dep-oracle 1.2.0 → 1.3.0

package/dist/chunk-32B3QIPY.js

@@ -0,0 +1,1505 @@
+#!/usr/bin/env node
+
+// src/collectors/orchestrator.ts
+import pLimit from "p-limit";
+
+// src/utils/logger.ts
+import chalk from "chalk";
+var _verbose = false;
+function setVerbose(enabled) {
+  _verbose = enabled;
+}
+function isDebug() {
+  const val = process.env.DEP_ORACLE_DEBUG;
+  if (!val) return false;
+  return ["1", "true", "yes"].includes(val.toLowerCase());
+}
+function timestamp() {
+  return (/* @__PURE__ */ new Date()).toISOString().slice(11, 23);
+}
+function formatMessage(level, colorFn, msg) {
+  return `${chalk.dim(timestamp())} ${colorFn(level.padEnd(5))} ${msg}`;
+}
+var logger = {
+  debug(msg) {
+    if (!isDebug()) return;
+    process.stderr.write(formatMessage("DEBUG", chalk.gray, chalk.gray(msg)) + "\n");
+  },
+  info(msg) {
+    if (!_verbose && !isDebug()) return;
+    process.stderr.write(formatMessage("INFO", chalk.blue, msg) + "\n");
+  },
+  warn(msg) {
+    process.stderr.write(formatMessage("WARN", chalk.yellow, msg) + "\n");
+  },
+  error(msg) {
+    process.stderr.write(formatMessage("ERROR", chalk.red, msg) + "\n");
+  }
+};
+function createLogger(label) {
+  const prefix = chalk.dim(`[${label}]`);
+  return {
+    debug(msg) {
+      logger.debug(`${prefix} ${msg}`);
+    },
+    info(msg) {
+      logger.info(`${prefix} ${msg}`);
+    },
+    warn(msg) {
+      logger.warn(`${prefix} ${msg}`);
+    },
+    error(msg) {
+      logger.error(`${prefix} ${msg}`);
+    }
+  };
+}
+
+// src/utils/rate-limiter.ts
+var RateLimiter = class {
+  tokens;
+  maxTokens;
+  refillIntervalMs;
+  lastRefill;
+  waitQueue = [];
+  /**
+   * @param maxRequests  Maximum number of requests allowed in the window
+   * @param windowMs     Window duration in milliseconds
+   */
+  constructor(maxRequests, windowMs) {
+    this.maxTokens = maxRequests;
+    this.tokens = maxRequests;
+    this.refillIntervalMs = windowMs;
+    this.lastRefill = Date.now();
+  }
+  /**
+   * Acquire a token. Resolves immediately when tokens are available,
+   * otherwise waits until the bucket is refilled.
+   */
+  async acquire() {
+    this.refill();
+    if (this.tokens > 0) {
+      this.tokens--;
+      return;
+    }
+    return new Promise((resolve) => {
+      this.waitQueue.push(resolve);
+      this.scheduleRefill();
+    });
+  }
+  /**
+   * Return the number of tokens currently available (without waiting).
+   */
+  get remaining() {
+    this.refill();
+    return this.tokens;
+  }
+  /**
+   * Return the number of milliseconds until the next refill.
+   */
+  get msUntilRefill() {
+    const elapsed = Date.now() - this.lastRefill;
+    return Math.max(0, this.refillIntervalMs - elapsed);
+  }
+  // -----------------------------------------------------------------------
+  // Internal
+  // -----------------------------------------------------------------------
+  refill() {
+    const now = Date.now();
+    const elapsed = now - this.lastRefill;
+    if (elapsed >= this.refillIntervalMs) {
+      const periods = Math.floor(elapsed / this.refillIntervalMs);
+      this.tokens = Math.min(this.maxTokens, this.tokens + periods * this.maxTokens);
+      this.lastRefill = now - elapsed % this.refillIntervalMs;
+      this.drainWaitQueue();
+    }
+  }
+  scheduleRefill() {
+    const delay = this.msUntilRefill;
+    if (delay <= 0) {
+      this.refill();
+      return;
+    }
+    setTimeout(() => {
+      this.refill();
+    }, delay);
+  }
+  drainWaitQueue() {
+    while (this.waitQueue.length > 0 && this.tokens > 0) {
+      this.tokens--;
+      const resolve = this.waitQueue.shift();
+      resolve?.();
+    }
+  }
+};
+var githubRateLimiter = new RateLimiter(5e3, 36e5);
+var npmRateLimiter = new RateLimiter(300, 6e4);
+var pypiRateLimiter = new RateLimiter(100, 6e4);
+
+// src/collectors/base.ts
+var BaseCollector = class {
+  cache;
+  /** Default cache TTL in seconds (24 hours). */
+  defaultTTL = 86400;
+  constructor(cache) {
+    this.cache = cache;
+  }
+  // ---------------------------------------------------------------------------
+  // Cache helpers
+  // ---------------------------------------------------------------------------
+  /** Build a deterministic cache key. */
+  cacheKey(pkg, version) {
+    return `${this.name}:${pkg}@${version}`;
+  }
+  /**
+   * Return a cached CollectorResult if one exists, otherwise `null`.
+   *
+   * When a cache hit is found the result is returned with `status: 'cached'`
+   * so callers can differentiate between fresh and cached data.
+   */
+  async getCached(pkg, version) {
+    const key = this.cacheKey(pkg, version);
+    try {
+      const cached = await this.cache.get(key);
+      if (cached !== null && cached !== void 0) {
+        logger.debug(`Cache hit for ${key}`);
+        return {
+          status: "cached",
+          data: cached,
+          collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+        };
+      }
+    } catch (err) {
+      logger.warn(
+        `Cache read failed for ${key}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    return null;
+  }
+  /**
+   * Persist collector data in the cache.
+   *
+   * Failures are logged but never thrown -- caching is best-effort.
+   */
+  async setCache(pkg, version, data, ttl = this.defaultTTL) {
+    const key = this.cacheKey(pkg, version);
+    try {
+      await this.cache.set(key, data, ttl);
+      logger.debug(`Cache set for ${key} (ttl=${ttl}s)`);
+    } catch (err) {
+      logger.warn(
+        `Cache write failed for ${key}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+};
+
+// src/collectors/registry.ts
+var RegistryCollector = class extends BaseCollector {
+  name = "registry";
+  constructor(cache) {
+    super(cache);
+  }
+  async collect(packageName, version) {
+    const cached = await this.getCached(packageName, version);
+    if (cached) return cached;
+    try {
+      const [packument, downloads] = await Promise.all([
+        this.fetchPackument(packageName),
+        this.fetchWeeklyDownloads(packageName)
+      ]);
+      const versionCount = packument.versions ? Object.keys(packument.versions).length : 0;
+      const timeEntries = packument.time ?? {};
+      const publishDates = Object.entries(timeEntries).filter(([key]) => key !== "created" && key !== "modified").map(([, value]) => new Date(value).getTime()).sort((a, b) => b - a);
+      const lastPublishDate = publishDates.length > 0 ? new Date(publishDates[0]).toISOString() : null;
+      const versionInfo = packument.versions?.[version];
+      const deprecated = versionInfo?.deprecated ? String(versionInfo.deprecated) : null;
+      const data = {
+        packageName,
+        version,
+        description: packument.description ?? null,
+        lastPublishDate,
+        versionCount,
+        deprecated,
+        weeklyDownloads: downloads,
+        license: packument.license ?? null,
+        repositoryUrl: this.extractRepoUrl(packument)
+      };
+      await this.setCache(packageName, version, data);
+      return {
+        status: "success",
+        data,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`RegistryCollector failed for ${packageName}@${version}: ${message}`);
+      return {
+        status: "error",
+        data: null,
+        error: message,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Private helpers
+  // ---------------------------------------------------------------------------
+  async fetchPackument(packageName) {
+    const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+    logger.debug(`Fetching packument: ${url}`);
+    await npmRateLimiter.acquire();
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" }
+    });
+    if (!res.ok) {
+      throw new Error(`npm registry returned ${res.status} for ${packageName}`);
+    }
+    return await res.json();
+  }
+  async fetchWeeklyDownloads(packageName) {
+    const url = `https://api.npmjs.org/downloads/point/last-week/${encodeURIComponent(packageName)}`;
+    logger.debug(`Fetching weekly downloads: ${url}`);
+    try {
+      await npmRateLimiter.acquire();
+      const res = await fetch(url, {
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) {
+        logger.warn(`Downloads API returned ${res.status} for ${packageName}`);
+        return 0;
+      }
+      const body = await res.json();
+      return body.downloads ?? 0;
+    } catch {
+      logger.warn(`Could not fetch download stats for ${packageName}`);
+      return 0;
+    }
+  }
+  /**
+   * Extract a normalised GitHub/repo URL from the packument.
+   * npm stores repo URLs in several formats; we normalise to https.
+   */
+  extractRepoUrl(packument) {
+    const repo = packument.repository;
+    if (!repo) return null;
+    const raw = typeof repo === "string" ? repo : repo.url;
+    if (!raw) return null;
+    return raw.replace(/^git\+/, "").replace(/^git:\/\//, "https://").replace(/^ssh:\/\/git@github\.com/, "https://github.com").replace(/^git@github\.com:/, "https://github.com/").replace(/\.git$/, "");
+  }
+};
+
+// src/collectors/pypi-registry.ts
+var PyPIRegistryCollector = class extends BaseCollector {
+  name = "pypi-registry";
+  constructor(cache) {
+    super(cache);
+  }
+  async collect(packageName, version) {
+    const cached = await this.getCached(packageName, version);
+    if (cached) return cached;
+    try {
+      const [metadataResult, downloadsResult] = await Promise.allSettled([
+        this.fetchMetadata(packageName),
+        this.fetchWeeklyDownloads(packageName)
+      ]);
+      const metadata = metadataResult.status === "fulfilled" ? metadataResult.value : null;
+      const downloads = downloadsResult.status === "fulfilled" ? downloadsResult.value : 0;
+      if (!metadata) {
+        throw new Error(`PyPI registry returned no data for ${packageName}`);
+      }
+      const versionCount = metadata.releases ? Object.keys(metadata.releases).length : 0;
+      const lastPublishDate = this.findLastPublishDate(metadata.releases);
+      const deprecated = this.checkYanked(metadata.releases, version);
+      const data = {
+        packageName,
+        version: version === "latest" ? metadata.info.version : version,
+        description: metadata.info.summary ?? null,
+        lastPublishDate,
+        versionCount,
+        deprecated,
+        weeklyDownloads: downloads,
+        license: metadata.info.license ?? null,
+        repositoryUrl: this.extractRepoUrl(metadata.info)
+      };
+      await this.setCache(packageName, version, data);
+      return {
+        status: "success",
+        data,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(
+        `PyPIRegistryCollector failed for ${packageName}@${version}: ${message}`
+      );
+      return {
+        status: "error",
+        data: null,
+        error: message,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Private helpers
+  // ---------------------------------------------------------------------------
+  async fetchMetadata(packageName) {
+    await pypiRateLimiter.acquire();
+    const url = `https://pypi.org/pypi/${encodeURIComponent(packageName)}/json`;
+    logger.debug(`Fetching PyPI metadata: ${url}`);
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" }
+    });
+    if (!res.ok) {
+      if (res.status === 404) return null;
+      throw new Error(`PyPI registry returned ${res.status} for ${packageName}`);
+    }
+    return await res.json();
+  }
+  async fetchWeeklyDownloads(packageName) {
+    await pypiRateLimiter.acquire();
+    const url = `https://pypistats.org/api/packages/${encodeURIComponent(packageName)}/recent`;
+    logger.debug(`Fetching PyPI weekly downloads: ${url}`);
+    try {
+      const res = await fetch(url, {
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) {
+        logger.warn(
+          `PyPI stats API returned ${res.status} for ${packageName}`
+        );
+        return 0;
+      }
+      const body = await res.json();
+      return body.data?.last_week ?? 0;
+    } catch {
+      logger.warn(`Could not fetch PyPI download stats for ${packageName}`);
+      return 0;
+    }
+  }
+  /**
+   * Find the most recent upload date across all releases.
+   */
+  findLastPublishDate(releases) {
+    if (!releases) return null;
+    const dates = [];
+    for (const files of Object.values(releases)) {
+      for (const file of files) {
+        const dateStr = file.upload_time_iso_8601 ?? file.upload_time;
+        if (dateStr) {
+          const ts = new Date(dateStr).getTime();
+          if (!isNaN(ts)) dates.push(ts);
+        }
+      }
+    }
+    if (dates.length === 0) return null;
+    dates.sort((a, b) => b - a);
+    return new Date(dates[0]).toISOString();
+  }
+  /**
+   * Check if the requested version is yanked (PyPI's deprecation mechanism).
+   * Returns the yank reason string, or null if not yanked.
+   */
+  checkYanked(releases, version) {
+    if (!releases || version === "latest") return null;
+    const files = releases[version];
+    if (!files || files.length === 0) return null;
+    const yankedFile = files.find((f) => f.yanked);
+    if (yankedFile) {
+      return yankedFile.yanked_reason || "This version has been yanked";
+    }
+    return null;
+  }
+  /**
+   * Extract a normalised repository URL from PyPI project_urls or home_page.
+   */
+  extractRepoUrl(info) {
+    const projectUrls = info.project_urls ?? {};
+    const repoKeys = [
+      "Source",
+      "Source Code",
+      "Repository",
+      "GitHub",
+      "Code",
+      "Homepage",
+      "source",
+      "source_code",
+      "repository",
+      "github",
+      "code",
+      "homepage"
+    ];
+    for (const key of repoKeys) {
+      const url = projectUrls[key];
+      if (url && (url.includes("github.com") || url.includes("gitlab.com") || url.includes("bitbucket.org"))) {
+        return url.replace(/\.git$/, "");
+      }
+    }
+    for (const url of Object.values(projectUrls)) {
+      if (url && (url.includes("github.com") || url.includes("gitlab.com") || url.includes("bitbucket.org"))) {
+        return url.replace(/\.git$/, "");
+      }
+    }
+    const homePage = info.home_page;
+    if (homePage && (homePage.includes("github.com") || homePage.includes("gitlab.com"))) {
+      return homePage.replace(/\.git$/, "");
+    }
+    return null;
+  }
+};
+
+// src/collectors/github.ts
+var GitHubCollector = class extends BaseCollector {
+  name = "github";
+  token;
+  constructor(cache, githubToken) {
+    super(cache);
+    this.token = githubToken ?? process.env.GITHUB_TOKEN;
+  }
+  async collect(packageName, version) {
+    const cached = await this.getCached(packageName, version);
+    if (cached) return cached;
+    try {
+      const repoSlug = await this.resolveRepoSlug(packageName);
+      if (!repoSlug) {
+        return {
+          status: "error",
+          data: null,
+          error: "No GitHub repository found",
+          collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+        };
+      }
+      const { owner, repo } = repoSlug;
+      const [repoInfo, contributorCount, recentCommitCount, latestCommit, hasFunding] = await Promise.all([
+        this.fetchRepoInfo(owner, repo),
+        this.fetchContributorCount(owner, repo),
+        this.fetchRecentCommitCount(owner, repo),
+        this.fetchLatestCommit(owner, repo),
+        this.checkFundingYml(owner, repo)
+      ]);
+      const data = {
+        owner,
+        repo,
+        stars: repoInfo.stargazers_count,
+        forks: repoInfo.forks_count,
+        openIssues: repoInfo.open_issues_count,
+        updatedAt: repoInfo.updated_at,
+        archived: repoInfo.archived,
+        defaultBranch: repoInfo.default_branch,
+        contributorCount,
+        recentCommitCount,
+        lastCommitDate: latestCommit ? latestCommit.commit.committer?.date ?? null : null,
+        lastCommitSha: latestCommit?.sha ?? null,
+        hasFundingYml: hasFunding
+      };
+      await this.setCache(packageName, version, data);
+      return {
+        status: "success",
+        data,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`GitHubCollector failed for ${packageName}@${version}: ${message}`);
+      return {
+        status: "error",
+        data: null,
+        error: message,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Repo slug resolution
+  // ---------------------------------------------------------------------------
+  /**
+   * Determine the GitHub owner/repo from the npm registry metadata.
+   * Falls back to a well-known heuristic for scoped packages.
+   */
+  async resolveRepoSlug(packageName) {
+    try {
+      const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+      await npmRateLimiter.acquire();
+      const res = await fetch(url, {
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) return null;
+      const body = await res.json();
+      const repoField = body.repository;
+      const raw = typeof repoField === "string" ? repoField : repoField?.url;
+      if (!raw) return null;
+      return this.parseGitHubUrl(raw);
+    } catch {
+      return null;
+    }
+  }
+  /** Extract owner/repo from a variety of GitHub URL formats. */
+  parseGitHubUrl(raw) {
+    const normalised = raw.replace(/^git\+/, "").replace(/^git:\/\//, "https://").replace(/^ssh:\/\/git@github\.com/, "https://github.com").replace(/^git@github\.com:/, "https://github.com/").replace(/\.git$/, "");
+    const match = normalised.match(
+      /github\.com\/([^/]+)\/([^/]+)/
+    );
+    if (!match) return null;
+    const owner = match[1];
+    const repo = match[2];
+    const GITHUB_NAME = /^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$/;
+    if (!GITHUB_NAME.test(owner) || !GITHUB_NAME.test(repo)) return null;
+    return { owner, repo };
+  }
+  // ---------------------------------------------------------------------------
+  // GitHub API calls
+  // ---------------------------------------------------------------------------
+  headers() {
+    const h = {
+      Accept: "application/vnd.github+json",
+      "X-GitHub-Api-Version": "2022-11-28"
+    };
+    if (this.token) {
+      h.Authorization = `Bearer ${this.token}`;
+    }
+    return h;
+  }
+  async fetchRepoInfo(owner, repo) {
+    const url = `https://api.github.com/repos/${owner}/${repo}`;
+    logger.debug(`GitHub: fetching repo info ${url}`);
+    await githubRateLimiter.acquire();
+    const res = await fetch(url, { headers: this.headers() });
+    if (!res.ok) {
+      throw new Error(`GitHub API ${res.status} for ${url}`);
+    }
+    return await res.json();
+  }
+  /**
+   * Get total contributor count using the Link header pagination trick.
+   * We request per_page=1&anon=true and read the `last` page number.
+   */
+  async fetchContributorCount(owner, repo) {
+    const url = `https://api.github.com/repos/${owner}/${repo}/contributors?per_page=1&anon=true`;
+    logger.debug(`GitHub: fetching contributor count ${url}`);
+    try {
+      await githubRateLimiter.acquire();
+      const res = await fetch(url, { headers: this.headers() });
+      if (!res.ok) return 0;
+      const count = this.extractLastPage(res.headers.get("link"));
+      if (count !== null) return count;
+      const body = await res.json();
+      return body.length;
+    } catch {
+      return 0;
+    }
+  }
+  /**
+   * Count commits in the last 30 days via the same Link-header trick.
+   */
+  async fetchRecentCommitCount(owner, repo) {
+    const since = new Date(
+      Date.now() - 30 * 24 * 60 * 60 * 1e3
+    ).toISOString();
+    const url = `https://api.github.com/repos/${owner}/${repo}/commits?since=${since}&per_page=1`;
+    logger.debug(`GitHub: fetching recent commit count ${url}`);
+    try {
+      await githubRateLimiter.acquire();
+      const res = await fetch(url, { headers: this.headers() });
+      if (!res.ok) return 0;
+      const count = this.extractLastPage(res.headers.get("link"));
+      if (count !== null) return count;
+      const body = await res.json();
+      return body.length;
+    } catch {
+      return 0;
+    }
+  }
+  /** Fetch the single most-recent commit. */
+  async fetchLatestCommit(owner, repo) {
+    const url = `https://api.github.com/repos/${owner}/${repo}/commits?per_page=1`;
+    logger.debug(`GitHub: fetching latest commit ${url}`);
+    try {
+      await githubRateLimiter.acquire();
+      const res = await fetch(url, { headers: this.headers() });
+      if (!res.ok) return null;
+      const body = await res.json();
+      return body[0] ?? null;
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Check whether the repository contains a .github/FUNDING.yml file.
+   * A 200 response means the file exists.
+   */
+  async checkFundingYml(owner, repo) {
+    const url = `https://api.github.com/repos/${owner}/${repo}/contents/.github/FUNDING.yml`;
+    logger.debug(`GitHub: checking FUNDING.yml ${url}`);
+    try {
+      await githubRateLimiter.acquire();
+      const res = await fetch(url, { headers: this.headers() });
+      return res.ok;
+    } catch {
+      return false;
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Utilities
+  // ---------------------------------------------------------------------------
+  /**
+   * Parse the GitHub `Link` header and return the last page number.
+   *
+   *   Link: <...?page=42>; rel="last", <...?page=2>; rel="next"
+   *
+   * Returns `null` when there is no last page (single page of results).
+   */
+  extractLastPage(linkHeader) {
+    if (!linkHeader) return null;
+    const match = linkHeader.match(
+      /[?&]page=(\d+)[^>]*>;\s*rel="last"/
+    );
+    return match ? parseInt(match[1], 10) : null;
+  }
+};
+
+// src/collectors/security.ts
+var SecurityCollector = class extends BaseCollector {
+  name = "security";
+  constructor(cache) {
+    super(cache);
+  }
+  async collect(packageName, version, ecosystem) {
+    const cached = await this.getCached(packageName, version);
+    if (cached) return cached;
+    try {
+      const vulns = await this.queryOsv(packageName, ecosystem);
+      const totalVulnerabilities = vulns.length;
+      const severityCounts = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        unknown: 0
+      };
+      for (const vuln of vulns) {
+        const severity = this.extractSeverity(vuln);
+        severityCounts[severity]++;
+      }
+      const vulnDates = vulns.map((v) => new Date(v.published ?? v.modified).getTime()).filter((t) => !isNaN(t)).sort((a, b) => b - a);
+      const latestVulnDate = vulnDates.length > 0 ? new Date(vulnDates[0]).toISOString() : null;
+      const patchDays = this.estimateAveragePatchDays(vulns);
+      const data = {
+        packageName,
+        version,
+        totalVulnerabilities,
+        severityCounts,
+        latestVulnDate,
+        averagePatchDays: patchDays,
+        vulnerabilities: vulns.map((v) => ({
+          id: v.id,
+          summary: v.summary ?? null,
+          severity: this.extractSeverity(v),
+          published: v.published ?? v.modified
+        }))
+      };
+      await this.setCache(packageName, version, data);
+      return {
+        status: "success",
+        data,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`SecurityCollector failed for ${packageName}@${version}: ${message}`);
+      return {
+        status: "error",
+        data: null,
+        error: message,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // OSV API
+  // ---------------------------------------------------------------------------
+  async queryOsv(packageName, ecosystem = "npm") {
+    const url = "https://api.osv.dev/v1/query";
+    logger.debug(`OSV: querying vulnerabilities for ${packageName} (ecosystem=${ecosystem})`);
+    const res = await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        package: {
+          name: packageName,
+          ecosystem
+        }
+      })
+    });
+    if (!res.ok) {
+      throw new Error(`OSV API returned ${res.status}`);
+    }
+    const body = await res.json();
+    return body.vulns ?? [];
+  }
+  // ---------------------------------------------------------------------------
+  // Severity extraction
+  // ---------------------------------------------------------------------------
+  /**
+   * Determine the highest severity label for a vulnerability.
+   *
+   * OSV may provide CVSS vectors, database-specific severity strings, or
+   * nothing at all. We try multiple sources in order of preference.
+   */
+  extractSeverity(vuln) {
+    if (vuln.severity && vuln.severity.length > 0) {
+      for (const s of vuln.severity) {
+        const level = this.cvssToLevel(s.score);
+        if (level !== "unknown") return level;
+      }
+    }
+    const dbSeverity = vuln.database_specific?.severity;
+    if (typeof dbSeverity === "string") {
+      const normalised = dbSeverity.toLowerCase().trim();
+      if (normalised === "critical") return "critical";
+      if (normalised === "high") return "high";
+      if (normalised === "moderate" || normalised === "medium") return "medium";
+      if (normalised === "low") return "low";
+    }
+    return "unknown";
+  }
+  /**
+   * Map a CVSS 3.x vector string to a severity level by extracting the
+   * base score. If the string looks like a plain number, use it directly.
+   */
+  cvssToLevel(scoreOrVector) {
+    let numeric;
+    if (scoreOrVector.startsWith("CVSS:")) {
+      return "unknown";
+    }
+    numeric = parseFloat(scoreOrVector);
+    if (isNaN(numeric)) return "unknown";
+    if (numeric >= 9) return "critical";
+    if (numeric >= 7) return "high";
+    if (numeric >= 4) return "medium";
+    if (numeric > 0) return "low";
+    return "unknown";
+  }
+  // ---------------------------------------------------------------------------
+  // Patch-time estimation
+  // ---------------------------------------------------------------------------
+  /**
+   * Estimate average number of days between a vulnerability being introduced
+   * and being fixed. Uses the range events in the OSV affected data.
+   *
+   * When no usable data is available, returns `null`.
+   */
+  estimateAveragePatchDays(vulns) {
+    const daysPerVuln = [];
+    for (const vuln of vulns) {
+      if (!vuln.affected) continue;
+      for (const affected of vuln.affected) {
+        if (!affected.ranges) continue;
+        for (const range of affected.ranges) {
+          let introduced;
+          let fixed;
+          for (const event of range.events) {
+            if (event.introduced) introduced = event.introduced;
+            if (event.fixed) fixed = event.fixed;
+          }
+          if (introduced && fixed) {
+            continue;
+          }
+        }
+      }
+      const published = vuln.published ? new Date(vuln.published).getTime() : NaN;
+      const modified = new Date(vuln.modified).getTime();
+      if (!isNaN(published) && !isNaN(modified) && modified > published) {
+        const days = (modified - published) / (1e3 * 60 * 60 * 24);
+        if (days > 0 && days < 3650) {
+          daysPerVuln.push(days);
+        }
+      }
+    }
+    if (daysPerVuln.length === 0) return null;
+    const total = daysPerVuln.reduce((sum, d) => sum + d, 0);
+    return Math.round(total / daysPerVuln.length);
+  }
+};
+
+// src/collectors/funding.ts
+var FundingCollector = class extends BaseCollector {
+  name = "funding";
+  githubToken;
+  constructor(cache, githubToken) {
+    super(cache);
+    this.githubToken = githubToken ?? process.env.GITHUB_TOKEN;
+  }
+  async collect(packageName, version) {
+    const cached = await this.getCached(packageName, version);
+    if (cached) return cached;
+    try {
+      const [repoSlug, npmFunding] = await Promise.all([
+        this.resolveRepoSlug(packageName),
+        this.fetchNpmFunding(packageName)
+      ]);
+      const [fundingYml, openCollective] = await Promise.all([
+        repoSlug ? this.checkFundingYml(repoSlug.owner, repoSlug.repo) : Promise.resolve(null),
+        this.fetchOpenCollective(packageName)
+      ]);
+      const hasSponsors = fundingYml !== null && fundingYml.length > 0;
+      const hasOpenCollective = openCollective !== null && (openCollective.isActive ?? false);
+      const hasNpmFunding = npmFunding !== null;
+      let estimatedAnnualFunding = 0;
+      if (openCollective?.yearlyBudget) {
+        estimatedAnnualFunding = openCollective.yearlyBudget > 1e6 ? Math.round(openCollective.yearlyBudget / 100) : openCollective.yearlyBudget;
+      }
+      const data = {
+        packageName,
+        hasSponsors,
+        hasOpenCollective,
+        hasNpmFunding,
+        openCollectiveSlug: openCollective?.slug ?? null,
+        openCollectiveBackers: openCollective?.backersCount ?? 0,
+        estimatedAnnualFunding,
+        fundingUrls: this.buildFundingUrls(npmFunding, fundingYml, openCollective)
+      };
+      await this.setCache(packageName, version, data);
+      return {
+        status: "success",
+        data,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.warn(`FundingCollector failed for ${packageName}@${version}: ${message}`);
+      const data = {
+        packageName,
+        hasSponsors: false,
+        hasOpenCollective: false,
+        hasNpmFunding: false,
+        openCollectiveSlug: null,
+        openCollectiveBackers: 0,
+        estimatedAnnualFunding: 0,
+        fundingUrls: []
+      };
+      return {
+        status: "success",
+        data,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // npm registry funding field
+  // ---------------------------------------------------------------------------
+  async fetchNpmFunding(packageName) {
+    try {
+      const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+      await npmRateLimiter.acquire();
+      const res = await fetch(url, {
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) return null;
+      const body = await res.json();
+      if (!body.funding) return null;
+      if (typeof body.funding === "string") return body.funding;
+      if (Array.isArray(body.funding)) {
+        return body.funding.map(
+          (f) => typeof f === "string" ? f : f.url ?? ""
+        ).filter(Boolean);
+      }
+      if (typeof body.funding === "object" && body.funding.url) {
+        return body.funding.url;
+      }
+      return null;
+    } catch {
+      return null;
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // GitHub FUNDING.yml
+  // ---------------------------------------------------------------------------
+  async checkFundingYml(owner, repo) {
+    const url = `https://api.github.com/repos/${owner}/${repo}/contents/.github/FUNDING.yml`;
+    logger.debug(`Funding: checking FUNDING.yml ${url}`);
+    try {
+      const headers = {
+        Accept: "application/vnd.github.raw+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      };
+      if (this.githubToken) {
+        headers.Authorization = `Bearer ${this.githubToken}`;
+      }
+      await githubRateLimiter.acquire();
+      const res = await fetch(url, { headers });
+      if (!res.ok) return null;
+      return await res.text();
+    } catch {
+      return null;
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // OpenCollective
+  // ---------------------------------------------------------------------------
+  async fetchOpenCollective(packageName) {
+    const slug = packageName.replace(/^@[^/]+\//, "");
+    const url = `https://opencollective.com/${encodeURIComponent(slug)}.json`;
+    logger.debug(`Funding: checking OpenCollective ${url}`);
+    try {
+      const res = await fetch(url, {
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) return null;
+      return await res.json();
+    } catch {
+      return null;
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Repo slug resolution (shared helper)
+  // ---------------------------------------------------------------------------
+  async resolveRepoSlug(packageName) {
+    try {
+      const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+      await npmRateLimiter.acquire();
+      const res = await fetch(url, {
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) return null;
+      const body = await res.json();
+      const repoField = body.repository;
+      const raw = typeof repoField === "string" ? repoField : repoField?.url;
+      if (!raw) return null;
+      const normalised = raw.replace(/^git\+/, "").replace(/^git:\/\//, "https://").replace(/^ssh:\/\/git@github\.com/, "https://github.com").replace(/^git@github\.com:/, "https://github.com/").replace(/\.git$/, "");
+      const match = normalised.match(/github\.com\/([^/]+)\/([^/]+)/);
+      if (!match) return null;
+      return { owner: match[1], repo: match[2] };
+    } catch {
+      return null;
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Utilities
+  // ---------------------------------------------------------------------------
+  buildFundingUrls(npmFunding, fundingYml, oc) {
+    const urls = [];
+    if (npmFunding) {
+      if (typeof npmFunding === "string") {
+        urls.push(npmFunding);
+      } else {
+        urls.push(...npmFunding);
+      }
+    }
+    if (fundingYml) {
+      const ghMatch = fundingYml.match(/github:\s*(.+)/i);
+      if (ghMatch) {
+        const sponsors = ghMatch[1].trim().replace(/^\[/, "").replace(/]$/, "").split(",").map((s) => s.trim().replace(/['"]/g, "")).filter(Boolean);
+        const GITHUB_USERNAME = /^[a-zA-Z0-9]([a-zA-Z0-9-]{0,37}[a-zA-Z0-9])?$/;
+        for (const sponsor of sponsors) {
+          if (GITHUB_USERNAME.test(sponsor)) {
+            urls.push(`https://github.com/sponsors/${sponsor}`);
+          }
+        }
+      }
+      const ocMatch = fundingYml.match(/open_collective:\s*(\S+)/i);
+      if (ocMatch) {
+        urls.push(`https://opencollective.com/${ocMatch[1].trim()}`);
+      }
+      const kofiMatch = fundingYml.match(/ko_fi:\s*(\S+)/i);
+      if (kofiMatch) {
+        urls.push(`https://ko-fi.com/${kofiMatch[1].trim()}`);
+      }
+      const patreonMatch = fundingYml.match(/patreon:\s*(\S+)/i);
+      if (patreonMatch) {
+        urls.push(`https://patreon.com/${patreonMatch[1].trim()}`);
+      }
+    }
+    if (oc?.slug) {
+      const ocUrl = `https://opencollective.com/${oc.slug}`;
+      if (!urls.includes(ocUrl)) {
+        urls.push(ocUrl);
+      }
+    }
+    return [...new Set(urls)];
+  }
+};
+
+// src/collectors/popularity.ts
+var PopularityCollector = class extends BaseCollector {
+  name = "popularity";
+  constructor(cache) {
+    super(cache);
+  }
+  async collect(packageName, version) {
+    const cached = await this.getCached(packageName, version);
+    if (cached) return cached;
+    try {
+      const [weeklyDownloads, monthlyDownloads, dependentCount] = await Promise.all([
+        this.fetchDownloads(packageName, "last-week"),
+        this.fetchDownloads(packageName, "last-month"),
+        this.fetchDependentCount(packageName)
+      ]);
+      const monthlyWeeklyAvg = monthlyDownloads / 4;
+      let trend = "stable";
+      if (monthlyWeeklyAvg > 0) {
+        const ratio = weeklyDownloads / monthlyWeeklyAvg;
+        if (ratio > 1.1) {
+          trend = "rising";
+        } else if (ratio < 0.9) {
+          trend = "declining";
+        }
+      }
+      const data = {
+        packageName,
+        weeklyDownloads,
+        monthlyDownloads,
+        trend,
+        dependentCount
+      };
+      await this.setCache(packageName, version, data);
+      return {
+        status: "success",
+        data,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`PopularityCollector failed for ${packageName}@${version}: ${message}`);
+      return {
+        status: "error",
+        data: null,
+        error: message,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // npm downloads API
+  // ---------------------------------------------------------------------------
+  async fetchDownloads(packageName, period) {
+    const url = `https://api.npmjs.org/downloads/point/${period}/${encodeURIComponent(packageName)}`;
+    logger.debug(`Popularity: fetching ${period} downloads: ${url}`);
+    try {
+      await npmRateLimiter.acquire();
+      const res = await fetch(url, {
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) {
+        logger.warn(`Downloads API returned ${res.status} for ${packageName} (${period})`);
+        return 0;
+      }
+      const body = await res.json();
+      return body.downloads ?? 0;
+    } catch {
+      logger.warn(`Could not fetch ${period} downloads for ${packageName}`);
+      return 0;
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // Dependent count
+  // ---------------------------------------------------------------------------
+  /**
+   * Attempt to get the number of packages that depend on this one.
+   *
+   * The npm registry search API exposes a "dependents" count via the
+   * /-/v1/search endpoint. This is an approximation.
+   */
+  async fetchDependentCount(packageName) {
+    const url = `https://registry.npmjs.org/-/v1/search?text=${encodeURIComponent(packageName)}&size=1`;
+    logger.debug(`Popularity: fetching dependent count: ${url}`);
+    try {
+      await npmRateLimiter.acquire();
+      const res = await fetch(url, {
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) return 0;
+      const body = await res.json();
+      if (body.objects && body.objects.length > 0) {
+        const exactMatch = body.objects.find(
+          (o) => o.package.name === packageName
+        );
+        if (exactMatch) {
+          return await this.fetchDependentCountFromRegistry(packageName);
+        }
+      }
+      return 0;
+    } catch {
+      return 0;
+    }
+  }
+  /**
+   * Secondary lookup: the npm registry exposes dependent info via the
+   * abbreviated packument endpoint.
+   */
+  async fetchDependentCountFromRegistry(packageName) {
+    try {
+      const url = `https://www.npmjs.com/package/${encodeURIComponent(packageName)}`;
+      await npmRateLimiter.acquire();
+      const res = await fetch(url, {
+        headers: {
+          Accept: "text/html",
+          "X-Spiferack": "1"
+          // npm returns JSON when this header is set
+        }
+      });
+      if (!res.ok) return 0;
+      const body = await res.json();
+      return body.dependents?.dependentsCount ?? 0;
+    } catch {
+      return 0;
+    }
+  }
+};
+
+// src/collectors/license.ts
+var RISK_MAP = {
+  // Safe -- permissive
+  "MIT": "safe",
+  "ISC": "safe",
+  "BSD-2-Clause": "safe",
+  "BSD-3-Clause": "safe",
+  "Apache-2.0": "safe",
+  "Unlicense": "safe",
+  "0BSD": "safe",
+  "CC0-1.0": "safe",
+  "CC-BY-4.0": "safe",
+  "Zlib": "safe",
+  "BlueOak-1.0.0": "safe",
+  "MIT-0": "safe",
+  // Cautious -- weak copyleft
+  "LGPL-2.1": "cautious",
+  "LGPL-2.1-only": "cautious",
+  "LGPL-2.1-or-later": "cautious",
+  "LGPL-3.0": "cautious",
+  "LGPL-3.0-only": "cautious",
+  "LGPL-3.0-or-later": "cautious",
+  "MPL-2.0": "cautious",
+  "EPL-2.0": "cautious",
+  "EPL-1.0": "cautious",
+  "CDDL-1.0": "cautious",
+  "CDDL-1.1": "cautious",
+  // Risky -- strong copyleft
+  "GPL-2.0": "risky",
+  "GPL-2.0-only": "risky",
+  "GPL-2.0-or-later": "risky",
+  "GPL-3.0": "risky",
+  "GPL-3.0-only": "risky",
+  "GPL-3.0-or-later": "risky",
+  "AGPL-3.0": "risky",
+  "AGPL-3.0-only": "risky",
+  "AGPL-3.0-or-later": "risky",
+  "SSPL-1.0": "risky",
+  "EUPL-1.2": "risky"
+};
+var OSI_APPROVED = /* @__PURE__ */ new Set([
+  "MIT",
+  "ISC",
+  "BSD-2-Clause",
+  "BSD-3-Clause",
+  "Apache-2.0",
+  "0BSD",
+  "Unlicense",
+  "LGPL-2.1",
+  "LGPL-2.1-only",
+  "LGPL-2.1-or-later",
+  "LGPL-3.0",
+  "LGPL-3.0-only",
+  "LGPL-3.0-or-later",
+  "MPL-2.0",
+  "EPL-2.0",
+  "EPL-1.0",
+  "GPL-2.0",
+  "GPL-2.0-only",
+  "GPL-2.0-or-later",
+  "GPL-3.0",
+  "GPL-3.0-only",
+  "GPL-3.0-or-later",
+  "AGPL-3.0",
+  "AGPL-3.0-only",
+  "AGPL-3.0-or-later",
+  "CDDL-1.0",
+  "Artistic-2.0",
+  "Zlib",
+  "PostgreSQL",
+  "EUPL-1.2",
+  "ECL-2.0"
+]);
+var LICENSE_ALIASES = {
+  "apache 2.0": "Apache-2.0",
+  "apache2": "Apache-2.0",
+  "apache-2": "Apache-2.0",
+  "apache license 2.0": "Apache-2.0",
+  "bsd": "BSD-2-Clause",
+  "bsd-2": "BSD-2-Clause",
+  "bsd-3": "BSD-3-Clause",
+  "bsd license": "BSD-2-Clause",
+  "gpl": "GPL-3.0",
+  "gpl-2": "GPL-2.0",
+  "gpl-3": "GPL-3.0",
+  "gplv2": "GPL-2.0",
+  "gplv3": "GPL-3.0",
+  "lgpl": "LGPL-3.0",
+  "lgpl-2": "LGPL-2.1",
+  "lgpl-3": "LGPL-3.0",
+  "agpl": "AGPL-3.0",
+  "agpl-3": "AGPL-3.0",
+  "mpl": "MPL-2.0",
+  "mpl-2": "MPL-2.0",
+  "unlicensed": "Unlicense",
+  "public domain": "Unlicense",
+  "wtfpl": "WTFPL",
+  "cc0": "CC0-1.0",
+  "cc0-1.0": "CC0-1.0",
+  "artistic-2.0": "Artistic-2.0"
+};
+var LicenseCollector = class extends BaseCollector {
+  name = "license";
+  constructor(cache) {
+    super(cache);
+  }
+  async collect(packageName, version) {
+    const cached = await this.getCached(packageName, version);
+    if (cached) return cached;
+    try {
+      const rawLicense = await this.fetchLicense(packageName, version);
+      const spdx = this.toSpdx(rawLicense);
+      const risk = this.classifyRisk(spdx);
+      const osiApproved = spdx !== null && OSI_APPROVED.has(spdx);
+      const data = {
+        packageName,
+        version,
+        raw: rawLicense,
+        spdx,
+        risk,
+        osiApproved
+      };
+      await this.setCache(packageName, version, data);
+      return {
+        status: "success",
+        data,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`LicenseCollector failed for ${packageName}@${version}: ${message}`);
+      return {
+        status: "error",
+        data: null,
+        error: message,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // npm registry
+  // ---------------------------------------------------------------------------
+  /**
+   * Fetch the license string from the npm registry.
+   *
+   * Tries the specific version first, then falls back to the top-level
+   * packument "license" field.
+   */
+  async fetchLicense(packageName, version) {
+    const url = `https://registry.npmjs.org/${encodeURIComponent(packageName)}`;
+    logger.debug(`License: fetching packument ${url}`);
+    await npmRateLimiter.acquire();
+    const res = await fetch(url, {
+      headers: { Accept: "application/json" }
+    });
+    if (!res.ok) {
+      throw new Error(`npm registry returned ${res.status} for ${packageName}`);
+    }
+    const body = await res.json();
+    const versionInfo = body.versions?.[version];
+    if (versionInfo?.license) {
+      return typeof versionInfo.license === "string" ? versionInfo.license : versionInfo.license.type ?? null;
+    }
+    if (body.license) {
+      return typeof body.license === "string" ? body.license : body.license.type ?? null;
+    }
+    return null;
+  }
+  // ---------------------------------------------------------------------------
+  // SPDX mapping
+  // ---------------------------------------------------------------------------
+  /**
+   * Normalise a raw license string to an SPDX identifier.
+   *
+   * Handles common aliases, SPDX expression syntax (e.g. "(MIT OR Apache-2.0)"),
+   * and case-insensitive matching.
+   */
+  toSpdx(raw) {
+    if (!raw) return null;
+    const trimmed = raw.trim();
+    if (!trimmed) return null;
+    if (RISK_MAP[trimmed] !== void 0 || OSI_APPROVED.has(trimmed)) {
+      return trimmed;
+    }
+    const lower = trimmed.toLowerCase();
+    const alias = LICENSE_ALIASES[lower];
+    if (alias) return alias;
+    const stripped = trimmed.replace(/[()]/g, "");
+    const parts = stripped.split(/\s+(?:OR|AND)\s+/i);
+    for (const part of parts) {
+      const p = part.trim();
+      if (RISK_MAP[p] !== void 0) return p;
+      const pAlias = LICENSE_ALIASES[p.toLowerCase()];
+      if (pAlias) return pAlias;
+    }
+    return trimmed;
+  }
+  // ---------------------------------------------------------------------------
+  // Risk classification
+  // ---------------------------------------------------------------------------
+  classifyRisk(spdx) {
+    if (!spdx) return "unknown";
+    return RISK_MAP[spdx] ?? "unknown";
+  }
+};
+
+// src/collectors/orchestrator.ts
+var CollectorOrchestrator = class {
+  cache;
+  options;
+  registryCollector;
+  pypiRegistryCollector;
+  githubCollector;
+  securityCollector;
+  fundingCollector;
+  popularityCollector;
+  licenseCollector;
+  constructor(cache, options = {}) {
+    this.cache = cache;
+    this.options = {
+      offline: options.offline ?? false,
+      githubToken: options.githubToken ?? process.env.GITHUB_TOKEN ?? "",
+      concurrency: options.concurrency ?? 10
+    };
+    this.registryCollector = new RegistryCollector(this.cache);
+    this.pypiRegistryCollector = new PyPIRegistryCollector(this.cache);
+    this.githubCollector = new GitHubCollector(this.cache, this.options.githubToken || void 0);
+    this.securityCollector = new SecurityCollector(this.cache);
+    this.fundingCollector = new FundingCollector(this.cache, this.options.githubToken || void 0);
+    this.popularityCollector = new PopularityCollector(this.cache);
+    this.licenseCollector = new LicenseCollector(this.cache);
+  }
+  /**
+   * Run all collectors for the given package and version.
+   *
+   * In online mode every collector is invoked (cache-first). In offline mode
+   * only the cache is consulted; if there is no cached entry the result gets
+   * `status: 'offline'` with `data: null`.
+   */
+  async collectAll(packageName, version, ecosystem = "npm") {
+    logger.info(
+      `Collecting data for ${packageName}@${version} (ecosystem=${ecosystem}, offline=${String(this.options.offline)})`
+    );
+    const limit = pLimit(this.options.concurrency);
+    const activeRegistryCollector = ecosystem === "pypi" ? this.pypiRegistryCollector : this.registryCollector;
+    const osvEcosystem = ecosystem === "pypi" ? "PyPI" : "npm";
+    const entries = [
+      { key: "registry", collector: activeRegistryCollector },
+      { key: "github", collector: this.githubCollector },
+      { key: "security", collector: this.securityCollector },
+      { key: "funding", collector: this.fundingCollector },
+      { key: "popularity", collector: this.popularityCollector },
+      { key: "license", collector: this.licenseCollector }
+    ];
+    const results = {};
+    const COLLECTOR_TIMEOUT = 3e4;
+    const tasks = entries.map(
+      ({ key, collector }) => limit(async () => {
+        let result;
+        if (this.options.offline) {
+          result = await this.offlineCollect(collector, packageName, version);
+        } else {
+          try {
+            if (key === "security") {
+              result = await Promise.race([
+                this.securityCollector.collect(packageName, version, osvEcosystem),
+                new Promise(
+                  (_, reject) => setTimeout(() => reject(new Error("Collector timeout")), COLLECTOR_TIMEOUT)
+                )
+              ]);
+            } else {
+              result = await Promise.race([
+                this.onlineCollect(collector, packageName, version),
+                new Promise(
+                  (_, reject) => setTimeout(() => reject(new Error("Collector timeout")), COLLECTOR_TIMEOUT)
+                )
+              ]);
+            }
+          } catch {
+            logger.warn(`[${collector.name}] ${packageName}@${version} => timeout (${COLLECTOR_TIMEOUT}ms)`);
+            result = {
+              status: "error",
+              data: null,
+              error: `Timeout after ${COLLECTOR_TIMEOUT / 1e3}s`,
+              collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+            };
+          }
+        }
+        logger.info(
+          `[${collector.name}] ${packageName}@${version} => ${result.status}`
+        );
+        results[key] = result;
+      })
+    );
+    await Promise.all(tasks);
+    return results;
+  }
+  // ---------------------------------------------------------------------------
+  // Online / Offline strategies
+  // ---------------------------------------------------------------------------
+  /**
+   * Normal collection: delegate to the collector which checks cache internally.
+   */
+  async onlineCollect(collector, packageName, version) {
+    try {
+      return await collector.collect(packageName, version);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.error(`Unhandled error in ${collector.name}: ${message}`);
+      return {
+        status: "error",
+        data: null,
+        error: message,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+  }
+  /**
+   * Offline collection: only look in the cache. If nothing is cached return
+   * a result with `status: 'offline'`.
+   */
+  async offlineCollect(collector, packageName, version) {
+    try {
+      const key = `${collector.name}:${packageName}@${version}`;
+      const cached = await this.cache.get(key);
+      if (cached !== null && cached !== void 0) {
+        logger.debug(`Offline cache hit: ${key}`);
+        return {
+          status: "cached",
+          data: cached,
+          collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+        };
+      }
+      return {
+        status: "offline",
+        data: null,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      logger.warn(`Offline cache read failed for ${collector.name}: ${message}`);
+      return {
+        status: "offline",
+        data: null,
+        collectedAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+    }
+  }
+};
+
+export {
+  setVerbose,
+  logger,
+  createLogger,
+  CollectorOrchestrator
+};
+//# sourceMappingURL=chunk-32B3QIPY.js.map