dependency-radar 0.5.0 → 0.6.0

package/dist/report.js

@@ -63,7 +63,7 @@ function buildHtml(data) {
                 month: 'short',
                 year: 'numeric',
                 hour: '2-digit',
-                minute: '2-digit'
+                minute: '2-digit',
             }).format(date);
         }
     }
@@ -199,6 +199,16 @@ ${safeCssContent}
             </svg>
             <input type="search" id="search" placeholder="Search packages..." />
           </div>
+          <div class="view-switch" id="view-switch">
+            <button
+              type="button"
+              class="view-switch-btn"
+              id="view-graph-btn"
+              data-view="graph"
+            >
+              Graph View
+            </button>
+          </div>
           <button
             type="button"
             class="filters-toggle"
@@ -319,7 +329,60 @@ ${safeCssContent}
   
   <!-- Main Content -->
   <main class="main-content">
-    <div id="dependency-list" class="dependency-grid"></div>
+    <section class="view-panel active" id="list-view" data-view="list" aria-hidden="false">
+      <div id="dependency-list" class="dependency-grid"></div>
+    </section>
+    <section class="view-panel" id="graph-view" data-view="graph" aria-hidden="true">
+      <div class="graph-canvas-shell" id="graph-canvas-shell">
+        <canvas id="graph-canvas"></canvas>
+        <div class="graph-overlay-top">
+          <button type="button" class="graph-back-btn" id="graph-back-btn">Back to List View</button>
+          <div class="graph-key" aria-label="Graph key">
+            <span class="graph-workspace-label">Key</span>
+            <div class="graph-key-items">
+              <span class="graph-key-item">
+                <span class="graph-key-dot dependency" aria-hidden="true"></span>
+                <span>Dependency</span>
+              </span>
+              <span class="graph-key-item">
+                <span class="graph-key-dot dev-dependency" aria-hidden="true"></span>
+                <span>Dev-Dependency</span>
+              </span>
+              <span class="graph-key-item">
+                <span class="graph-key-dot sub-dependency" aria-hidden="true"></span>
+                <span>Sub-Dependency</span>
+              </span>
+            </div>
+          </div>
+          <div class="graph-overlay-left" id="graph-workspace-wrap">
+            <label class="graph-workspace-label" for="graph-workspace">Workspace</label>
+            <select id="graph-workspace" class="graph-workspace-select"></select>
+          </div>
+        </div>
+        <div class="graph-controls graph-overlay graph-overlay-right" id="graph-controls">
+          <div class="dpad">
+            <button type="button" class="graph-control-btn up" data-action="pan-down" aria-label="Pan Up">▲</button>
+            <button type="button" class="graph-control-btn left" data-action="pan-right" aria-label="Pan Left">◀</button>
+            <div class="center-spacer" aria-hidden="true"></div>
+            <button type="button" class="graph-control-btn right" data-action="pan-left" aria-label="Pan Right">▶</button>
+            <button type="button" class="graph-control-btn down" data-action="pan-up" aria-label="Pan Down">▼</button>
+          </div>
+          <div class="zoom-controls">
+            <button type="button" class="graph-control-btn" data-action="zoom-in" aria-label="Zoom In">+</button>
+            <button type="button" class="graph-control-btn" data-action="zoom-out" aria-label="Zoom Out">−</button>
+          </div>
+          <button type="button" class="graph-control-btn reset-btn" data-action="reset">reset</button>
+        </div>
+        <div class="graph-popover" id="graph-popover" hidden>
+          <div class="graph-popover-name" id="graph-popover-name"></div>
+          <div class="graph-popover-meta" id="graph-popover-version"></div>
+          <div class="graph-popover-meta" id="graph-popover-license"></div>
+          <div class="graph-popover-meta" id="graph-popover-vulns"></div>
+          <div class="graph-popover-meta" id="graph-popover-amplification"></div>
+          <button type="button" class="graph-popover-action" id="graph-open-list">Open in List</button>
+        </div>
+      </div>
+    </section>
   </main>
 
   <footer class="report-footer">
@@ -335,5 +398,9 @@ ${safeJsContent}
 </html>`;
 }
 function escapeHtml(str) {
-    return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+    return str
+        .replace(/&/g, '&amp;')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;');
 }

package/dist/runners/importGraphRunner.js

@@ -10,7 +10,22 @@ const module_1 = require("module");
 const utils_1 = require("../utils");
 const IGNORED_DIRS = new Set(['node_modules', 'dist', 'build', 'coverage', '.dependency-radar']);
 const SOURCE_EXTENSIONS = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs'];
-async function runImportGraph(projectPath, tempDir) {
+/**
+ * Builds an import graph for a project and optionally writes it to disk.
+ *
+ * The produced graph maps each project-relative source file to its resolved local file dependencies,
+ * referenced packages, per-file package usage counts, and any unresolved import specifiers.
+ *
+ * @param options - Optional settings.
+ * @param options.persistToDisk - When `false`, the graph is not written to disk; defaults to `true`.
+ * @returns An object with:
+ *  - `ok: true` and `data` containing `{ files, packages, packageCounts, unresolvedImports }` on success.
+ *    When the graph was persisted to disk, a `file` field points to the written JSON file (`<tempDir>/import-graph.json`).
+ *  - `ok: false` and `error` containing an error message on failure. If persistence was enabled, a `file` field may point to
+ *    the JSON file containing the error object.
+ */
+async function runImportGraph(projectPath, tempDir, options = {}) {
+    const persistToDisk = options.persistToDisk !== false;
     const targetFile = path_1.default.join(tempDir, 'import-graph.json');
     try {
         const srcPath = path_1.default.join(projectPath, 'src');
@@ -32,12 +47,20 @@ async function runImportGraph(projectPath, tempDir) {
             unresolvedImports.push(...resolved.unresolved.map((spec) => ({ importer: rel, specifier: spec })));
         }
         const output = { files: fileGraph, packages: packageGraph, packageCounts, unresolvedImports };
-        await (0, utils_1.writeJsonFile)(targetFile, output);
-        return { ok: true, data: output, file: targetFile };
+        if (persistToDisk) {
+            await (0, utils_1.writeJsonFile)(targetFile, output);
+        }
+        return { ok: true, data: output, ...(persistToDisk ? { file: targetFile } : {}) };
     }
     catch (err) {
-        await (0, utils_1.writeJsonFile)(targetFile, { error: String(err) });
-        return { ok: false, error: `import graph failed: ${String(err)}`, file: targetFile };
+        if (persistToDisk) {
+            await (0, utils_1.writeJsonFile)(targetFile, { error: String(err) });
+        }
+        return {
+            ok: false,
+            error: `import graph failed: ${String(err)}`,
+            ...(persistToDisk ? { file: targetFile } : {})
+        };
     }
 }
 async function collectSourceFiles(rootDir) {

package/dist/runners/lockfileGraph.js

@@ -6,7 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.tryBuildDependencyTreeFromLockfile = tryBuildDependencyTreeFromLockfile;
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
-const yaml_1 = __importDefault(require("yaml"));
+const lockfileParsers_1 = require("./lockfileParsers");
 const treeCache = new Map();
 const parseCache = new Map();
 /**
@@ -437,6 +437,7 @@ function parseNpmTree(projectPath, searchRoot) {
  * @returns A ResolvedTree mapping root dependency names to resolved nodes, or `undefined` if no valid root entry exists in `packages`
  */
 function parseNpmTreeFromPackages(packages, projectPath, lockDir) {
+    const installState = createNpmInstallState(projectPath, lockDir);
     const projectRel = toPosixRelative(lockDir, projectPath);
     const rootKey = projectRel === '' ? '' : projectRel;
     if (!(rootKey in packages) && rootKey !== '') {
@@ -454,7 +455,7 @@ function parseNpmTreeFromPackages(packages, projectPath, lockDir) {
         const childKey = resolveNpmPackagePath(packageKey, depName, packages);
         if (!childKey)
             continue;
-        const childNode = buildNpmNodeFromPackages(childKey, depName, packages, memo, stack);
+        const childNode = buildNpmNodeFromPackages(childKey, depName, packages, memo, stack, installState);
         if (childNode)
             dependencies[childNode.name] = childNode;
     }
@@ -470,18 +471,22 @@ function parseNpmTreeFromPackages(packages, projectPath, lockDir) {
  * @param stack - Recursion stack used to detect and avoid cycles while building the dependency graph.
  * @returns The constructed `ResolvedNode` for `packageKey`, or `undefined` if the entry is missing, invalid, cyclic, or cannot be resolved.
  */
-function buildNpmNodeFromPackages(packageKey, fallbackName, packages, memo, stack) {
+function buildNpmNodeFromPackages(packageKey, fallbackName, packages, memo, stack, installState) {
     if (memo.has(packageKey))
         return memo.get(packageKey);
     if (stack.has(packageKey))
         return undefined;
+    if (!isNpmPackageInstalled(packageKey, installState)) {
+        memo.set(packageKey, undefined);
+        return undefined;
+    }
     const entry = packages[packageKey];
     if (!entry || typeof entry !== 'object')
         return undefined;
     if (entry.link === true && typeof entry.resolved === 'string') {
         const linkedKey = normalizeLockPackageKey(entry.resolved);
         if (linkedKey && linkedKey in packages) {
-            const linkedNode = buildNpmNodeFromPackages(linkedKey, fallbackName, packages, memo, stack);
+            const linkedNode = buildNpmNodeFromPackages(linkedKey, fallbackName, packages, memo, stack, installState);
             memo.set(packageKey, linkedNode);
             return linkedNode;
         }
@@ -497,6 +502,10 @@ function buildNpmNodeFromPackages(packageKey, fallbackName, packages, memo, stac
         version,
         dependencies: {}
     };
+    const packagePath = resolveNpmInstalledPath(packageKey, installState.lockDir);
+    if (packagePath) {
+        out.path = packagePath;
+    }
     if ((entry === null || entry === void 0 ? void 0 : entry.dev) !== undefined) {
         out.dev = Boolean(entry.dev);
     }
@@ -506,7 +515,7 @@ function buildNpmNodeFromPackages(packageKey, fallbackName, packages, memo, stac
         const childKey = resolveNpmPackagePath(packageKey, depName, packages);
         if (!childKey)
             continue;
-        const childNode = buildNpmNodeFromPackages(childKey, depName, packages, memo, stack);
+        const childNode = buildNpmNodeFromPackages(childKey, depName, packages, memo, stack, installState);
         if (!childNode)
             continue;
         out.dependencies[childNode.name] = childNode;
@@ -556,6 +565,33 @@ function resolveNpmPackagePath(fromPackageKey, depName, packages) {
     const rootCandidate = `node_modules/${depName}`;
     return rootCandidate in packages ? rootCandidate : undefined;
 }
+/**
+ * Resolve an npm lockfile package key to the absolute filesystem path where that package would be installed under a given lock directory.
+ *
+ * @param packageKey - The package key from a lockfile (e.g., a normalized/package-relative path or package identifier).
+ * @param lockDir - The lockfile directory to treat as the installation root.
+ * @returns The absolute path inside `lockDir` corresponding to `packageKey` if it resolves to a location contained within `lockDir`, `undefined` otherwise.
+ */
+function resolveNpmInstalledPath(packageKey, lockDir) {
+    const normalizedKey = normalizeLockPackageKey(packageKey);
+    if (!normalizedKey)
+        return undefined;
+    const segments = normalizedKey.split('/').filter(Boolean);
+    if (segments.length === 0)
+        return undefined;
+    for (const segment of segments) {
+        if (segment === '.' || segment === '..')
+            return undefined;
+        if (path_1.default.isAbsolute(segment))
+            return undefined;
+    }
+    const lockRoot = path_1.default.resolve(lockDir);
+    const resolved = path_1.default.resolve(lockRoot, ...segments);
+    const relative = path_1.default.relative(lockRoot, resolved);
+    if (relative.startsWith('..') || path_1.default.isAbsolute(relative))
+        return undefined;
+    return resolved;
+}
 /**
  * Normalize a legacy npm lockfile node into a ResolvedNode.
  *
@@ -636,20 +672,7 @@ function parseYarnTree(projectPath, searchRoot) {
  * @returns A Map where each selector string maps to its YarnV1Entry, or `undefined` if parsing fails or the lockfile is not a Yarn v1 success parse
  */
 function parseYarnV1(raw) {
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
-    const lockfile = require('@yarnpkg/lockfile');
-    const parsed = lockfile.parse(raw);
-    if (!parsed || parsed.type !== 'success' || !parsed.object)
-        return undefined;
-    const map = new Map();
-    for (const [selectorKey, entry] of Object.entries(parsed.object)) {
-        for (const selector of splitSelectors(selectorKey)) {
-            if (!map.has(selector)) {
-                map.set(selector, entry || {});
-            }
-        }
-    }
-    return map;
+    return (0, lockfileParsers_1.parseYarnV1Lockfile)(raw);
 }
 /**
  * Parse a Yarn v2 (Berry) lockfile YAML string into a selector-to-entry map.
@@ -658,7 +681,7 @@ function parseYarnV1(raw) {
  * @returns A Map where each lockfile selector maps to its YarnV2Entry, or `undefined` if the input could not be parsed into an object
  */
 function parseYarnV2(raw) {
-    const parsed = yaml_1.default.parse(raw);
+    const parsed = (0, lockfileParsers_1.parseYamlLike)(raw);
     if (!parsed || typeof parsed !== 'object')
         return undefined;
     const map = new Map();
@@ -825,10 +848,7 @@ function collectPackageJsonDependencySpecs(pkg) {
  * @returns An array of trimmed, non-empty selector strings
  */
 function splitSelectors(selectorKey) {
-    return selectorKey
-        .split(',')
-        .map((part) => part.trim())
-        .filter(Boolean);
+    return (0, lockfileParsers_1.splitSelectorList)(selectorKey);
 }
 /**
  * Merge two arbitrary values into a string-to-string record, with entries from the second overriding the first.
@@ -990,7 +1010,7 @@ function getCachedYaml(filePath) {
     const raw = readCachedText(filePath);
     if (!raw)
         return undefined;
-    const parsed = yaml_1.default.parse(raw);
+    const parsed = (0, lockfileParsers_1.parseYamlLike)(raw);
     parseCache.set(cacheKey, parsed);
     return parsed;
 }
@@ -1037,6 +1057,21 @@ function createPnpmInstallState(projectPath) {
         installedCache: new Map()
     };
 }
+/**
+ * Create npm installation state used to filter lockfile package entries to actually installed paths.
+ *
+ * @param projectPath - Filesystem path inside the project to start discovery from
+ * @param lockDir - Directory containing the npm lockfile
+ * @returns Installation state with detected node_modules roots and per-package-key cache
+ */
+function createNpmInstallState(projectPath, lockDir) {
+    const nodeModulesRoots = findNodeModulesRoots(projectPath);
+    return {
+        enabled: nodeModulesRoots.length > 0,
+        lockDir,
+        installedByKeyCache: new Map()
+    };
+}
 /**
  * Discover node_modules directories by walking upward from a starting path.
  *
@@ -1058,6 +1093,27 @@ function findNodeModulesRoots(startPath) {
     }
     return roots;
 }
+/**
+ * Determine whether a package-lock `packages` entry key points to an installed package path.
+ *
+ * @param packageKey - Key from package-lock `packages` map
+ * @param installState - npm installation state with lockDir and cache
+ * @returns `true` when the key should be considered installed, `false` otherwise
+ */
+function isNpmPackageInstalled(packageKey, installState) {
+    if (!installState.enabled)
+        return true;
+    const normalizedKey = normalizeLockPackageKey(packageKey);
+    if (!normalizedKey)
+        return true;
+    const cached = installState.installedByKeyCache.get(normalizedKey);
+    if (cached !== undefined)
+        return cached;
+    const candidate = path_1.default.join(installState.lockDir, ...normalizedKey.split('/'));
+    const installed = safePathExists(candidate);
+    installState.installedByKeyCache.set(normalizedKey, installed);
+    return installed;
+}
 /**
  * Read the names of entries in a directory, returning an empty array if the directory cannot be read.
  *