dep-oracle 1.0.0

package/dist/index.js

@@ -0,0 +1,325 @@
+import {
+  BaseParser,
+  BlastRadiusCalculator,
+  CacheManager,
+  CollectorOrchestrator,
+  ConfigSchema,
+  DependencyNodeSchema,
+  DependencyTreeSchema,
+  MigrationAdvisor,
+  NpmParser,
+  PythonParser,
+  ScanResultSchema,
+  TrustMetricsSchema,
+  TrustReportSchema,
+  TrustScoreEngine,
+  TyposquatDetector,
+  ZombieDetector,
+  buildImportGraph,
+  collectorCached,
+  collectorError,
+  collectorOffline,
+  collectorSuccess,
+  createDependencyNode,
+  createDependencyTree,
+  createLogger,
+  getBlastRadius,
+  getImportingFiles,
+  isDebug,
+  isVerbose,
+  logger,
+  setVerbose
+} from "./chunk-RQV3VHZS.js";
+
+// src/analyzers/trend-predictor.ts
+var HIGH_CONFIDENCE_THRESHOLD = 3;
+var TrendPredictor = class {
+  /**
+   * Predict the trajectory of a package based on registry, popularity,
+   * and GitHub signals.
+   */
+  predict(registry, popularity, github) {
+    const signals = [];
+    const reasons = [];
+    if (popularity !== null) {
+      switch (popularity.trend) {
+        case "rising":
+          signals.push({ direction: "rising", weight: 0.4 });
+          reasons.push("Downloads are trending upward");
+          break;
+        case "declining":
+          signals.push({ direction: "declining", weight: 0.4 });
+          reasons.push("Downloads are trending downward");
+          break;
+        case "stable":
+          signals.push({ direction: "stable", weight: 0.3 });
+          reasons.push("Downloads are stable");
+          break;
+      }
+    }
+    if (github !== null) {
+      const commits30d = github.recentCommitCount;
+      if (commits30d >= 30) {
+        signals.push({ direction: "rising", weight: 0.3 });
+        reasons.push(`High commit activity (${commits30d} commits in 30 days)`);
+      } else if (commits30d >= 10) {
+        signals.push({ direction: "stable", weight: 0.2 });
+        reasons.push(`Moderate commit activity (${commits30d} commits in 30 days)`);
+      } else if (commits30d >= 1) {
+        signals.push({ direction: "stable", weight: 0.15 });
+        reasons.push(`Low commit activity (${commits30d} commits in 30 days)`);
+      } else {
+        signals.push({ direction: "declining", weight: 0.3 });
+        reasons.push("No commits in the last 30 days");
+      }
+    }
+    if (registry !== null) {
+      if (registry.lastPublishDate !== null) {
+        const lastPublish = new Date(registry.lastPublishDate);
+        const monthsSincePublish = monthsBetween(lastPublish, /* @__PURE__ */ new Date());
+        if (monthsSincePublish < 2) {
+          signals.push({ direction: "rising", weight: 0.2 });
+          reasons.push("Recent version published within last 2 months");
+        } else if (monthsSincePublish < 6) {
+          signals.push({ direction: "stable", weight: 0.15 });
+          reasons.push(`Last publish ${Math.round(monthsSincePublish)} months ago`);
+        } else if (monthsSincePublish < 12) {
+          signals.push({ direction: "declining", weight: 0.2 });
+          reasons.push(`No new version in ${Math.round(monthsSincePublish)} months`);
+        } else {
+          signals.push({ direction: "declining", weight: 0.3 });
+          reasons.push(`No new version in ${Math.round(monthsSincePublish)} months \u2014 possibly abandoned`);
+        }
+      }
+      if (registry.versionCount > 50) {
+        signals.push({ direction: "stable", weight: 0.1 });
+        reasons.push(`Mature package with ${registry.versionCount} versions`);
+      }
+      if (registry.deprecated !== null) {
+        signals.push({ direction: "declining", weight: 0.5 });
+        reasons.push("Package is marked as deprecated");
+      }
+    }
+    if (github !== null && github.stars > 0) {
+      const forkRatio = github.forks / github.stars;
+      if (forkRatio > 0.3) {
+        signals.push({ direction: "rising", weight: 0.1 });
+        reasons.push("High fork-to-star ratio indicates active community");
+      }
+    }
+    if (signals.length === 0) {
+      return {
+        trend: "unknown",
+        confidence: 0,
+        riskProjection3m: 0,
+        reason: "Insufficient data to determine trend"
+      };
+    }
+    const { trend, confidence } = this.aggregateSignals(signals);
+    const riskProjection3m = this.calculateRiskProjection(trend, confidence, signals);
+    return {
+      trend,
+      confidence: Math.round(confidence * 100) / 100,
+      riskProjection3m: Math.round(riskProjection3m),
+      reason: reasons.join(". ") + "."
+    };
+  }
+  // -------------------------------------------------------------------------
+  // Internal helpers
+  // -------------------------------------------------------------------------
+  /**
+   * Aggregate multiple trend signals into a single direction and confidence.
+   * Uses weighted voting: each signal votes for its direction with its weight.
+   */
+  aggregateSignals(signals) {
+    const votes = {
+      rising: 0,
+      stable: 0,
+      declining: 0
+    };
+    let totalWeight = 0;
+    for (const signal of signals) {
+      votes[signal.direction] += signal.weight;
+      totalWeight += signal.weight;
+    }
+    let maxVote = 0;
+    let trend = "stable";
+    for (const [direction, vote] of Object.entries(votes)) {
+      if (vote > maxVote) {
+        maxVote = vote;
+        trend = direction;
+      }
+    }
+    const dominance = totalWeight > 0 ? maxVote / totalWeight : 0;
+    const signalCountFactor = Math.min(signals.length / HIGH_CONFIDENCE_THRESHOLD, 1);
+    const confidence = Math.min(dominance * signalCountFactor, 1);
+    return { trend, confidence };
+  }
+  /**
+   * Estimate how much the trust score might change in 3 months based on
+   * the trend and confidence.
+   */
+  calculateRiskProjection(trend, confidence, signals) {
+    const projectionMap = {
+      rising: 5,
+      stable: 0,
+      declining: -10,
+      unknown: 0
+    };
+    let base = projectionMap[trend];
+    base *= confidence;
+    const decliningWeight = signals.filter((s) => s.direction === "declining").reduce((sum, s) => sum + s.weight, 0);
+    if (decliningWeight > 0.5) {
+      base -= Math.round(decliningWeight * 5);
+    }
+    return Math.max(-20, Math.min(10, base));
+  }
+};
+function monthsBetween(from, to) {
+  const years = to.getFullYear() - from.getFullYear();
+  const months = to.getMonth() - from.getMonth();
+  const days = to.getDate() - from.getDate();
+  return years * 12 + months + (days < 0 ? -0.5 : 0);
+}
+
+// src/utils/rate-limiter.ts
+var RateLimiter = class {
+  tokens;
+  maxTokens;
+  refillIntervalMs;
+  lastRefill;
+  waitQueue = [];
+  /**
+   * @param maxRequests  Maximum number of requests allowed in the window
+   * @param windowMs     Window duration in milliseconds
+   */
+  constructor(maxRequests, windowMs) {
+    this.maxTokens = maxRequests;
+    this.tokens = maxRequests;
+    this.refillIntervalMs = windowMs;
+    this.lastRefill = Date.now();
+  }
+  /**
+   * Acquire a token. Resolves immediately when tokens are available,
+   * otherwise waits until the bucket is refilled.
+   */
+  async acquire() {
+    this.refill();
+    if (this.tokens > 0) {
+      this.tokens--;
+      return;
+    }
+    return new Promise((resolve) => {
+      this.waitQueue.push(resolve);
+      this.scheduleRefill();
+    });
+  }
+  /**
+   * Return the number of tokens currently available (without waiting).
+   */
+  get remaining() {
+    this.refill();
+    return this.tokens;
+  }
+  /**
+   * Return the number of milliseconds until the next refill.
+   */
+  get msUntilRefill() {
+    const elapsed = Date.now() - this.lastRefill;
+    return Math.max(0, this.refillIntervalMs - elapsed);
+  }
+  // -----------------------------------------------------------------------
+  // Internal
+  // -----------------------------------------------------------------------
+  refill() {
+    const now = Date.now();
+    const elapsed = now - this.lastRefill;
+    if (elapsed >= this.refillIntervalMs) {
+      const periods = Math.floor(elapsed / this.refillIntervalMs);
+      this.tokens = Math.min(this.maxTokens, this.tokens + periods * this.maxTokens);
+      this.lastRefill = now - elapsed % this.refillIntervalMs;
+      this.drainWaitQueue();
+    }
+  }
+  scheduleRefill() {
+    const delay = this.msUntilRefill;
+    if (delay <= 0) {
+      this.refill();
+      return;
+    }
+    setTimeout(() => {
+      this.refill();
+    }, delay);
+  }
+  drainWaitQueue() {
+    while (this.waitQueue.length > 0 && this.tokens > 0) {
+      this.tokens--;
+      const resolve = this.waitQueue.shift();
+      resolve?.();
+    }
+  }
+};
+var githubRateLimiter = new RateLimiter(5e3, 36e5);
+var npmRateLimiter = new RateLimiter(300, 6e4);
+var pypiRateLimiter = new RateLimiter(100, 6e4);
+
+// src/cli/config.ts
+import { cosmiconfig } from "cosmiconfig";
+var explorer = cosmiconfig("dep-oracle");
+async function loadConfig(overrides) {
+  let fileConfig = {};
+  try {
+    const result = await explorer.search();
+    if (result?.config && typeof result.config === "object") {
+      fileConfig = result.config;
+    }
+  } catch {
+  }
+  const merged = { ...fileConfig, ...overrides };
+  if (!merged.githubToken && process.env.GITHUB_TOKEN) {
+    merged.githubToken = process.env.GITHUB_TOKEN;
+  }
+  if (!merged.githubToken && process.env.DEP_ORACLE_GITHUB_TOKEN) {
+    merged.githubToken = process.env.DEP_ORACLE_GITHUB_TOKEN;
+  }
+  return ConfigSchema.parse(merged);
+}
+export {
+  BaseParser,
+  BlastRadiusCalculator,
+  CacheManager,
+  CollectorOrchestrator,
+  ConfigSchema,
+  DependencyNodeSchema,
+  DependencyTreeSchema,
+  MigrationAdvisor,
+  NpmParser,
+  PythonParser,
+  RateLimiter,
+  ScanResultSchema,
+  TrendPredictor,
+  TrustMetricsSchema,
+  TrustReportSchema,
+  TrustScoreEngine,
+  TyposquatDetector,
+  ZombieDetector,
+  buildImportGraph,
+  collectorCached,
+  collectorError,
+  collectorOffline,
+  collectorSuccess,
+  createDependencyNode,
+  createDependencyTree,
+  createLogger,
+  getBlastRadius,
+  getImportingFiles,
+  githubRateLimiter,
+  isDebug,
+  isVerbose,
+  loadConfig,
+  logger,
+  npmRateLimiter,
+  pypiRateLimiter,
+  setVerbose
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/analyzers/trend-predictor.ts","../src/utils/rate-limiter.ts","../src/cli/config.ts"],"sourcesContent":["import type {\n  RegistryData,\n  PopularityData,\n  GitHubData,\n} from '../parsers/schema.js';\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport type TrendDirection = 'rising' | 'stable' | 'declining' | 'unknown';\n\nexport interface TrendResult {\n  /** Overall trend direction. */\n  trend: TrendDirection;\n  /** Confidence in the prediction (0-1). */\n  confidence: number;\n  /**\n   * Estimated trust score change over the next 3 months.\n   * Negative values indicate a projected decline (e.g. -5 means the score\n   * is expected to drop by roughly 5 points).\n   */\n  riskProjection3m: number;\n  /** Human-readable explanation of the trend assessment. */\n  reason: string;\n}\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** Minimum signals required for a high-confidence prediction. */\nconst HIGH_CONFIDENCE_THRESHOLD = 3;\n\n// ---------------------------------------------------------------------------\n// TrendPredictor\n// ---------------------------------------------------------------------------\n\nexport class TrendPredictor {\n  /**\n   * Predict the trajectory of a package based on registry, popularity,\n   * and GitHub signals.\n   */\n  predict(\n    registry: RegistryData | null,\n    popularity: PopularityData | null,\n    github: GitHubData | null,\n  ): TrendResult {\n    const signals: TrendSignal[] = [];\n    const reasons: string[] = [];\n\n    // -----------------------------------------------------------------------\n    // Signal 1: Download trend from PopularityData\n    // -----------------------------------------------------------------------\n    if (popularity !== null) {\n      switch (popularity.trend) {\n        case 'rising':\n          signals.push({ direction: 'rising', weight: 0.4 });\n          reasons.push('Downloads are trending upward');\n          break;\n        case 'declining':\n          signals.push({ direction: 'declining', weight: 0.4 });\n          reasons.push('Downloads are trending downward');\n          break;\n        case 'stable':\n          signals.push({ direction: 'stable', weight: 0.3 });\n          reasons.push('Downloads are stable');\n          break;\n      }\n    }\n\n    // -----------------------------------------------------------------------\n    // Signal 2: Commit frequency from GitHub\n    // -----------------------------------------------------------------------\n    if (github !== null) {\n      const commits30d = github.recentCommitCount;\n\n      if (commits30d >= 30) {\n        signals.push({ direction: 'rising', weight: 0.3 });\n        reasons.push(`High commit activity (${commits30d} commits in 30 days)`);\n      } else if (commits30d >= 10) {\n        signals.push({ direction: 'stable', weight: 0.2 });\n        reasons.push(`Moderate commit activity (${commits30d} commits in 30 days)`);\n      } else if (commits30d >= 1) {\n        signals.push({ direction: 'stable', weight: 0.15 });\n        reasons.push(`Low commit activity (${commits30d} commits in 30 days)`);\n      } else {\n        signals.push({ direction: 'declining', weight: 0.3 });\n        reasons.push('No commits in the last 30 days');\n      }\n    }\n\n    // -----------------------------------------------------------------------\n    // Signal 3: Version release cadence from RegistryData\n    // -----------------------------------------------------------------------\n    if (registry !== null) {\n      if (registry.lastPublishDate !== null) {\n        const lastPublish = new Date(registry.lastPublishDate);\n        const monthsSincePublish = monthsBetween(lastPublish, new Date());\n\n        if (monthsSincePublish < 2) {\n          signals.push({ direction: 'rising', weight: 0.2 });\n          reasons.push('Recent version published within last 2 months');\n        } else if (monthsSincePublish < 6) {\n          signals.push({ direction: 'stable', weight: 0.15 });\n          reasons.push(`Last publish ${Math.round(monthsSincePublish)} months ago`);\n        } else if (monthsSincePublish < 12) {\n          signals.push({ direction: 'declining', weight: 0.2 });\n          reasons.push(`No new version in ${Math.round(monthsSincePublish)} months`);\n        } else {\n          signals.push({ direction: 'declining', weight: 0.3 });\n          reasons.push(`No new version in ${Math.round(monthsSincePublish)} months — possibly abandoned`);\n        }\n      }\n\n      // Version count as a maturity signal\n      if (registry.versionCount > 50) {\n        signals.push({ direction: 'stable', weight: 0.1 });\n        reasons.push(`Mature package with ${registry.versionCount} versions`);\n      }\n\n      // Deprecated flag is a strong declining signal (string | null)\n      if (registry.deprecated !== null) {\n        signals.push({ direction: 'declining', weight: 0.5 });\n        reasons.push('Package is marked as deprecated');\n      }\n    }\n\n    // -----------------------------------------------------------------------\n    // Signal 4: Star/fork ratio as community interest (GitHub)\n    // -----------------------------------------------------------------------\n    if (github !== null && github.stars > 0) {\n      const forkRatio = github.forks / github.stars;\n      if (forkRatio > 0.3) {\n        // High fork ratio suggests active community interest\n        signals.push({ direction: 'rising', weight: 0.1 });\n        reasons.push('High fork-to-star ratio indicates active community');\n      }\n    }\n\n    // -----------------------------------------------------------------------\n    // Aggregate signals\n    // -----------------------------------------------------------------------\n    if (signals.length === 0) {\n      return {\n        trend: 'unknown',\n        confidence: 0,\n        riskProjection3m: 0,\n        reason: 'Insufficient data to determine trend',\n      };\n    }\n\n    const { trend, confidence } = this.aggregateSignals(signals);\n    const riskProjection3m = this.calculateRiskProjection(trend, confidence, signals);\n\n    return {\n      trend,\n      confidence: Math.round(confidence * 100) / 100,\n      riskProjection3m: Math.round(riskProjection3m),\n      reason: reasons.join('. ') + '.',\n    };\n  }\n\n  // -------------------------------------------------------------------------\n  // Internal helpers\n  // -------------------------------------------------------------------------\n\n  /**\n   * Aggregate multiple trend signals into a single direction and confidence.\n   * Uses weighted voting: each signal votes for its direction with its weight.\n   */\n  private aggregateSignals(signals: TrendSignal[]): {\n    trend: TrendDirection;\n    confidence: number;\n  } {\n    const votes: Record<Exclude<TrendDirection, 'unknown'>, number> = {\n      rising: 0,\n      stable: 0,\n      declining: 0,\n    };\n\n    let totalWeight = 0;\n\n    for (const signal of signals) {\n      votes[signal.direction] += signal.weight;\n      totalWeight += signal.weight;\n    }\n\n    // Find the winning direction\n    let maxVote = 0;\n    let trend: TrendDirection = 'stable';\n\n    for (const [direction, vote] of Object.entries(votes)) {\n      if (vote > maxVote) {\n        maxVote = vote;\n        trend = direction as TrendDirection;\n      }\n    }\n\n    // Confidence is based on:\n    // 1. How dominant the winning direction is (proportion of total weight)\n    // 2. How many signals we have (more signals = higher confidence)\n    const dominance = totalWeight > 0 ? maxVote / totalWeight : 0;\n    const signalCountFactor = Math.min(signals.length / HIGH_CONFIDENCE_THRESHOLD, 1);\n    const confidence = Math.min(dominance * signalCountFactor, 1);\n\n    return { trend, confidence };\n  }\n\n  /**\n   * Estimate how much the trust score might change in 3 months based on\n   * the trend and confidence.\n   */\n  private calculateRiskProjection(\n    trend: TrendDirection,\n    confidence: number,\n    signals: TrendSignal[],\n  ): number {\n    // Base projection ranges\n    const projectionMap: Record<TrendDirection, number> = {\n      rising: 5,\n      stable: 0,\n      declining: -10,\n      unknown: 0,\n    };\n\n    let base = projectionMap[trend];\n\n    // Scale by confidence\n    base *= confidence;\n\n    // Strong negative signals amplify the projection\n    const decliningWeight = signals\n      .filter((s) => s.direction === 'declining')\n      .reduce((sum, s) => sum + s.weight, 0);\n\n    if (decliningWeight > 0.5) {\n      // Multiple strong declining signals — amplify the negative projection\n      base -= Math.round(decliningWeight * 5);\n    }\n\n    // Clamp to reasonable range\n    return Math.max(-20, Math.min(10, base));\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Internal types\n// ---------------------------------------------------------------------------\n\ninterface TrendSignal {\n  direction: 'rising' | 'stable' | 'declining';\n  weight: number;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\nfunction monthsBetween(from: Date, to: Date): number {\n  const years = to.getFullYear() - from.getFullYear();\n  const months = to.getMonth() - from.getMonth();\n  const days = to.getDate() - from.getDate();\n  return years * 12 + months + (days < 0 ? -0.5 : 0);\n}\n","/**\n * Token-bucket rate limiter for controlling outbound HTTP request frequency.\n *\n * Usage:\n * ```ts\n * const limiter = new RateLimiter(10, 60_000); // 10 requests per minute\n * await limiter.acquire(); // blocks if bucket is empty\n * await fetch(url);\n * ```\n */\nexport class RateLimiter {\n  private tokens: number;\n  private readonly maxTokens: number;\n  private readonly refillIntervalMs: number;\n  private lastRefill: number;\n  private waitQueue: Array<() => void> = [];\n\n  /**\n   * @param maxRequests  Maximum number of requests allowed in the window\n   * @param windowMs     Window duration in milliseconds\n   */\n  constructor(maxRequests: number, windowMs: number) {\n    this.maxTokens = maxRequests;\n    this.tokens = maxRequests;\n    this.refillIntervalMs = windowMs;\n    this.lastRefill = Date.now();\n  }\n\n  /**\n   * Acquire a token. Resolves immediately when tokens are available,\n   * otherwise waits until the bucket is refilled.\n   */\n  async acquire(): Promise<void> {\n    this.refill();\n\n    if (this.tokens > 0) {\n      this.tokens--;\n      return;\n    }\n\n    // No tokens available — wait for the next refill cycle\n    return new Promise<void>((resolve) => {\n      this.waitQueue.push(resolve);\n      this.scheduleRefill();\n    });\n  }\n\n  /**\n   * Return the number of tokens currently available (without waiting).\n   */\n  get remaining(): number {\n    this.refill();\n    return this.tokens;\n  }\n\n  /**\n   * Return the number of milliseconds until the next refill.\n   */\n  get msUntilRefill(): number {\n    const elapsed = Date.now() - this.lastRefill;\n    return Math.max(0, this.refillIntervalMs - elapsed);\n  }\n\n  // -----------------------------------------------------------------------\n  // Internal\n  // -----------------------------------------------------------------------\n\n  private refill(): void {\n    const now = Date.now();\n    const elapsed = now - this.lastRefill;\n\n    if (elapsed >= this.refillIntervalMs) {\n      // Full refill\n      const periods = Math.floor(elapsed / this.refillIntervalMs);\n      this.tokens = Math.min(this.maxTokens, this.tokens + periods * this.maxTokens);\n      this.lastRefill = now - (elapsed % this.refillIntervalMs);\n      this.drainWaitQueue();\n    }\n  }\n\n  private scheduleRefill(): void {\n    const delay = this.msUntilRefill;\n    if (delay <= 0) {\n      this.refill();\n      return;\n    }\n\n    setTimeout(() => {\n      this.refill();\n    }, delay);\n  }\n\n  private drainWaitQueue(): void {\n    while (this.waitQueue.length > 0 && this.tokens > 0) {\n      this.tokens--;\n      const resolve = this.waitQueue.shift();\n      resolve?.();\n    }\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Pre-configured limiters\n// ---------------------------------------------------------------------------\n\n/**\n * GitHub API rate limiter: 5000 requests per hour (authenticated).\n *\n * GitHub's unauthenticated limit is 60/hr, but dep-oracle is designed to\n * work with a token so we use the authenticated limit.\n */\nexport const githubRateLimiter = new RateLimiter(5000, 3_600_000);\n\n/**\n * npm registry rate limiter: generous default of 300 requests per minute.\n * The npm registry does not publish official limits, but this is safe.\n */\nexport const npmRateLimiter = new RateLimiter(300, 60_000);\n\n/**\n * PyPI rate limiter: conservative 100 requests per minute.\n */\nexport const pypiRateLimiter = new RateLimiter(100, 60_000);\n","/**\n * Configuration loader for dep-oracle.\n *\n * Uses cosmiconfig to search for configuration in:\n *   - package.json \"dep-oracle\" field\n *   - .dep-oraclerc / .dep-oraclerc.json / .dep-oraclerc.yaml / .dep-oraclerc.yml\n *   - dep-oracle.config.js / dep-oracle.config.cjs / dep-oracle.config.mjs\n *\n * Merge order: defaults < file config < environment variables < CLI overrides.\n */\n\nimport { cosmiconfig } from 'cosmiconfig';\nimport { ConfigSchema, type Config } from '../parsers/schema.js';\n\nconst explorer = cosmiconfig('dep-oracle');\n\n/**\n * Load and validate project configuration.\n *\n * @param overrides - Partial config values from CLI flags or programmatic use.\n *                    These take highest precedence.\n * @returns Fully validated Config object with defaults applied.\n */\nexport async function loadConfig(overrides?: Partial<Config>): Promise<Config> {\n  let fileConfig: Record<string, unknown> = {};\n\n  try {\n    const result = await explorer.search();\n    if (result?.config && typeof result.config === 'object') {\n      fileConfig = result.config as Record<string, unknown>;\n    }\n  } catch {\n    // Config file is optional -- continue with defaults if search fails\n  }\n\n  // Merge: file config < CLI overrides\n  const merged: Record<string, unknown> = { ...fileConfig, ...overrides };\n\n  // Read GitHub token from environment variables when not set by file or override\n  if (!merged.githubToken && process.env.GITHUB_TOKEN) {\n    merged.githubToken = process.env.GITHUB_TOKEN;\n  }\n  if (!merged.githubToken && process.env.DEP_ORACLE_GITHUB_TOKEN) {\n    merged.githubToken = process.env.DEP_ORACLE_GITHUB_TOKEN;\n  }\n\n  return ConfigSchema.parse(merged);\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,IAAM,4BAA4B;AAM3B,IAAM,iBAAN,MAAqB;AAAA;AAAA;AAAA;AAAA;AAAA,EAK1B,QACE,UACA,YACA,QACa;AACb,UAAM,UAAyB,CAAC;AAChC,UAAM,UAAoB,CAAC;AAK3B,QAAI,eAAe,MAAM;AACvB,cAAQ,WAAW,OAAO;AAAA,QACxB,KAAK;AACH,kBAAQ,KAAK,EAAE,WAAW,UAAU,QAAQ,IAAI,CAAC;AACjD,kBAAQ,KAAK,+BAA+B;AAC5C;AAAA,QACF,KAAK;AACH,kBAAQ,KAAK,EAAE,WAAW,aAAa,QAAQ,IAAI,CAAC;AACpD,kBAAQ,KAAK,iCAAiC;AAC9C;AAAA,QACF,KAAK;AACH,kBAAQ,KAAK,EAAE,WAAW,UAAU,QAAQ,IAAI,CAAC;AACjD,kBAAQ,KAAK,sBAAsB;AACnC;AAAA,MACJ;AAAA,IACF;AAKA,QAAI,WAAW,MAAM;AACnB,YAAM,aAAa,OAAO;AAE1B,UAAI,cAAc,IAAI;AACpB,gBAAQ,KAAK,EAAE,WAAW,UAAU,QAAQ,IAAI,CAAC;AACjD,gBAAQ,KAAK,yBAAyB,UAAU,sBAAsB;AAAA,MACxE,WAAW,cAAc,IAAI;AAC3B,gBAAQ,KAAK,EAAE,WAAW,UAAU,QAAQ,IAAI,CAAC;AACjD,gBAAQ,KAAK,6BAA6B,UAAU,sBAAsB;AAAA,MAC5E,WAAW,cAAc,GAAG;AAC1B,gBAAQ,KAAK,EAAE,WAAW,UAAU,QAAQ,KAAK,CAAC;AAClD,gBAAQ,KAAK,wBAAwB,UAAU,sBAAsB;AAAA,MACvE,OAAO;AACL,gBAAQ,KAAK,EAAE,WAAW,aAAa,QAAQ,IAAI,CAAC;AACpD,gBAAQ,KAAK,gCAAgC;AAAA,MAC/C;AAAA,IACF;AAKA,QAAI,aAAa,MAAM;AACrB,UAAI,SAAS,oBAAoB,MAAM;AACrC,cAAM,cAAc,IAAI,KAAK,SAAS,eAAe;AACrD,cAAM,qBAAqB,cAAc,aAAa,oBAAI,KAAK,CAAC;AAEhE,YAAI,qBAAqB,GAAG;AAC1B,kBAAQ,KAAK,EAAE,WAAW,UAAU,QAAQ,IAAI,CAAC;AACjD,kBAAQ,KAAK,+CAA+C;AAAA,QAC9D,WAAW,qBAAqB,GAAG;AACjC,kBAAQ,KAAK,EAAE,WAAW,UAAU,QAAQ,KAAK,CAAC;AAClD,kBAAQ,KAAK,gBAAgB,KAAK,MAAM,kBAAkB,CAAC,aAAa;AAAA,QAC1E,WAAW,qBAAqB,IAAI;AAClC,kBAAQ,KAAK,EAAE,WAAW,aAAa,QAAQ,IAAI,CAAC;AACpD,kBAAQ,KAAK,qBAAqB,KAAK,MAAM,kBAAkB,CAAC,SAAS;AAAA,QAC3E,OAAO;AACL,kBAAQ,KAAK,EAAE,WAAW,aAAa,QAAQ,IAAI,CAAC;AACpD,kBAAQ,KAAK,qBAAqB,KAAK,MAAM,kBAAkB,CAAC,mCAA8B;AAAA,QAChG;AAAA,MACF;AAGA,UAAI,SAAS,eAAe,IAAI;AAC9B,gBAAQ,KAAK,EAAE,WAAW,UAAU,QAAQ,IAAI,CAAC;AACjD,gBAAQ,KAAK,uBAAuB,SAAS,YAAY,WAAW;AAAA,MACtE;AAGA,UAAI,SAAS,eAAe,MAAM;AAChC,gBAAQ,KAAK,EAAE,WAAW,aAAa,QAAQ,IAAI,CAAC;AACpD,gBAAQ,KAAK,iCAAiC;AAAA,MAChD;AAAA,IACF;AAKA,QAAI,WAAW,QAAQ,OAAO,QAAQ,GAAG;AACvC,YAAM,YAAY,OAAO,QAAQ,OAAO;AACxC,UAAI,YAAY,KAAK;AAEnB,gBAAQ,KAAK,EAAE,WAAW,UAAU,QAAQ,IAAI,CAAC;AACjD,gBAAQ,KAAK,oDAAoD;AAAA,MACnE;AAAA,IACF;AAKA,QAAI,QAAQ,WAAW,GAAG;AACxB,aAAO;AAAA,QACL,OAAO;AAAA,QACP,YAAY;AAAA,QACZ,kBAAkB;AAAA,QAClB,QAAQ;AAAA,MACV;AAAA,IACF;AAEA,UAAM,EAAE,OAAO,WAAW,IAAI,KAAK,iBAAiB,OAAO;AAC3D,UAAM,mBAAmB,KAAK,wBAAwB,OAAO,YAAY,OAAO;AAEhF,WAAO;AAAA,MACL;AAAA,MACA,YAAY,KAAK,MAAM,aAAa,GAAG,IAAI;AAAA,MAC3C,kBAAkB,KAAK,MAAM,gBAAgB;AAAA,MAC7C,QAAQ,QAAQ,KAAK,IAAI,IAAI;AAAA,IAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,iBAAiB,SAGvB;AACA,UAAM,QAA4D;AAAA,MAChE,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,WAAW;AAAA,IACb;AAEA,QAAI,cAAc;AAElB,eAAW,UAAU,SAAS;AAC5B,YAAM,OAAO,SAAS,KAAK,OAAO;AAClC,qBAAe,OAAO;AAAA,IACxB;AAGA,QAAI,UAAU;AACd,QAAI,QAAwB;AAE5B,eAAW,CAAC,WAAW,IAAI,KAAK,OAAO,QAAQ,KAAK,GAAG;AACrD,UAAI,OAAO,SAAS;AAClB,kBAAU;AACV,gBAAQ;AAAA,MACV;AAAA,IACF;AAKA,UAAM,YAAY,cAAc,IAAI,UAAU,cAAc;AAC5D,UAAM,oBAAoB,KAAK,IAAI,QAAQ,SAAS,2BAA2B,CAAC;AAChF,UAAM,aAAa,KAAK,IAAI,YAAY,mBAAmB,CAAC;AAE5D,WAAO,EAAE,OAAO,WAAW;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,wBACN,OACA,YACA,SACQ;AAER,UAAM,gBAAgD;AAAA,MACpD,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR,WAAW;AAAA,MACX,SAAS;AAAA,IACX;AAEA,QAAI,OAAO,cAAc,KAAK;AAG9B,YAAQ;AAGR,UAAM,kBAAkB,QACrB,OAAO,CAAC,MAAM,EAAE,cAAc,WAAW,EACzC,OAAO,CAAC,KAAK,MAAM,MAAM,EAAE,QAAQ,CAAC;AAEvC,QAAI,kBAAkB,KAAK;AAEzB,cAAQ,KAAK,MAAM,kBAAkB,CAAC;AAAA,IACxC;AAGA,WAAO,KAAK,IAAI,KAAK,KAAK,IAAI,IAAI,IAAI,CAAC;AAAA,EACzC;AACF;AAeA,SAAS,cAAc,MAAY,IAAkB;AACnD,QAAM,QAAQ,GAAG,YAAY,IAAI,KAAK,YAAY;AAClD,QAAM,SAAS,GAAG,SAAS,IAAI,KAAK,SAAS;AAC7C,QAAM,OAAO,GAAG,QAAQ,IAAI,KAAK,QAAQ;AACzC,SAAO,QAAQ,KAAK,UAAU,OAAO,IAAI,OAAO;AAClD;;;AC9PO,IAAM,cAAN,MAAkB;AAAA,EACf;AAAA,EACS;AAAA,EACA;AAAA,EACT;AAAA,EACA,YAA+B,CAAC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMxC,YAAY,aAAqB,UAAkB;AACjD,SAAK,YAAY;AACjB,SAAK,SAAS;AACd,SAAK,mBAAmB;AACxB,SAAK,aAAa,KAAK,IAAI;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAyB;AAC7B,SAAK,OAAO;AAEZ,QAAI,KAAK,SAAS,GAAG;AACnB,WAAK;AACL;AAAA,IACF;AAGA,WAAO,IAAI,QAAc,CAAC,YAAY;AACpC,WAAK,UAAU,KAAK,OAAO;AAC3B,WAAK,eAAe;AAAA,IACtB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,YAAoB;AACtB,SAAK,OAAO;AACZ,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,gBAAwB;AAC1B,UAAM,UAAU,KAAK,IAAI,IAAI,KAAK;AAClC,WAAO,KAAK,IAAI,GAAG,KAAK,mBAAmB,OAAO;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA,EAMQ,SAAe;AACrB,UAAM,MAAM,KAAK,IAAI;AACrB,UAAM,UAAU,MAAM,KAAK;AAE3B,QAAI,WAAW,KAAK,kBAAkB;AAEpC,YAAM,UAAU,KAAK,MAAM,UAAU,KAAK,gBAAgB;AAC1D,WAAK,SAAS,KAAK,IAAI,KAAK,WAAW,KAAK,SAAS,UAAU,KAAK,SAAS;AAC7E,WAAK,aAAa,MAAO,UAAU,KAAK;AACxC,WAAK,eAAe;AAAA,IACtB;AAAA,EACF;AAAA,EAEQ,iBAAuB;AAC7B,UAAM,QAAQ,KAAK;AACnB,QAAI,SAAS,GAAG;AACd,WAAK,OAAO;AACZ;AAAA,IACF;AAEA,eAAW,MAAM;AACf,WAAK,OAAO;AAAA,IACd,GAAG,KAAK;AAAA,EACV;AAAA,EAEQ,iBAAuB;AAC7B,WAAO,KAAK,UAAU,SAAS,KAAK,KAAK,SAAS,GAAG;AACnD,WAAK;AACL,YAAM,UAAU,KAAK,UAAU,MAAM;AACrC,gBAAU;AAAA,IACZ;AAAA,EACF;AACF;AAYO,IAAM,oBAAoB,IAAI,YAAY,KAAM,IAAS;AAMzD,IAAM,iBAAiB,IAAI,YAAY,KAAK,GAAM;AAKlD,IAAM,kBAAkB,IAAI,YAAY,KAAK,GAAM;;;AC/G1D,SAAS,mBAAmB;AAG5B,IAAM,WAAW,YAAY,YAAY;AASzC,eAAsB,WAAW,WAA8C;AAC7E,MAAI,aAAsC,CAAC;AAE3C,MAAI;AACF,UAAM,SAAS,MAAM,SAAS,OAAO;AACrC,QAAI,QAAQ,UAAU,OAAO,OAAO,WAAW,UAAU;AACvD,mBAAa,OAAO;AAAA,IACtB;AAAA,EACF,QAAQ;AAAA,EAER;AAGA,QAAM,SAAkC,EAAE,GAAG,YAAY,GAAG,UAAU;AAGtE,MAAI,CAAC,OAAO,eAAe,QAAQ,IAAI,cAAc;AACnD,WAAO,cAAc,QAAQ,IAAI;AAAA,EACnC;AACA,MAAI,CAAC,OAAO,eAAe,QAAQ,IAAI,yBAAyB;AAC9D,WAAO,cAAc,QAAQ,IAAI;AAAA,EACnC;AAEA,SAAO,aAAa,MAAM,MAAM;AAClC;","names":[]}