npm - autoremediator - Versions diffs - 0.13.0 → 0.14.1 - Mend

autoremediator 0.13.0 → 0.14.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/{chunk-4CVVRAQM.js → chunk-IXCNMTOO.js} +456 -133
package/dist/cli.js +3 -4
package/dist/index.d.ts +5 -4
package/dist/index.js +454 -130
package/dist/index.js.map +1 -1
package/dist/mcp/server.js +3 -4
package/dist/openapi/server.js +4 -5
package/llms.txt +1 -1
package/package.json +1 -1
package/dist/chunk-4CVVRAQM.js.map +0 -1
package/dist/cli.js.map +0 -1
package/dist/mcp/server.js.map +0 -1
package/dist/openapi/server.js.map +0 -1

package/dist/{chunk-4CVVRAQM.js → chunk-IXCNMTOO.js} RENAMED Viewed

@@ -1,5 +1,5 @@
 // src/api/options-schema.ts
-var PACKAGE_MANAGER_VALUES = ["npm", "pnpm", "yarn"];
+var PACKAGE_MANAGER_VALUES = ["npm", "pnpm", "yarn", "bun", "deno"];
 var LLM_PROVIDER_VALUES = ["remote", "local"];
 var PROVENANCE_SOURCE_VALUES = ["cli", "sdk", "mcp", "openapi", "unknown"];
 var OPTION_DESCRIPTIONS = {
@@ -296,21 +296,26 @@ function createUpdateOutdatedOptionSchemaProperties() {
 // src/api/patches/inspection.ts
 import { existsSync as existsSync4 } from "fs";
 import { readdir, readFile as readFile2, stat } from "fs/promises";
-import { join as join3 } from "path";
+import { join as join4 } from "path";
 // src/remediation/strategies/patch-utils.ts
-import { existsSync as existsSync2, mkdirSync, writeFileSync, readFileSync } from "fs";
-import { join as join2 } from "path";
+import { existsSync as existsSync2, mkdirSync, writeFileSync, readFileSync as readFileSync2 } from "fs";
+import { join as join3 } from "path";
 import { execa as execa2 } from "execa";
 // src/platform/package-manager/index.ts
 import { existsSync } from "fs";
-import { join } from "path";
+import { join as join2 } from "path";
 import { execa } from "execa";
 // src/platform/package-manager/list-parser.ts
+import { readFileSync } from "fs";
+import { join } from "path";
 function parsePackageManagerListOutput(pm, stdout) {
   const versions = /* @__PURE__ */ new Map();
+  if (pm === "bun") {
+    return parseBunListOutput(stdout, versions);
+  }
   if (!stdout.trim()) return versions;
   if (pm === "yarn") {
     return parseYarnListOutput(stdout, versions);
@@ -360,6 +365,61 @@ function collectDependencyTree(tree, versions) {
     collectDependencyTree(entry.dependencies, versions);
   }
 }
+function parseBunListOutput(stdout, versions) {
+  const lines = stdout.split("\n").map((line) => line.replace(/^[\s│├└─]+/, "").trim()).filter(Boolean);
+  for (const line of lines) {
+    const at = line.lastIndexOf("@");
+    if (at <= 0) continue;
+    const name = line.slice(0, at);
+    const version = line.slice(at + 1);
+    if (name && version) {
+      versions.set(name, version);
+    }
+  }
+  return versions;
+}
+function resolveDenoInventory(cwd) {
+  const versions = /* @__PURE__ */ new Map();
+  let raw;
+  try {
+    raw = readFileSync(join(cwd, "deno.lock"), "utf8");
+  } catch {
+    return versions;
+  }
+  let lock;
+  try {
+    lock = JSON.parse(raw);
+  } catch {
+    return versions;
+  }
+  if (!lock || typeof lock !== "object") return versions;
+  const lockObj = lock;
+  const packages = lockObj["packages"];
+  if (packages && typeof packages === "object") {
+    const pkgsObj = packages;
+    const npmMap = pkgsObj["npm"];
+    if (npmMap && typeof npmMap === "object") {
+      for (const key of Object.keys(npmMap)) {
+        extractNameVersion(key, versions);
+      }
+      return versions;
+    }
+    for (const key of Object.keys(pkgsObj)) {
+      const stripped = key.startsWith("npm:") ? key.slice(4) : key;
+      extractNameVersion(stripped, versions);
+    }
+  }
+  return versions;
+}
+function extractNameVersion(spec, versions) {
+  const at = spec.lastIndexOf("@");
+  if (at <= 0) return;
+  const name = spec.slice(0, at);
+  const version = spec.slice(at + 1);
+  if (name && version) {
+    versions.set(name, version);
+  }
+}
 // src/platform/package-manager/index.ts
 async function getYarnMajorVersion(cwd) {
@@ -372,8 +432,10 @@ async function getYarnMajorVersion(cwd) {
   }
 }
 function detectPackageManager(cwd) {
-  if (existsSync(join(cwd, "pnpm-lock.yaml"))) return "pnpm";
-  if (existsSync(join(cwd, "yarn.lock"))) return "yarn";
+  if (existsSync(join2(cwd, "pnpm-lock.yaml"))) return "pnpm";
+  if (existsSync(join2(cwd, "yarn.lock"))) return "yarn";
+  if (existsSync(join2(cwd, "bun.lockb")) || existsSync(join2(cwd, "bun.lock"))) return "bun";
+  if (existsSync(join2(cwd, "deno.lock"))) return "deno";
   return "npm";
 }
 function withWorkspace(command, pm, workspace) {
@@ -390,6 +452,20 @@ function resolveInstallCommand(pm, constraints, yarnMajor) {
   const installMode = constraints?.installMode ?? "deterministic";
   const preferOfflineOverride = constraints?.installPreferOffline;
   const frozenOverride = constraints?.enforceFrozenLockfile;
+  if (pm === "bun") {
+    const frozen = frozenOverride ?? installMode === "deterministic";
+    const command2 = ["bun", "install"];
+    if (frozen) command2.push("--frozen-lockfile");
+    return withWorkspace(command2, pm, constraints?.workspace);
+  }
+  if (pm === "deno") {
+    const frozen = frozenOverride ?? installMode === "deterministic";
+    const preferOffline = preferOfflineOverride ?? installMode === "prefer-offline";
+    const command2 = ["deno", "install"];
+    if (frozen) command2.push("--frozen");
+    if (preferOffline && !frozen) command2.push("--cache-only");
+    return withWorkspace(command2, pm, constraints?.workspace);
+  }
   const includePreferOffline = pm !== "yarn" && (preferOfflineOverride ?? installMode !== "standard");
   let includeFrozenLockfile = pm !== "npm" && (frozenOverride ?? installMode === "deterministic");
   if (frozenOverride === false) {
@@ -410,22 +486,36 @@ function resolveInstallCommand(pm, constraints, yarnMajor) {
   return withWorkspace(command, pm, constraints?.workspace);
 }
 function resolveListCommand(pm, constraints) {
-  const base = pm === "pnpm" ? ["pnpm", "list", "--json", "--depth", "99"] : pm === "yarn" ? ["yarn", "list", "--json"] : ["npm", "list", "--json", "--all"];
+  if (pm === "deno") {
+    return [];
+  }
+  const base = pm === "pnpm" ? ["pnpm", "list", "--json", "--depth", "99"] : pm === "yarn" ? ["yarn", "list", "--json"] : pm === "bun" ? ["bun", "pm", "ls", "--all"] : ["npm", "list", "--json", "--all"];
   return withWorkspace(base, pm, constraints?.workspace);
 }
 function resolveTestCommand(pm, constraints) {
-  const base = pm === "pnpm" ? ["pnpm", "test"] : pm === "yarn" ? ["yarn", "test"] : ["npm", "test"];
+  const base = pm === "pnpm" ? ["pnpm", "test"] : pm === "yarn" ? ["yarn", "test"] : pm === "bun" ? ["bun", "test"] : pm === "deno" ? ["deno", "test"] : ["npm", "test"];
   return withWorkspace(base, pm, constraints?.workspace);
 }
 function resolveAuditCommand(pm, constraints) {
+  if (pm === "deno") {
+    throw new Error(
+      "Deno does not support a native audit command. Use --input with a SARIF or npm-audit scan file instead."
+    );
+  }
   const base = pm === "yarn" ? ["yarn", "audit", "--json"] : [pm, "audit", "--json"];
   return withWorkspace(base, pm, constraints?.workspace);
 }
 function resolveWhyCommand(pm, packageName, constraints) {
+  if (pm === "deno") return [];
+  if (pm === "bun") {
+    const base2 = ["bun", "pm", "why", packageName];
+    return withWorkspace(base2, pm, constraints?.workspace);
+  }
   const base = pm === "npm" ? ["npm", "explain", packageName] : [pm, "why", packageName];
   return withWorkspace(base, pm, constraints?.workspace);
 }
 function resolveDedupeCommand(pm, constraints) {
+  if (pm === "bun" || pm === "deno") return [];
   const base = [pm, "dedupe"];
   return withWorkspace(base, pm, constraints?.workspace);
 }
@@ -452,6 +542,28 @@ function getPackageManagerCommands(pm) {
       lockfileName: "yarn.lock"
     };
   }
+  if (pm === "bun") {
+    return {
+      install: ["bun", "install"],
+      installPreferOffline: ["bun", "install"],
+      installDeterministic: resolveInstallCommand("bun", { installMode: "deterministic" }),
+      installDev: (pkg) => ["bun", "add", "-d", pkg],
+      test: ["bun", "test"],
+      list: ["bun", "pm", "ls", "--all"],
+      lockfileName: "bun.lockb"
+    };
+  }
+  if (pm === "deno") {
+    return {
+      install: ["deno", "install"],
+      installPreferOffline: ["deno", "install", "--cache-only"],
+      installDeterministic: resolveInstallCommand("deno", { installMode: "deterministic" }),
+      installDev: (pkg) => ["deno", "add", pkg],
+      test: ["deno", "test"],
+      list: [],
+      lockfileName: "deno.lock"
+    };
+  }
   return {
     install: ["npm", "install"],
     installPreferOffline: ["npm", "install", "--prefer-offline"],
@@ -501,13 +613,21 @@ function validatePatchDiff(patchContent) {
 // src/api/patches/helpers.ts
 import { existsSync as existsSync3 } from "fs";
 import { readFile } from "fs/promises";
-import { isAbsolute, resolve } from "path";
+import { isAbsolute, resolve, sep } from "path";
 var DEFAULT_PATCHES_DIR = "./patches";
 function resolvePatchesDir(cwd, patchesDir = DEFAULT_PATCHES_DIR) {
   return isAbsolute(patchesDir) ? patchesDir : resolve(cwd, patchesDir);
 }
 function resolveArtifactPath(cwd, patchFilePath) {
-  return isAbsolute(patchFilePath) ? patchFilePath : resolve(cwd, patchFilePath);
+  const resolved = isAbsolute(patchFilePath) ? patchFilePath : resolve(cwd, patchFilePath);
+  if (!resolved.endsWith(".patch")) {
+    throw new Error(`patchFilePath must point to a .patch file: ${patchFilePath}`);
+  }
+  const patchesRoot = resolvePatchesDir(cwd);
+  if (!resolved.startsWith(patchesRoot + sep)) {
+    throw new Error(`patchFilePath must be inside the patches directory: ${patchFilePath}`);
+  }
+  return resolved;
 }
 async function readManifest(manifestFilePath) {
   if (!existsSync3(manifestFilePath)) {
@@ -515,7 +635,11 @@ async function readManifest(manifestFilePath) {
   }
   try {
     const raw = await readFile(manifestFilePath, "utf8");
-    return JSON.parse(raw);
+    const parsed = JSON.parse(raw);
+    if (parsed === null || typeof parsed !== "object" || parsed.schemaVersion !== "1.0" || typeof parsed.packageName !== "string" || typeof parsed.vulnerableVersion !== "string" || typeof parsed.patchFilePath !== "string" || typeof parsed.patchFileName !== "string" || typeof parsed.applied !== "boolean" || typeof parsed.dryRun !== "boolean" || typeof parsed.generatedAt !== "string") {
+      return void 0;
+    }
+    return parsed;
   } catch {
     return void 0;
   }
@@ -555,7 +679,7 @@ async function listPatchArtifacts(options = {}) {
     return [];
   }
   const entries = await readdir(patchesDirPath, { withFileTypes: true });
-  const patchFiles = entries.filter((entry) => entry.isFile() && entry.name.endsWith(".patch")).map((entry) => join3(patchesDirPath, entry.name)).sort((left, right) => left.localeCompare(right));
+  const patchFiles = entries.filter((entry) => entry.isFile() && entry.name.endsWith(".patch")).map((entry) => join4(patchesDirPath, entry.name)).sort((left, right) => left.localeCompare(right));
   const summaries = await Promise.all(
     patchFiles.map(async (patchFilePath) => {
       const inspection = await inspectPatchArtifact(patchFilePath, options);
@@ -616,13 +740,13 @@ function defineTool(config) {
 // src/remediation/tools/check-inventory.ts
 import { z } from "zod";
-import { readFileSync as readFileSync3 } from "fs";
-import { join as join5 } from "path";
+import { readFileSync as readFileSync4 } from "fs";
+import { join as join6 } from "path";
 import { execa as execa3 } from "execa";
 // src/platform/policy.ts
-import { existsSync as existsSync5, readFileSync as readFileSync2 } from "fs";
-import { join as join4 } from "path";
+import { existsSync as existsSync5, readFileSync as readFileSync3 } from "fs";
+import { join as join5 } from "path";
 import { parse as yamlParse } from "yaml";
 var DEFAULT_POLICY = {
   allowMajorBumps: false,
@@ -653,10 +777,10 @@ var DEFAULT_POLICY = {
   escalationGraph: void 0
 };
 function loadPolicy(cwd, explicitPath) {
-  const candidate = explicitPath ?? join4(cwd, ".github", "autoremediator.yml");
+  const candidate = explicitPath ?? join5(cwd, ".github", "autoremediator.yml");
   if (!existsSync5(candidate)) return DEFAULT_POLICY;
   try {
-    const parsed = yamlParse(readFileSync2(candidate, "utf8"));
+    const parsed = yamlParse(readFileSync3(candidate, "utf8"));
     return {
       allowMajorBumps: parsed.allowMajorBumps ?? DEFAULT_POLICY.allowMajorBumps,
       denyPackages: parsed.denyPackages ?? DEFAULT_POLICY.denyPackages,
@@ -717,7 +841,7 @@ function isActiveSuppression(suppression) {
 }
 function loadSuppressionsFile(filePath) {
   try {
-    const content = readFileSync2(filePath, "utf8");
+    const content = readFileSync3(filePath, "utf8");
     const parsed = yamlParse(content);
     return Array.isArray(parsed?.suppressions) ? parsed.suppressions : [];
   } catch {
@@ -748,14 +872,14 @@ var checkInventoryTool = defineTool({
   description: "Read the project's package.json and installed dependencies to list packages and exact versions. Must be called before checking version matches.",
   parameters: z.object({
     cwd: z.string().describe("Absolute path to the consumer project's root directory"),
-    packageManager: z.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageManager: z.enum(["npm", "pnpm", "yarn", "bun", "deno"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
     policy: z.string().optional().describe("Optional path to .github/autoremediator.yml policy file"),
     workspace: z.string().optional().describe("Optional workspace/package selector for monorepos")
   }),
   execute: async ({ cwd, packageManager, policy, workspace }) => {
     let pkgJson;
     try {
-      pkgJson = JSON.parse(readFileSync3(join5(cwd, "package.json"), "utf8"));
+      pkgJson = JSON.parse(readFileSync4(join6(cwd, "package.json"), "utf8"));
     } catch {
       return {
         packages: [],
@@ -769,15 +893,21 @@ var checkInventoryTool = defineTool({
       workspace: workspace ?? loadedPolicy.constraints?.workspace
     });
     let installedVersions = /* @__PURE__ */ new Map();
-    try {
-      const [cmd, ...args] = listCommand;
-      const listResult = await execa3(cmd, args, {
-        cwd,
-        stdio: "pipe",
-        reject: false
-      });
-      installedVersions = parseListOutput(pm, listResult.stdout || "");
-    } catch {
+    if (pm === "deno") {
+      installedVersions = resolveDenoInventory(cwd);
+    } else {
+      try {
+        const [cmd, ...args] = listCommand;
+        if (cmd) {
+          const listResult = await execa3(cmd, args, {
+            cwd,
+            stdio: "pipe",
+            reject: false
+          });
+          installedVersions = parseListOutput(pm, listResult.stdout || "");
+        }
+      } catch {
+      }
     }
     const packages = [];
     for (const [name, version] of installedVersions.entries()) {
@@ -944,6 +1074,11 @@ async function loadRemoteFactory() {
       "AUTOREMEDIATOR_REMOTE_CLIENT_MODULE is required for remote provider model loading."
     );
   }
+  if (moduleName.startsWith("./") || moduleName.startsWith("../") || moduleName.startsWith("/") || moduleName.startsWith("file:")) {
+    throw new Error(
+      `AUTOREMEDIATOR_REMOTE_CLIENT_MODULE must be a package name, not a file path: ${moduleName}`
+    );
+  }
   const loaded = await import(moduleName);
   const factory = loaded[exportName];
   if (typeof factory !== "function") {
@@ -1016,14 +1151,14 @@ function getIntelligenceSourceConfig() {
 }
 // src/platform/idempotency.ts
-import { existsSync as existsSync6, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
-import { join as join6 } from "path";
+import { existsSync as existsSync6, mkdirSync as mkdirSync2, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "fs";
+import { join as join7 } from "path";
 var DEFAULT_INDEX = {
   schemaVersion: "1.0",
   entries: {}
 };
 function indexFilePath(cwd) {
-  return join6(cwd, ".autoremediator", "state", "idempotency.json");
+  return join7(cwd, ".autoremediator", "state", "idempotency.json");
 }
 function entryKey(idempotencyKey, cveId) {
   return `${idempotencyKey}::${cveId.toUpperCase()}`;
@@ -1032,7 +1167,7 @@ function loadIndex(cwd) {
   const filePath = indexFilePath(cwd);
   if (!existsSync6(filePath)) return DEFAULT_INDEX;
   try {
-    const parsed = JSON.parse(readFileSync4(filePath, "utf8"));
+    const parsed = JSON.parse(readFileSync5(filePath, "utf8"));
     if (parsed && parsed.schemaVersion === "1.0" && parsed.entries) {
       return parsed;
     }
@@ -1043,7 +1178,7 @@ function loadIndex(cwd) {
 }
 function saveIndex(cwd, index) {
   const filePath = indexFilePath(cwd);
-  mkdirSync2(join6(cwd, ".autoremediator", "state"), { recursive: true });
+  mkdirSync2(join7(cwd, ".autoremediator", "state"), { recursive: true });
   writeFileSync2(filePath, JSON.stringify(index, null, 2) + "\n", "utf8");
 }
 function readIdempotentReport(cwd, idempotencyKey, cveId) {
@@ -1105,7 +1240,15 @@ async function httpClient(request) {
   }
   try {
     const res = await requestWithTimeout(url, init, timeout);
+    const MAX_RESPONSE_BYTES = 10 * 1024 * 1024;
+    const contentLength = res.headers?.get?.("content-length") ?? null;
+    if (contentLength && parseInt(contentLength, 10) > MAX_RESPONSE_BYTES) {
+      throw new HttpError(`Response too large (content-length: ${contentLength})`, "HTTP_ERROR");
+    }
     const text = await res.text();
+    if (Buffer.byteLength(text) > MAX_RESPONSE_BYTES) {
+      throw new HttpError("Response body exceeds 10 MB limit", "HTTP_ERROR");
+    }
     let data;
     try {
       data = text ? JSON.parse(text) : {};
@@ -1331,8 +1474,8 @@ async function enrichWithNvd(details) {
 // src/remediation/tools/check-reachability.ts
 import { z as z2 } from "zod";
-import { readdirSync, readFileSync as readFileSync5, statSync } from "fs";
-import { join as join7, extname } from "path";
+import { readdirSync, readFileSync as readFileSync6, statSync } from "fs";
+import { join as join8, extname } from "path";
 var SOURCE_EXTENSIONS = /* @__PURE__ */ new Set([".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs"]);
 var SKIP_DIRS = /* @__PURE__ */ new Set(["node_modules", "dist", "build", "out", ".git", "coverage", ".cache"]);
 var MAX_FILES = 500;
@@ -1346,7 +1489,7 @@ function collectSourceFiles(dir, files = []) {
   }
   for (const entry of entries) {
     if (files.length >= MAX_FILES) break;
-    const full = join7(dir, entry);
+    const full = join8(dir, entry);
     let stat2;
     try {
       stat2 = statSync(full);
@@ -1379,7 +1522,7 @@ function assessPackageReachability(cwd, packageName) {
   for (const filePath of files) {
     let content;
     try {
-      content = readFileSync5(filePath, "utf8");
+      content = readFileSync6(filePath, "utf8");
     } catch {
       continue;
     }
@@ -1535,8 +1678,8 @@ function buildSbom(packages, vulnerableNames, results) {
 }
 // src/intelligence/sources/registry.ts
-import { readFileSync as readFileSync6 } from "fs";
-import { join as join8 } from "path";
+import { readFileSync as readFileSync7 } from "fs";
+import { join as join9 } from "path";
 import { execa as execa4 } from "execa";
 import semver from "semver";
 var NPM_REGISTRY = "https://registry.npmjs.org";
@@ -1705,7 +1848,7 @@ async function queryOutdatedPackages(cwd, options = {}) {
   }
   let directDeps;
   try {
-    const pkgRaw = JSON.parse(readFileSync6(join8(cwd, "package.json"), "utf8"));
+    const pkgRaw = JSON.parse(readFileSync7(join9(cwd, "package.json"), "utf8"));
     directDeps = /* @__PURE__ */ new Set([
       ...Object.keys(pkgRaw.dependencies ?? {}),
       ...Object.keys(pkgRaw.devDependencies ?? {})
@@ -1735,22 +1878,22 @@ async function queryOutdatedPackages(cwd, options = {}) {
 // src/remediation/tools/apply-version-bump.ts
 import { z as z4 } from "zod";
-import { join as join10 } from "path";
-import { readFileSync as readFileSync7, writeFileSync as writeFileSync3 } from "fs";
+import { join as join11 } from "path";
+import { readFileSync as readFileSync8, writeFileSync as writeFileSync3 } from "fs";
 import { execa as execa5 } from "execa";
 import semver2 from "semver";
 // src/platform/repo-lock.ts
 import { mkdir, rm } from "fs/promises";
-import { join as join9 } from "path";
+import { join as join10 } from "path";
 async function sleep(ms) {
-  await new Promise((resolve2) => setTimeout(resolve2, ms));
+  await new Promise((resolve3) => setTimeout(resolve3, ms));
 }
 async function acquireRepoLock(cwd, options = {}) {
   const timeoutMs = options.timeoutMs ?? 15e3;
   const retryDelayMs = options.retryDelayMs ?? 125;
-  const lockRoot = join9(cwd, ".autoremediator", "locks");
-  const lockPath = join9(cwd, ".autoremediator", "locks", "remediation.lock");
+  const lockRoot = join10(cwd, ".autoremediator", "locks");
+  const lockPath = join10(cwd, ".autoremediator", "locks", "remediation.lock");
   const startedAt = Date.now();
   await mkdir(lockRoot, { recursive: true });
   while (true) {
@@ -1784,7 +1927,7 @@ var applyVersionBumpTool = defineTool({
   description: "Update package.json to use the safe version of a vulnerable package and run the project's package manager install. In dry-run mode, only reports what would change.",
   parameters: z4.object({
     cwd: z4.string().describe("Absolute path to the consumer project root"),
-    packageManager: z4.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageManager: z4.enum(["npm", "pnpm", "yarn", "bun", "deno"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
     packageName: z4.string().describe("The npm package to upgrade"),
     fromVersion: z4.string().describe("The currently installed vulnerable version"),
     toVersion: z4.string().describe("The safe target version to upgrade to"),
@@ -1811,7 +1954,7 @@ var applyVersionBumpTool = defineTool({
     workspace
   }) => {
     const pm = packageManager ?? detectPackageManager(cwd);
-    const pkgPath = join10(cwd, "package.json");
+    const pkgPath = join11(cwd, "package.json");
     const loadedPolicy = loadPolicy(cwd, policy);
     const commandConstraints = {
       ...loadedPolicy.constraints,
@@ -1851,7 +1994,7 @@ var applyVersionBumpTool = defineTool({
     }
     let pkgJson;
     try {
-      pkgJson = JSON.parse(readFileSync7(pkgPath, "utf8"));
+      pkgJson = JSON.parse(readFileSync8(pkgPath, "utf8"));
     } catch {
       return {
         packageName,
@@ -1975,8 +2118,8 @@ var applyVersionBumpTool = defineTool({
 // src/remediation/tools/apply-package-override/index.ts
 import { z as z5 } from "zod";
-import { join as join11 } from "path";
-import { readFileSync as readFileSync8, writeFileSync as writeFileSync4 } from "fs";
+import { join as join12 } from "path";
+import { existsSync as existsSync7, readFileSync as readFileSync9, writeFileSync as writeFileSync4 } from "fs";
 import { execa as execa7 } from "execa";
 import semver3 from "semver";
@@ -1985,6 +2128,7 @@ import { execa as execa6 } from "execa";
 async function collectDependencyTrace(cwd, pm, packageName, constraints) {
   try {
     const whyCommand = resolveWhyCommand(pm, packageName, constraints);
+    if (whyCommand.length === 0) return void 0;
     const [whyCmd, ...whyArgs] = whyCommand;
     const result = await execa6(whyCmd, whyArgs, {
       cwd,
@@ -1999,17 +2143,20 @@ async function collectDependencyTrace(cwd, pm, packageName, constraints) {
   }
 }
 function describeOverrideField(packageManager) {
-  if (packageManager === "npm") return "overrides";
+  if (packageManager === "npm" || packageManager === "bun") return "overrides";
   if (packageManager === "pnpm") return "pnpm.overrides";
+  if (packageManager === "deno") return "overrides";
   return "resolutions";
 }
 function getOverrideValue(pkgJson, packageManager, packageName) {
-  if (packageManager === "npm") return pkgJson.overrides?.[packageName];
+  if (packageManager === "npm" || packageManager === "bun" || packageManager === "deno") {
+    return pkgJson.overrides?.[packageName];
+  }
   if (packageManager === "pnpm") return pkgJson.pnpm?.overrides?.[packageName];
   return pkgJson.resolutions?.[packageName];
 }
 function setOverrideValue(pkgJson, packageManager, packageName, version) {
-  if (packageManager === "npm") {
+  if (packageManager === "npm" || packageManager === "bun" || packageManager === "deno") {
     pkgJson.overrides = { ...pkgJson.overrides ?? {}, [packageName]: version };
     return;
   }
@@ -2026,7 +2173,7 @@ function setOverrideValue(pkgJson, packageManager, packageName, version) {
   pkgJson.resolutions = { ...pkgJson.resolutions ?? {}, [packageName]: version };
 }
 function restoreOverrideValue(pkgJson, packageManager, packageName, previousValue) {
-  if (packageManager === "npm") {
+  if (packageManager === "npm" || packageManager === "bun" || packageManager === "deno") {
     pkgJson.overrides = restoreRecord(pkgJson.overrides, packageName, previousValue);
     return;
   }
@@ -2045,6 +2192,34 @@ function restoreOverrideValue(pkgJson, packageManager, packageName, previousValu
   }
   pkgJson.resolutions = restoreRecord(pkgJson.resolutions, packageName, previousValue);
 }
+function getDenoJsonImportValue(denoJson, packageName) {
+  const imports = denoJson.imports ?? {};
+  if (imports[packageName] !== void 0) {
+    return { key: packageName, value: imports[packageName] };
+  }
+  const npmKey = `npm:${packageName}`;
+  if (imports[npmKey] !== void 0) {
+    return { key: npmKey, value: imports[npmKey] };
+  }
+  return void 0;
+}
+function setDenoJsonImportValue(denoJson, packageName, version) {
+  const existing = getDenoJsonImportValue(denoJson, packageName);
+  const key = existing?.key ?? `npm:${packageName}`;
+  denoJson.imports = { ...denoJson.imports ?? {}, [key]: `npm:${packageName}@${version}` };
+}
+function restoreDenoJsonImportValue(denoJson, packageName, previousEntry) {
+  const existing = getDenoJsonImportValue(denoJson, packageName);
+  if (!existing) return;
+  const imports = { ...denoJson.imports ?? {} };
+  if (previousEntry === void 0) {
+    delete imports[existing.key];
+  } else {
+    delete imports[existing.key];
+    imports[previousEntry.key] = previousEntry.value;
+  }
+  denoJson.imports = Object.keys(imports).length > 0 ? imports : void 0;
+}
 function restoreRecord(record, key, previousValue) {
   const nextRecord = { ...record ?? {} };
   if (previousValue === void 0) {
@@ -2057,10 +2232,10 @@ function restoreRecord(record, key, previousValue) {
 // src/remediation/tools/apply-package-override/index.ts
 var applyPackageOverrideTool = defineTool({
-  description: "Apply a package-manager-native package.json override for a vulnerable transitive dependency and reinstall. Uses npm overrides, pnpm.overrides, or yarn resolutions.",
+  description: "Apply a package-manager-native package.json override for a vulnerable transitive dependency and reinstall. Uses npm overrides, pnpm.overrides, yarn resolutions, bun overrides, or deno.json imports.",
   parameters: z5.object({
     cwd: z5.string().describe("Absolute path to the consumer project root"),
-    packageManager: z5.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageManager: z5.enum(["npm", "pnpm", "yarn", "bun", "deno"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
     packageName: z5.string().describe("The npm package to override"),
     selector: z5.string().optional().describe("Optional manager-native override selector key (for nested or scoped overrides)"),
     fromVersion: z5.string().describe("The currently installed vulnerable version"),
@@ -2089,7 +2264,9 @@ var applyPackageOverrideTool = defineTool({
     workspace
   }) => {
     const pm = packageManager ?? detectPackageManager(cwd);
-    const pkgPath = join11(cwd, "package.json");
+    const pkgPath = join12(cwd, "package.json");
+    const denoJsonPath = join12(cwd, "deno.json");
+    const isDenoNative = pm === "deno" && !existsSync7(pkgPath);
     const loadedPolicy = loadPolicy(cwd, policy);
     const commandConstraints = {
       ...loadedPolicy.constraints,
@@ -2128,9 +2305,108 @@ var applyPackageOverrideTool = defineTool({
         message: `Policy blocked major override for "${packageName}" (${fromVersion} -> ${toVersion}).`
       };
     }
+    if (isDenoNative) {
+      let denoJson;
+      try {
+        denoJson = JSON.parse(readFileSync9(denoJsonPath, "utf8"));
+      } catch {
+        return {
+          packageName,
+          strategy: "none",
+          fromVersion,
+          toVersion,
+          applied: false,
+          dryRun,
+          unresolvedReason: "package-json-not-found",
+          message: `Could not read deno.json at "${denoJsonPath}".`
+        };
+      }
+      const existingEntry = getDenoJsonImportValue(denoJson, overrideSelector);
+      if (!existingEntry) {
+        return {
+          packageName,
+          strategy: "none",
+          fromVersion,
+          toVersion,
+          applied: false,
+          dryRun,
+          unresolvedReason: "transitive-override-unsupported-deno-native",
+          message: `Cannot apply transitive override for "${overrideSelector}" in a native Deno project (no package.json). Only direct dependencies declared in deno.json imports can be overridden.`
+        };
+      }
+      const dependencyTrace2 = await collectDependencyTrace(cwd, pm, packageName, commandConstraints);
+      const dependencyTraceSuffix2 = dependencyTrace2 ? ` Dependency trace: ${dependencyTrace2}` : "";
+      if (dryRun) {
+        return {
+          packageName,
+          strategy: "override",
+          fromVersion,
+          toVersion,
+          applied: false,
+          dryRun: true,
+          message: `[DRY RUN] Would update deno.json imports["${existingEntry.key}"] to "npm:${overrideSelector}@${toVersion}", then run ${installCommand.join(" ")}.${dependencyTraceSuffix2}`
+        };
+      }
+      return withRepoLock(cwd, async () => {
+        setDenoJsonImportValue(denoJson, overrideSelector, toVersion);
+        writeFileSync4(denoJsonPath, JSON.stringify(denoJson, null, 2) + "\n", "utf8");
+        try {
+          const [installCmd, ...installArgs] = installCommand;
+          await execa7(installCmd, installArgs, { cwd, stdio: "pipe" });
+        } catch (err) {
+          restoreDenoJsonImportValue(denoJson, overrideSelector, existingEntry);
+          writeFileSync4(denoJsonPath, JSON.stringify(denoJson, null, 2) + "\n", "utf8");
+          const message = err instanceof Error ? err.message : String(err);
+          return {
+            packageName,
+            strategy: "override",
+            fromVersion,
+            toVersion,
+            applied: false,
+            dryRun: false,
+            unresolvedReason: "override-apply-failed",
+            message: `${installCommand.join(" ")} failed after updating deno.json imports for "${overrideSelector}" to ${toVersion}. Reverted. Error: ${message}${dependencyTraceSuffix2}`
+          };
+        }
+        if (runTests) {
+          try {
+            const [testCmd, ...testArgs] = testCommand;
+            await execa7(testCmd, testArgs, { cwd, stdio: "pipe" });
+          } catch (err) {
+            restoreDenoJsonImportValue(denoJson, overrideSelector, existingEntry);
+            writeFileSync4(denoJsonPath, JSON.stringify(denoJson, null, 2) + "\n", "utf8");
+            try {
+              const [rollbackCmd, ...rollbackArgs] = installCommand;
+              await execa7(rollbackCmd, rollbackArgs, { cwd, stdio: "pipe" });
+            } catch {
+            }
+            const message = err instanceof Error ? err.message : String(err);
+            return {
+              packageName,
+              strategy: "override",
+              fromVersion,
+              toVersion,
+              applied: false,
+              dryRun: false,
+              unresolvedReason: "validation-failed",
+              message: `${testCommand.join(" ")} failed after updating deno.json imports for "${overrideSelector}" to ${toVersion}. Reverted. Error: ${message}${dependencyTraceSuffix2}`
+            };
+          }
+        }
+        return {
+          packageName,
+          strategy: "override",
+          fromVersion,
+          toVersion,
+          applied: true,
+          dryRun: false,
+          message: `Successfully updated deno.json imports["${existingEntry.key}"] for "${overrideSelector}" from ${fromVersion} to ${toVersion}, then ran ${installCommand.join(" ")}${runTests ? ` and passed ${testCommand.join(" ")}` : ""}.${dependencyTraceSuffix2}`
+        };
+      });
+    }
     let pkgJson;
     try {
-      pkgJson = JSON.parse(readFileSync8(pkgPath, "utf8"));
+      pkgJson = JSON.parse(readFileSync9(pkgPath, "utf8"));
     } catch {
       return {
         packageName,
@@ -2205,12 +2481,14 @@ var applyPackageOverrideTool = defineTool({
         }
       }
       let dedupeNote = "";
-      try {
-        const [dedupeCmd, ...dedupeArgs] = dedupeCommand;
-        await execa7(dedupeCmd, dedupeArgs, { cwd, stdio: "pipe" });
-      } catch (err) {
-        const message = err instanceof Error ? err.message : String(err);
-        dedupeNote = ` Dedupe warning: ${dedupeCommand.join(" ")} failed (${message}).`;
+      if (dedupeCommand.length > 0) {
+        try {
+          const [dedupeCmd, ...dedupeArgs] = dedupeCommand;
+          await execa7(dedupeCmd, dedupeArgs, { cwd, stdio: "pipe" });
+        } catch (err) {
+          const message = err instanceof Error ? err.message : String(err);
+          dedupeNote = ` Dedupe warning: ${dedupeCommand.join(" ")} failed (${message}).`;
+        }
       }
       return {
         packageName,
@@ -2368,8 +2646,9 @@ async function resolvePrimaryResult(params) {
 // src/remediation/tools/fetch-package-source.ts
 import { z as z6 } from "zod";
-import { mkdir as mkdir2, readdir as readdir2, readFile as readFile3, rm as rm2 } from "fs/promises";
-import { join as join12 } from "path";
+import { mkdir as mkdir2, mkdtemp, readdir as readdir2, readFile as readFile3, rm as rm2 } from "fs/promises";
+import { join as join13 } from "path";
+import { tmpdir } from "os";
 import { execa as execa8 } from "execa";
 var fetchPackageSourceTool = defineTool({
   description: "Download package tarball from npm and extract source files for CVE analysis. Supports custom file patterns (default: *.js, *.ts).",
@@ -2385,24 +2664,34 @@ var fetchPackageSourceTool = defineTool({
     version,
     filePatterns
   }) => {
-    const tempBaseDir = `/tmp/autoremediator-pkg-${Date.now()}`;
-    const extractDir = join12(tempBaseDir, "out");
+    if (!/^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/i.test(packageName)) {
+      return { success: false, error: `Invalid package name: ${packageName}` };
+    }
+    const safePatterns = (filePatterns ?? ["*.js", "*.ts"]).filter(
+      (p) => /^[a-zA-Z0-9._/*?-]+$/.test(p)
+    );
+    if (safePatterns.length === 0) {
+      return { success: false, error: "No valid file patterns provided." };
+    }
+    const tempBaseDir = await mkdtemp(join13(tmpdir(), "autoremediator-pkg-"));
+    const extractDir = join13(tempBaseDir, "out");
     try {
-      const npmUrl = `https://registry.npmjs.org/${packageName}/-/${packageName.split("/").pop()}-${version}.tgz`;
+      const scopedName = packageName.split("/").pop();
+      const npmUrl = `https://registry.npmjs.org/${packageName}/-/${scopedName}-${version}.tgz`;
       await mkdir2(tempBaseDir, { recursive: true });
-      const tarballPath = join12(tempBaseDir, "package.tgz");
+      const tarballPath = join13(tempBaseDir, "package.tgz");
       await execa8("curl", ["-L", "-o", tarballPath, npmUrl]);
       await mkdir2(extractDir, { recursive: true });
       await execa8("tar", ["-xzf", tarballPath, "-C", extractDir]);
       const extractedContents = await readdir2(extractDir);
-      const packageRootDir = extractedContents.includes("package") ? join12(extractDir, "package") : extractDir;
+      const packageRootDir = extractedContents.includes("package") ? join13(extractDir, "package") : extractDir;
       const sourceCode = {};
       async function walkDir(dir, relativeBase) {
         try {
           const files = await readdir2(dir, { withFileTypes: true });
           for (const file of files) {
-            const fullPath = join12(dir, file.name);
-            const relPath = join12(relativeBase, file.name);
+            const fullPath = join13(dir, file.name);
+            const relPath = join13(relativeBase, file.name);
             if (file.isDirectory()) {
               if (![
                 "node_modules",
@@ -2416,7 +2705,7 @@ var fetchPackageSourceTool = defineTool({
                 await walkDir(fullPath, relPath);
               }
             } else if (file.isFile()) {
-              const matches = filePatterns.some((pattern) => {
+              const matches = safePatterns.some((pattern) => {
                 const regex = new RegExp(
                   `^${pattern.replace(/\*/g, ".*").replace(/\./g, "\\.")}$`
                 );
@@ -2438,7 +2727,7 @@ var fetchPackageSourceTool = defineTool({
       if (Object.keys(sourceCode).length === 0) {
         return {
           success: false,
-          error: `No source files matching patterns [${filePatterns.join(", ")}] found in ${packageName}@${version}. Download succeeded but extraction yielded no matching files.`
+          error: `No source files matching patterns [${safePatterns.join(", ")}] found in ${packageName}@${version}. Download succeeded but extraction yielded no matching files.`
         };
       }
       return {
@@ -2774,24 +3063,23 @@ var generatePatchTool = defineTool({
 // src/remediation/tools/apply-patch-file/index.ts
 import { z as z8 } from "zod";
 import { mkdir as mkdir3, writeFile as writeFile2 } from "fs/promises";
-import { join as join14 } from "path";
+import { join as join15 } from "path";
 import { execa as execa10 } from "execa";
 // src/remediation/tools/apply-patch-file/helpers.ts
-import { existsSync as existsSync7 } from "fs";
-import { mkdtemp, readFile as readFile4, rm as rm3, writeFile } from "fs/promises";
+import { existsSync as existsSync8 } from "fs";
+import { mkdtemp as mkdtemp2, readFile as readFile4, rm as rm3, writeFile } from "fs/promises";
 import { createHash } from "crypto";
-import { tmpdir } from "os";
-import { join as join13 } from "path";
+import { tmpdir as tmpdir2 } from "os";
+import { join as join14 } from "path";
 import { execa as execa9 } from "execa";
 async function resolvePatchMode(packageManager, cwd) {
-  if (packageManager === "npm") return "patch-package";
+  if (packageManager === "npm" || packageManager === "bun" || packageManager === "deno") return "patch-package";
   if (packageManager === "pnpm") return "native-pnpm";
   const major = await getYarnMajorVersion(cwd);
   return major >= 2 ? "native-yarn" : "patch-package";
 }
 function patchModeRequiresPackageJsonSnapshot(packageManager) {
-  if (packageManager === "npm") return true;
   if (packageManager === "pnpm") return false;
   return true;
 }
@@ -2817,7 +3105,7 @@ async function writePatchManifest(manifestFilePath, artifact) {
   await writeFile(manifestFilePath, JSON.stringify(artifact, null, 2) + "\n", "utf8");
 }
 async function configurePatchPackagePostinstall(cwd, packageManager) {
-  const pkgJsonPath = join13(cwd, "package.json");
+  const pkgJsonPath = join14(cwd, "package.json");
   let pkgJson;
   try {
     pkgJson = JSON.parse(await readFile4(pkgJsonPath, "utf8"));
@@ -2857,7 +3145,7 @@ async function configurePatchPackagePostinstall(cwd, packageManager) {
   return { success: true };
 }
 async function capturePackageJsonSnapshot(cwd) {
-  const path = join13(cwd, "package.json");
+  const path = join14(cwd, "package.json");
   try {
     const content = await readFile4(path, "utf8");
     return { path, content };
@@ -2927,8 +3215,8 @@ ${createResult.stderr}`);
       error: `Could not determine native patch directory for ${packageSpec}.`
     };
   }
-  const tempPatchDir = await mkdtemp(join13(tmpdir(), "autoremediator-native-patch-"));
-  const tempPatchFile = join13(tempPatchDir, "change.patch");
+  const tempPatchDir = await mkdtemp2(join14(tmpdir2(), "autoremediator-native-patch-"));
+  const tempPatchFile = join14(tempPatchDir, "change.patch");
   try {
     await writeFile(tempPatchFile, patchContent, "utf8");
     await execa9("patch", ["-p1", "-i", tempPatchFile], {
@@ -2959,12 +3247,12 @@ ${createResult.stderr}`);
 function extractPatchDirectory(output) {
   const lines = output.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
   for (const line of lines) {
-    if (existsSync7(line)) {
+    if (existsSync8(line)) {
       return line;
     }
     const tokens = line.split(/\s+/).map((token) => token.replace(/^['"]|['"]$/g, ""));
     for (const token of tokens) {
-      if (token.startsWith("/") && existsSync7(token)) {
+      if (token.startsWith("/") && existsSync8(token)) {
         return token;
       }
     }
@@ -3030,7 +3318,7 @@ var applyPatchFileTool = defineTool({
     ).optional().describe("Patch list from generate-patch; first patch is applied"),
     patchesDir: z8.string().optional().default("./patches").describe("Directory to store patch files"),
     cwd: z8.string().describe("Project root directory (for package.json)"),
-    packageManager: z8.enum(["npm", "pnpm", "yarn"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
+    packageManager: z8.enum(["npm", "pnpm", "yarn", "bun", "deno"]).optional().describe("Package manager used by the target project (auto-detected if omitted)"),
     policy: z8.string().optional().describe("Optional path to .autoremediator policy file"),
     installMode: z8.enum(["standard", "prefer-offline", "deterministic"]).optional(),
     installPreferOffline: z8.boolean().optional(),
@@ -3108,7 +3396,7 @@ var applyPatchFileTool = defineTool({
         };
       }
       const patchFileName = buildPatchFileName(packageName, vulnerableVersion);
-      const patchFilePath = join14(cwd, patchesDir, patchFileName);
+      const patchFilePath = join15(cwd, patchesDir, patchFileName);
       const manifestFilePath = `${patchFilePath}.json`;
       const generatedAt = (/* @__PURE__ */ new Date()).toISOString();
       const baseArtifact = {
@@ -3147,7 +3435,7 @@ var applyPatchFileTool = defineTool({
       }
       return withRepoLock(cwd, async () => {
         const packageJsonSnapshot = patchModeRequiresPackageJsonSnapshot(pm) ? await capturePackageJsonSnapshot(cwd) : void 0;
-        const patchesDirPath = join14(cwd, patchesDir);
+        const patchesDirPath = join15(cwd, patchesDir);
         await mkdir3(patchesDirPath, { recursive: true });
         await writeFile2(patchFilePath, selectedPatch, "utf8");
         validationPhases.push({
@@ -4107,8 +4395,8 @@ function accumulateStepResults(params) {
 }
 // src/remediation/orchestration-prompt.ts
-import { existsSync as existsSync8, readFileSync as readFileSync9 } from "fs";
-import { join as join15 } from "path";
+import { existsSync as existsSync9, readFileSync as readFileSync10 } from "fs";
+import { join as join16 } from "path";
 function buildProviderAddendum(provider, personality = "balanced") {
   const personalityDirective = personality === "analytical" ? "Use concise, explicit rationale for tool decisions and unresolved outcomes." : personality === "pragmatic" ? "Prefer the smallest safe remediation path while preserving policy and validation gates." : "Balance concise execution with brief rationale for risky or unresolved outcomes.";
   const providerDirective = provider === "remote" ? "Use strict structured output and deterministic reporting fields." : "Use deterministic-first behavior and only rely on remote model fallback when required by patch generation.";
@@ -4119,8 +4407,8 @@ Provider profile:
 - ${personalityDirective}`;
 }
 function loadOrchestrationPrompt(ctx) {
-  const promptPath = join15(process.cwd(), ".github", "instructions", "orchestration.instructions.md");
-  if (!existsSync8(promptPath)) {
+  const promptPath = join16(process.cwd(), ".github", "instructions", "orchestration.instructions.md");
+  if (!existsSync9(promptPath)) {
     return `You are autoremediator, an agentic security remediation system for Node.js package dependencies.
 Working directory: ${ctx.cwd}
   Package manager: ${ctx.packageManager}
@@ -4146,7 +4434,7 @@ Fallback sequence (when neither version bump nor override can be applied):
 Always respect dryRun and policy constraints.`;
   }
-  const template = readFileSync9(promptPath, "utf8");
+  const template = readFileSync10(promptPath, "utf8");
   return template.replaceAll("{{cveId}}", ctx.cveId).replaceAll("{{cwd}}", ctx.cwd).replaceAll("{{packageManager}}", ctx.packageManager).replaceAll("{{dryRun}}", String(ctx.dryRun)).replaceAll("{{runTests}}", String(ctx.runTests)).replaceAll("{{policy}}", ctx.policy || "undefined").replaceAll("{{patchesDir}}", ctx.patchesDir).replaceAll("{{directDependenciesOnly}}", String(ctx.constraints.directDependenciesOnly ?? false)).replaceAll("{{preferVersionBump}}", String(ctx.constraints.preferVersionBump ?? false)) + buildProviderAddendum(ctx.llmProvider, ctx.modelPersonality);
 }
@@ -4409,6 +4697,13 @@ async function enrichWithOssfScorecard(details) {
 async function probeFeed(url, cveId, token) {
   try {
     const feedUrl = new URL(url);
+    const hostname = feedUrl.hostname.toLowerCase();
+    if (hostname === "localhost" || /^127\./.test(hostname) || /^10\./.test(hostname) || /^172\.(1[6-9]|2\d|3[01])\./.test(hostname) || /^192\.168\./.test(hostname) || hostname === "0.0.0.0" || /^169\.254\./.test(hostname) || hostname === "[::1]" || hostname === "::1") {
+      return void 0;
+    }
+    if (feedUrl.protocol !== "https:" && feedUrl.protocol !== "http:") {
+      return void 0;
+    }
     feedUrl.searchParams.set("cve", cveId);
     const headers = {};
     if (token) headers.Authorization = `Bearer ${token}`;
@@ -4839,6 +5134,7 @@ async function runRemediationPipeline(cveId, options = {}) {
 // src/api/change-request/index.ts
 import { execa as execa11 } from "execa";
+import { randomBytes } from "crypto";
 function sanitizeBranchToken(value) {
   return value.toLowerCase().replace(/[^a-z0-9._/-]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 80);
 }
@@ -4891,7 +5187,7 @@ async function ensureRepoHasChanges(cwd) {
 }
 function toBranchName(prefix, cveIds) {
   const token = sanitizeBranchToken(cveIds.join("-") || "remediation");
-  return `${sanitizeBranchToken(prefix)}/${token}-${Date.now()}`;
+  return `${sanitizeBranchToken(prefix)}/${token}-${randomBytes(6).toString("hex")}`;
 }
 async function createGitHubRequest(params) {
   const args = ["pr", "create", "--head", params.head, "--base", params.base, "--title", params.title, "--body", params.body];
@@ -4937,11 +5233,12 @@ async function createChangeRequestsForReports(params) {
   const provider = resolveProvider2(options);
   const grouping = resolveGrouping(options);
   const plan = buildPlan(reports);
-  const titlePrefix = options.titlePrefix?.trim();
+  const titlePrefix = options.titlePrefix?.trim().slice(0, 200);
+  const bodyFooter = options.bodyFooter ? options.bodyFooter.slice(0, 2e3) : void 0;
   const title = titlePrefix ? `${titlePrefix} ${plan.title}` : plan.title;
-  const body = options.bodyFooter ? `${plan.body}
+  const body = bodyFooter ? `${plan.body}
-${options.bodyFooter}` : plan.body;
+${bodyFooter}` : plan.body;
   try {
     const hasChanges = await ensureRepoHasChanges(cwd);
     if (!hasChanges) {
@@ -4964,6 +5261,12 @@ ${options.bodyFooter}` : plan.body;
     const branchPrefix = options.branchPrefix ?? "autoremediator";
     const branchName = toBranchName(branchPrefix, plan.cveIds);
     const pushRemote = options.pushRemote ?? "origin";
+    if (options.pushRemote && !/^[a-zA-Z0-9._-]+$/.test(options.pushRemote)) {
+      throw new Error(`Invalid pushRemote value: ${options.pushRemote}`);
+    }
+    if (options.repository && !/^[a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+$/.test(options.repository)) {
+      throw new Error(`Invalid repository format: ${options.repository}`);
+    }
     await execa11("git", ["checkout", "-b", branchName], { cwd, stdio: "pipe" });
     await execa11("git", ["add", "-A"], { cwd, stdio: "pipe" });
     await execa11("git", ["commit", "-m", title], { cwd, stdio: "pipe" });
@@ -5050,7 +5353,7 @@ function resolveConstraints(options, cwd) {
 // src/platform/evidence.ts
 import { mkdirSync as mkdirSync3, writeFileSync as writeFileSync5 } from "fs";
-import { join as join16 } from "path";
+import { join as join17 } from "path";
 function createEvidenceLog(cwd, cveIds, context = {}) {
   return {
     runId: `${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
@@ -5081,9 +5384,9 @@ function finalizeEvidence(log) {
   return log;
 }
 function writeEvidenceLog(cwd, log) {
-  const dir = join16(cwd, ".autoremediator", "evidence");
+  const dir = join17(cwd, ".autoremediator", "evidence");
   mkdirSync3(dir, { recursive: true });
-  const filePath = join16(dir, `${log.runId}.json`);
+  const filePath = join17(dir, `${log.runId}.json`);
   writeFileSync5(filePath, JSON.stringify(log, null, 2) + "\n", "utf8");
   return filePath;
 }
@@ -5651,13 +5954,13 @@ async function planRemediation(cveId, options = {}) {
 }
 // src/scanner/parse-input.ts
-import { extname as extname2 } from "path";
-import { readFileSync as readFileSync13 } from "fs";
+import { extname as extname2, resolve as resolve2 } from "path";
+import { readFileSync as readFileSync14 } from "fs";
 import { execa as execa12 } from "execa";
 // src/scanner/adapters/npm-audit.ts
-import { readFileSync as readFileSync10 } from "fs";
-var CVE_REGEX = /CVE-\d{4}-\d+/gi;
+import { readFileSync as readFileSync11 } from "fs";
+var CVE_REGEX = /CVE-\d{4}-\d{1,7}/gi;
 function normalizeSeverity(raw) {
   if (!raw) return "UNKNOWN";
   const up = raw.toUpperCase();
@@ -5690,13 +5993,13 @@ function parseNpmAuditJsonFromString(content) {
   return findings;
 }
 function parseNpmAuditJsonFile(filePath) {
-  const content = readFileSync10(filePath, "utf8");
+  const content = readFileSync11(filePath, "utf8");
   return parseNpmAuditJsonFromString(content);
 }
 // src/scanner/adapters/yarn-audit.ts
-import { readFileSync as readFileSync11 } from "fs";
-var CVE_REGEX2 = /CVE-\d{4}-\d+/gi;
+import { readFileSync as readFileSync12 } from "fs";
+var CVE_REGEX2 = /CVE-\d{4}-\d{1,7}/gi;
 function normalizeSeverity2(raw) {
   if (!raw) return "UNKNOWN";
   const up = raw.toUpperCase();
@@ -5738,13 +6041,13 @@ function parseYarnAuditJsonFromString(content) {
   return findings;
 }
 function parseYarnAuditJsonFile(filePath) {
-  const content = readFileSync11(filePath, "utf8");
+  const content = readFileSync12(filePath, "utf8");
   return parseYarnAuditJsonFromString(content);
 }
 // src/scanner/adapters/sarif.ts
-import { readFileSync as readFileSync12 } from "fs";
-var CVE_REGEX3 = /CVE-\d{4}-\d+/gi;
+import { readFileSync as readFileSync13 } from "fs";
+var CVE_REGEX3 = /CVE-\d{4}-\d{1,7}/gi;
 function extractPackageName(result) {
   const pkg = result.properties?.["packageName"];
   return typeof pkg === "string" ? pkg : void 0;
@@ -5753,9 +6056,15 @@ function parseSarifFromString(content) {
   const report = JSON.parse(content);
   const findings = [];
   const seen = /* @__PURE__ */ new Set();
-  for (const run of report.runs ?? []) {
+  const MAX_RUNS = 100;
+  const MAX_TOTAL_RESULTS = 1e4;
+  let totalResults = 0;
+  for (const run of (report.runs ?? []).slice(0, MAX_RUNS)) {
     for (const result of run.results ?? []) {
-      const combined = `${result.ruleId ?? ""} ${result.message?.text ?? ""}`;
+      if (totalResults++ >= MAX_TOTAL_RESULTS) break;
+      const ruleId = (result.ruleId ?? "").slice(0, 1024);
+      const messageText = (result.message?.text ?? "").slice(0, 4096);
+      const combined = `${ruleId} ${messageText}`;
       const matches = combined.match(CVE_REGEX3) ?? [];
       for (const match of matches) {
         const cveId = match.toUpperCase();
@@ -5775,21 +6084,25 @@ function parseSarifFromString(content) {
   return findings;
 }
 function parseSarifFile(filePath) {
-  const content = readFileSync12(filePath, "utf8");
+  const content = readFileSync13(filePath, "utf8");
   return parseSarifFromString(content);
 }
 // src/scanner/parse-input.ts
 function parseScanInput(filePath, format) {
-  const resolved = format === "auto" ? inferFormat(filePath) : format;
+  if (filePath.includes("\0")) {
+    throw new Error("Invalid scan input path: path contains null bytes");
+  }
+  const resolvedPath = resolve2(filePath);
+  const resolved = format === "auto" ? inferFormat(resolvedPath) : format;
   if (resolved === "npm-audit") {
-    return parseNpmAuditJsonFile(filePath);
+    return parseNpmAuditJsonFile(resolvedPath);
   }
   if (resolved === "yarn-audit") {
-    return parseYarnAuditJsonFile(filePath);
+    return parseYarnAuditJsonFile(resolvedPath);
   }
   if (resolved === "sarif") {
-    return parseSarifFile(filePath);
+    return parseSarifFile(resolvedPath);
   }
   throw new Error(`Unsupported input format: ${resolved}`);
 }
@@ -5826,10 +6139,21 @@ async function parseScanInputFromAudit(params) {
   }
 }
 function defaultAuditFormat(pm) {
-  return pm === "yarn" ? "yarn-audit" : "npm-audit";
+  if (pm === "yarn") return "yarn-audit";
+  if (pm === "deno") {
+    throw new Error(
+      "Deno does not support a native audit command. Use --input with a SARIF or npm-audit scan file instead."
+    );
+  }
+  return "npm-audit";
 }
 function ensureAuditFormatCompatibility(pm, resolved) {
   if (resolved === "sarif") return;
+  if (pm === "deno") {
+    throw new Error(
+      "Deno does not support a native audit command. Use --input with a SARIF or npm-audit scan file instead."
+    );
+  }
   if (pm === "yarn" && resolved !== "yarn-audit") {
     throw new Error('Format "npm-audit" is not supported with package manager "yarn" in --audit mode. Use --format yarn-audit or --format auto.');
   }
@@ -5841,7 +6165,7 @@ function inferFormat(filePath) {
   const ext = extname2(filePath).toLowerCase();
   if (ext === ".sarif") return "sarif";
   try {
-    const content = readFileSync13(filePath, "utf8");
+    const content = readFileSync14(filePath, "utf8");
     const firstLine = content.split("\n").find((line) => line.trim().startsWith("{"));
     if (firstLine) {
       const parsed = JSON.parse(firstLine);
@@ -6239,14 +6563,14 @@ async function remediatePortfolio(targets, options = {}) {
 }
 // src/api/update-outdated/index.ts
-import { join as join17 } from "path";
-import { readFileSync as readFileSync14, writeFileSync as writeFileSync6 } from "fs";
+import { join as join18 } from "path";
+import { readFileSync as readFileSync15, writeFileSync as writeFileSync6 } from "fs";
 import { execa as execa13 } from "execa";
 async function applyBump(params) {
-  const pkgPath = join17(params.cwd, "package.json");
+  const pkgPath = join18(params.cwd, "package.json");
   let pkgJson;
   try {
-    pkgJson = JSON.parse(readFileSync14(pkgPath, "utf8"));
+    pkgJson = JSON.parse(readFileSync15(pkgPath, "utf8"));
   } catch {
     return {
       applied: false,
@@ -6547,9 +6871,9 @@ function toSarifOutput(report) {
 }
 // src/version.ts
-import { readFileSync as readFileSync15 } from "fs";
+import { readFileSync as readFileSync16 } from "fs";
 function readPackageVersion() {
-  const raw = readFileSync15(new URL("../package.json", import.meta.url), "utf8");
+  const raw = readFileSync16(new URL("../package.json", import.meta.url), "utf8");
   const metadata = JSON.parse(raw);
   if (!metadata.version) {
     throw new Error("packages/core/package.json is missing a version field.");
@@ -6577,4 +6901,3 @@ export {
   updateOutdated,
   PACKAGE_VERSION
 };
-//# sourceMappingURL=chunk-4CVVRAQM.js.map