dep-oracle 1.2.0 → 1.3.0

package/README.md

@@ -34,8 +34,8 @@
 
 ## Why?
 
-- **62% of breaches** in 2025 came from supply chain attacks
-- The average project has **683 transitive dependencies**
+- Supply chain attacks increased **742% since 2019** ([Sonatype 2024 Report](https://www.sonatype.com/state-of-the-software-supply-chain/introduction))
+- The average npm project pulls in **hundreds of transitive dependencies** — any one could be compromised
 - `npm audit` only catches **known** CVEs — dep-oracle **predicts** future risks
 - You audit your code. But do you audit your **trust**?
 
@@ -162,6 +162,26 @@ Packages that patch vulnerabilities quickly (within 7 days) receive a **+10 bonu
 
 If an API is unreachable (GitHub down, no internet, rate limited), dep-oracle doesn't crash. The missing metric weight is redistributed across available metrics. If 3+ metrics are unavailable, a reliability warning is shown.
 
+### Blast Radius Methodology
+
+The blast radius metric counts how many of your source files directly import a given dependency:
+
+1. Recursively collects all `.js`, `.ts`, `.jsx`, `.tsx`, `.mjs`, `.mts`, `.cjs`, `.cts` files
+2. Skips `node_modules`, `.git`, `dist`, `build`, `coverage`, and other build directories
+3. Searches each file for `import ... from 'pkg'`, `require('pkg')`, and dynamic `import('pkg')` patterns
+4. Reports the count, file paths, and percentage of codebase affected
+
+**Current limitations:**
+- Only scans JavaScript/TypeScript import patterns
+- Python `import` statements are not yet analyzed (blast radius returns 0 for Python-only projects)
+- Does not trace re-exports or barrel files — counts direct imports only
+
+### Weight Rationale
+
+Weights are based on the principle that **security vulnerabilities and maintainer abandonment** are the strongest predictors of supply chain risk, followed by development activity signals. Weights are fully configurable via `.dep-oraclerc.json` — enterprise teams can adjust to match their specific risk tolerance.
+
+When data is unavailable for a metric, the score is pulled toward the midpoint (50) proportionally to the fraction of missing weight, preventing artificial inflation from missing data.
+
 ## Typosquat Detection
 
 dep-oracle uses a multi-layer approach to catch typosquatting:
@@ -238,10 +258,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: ertugrulakben/dep-oracle-action@v1
+      - uses: actions/setup-node@v4
         with:
-          threshold: 60
-          format: sarif
+          node-version: '20'
+      - name: Run dep-oracle
+        run: npx dep-oracle scan --format sarif --min-score 60
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 ## Configuration
@@ -296,17 +319,19 @@ Or add to `package.json`:
 | Feature | npm audit | Dependabot | Socket.dev | Snyk | **dep-oracle** |
 |---------|-----------|------------|------------|------|----------------|
 | Known CVE scan | Yes | Yes | Yes | Yes | **Yes** |
-| Predictive risk | No | No | Partial | No | **Yes** |
+| Predictive risk | No | No | Partial | Partial | **Yes** |
 | Trust Score (0-100) | No | No | No | No | **Yes** |
 | Zombie detection | No | No | No | No | **Yes** |
-| Blast radius | No | No | No | No | **Yes** |
+| Blast radius | No | Partial | No | No | **Yes** |
 | Typosquat detection | No | No | Yes | No | **Yes** |
 | Trend prediction | No | No | No | No | **Yes** |
 | Migration advisor | No | Partial | No | Partial | **Yes (131 pkgs)** |
-| MCP integration | No | No | Yes | Yes | **Yes** |
+| MCP integration | No | No | No | No | **Yes** |
 | Zero install (npx) | Yes | No | No | No | **Yes** |
 | Free & open source | Yes | Yes | Freemium | Freemium | **Yes** |
 
+> **Note:** dep-oracle is not a replacement for Snyk or Socket.dev in enterprise environments. They have dedicated security research teams and CVE databases. dep-oracle focuses on **predictive signals** (trust scores, maintenance health, funding, zombie detection) that complement existing tools.
+
 ## Programmatic API
 
 ```typescript

package/dist/action/index.js

@@ -5608,6 +5608,87 @@ function createLogger(label) {
   };
 }
 
+// src/utils/rate-limiter.ts
+var RateLimiter = class {
+  tokens;
+  maxTokens;
+  refillIntervalMs;
+  lastRefill;
+  waitQueue = [];
+  /**
+   * @param maxRequests  Maximum number of requests allowed in the window
+   * @param windowMs     Window duration in milliseconds
+   */
+  constructor(maxRequests, windowMs) {
+    this.maxTokens = maxRequests;
+    this.tokens = maxRequests;
+    this.refillIntervalMs = windowMs;
+    this.lastRefill = Date.now();
+  }
+  /**
+   * Acquire a token. Resolves immediately when tokens are available,
+   * otherwise waits until the bucket is refilled.
+   */
+  async acquire() {
+    this.refill();
+    if (this.tokens > 0) {
+      this.tokens--;
+      return;
+    }
+    return new Promise((resolve2) => {
+      this.waitQueue.push(resolve2);
+      this.scheduleRefill();
+    });
+  }
+  /**
+   * Return the number of tokens currently available (without waiting).
+   */
+  get remaining() {
+    this.refill();
+    return this.tokens;
+  }
+  /**
+   * Return the number of milliseconds until the next refill.
+   */
+  get msUntilRefill() {
+    const elapsed = Date.now() - this.lastRefill;
+    return Math.max(0, this.refillIntervalMs - elapsed);
+  }
+  // -----------------------------------------------------------------------
+  // Internal
+  // -----------------------------------------------------------------------
+  refill() {
+    const now = Date.now();
+    const elapsed = now - this.lastRefill;
+    if (elapsed >= this.refillIntervalMs) {
+      const periods = Math.floor(elapsed / this.refillIntervalMs);
+      this.tokens = Math.min(this.maxTokens, this.tokens + periods * this.maxTokens);
+      this.lastRefill = now - elapsed % this.refillIntervalMs;
+      this.drainWaitQueue();
+    }
+  }
+  scheduleRefill() {
+    const delay = this.msUntilRefill;
+    if (delay <= 0) {
+      this.refill();
+      return;
+    }
+    setTimeout(() => {
+      this.refill();
+    }, delay);
+  }
+  drainWaitQueue() {
+    while (this.waitQueue.length > 0 && this.tokens > 0) {
+      this.tokens--;
+      const resolve2 = this.waitQueue.shift();
+      resolve2?.();
+    }
+  }
+};
+var githubRateLimiter = new RateLimiter(5e3, 36e5);
+var npmRateLimiter = new RateLimiter(300, 6e4);
+var pypiRateLimiter = new RateLimiter(100, 6e4);
+
 // src/collectors/base.ts
 var BaseCollector = class {
   cache;
@@ -5720,6 +5801,7 @@ var RegistryCollector = class extends BaseCollector {
   async fetchPackument(packageName) {
     const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
     logger.debug(`Fetching packument: ${url}`);
+    await npmRateLimiter.acquire();
     const res = await fetch(url, {
       headers: { Accept: "application/json" }
     });
@@ -5732,6 +5814,7 @@ var RegistryCollector = class extends BaseCollector {
     const url = `https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(packageName)}`;
     logger.debug(`Fetching weekly downloads: ${url}`);
     try {
+      await npmRateLimiter.acquire();
       const res = await fetch(url, {
         headers: { Accept: "application/json" }
       });
@@ -5759,6 +5842,166 @@ var RegistryCollector = class extends BaseCollector {
   }
 };
 
+// src/collectors/pypi-registry.ts
+var PyPIRegistryCollector = class extends BaseCollector {
+  name = "pypi-registry";
+  constructor(cache2) {
+    super(cache2);
+  }
+  async collect(packageName, version) {
+    const cached = await this.getCached(packageName, version);
+    if (cached) return cached;
+    try {
+      const [metadataResult, downloadsResult] = await Promise.allSettled([
+        this.fetchMetadata(packageName),
+        this.fetchWeeklyDownloads(packageName)
+      ]);
+      const metadata = metadataResult.status === "fulfilled" ? metadataResult.value : null;
+      const downloads = downloadsResult.status === "fulfilled" ? downloadsResult.value : 0;
+      if (!metadata) {
+        throw new Error(`PyPI registry returned no data for ${packageName}`);
+      }
+      const versionCount = metadata.releases ? Object.keys(metadata.releases).length : 0;
+      const lastPublishDate = this.findLastPublishDate(metadata.releases);
+      const deprecated = this.checkYanked(metadata.releases, version);
+      const data = {
+        packageName,
+        version: version === "latest" ? metadata.info.version : version,
+        description: metadata.info.summary ?? null,
+        lastPublishDate,
+        versionCount,
+        deprecated,
+        weeklyDownloads: downloads,
+        license: metadata.info.license ?? null,
+        repositoryUrl: this.extractRepoUrl(metadata.info)
+      };
+      await this.setCache(packageName, version, data);
+      return {
+        status: "success",
+        data,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(
+        `PyPIRegistryCollector failed for ${packageName}@${version}: ${message}`
+      );
+      return {
+        status: "error",
+        data: null,
+        error: message,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Private helpers
+  // ---------------------------------------------------------------------------
+  async fetchMetadata(packageName) {
+    await pypiRateLimiter.acquire();
+    const url = `https://pypi.org/pypi/${encodeURIComponent(packageName)}/json`;
+    logger.debug(`Fetching PyPI metadata: ${url}`);
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" }
+    });
+    if (!res.ok) {
+      if (res.status === 404) return null;
+      throw new Error(`PyPI registry returned ${res.status} for ${packageName}`);
+    }
+    return await res.json();
+  }
+  async fetchWeeklyDownloads(packageName) {
+    await pypiRateLimiter.acquire();
+    const url = `https://pypistats.org/api/packages/${encodeURIComponent(packageName)}/recent`;
+    logger.debug(`Fetching PyPI weekly downloads: ${url}`);
+    try {
+      const res = await fetch(url, {
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) {
+        logger.warn(
+          `PyPI stats API returned ${res.status} for ${packageName}`
+        );
+        return 0;
+      }
+      const body = await res.json();
+      return body.data?.last_week ?? 0;
+    } catch {
+      logger.warn(`Could not fetch PyPI download stats for ${packageName}`);
+      return 0;
+    }
+  }
+  /**
+   * Find the most recent upload date across all releases.
+   */
+  findLastPublishDate(releases) {
+    if (!releases) return null;
+    const dates = [];
+    for (const files of Object.values(releases)) {
+      for (const file of files) {
+        const dateStr = file.upload_time_iso_8601 ?? file.upload_time;
+        if (dateStr) {
+          const ts = new Date(dateStr).getTime();
+          if (!isNaN(ts)) dates.push(ts);
+        }
+      }
+    }
+    if (dates.length === 0) return null;
+    dates.sort((a, b) => b - a);
+    return new Date(dates[0]).toISOString();
+  }
+  /**
+   * Check if the requested version is yanked (PyPI's deprecation mechanism).
+   * Returns the yank reason string, or null if not yanked.
+   */
+  checkYanked(releases, version) {
+    if (!releases || version === "latest") return null;
+    const files = releases[version];
+    if (!files || files.length === 0) return null;
+    const yankedFile = files.find((f) => f.yanked);
+    if (yankedFile) {
+      return yankedFile.yanked_reason || "This version has been yanked";
+    }
+    return null;
+  }
+  /**
+   * Extract a normalised repository URL from PyPI project_urls or home_page.
+   */
+  extractRepoUrl(info) {
+    const projectUrls = info.project_urls ?? {};
+    const repoKeys = [
+      "Source",
+      "Source Code",
+      "Repository",
+      "GitHub",
+      "Code",
+      "Homepage",
+      "source",
+      "source_code",
+      "repository",
+      "github",
+      "code",
+      "homepage"
+    ];
+    for (const key of repoKeys) {
+      const url = projectUrls[key];
+      if (url && (url.includes("github.com") || url.includes("gitlab.com") || url.includes("bitbucket.org"))) {
+        return url.replace(/\.git$/, "");
+      }
+    }
+    for (const url of Object.values(projectUrls)) {
+      if (url && (url.includes("github.com") || url.includes("gitlab.com") || url.includes("bitbucket.org"))) {
+        return url.replace(/\.git$/, "");
+      }
+    }
+    const homePage = info.home_page;
+    if (homePage && (homePage.includes("github.com") || homePage.includes("gitlab.com"))) {
+      return homePage.replace(/\.git$/, "");
+    }
+    return null;
+  }
+};
+
 // src/collectors/github.ts
 var GitHubCollector = class extends BaseCollector {
   name = "github";
@@ -5830,6 +6073,7 @@ var GitHubCollector = class extends BaseCollector {
   async resolveRepoSlug(packageName) {
     try {
       const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+      await npmRateLimiter.acquire();
       const res = await fetch(url, {
         headers: { Accept: "application/json" }
       });
@@ -5872,6 +6116,7 @@ var GitHubCollector = class extends BaseCollector {
   async fetchRepoInfo(owner, repo) {
     const url = `https://api.github.com/repos/${owner}/${repo}`;
     logger.debug(`GitHub: fetching repo info ${url}`);
+    await githubRateLimiter.acquire();
     const res = await fetch(url, { headers: this.headers() });
     if (!res.ok) {
       throw new Error(`GitHub API ${res.status} for ${url}`);
@@ -5886,6 +6131,7 @@ var GitHubCollector = class extends BaseCollector {
     const url = `https://api.github.com/repos/${owner}/${repo}/contributors?per_page=1&anon=true`;
     logger.debug(`GitHub: fetching contributor count ${url}`);
     try {
+      await githubRateLimiter.acquire();
       const res = await fetch(url, { headers: this.headers() });
       if (!res.ok) return 0;
       const count = this.extractLastPage(res.headers.get("link"));
@@ -5906,6 +6152,7 @@ var GitHubCollector = class extends BaseCollector {
     const url = `https://api.github.com/repos/${owner}/${repo}/commits?since=${since}&per_page=1`;
     logger.debug(`GitHub: fetching recent commit count ${url}`);
     try {
+      await githubRateLimiter.acquire();
       const res = await fetch(url, { headers: this.headers() });
       if (!res.ok) return 0;
       const count = this.extractLastPage(res.headers.get("link"));
@@ -5921,6 +6168,7 @@ var GitHubCollector = class extends BaseCollector {
     const url = `https://api.github.com/repos/${owner}/${repo}/commits?per_page=1`;
     logger.debug(`GitHub: fetching latest commit ${url}`);
     try {
+      await githubRateLimiter.acquire();
       const res = await fetch(url, { headers: this.headers() });
       if (!res.ok) return null;
       const body = await res.json();
@@ -5937,6 +6185,7 @@ var GitHubCollector = class extends BaseCollector {
     const url = `https://api.github.com/repos/${owner}/${repo}/contents/.github/FUNDING.yml`;
     logger.debug(`GitHub: checking FUNDING.yml ${url}`);
     try {
+      await githubRateLimiter.acquire();
       const res = await fetch(url, { headers: this.headers() });
       return res.ok;
     } catch {
@@ -5968,11 +6217,11 @@ var SecurityCollector = class extends BaseCollector {
   constructor(cache2) {
     super(cache2);
   }
-  async collect(packageName, version) {
+  async collect(packageName, version, ecosystem) {
     const cached = await this.getCached(packageName, version);
     if (cached) return cached;
     try {
-      const vulns = await this.queryOsv(packageName);
+      const vulns = await this.queryOsv(packageName, ecosystem);
       const totalVulnerabilities = vulns.length;
       const severityCounts = {
         critical: 0,
@@ -6022,16 +6271,16 @@ var SecurityCollector = class extends BaseCollector {
   // ---------------------------------------------------------------------------
   // OSV API
   // ---------------------------------------------------------------------------
-  async queryOsv(packageName) {
+  async queryOsv(packageName, ecosystem = "npm") {
     const url = "https://api.osv.dev/v1/query";
-    logger.debug(`OSV: querying vulnerabilities for ${packageName}`);
+    logger.debug(`OSV: querying vulnerabilities for ${packageName} (ecosystem=${ecosystem})`);
     const res = await fetch(url, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
         package: {
           name: packageName,
-          ecosystem: "npm"
+          ecosystem
         }
       })
     });
@@ -6195,6 +6444,7 @@ var FundingCollector = class extends BaseCollector {
   async fetchNpmFunding(packageName) {
     try {
       const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+      await npmRateLimiter.acquire();
       const res = await fetch(url, {
         headers: { Accept: "application/json" }
       });
@@ -6229,6 +6479,7 @@ var FundingCollector = class extends BaseCollector {
       if (this.githubToken) {
         headers.Authorization = `Bearer ${this.githubToken}`;
       }
+      await githubRateLimiter.acquire();
       const res = await fetch(url, { headers });
       if (!res.ok) return null;
       return await res.text();
@@ -6259,6 +6510,7 @@ var FundingCollector = class extends BaseCollector {
   async resolveRepoSlug(packageName) {
     try {
       const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+      await npmRateLimiter.acquire();
       const res = await fetch(url, {
         headers: { Accept: "application/json" }
       });
@@ -6377,6 +6629,7 @@ var PopularityCollector = class extends BaseCollector {
     const url = `https://api.npmjs.org/downloads/point/${period}/${encodeURIComponent(packageName)}`;
     logger.debug(`Popularity: fetching ${period} downloads: ${url}`);
     try {
+      await npmRateLimiter.acquire();
       const res = await fetch(url, {
         headers: { Accept: "application/json" }
       });
@@ -6404,6 +6657,7 @@ var PopularityCollector = class extends BaseCollector {
     const url = `https://registry.npmjs.org/-/v1/search?text=${encodeURIComponent(packageName)}&size=1`;
     logger.debug(`Popularity: fetching dependent count: ${url}`);
     try {
+      await npmRateLimiter.acquire();
       const res = await fetch(url, {
         headers: { Accept: "application/json" }
       });
@@ -6429,6 +6683,7 @@ var PopularityCollector = class extends BaseCollector {
   async fetchDependentCountFromRegistry(packageName) {
     try {
       const url = `https://www.npmjs.com/package/${encodeURIComponent(packageName)}`;
+      await npmRateLimiter.acquire();
       const res = await fetch(url, {
         headers: {
           Accept: "text/html",
@@ -6596,6 +6851,7 @@ var LicenseCollector = class extends BaseCollector {
   async fetchLicense(packageName, version) {
     const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
     logger.debug(`License: fetching packument ${url}`);
+    await npmRateLimiter.acquire();
     const res = await fetch(url, {
       headers: { Accept: "application/json" }
     });
@@ -6655,6 +6911,7 @@ var CollectorOrchestrator = class {
   cache;
   options;
   registryCollector;
+  pypiRegistryCollector;
   githubCollector;
   securityCollector;
   fundingCollector;
@@ -6668,6 +6925,7 @@ var CollectorOrchestrator = class {
       concurrency: options.concurrency ?? 10
     };
     this.registryCollector = new RegistryCollector(this.cache);
+    this.pypiRegistryCollector = new PyPIRegistryCollector(this.cache);
     this.githubCollector = new GitHubCollector(this.cache, this.options.githubToken || void 0);
     this.securityCollector = new SecurityCollector(this.cache);
     this.fundingCollector = new FundingCollector(this.cache, this.options.githubToken || void 0);
@@ -6681,13 +6939,15 @@ var CollectorOrchestrator = class {
    * only the cache is consulted; if there is no cached entry the result gets
    * `status: 'offline'` with `data: null`.
    */
-  async collectAll(packageName, version) {
+  async collectAll(packageName, version, ecosystem = "npm") {
     logger.info(
-      `Collecting data for ${packageName}@${version} (offline=${String(this.options.offline)})`
+      `Collecting data for ${packageName}@${version} (ecosystem=${ecosystem}, offline=${String(this.options.offline)})`
     );
     const limit = pLimit(this.options.concurrency);
+    const activeRegistryCollector = ecosystem === "pypi" ? this.pypiRegistryCollector : this.registryCollector;
+    const osvEcosystem = ecosystem === "pypi" ? "PyPI" : "npm";
     const entries = [
-      { key: "registry", collector: this.registryCollector },
+      { key: "registry", collector: activeRegistryCollector },
       { key: "github", collector: this.githubCollector },
       { key: "security", collector: this.securityCollector },
       { key: "funding", collector: this.fundingCollector },
@@ -6703,12 +6963,21 @@ var CollectorOrchestrator = class {
           result = await this.offlineCollect(collector, packageName, version);
         } else {
           try {
-            result = await Promise.race([
-              this.onlineCollect(collector, packageName, version),
-              new Promise(
-                (_, reject) => setTimeout(() => reject(new Error("Collector timeout")), COLLECTOR_TIMEOUT)
-              )
-            ]);
+            if (key === "security") {
+              result = await Promise.race([
+                this.securityCollector.collect(packageName, version, osvEcosystem),
+                new Promise(
+                  (_, reject) => setTimeout(() => reject(new Error("Collector timeout")), COLLECTOR_TIMEOUT)
+                )
+              ]);
+            } else {
+              result = await Promise.race([
+                this.onlineCollect(collector, packageName, version),
+                new Promise(
+                  (_, reject) => setTimeout(() => reject(new Error("Collector timeout")), COLLECTOR_TIMEOUT)
+                )
+              ]);
+            }
           } catch {
             logger.warn(`[${collector.name}] ${packageName}@${version} => timeout (${COLLECTOR_TIMEOUT}ms)`);
             result = {
@@ -6833,7 +7102,7 @@ var TrustScoreEngine = class {
     return {
       trustScore: Math.round(trustScore),
       metrics,
-      insufficientData: unavailableMetrics.length >= 3,
+      insufficientData: unavailableMetrics.length >= 2,
       unavailableMetrics
     };
   }
@@ -6975,6 +7244,11 @@ var TrustScoreEngine = class {
       const effectiveWeight = m.weight / totalAvailableWeight;
       score += m.score * effectiveWeight;
     }
+    const missingWeightFraction = 1 - totalAvailableWeight;
+    if (missingWeightFraction > 0) {
+      const penalty = (score - 50) * missingWeightFraction;
+      score = score - penalty;
+    }
     return clamp(Math.round(score));
   }
 };
@@ -10735,7 +11009,115 @@ var POPULAR_PACKAGES = [
   "request",
   "tslint",
   "node-pre-gyp",
-  "npm-lifecycle"
+  "npm-lifecycle",
+  // ---------------------------------------------------------------------------
+  // Popular Python packages (PyPI)
+  // ---------------------------------------------------------------------------
+  "requests",
+  "flask",
+  "django",
+  "fastapi",
+  "numpy",
+  "pandas",
+  "scipy",
+  "matplotlib",
+  "tensorflow",
+  "torch",
+  "scikit-learn",
+  "keras",
+  "pytorch-lightning",
+  "xgboost",
+  "lightgbm",
+  "pytest",
+  "black",
+  "mypy",
+  "ruff",
+  "pylint",
+  "flake8",
+  "isort",
+  "celery",
+  "redis",
+  "sqlalchemy",
+  "alembic",
+  "pydantic",
+  "httpx",
+  "aiohttp",
+  "uvicorn",
+  "gunicorn",
+  "starlette",
+  "boto3",
+  "botocore",
+  "awscli",
+  "google-cloud-storage",
+  "azure-storage-blob",
+  "pillow",
+  "opencv-python",
+  "beautifulsoup4",
+  "lxml",
+  "scrapy",
+  "cryptography",
+  "paramiko",
+  "fabric",
+  "ansible",
+  "click",
+  "typer",
+  "rich",
+  "tqdm",
+  "colorama",
+  "tabulate",
+  "setuptools",
+  "wheel",
+  "pip",
+  "twine",
+  "poetry",
+  "pdm",
+  "hatch",
+  "jinja2",
+  "mako",
+  "markupsafe",
+  "werkzeug",
+  "psycopg2",
+  "pymongo",
+  "motor",
+  "peewee",
+  "tortoise-orm",
+  "marshmallow",
+  "attrs",
+  "dataclasses-json",
+  "sentry-sdk",
+  "prometheus-client",
+  "opentelemetry-api",
+  "transformers",
+  "huggingface-hub",
+  "tokenizers",
+  "datasets",
+  "langchain",
+  "openai",
+  "anthropic",
+  "tiktoken",
+  "pytest-cov",
+  "pytest-asyncio",
+  "pytest-mock",
+  "coverage",
+  "pyyaml",
+  "toml",
+  "python-dotenv",
+  "decouple",
+  "arrow",
+  "pendulum",
+  "python-dateutil",
+  "stripe",
+  "twilio",
+  "sendgrid",
+  "selenium",
+  "playwright",
+  "httptools",
+  "orjson",
+  "ujson",
+  "msgpack",
+  "networkx",
+  "sympy",
+  "statsmodels"
 ];
 var TyposquatDetector = class _TyposquatDetector {
   popularPackages;