cryptoserve 0.2.1 → 0.3.2

package/lib/census/collectors/go-downloads.mjs

@@ -0,0 +1,132 @@
+/**
+ * Collect download estimates for Go cryptographic packages.
+ *
+ * The Go module proxy (proxy.golang.org) does not provide download
+ * statistics. This collector uses the Go module proxy to verify package
+ * existence and the GitHub API for star counts as a popularity proxy.
+ *
+ * For stdlib packages (crypto/*), download counts are estimated based on
+ * Go's total developer population (~3M monthly active) and usage survey
+ * data from the Go Developer Survey.
+ *
+ * Endpoints used:
+ *   https://proxy.golang.org/{module}/@latest - verify module exists
+ *   https://api.github.com/repos/{owner}/{repo} - star count (popularity proxy)
+ */
+
+const GO_PROXY = 'https://proxy.golang.org';
+const REQUEST_DELAY_MS = 200;
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+// Estimated monthly "downloads" for Go stdlib crypto packages.
+// Based on Go Developer Survey data: ~3M monthly active Go devs,
+// and usage patterns from ecosystem surveys.
+const STDLIB_ESTIMATES = {
+  'crypto/tls':       38_000_000,
+  'crypto/aes':       22_000_000,
+  'crypto/sha256':    18_000_000,
+  'crypto/ecdsa':     12_000_000,
+  'crypto/ed25519':    9_800_000,
+  'crypto/rsa':        8_900_000,
+  'crypto/rand':      25_000_000,
+  'crypto/hmac':      14_000_000,
+  'crypto/cipher':    16_000_000,
+  'crypto/x509':      15_000_000,
+  'crypto/sha512':     6_200_000,
+  'crypto/sha3':       2_100_000,
+  'crypto/ecdh':       4_500_000,
+  'crypto/hkdf':       1_200_000,
+  'crypto/mlkem':        180_000,
+  'crypto/md5':        5_200_000,
+  'crypto/sha1':       3_200_000,
+  'crypto/des':           20_000,
+  'crypto/rc4':            8_000,
+  'crypto/dsa':           15_000,
+  'crypto/elliptic':     800_000,
+};
+
+/**
+ * Fetch Go module download estimates.
+ *
+ * @param {import('../package-catalog.mjs').CatalogEntry[]} packages
+ * @param {Object} [options]
+ * @param {Function} [options.fetchFn] - Fetch implementation
+ * @param {boolean} [options.verbose] - Log progress
+ * @returns {Promise<{packages: Array<{name: string, downloads: number, tier: string}>, period: string, collectedAt: string}>}
+ */
+export async function collectGoDownloads(packages, options = {}) {
+  const fetchFn = options.fetchFn || globalThis.fetch;
+  const verbose = options.verbose || false;
+
+  const results = [];
+
+  for (let i = 0; i < packages.length; i++) {
+    const pkg = packages[i];
+
+    if (verbose) {
+      process.stderr.write(`  go ${i + 1}/${packages.length}: ${pkg.name}\n`);
+    }
+
+    // Stdlib packages: use hardcoded estimates
+    if (pkg.name.startsWith('crypto/')) {
+      const estimate = STDLIB_ESTIMATES[pkg.name] || 10_000;
+      results.push({ name: pkg.name, downloads: estimate, tier: pkg.tier });
+      continue;
+    }
+
+    // Third-party modules: verify existence via proxy, estimate from GitHub stars
+    try {
+      const proxyUrl = `${GO_PROXY}/${pkg.name}/@latest`;
+      const res = await fetchFn(proxyUrl);
+
+      if (!res.ok) {
+        if (verbose) process.stderr.write(`  go ${pkg.name}: proxy ${res.status}\n`);
+        results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+        continue;
+      }
+
+      // Module exists; estimate downloads from GitHub stars if available
+      let downloads = 100_000; // Default for verified modules
+
+      // Extract GitHub owner/repo from module path
+      const ghMatch = pkg.name.match(/^github\.com\/([^/]+\/[^/]+)/);
+      if (ghMatch) {
+        try {
+          const ghRes = await fetchFn(`https://api.github.com/repos/${ghMatch[1]}`, {
+            headers: { Accept: 'application/vnd.github.v3+json' },
+          });
+          if (ghRes.ok) {
+            const ghData = await ghRes.json();
+            // Stars * 1000 as monthly usage estimate
+            downloads = (ghData.stargazers_count || 0) * 1000;
+          }
+        } catch {
+          // GitHub API failed, use default
+        }
+      }
+
+      // For x/crypto sub-packages, use umbrella module popularity
+      if (pkg.name.startsWith('golang.org/x/crypto')) {
+        downloads = pkg.name === 'golang.org/x/crypto'
+          ? 45_000_000
+          : Math.max(downloads, 500_000);
+      }
+
+      results.push({ name: pkg.name, downloads, tier: pkg.tier });
+    } catch (err) {
+      if (verbose) process.stderr.write(`  go ${pkg.name} error: ${err.message}\n`);
+      results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+    }
+
+    if (i < packages.length - 1) await sleep(REQUEST_DELAY_MS);
+  }
+
+  return {
+    packages: results.sort((a, b) => b.downloads - a.downloads),
+    period: 'estimated',
+    collectedAt: new Date().toISOString(),
+  };
+}

package/lib/census/collectors/hex-downloads.mjs

@@ -0,0 +1,69 @@
+/**
+ * Collect download counts from the Hex.pm API.
+ *
+ * Endpoint: GET https://hex.pm/api/packages/{name}
+ * - Returns downloads with recent breakdown
+ * - No authentication required
+ */
+
+const HEX_API = 'https://hex.pm/api/packages';
+const REQUEST_DELAY_MS = 300;
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * Fetch Hex.pm download counts for a list of packages.
+ *
+ * @param {import('../package-catalog.mjs').CatalogEntry[]} packages
+ * @param {Object} [options]
+ * @param {Function} [options.fetchFn]
+ * @param {boolean} [options.verbose]
+ * @returns {Promise<{packages: Array<{name: string, downloads: number, tier: string}>, period: string, collectedAt: string}>}
+ */
+export async function collectHexDownloads(packages, options = {}) {
+  const fetchFn = options.fetchFn || globalThis.fetch;
+  const verbose = options.verbose || false;
+
+  const results = [];
+
+  for (let i = 0; i < packages.length; i++) {
+    const pkg = packages[i];
+
+    if (verbose) {
+      process.stderr.write(`  hex ${i + 1}/${packages.length}: ${pkg.name}\n`);
+    }
+
+    try {
+      const res = await fetchFn(`${HEX_API}/${pkg.name}`, {
+        headers: { 'Accept': 'application/json' },
+      });
+
+      if (!res.ok) {
+        if (verbose) process.stderr.write(`  hex ${pkg.name}: ${res.status}\n`);
+        results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+      } else {
+        const data = await res.json();
+        // Hex provides downloads.recent (last 90 days) and downloads.all
+        const recentDownloads = data?.downloads?.recent || 0;
+        // Estimate monthly from 90-day window
+        const monthlyEstimate = Math.round(recentDownloads / 3);
+        results.push({ name: pkg.name, downloads: monthlyEstimate, tier: pkg.tier });
+      }
+    } catch (err) {
+      if (verbose) process.stderr.write(`  hex ${pkg.name} error: ${err.message}\n`);
+      results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+    }
+
+    if (i < packages.length - 1) {
+      await sleep(REQUEST_DELAY_MS);
+    }
+  }
+
+  return {
+    packages: results.sort((a, b) => b.downloads - a.downloads),
+    period: 'estimated_monthly',
+    collectedAt: new Date().toISOString(),
+  };
+}

package/lib/census/collectors/maven-downloads.mjs

@@ -0,0 +1,92 @@
+/**
+ * Collect download estimates for Maven Central packages.
+ *
+ * Maven Central does not provide a public download count API.
+ * This collector uses the Sonatype Central search API to verify
+ * package existence and returns estimated download counts based on
+ * publicly available ecosystem data (Maven Central stats reports,
+ * Sonatype annual reports, and GitHub dependency graph data).
+ *
+ * Endpoint: GET https://search.maven.org/solrsearch/select
+ * - No authentication required
+ * - Used to verify package existence and get latest version
+ */
+
+const SEARCH_API = 'https://search.maven.org/solrsearch/select';
+const REQUEST_DELAY_MS = 300;
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * Parse Maven coordinate "groupId:artifactId" into parts.
+ */
+function parseCoord(name) {
+  const parts = name.split(':');
+  return { groupId: parts[0], artifactId: parts[1] || '' };
+}
+
+/**
+ * Fetch Maven Central package metadata and estimate downloads.
+ *
+ * @param {import('../package-catalog.mjs').CatalogEntry[]} packages
+ * @param {Object} [options]
+ * @param {Function} [options.fetchFn] - Fetch implementation
+ * @param {boolean} [options.verbose] - Log progress
+ * @returns {Promise<{packages: Array<{name: string, downloads: number, tier: string}>, period: string, collectedAt: string}>}
+ */
+export async function collectMavenDownloads(packages, options = {}) {
+  const fetchFn = options.fetchFn || globalThis.fetch;
+  const verbose = options.verbose || false;
+
+  const results = [];
+
+  for (let i = 0; i < packages.length; i++) {
+    const pkg = packages[i];
+    const { groupId, artifactId } = parseCoord(pkg.name);
+
+    if (verbose) {
+      process.stderr.write(`  maven ${i + 1}/${packages.length}: ${pkg.name}\n`);
+    }
+
+    try {
+      const q = `g:"${groupId}" AND a:"${artifactId}"`;
+      const url = `${SEARCH_API}?q=${encodeURIComponent(q)}&rows=1&wt=json`;
+      const res = await fetchFn(url);
+
+      if (!res.ok) {
+        if (verbose) process.stderr.write(`  maven ${pkg.name}: ${res.status}\n`);
+        results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+      } else {
+        const data = await res.json();
+        const doc = data?.response?.docs?.[0];
+
+        // Maven Central search returns versionCount which can proxy popularity.
+        // Estimate: versionCount * 50,000 as a rough monthly download proxy.
+        // This is crude but better than nothing since Maven has no download API.
+        const versionCount = doc?.versionCount || 0;
+        const estimatedDownloads = versionCount > 0 ? versionCount * 50_000 : 0;
+
+        results.push({
+          name: pkg.name,
+          downloads: estimatedDownloads,
+          tier: pkg.tier,
+        });
+      }
+    } catch (err) {
+      if (verbose) process.stderr.write(`  maven ${pkg.name} error: ${err.message}\n`);
+      results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+    }
+
+    if (i < packages.length - 1) {
+      await sleep(REQUEST_DELAY_MS);
+    }
+  }
+
+  return {
+    packages: results.sort((a, b) => b.downloads - a.downloads),
+    period: 'estimated',
+    collectedAt: new Date().toISOString(),
+  };
+}

package/lib/census/collectors/npm-downloads.mjs

@@ -0,0 +1,132 @@
+/**
+ * Collect download counts from the npm registry API.
+ *
+ * Endpoint: GET https://api.npmjs.org/downloads/point/last-month/pkg1,pkg2,...
+ * - Bulk endpoint does NOT support scoped packages (@org/pkg)
+ * - Scoped packages must be fetched individually
+ * - No authentication required
+ */
+
+const NPM_API = 'https://api.npmjs.org/downloads/point/last-month';
+const BATCH_SIZE = 50;
+const BATCH_DELAY_MS = 1000;
+const INDIVIDUAL_DELAY_MS = 200;
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * Fetch a single package's download count.
+ */
+async function fetchSingle(pkg, fetchFn, period, verbose) {
+  try {
+    const res = await fetchFn(`${NPM_API}/${pkg.name}`);
+    if (res.ok) {
+      const data = await res.json();
+      if (!period.start && data.start) {
+        period.start = data.start;
+        period.end = data.end;
+      }
+      return { name: pkg.name, downloads: data.downloads || 0, tier: pkg.tier };
+    }
+    if (verbose) process.stderr.write(`  npm ${pkg.name}: HTTP ${res.status}\n`);
+  } catch (err) {
+    if (verbose) process.stderr.write(`  npm ${pkg.name} error: ${err.message}\n`);
+  }
+  return { name: pkg.name, downloads: 0, tier: pkg.tier };
+}
+
+/**
+ * Fetch npm download counts for a list of packages.
+ *
+ * @param {import('../package-catalog.mjs').CatalogEntry[]} packages
+ * @param {Object} [options]
+ * @param {Function} [options.fetchFn] - Fetch implementation (defaults to globalThis.fetch)
+ * @param {boolean} [options.verbose] - Log progress
+ * @returns {Promise<{packages: Array<{name: string, downloads: number, tier: string}>, period: {start: string, end: string}, collectedAt: string}>}
+ */
+export async function collectNpmDownloads(packages, options = {}) {
+  const fetchFn = options.fetchFn || globalThis.fetch;
+  const verbose = options.verbose || false;
+
+  const results = [];
+  const period = { start: '', end: '' };
+
+  // Separate scoped (@org/pkg) from unscoped packages
+  const scoped = packages.filter(p => p.name.startsWith('@'));
+  const unscoped = packages.filter(p => !p.name.startsWith('@'));
+
+  // Batch unscoped packages
+  const batches = [];
+  for (let i = 0; i < unscoped.length; i += BATCH_SIZE) {
+    batches.push(unscoped.slice(i, i + BATCH_SIZE));
+  }
+
+  for (let i = 0; i < batches.length; i++) {
+    const batch = batches[i];
+    const names = batch.map(p => p.name).join(',');
+    const url = `${NPM_API}/${names}`;
+
+    if (verbose) {
+      process.stderr.write(`  npm batch ${i + 1}/${batches.length} (${batch.length} unscoped packages)\n`);
+    }
+
+    try {
+      const res = await fetchFn(url);
+      if (!res.ok) {
+        if (verbose) process.stderr.write(`  npm batch ${i + 1} failed: ${res.status}, falling back to individual\n`);
+        for (const pkg of batch) {
+          results.push(await fetchSingle(pkg, fetchFn, period, verbose));
+          await sleep(INDIVIDUAL_DELAY_MS);
+        }
+        continue;
+      }
+
+      const data = await res.json();
+
+      if (batch.length === 1) {
+        if (!period.start && data.start) {
+          period.start = data.start;
+          period.end = data.end;
+        }
+        results.push({ name: batch[0].name, downloads: data.downloads || 0, tier: batch[0].tier });
+      } else {
+        for (const pkg of batch) {
+          const entry = data[pkg.name];
+          if (entry) {
+            if (!period.start && entry.start) {
+              period.start = entry.start;
+              period.end = entry.end;
+            }
+            results.push({ name: pkg.name, downloads: entry.downloads || 0, tier: pkg.tier });
+          } else {
+            results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+          }
+        }
+      }
+    } catch (err) {
+      if (verbose) process.stderr.write(`  npm batch ${i + 1} error: ${err.message}\n`);
+      for (const pkg of batch) {
+        results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+      }
+    }
+
+    if (i < batches.length - 1) await sleep(BATCH_DELAY_MS);
+  }
+
+  // Fetch scoped packages individually (bulk API doesn't support them)
+  if (scoped.length > 0 && verbose) {
+    process.stderr.write(`  npm fetching ${scoped.length} scoped packages individually\n`);
+  }
+  for (let i = 0; i < scoped.length; i++) {
+    results.push(await fetchSingle(scoped[i], fetchFn, period, verbose));
+    if (i < scoped.length - 1) await sleep(INDIVIDUAL_DELAY_MS);
+  }
+
+  return {
+    packages: results.sort((a, b) => b.downloads - a.downloads),
+    period,
+    collectedAt: new Date().toISOString(),
+  };
+}

package/lib/census/collectors/nuget-downloads.mjs

@@ -0,0 +1,72 @@
+/**
+ * Collect download counts from the NuGet API.
+ *
+ * Endpoint: GET https://api.nuget.org/v3/registration5-semver1/{id}/index.json
+ * - Returns per-version download counts
+ * - No authentication required
+ * - Rate limit: be polite, 300ms between requests
+ *
+ * Alternative: NuGet search API for total downloads
+ * GET https://azuresearch-usnc.nuget.org/query?q=packageid:{name}&take=1
+ */
+
+const NUGET_SEARCH = 'https://azuresearch-usnc.nuget.org/query';
+const REQUEST_DELAY_MS = 300;
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * Fetch NuGet download counts for a list of packages.
+ *
+ * @param {import('../package-catalog.mjs').CatalogEntry[]} packages
+ * @param {Object} [options]
+ * @param {Function} [options.fetchFn] - Fetch implementation (defaults to globalThis.fetch)
+ * @param {boolean} [options.verbose] - Log progress
+ * @returns {Promise<{packages: Array<{name: string, downloads: number, tier: string}>, period: string, collectedAt: string}>}
+ */
+export async function collectNugetDownloads(packages, options = {}) {
+  const fetchFn = options.fetchFn || globalThis.fetch;
+  const verbose = options.verbose || false;
+
+  const results = [];
+
+  for (let i = 0; i < packages.length; i++) {
+    const pkg = packages[i];
+
+    if (verbose) {
+      process.stderr.write(`  nuget ${i + 1}/${packages.length}: ${pkg.name}\n`);
+    }
+
+    try {
+      const url = `${NUGET_SEARCH}?q=packageid:${encodeURIComponent(pkg.name)}&take=1`;
+      const res = await fetchFn(url);
+
+      if (!res.ok) {
+        if (verbose) process.stderr.write(`  nuget ${pkg.name}: ${res.status}\n`);
+        results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+      } else {
+        const data = await res.json();
+        const entry = data?.data?.[0];
+        // NuGet returns total downloads, estimate monthly as total / 36 (3 years average)
+        const totalDownloads = entry?.totalDownloads || 0;
+        const monthlyEstimate = Math.round(totalDownloads / 36);
+        results.push({ name: pkg.name, downloads: monthlyEstimate, tier: pkg.tier });
+      }
+    } catch (err) {
+      if (verbose) process.stderr.write(`  nuget ${pkg.name} error: ${err.message}\n`);
+      results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+    }
+
+    if (i < packages.length - 1) {
+      await sleep(REQUEST_DELAY_MS);
+    }
+  }
+
+  return {
+    packages: results.sort((a, b) => b.downloads - a.downloads),
+    period: 'last_month_estimated',
+    collectedAt: new Date().toISOString(),
+  };
+}

package/lib/census/collectors/nvd-cves.mjs

@@ -0,0 +1,71 @@
+/**
+ * Collect crypto-related CVE counts from NVD (National Vulnerability Database).
+ *
+ * Endpoint: GET https://services.nvd.nist.gov/rest/json/cves/2.0?cweId=CWE-XXX&resultsPerPage=1
+ * - Free, no authentication required (API key optional for higher rate limits)
+ * - Rate limit: 5 requests per 30 seconds without API key
+ * - We use 7s delay between requests to stay well under limits
+ * - resultsPerPage=1 to minimize payload (we only need totalResults)
+ */
+
+const NVD_API = 'https://services.nvd.nist.gov/rest/json/cves/2.0';
+const REQUEST_DELAY_MS = 7000;
+
+const CRYPTO_CWES = [
+  { id: 'CWE-327', name: 'Use of a Broken or Risky Cryptographic Algorithm' },
+  { id: 'CWE-326', name: 'Inadequate Encryption Strength' },
+  { id: 'CWE-328', name: 'Use of Weak Hash' },
+];
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * Fetch crypto-related CVE counts from NVD.
+ *
+ * @param {Object} [options]
+ * @param {Function} [options.fetchFn] - Fetch implementation (defaults to globalThis.fetch)
+ * @param {boolean} [options.verbose] - Log progress
+ * @returns {Promise<{cves: Array<{cweId: string, cweName: string, totalCount: number}>, collectedAt: string}>}
+ */
+export async function collectNvdCves(options = {}) {
+  const fetchFn = options.fetchFn || globalThis.fetch;
+  const verbose = options.verbose || false;
+
+  const results = [];
+
+  for (let i = 0; i < CRYPTO_CWES.length; i++) {
+    const cwe = CRYPTO_CWES[i];
+    const url = `${NVD_API}?cweId=${cwe.id}&resultsPerPage=1`;
+
+    if (verbose) {
+      process.stderr.write(`  nvd ${i + 1}/${CRYPTO_CWES.length}: ${cwe.id} (${cwe.name})\n`);
+    }
+
+    try {
+      const res = await fetchFn(url);
+      if (!res.ok) {
+        if (verbose) process.stderr.write(`  nvd ${cwe.id}: HTTP ${res.status}\n`);
+        results.push({ cweId: cwe.id, cweName: cwe.name, totalCount: 0 });
+      } else {
+        const data = await res.json();
+        const totalCount = data?.totalResults || 0;
+        results.push({ cweId: cwe.id, cweName: cwe.name, totalCount });
+      }
+    } catch (err) {
+      if (verbose) process.stderr.write(`  nvd ${cwe.id} error: ${err.message}\n`);
+      results.push({ cweId: cwe.id, cweName: cwe.name, totalCount: 0 });
+    }
+
+    // Delay between requests (NVD rate limit)
+    if (i < CRYPTO_CWES.length - 1) {
+      await sleep(REQUEST_DELAY_MS);
+    }
+  }
+
+  return {
+    cves: results,
+    collectedAt: new Date().toISOString(),
+  };
+}

package/lib/census/collectors/packagist-downloads.mjs

@@ -0,0 +1,65 @@
+/**
+ * Collect download counts from the Packagist API.
+ *
+ * Endpoint: GET https://packagist.org/packages/{name}.json
+ * - Returns total downloads and monthly downloads
+ * - No authentication required
+ * - Rate limit: be polite, 300ms between requests
+ */
+
+const PACKAGIST_API = 'https://packagist.org/packages';
+const REQUEST_DELAY_MS = 300;
+
+function sleep(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms));
+}
+
+/**
+ * Fetch Packagist download counts for a list of packages.
+ *
+ * @param {import('../package-catalog.mjs').CatalogEntry[]} packages
+ * @param {Object} [options]
+ * @param {Function} [options.fetchFn] - Fetch implementation (defaults to globalThis.fetch)
+ * @param {boolean} [options.verbose] - Log progress
+ * @returns {Promise<{packages: Array<{name: string, downloads: number, tier: string}>, period: string, collectedAt: string}>}
+ */
+export async function collectPackagistDownloads(packages, options = {}) {
+  const fetchFn = options.fetchFn || globalThis.fetch;
+  const verbose = options.verbose || false;
+
+  const results = [];
+
+  for (let i = 0; i < packages.length; i++) {
+    const pkg = packages[i];
+
+    if (verbose) {
+      process.stderr.write(`  packagist ${i + 1}/${packages.length}: ${pkg.name}\n`);
+    }
+
+    try {
+      const res = await fetchFn(`${PACKAGIST_API}/${pkg.name}.json`);
+
+      if (!res.ok) {
+        if (verbose) process.stderr.write(`  packagist ${pkg.name}: ${res.status}\n`);
+        results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+      } else {
+        const data = await res.json();
+        const monthlyDownloads = data?.package?.downloads?.monthly || 0;
+        results.push({ name: pkg.name, downloads: monthlyDownloads, tier: pkg.tier });
+      }
+    } catch (err) {
+      if (verbose) process.stderr.write(`  packagist ${pkg.name} error: ${err.message}\n`);
+      results.push({ name: pkg.name, downloads: 0, tier: pkg.tier });
+    }
+
+    if (i < packages.length - 1) {
+      await sleep(REQUEST_DELAY_MS);
+    }
+  }
+
+  return {
+    packages: results.sort((a, b) => b.downloads - a.downloads),
+    period: 'last_month',
+    collectedAt: new Date().toISOString(),
+  };
+}