
-    pkgJson = JSON.parse(readFileSync14(pkgPath, "utf8"));
+    pkgJson = JSON.parse(readFileSync15(pkgPath, "utf8"));
   } catch {
     return {
       applied: false,
@@ -6547,9 +6810,9 @@ function toSarifOutput(report) {
 }
 
 // src/version.ts
-import { readFileSync as readFileSync15 } from "fs";
+import { readFileSync as readFileSync16 } from "fs";
 function readPackageVersion() {
-  const raw = readFileSync15(new URL("../package.json", import.meta.url), "utf8");
+  const raw = readFileSync16(new URL("../package.json", import.meta.url), "utf8");
   const metadata = JSON.parse(raw);
   if (!metadata.version) {
     throw new Error("packages/core/package.json is missing a version field.");
@@ -6577,4 +6840,4 @@ export {
   updateOutdated,
   PACKAGE_VERSION
 };
-//# sourceMappingURL=chunk-4CVVRAQM.js.map
+//# sourceMappingURL=chunk-3NNNFJLV.js.map