npm - bun-scan - Versions diffs - 1.0.1 → 1.1.0-beta.2 - Mend

bun-scan 1.0.1 → 1.1.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/dist/cli.js +1349 -0
package/dist/index.js +1498 -0
package/package.json +22 -25
package/src/__tests__/factory.test.ts +45 -0
package/src/__tests__/multi.test.ts +125 -0
package/src/__tests__/scanner.test.ts +307 -0
package/src/__tests__/setup.ts +5 -0
package/src/cli.ts +8 -14
package/src/index.ts +53 -26
package/src/sources/factory.ts +34 -0
package/src/sources/multi.ts +106 -0
package/LICENSE +0 -22
package/README.md +0 -338
package/SECURITY.md +0 -360
package/src/client.ts +0 -284
package/src/config.ts +0 -151
package/src/constants.ts +0 -121
package/src/logger.ts +0 -80
package/src/processor.ts +0 -195
package/src/retry.ts +0 -86
package/src/schema.ts +0 -124
package/src/semver.ts +0 -109
package/src/severity.ts +0 -103
package/src/types.ts +0 -28

package/dist/cli.js ADDED Viewed

@@ -0,0 +1,1349 @@
+// @bun
+// ../core/src/types.ts
+var DEFAULT_SOURCE = "osv";
+// ../core/src/constants.ts
+var OSV_API = {
+  BASE_URL: "https://api.osv.dev/v1",
+  TIMEOUT_MS: 30000,
+  MAX_BATCH_SIZE: 1000,
+  MAX_RETRY_ATTEMPTS: 2,
+  RETRY_DELAY_MS: 1000,
+  DEFAULT_ECOSYSTEM: "npm"
+};
+var HTTP = {
+  CONTENT_TYPE: "application/json",
+  USER_AGENT: "bun-osv-scanner/1.0.0"
+};
+var SECURITY = {
+  CVSS_FATAL_THRESHOLD: 7,
+  FATAL_SEVERITIES: ["CRITICAL", "HIGH"],
+  MAX_VULNERABILITIES_PER_PACKAGE: 100,
+  MAX_DESCRIPTION_LENGTH: 200
+};
+var PERFORMANCE = {
+  USE_BATCH_QUERIES: true,
+  MAX_CONCURRENT_DETAILS: 10,
+  MAX_RESPONSE_SIZE: 32 * 1024 * 1024
+};
+var ENV = {
+  LOG_LEVEL: "BUN_SCAN_LOG_LEVEL",
+  API_BASE_URL: "OSV_API_BASE_URL",
+  TIMEOUT_MS: "OSV_TIMEOUT_MS",
+  DISABLE_BATCH: "OSV_DISABLE_BATCH"
+};
+function getConfig(envVar, defaultValue, parser) {
+  const envValue = Bun.env[envVar];
+  if (!envValue)
+    return defaultValue;
+  if (parser) {
+    try {
+      return parser(envValue);
+    } catch {
+      return defaultValue;
+    }
+  }
+  if (typeof defaultValue === "number") {
+    const parsed = Number(envValue);
+    return Number.isNaN(parsed) ? defaultValue : parsed;
+  }
+  if (typeof defaultValue === "boolean") {
+    return envValue.toLowerCase() === "true";
+  }
+  return envValue;
+}
+// ../core/src/logger.ts
+var LEVELS = { debug: 0, info: 1, warn: 2, error: 3 };
+function parseLogLevel(level) {
+  if (!level)
+    return null;
+  const normalized = level.toLowerCase();
+  return normalized in LEVELS ? normalized : null;
+}
+function safeStringify(obj) {
+  try {
+    return JSON.stringify(obj);
+  } catch {
+    return "[Circular]";
+  }
+}
+function formatMessage(level, message, context) {
+  const timestamp = new Date().toISOString();
+  const prefix = `[${timestamp}] OSV-${level.toUpperCase()}:`;
+  const contextStr = context ? ` ${safeStringify(context)}` : "";
+  return `${prefix} ${message}${contextStr}`;
+}
+var noop = () => {};
+var realDebug = (message, context) => console.debug(formatMessage("debug", message, context));
+var realInfo = (message, context) => console.info(formatMessage("info", message, context));
+var realWarn = (message, context) => console.warn(formatMessage("warn", message, context));
+var realError = (message, context) => console.error(formatMessage("error", message, context));
+function createLogger(level) {
+  const minLevel = LEVELS[level ?? parseLogLevel(Bun.env[ENV.LOG_LEVEL]) ?? "info"];
+  return {
+    debug: minLevel <= LEVELS.debug ? realDebug : noop,
+    info: minLevel <= LEVELS.info ? realInfo : noop,
+    warn: minLevel <= LEVELS.warn ? realWarn : noop,
+    error: realError
+  };
+}
+var logger = createLogger();
+// ../core/src/retry.ts
+var defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+var sleep = defaultSleep;
+var DEFAULT_RETRY_CONFIG = {
+  maxAttempts: OSV_API.MAX_RETRY_ATTEMPTS + 1,
+  delayMs: OSV_API.RETRY_DELAY_MS,
+  shouldRetry: (error) => {
+    if (error.message.includes("400") || error.message.includes("401") || error.message.includes("403")) {
+      return false;
+    }
+    if (error.message.includes("404")) {
+      return false;
+    }
+    return true;
+  }
+};
+async function withRetry(operation, operationName, config = DEFAULT_RETRY_CONFIG) {
+  let lastError = new Error("Unknown error");
+  for (let attempt = 1;attempt <= config.maxAttempts; attempt++) {
+    try {
+      const result = await operation();
+      if (attempt > 1) {
+        logger.info(`${operationName} succeeded on attempt ${attempt}`);
+      }
+      return result;
+    } catch (error) {
+      lastError = error instanceof Error ? error : new Error(String(error));
+      const isLastAttempt = attempt === config.maxAttempts;
+      const shouldRetry = config.shouldRetry?.(lastError) ?? true;
+      if (isLastAttempt || !shouldRetry) {
+        logger.error(`${operationName} failed after ${attempt} attempts`, {
+          error: lastError.message,
+          attempts: attempt
+        });
+        break;
+      }
+      const delay = config.delayMs * 1.5 ** (attempt - 1);
+      logger.warn(`${operationName} attempt ${attempt} failed, retrying in ${delay}ms`, {
+        error: lastError.message,
+        nextDelay: delay
+      });
+      await sleep(delay);
+    }
+  }
+  throw lastError;
+}
+// ../core/src/config.ts
+import { z } from "zod";
+var IgnorePackageRuleSchema = z.object({
+  vulnerabilities: z.array(z.string()).optional(),
+  until: z.string().optional(),
+  reason: z.string().optional()
+});
+var IgnoreConfigSchema = z.object({
+  ignore: z.array(z.string()).optional(),
+  packages: z.record(z.string(), IgnorePackageRuleSchema).optional()
+});
+var ConfigSchema = z.object({
+  source: z.enum(["osv", "npm", "both"]).catch(DEFAULT_SOURCE).optional(),
+  ignore: z.array(z.string()).optional(),
+  packages: z.record(z.string(), IgnorePackageRuleSchema).optional()
+});
+function compileIgnoreConfig(config) {
+  const ignoreSet = new Set(config.ignore ?? []);
+  const packages = new Map;
+  for (const [name, rule] of Object.entries(config.packages ?? {})) {
+    packages.set(name, {
+      vulnerabilitiesSet: new Set(rule.vulnerabilities ?? []),
+      until: rule.until,
+      reason: rule.reason
+    });
+  }
+  return { ignoreSet, packages };
+}
+var CONFIG_FILES = [".bun-scan.json", ".bun-scan.config.json"];
+async function loadConfig() {
+  for (const filename of CONFIG_FILES) {
+    const config = await tryLoadConfigFile(filename);
+    if (config) {
+      return { source: DEFAULT_SOURCE, ...config };
+    }
+  }
+  return { source: DEFAULT_SOURCE };
+}
+async function tryLoadConfigFile(filename) {
+  try {
+    const file = Bun.file(filename);
+    const exists = await file.exists();
+    if (!exists) {
+      return null;
+    }
+    const content = await file.json();
+    const parsed = ConfigSchema.parse(content);
+    logger.info(`Loaded configuration from ${filename}`);
+    logConfigStats(parsed);
+    return parsed;
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      logger.warn(`Invalid config in ${filename}`, {
+        errors: error.issues.map((e) => `${e.path.join(".")}: ${e.message}`)
+      });
+    } else if (error instanceof SyntaxError) {
+      logger.warn(`Failed to parse ${filename} as JSON`, {
+        error: error.message
+      });
+    }
+    return null;
+  }
+}
+function logConfigStats(config) {
+  const globalIgnores = config.ignore?.length ?? 0;
+  const packageRules = Object.keys(config.packages ?? {}).length;
+  const source = config.source ?? DEFAULT_SOURCE;
+  if (globalIgnores > 0 || packageRules > 0) {
+    logger.info(`Configuration loaded`, {
+      source,
+      globalIgnores,
+      packageRules
+    });
+  }
+}
+function shouldIgnoreVulnerability(vulnId, vulnAliases, packageName, config) {
+  const idsToCheck = [vulnId, ...vulnAliases ?? []];
+  for (const id of idsToCheck) {
+    if (config.ignoreSet.has(id)) {
+      return { ignored: true, reason: `globally ignored (${id})` };
+    }
+  }
+  if (packageName) {
+    const rule = config.packages.get(packageName);
+    if (rule) {
+      if (rule.until) {
+        const untilDate = new Date(rule.until);
+        if (untilDate < new Date) {
+          logger.debug(`Ignore rule for ${packageName} expired on ${rule.until}`);
+          return { ignored: false };
+        }
+      }
+      for (const id of idsToCheck) {
+        if (rule.vulnerabilitiesSet.has(id)) {
+          const reason = rule.reason ? `package rule: ${rule.reason}` : `ignored for ${packageName} (${id})`;
+          return { ignored: true, reason };
+        }
+      }
+    }
+  }
+  return { ignored: false };
+}
+// ../source-osv/src/schema.ts
+import { z as z2 } from "zod";
+var OSVQuerySchema = z2.object({
+  commit: z2.string().optional(),
+  version: z2.string().optional(),
+  package: z2.object({
+    name: z2.string(),
+    ecosystem: z2.string(),
+    purl: z2.string().optional()
+  }).optional(),
+  page_token: z2.string().optional()
+});
+var OSVAffectedSchema = z2.object({
+  package: z2.object({
+    name: z2.string(),
+    ecosystem: z2.string(),
+    purl: z2.string().optional()
+  }),
+  ranges: z2.array(z2.object({
+    type: z2.string(),
+    repo: z2.string().optional(),
+    events: z2.array(z2.object({
+      introduced: z2.string().optional(),
+      fixed: z2.string().optional(),
+      last_affected: z2.string().optional()
+    }))
+  })).optional(),
+  versions: z2.array(z2.string()).optional(),
+  ecosystem_specific: z2.record(z2.string(), z2.any()).optional(),
+  database_specific: z2.record(z2.string(), z2.any()).optional()
+});
+var OSVVulnerabilitySchema = z2.object({
+  id: z2.string(),
+  summary: z2.string().optional(),
+  details: z2.string().optional(),
+  modified: z2.string().optional(),
+  published: z2.string().optional(),
+  withdrawn: z2.string().optional(),
+  aliases: z2.array(z2.string()).optional(),
+  related: z2.array(z2.string()).optional(),
+  schema_version: z2.string().optional(),
+  affected: z2.array(OSVAffectedSchema).optional(),
+  references: z2.array(z2.object({
+    type: z2.string().optional(),
+    url: z2.string()
+  })).optional(),
+  database_specific: z2.record(z2.string(), z2.any()).optional(),
+  severity: z2.array(z2.object({
+    type: z2.string(),
+    score: z2.string()
+  })).optional(),
+  ecosystem_specific: z2.record(z2.string(), z2.any()).optional(),
+  credits: z2.array(z2.object({
+    name: z2.string(),
+    contact: z2.array(z2.string()).optional(),
+    type: z2.string().optional()
+  })).optional()
+});
+var OSVResponseSchema = z2.object({
+  vulns: z2.array(OSVVulnerabilitySchema).optional(),
+  next_page_token: z2.string().optional()
+});
+var OSVBatchQuerySchema = z2.object({
+  queries: z2.array(OSVQuerySchema)
+});
+var OSVBatchResponseSchema = z2.object({
+  results: z2.array(z2.object({
+    vulns: z2.array(z2.object({
+      id: z2.string(),
+      modified: z2.string()
+    })).optional(),
+    next_page_token: z2.string().optional()
+  }))
+});
+// ../source-osv/src/client.ts
+function createOSVClient() {
+  const baseUrl = getConfig(ENV.API_BASE_URL, OSV_API.BASE_URL);
+  const timeout = getConfig(ENV.TIMEOUT_MS, OSV_API.TIMEOUT_MS);
+  const useBatch = !getConfig(ENV.DISABLE_BATCH, false);
+  function deduplicatePackages(packages) {
+    const packageMap = new Map;
+    for (const pkg of packages) {
+      const key = `${pkg.name}@${pkg.version}`;
+      if (!packageMap.has(key)) {
+        packageMap.set(key, pkg);
+      }
+    }
+    const uniquePackages = Array.from(packageMap.values());
+    if (uniquePackages.length < packages.length) {
+      logger.debug(`Deduplicated ${packages.length} packages to ${uniquePackages.length} unique packages`);
+    }
+    return uniquePackages;
+  }
+  async function executeBatchQuery(queries) {
+    const vulnerabilityIds = [];
+    const response = await withRetry(async () => {
+      const res = await fetch(`${baseUrl}/querybatch`, {
+        method: "POST",
+        headers: {
+          "Content-Type": HTTP.CONTENT_TYPE,
+          "User-Agent": HTTP.USER_AGENT
+        },
+        body: JSON.stringify({ queries }),
+        signal: AbortSignal.timeout(timeout)
+      });
+      if (!res.ok) {
+        throw new Error(`OSV API returned ${res.status}: ${res.statusText}`);
+      }
+      return res;
+    }, `OSV batch query (${queries.length} packages)`);
+    const data = await response.json();
+    const parsed = OSVBatchResponseSchema.parse(data);
+    for (const result of parsed.results) {
+      if (result.vulns) {
+        vulnerabilityIds.push(...result.vulns.map((v) => v.id));
+      }
+    }
+    const vulnCount = parsed.results.reduce((sum, r) => sum + (r.vulns?.length || 0), 0);
+    logger.info(`Batch query found ${vulnCount} vulnerabilities across ${queries.length} packages`);
+    return [...new Set(vulnerabilityIds)];
+  }
+  async function fetchSingleVulnerability(id) {
+    try {
+      return await withRetry(async () => {
+        const response = await fetch(`${baseUrl}/vulns/${id}`, {
+          headers: {
+            "User-Agent": HTTP.USER_AGENT
+          },
+          signal: AbortSignal.timeout(timeout)
+        });
+        if (!response.ok) {
+          throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+        }
+        const data = await response.json();
+        return OSVVulnerabilitySchema.parse(data);
+      }, `Get vulnerability ${id}`);
+    } catch (error) {
+      logger.warn(`Failed to fetch vulnerability ${id}`, {
+        error: error instanceof Error ? error.message : String(error)
+      });
+      return null;
+    }
+  }
+  async function fetchVulnerabilityDetails(ids) {
+    if (ids.length === 0)
+      return [];
+    const uniqueIds = [...new Set(ids)];
+    logger.info(`Fetching details for ${uniqueIds.length} vulnerabilities`);
+    const chunkSize = PERFORMANCE.MAX_CONCURRENT_DETAILS;
+    const vulnerabilities = [];
+    for (let i = 0;i < uniqueIds.length; i += chunkSize) {
+      const chunk = uniqueIds.slice(i, i + chunkSize);
+      const chunkResults = await Promise.allSettled(chunk.map((id) => fetchSingleVulnerability(id)));
+      for (const result of chunkResults) {
+        if (result.status === "fulfilled" && result.value) {
+          vulnerabilities.push(result.value);
+        }
+      }
+    }
+    logger.info(`Retrieved ${vulnerabilities.length}/${uniqueIds.length} vulnerability details`);
+    return vulnerabilities;
+  }
+  async function queryWithBatch(queries) {
+    const vulnerabilityIds = [];
+    for (let i = 0;i < queries.length; i += OSV_API.MAX_BATCH_SIZE) {
+      const batchQueries = queries.slice(i, i + OSV_API.MAX_BATCH_SIZE);
+      try {
+        const batchIds = await executeBatchQuery(batchQueries);
+        vulnerabilityIds.push(...batchIds);
+      } catch (error) {
+        logger.error(`Batch query failed for ${batchQueries.length} packages`, {
+          error: error instanceof Error ? error.message : String(error),
+          startIndex: i
+        });
+      }
+    }
+    return await fetchVulnerabilityDetails(vulnerabilityIds);
+  }
+  async function querySinglePackage(query) {
+    const allVulns = [];
+    let currentQuery = { ...query };
+    while (true) {
+      try {
+        const response = await withRetry(async () => {
+          const res = await fetch(`${baseUrl}/query`, {
+            method: "POST",
+            headers: {
+              "Content-Type": HTTP.CONTENT_TYPE,
+              "User-Agent": HTTP.USER_AGENT
+            },
+            body: JSON.stringify(currentQuery),
+            signal: AbortSignal.timeout(timeout)
+          });
+          if (!res.ok) {
+            throw new Error(`HTTP ${res.status}: ${res.statusText}`);
+          }
+          return res;
+        }, `OSV query for ${query.package?.name || "unknown"}@${query.version || "unknown"}`);
+        const data = await response.json();
+        const parsed = OSVResponseSchema.parse(data);
+        if (parsed.vulns) {
+          allVulns.push(...parsed.vulns);
+        }
+        if (parsed.next_page_token) {
+          currentQuery = { ...query, page_token: parsed.next_page_token };
+        } else {
+          break;
+        }
+      } catch (error) {
+        logger.warn(`Query failed for ${query.package?.name || "unknown"}@${query.version || "unknown"}`, {
+          error: error instanceof Error ? error.message : String(error)
+        });
+        break;
+      }
+    }
+    return allVulns;
+  }
+  async function queryIndividually(queries) {
+    const responses = await Promise.allSettled(queries.map((query) => querySinglePackage(query)));
+    const vulnerabilities = [];
+    let successCount = 0;
+    for (const response of responses) {
+      if (response.status === "fulfilled") {
+        vulnerabilities.push(...response.value);
+        successCount++;
+      }
+    }
+    logger.info(`Individual queries completed: ${successCount}/${queries.length} successful`);
+    return vulnerabilities;
+  }
+  async function queryVulnerabilities(packages) {
+    if (packages.length === 0) {
+      return [];
+    }
+    const uniquePackages = deduplicatePackages(packages);
+    logger.info(`Scanning ${uniquePackages.length} unique packages (${packages.length} total)`);
+    const queries = uniquePackages.map((pkg) => ({
+      package: {
+        name: pkg.name,
+        ecosystem: OSV_API.DEFAULT_ECOSYSTEM
+      },
+      version: pkg.version
+    }));
+    if (useBatch && queries.length > 1) {
+      return await queryWithBatch(queries);
+    } else {
+      return await queryIndividually(queries);
+    }
+  }
+  return {
+    queryVulnerabilities
+  };
+}
+// ../source-osv/src/semver.ts
+function isPackageAffected(pkg, affected) {
+  if (affected.package.name !== pkg.name) {
+    return false;
+  }
+  if (affected.versions?.includes(pkg.version)) {
+    logger.debug(`Package ${pkg.name}@${pkg.version} found in explicit versions list`);
+    return true;
+  }
+  if (affected.ranges) {
+    for (const range of affected.ranges) {
+      if (isVersionInRange(pkg.version, range)) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function isVersionInRange(version, range) {
+  if (!range.events || range.events.length === 0) {
+    return false;
+  }
+  if (range.type === "SEMVER") {
+    return isVersionInSemverRange(version, range);
+  }
+  logger.debug(`Unsupported range type: ${range.type}`, { range });
+  return false;
+}
+function isVersionInSemverRange(version, range) {
+  try {
+    const rangeGroups = [];
+    let currentGroup = [];
+    for (const event of range.events) {
+      if (event.introduced) {
+        if (currentGroup.length > 0) {
+          rangeGroups.push(currentGroup.join(" "));
+          currentGroup = [];
+        }
+        if (event.introduced === "0") {
+          currentGroup.push("*");
+        } else {
+          currentGroup.push(`>=${event.introduced}`);
+        }
+      }
+      if (event.fixed) {
+        currentGroup.push(`<${event.fixed}`);
+        rangeGroups.push(currentGroup.join(" "));
+        currentGroup = [];
+      }
+      if (event.last_affected) {
+        currentGroup.push(`<=${event.last_affected}`);
+        rangeGroups.push(currentGroup.join(" "));
+        currentGroup = [];
+      }
+    }
+    if (currentGroup.length > 0) {
+      rangeGroups.push(currentGroup.join(" "));
+    }
+    if (rangeGroups.length === 0) {
+      return false;
+    }
+    const combinedRange = rangeGroups.join(" || ");
+    logger.debug(`Checking ${version} against range: ${combinedRange}`);
+    return Bun.semver.satisfies(version, combinedRange);
+  } catch (error) {
+    logger.warn(`Failed to parse semver range`, {
+      version,
+      range: range.events,
+      error: error instanceof Error ? error.message : String(error)
+    });
+    return false;
+  }
+}
+// ../source-osv/src/severity.ts
+function mapSeverityToLevel(vuln) {
+  const dbSeverity = vuln.database_specific?.severity;
+  if (dbSeverity && isFatalSeverity(dbSeverity)) {
+    logger.debug(`Vulnerability ${vuln.id} marked fatal due to database severity: ${dbSeverity}`);
+    return "fatal";
+  }
+  if (vuln.severity) {
+    const cvssScore = extractHighestCVSSScore(vuln.severity);
+    if (cvssScore !== null && cvssScore >= SECURITY.CVSS_FATAL_THRESHOLD) {
+      logger.debug(`Vulnerability ${vuln.id} marked fatal due to CVSS score: ${cvssScore}`);
+      return "fatal";
+    }
+  }
+  logger.debug(`Vulnerability ${vuln.id} marked as warning (default)`);
+  return "warn";
+}
+function isFatalSeverity(severity) {
+  return typeof severity === "string" && SECURITY.FATAL_SEVERITIES.includes(severity);
+}
+function extractHighestCVSSScore(severities) {
+  if (!Array.isArray(severities))
+    return null;
+  let highestScore = null;
+  for (const severity of severities) {
+    if (!severity.type.startsWith("CVSS"))
+      continue;
+    const score = parseCVSSScore(severity.score, severity.type);
+    if (score !== null && (highestScore === null || score > highestScore)) {
+      highestScore = score;
+    }
+  }
+  return highestScore;
+}
+function parseCVSSScore(scoreString, type) {
+  try {
+    if (scoreString.includes("CVSS:")) {
+      const vectorMatch = scoreString.match(/CVSS:[\d.]+\/.*?(\d+\.\d+|\d+)$/);
+      if (vectorMatch?.[1]) {
+        return parseFloat(vectorMatch[1]);
+      }
+      const scoreMatch = scoreString.match(/(\d+\.\d+|\d+)$/);
+      if (scoreMatch?.[1]) {
+        return parseFloat(scoreMatch[1]);
+      }
+    }
+    const numericScore = parseFloat(scoreString);
+    if (!Number.isNaN(numericScore) && numericScore >= 0 && numericScore <= 10) {
+      return numericScore;
+    }
+    logger.debug(`Failed to parse CVSS score`, { type, scoreString });
+    return null;
+  } catch (error) {
+    logger.warn(`Error parsing CVSS score`, {
+      type,
+      scoreString,
+      error: error instanceof Error ? error.message : String(error)
+    });
+    return null;
+  }
+}
+// ../source-osv/src/processor.ts
+var HOSTNAME_REGEX = /^https?:\/\/([^/:?#]+)(?::\d+)?(?:[/?#]|$)/;
+var CVE_HOSTS = new Set(["cve.mitre.org", "nvd.nist.gov"]);
+function createVulnerabilityProcessor(ignoreConfig = {}) {
+  const compiledIgnoreConfig = compileIgnoreConfig(ignoreConfig);
+  let ignoredCount = 0;
+  function getVulnerabilityUrl(vuln) {
+    if (!vuln.references || vuln.references.length === 0) {
+      return null;
+    }
+    const advisoryRef = vuln.references.find((ref) => ref.type === "ADVISORY" || ref.url.includes("github.com/advisories"));
+    if (advisoryRef) {
+      return advisoryRef.url;
+    }
+    const cveRef = vuln.references.find((ref) => {
+      const match = ref.url.match(HOSTNAME_REGEX);
+      const hostname = match?.[1]?.toLowerCase();
+      return hostname ? CVE_HOSTS.has(hostname) : false;
+    });
+    if (cveRef) {
+      return cveRef.url;
+    }
+    return vuln.references[0]?.url || null;
+  }
+  function getVulnerabilityDescription(vuln) {
+    if (vuln.summary?.trim()) {
+      return vuln.summary.trim();
+    }
+    if (vuln.details?.trim()) {
+      const details = vuln.details.trim();
+      if (details.length <= SECURITY.MAX_DESCRIPTION_LENGTH) {
+        return details;
+      }
+      const firstSentence = details.match(/^[^.!?]*[.!?]/)?.[0];
+      if (firstSentence && firstSentence.length <= SECURITY.MAX_DESCRIPTION_LENGTH) {
+        return firstSentence;
+      }
+      return `${details.substring(0, SECURITY.MAX_DESCRIPTION_LENGTH - 3)}...`;
+    }
+    return null;
+  }
+  function createAdvisory(vuln, pkg) {
+    const level = mapSeverityToLevel(vuln);
+    const url = getVulnerabilityUrl(vuln);
+    const description = getVulnerabilityDescription(vuln);
+    return {
+      id: vuln.id,
+      message: vuln.summary || vuln.details || vuln.id,
+      level,
+      package: pkg.name,
+      url,
+      description
+    };
+  }
+  function processVulnerability(vuln, packagesByName, processedPairs, compiledConfig) {
+    const advisories = [];
+    if (!vuln.affected) {
+      logger.debug(`Vulnerability ${vuln.id} has no affected packages`);
+      return advisories;
+    }
+    for (const affected of vuln.affected) {
+      const matchingPackages = packagesByName.get(affected.package.name);
+      if (!matchingPackages) {
+        continue;
+      }
+      for (const pkg of matchingPackages) {
+        const pairKey = `${vuln.id}:${pkg.name}@${pkg.version}`;
+        if (processedPairs.has(pairKey)) {
+          continue;
+        }
+        if (isPackageAffected(pkg, affected)) {
+          const ignoreResult = shouldIgnoreVulnerability(vuln.id, vuln.aliases, pkg.name, compiledConfig);
+          if (ignoreResult.ignored) {
+            logger.debug(`Ignoring ${vuln.id} for ${pkg.name}: ${ignoreResult.reason}`);
+            ignoredCount++;
+            processedPairs.add(pairKey);
+            continue;
+          }
+          const advisory = createAdvisory(vuln, pkg);
+          advisories.push(advisory);
+          processedPairs.add(pairKey);
+          logger.debug(`Created advisory for ${pkg.name}@${pkg.version}`, {
+            vulnerability: vuln.id,
+            level: advisory.level
+          });
+          break;
+        }
+      }
+    }
+    return advisories;
+  }
+  function processVulnerabilities(vulnerabilities, packages) {
+    if (vulnerabilities.length === 0 || packages.length === 0) {
+      return [];
+    }
+    logger.info(`Processing ${vulnerabilities.length} vulnerabilities against ${packages.length} packages`);
+    const packagesByName = new Map;
+    for (const pkg of packages) {
+      const existing = packagesByName.get(pkg.name);
+      if (existing) {
+        existing.push(pkg);
+      } else {
+        packagesByName.set(pkg.name, [pkg]);
+      }
+    }
+    const advisories = [];
+    const processedPairs = new Set;
+    ignoredCount = 0;
+    for (const vuln of vulnerabilities) {
+      const vulnAdvisories = processVulnerability(vuln, packagesByName, processedPairs, compiledIgnoreConfig);
+      advisories.push(...vulnAdvisories);
+    }
+    if (ignoredCount > 0) {
+      logger.info(`Ignored ${ignoredCount} vulnerabilities based on config`);
+    }
+    logger.info(`Generated ${advisories.length} security advisories`);
+    return advisories;
+  }
+  return {
+    processVulnerabilities
+  };
+}
+// ../source-osv/src/index.ts
+function createOSVSource(ignoreConfig = {}) {
+  const client = createOSVClient();
+  const processor = createVulnerabilityProcessor(ignoreConfig);
+  return {
+    name: "osv",
+    async scan(packages) {
+      logger.info(`[OSV] Starting scan for ${packages.length} packages`);
+      const vulnerabilities = await client.queryVulnerabilities(packages);
+      const advisories = processor.processVulnerabilities(vulnerabilities, packages);
+      logger.info(`[OSV] Scan complete: ${advisories.length} advisories found`);
+      return advisories;
+    }
+  };
+}
+// ../source-npm/src/schema.ts
+import { z as z3 } from "zod";
+var NpmAuditRequestSchema = z3.record(z3.string(), z3.array(z3.string()));
+var NpmAdvisorySchema = z3.object({
+  id: z3.union([z3.string(), z3.number()]),
+  title: z3.string(),
+  name: z3.string().optional(),
+  module_name: z3.string().optional(),
+  severity: z3.enum(["critical", "high", "moderate", "low", "info"]),
+  vulnerable_versions: z3.string(),
+  patched_versions: z3.string().optional(),
+  url: z3.string(),
+  overview: z3.string().optional(),
+  recommendation: z3.string().optional(),
+  references: z3.string().optional(),
+  access: z3.string().optional(),
+  cwe: z3.union([z3.string(), z3.array(z3.string())]).optional(),
+  cves: z3.array(z3.string()).optional(),
+  cvss: z3.object({
+    score: z3.number(),
+    vectorString: z3.string().nullable().optional()
+  }).optional(),
+  findings: z3.array(z3.object({
+    version: z3.string(),
+    paths: z3.array(z3.string())
+  })).optional(),
+  created: z3.string().optional(),
+  updated: z3.string().optional(),
+  deleted: z3.boolean().optional(),
+  github_advisory_id: z3.string().optional()
+});
+var NpmAuditResponseSchema = z3.record(z3.string(), z3.array(NpmAdvisorySchema));
+// ../source-npm/src/constants.ts
+var NPM_AUDIT_API = {
+  REGISTRY_URL: "https://registry.npmjs.org",
+  BULK_ADVISORY_PATH: "/-/npm/v1/security/advisories/bulk",
+  TIMEOUT_MS: 30000,
+  MAX_RETRY_ATTEMPTS: 2,
+  RETRY_DELAY_MS: 1000,
+  MAX_PACKAGES_PER_REQUEST: 1000
+};
+var HTTP2 = {
+  CONTENT_TYPE: "application/json",
+  CONTENT_ENCODING: "gzip",
+  USER_AGENT: "@bun-security-scanner/npm/1.0.0"
+};
+var SECURITY2 = {
+  CVSS_FATAL_THRESHOLD: 7,
+  FATAL_SEVERITIES: ["critical", "high"],
+  MAX_VULNERABILITIES_PER_PACKAGE: 100,
+  MAX_DESCRIPTION_LENGTH: 200
+};
+var ENV2 = {
+  REGISTRY_URL: "NPM_SCANNER_REGISTRY_URL",
+  TIMEOUT_MS: "NPM_SCANNER_TIMEOUT_MS"
+};
+function getConfig2(envVar, defaultValue, parser) {
+  const envValue = Bun.env[envVar];
+  if (!envValue)
+    return defaultValue;
+  if (parser) {
+    try {
+      return parser(envValue);
+    } catch {
+      return defaultValue;
+    }
+  }
+  if (typeof defaultValue === "number") {
+    const parsed = Number(envValue);
+    return Number.isNaN(parsed) ? defaultValue : parsed;
+  }
+  if (typeof defaultValue === "boolean") {
+    return envValue.toLowerCase() === "true";
+  }
+  return envValue;
+}
+// ../source-npm/src/client.ts
+function createNpmAuditClient() {
+  const registryUrl = getConfig2(ENV2.REGISTRY_URL, NPM_AUDIT_API.REGISTRY_URL);
+  const timeout = getConfig2(ENV2.TIMEOUT_MS, NPM_AUDIT_API.TIMEOUT_MS);
+  function deduplicatePackages(packages) {
+    const packageMap = new Map;
+    for (const pkg of packages) {
+      const key = `${pkg.name}@${pkg.version}`;
+      if (!packageMap.has(key)) {
+        packageMap.set(key, pkg);
+      }
+    }
+    const uniquePackages = Array.from(packageMap.values());
+    if (uniquePackages.length < packages.length) {
+      logger.debug(`Deduplicated ${packages.length} packages to ${uniquePackages.length} unique packages`);
+    }
+    return uniquePackages;
+  }
+  function buildRequestPayload(packages) {
+    const payload = {};
+    for (const pkg of packages) {
+      if (!payload[pkg.name]) {
+        payload[pkg.name] = [];
+      }
+      const versions = payload[pkg.name];
+      if (versions && !versions.includes(pkg.version)) {
+        versions.push(pkg.version);
+      }
+    }
+    return payload;
+  }
+  async function executeBulkQuery(payload) {
+    const packageCount = Object.keys(payload).length;
+    const versionCount = Object.values(payload).reduce((sum, versions) => sum + versions.length, 0);
+    logger.debug(`Querying ${packageCount} packages with ${versionCount} versions`);
+    const jsonPayload = JSON.stringify(payload);
+    const compressedPayload = Bun.gzipSync(jsonPayload);
+    const response = await withRetry(async () => {
+      const url = `${registryUrl}${NPM_AUDIT_API.BULK_ADVISORY_PATH}`;
+      const res = await fetch(url, {
+        method: "POST",
+        headers: {
+          "Content-Type": HTTP2.CONTENT_TYPE,
+          "Content-Encoding": HTTP2.CONTENT_ENCODING,
+          "User-Agent": HTTP2.USER_AGENT,
+          Accept: HTTP2.CONTENT_TYPE
+        },
+        body: compressedPayload,
+        signal: AbortSignal.timeout(timeout)
+      });
+      if (!res.ok) {
+        throw new Error(`npm registry returned ${res.status}: ${res.statusText}`);
+      }
+      return res;
+    }, `npm audit query (${packageCount} packages)`, {
+      maxAttempts: NPM_AUDIT_API.MAX_RETRY_ATTEMPTS + 1,
+      delayMs: NPM_AUDIT_API.RETRY_DELAY_MS
+    });
+    const data = await response.json();
+    const parsedResponse = NpmAuditResponseSchema.parse(data);
+    const advisories = [];
+    for (const [packageName, packageAdvisories] of Object.entries(parsedResponse)) {
+      for (const advisory of packageAdvisories) {
+        advisories.push({
+          ...advisory,
+          name: advisory.name || packageName
+        });
+      }
+    }
+    logger.info(`Found ${advisories.length} advisories for ${packageCount} packages`);
+    return advisories;
+  }
+  async function queryInBatches(packages) {
+    const advisories = [];
+    const batchSize = NPM_AUDIT_API.MAX_PACKAGES_PER_REQUEST;
+    for (let i = 0;i < packages.length; i += batchSize) {
+      const batch = packages.slice(i, i + batchSize);
+      const payload = buildRequestPayload(batch);
+      try {
+        const batchAdvisories = await executeBulkQuery(payload);
+        advisories.push(...batchAdvisories);
+      } catch (error) {
+        logger.error(`Batch query failed for ${batch.length} packages`, {
+          error: error instanceof Error ? error.message : String(error),
+          startIndex: i
+        });
+      }
+    }
+    return advisories;
+  }
+  async function queryVulnerabilities(packages) {
+    if (packages.length === 0) {
+      return [];
+    }
+    const uniquePackages = deduplicatePackages(packages);
+    logger.info(`Scanning ${uniquePackages.length} unique packages (${packages.length} total)`);
+    const requestPayload = buildRequestPayload(uniquePackages);
+    if (uniquePackages.length > NPM_AUDIT_API.MAX_PACKAGES_PER_REQUEST) {
+      return await queryInBatches(uniquePackages);
+    }
+    return await executeBulkQuery(requestPayload);
+  }
+  return {
+    queryVulnerabilities
+  };
+}
+// ../source-npm/src/severity.ts
+function mapSeverityToLevel2(severity) {
+  if (isFatalSeverity2(severity)) {
+    logger.debug(`Advisory marked fatal due to npm severity: ${severity}`);
+    return "fatal";
+  }
+  logger.debug(`Advisory marked as warning (severity: ${severity})`);
+  return "warn";
+}
+function isFatalSeverity2(severity) {
+  return SECURITY2.FATAL_SEVERITIES.includes(severity);
+}
+// ../source-npm/src/processor.ts
+function createAdvisoryProcessor(ignoreConfig = {}) {
+  const compiledIgnoreConfig = compileIgnoreConfig(ignoreConfig);
+  let ignoredCount = 0;
+  function buildAliases(advisory) {
+    const aliases = new Set([
+      ...advisory.cves ?? [],
+      ...advisory.github_advisory_id ? [advisory.github_advisory_id.toUpperCase()] : []
+    ]);
+    const ghsaFromUrl = extractGhsaFromUrl(advisory.url);
+    if (ghsaFromUrl) {
+      aliases.add(ghsaFromUrl);
+    }
+    return Array.from(aliases);
+  }
+  function extractGhsaFromUrl(url) {
+    const match = url.match(/GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i);
+    return match ? match[0].toUpperCase() : null;
+  }
+  function isVersionAffected(version, vulnerableVersions) {
+    try {
+      return Bun.semver.satisfies(version, vulnerableVersions);
+    } catch (error) {
+      logger.warn(`Failed to parse version range "${vulnerableVersions}" for version ${version}`, {
+        error: error instanceof Error ? error.message : String(error)
+      });
+      return false;
+    }
+  }
+  function getAdvisoryDescription(advisory) {
+    if (advisory.overview?.trim()) {
+      const overview = advisory.overview.trim();
+      if (overview.length <= SECURITY2.MAX_DESCRIPTION_LENGTH) {
+        return overview;
+      }
+      const firstSentence = overview.match(/^[^.!?]*[.!?]/)?.[0];
+      if (firstSentence && firstSentence.length <= SECURITY2.MAX_DESCRIPTION_LENGTH) {
+        return firstSentence;
+      }
+      return `${overview.substring(0, SECURITY2.MAX_DESCRIPTION_LENGTH - 3)}...`;
+    }
+    if (advisory.recommendation?.trim()) {
+      const recommendation = advisory.recommendation.trim();
+      if (recommendation.length <= SECURITY2.MAX_DESCRIPTION_LENGTH) {
+        return recommendation;
+      }
+      return `${recommendation.substring(0, SECURITY2.MAX_DESCRIPTION_LENGTH - 3)}...`;
+    }
+    return null;
+  }
+  function createBunAdvisory(advisory, pkg, aliases) {
+    const level = mapSeverityToLevel2(advisory.severity);
+    const description = getAdvisoryDescription(advisory);
+    const message = advisory.title || `Security advisory ${advisory.id}`;
+    return {
+      id: String(advisory.id),
+      message,
+      level,
+      package: pkg.name,
+      url: advisory.url,
+      description,
+      aliases
+    };
+  }
+  function processAdvisory(advisory, packages, processedPairs, compiledConfig) {
+    const bunAdvisories = [];
+    const advisoryPackageName = advisory.name || advisory.module_name;
+    if (!advisoryPackageName) {
+      logger.debug(`Advisory ${advisory.id} has no package name`);
+      return bunAdvisories;
+    }
+    const aliases = buildAliases(advisory);
+    for (const pkg of packages) {
+      if (pkg.name !== advisoryPackageName) {
+        continue;
+      }
+      const pairKey = `${advisory.id}:${pkg.name}@${pkg.version}`;
+      if (processedPairs.has(pairKey)) {
+        continue;
+      }
+      if (isVersionAffected(pkg.version, advisory.vulnerable_versions)) {
+        const ignoreResult = shouldIgnoreVulnerability(String(advisory.id), aliases, pkg.name, compiledConfig);
+        if (ignoreResult.ignored) {
+          logger.debug(`Ignoring ${advisory.id} for ${pkg.name}: ${ignoreResult.reason}`);
+          ignoredCount++;
+          processedPairs.add(pairKey);
+          continue;
+        }
+        const bunAdvisory = createBunAdvisory(advisory, pkg, aliases);
+        bunAdvisories.push(bunAdvisory);
+        processedPairs.add(pairKey);
+        logger.debug(`Created advisory for ${pkg.name}@${pkg.version}`, {
+          advisory: advisory.id,
+          level: bunAdvisory.level
+        });
+      }
+    }
+    return bunAdvisories;
+  }
+  function processAdvisories(advisories, packages) {
+    if (advisories.length === 0 || packages.length === 0) {
+      return [];
+    }
+    logger.info(`Processing ${advisories.length} advisories against ${packages.length} packages`);
+    ignoredCount = 0;
+    const bunAdvisories = [];
+    const processedPairs = new Set;
+    for (const advisory of advisories) {
+      const matched = processAdvisory(advisory, packages, processedPairs, compiledIgnoreConfig);
+      bunAdvisories.push(...matched);
+    }
+    if (ignoredCount > 0) {
+      logger.info(`Ignored ${ignoredCount} advisories based on configuration`);
+    }
+    logger.info(`Generated ${bunAdvisories.length} security advisories`);
+    return bunAdvisories;
+  }
+  return {
+    processAdvisories
+  };
+}
+// ../source-npm/src/index.ts
+function createNpmSource(ignoreConfig = {}) {
+  const client = createNpmAuditClient();
+  const processor = createAdvisoryProcessor(ignoreConfig);
+  return {
+    name: "npm",
+    async scan(packages) {
+      if (packages.length === 0)
+        return [];
+      logger.info(`[npm] Starting scan for ${packages.length} packages`);
+      const advisories = await client.queryVulnerabilities(packages);
+      const bunAdvisories = processor.processAdvisories(advisories, packages);
+      logger.info(`[npm] Scan complete: ${bunAdvisories.length} advisories found`);
+      return bunAdvisories;
+    }
+  };
+}
+// src/sources/factory.ts
+function createSources(type, ignoreConfig) {
+  switch (type) {
+    case "osv":
+      return [createOSVSource(ignoreConfig)];
+    case "npm":
+      return [createNpmSource(ignoreConfig)];
+    case "both":
+      return [createOSVSource(ignoreConfig), createNpmSource(ignoreConfig)];
+    default:
+      throw new Error(`Unknown source type: ${type}`);
+  }
+}
+// src/sources/multi.ts
+function createMultiSourceScanner(sources) {
+  if (sources.length === 0) {
+    throw new Error("MultiSourceScanner requires at least one source");
+  }
+  function isHigherSeverity(a, b) {
+    const priority = { fatal: 2, warn: 1 };
+    return (priority[a] ?? 0) > (priority[b] ?? 0);
+  }
+  function deduplicateAdvisories(advisories) {
+    const map = new Map;
+    for (const advisory of advisories) {
+      const currentIds = new Set([advisory.id, ...advisory.aliases ?? []]);
+      const packageKey = advisory.package;
+      let existingKey = null;
+      for (const id of currentIds) {
+        const key = `${packageKey}:${id}`;
+        if (map.has(key)) {
+          existingKey = key;
+          break;
+        }
+      }
+      if (!existingKey) {
+        for (const id of currentIds) {
+          map.set(`${packageKey}:${id}`, advisory);
+        }
+        continue;
+      }
+      const existing = map.get(existingKey);
+      const winner = isHigherSeverity(advisory.level, existing.level) ? advisory : existing;
+      const existingIds = new Set([existing.id, ...existing.aliases ?? []]);
+      const mergedIds = new Set([...currentIds, ...existingIds]);
+      for (const id of mergedIds) {
+        map.set(`${packageKey}:${id}`, winner);
+      }
+    }
+    return Array.from(new Set(map.values()));
+  }
+  async function scan(packages) {
+    const sourceNames = sources.map((s) => s.name).join(", ");
+    logger.info(`Scanning with sources: ${sourceNames}`);
+    const results = await Promise.allSettled(sources.map((source) => source.scan(packages)));
+    const allAdvisories = [];
+    for (const [i, result] of results.entries()) {
+      const source = sources[i];
+      if (!source)
+        continue;
+      if (result.status === "fulfilled") {
+        logger.info(`[${source.name}] Found ${result.value.length} advisories`);
+        allAdvisories.push(...result.value);
+      } else {
+        logger.error(`[${source.name}] Scan failed`, {
+          error: result.reason instanceof Error ? result.reason.message : String(result.reason)
+        });
+      }
+    }
+    return deduplicateAdvisories(allAdvisories);
+  }
+  return {
+    scan
+  };
+}
+// src/index.ts
+var scanner = {
+  version: "1",
+  async scan({ packages }) {
+    try {
+      logger.info(`Starting vulnerability scan for ${packages.length} packages`);
+      const config = await loadConfig();
+      const sources = createSources(config.source ?? "osv", config);
+      const multiScanner = createMultiSourceScanner(sources);
+      const advisories = await multiScanner.scan(packages);
+      logger.info(`Scan completed: ${advisories.length} advisories found for ${packages.length} packages`);
+      return advisories;
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      logger.error("Scanner encountered an unexpected error", {
+        error: message
+      });
+      return [];
+    }
+  }
+};
+if (false) {}
+// src/cli.ts
+function printUsage() {
+  console.log(`
+Bun Vulnerability Scanner CLI
+Usage:
+  bun run src/cli.ts test <package@version> [package@version...]
+  bun run src/cli.ts scan <package.json>
+  bun run src/cli.ts --help
+Commands:
+  test      Test scanning specific packages
+  scan      Scan packages from a package.json file
+  --help    Show this help message
+Examples:
+  bun run src/cli.ts test lodash@4.17.20 express@4.18.0
+  bun run src/cli.ts test event-stream@3.3.6
+  bun run src/cli.ts scan ./package.json
+Environment Variables:
+  BUN_SCAN_LOG_LEVEL  Set logging level (debug, info, warn, error)
+  BUN_SCAN_SOURCE     Set vulnerability source (osv, npm, both)
+`);
+}
+function exitWithError(message, code = 1) {
+  logger.error(message);
+  process.exit(code);
+}
+async function testPackages(packageSpecs) {
+  if (packageSpecs.length === 0) {
+    exitWithError("No packages specified for testing");
+  }
+  const packages = [];
+  for (const spec of packageSpecs) {
+    const match = spec.match(/^(.+)@(.+)$/);
+    if (!match) {
+      exitWithError(`Invalid package specification: ${spec}. Use format: package@version`);
+    }
+    const [, name, version] = match;
+    if (!name || !version) {
+      exitWithError(`Invalid package specification: ${spec}`);
+    }
+    packages.push({
+      name,
+      version,
+      requestedRange: version,
+      tarball: `https://registry.npmjs.org/${name}/-/${name}-${version}.tgz`
+    });
+  }
+  logger.info(`Testing ${packages.length} packages:`);
+  for (const pkg of packages) {
+    logger.info(`  - ${pkg.name}@${pkg.version}`);
+  }
+  const startTime = Date.now();
+  const advisories = await scanner.scan({ packages });
+  const duration = Date.now() - startTime;
+  console.log(`
+\uD83D\uDCCA Scan Results (completed in ${duration}ms):`);
+  console.log(`Packages scanned: ${packages.length}`);
+  console.log(`Advisories found: ${advisories.length}
+`);
+  if (advisories.length === 0) {
+    console.log("\u2705 No security advisories found - all packages appear safe!");
+  } else {
+    console.log("\uD83D\uDEA8 Security advisories:");
+    for (const advisory of advisories) {
+      const levelIcon = advisory.level === "fatal" ? "\uD83D\uDD34" : "\u26A0\uFE0F";
+      const levelText = advisory.level.toUpperCase();
+      console.log(`
+${levelIcon} ${levelText}: ${advisory.package}`);
+      if (advisory.description) {
+        console.log(`   Description: ${advisory.description}`);
+      }
+      if (advisory.url) {
+        console.log(`   URL: ${advisory.url}`);
+      }
+    }
+  }
+}
+async function scanPackageJson(packageJsonPath) {
+  try {
+    const file = Bun.file(packageJsonPath);
+    if (!await file.exists()) {
+      exitWithError(`Package.json file not found: ${packageJsonPath}`);
+    }
+    const packageJson = await file.json();
+    const dependencies = {
+      ...packageJson.dependencies,
+      ...packageJson.devDependencies,
+      ...packageJson.peerDependencies
+    };
+    const packages = [];
+    for (const [name, versionRange] of Object.entries(dependencies)) {
+      let version = versionRange;
+      version = version.replace(/^[~^]/, "");
+      packages.push({
+        name,
+        version,
+        requestedRange: versionRange,
+        tarball: `https://registry.npmjs.org/${name}/-/${name}-${version}.tgz`
+      });
+    }
+    logger.info(`Found ${packages.length} dependencies in ${packageJsonPath}`);
+    await testPackages(packages.map((p) => `${p.name}@${p.version}`));
+  } catch (error) {
+    exitWithError(`Failed to read package.json: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+async function runCli() {
+  const args = process.argv.slice(2);
+  if (args.length === 0 || args.includes("--help") || args.includes("-h")) {
+    printUsage();
+    return;
+  }
+  const command = args[0];
+  const commandArgs = args.slice(1);
+  switch (command) {
+    case "test": {
+      await testPackages(commandArgs);
+      break;
+    }
+    case "scan": {
+      if (commandArgs.length === 0) {
+        exitWithError("No package.json file specified");
+      }
+      const file = commandArgs[0];
+      if (!file) {
+        exitWithError("Package.json file path required");
+      }
+      await scanPackageJson(file);
+      break;
+    }
+    default: {
+      exitWithError(`Unknown command: ${command}`);
+    }
+  }
+}
+if (import.meta.main) {
+  await runCli();
+}
+export {
+  runCli
+};